From Casetext: Smarter Legal Research

Desue v. 20/20 Eye Care Network, Inc.

United States District Court, Southern District of Florida
Mar 15, 2022
No. 21-CIV-61275-RAR (S.D. Fla. Mar. 15, 2022)

Opinion

21-CIV-61275-RAR

03-15-2022

WENSTON DESUE, individually and as legal guardian of N.D. and M.D. and all others similarly situated, Plaintiff, v. 20/20 EYE CARE NETWORK, INC., et al., Defendants.


ORDER GRANTING IN PART DEFENDANTS' MOTION TO DISMISS

RC DOLFO A. RUIZ II., UNITED STATES DISTRICT JUDGE.

THIS CAUSE comes before the Court upon Defendants' Joint Motion to Dismiss Plaintiffs' First Amended Consolidated Complaint [ECF No. 40] (“Motion”). Having reviewed the Motion, Plaintiffs' Opposition [ECF No. 41] (“Response”), Defendants' Joint Reply in Support of the Motion [ECF No. 43] (“Reply”), the record, applicable law, and being otherwise fully advised, it is hereby

ORDERED AND ADJUDGED that Defendants' Motion to Dismiss is GRANTED IN PART as set forth herein.

BACKGROUND

This action is the result of a data breach detected in January 2021 (“Data Breach”), when 20/20 Eye Care, 20/20 Hearing Care, and iCare allegedly failed to protect the personally identifiable information (“PII”) and protected health information (“PHI”) of Plaintiffs and over 3.2 million similarly situated persons-including their names, dates of birth, Social Security numbers, member identification numbers, and health insurance information. [ECF No. 37] (“Amended Complaint”) ¶¶ 1-4, 6-7. Defendants provide third-party administrative services in the healthcare space, sharing and storing patients' PII and PHI in the same platform. Id. ¶¶ 21, 25-26.

Defendant 20/20 Eye Care is a managed vision care company that provides eye care services and acts as a third-party insurance plan administrator, assisting both insurance companies and patients. Id. ¶¶ 20-21. Defendant iCare acquired Defendant 20/20 Eyecare in September 2020 and exercises some control over 20/20 Eye Care. Id. ¶ 23. Defendant 20/20 Hearing Care manages a network of audiologists, acting as a middleman between managed care plans and their members. Id. ¶ 25.

After the Data Breach occurred, Defendants provided notice to various state Attorneys General explaining that the Data Breach was “insider wrong doing.” Id. ¶ 97. As a result of the Data Breach, the PII and PHI of more than 3.2 million health plan members were potentially accessed, downloaded, and deleted from Defendants' technological platform. Id. ¶ 95. Defendants began notifying victims of the Data Breach in late May of 2021-approximately four months after Defendants became aware of the potential breach. Id. ¶ 100.

Plaintiffs allege that Defendants failed “to implement and maintain adequate and reasonable data security safeguards, fail[ed] to exercise reasonable care in the hiring, training, and supervision of its employees and agents, and fail[ed] to comply with industry-standard data security practices and federal and state laws and regulations governing data security and privacy….” Id. ¶ 6. Plaintiffs maintain these failures and the ensuing Data Breach have caused them numerous and imminent injuries. Id. ¶ 16. Plaintiffs, on behalf of themselves and purported Class Members, assert the following claims: negligence, unjust enrichment, breach of confidence, and a violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA). Id. ¶ 18. They seek injunctive relief, declaratory relief, monetary damages, and any other relief as authorized by law. Id. at 60.

Defendants have now moved to dismiss Plaintiffs' Amended Complaint for lack of Article III standing and alternatively, for failure to state a claim upon which relief can be granted.

LEGAL STANDARD

I. Lack of Subject Matter Jurisdiction Under Fed.R.Civ.P. 12(b)(1)

One element of the case-or-controversy requirement under Article III of the United States Constitution is that plaintiffs “must establish that they have standing to sue” in federal court. Raines v. Byrd, 521 U.S. 811, 818 (1997). Thus, standing is a “threshold question in every federal case, determining the power of the court to entertain the suit.” Warth v. Sedlin, 422 U.S. 490, 498 (1975).

