Wittmeyer v. Heartland All. For Human Needs & Human Rights

1

TRACY WITTMEYER and AUDREY APPIAKORANG, Plaintiffs v. HEARTLAND ALLIANCE FOR HUMAN NEEDS & RIGHTS, et al., Defendants

No. 23 CV 1108

United States District Court, N.D. Illinois, Eastern Division

January 17, 2024

MEMORANDUM OPINION AND ORDER

JEREMY C. DANIEL, JUDGE

Plaintiffs Tracy Wittmeyer and Audrey Appiakorang, on behalf of themselves and all others similarly situated, bring suit against Heartland Alliance for Human Needs & Rights and its four sister entities (collectively “Heartland”),^[1] alleging various claims that stem from a 2022 data breach. (R. 27, hereinafter “FAC”). Heartland moves to dismiss the plaintiffs' first amended complaint (“FAC”) under Federal Rule of Civil Procedure 12(b)(6). (R. 29.) For the reasons discussed below Heartland's motion is granted in part and denied in part.

BACKGROUND

Heartland is a non-profit, anti-poverty organization that provides healthcare and other services to more than 500,000 individuals annually throughout the Midwest. (FAC ¶¶ 3, 24-28, 32.) As a condition of receiving its services, Heartland collects personally identifiable information (“PII”) from its clients, including names, Social Security numbers, dates of birth, driver's license numbers, and financial account numbers. (Id. ¶ 33.) For those receiving health-related services, Heartland maintains records of individuals' personal health information (“PHI”), including medical diagnoses medication, dental scans, and patient notes. (Id. ¶¶ 33, 41-42.)

In January 2022, Heartland experienced a “disruption to its digital environment” during which unauthorized users obtained access to PII and PHI of Heartlands' clients, employees, and independent contractors. (Id. ¶¶ 6, 41-42.) Plaintiffs Tracy Wittmeyer and Audrey Appiakorang were both clients of Heartland at the time of the data breach and each received notice in December 2022 that their PII and PHI was compromised. (Id. ¶¶ 40, 42, 96.) They claim that the data breach was caused by Heartland's failure to properly secure and safeguard PII and PHI. (Id. ¶¶ 44, 49, 62-63.)

Following the data breach, Appiakorang noticed unauthorized activity on her credit report, specifically that someone had obtained car insurance in her name. (Id. ¶ 101.) The plaintiffs allege other damages as a result of the breach, including increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with the breach, loss of value in their PII and PHI, and emotional harms like anxiety and stress. (Id. ¶¶ 97-100, 104-109.) These injuries, according to the plaintiffs, were further compounded by Heartland's failure to provide prompt notice that their data had been compromised. (Id. ¶¶ 42, 64, 110.)

Wittmeyer and Appiakorang now bring suit against Heartland on behalf of themselves and two putative classes-a nationwide class defined as “[a]ll individuals in the United States who were impacted by the Data Breach, including all who were sent a notice of the Data Breach,” and an Illinois subclass defined as “[a]ll residents of Illinois who were impacted by the Data Breach, including all who were sent a notice of the Data Breach.” (Id. at ¶¶ 116-17.) The FAC asserts claims for negligence (Count I), negligence per se (Count II), breach of contract (Count III), breach of implied contract (Count IV), and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 ILCS 505/1, et seq. (Count V). (Id. at 31-45.) The plaintiffs also seek a declaratory judgment in their favor and prospective injunctive relief (Count VI). (Id. at 45-48.) Heartland moves to dismiss the FAC in its entirety under Rule 12(b)(6). (R. 29.)

LEGAL STANDARD

A motion to dismiss tests the sufficiency of a claim, not the merits of a case. Gociman v. Loyola Univ. of Chi., 41 F.4th 873, 885 (7th Cir. 2022). To survive a motion to dismiss under Rule 12(b)(6), a claim “must provide enough factual information to state a claim to relief that is plausible on its face and raise a right to relief above the speculative level.” Haywood v. Massage Envy Franchising, LLC, 887 F.3d 329, 333 (7th Cir. 2018) (quoting Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 736 (7th Cir. 2014)). In deciding a Rule 12(b)(6) motion, the Court accepts as true all well-pleaded factual allegations and draws all reasonable inferences in the plaintiff's favor. Lax v. Mayorkas, 20 F.4th 1178, 1181 (7th Cir. 2021). Dismissal is proper where “the allegations in a complaint, however true, could not raise a claim of entitlement to relief.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 558 (2007).

ANALYSIS

I. Negligence and Negligence PER SE Claims

Heartland first argues that the FAC fails to state claims for negligence (Count I) and negligence per se (Count II) because the plaintiffs cannot plausibly show that Heartland owed them a duty to safeguard their personal information, nor have they alleged actionable damages as a result of the data breach. (R. 30 at 3-4.)

