OPINION AND ORDER
Two motions are pending before the Court. Defendant Arkansas Foundation for Medical Care, Inc. ("AFMC") filed a motion (Doc. 26) to dismiss or order an adverse inference for intentional and bad faith spoliation of evidence and a brief (Doc. 27) in support. Plaintiffs Brian Herzig and Neal Martin filed a response (Doc. 30) and brief (Doc. 31) in opposition. AFMC filed a reply (Doc. 38) with leave of Court. The Court held a hearing (Doc. 41) on this motion on February 7, 2019. AFMC also filed a motion (Doc. 33) for summary judgment and a statement of facts (Doc. 34) and brief (Doc. 35) in support. Herzig and Martin filed a response (Doc. 43), statement of facts (Doc. 44), and brief (Doc. 45) in opposition. AFMC filed a reply (Doc. 48). A motion to deem facts admitted on procedural grounds was terminated by the Court, which explained that it will consider the argument to deem facts admitted on the motion for summary judgment.
For the reasons stated herein, the spoliation motion will be granted in part and denied in part and the motion for summary judgment will be granted.
After viewing the record in the light most favorable to the nonmoving party and granting all reasonable factual inferences in the nonmovant's favor, a motion for summary judgment must be granted "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to summary judgment as a matter of law." Fed. R. Civ. P. 56(a); Haggenmiller v. ABM Parking Serv., Inc., 837 F.3d 879, 884 (8th Cir. 2016). Facts are material when they can "affect the outcome of the suit under the governing law." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). Disputes are genuine when "the evidence is such that a reasonable jury could return a verdict for the nonmoving party." Id. "While the burden of demonstrating the absence of any genuine issue of material fact rests on the movant, a nonmovant may not rest upon mere denials or allegations, but must instead set forth specific facts sufficient to raise a genuine issue for trial." Haggenmiller, 837 F.3d at 884 (quotations omitted). A party must support its assertions or disputes of material fact by citing to the record, and failure to do so may result in the Court deeming facts admitted or disputed. Fed. R. Civ. P. 56(c), (e); W.D. Ark. R. 56.1.
"Aside perhaps from perjury, no act serves to threaten the integrity of the judicial process more than the spoliation of evidence." United Med. Supply Co., Inc. v. United States, 77 Fed. Cl. 257, 258 (Fed. Cl. 2007). A court has inherent authority to fashion appropriate sanctions for conduct which abuses the judicial process. Stevenson v. Union Pac. R. Co., 354 F.3d 739, 745 (8th Cir. 2004). "A spoliation-of-evidence sanction requires 'a finding of intentional destruction indicating a desire to suppress the truth.'" Greyhound Lines, Inc. v. Wade, 485 F.3d 1032, 1035 (8th Cir. 2007) (quoting Stevenson, 354 F.3d at 746). If the movant shows the spoliation was done in bad faith, the Court may give an adverse inference or dismiss the case. Menz v. New Holland N. Am., Inc., 440 F.3d 1002, 1006 (8th Cir. 2006).
Herzig and Martin's responsive statement of facts (Doc. 44) does not cite to evidence in the record to support the disputes it identifies with AFMC's statement of facts (Doc. 34). Herzig and Martin fail to show their disputes are genuine. Furthermore, most of the identified disputes concern facts immaterial to the resolution of Herzig and Martin's age discrimination claims. The material facts in AFMC's statement of facts are deemed admitted, though the Court will continue to draw factual inferences in Herzig and Martin's favor and will consider their legal disputes with AFMC's interpretation of the material facts.
AFMC provides medical necessity review services related to Medicaid under contract with the State of Arkansas. AFMC receives, uses, and transfers protected health information and must observe privacy and security requirements imposed by the Health Insurance Portability and Accountability Act ("HIPAA"). Among those requirements are that AFMC must limit access to protected health information to the minimum personnel necessary to perform AFMC's contractual obligations, AFMC must log electronic access to protected health information for audit purposes, and AFMC must implement appropriate disciplinary actions against individuals who violate HIPAA.
Plaintiff Brian Herzig began working at AMFC in 2005 as a Software Applications Developer and eventually was promoted to Director of Information Technology in 2009. In that position, he was responsible for development, production, and maintenance of AFMC's IT systems and for ensuring employee compliance with data confidentiality and security policies. Herzig reported directly to Nathan Ray, AFMC's Chief Technology Officer.