In the class action context, Article III requires two distinct inquiries to determine whether a class representative has “standing to represent a class.” Fox v. Ritz-Carlton Hotel Company, L.L.C., 977 F.3d 1039, 1046 (11th Cir. 2020) (citing Mills v. Foremost Ins. Co., 511 F.3d 1300, 1307 (11th Cir. 2008)). A class representative must satisfy the individual standing prerequisites for each claim he or she asserts and “must also ‘be part of the class and possess the same interest and suffer the same injury as the class members.'” Id. (citations omitted); see also Preisler v. Eastpoint Recovery Group, Inc., No. 20-62268, 2021 WL 2110794, at *3 (S.D. Fla. May 25, 2021). To be clear, if “we have at least one individual plaintiff who has demonstrated standing, ” we do not need to “consider whether the other ... plaintiffs have standing to maintain the suit.” Wilding v. DNC Servs. Corp., 941 F.3d 1116, 1124-25 (11th Cir. 2019) (citing Arlington Heights v. Metro. Hous. Dev. Corp., 429 U.S. 252, 264 n.9 (1977) (citations omitted)).

To establish the individual standing prerequisites, a plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). These three elements must be supported “with the manner and degree of evidence required at the successive stages of the litigation.” Wilding, 941 F.3d at 1124 (citing Lujan, 504 U.S. at 561); see also 31 Foster Children v. Bush, 329 F.3d 1255, 1263 (11th Cir. 2003) (“How much evidence is necessary to satisfy [the standing requirement] depends on the stage of litigation at which the standing challenge is made.”). And plaintiffs must establish standing for each claim that they press and for each form of relief that they seek. TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2208 (2021).

A plaintiff has suffered an injury in fact if he has “suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Spokeo, 136 S.Ct. at 1548 (quoting Lujan, 504 U.S. at 560). “Central to assessing concreteness is whether the asserted harm has a ‘close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts-such as a physical harm, monetary harm, or various intangible harms….” TransUnion LLC, 141 S.Ct. at 2200. Concrete intangible harms may include reputational harms, disclosure of private information, and intrusion upon seclusion. Id. at 2204 (collecting cases).

Beyond establishing that plaintiff has suffered an injury in fact, plaintiff must allege a “causal connection between the injury and the conduct complained of”-in other words, the injury must be “fairly traceable to the challenged action of the defendant.” Lujan, 504 U.S. at 560 (quotation omitted and alterations adopted). However, Article III standing does not require that the defendant “be the most immediate cause, or even a proximate cause, of the plaintiffs' injuries; it requires only that those injuries be ‘fairly traceable' to the defendant.” Lexmark Int'l, Inc. v. Static Control Components, Inc., 134 S.Ct. 1377, 1391 n.6 (2014). “[E]ven harms that flow indirectly from the action in question can be said to be ‘fairly traceable' to that action for standing purposes.” Wilding, 941 F.3d at 1125 (citing Focus on the Family v. Pinellas Suncoast Transit Auth., 344 F.3d 1263, 1273 (11th Cir. 2003)).

II. Failure to State a Claim Under Fed.R.Civ.P. 12(b)(6)

“To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). When reviewing a motion to dismiss pursuant to Rule 12(b)(6), a court must accept as true all factual allegations contained in the complaint, and the plaintiff should receive the benefit of all favorable inferences that can be drawn from the facts alleged. See Chaparro v. Carnival Corp., 693 F.3d 1333, 1337 (11th Cir. 2012); see also Iqbal, 556 U.S. at 678. A court considering a Rule 12(b)(6) motion is generally limited to the facts contained in the complaint and attached exhibits but may also consider documents referred to in the complaint that are central to the claim and whose authenticity is undisputed. See Wilchombe v. TeeVee Toons, Inc., 555 F.3d 949, 959 (11th Cir. 2009). “Dismissal pursuant to Rule 12(b)(6) is not appropriate unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” Magluta v. Samples, 375 F.3d 1269, 1273 (11th Cir. 2004) (citation and quotation omitted).

