Case No. 3:16-cv-1938
MEMORANDUM OPINION AND ORDER
Defendant Mercy Health requests I dismiss Plaintiff Lindsey Williams-Diggins' First Amended Complaint, arguing Williams-Diggins does not have standing to bring the claims asserted in his complaint, and also that he fails to state a claim for relief even if jurisdiction existed. (Doc. No. 27). Williams-Diggins opposes, arguing he both has standing to bring his claims and has stated plausible claims for relief. (Doc. No. 30). Mercy Health filed a brief in reply. (Doc. No. 33). For the reasons stated below, Defendant's motion is granted.
Williams-Diggins initiated this action on August 2, 2016, alleging Mercy Health's use of software known as the Horizon Patient Folder WebStation portal ("WebStation") caused private and protected patient information to be exposed to unauthorized third parties. Mercy Health uses WebStation to store and maintain its patients' personal health information, and to give patients electronic access to that information. (Doc. No. 21 at 5 (alleging WebStation has been described "as a 'document management and imaging solution that electronically captures, indexes, completes and stores a legal electronic medical record' and that allows for '[e]asy access to patient information'")).
Williams-Diggins asserts the known issues with the WebStation platform caused WebStation to be publicly available and to potentially allow unauthorized individuals or other third parties to access patients' medical information, including treatment records and lab results. He asserts Mercy Health knew or should have known WebStation operated on an outdated Java-based computer server that could be easily accessed, permitting patient information to be removed or deleted. (Doc. No. 1 at 11 ("It is just a matter of time until a hacker discovers Mercy's vulnerable system and further exposes patients' private medical information.")). Mercy Health certified it had completed updates and additional measures addressing the issue with WebStation on August 5, 2016.
Williams-Diggins alleges Mercy Health assumed a duty to maintain the security and confidentiality of its patients' medical information through its Notice of Privacy Practices and its "Corporate Responsibility" and "Core Values" statements on its website. (Doc. No. 21 at 6-8). Williams-Diggins also alleges Mercy Health is obligated to fulfill this duty by the Healthcare Insurance Portability and Accountability Act ("HIPAA") and "industry standards." (Id. at 6, 9). Further, Williams-Diggins contends the particular vulnerabilities compromising the version of WebStation Mercy Health operated had been known for several years and could have been easily and inexpensively repaired well before he filed suit. (Doc. No. 21 at 13, 16-17). He seeks to represent a nationwide class and an Ohio-based subclass made up of other Mercy Health patients to pursue claims for breach of contract, unjust enrichment, breach of confidence, and violation of the Ohio Consumer Sales Protection Act.
A federal court does not have jurisdiction under Article III of the Constitution of the United States to hear a claim unless the individual bringing the claim has standing to do so. A plaintiff has standing to assert a claim if the plaintiff "(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992) and Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81 (2000)). "To establish injury in fact, a plaintiff must show that he or she suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'" Spokeo, Inc., 136 S. Ct. at 1548 (quoting Lujan, 504 U.S. at 560). Challenges to Article III standing are reviewed as questions of subject matter jurisdiction pursuant to Rule 12(b)(1). Am. BioCare Inc. v. Howard & Howard Att'ys PLLC, 702 F. App'x 416, 419 (6th Cir. 2017).
In order to establish standing, Williams-Diggins must show a "'concrete' injury . . . that is, [one that] actually exist[s]." Spokeo, 136 S. Ct. at 1548. Because he cannot, his claims cannot proceed.
As Plaintiff appears to concede, he cannot establish standing by alleging Defendant's software put his personal information at risk because it could have easily been accessed without permission by a third party. (See Doc. No. 30 at 11-12). Even before Defendant implemented the security updates and remedied the alleged vulnerabilities, Williams-Diggins only alleged that his personal information might be accessed improperly, not that it actually was. (See, e.g., Doc. No. 1 at 2 ("[S]ensitive medical information entrusted to Mercy by its patients has been exposed and is at great risk of further authorized disclosure (if it hasn't already been disclosed.")). Allegations of "possible future injury" do not rise to the level of an "imminent injury." Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016) (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (emphasis in original)); see also Bassett v. ABM Parking Servs., Inc., 883 F.3d 776, 783 n.4 (9th Cir. 2018) (citing Galaria and dismissing plaintiff's claim under the Fair Credit Report Act for lack of standing as too speculative, due to plaintiff's failure to allege his personal information actually was improperly accessed or taken). The mere possibility that Williams-Diggins' personal information "may have already been compromised and misused," (Doc. No. 21 at 26), is only a link in the "speculative chain of possibilities" which might lead from Plaintiff's relationship with Defendant to the alleged harm for which he seeks to recover. Clapper, 568 U.S. at 410 (citing Summers v. Earth Island Institute, 555 U.S. 488, 496 (2009)). That possibility is not sufficient to confer standing.