Plaintiff Neal Martin began working at AFMC in 2010 as Manager of Programming and eventually was promoted to Assistant Director of Information Technology in October, 2016. In that position, he was responsible for application development projects and implementation of programs and applications. Martin's position as Assistant Director was newly-established when he was promoted, and Martin reported directly to Herzig.
In 2016, AFMC designed and developed in-house medical necessity review software called "ReviewPoint." ReviewPoint was intended to integrate servers hosting protected health information through a software platform called "Laserfiche" with customized and default features of a software platform called "Salesforce." AFMC's Business Intelligence Department in Little Rock was in charge of AFMC's implementation and use of Salesforce. AFMC's IT Department in Fort Smith was in charge of the ReviewPoint project. Because AFMC's IT Department had the only employees with computer program development knowledge and responsibilities, the IT Department was responsible for the Laserfiche Integration Program, which would allow Salesforce to access the Laserfiche-based protected health information in a way that complied with AFMC's HIPAA obligations to limit and log personnel access to that information. Mark Gossman was the lead programmer responsible for writing the computer code for the Laserfiche Integration Program and was directly supervised by Martin.
At meetings attended by Herzig, Martin, Chief Technology Officer Ray, AFMC Manager of Security D.J. Blaylock, and AFMC General Counsel and HIPAA Privacy Officer Breck Hopkins, the need to meet HIPAA security and logging requirements was emphasized, and Herzig, Martin, and Blaylock agreed that necessary security and logging protections either could be developed or were already in place. Prior to AFMC's deployment of ReviewPoint on January 13, 2017, Blaylock submitted a security report and Martin assured AFMC leadership that the Laserfiche Integration Program was effective at secure, HIPAA-compliant retrieval of Laserfiche-based protected health information.
On March 7, 2017, employees in the Business Intelligence Department learned of an exploit that they believed would allow a ReviewPoint user to bypass ReviewPoint security and gain unauthorized access to protected health information by changing the document number displayed in the URL on ReviewPoint. The employees contacted HIPAA Privacy Officer Hopkins and demonstrated the exploit. Hopkins reported the exploit to Chief Technology Officer Ray and to AFMC Chief Operating Officer Marilyn Little. Thereafter, AFMC disabled the Laserfiche Integration Program, preventing ReviewPoint users from uploading medical records. This in turn prevented AFMC personnel from using ReviewPoint to conduct medical necessity reviews pursuant to AFMC's Arkansas Medicaid contract. Hopkins then reviewed the logs for Laserfiche to determine if anyone had actually used the exploit to unnecessarily access protected health information in violation of HIPAA. During that review, Hopkins learned of a second potential problem—Laserfiche was not logging access by users who actually accessed protected health information. Instead, after a user entered his or her credentials into ReviewPoint and then accessed a Laserfiche document containing protected health information, ReviewPoint's security features were bypassed and Laserfiche logged access by Mark Gossman because Gossman had hardcoded his administrative credentials into the Laserfiche Integration Program's code.
On March 7, following the discovery of these issues, Chief Operating Officer Little asked Herzig who, if anyone, had conducted a secondary code review of Gossman's work on the Laserfiche Integration Program. Neither Herzig nor Martin had reviewed the code, and Herzig was initially unable to provide an answer. Little directed Chief Technology Officer Ray to investigate the root cause of the vulnerability. On March 13, Ray asked Herzig about the IT Department's quality control methods, and on March 16, Little again asked Herzig about secondary code review. Herzig remained unable to provide an answer. Herzig then directed Martin by text message to communicate with IT Department staff and find out the answer. After communicating with Gossman and Vieng Siripoun, another programmer in the IT Department, Martin determined that no one fully reviewed the code prior to AFMC's deployment of the Laserfiche Integration Program and on March 17, 2017 sent an email to Herzig communicating that. Shortly thereafter, Herzig informed Little and Ray that development team members Jarrod Thrift and Vieng Siripoun performed the secondary code review.
Herzig and Martin then had Gossman, Siripoun, and another IT Department employee draft a summary of the quality control and testing methods used in the Laserfiche Integration Program's development. Siripoun noted that the summary ultimately did not make a good case for the IT Department, and accepted complete blame for the Laserfiche Integration Program failures. In addition to providing the summary to their superiors, Herzing and Martin suggested that a change made by the Business Intelligence Department may have contributed to the vulnerability. Ray contacted Jason Scheel, Director of the Business Intelligence Department, regarding this matter. Business Intelligence Department personnel did not have access to or responsibility for developing Laserfiche Integration Program code. Scheel communicated that the Business Intelligence Department made a change to the ReviewPoint page layout, and that the IT Department had been involved in that change. Ray reported to AFMC during his preliminary investigation that the Business Intelligence Department did not contribute to the root cause of the Laserfiche Integration Program issues.