ANALYSIS

Defendants raise several arguments in favor of dismissal, including a lack of subject matter jurisdiction under Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6). The Court will address each argument in turn.

The Court has proceeded to analyze all claims under Florida law (as was briefed by the parties). Courts commonly rely upon the law briefed in deciding a motion to dismiss without conducting a fact-intensive choice of law analysis. In re Brinker Data Incident Litig., No. 3:18-686, 2020 WL 691848, at *3 (M.D. Fla. Jan. 27, 2020) (citing McKenzie v. Allconnect, Inc., 369 F.Supp.3d 810, 817 (E.D. Ky. 2019); Davidson v. Apple, Inc., No. 16-4942, 2017 WL 3149305, at *3 (N.D. Cal. July 25, 2017)).

I. Plaintiffs have sufficiently alleged Article III standing.

Of the three standing prerequisites-injury in fact, traceability, and redressability- Defendants challenge two. First, they contend that two of the five named Plaintiffs fail to allege an injury in fact. And second, that all named Plaintiffs fail to plausibly allege traceability. Because Defendants' standing arguments solely address the allegations in the First Amended Complaint rather than any extrinsic materials, this is considered a facial attack, which “requires the [C]ourt merely to look and see if the [P]laintiff[s] ha[ve] sufficiently alleged a basis of subject matter jurisdiction.” See Stalley ex rel. U.S. v. Orlando Reg'l Healthcare Sys., Inc., 524 F.3d 1229, 1232 (11th Cir. 2008) (citation omitted). As this is a facial attack, the allegations in the First Amended Complaint are taken as true for standing purposes. Id. And upon examination of the First Amended Complaint, Plaintiffs have satisfied the requirements for Article III standing.

a. Plaintiffs Liang and Johnson both allege injuries-in-fact.

Defendants argue that Plaintiffs Benjamin Liang and Suzanne Johnson fail to allege injuries-in-fact. Mot. at 6-7. As a threshold matter, the Court need only find that one named Plaintiff has Article III standing to maintain suit. However, because Defendants request that this Court dismiss any named Plaintiff that lacks standing, Mot. at 8, the Court will assess whether the named Plaintiffs challenged by Defendants-Liang and Johnson-have sufficiently alleged injuries-in-fact.

The parties have conceded that three of the five named Plaintiffs-Stephany Alcala, Amber Lowe, and David Runkle-have alleged injuries-in-fact. See Reply at 2, n.1.

At issue is whether the injuries alleged by Liang and Johnson are “concrete”, “particularized”, and “actual or imminent, not conjectural or hypothetical.” See Lujan, 504 U.S. at 560. Liang and Johnson allege the following injuries: a substantial risk of imminent identity, financial, and health fraud and theft; emotional anguish and distress resulting from the Data Breach; and increased time spent reviewing financial statements and credit reports to determine whether there has been fraudulent activity on any of their accounts. Am. Compl. ¶¶ 46-49, 81-83. In addition, Liang alleges that he has experienced an uptick in robocalls and Johnson alleges that she has experienced an increased amount of phishing calls and emails since the Data Breach. Id. ¶¶ 49, 84. Plaintiffs seek both damages and injunctive relief. Id. at 60.

The Court will first focus on Liang and Johnson's common alleged injuries. The Eleventh Circuit and the Supreme Court have recently weighed in on whether certain types of injuries- including the risk of future harm-are sufficiently concrete to establish injury in fact. Whether Liang and Johnson suffer from a substantial risk of imminent identity, financial, and health fraud and theft is central to this Court's inquiry into whether their injuries are sufficiently concrete.

In Tsao v. Captiva MVP Restaurant Partners, the Eleventh Circuit distilled two relevant principles in considering whether the threat of future harm is concrete for standing purposes. 986 F.3d 1332, 1339 (11th Cir. 2021). First, the threat of future harm must be a “substantial risk” or “certainly impending.” Id. Second, if the threat of future harm does not meet that standard, a plaintiff cannot “conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.” Id. In other words, any steps taken by plaintiffs to monitor their credit or financial statements for fraudulent activity establish an injury in fact only if plaintiff has shown that they face a substantial or certainly impending threat of future harm. Id. The threat of future identity theft has been considered “certainly impending” or a “substantial risk” in cases where plaintiffs have alleged “actual misuse or actual access to personal data.” Id. at 1340. In short, “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.” Tsao, 986 F.3d at 1344.

