Weinberg v. Advanced Data Processing, Inc.

147 F.Supp.3d 1359

Yehonatan Weinberg, individually and on behalf of all others similarly situated, Plaintiff,

v.Advanced Data Processing, Inc., et al., Defendants.

Case No. 15–CIV–61598–BLOOM/Valle

United States District Court, S.D. Florida.

Signed November 16, 2015

Filed November 17, 2015

Edmund Alonso Normand, Normand Law PLLC., Orlando, FL, for Plaintiff.

Dana M. Richens, Smith Gambrell & Russell, Atlanta, GA, John Patrick Marino, Smith Gambrell Russell, Jacksonville, FL, for Defendants.

ORDER

BETH BLOOM, UNITED STATES DISTRICT JUDGE

THIS CAUSE is before the Court upon Defendant's Motion to Dismiss, (“Motion”), ECF No. [13], Plaintiff's Complaint, ECF No. [1] (“Complaint”). The Court has carefully reviewed the Motion, all supporting and opposing submissions, the record, and applicable law. For the reasons set forth below, the Motion is granted in part and denied in part.

I. Introduction

Plaintiff Yehonatan Weinberg (“Plaintiff”) commenced this class action lawsuit on August 4, 2015, against Defendants Advanced Data Processing, Inc. (“ADP”) and Intermedix Corp. (“Intermedix,” together with ADP, “Defendants”),¹ for failure to safeguard the sensitive personal information of Plaintiff and other emergency medical service patients (the “Class”), including their names, dates of birth, Social Security numbers, dates of medical services, health insurance information, and other protected health information (collectively, “Sensitive Information”), pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. §§ 1301, et seq., and its implementing rules.

At some point in 2012, Plaintiff was taken by ambulance to a hospital for emergency medical treatment. Compl. ¶ 36. In order to use the ambulance, Plaintiff was required to provide the ambulance service with his Sensitive Information. Id. ¶ 37. “Unbeknownst to Plaintiff,” the ambulance services he used, Philadelphia Fire Department Emergency Medical Services (“EMS”), engaged Defendants to handle its billing and payment-related processing services. Id. ¶ 38. As a result, Defendants received Plaintiff's Sensitive Information. Id. Between June 1 and October 2, 2012, “an Intermedix employee systematically accessed and viewed the Sensitive Information of hundreds (if not thousands) of emergency medical service patients [the Class] who used ambulances ( [for] which Intermedix provided, among other things, billing and payment processing [ ] ). This Sensitive Information was then provided to third parties who used it to file fraudulent tax returns with the Internal Revenue Service.” Id. ¶¶ 4, 21.

The records accessed and viewed by the Intermedix employee included Plaintiff's Sensitive Information. Id. ¶ 39. Plaintiff's Sensitive Information was “thereafter disclosed to or sold to a group of individuals who subsequently used that information to steal his identity and file a fraudulent tax return using his name and Social Security number.” Id. ¶ 40. Plaintiff alleges that “after learning that his identity was stolen, Plaintiff Weinberg spent (and continues to spend) a substantial amount of time and resources fixing the identity theft that he experienced.” Id. ¶ 41. Plaintiff further claims that these instances of identity theft, both for him and for the Class, were caused directly by Intermedix's failure to protect his Sensitive Information. Id. ¶¶ 6, 44–46.

Intermedix's alleged security failures include, but are not limited to, the following:

Failing to ensure the confidentiality and integrity of electronic protected health information created, received, maintained, and transmitted in violation of 45 C.F.R. § 164.306(a)(1) ;

Failing to implement technical policies and procedures for electronic information systems that maintain electronically protected health information to allow access only to those persons or software programs that have been granted access rights in violation of 45 C.F.R. § 164.312(a)(1) ;

Failing to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 C.F.R. § 164.308(a)(1) ;

Failing to identify and respond to suspected or known security incidents, and failing to mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity in violation of 45 C.F.R. § 164.308(a)(6)(ii) ;

Failing to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information in violation of 45 C.F.R. § 164.306(a)(2) ;

Failing to protect against reasonably anticipated uses or disclosures of electronic protected health information that are not permitted under the privacy rules regarding individually identifiable health information in violation of 45 C.F.R. § 164.306(a)(3) ;

Failing to ensure compliance with the HIPAA security standard rules by their workforce in violation of 45 C.F.R. § 164.306(a)(4) ;

Impermissibly and improperly using and disclosing protected health information that is and remains accessible to unauthorized persons in violation of 45 C.F.R. §§ 164.502, et seq. ; and

Failing to effectively train all members of their workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of their workforce to carry out their functions and to maintain security of protected health information in violation of 45 C.F.R. [§] 164.308(a)(5).

