Opris v. Sincera Reprod. Med.
I. INTRODUCTION
II. BACKGROUND
III. STANDARD OF REVIEW
IV. ANALYSIS
1. Negligence
a. Duty
b. Breach of Duty
c. Causation
d. Actual Injury or Damages
2. Negligence Per Se
a. HIPAA
b. FTC Act
V. CONCLUSION
I. INTRODUCTION
Cybersecurity is a topic of utmost importance in a world reliant upon technology. One particular use of technology is to store information. Despite the benefits of computerized data storage and the precautions taken to safeguard the data, maintaining sensitive personal information on a computer server leaves this data exposed to hackers and other bad actors. This case involves a class action lawsuit brought by Plaintiffs against their healthcare provider, Defendant Sincera Reproductive Medicine (“Sincera”), after a breach of their sensitive personal data. The breach occurred when a hacker accessed the healthcare facility's computer server. Before the Court is Defendant Sincera's Motion to Dismiss the Amended Complaint for failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6). (Doc. No. 17.) For reasons that follow, the Court will grant Defendant's Motion in part and deny it in part.
II. BACKGROUND
The named Plaintiffs in this case, Simona Opris, Adrian Adam, and Britney Richardson, are former patients of Defendant Sincera Reproductive Medicine (“Sincera”). (Doc. No. 15 ¶ 6.) Sincera is an entity that provides reproductive medicine to its patients. (See id. ¶ 17.) On May 13, 2021, Plaintiffs received a written notification from Defendant that a data breach had occurred at the healthcare center. (See id. ¶ 14.) The notification informed Plaintiffs that their personal identifiable information (“PII”) and protected health information (“PHI”) may have been exposed to third parties during the breach. (Id. ¶ 15.) This PII and PHI included, inter alia, patient names, driver's license numbers, medical diagnosis and treatment information, prescription information, treating and referring physician information, and health insurance information. (Id. ¶ 39.)
As alleged in the Amended Complaint, on or before August 10, 2020, the data breach occurred when a hacker gained access to Sincera's network, where all patient data was stored. (Id. ¶ 38.) Sincera did not contain the breach until September 13, 2020. (Id.) Because of this lapse in time, “the hacker had unlimited access to confidential patient data on [Sincera's] networks (including Plaintiffs' and Class Members' breached PII and PHI) for more than one month.” (Id. ¶ 38.) Also, sometime on or before November 8, 2020, the patient information was posted on a ransomware website, Maze, on the dark web.[1] (Id. ¶ 40.) The Amended Complaint alleges that more than 37,000 patients of Defendant had their PII and PHI taken as a result of the breach. (Id. ¶ 43.)
On June 1, 2021, Plaintiffs initiated this case by filing a class action Complaint in the Philadelphia Court of Common Pleas. (See Doc. No. 1-1.) The Complaint identifies the class as “individuals, patients of or people that are customers of or have their records at Sincera whose PII and/or PHI was accessed and exposed to unauthorized third parties” during the data breach. (Id. ¶ 6.) On July 9, 2021, Defendant Sincera removed the case to this Court pursuant to the Class Action Fairness Act (“CAFA”), under 28 U.S.C. § 1332(d)(2). (See Doc. No. 1.)
On August 31, 2021, Plaintiffs filed an Amended Complaint. (Doc. No. 15.) The Amended Complaint alleges four claims against Defendant: (1) negligence (Count I); (2) breach of fiduciary duty and confidences (Count II); (3) violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law (“UTPCPL”), 73 P.S. § 201-1, et seq. (Count III); and (4) for a declaratory judgment under the Declaratory Judgment Act, 28 U.S.C. §§ 2201, et seq. (Count IV).
On September 14, 2021, Defendant Sincera filed the instant Motion to Dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim. (Doc. No. 17.) In the Motion, Defendant argues that the Amended Complaint in its entirety should be dismissed. (Id. at 10.)
Essentially, Defendant asserts that the Amended Complaint fails to allege that Plaintiffs “are the victims of identity theft, actual or attempted,” that Plaintiffs “have made any purchases in an attempt to monitor their credit or identity,” or that Plaintiffs took particular actions “in response to the ransomware attack.” (Id.) Thus, Defendant seeks dismissal of Counts I, II, III, and IV.