Just four months after the Eleventh Circuit's decision in Tsao, the Supreme Court addressed the issue of whether a material risk of future harm is sufficiently concrete to confer standing in TransUnion LLC v. Ramirez. Prior to TransUnion, the Court had recognized only that a material risk of future harm could satisfy the concreteness requirement in a claim for injunctive relief. TransUnion, LLC, 141 S.Ct. at 2210 (citing Spokeo, 578 U.S. at 341-42) (cleaned up). In TransUnion, the Court held that the material risk of future harm, without more, was not sufficiently concrete for purposes of Article III standing in a suit for damages. Id. at 2211 (emphasis added). That holding leaves this Court to answer the question-what is more? Contrary to Defendants' desires, the Court in TransUnion gave us an emotional injury sized clue. Id. (propounding that emotional injury may be an independent harm caused by plaintiffs' exposure to the risk that their credit reports would be provided to third-party businesses); see also Mot. at 8.

In a post-Tsao and TransUnion world, courts in this circuit have yet to weigh in on standing issues-specifically, issues related to establishing injury in fact-in a data breach case. Here, plaintiffs are pursuing a medley of relief, including damages and injunctive relief. Therefore, the Court must find that plaintiffs plausibly allege an injury in fact based on each request for relief. To make that determination, the Court must determine whether Liang and Johnson have established that the threat of future harm poses a “substantial risk” or is “certainly impending.” See Tsao, 986 F.3d at 1339.

In Tsao, the Eleventh Circuit addressed a smattering of cases in which courts found that the threat of future harm was sufficient to establish injury in fact. See Tsao, 986 F.3d at 1339. In those cases, plaintiffs alleged actual misuse or access of their data. Id. (citing Attias v. Carefirst, Inc., 865 F.3d 620, 626 n.2 (D.C. Cir. 2017) (holding that there was a “substantial risk” of future harm where an unauthorized party accessed personally identifiable information from a healthcare company's servers); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015) (finding a substantial risk of future harm where plaintiffs had already experienced fraudulent charges on their credit card); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010) (holding that plaintiffs faced a “credible threat of harm” where a laptop was stolen containing their encrypted data and one of the plaintiffs had a fraudulent bank account opened in their name)).

Further, courts have found that evidence of misuse of certain individuals' data affected by the same data breach can help establish a “substantial risk” of future harm for those plaintiffs who have not yet been affected. See McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295, 301 (2nd Cir. 2021) (finding that courts have been more likely to conclude that plaintiffs have established a substantial risk of future injury where they can show that at least some part of the compromised dataset has been misused - even if plaintiffs' particular data subject to the same disclosure incident has not yet been affected); see also In re Zappos.com, Inc., 888 F.3d 1020, 1027 n.7 (9th Cir. 2018) (explaining that even though some plaintiffs in the suit had not yet suffered identity theft, allegations that other customers whose data was compromised had reported fraudulent charges helped establish that plaintiffs were at substantial risk of future harm).

Unlike Defendants' characterizations of Tsao, the Eleventh Circuit did not flatly reject the notion that the substantial risk of future identity theft could confer standing. Mot. at 7. In Tsao, plaintiffs alleged that their credit card data had been stolen (and not information such as Social Security numbers and dates of birth). See Tsao, 986 F.3d at 1344. Further, plaintiffs failed to allege any specific misuse of class members' data. Id. Based on these particular allegations, the Eleventh Circuit held that plaintiffs had failed to allege a “substantial risk” of future harm sufficient to confer standing. Id.