On March 28, 2017, Chief Operating Officer Little put Herzig, Martin, Gossman, and Blaylock on administrative leave with pay pending final completion of AFMC's investigation. Each of them was given a final opportunity to provide information for AFMC's consideration. Gossman took responsibility for the contribution of his coding error to any issues with the Laserfiche Integration Program. Herzig expressed disappointment in his development staff and in Martin, and communicated that he held them accountable for these issues. Martin noted that Chief Technology Officer Ray's preliminary investigation did not include a review of information Martin had provided, which he believed indicated that whatever code errors might exist, any vulnerability was created only when the Business Intelligence Department incorrectly set ReviewPoint user permissions.
Chief Technology Officer Ray finalized his investigation and submitted a final report recommending that Herzig, Martin, Gossman, and Blaylock be terminated for their contributions to the Laserfiche Integration Program's vulnerabilities and, in Herzig and Martin's case, for repeated misrepresentations to AFMC that the Laserfiche Integration Program was secure and HIPAA-compliant. HIPAA Privacy Officer Hopkins supported and independently made these recommendations. Chief Operating Officer Little agreed and directed Ray to terminate Herzig, Martin, Gossman, and Blaylock's employment. All four were fired on April 4, 2017. At that time, Herzig was 44 years old and Martin was 41 years old. Additionally, Blaylock was 37, Little was 63, Hopkins was 63, and Scheel was 42.
In September 2017, AFMC hired Michael Troop to replace Herzig as Director of Information Technology. At the time of his hire, Troop was 55 years old. AFMC did not hire anyone to fill the position of Assistant Director of Information Technology. That same month, Herzig and Martin filed discrimination charges with the Equal Employment Opportunity Commission, alleging age discrimination. Following receipt of their right-to-sue letters, Herzig and Martin filed the complaint in this action alleging their employment was terminated in violation of the Age Discrimination in Employment Act ("ADEA"), 29 U.S.C. § 621, et seq.
When the parties conferred pursuant to Federal Rule of Civil Procedure 26(f), they agreed that AFMC might request data from Herzig and Martin's mobile phones and that the parties had taken reasonable measures to preserve potentially discoverable data from alteration or destruction. (Doc. 10, ¶ 4). On July 18, 2018 AFMC served requests for production on Herzig and Martin, including a request for production of documents related to communications with current or former AFMC employees relevant to Herzig and Martin's lawsuit. On August 22, 2018, Herzig and Martin served their responses. Herzig agreed to produce responsive documents. Martin claimed to have no responsive documents. Responsive documents were not produced at that time, however. Rather, on September 4, 2018, Herzig and Martin produced screenshots of parts of text message conversations from Martin's mobile phone, including communications between Herzig and Martin. All produced text message portions ended on August 20, 2018, and Herzig and Martin produced no additional messages. Following a motion to compel, Herzig and Martin produced additional text messages from those text message conversations, but nothing more recent than August 20, 2018. After the August production, Martin installed the application Signal on his phone (Herzig had done so while working at AFMC), and Herzig and Martin used that application for communicating, not only with each other but with Blaylock. Signal allows users to send and receive encrypted text messages accessible only to sender and recipient, and to change settings to automatically delete these messages after a short period of time. Herzig and Martin set the application to delete their communications. Herzig and Martin disclosed no additional text messages to AFMC, and AFMC was unaware of their continued communication using Signal until Herzig disclosed it in his deposition near the end of the discovery period. Herzig and Martin allege that they used the application only to arrange meetings with one another or their attorney, and no longer had any text message communications responsive to AFMC's request for production.
A. Spoliation Motion
In its motion for dismissal or adverse inference on the basis of spoliation, AFMC argues that despite Herzig and Martin's duty to impose litigation holds and to update responses to requests for production following their initial and reluctant production of text messages, Herzig and Martin instead intentionally acted to withhold and destroy discoverable evidence by installing and using the Signal application on their mobile devices. Herzig and Martin respond that they had no duty to allow AFMC to see all their communications, only communications responsive to the requests for production, and AFMC has no evidence that Herzig and Martin had responsive communications using Signal or that the destruction of those communications was in bad faith.
