Charlie v. Rehoboth McKinley Christian Health Care Servs.

598 F.Supp.3d 1145

Alicia CHARLIE, Leona Garcia Lacy, Darrell Tsosie, and E.H., a minor, by and through his guardian, Gary Hicks on behalf of themselves and a class of similarly situated individuals, Plaintiffs,

v.REHOBOTH MCKINLEY CHRISTIAN HEALTH CARE SERVICES, Defendant.

Civ. No. 21-652 SCY/KK

United States District Court, D. New Mexico.

Filed April 11, 2022

Kristina Martinez, Egolf, Ferlic & Harwood, LLC, Santa Fe, NM, David K. Lietz, Pro Hac Vice, Gary E. Mason, Pro Hac Vice, Mason Lietz & Klinger LLP, Washington, DC, Gary M. Klinger, Pro Hac Vice, Mason, Lietz, and Klinger LLP, Chicago, IL, for Plaintiffs.

Elizabeth Perkins, Gregory L. Biehler, Lewis Brisbois Bisgaard & Smith LLP, Albuquerque, NM, Jon P. Kardassakis, Pro Hac Vice, Lewis Brisbois, Los Angeles, CA, for Defendant.

MEMORANDUM OPINION AND ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS ¹

STEVEN C. YARBROUGH, UNITED STATES MAGISTRATE JUDGE

Plaintiffs bring this putative class action case in the wake of a ransomware cyberattack against Defendant Rehoboth McKinley Christian Health Care Services that exposed patients’ private data to cybercriminals. According to the complaint, the compromised data included personal identifying information of the Plaintiffs and putative class members. This breach allegedly increased the risk of identity fraud for Plaintiffs and putative class members. Plaintiffs claim Defendant was negligent or reckless with the data and, despite knowing of the risk of cyberattacks, Defendant failed to take adequate precautions to guard against that risk. Defendant moves to dismiss, arguing that it had no actionable duty to protect Plaintiffs’ data, that Plaintiffs fail to allege actual damages, and that most of the individual causes of action fail for various other reasons.

The Court rejects Defendant's no-duty argument. At a minimum, it owed Plaintiffs a duty of ordinary care with respect to storing and protecting their private data. Regarding damages, Plaintiffs allege that Defendant's failure to protect their private information has caused them to devote time to protecting and monitoring their security. Defendant has not argued that recovery for the value of this lost time is not permitted. Lastly, the Court agrees with Defendant that the complaint does not sufficiently allege a cause of action based on affirmative misrepresentations under the Arizona Consumer Fraud Act, a breach of implied contract, or the intentional tort of intrusion into private affairs. However, Defendant's remaining arguments directed at Plaintiffs’ various claims are unavailing and so the Court denies the balance of Defendant's motion to dismiss.

BACKGROUND

Plaintiffs filed this action in state court on June 4, 2021. Class Action Complaint, Doc. 2 ("Compl.") at 3. Defendant removed it to federal court on July 15, citing the Class Action Fairness Act. Doc. 1 at 3. The case concerns a cybersecurity incident through which an unauthorized actor was able to access patient information and data between January 21 and February 5, 2021. Compl. ¶ 41. Defendant learned of the breach on February 16 and began notifying affected individuals on May 19. Id. ¶¶ 39, 45. The complaint brings causes of action for (1) negligence; (2) intrusion upon seclusion/invasion of privacy; (3) negligence per se; (4) breach of implied contract; (5) breach of fiduciary duty; (6) unjust enrichment; (7) violation of the New Mexico Unfair Practices Act; and (8) violation of the Arizona Consumer Fraud Act.

The complaint alleges that "[a]s a result of the Data Breach, Plaintiffs and approximately 207,191 Class Members suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the unauthorized access and exfiltration of their sensitive and highly personal information." Compl. ¶ 2 (footnote omitted). Plaintiffs allege that Defendant inadequately safeguarded their data, failed to provide timely and adequate notice of the breach, and maintained the data "in a reckless matter" so as to be "vulnerable to cyberattacks," and that "the mechanism of the cyberattack and potential for improper disclosure ... was a known risk to Defendant." Id. ¶¶ 3-4. The complaint alleges Defendant failed to follow: Federal Trade Commission ("FTC") guidelines to protect customer data, id. ¶¶ 50-58, various industry standards, id. ¶¶ 59-63, and the Health Insurance Portability and Accountability Act ("HIPAA"), id. ¶¶ 64-68.