In this case, however, Plaintiffs allege both actual misuse and actual access of their personal data resulting from the Data Breach. Am. Compl. ¶¶ 2-3. Specifically, Defendants confirmed that on January 11, 2021, data was potentially removed from its systems and then deleted. Id. ¶ 97. That data included the names, addresses, Social Security numbers, member identification numbers, dates of birth, and health insurance information of some or all its health plan members. Id. ¶ 98. Defendants could not confirm which files were seen or deleted by the unknown person(s). Id. ¶ 97. Further, Plaintiffs Alcala, Lowe, and Runkle allege actual misuse of their personal data, including unknown credit inquiries, the opening of fraudulent bank accounts, and fraudulent applications for personal loans and unemployment benefits. See Am. Compl. ¶¶ 33-34, 58, 71. Given that Plaintiffs have alleged actual access and misuse of Plaintiffs' PHI and PII, Liang and Johnson have established a “substantial risk” of future harm and thus, injury in fact, for purposes of Article III standing regarding their claim for injunctive relief.

Given that Plaintiffs' requested relief includes damages, the Court must take its analysis one step further. In a claim for damages, “the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 141 S.Ct. at 2211. Here, in addition to establishing a substantial risk of future harm, Liang and Johnson have alleged two separate concrete harms sufficient to satisfy the Court's holding in TransUnion: the suffering of emotional anguish and distress related to possible identity theft and the cost of the increased time plaintiffs spend reviewing their financial information.

Defendants contend that allegations of emotional anguish cannot confer standing, citing a case out of the Third Circuit and a recent decision of this Court. Mot. at 8. In Preisler, this Court held that where plaintiff was relying solely on alleged emotional harms to satisfy concreteness, plaintiff's alleged harms were insufficient to confer standing. Preisler v. Eastpoint Recovery Group, Inc., No. 20-62268, 2021 WL 2110794, at *6 (S.D. Fla. 2021). In Reilly, the Third Circuit held that plaintiffs failed to allege any concrete injury, including that of emotional distress, because plaintiffs did not allege any misuse of their information. Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3rd Cir. 2011). Both cases are markedly different from this action. Here, we have established that the risk of future harm to plaintiffs is substantial and imminent. Thus, the question in this case is not whether plaintiffs' allegations of emotional distress, on their own, are sufficiently concrete to establish an injury in fact. Instead, it is whether allegations of emotional distress, coupled with the substantial risk of future harm, are sufficiently concrete to establish standing in a claim for damages. The Court concludes that they are. See TransUnion, 141 S.Ct. at 2211.

Given that Plaintiffs' allegations of a substantial risk of future harm and emotional injury are sufficient to establish injury in fact, the Court need not address whether Plaintiffs' alleged injuries related to the mitigation of future harm are sufficient for purposes of standing. However, for the sake of completeness, it will do so. Defendants contend that the Tsao Court flatly rejected the notion that a plaintiff could establish an injury in fact based on injuries related to the mitigation of future harms. Mot. at 7. But the Eleventh Circuit's holding requires a more nuanced reading than that presented by Defendants.

The court in Tsao held that injuries related to mitigating the risk of future identity theft were not concrete because plaintiffs did not sufficiently allege a substantial risk of future harm. In essence, if the risk of harm to plaintiffs is not substantial, their steps to mitigate a non-substantial risk do not create an injury. Here, however, Plaintiffs have alleged a substantial and imminent risk of future identity theft and thus, injuries related to the mitigation of those risks-including time spent reviewing their financial accounts-are sufficiently concrete to establish injury in fact. See In re: Practicefirst Data Breach Litigation, No. 121-00790, 2022 WL 354544, at *6 (W.D.N.Y. Feb. 2, 2022) (citing McMorris, 995 F.3d at 303 (“‘Where plaintiffs have shown substantial risk of future identity theft or fraud, any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact.' Conversely, ‘where plaintiffs have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.'”)) In sum, Liang and Johnson's alleged injuries constitute injuries-in-fact sufficient to satisfy claims for injunctive relief and damages.

Beyond the injuries discussed herein, Liang and Johnson each allege a unique injury. However, the Court need not determine whether those unique injuries-an increase in robocalls and phishing emails-constitute an injury in fact for purposes of Article III standing.

b. Plaintiffs plausibly allege traceability.