A. Negligence

The Court begins with the plaintiffs' negligence claim. To state a claim for negligence in Illinois, a plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) that the defendant breached that duty, and (3) that the breach was the proximate cause of the plaintiff's injuries. Flores v. Aon Corp., - N.E.3d -, 2023 IL App (1st) 230140, ¶ 23 (citing Cowper v. Nyberg, 28 N.E.3d 768, 772 (Ill. 2015)). The first element-duty of care-may be derived from statute or common law. Zissu v. IHS Prop. Ill., L.P., 157 F.Supp.3d 797, 800 (N.D. Ill. 2016) (citing Barnett v. Zion Park Dist., 665 N.E.2d 808, 812 (Ill. 1996)). Whether a duty exists is a question of law that may be resolved on a motion to dismiss. Id.

“Though duty is a basic concept in tort law, the Illinois Supreme Court has not directly spoken to this question in the context of data breaches.” Cmty. Bank of Treton v. Schnuck Mkts. Inc., 887 F.3d 803, 816 (7th Cir. 2018). In Cooney v. Chicago Public Schools, the Illinois Appellate Court rejected the theory that either the Health and Insurance Portability and Accountability Act (“HIPAA”) or the Illinois Personal Information Protection Act (“PIPA”) imposed any duty to safeguard personal information. 943 N.E.2d 23, 28 (Ill.App.Ct. 2010). Instead, the Illinois Appellate Court explained that the only duty owed, pursuant to PIPA, is the duty to provide notice of a security breach. Id. The Cooney court further declined to recognize a common law duty to safeguard personal information, explaining “we do not believe that the creation of a new legal duty beyond legislative requirements already in place” (i.e., notice) “is part of our role on appellate review.” Id. at 29. In Community Bank of Trenton v. Schnuck Markets, Inc., the Seventh Circuit addressed, among other issues, whether a retail merchant owed a common law duty to safeguard banking information of the plaintiff banks' customers. 887 at 816. In so doing, the Seventh Circuit looked to Cooney and predicted that the Illinois Supreme Court would agree that there exists no common law data security duty under Illinois law. Id.

Heartland asks this Court to follow Schnuck and Cooney and find that there exists no common law duty in Illinois to protect personal information. (R. 30 at 5.) But PIPA has been amended since Cooney was decided, and the statute now requires data collectors to “implement and maintain reasonable security measures to protect” records from “unauthorized access, acquisition, destruction, use, modification, or disclosure.” In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 590 (N.D. Ill. 2022) (citing 815 ILCS 530/45(a)). Indeed, the Illinois Appellate Court recently explained that, given this amendment to PIPA, “the reasoning of the Cooney court no longer applies.” Flores, 2023 IL App (1st) 230140, ¶ 23. And in addressing anew whether there exists a duty of care to protect personal information, the Illinois Appellate Court held that such a duty exists under both PIPA and the common law. Id. at ¶ 24. The Court therefore declines to find, as a matter of law, that Heartland owed no duty to the plaintiffs to safeguard their personal information.

Heartland next argues that the plaintiffs' negligence claim must be dismissed under Illinois' economic loss doctrine. (R. 30 at 9-11.) The economic loss doctrine, also known as the Moorman doctrine, bars tort recovery for purely economic losses based on the failure to perform contractual obligations. Catalan v. GMAC Mortg. Corp., 629 F.3d 676, 692-93 (7th Cir. 2011) (citing Moorman v. Mfg Co. v. Nat'l Tank Co., 435 N.E.2d 443, 448-49 (Ill. 1982)). Economic loss is defined as “damages for inadequate value, costs of repair and replacement of the defective product, or consequent loss of profits-without any claim of personal injury or damage to other property.” Ctr. PC v. Auctus Grp., No. 22 C 959, 2023 WL 5854398, at *3 (N.D. Ill. Sept. 10, 2023) (citing Moorman, 435 N.E.2d at 449). The theory behind the economic loss doctrine is that “parties to a contract may allocate their risks by agreement and do not need the special protections of tort law to recover damages caused by a breach of contract.” Flores, 2023 IL App (1st) 230140, ¶ 56 (citing Mars, Inc. v. Heritage Builders of Effingham, Inc., 763 N.E.2d 428, 434 (Ill. 2002)).

In the context of the service industry, however, the Illinois Supreme Court has held that the economic loss doctrine applies only where the duty of the party performing the service is defined by contract executed with the client. Congregation of the Passion, Holy Cross Province v Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994). “Where a duty arises outside of the contract, the economic loss doctrine does not prohibit recovery in tort...