Plaintiffs allege their "identities are now at considerable risk" because data thieves can commit future crimes using the stolen data. Id. ¶¶ 9-10. As a result, Plaintiffs have a "heightened and imminent risk of fraud and identity theft." Id. ¶ 11. Plaintiffs "must now and in the future closely monitor their financial and medical accounts and information to guard against identity theft" and "may also incur actual monetary costs." Id. ¶¶ 11-12. Plaintiff Alicia Charlie "has experienced a substantial increase in suspicious scam phone calls which appear to be placed with the intent to obtain personal information to commit identity theft by way of a social engineering attack." Id. ¶ 109. "Since being notified of the Data Breach, Plaintiff Alicia Charlie has been monitoring her accounts for fraud and dealing with the impact of the Data Breach at least three times per week." Id. ¶ 110. "Plaintiff E.H. received a notice letter regarding the unauthorized access and breach of his confidential health information, and consequently his guardian, Gary Hicks, has to expend time and resources dealing with the impact of the Data Breach." Id. ¶ 111. "Plaintiff Leona Garcia Lacy has begun to receive phishing calls regarding a payday loan ...." Id. ¶ 112. She "has spent at least 2 hours per week monitoring her accounts for fraud and dealing with the impact of the Data Breach." Id. ¶ 113. "Plaintiff Darrell Tsosie received a notice letter regarding the unauthorized access and breach of his confidential health information, and consequently he has to expend time and resources dealing with the impact of the Data Breach." Id. ¶ 114. All Plaintiffs "anticipate" spending time and money on an ongoing basis, "face substantial risk of out-of-pocket fraud losses" and being targeted by "future" cybercriminal activity, and "may" incur costs for monitoring services. Id. ¶¶ 115, 119-21. "Plaintiffs and Class Members also suffered a loss of value of their Private Information when it was acquired by cyber thieves in the Data Breach." Id. ¶ 122. Plaintiffs "live with the anxiety that their Private Information" may be publicly exposed. Id. ¶ 127.

Defendant filed this motion to dismiss on August 17, 2021. Doc. 15. Defendant argues that it has no duties under state law, as the state legislature has passed a statute requiring only that companies notify their customers in the event of a data breach, which Defendant did in this case. Further, Defendant argues it has no duty to protect Plaintiffs from the criminal actions of third-party hackers. Regarding federal statutes, Defendant asserts that the Federal Trade Commission Act ("FTCA") and HIPAA do not create a private cause of action. Moving past the concept of duty, Defendant argues that all Plaintiffs’ claims should be dismissed because Plaintiffs do not allege actionable damages. Finally, Defendant moves to dismiss multiple counts in the complaint for reasons unique to each claim. Plaintiffs filed a response on September 14, Doc. 22,² and Defendant filed a reply on October 12, Doc. 28. Briefing is complete and the motion is ready for decision.

STANDARD OF REVIEW

Federal Rule of Civil Procedure 8 requires that a complaint state "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Federal Rule of Civil Procedure 12(b)(6) allows a court to dismiss a complaint for failure to state a claim upon which the court can grant relief. "[T]o withstand a Rule 12(b)(6) motion to dismiss, a complaint must contain enough allegations of fact, taken as true, to state a claim to relief that is plausible on its face." Khalik v. United Air Lines , 671 F.3d 1188, 1190 (10th Cir. 2012) (quoting Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). While a complaint does not require detailed factual allegations to survive a Rule 12(b)(6) motion to dismiss, it "requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Twombly , 550 U.S. at 555, 127 S.Ct. 1955.

"A claim is facially plausible when the allegations give rise to a reasonable inference that the defendant is liable." Mayfield v. Bethards , 826 F.3d 1252, 1255 (10th Cir. 2016). The court's consideration, therefore, is limited to determining whether the complaint states a legally sufficient claim upon which the court can grant relief. See Sutton v. Utah State Sch. for the Deaf & Blind , 173 F.3d 1226, 1236 (10th Cir. 1999). The court is not required to accept conclusions of law or the asserted application of law to the alleged facts. See Hackford v. Babbitt , 14 F.3d 1457, 1465 (10th Cir. 1994). Nor is the court required to accept as true legal conclusions that are masquerading as factual allegations. Ashcroft v. Iqbal , 556 U.S. 662, 679, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). The court must, however, view the plaintiffs’ allegations in the light most favorable to them. Schrock v. Wyeth, Inc. , 727 F.3d 1273, 1280 (10th Cir. 2013).

DISCUSSION

Defendant's primary argument is that it owed Plaintiffs no duty to protect their information from the criminal acts of third parties over which it had no control. It cites various statutes, all of which it argues impose no duty on it to protect Plaintiffs’ information. The Court disagrees. Regardless of whether any statute explicitly imposed such a duty and regardless of whether Defendant could...