Defendants contend that there is no nexus between the Data Breach and the misuse of Plaintiffs' information. Mot. at 9-10. They argue that the data accessed in the Data Breach did not contain enough information to support Plaintiffs' allegations that bad actors had misused their personal data by opening fraudulent bank accounts and submitting fraudulent applications for personal loans and improper government benefits. Id. at 11. Article III standing requires a “causal connection between the injury and the conduct complained of.” Lujan, 504 U.S. at 560 (quotation omitted and alterations adopted). In other words, the injury must be “fairly traceable to the challenged action of the defendant.” Id. The Supreme Court has cautioned federal courts not to “confuse weakness on the merits with absence of Article III standing.” Moody v. Holman, 887 F.3d 1281, 1285 (11th Cir. 2018) (citing Ariz. St. Leg. v. Ariz. Indep. Redistricting Comm'n, 135 S.Ct. 2652, 2663 (2015)). And to satisfy Article III's standing causation requirement, plaintiff need not show proximate causation. Wilding, 941 F.3d at 1125. “[E]ven harms that flow indirectly from the action in question can be said to be ‘fairly traceable' to that action for standing purposes.” Id. (citing Focus on the Family, 344 F.3d at 1273). Plaintiffs need not show that defendant's actions are the very last step in the chain of causation. Id. at 1126.

Here, Plaintiffs allege that Defendants failed to protect their PII and PHI. Am. Compl. ¶ 5. As a result, a Data Breach occurred, whereby a third party was able to access Plaintiffs' private information, including dates of birth and Social Security numbers. Id. After the Data Breach occurred, Plaintiffs experienced documented incidents of “identity theft, economic losses, lost time, and emotional injuries” and are at substantial risk of future incidents of identity theft. Reply at 9. While Defendants argue that this is not enough to satisfy traceability, the Court disagrees. Mot. at 8-10. Even if the data accessed in the Data Breach did not provide all the information necessary to carry out the documented incidents of identity theft, it could very well have been enough to aid in the commission of identity theft. And “[e]ven a showing that a plaintiff's injury is indirectly caused by a defendant's actions satisfies the fairly traceable requirement.” Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012). Because we assume, at the pleading stage, that plaintiffs will prevail on the merits of their claims, the Court has little difficulty in concluding that Defendants' failure to secure Plaintiffs' data is sufficiently traceable to Plaintiffs' alleged injuries. See Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017) (holding that plaintiffs satisfied the traceability requirement for Article III standing by alleging that defendants failed to secure their data and thereby subjected them to a substantial risk of identity theft).

Accordingly, all named Plaintiffs have established Article III standing and Defendants' Motion to Dismiss for lack of subject matter jurisdiction is DENIED.

II. Plaintiffs have failed to state a claim upon which relief can be granted.

Defendants contend that Plaintiffs' claims must be dismissed because they are based on conclusory allegations and legal labels. Mot. at 3. As a result of these deficiencies, Defendants argue that Plaintiffs fail to state a claim upon which relief can be granted. Id. The Court agrees and will address each claim in turn.

a. Negligence

Defendants argue that Plaintiffs' negligence claim consists of a shotgun pleading that improperly commingles multiple negligence and liability theories into a single claim. Mot. at 12-13. The Court agrees. The Eleventh Circuit has relieved its district courts of the burden of dealing with “shotgun pleadings, ” which it defines, in part, as follows:

[O]ne that commits the sin of not separating into a different count each cause of action or claim for relief . . . [and] assert[s] multiple claims against multiple defendants without specifying which of the defendants are responsible for which acts or omissions, or which of the defendants the claim is brought against. The unifying characteristic of all types of shotgun pleadings is that they fail to one degree or another, and in one way or another, to give the defendants adequate notice of the claims against them and the grounds upon which each claim rests.
Weiland v. Palm Beach County Sheriff's Office, 792 F.3d 1313, 1321-23 (11th Cir. 2015). Plaintiffs' negligence claim is a classic shotgun pleading. Within one count of negligence, Plaintiffs plead multiple causes of action, including a common law theory of negligence, negligence per se, negligent hiring, negligent training, and negligent supervision. Am. Compl. ¶¶ 181-213. See Hayes v. Bank of N.Y. Mellon, No. 1:14-338, 2014 WL 3887922, at *8 (N.D.Ga. Aug. 6, 2014), aff'd, 592 Fed.Appx. 891 (11th Cir. 2015) (dismissing complaint because “Plaintiffs ... mix together and conjoin multiple legal theories within their counts”).