On October 12, 2021, Plaintiffs filed a Response in Opposition to Defendant's Motion. (Doc. No. 20.) And on October 26, 2021, Defendant filed a Reply. (Doc. No. 22.) On October 28, 2021, Defendant filed a Memorandum of Supplemental Authority, noting a recent Pennsylvania Superior Court decision, Bailey v. Hosp. of the Univ. of Pennsylvania, 266 A.3d 654 (Pa. Super. 2021).[2] (Doc. No. 23.) On December 21, 2021, the Court held a hearing on Defendant's Motion to Dismiss. The matter is now fully briefed and ripe for disposition.
III. STANDARD OF REVIEW
The motion to dismiss standard under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim is set forth in Ashcroft v. Iqbal, 556 U.S. 662 (2009). After Iqbal it is clear that “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice” to defeat a Rule 12(b)(6) motion to dismiss. Id. at 678; see also Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007). “To survive dismissal, ‘a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.'” Tatis v. Allied Interstate, LLC, 882 F.3d 422, 426 (3d Cir. 2018) (quoting Iqbal, 556 U.S. at 678). Facial plausibility is “more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting Iqbal, 556 U.S. at 678). Instead, “[a] claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (quoting Iqbal, 556 U.S. at 678).
Applying the principles of Iqbal and Twombly, the Third Circuit in Santiago v. Warminster Township, 629 F.3d 121 (3d Cir. 2010) set forth a three-part analysis that a district court in this Circuit must conduct in evaluating whether allegations in a complaint survive a Rule 12(b)(6) motion to dismiss:
First, the court must “tak[e] note of the elements a plaintiff must plead to state a claim.” Second, the court should identify allegations that, “because they are no more than conclusions, are not entitled to the assumption of truth.” Finally, “where there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement for relief.”
Id. at 130 (quoting Iqbal, 556 U.S. at 675, 679). The inquiry is normally broken into three parts: “(1) identifying the elements of the claim, (2) reviewing the complaint to strike conclusory allegations, and then (3) looking at the well-pleaded components of the complaint and evaluating whether all of the elements identified in part one of the inquiry are sufficiently alleged.” Malleus v. George, 641 F.3d 560, 563 (3d Cir. 2011).
A complaint must do more than allege a plaintiff's entitlement to relief, it must “show” such an entitlement with its facts. Fowler v. UPMC Shadyside, 578 F.3d 203, 210-11 (3d Cir. 2009) (citing Phillips v. Cnty. of Allegheny, 515 F.3d 224, 234-35 (3d Cir. 2008)). “[W]here the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged-but it has not ‘show[n]'-‘that the pleader is entitled to relief.'” Iqbal, 556 U.S. at 679 () (citation omitted). The “plausibility” determination is a “context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Id.
IV. ANALYSIS
Count I of the Amended Complaint asserts a claim for negligence under Pennsylvania law, as well as negligence per se for failure to comply with the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45(a),[3] and the Health Insurance Portability and Accountability Act (“HIPAA”) 42 U.S.C. § 1320(d) et seq.[4] In the Motion to Dismiss, Defendant asserts that the elements of a negligence claim under Pennsylvania law are not met. Additionally, Defendant argues that, under Pennsylvania law, a plaintiff may not assert negligence per se unless the statute authorizes a private right of action, “or the aim of the action is to protect a particular group of individuals.” (Doc. No. 17 at 17.) And, according to Defendant, neither is met here. In response to these arguments, Plaintiffs assert that they have pled the elements of negligence under Pennsylvania law, and there is no requirement that asserting an action for negligence per se must be authorized by statute. The Court will address each argument in turn.
1. Negligence
To make out a claim of negligence under Pennsylvania law, a plaintiff must assert the following elements: (1) a duty to conform to a certain standard for the protection of others against unreasonable risks; (2) the defendant's failure to conform to that standard, or a breach of its duty; (3) a causal connection between the conduct and the resulting...