While Williams-Diggins alleges he and other Mercy patients "remain at risk of suffering further harm from the long-term exposure of their confidential and sensitive information . . . until a third party is able to confirm that—despite Mercy's lackluster data practices—patient data was not compromised," he has the burden to allege facts which show he actually has suffered an injury. (Doc. No. 21 at 3). He may not proceed by attempting to require Mercy to prove he was not harmed. See, e.g., Daubenmire v. City of Columbus, 507 F.3d 383, 388 (6th Cir. 2007) ("The party seeking to invoke federal jurisdiction bears the burden to demonstrate standing and he 'must plead its components with specificity.'" (quoting Coyne v. Am. Tobacco Co., 183 F.3d 488, 494 (6th Cir. 1999))).
Nor does Plaintiff's overpayment theory help to establish standing. Williams-Diggins contends he suffered an economic injury because some portion of his payments to Defendant for healthcare services were for data security measures that Defendant should have (but did not) take. (Doc. No. 30 at 10-11). The problem with Plaintiff's argument is that his allegations only show Defendant did not take a specific action, and do not show Defendant failed to take sufficient action to prevent unauthorized disclosure. Cf. Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012) ("Plaintiffs also allege that AvMed either failed to implement or inadequately implemented policies to secure sensitive information, as can be seen from the data breach" (emphasis added)). Instead, taking his allegations as true, he paid for healthcare services with the expectation that the personal information he provided or that was created through the care he received would not be disclosed to third parties who were not entitled to obtain it. This is what he received. Even if Defendant's approach to data security was clumsy, it also was harmless, and that is fatal to Plaintiff's claims.
The cases Plaintiff cites in his opposition brief are not to the contrary. (See, e.g., Doc. No. 30 at 12-13). Though the plaintiffs in those cases plausibly alleged claims under an overpayment or benefit-of-the-bargain theory, those cases involved actual disclosure or breach. See, e.g., Resnick, 693 F.3d at 1322 (Defendant had not secured customer information saved on two laptops stolen from defendant's offices); In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F.Supp.3d 1183 (D. Ore. 2016) (hackers obtained customer information through a phishing message sent to a Premera employee); In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953 (N.D. Cal. 2016) (customer data stolen from company by hackers); Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (denying defendant's motion to dismiss plaintiff's overpayment breach-of-contract claim because defendant's disclosure to third party of plaintiff's personal information "already has occurred"); Svenson v. Google, Inc., 2015 WL 1503429 (N.D. Cal., April 1, 2015) (denying motion to dismiss plaintiff's benefit-of-the-bargain breach of contract claim because defendant transferred customer information to a third party in violation of the parties' contract). Williams-Diggins does not allege a concrete injury because he cannot show Mercy Health did not actually prohibit the disclosure of his personal information.
Finally, as Defendant notes, Williams-Diggins' remaining factual allegations regarding patient data security measures also do not establish standing because those allegations rely on HIPAA regulations. (See, e.g., Doc. No. 21 at 19 ("Mercy also failed to comply with industry standards. Over a decade ago, in March 2005, the National Institute of Standards and Technology ("NIST") published a report detailing standards for healthcare providers seeking to comply with HIPAA's Security Rule.")). "Any HIPAA claim fails as HIPAA does not create a private right of action for alleged disclosures of confidential medical information." Wilkerson v. Shinseki, 606 F.3d 1256, 1267 n.4 (10th Cir. 2010).
For the reasons stated above, Mercy Health's motion to dismiss Williams-Diggins' complaint for lack of standing pursuant to Rule 12(b)(1), (Doc. No. 27), is granted.
s/ Jeffrey J. Helmick
United States District Judge