For instance, Plaintiffs allege that Defendants breached both common law and statutory duties. Am. Compl. ¶¶ 189, 204-6. See Reed v. Royal Caribbean Cruises, Ltd., No. 19-24668, 2021 WL 2592914, at *8 (S.D. Fla. Apr. 23, 2021) (citations omitted) (finding a shotgun pleading where plaintiff alleged eleven separate ways in which defendant breached its duty of care). At a minimum, “negligent supervision and negligent training are separate claims which must be pled separately.” Id. (citing Burgess v. Royal Caribbean Cruises Ltd., No. 20-20687, 2020 U.S. Dist. LEXIS 188606, at *4-5 (S.D. Fla. Oct. 9, 2020) (dismissing claim titled “Negligent Hiring, Selection, Retention, Monitoring and Training” as impermissible shotgun pleading because “[t]hese counts combine different causes of action that have distinct elements of law and require different findings”)).

In addition to comingling causes of action, Plaintiffs fail to make clear which Defendants are responsible for certain acts or omissions. As Defendants correctly note, Plaintiffs have improperly commingled different liability theories against Defendants. Mot. at 13. Accordingly, Count I is DISMISSED without prejudice.

b. Unjust Enrichment

Under Florida law, a claim for unjust enrichment requires that: “(1) the plaintiff has conferred a benefit on the defendant; (2) the defendant has knowledge of the benefit; (3) the defendant has accepted or retained the benefit conferred; and (4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it.” Brinker, 2020 WL 691848, at *10 (quoting Della Ratta v. Della Ratta, 927 So.2d 1055, 1059 (Fla. 4th DCA 2006)). Because Plaintiffs fail to sufficiently allege that they conferred any benefit on Defendants, this claim warrants dismissal.

“To prevail on an unjust enrichment claim, the plaintiff must directly confer a benefit to the defendant.” Marrache v. Bacardi U.S.A., Inc., 17 F.4th 1084, 1101 (11th Cir. 2021) (citing Kopel v. Kopel, 229 So.3d 812, 818 (Fla. 2017); accord Extraordinary Title Servs., LLC v. Fla. Power & Light Co., 1 So.3d 400, 404 (Fla. 3d DCA 2009)); see also Virgilio v. Ryland Group, Inc., 680 F.3d 1329, 1337 (11th Cir. 2021) (holding that plaintiffs failed to confer a benefit on defendants where the relationship alleged by plaintiffs with defendants was indirect). Here, Plaintiffs did not provide their PII or PHI directly to Defendants. They do not allege any direct relationship between the parties, nor do they specify what type of relationship exists between the two parties. In fact, the allegations are threadbare and conclusory. Plaintiffs merely aver that they and other Class Members conferred a benefit on Defendants and Defendants accepted that benefit when they collected, stored, and used Plaintiffs and Class Members' PII and PHI. Am. Compl. ¶¶ 224-5 (“Defendants profited from the provision of these health services and used the PII and PHI of Plaintiffs and Class Members for business and monetary purposes.”). At best, the Court understands that Plaintiffs provided their PII/PHI to a third party who then contracted with Defendants to provide healthcare services-meaning any benefit conferred by Plaintiffs would be indirect-and therefore, insufficient to establish a claim for unjust enrichment under Florida law.