Id. ¶¶ 30–31. The Complaint also alleges that Defendants failed to comply with industry standards relating to data security.² Id. ¶¶ 32–34.

The Complaint states three counts—one for negligence, a second for breach of fiduciary duty, and a third for unjust enrichment. As to the negligence claim, Plaintiff asserts that Defendants “had a duty to exercise reasonable care in safeguarding and protecting” Sensitive Information, id. ¶ 55, as well as “a duty to employ procedures to detect and prevent the improper access and misuse of the Plaintiff's and the Class's Sensitive Information,” id. ¶ 56. Plaintiff alleges that Defendants unlawfully breached these duties. Id. ¶¶ 56–57. “But for [Defendants'] breach of its duties, Plaintiff's and the Class's Sensitive Information would not have been compromised. Plaintiff's and the Class's Sensitive Information was stolen and accessed as the proximate result of Intermedix failing to exercise reasonable care in safeguarding such information by adopting, implementing, and maintaining appropriate security measures.” Id. ¶ 59. Pursuant to the claim for breach of fiduciary duty, Defendants “owed a fiduciary duty to Plaintiff and the Class to: (1) protect their Sensitive Information; (2) timely notify them of a data breach; and (3) maintain complete and accurate records of what and where their Sensitive Information was stored and who had access to that information.” Id. ¶ 63. Defendants breached this duty to Plaintiff and the Class by failing to safeguard their Sensitive Information, which failures are articulated in more detail above and in the Complaint. See id. ¶ 64. For counts one and two, Plaintiff alleges actual damages that proximately flow from Defendants' breach of fiduciary duty, as well as “other forms of injury and/or harm including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses.” Id. ¶¶ 60–61, 65–66.³ Plaintiff's third cause of action for unjust enrichment alleges that, “[u]nder principles of equity and good conscience,” Plaintiff and the Class are owed money knowingly received by Defendants for their payment processing services. Id. ¶¶ 67–72.

II. Legal Standard

A pleading in a civil action must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). Although a complaint “does not need detailed factual allegations,” it must provide “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ; see Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (explaining that Rule 8(a)(2)'s pleading standard “demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation”). Nor can a complaint rest on “ ‘naked assertion[s]’ devoid of ‘further factual enhancement.’ ” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Twombly, 550 U.S. at 557, 127 S.Ct. 1955 (alteration in original)). When reviewing such a motion, a court, as a general rule, must accept the plaintiff's allegations as true and evaluate all plausible inferences derived from those facts in favor of the plaintiff. See Chaparro v. Carnival Corp., 693 F.3d 1333, 1337 (11th Cir.2012) ; Miccosukee Tribe of Indians of Fla. v. S. Everglades Restoration Alliance, 304 F.3d 1076, 1084 (11th Cir.2002) ; AXA Equitable Life Ins. Co. v. Infinity Fin. Grp., LLC, 608 F.Supp.2d 1349, 1353 (S.D.Fla.2009) (“On a motion to dismiss, the complaint is construed in the light most favorable to the non-moving party, and all facts alleged by the non-moving party are accepted as true.”).

A court considering a Rule 12(b) motion is generally limited to the facts contained in the complaint and attached exhibits, including documents referred to in the complaint that are central to the claim. See Wilchombe v. TeeVee Toons, Inc., 555 F.3d 949, 959 (11th Cir.2009) ; Maxcess, Inc. v. Lucent Technologies, Inc., 433 F.3d 1337, 1340 (11th Cir.2005) (“[A] document outside the four corners of the complaint may still be considered if it is central to the plaintiff's claims and is undisputed in terms of authenticity.”) (citing Horsley v. Feldt, 304 F.3d 1125, 1135 (11th Cir.2002) ).

III. Discussion

Defendants argue that Plaintiff's allegations are conclusory and, thus, insufficient. See Motion at 2. For this reason, they argue that none of Plaintiff's three counts state a claim upon which relief can be granted. See id. Plaintiff counters that Defen...