Herzig and Martin had numerous responsive communications with one another and with other AFMC employees prior to responding to the requests for production on August 22, 2018 and producing only some of those responsive communications on September 4, 2018. They remained reluctant to produce additional communications, doing so only after AFMC's motion to compel. Thereafter, Herzig and Martin did not disclose that they had switched to using a communication application designed to disguise and destroy communications until discovery was nearly complete. Based on the content of Herzig and Martin's earlier communications, which was responsive to the requests for production, and their reluctance to produce those communications, the Court infers that the content of their later communications using Signal were responsive to AFMC's requests for production. Based on Herzig and Martin's familiarity with information technology, their reluctance to produce responsive communications, the initial misleading response from Martin that he had no responsive communications, their knowledge that they must retain and produce discoverable evidence, and the necessity of manually configuring Signal to delete text communications, the Court believes that the decision to withhold and destroy those likely-responsive communications was intentional and done in bad faith.
This intentional, bad-faith spoliation of evidence was an abuse of the judicial process and warrants a sanction. The Court need not consider whether dismissal, an adverse inference, or some lesser sanction is the appropriate one, however, because in light of the motion for summary judgment, Herzig and Martin's case can and will be dismissed on the merits.
B. Summary Judgment Motion
Herzig and Martin claim that AFMC's termination of their employment was due to unlawful age discrimination. "It shall be unlawful for an employer to fail or refuse to hire or to discharge any individual or otherwise discriminate against any individual with respect to his compensation, terms, conditions, or privileges of employment, because of such individual's age." 29 U.S.C. § 623(a)(1). "An age discrimination plaintiff may survive the defendant's motion for summary judgment either by setting out direct evidence of discrimination or by creating an inference of discrimination under the McDonnell Douglas Corp. v. Green burden-shifting framework." Haggenmiller, 837 F.3d at 884 (quoting Ramlet v. E.F. Johnson Co., 507 F.3d 1149, 1152 (8th Cir. 2007)).
Direct evidence is evidence showing a specific link between the alleged discriminatory animus and the challenged decision, sufficient to support a finding by a reasonable fact finder that an illegitimate criterion actually motivated the adverse employment action. In this context, whether evidence is direct depends on its causal strength. Direct evidence does not include stray remarks in the workplace, statements by nondecisionmakers, or statements by decisionmakers unrelated to the decisional process itself.Ramlet, 507 F.3d at 1152 (quotations and citations omitted).
Where a plaintiff lacks direct evidence that termination of his employment was unlawful age discrimination, he may create an inference of age discrimination by showing that he was at least 40 years old at the time of the adverse employment action, and so a member of the protected class; was qualified for his position; and was terminated under circumstances that give rise to an inference of age discrimination, such as being replaced by a younger employee. Ramlet, 507 F.3d at 1153. If the plaintiff can make this prima facie case, the defendant must then proffer a legitimate, nondiscriminatory reason for the adverse employment action, and if the defendant can do so, the plaintiff must then show the proffered reason is pretext for age discrimination. Id.
Herzig and Martin lack direct evidence of unlawful age discrimination. Herzig testified in deposition that at some point in October or November 2016, when he was meeting with Chief Technology Officer Ray, Ray mentioned that he was looking to hire some younger talent out of college. (Doc. 33-12, p. 66 (Deposition of Brian Herzig, pp. 258:5-259:20 (Dec. 13, 2018))). However, other than Ray's central involvement in the investigation that led to Herzig and Martin's termination, this single remark has no connection to the adverse employment decision. "Direct evidence does not include stray remarks in the workplace, statements by nondecisionmakers, or statements by decisionmakers unrelated to the decisional process itself." Ramlet, 507 F.3d at 1152 (quoting Browning v. President Riverboat Casino-Missouri, Inc., 139 F.3d 631, 635 (8th Cir. 1998)) (emphasis added).
Because Herzig and Martin do not have direct evidence of discrimination, they must rely on the McDonnell Douglas burden-shifting framework to survive summary judgment. Herzig and Martin cannot make a prima facie case that termination of their employment was the result of age discrimination. Both were members of the protected class—Herzig was 44 years old and Martin was 41 years old at the time of termination of their employment. They were qualified for their positions, and were terminated from those positions on April 4, 2017. However, the circumstances surrounding their termination do not give rise to an inference of unlawful age discrimination. Herzig was replaced as Director of Information Technology by someone even older than Herzig (Michael Troop, who was 55 years old at the time of his hire) and Martin was not replaced. Despite Chief Technology Officer Ray's statement several months prior to the adverse employment action that he wanted to hire younger talent, he did not do so in this case. Although Herzig and Martin point out that some employees younger than them were not fired for involvement in the issues with the Laserfiche Integration Program, other employees younger than Herzig and Martin—such as Blaylock—were fired for involvement. Finally, the only employee who might possibly be similarly situated to Herzig and Martin but treated differently for his involvement in the Laserfiche Integration Program ReviewPoint issues was Director of Business Intelligence Jason Scheel, who was 42 years old and within the same protected class. The circumstances surrounding termination of Herzig and Martin's employment do not give rise to an inference of discrimination, and they have failed to make a prima facie case.
Even if Herzig and Martin could have made a prima facie case, AFMC has proffered a legitimate, nondiscriminatory reason for terminating their employment. HIPAA requires that appropriate disciplinary action be taken against employees to ensure compliance. Herzig and Martin misled AFMC leadership regarding ReviewPoint's compliance with HIPAA access and audit requirements and led the Information Technology Department that AFMC determined was ultimately responsible for the potential vulnerabilities in the Laserfiche Integration Program. AFMC believed termination of Herzig and Martin's employment was appropriate discipline.
Herzig and Martin argue in response that AFMC was incorrect about any vulnerabilities and who caused them. This is insufficient to show that AFMC's proffered reason was pretext for unlawful discrimination. Whether or not AFMC was ultimately correct about Herzig and Martin's culpability is immaterial. What matters is whether AFMC believed that Herzig and Martin were responsible for the issues AFMC believed existed. See McCullough v. Univ. of Ark. for Med. Scis., 559 F.3d 855, 861-62 (8th Cir. 2009) ("The critical inquiry in discrimination cases like this one is not whether the employee actually engaged in the conduct for which he was terminated, but whether the employer in good faith believed that the employee was guilty of the conduct justifying discharge."). Chief Technology Officer Ray investigated the cause of the perceived vulnerability in the Laserfiche Integration Program, and in their response to AFMC's statement of facts Herzig and Martin both dispute that Ray has the technical capability to accurately determine whether computer code creates a vulnerability or whether a particular AFMC employee actually caused technical issues. As a result, Herzig and Martin argue that AFMC was incorrect and disciplined them for something they were not responsible for; that is, they argue AFMC's proffered reason was wrong, rather than arguing AFMC proffered its reason knowing the reason was untrue, or pretextual.
Even if Herzig and Martin could show that AFMC's proffered reason was pretextual, they cannot show it was pretext for unlawful discrimination. See St. Mary's Honor Ctr. v. Hicks, 509 U.S. 502, 515-16 (1993) (holding it is not enough that a plaintiff show that an employer's stated reasons were pretextual, but the plaintiff must also show that the underlying reason was unlawful discrimination). "An employee's attempt to prove pretext or actual discrimination requires more substantial evidence than it takes to make a prima facie case, . . . because unlike evidence establishing the prima facie case, evidence of pretext and discrimination is viewed in light of the employer's justification." Smith v. Allen Health Sys., Inc., 302 F.3d 827, 834 (8th Cir. 2002) (quoting Sprenger v. Fed. Home Loan Bank of Des Moines, 253 F.3d 1106, 1111 (8th Cir., 2001)). Herzig and Martin did not cite to evidence sufficient to make a prima facie case of unlawful discrimination. Without even that evidence, then whether or not they can show that AFMC's proffered reason for terminating their employment was pretext, they cannot make a showing that the actual cause was unlawful age discrimination.
Without direct evidence of unlawful discrimination or sufficient evidence to raise an inference of unlawful discrimination under the McDonnell Douglas burden-shifting framework, no reasonable juror could find in favor of Herzig and Martin on their age discrimination claim. The motion for summary judgment must be granted.
IT IS THEREFORE ORDERED that Defendant's motion to dismiss or for an adverse inference (Doc. 26) is GRANTED IN PART and DENIED IN PART. The motion is GRANTED insofar as the Court finds Herzig and Martin intentionally spoliated evidence in bad faith, but because the motion for summary judgment will be granted, the requested sanctions are DENIED as moot.
IT IS FURTHER ORDERED that Defendant's motion for summary judgment (Doc. 33) is GRANTED and Plaintiffs' age discrimination claims are DISMISSED WITH PREJUDICE. Judgment will be entered accordingly.
IT IS SO ORDERED this 3rd day of July, 2019.
P.K. HOLMES, III
U.S. DISTRICT JUDGE