Even if Florida allowed for the indirect conferral of benefits (e.g., through a third-party intermediary), this claim would still fail. The instant matter is akin to Stephens v. Availity-where defendant, who acted as a bridge between healthcare providers and healthcare insurers to aid in the process of medical claims, suffered a data breach. Stephens v. Availity, L.L.C., No. 19-236, 2019 WL 13041330, at *1 (M.D. Fla. Oct. 1, 2019). In that case, the court dismissed the claim for unjust enrichment due to the lack of a relationship between the parties-holding that plaintiff failed to confer a benefit on defendant because, even though defendant received plaintiff's PII/PHI, plaintiff did not pay defendant (or their healthcare providers or insurers) for data security services. Id. at *6; see also In re Blackbaud, Inc., Customer Data Breach Litigation, No. 20-mn-02972, 2021 WL 4866393, at *14 (D.S.C. Oct. 19, 2021) (holding that plaintiffs failed to allege that they conferred a benefit on defendant where plaintiffs (1) gave their private information to a third party, (2) did not choose to use defendant's services in the first place, (3) did not pay for defendant's services, and (4) did not provide their information directly to defendant). Id.

Here, the Court is faced with a similar lack of relationship. Plaintiffs provided their private information to multiple third parties. They did not affirmatively choose to use Defendants' services; they did not pay for Defendants' services nor provide their private information to Defendants. Even if an indirect conferral of benefits were allowed under Florida law-which it is not-Plaintiffs still fail to show that they conferred any benefit sufficient to establish a claim for unjust enrichment.

Accordingly, Count II is DISMISSED without prejudice . Given that the Court is granting Plaintiffs leave to amend their operative complaint in conformance with this Order, Plaintiffs will be given an opportunity to establish a benefit directly conferred on Defendants with the specificity necessary to satisfy applicable pleading standards.

c. Breach of Confidence

Next, Defendants contend that Plaintiffs fail to state a claim for breach of confidence because Defendants did not disclose Plaintiffs' private information and Defendants are not in a confidential relationship with Plaintiff. Mot. at 24-25. Once again, the Court agrees.

A breach of confidence involves “the unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship.” Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 932 (11th Cir. 2020). The Muransky court noted two key elements in a breach of confidence claim: (i) disclosure to a third party and (ii) the existence of a confidential relationship between the parties. Id. “Disclosure” has been defined as “[t]he act or process of making known something that was previously unknown.” In re Brinker Data Incident Litigation, No. 18-686-J, 2020 WL 691848, at *21 (M.D. Fla. Jan. 27, 2020). A “confidential relationship is found ‘where confidence is reposed by one party and a trust accepted by the other.'” Hutson v. Brooks, 646 So.2d 276, 277 (Fla. 2d DCA 1994) (quoting Traub v. Traub, 102 So.2d 157, 159 (Fla. 2d DCA 1958) (citations omitted)). Confidential relationships most often arise in close professional relationships-“those involving physicians, therapists, financial institutions, and the like.” Muransky, 979 F.3d at 932.

i. Plaintiffs fail to allege Defendants disclosed their PII/PHI.

Plaintiffs allege that their PII and PHI were disclosed by Defendants in the Data Breach as the result of Defendants' inadequate computer systems and technologies for storing Plaintiffs' private information. Am. Compl. ¶ 241. Courts in the Eleventh Circuit have held that when a Defendant does not act to disclose Plaintiffs' information, (i.e., when the data was stolen by a third party), there is no disclosure sufficient to establish a breach of confidence claim. Brinker, 2020 WL 691848, at *21-22; see also Purvis v. Aveanna Healthcare, LLC, No. 20-02277, 2021 WL 5230753, at *12 (N.D.Ga. Sept. 27, 2021). As noted by the court in Brinker, “[s]imply put, [the defendant] made no disclosure, thus, this count is due to be dismissed.” Id. at *22. This conclusion is further elucidated in Purvis, where the court dismissed a breach of confidence claim based on the lack of disclosure. 2021 WL 5230753, at *12. In that case, plaintiffs alleged that defendant allowed the disclosure to happen by failing to heed warnings that its records may be targeted in a cyberattack. Id. Here, as in Purvis, Plaintiffs' allegations surrounding disclosure stem from the failing of technology, not from any affirmative act of disclosure. As such, Plaintiffs fail to allege any acts of disclosure sufficient to establish a breach of confidence claim. Brinker, 2020 WL 691848, at *22.

ii. Plaintiffs fail to allege a confidential relationship between the parties.

Plaintiffs allege that “Defendants' relationship with Plaintiff and Class Members was governed by terms that Plaintiffs' and Class Members' PII would be collected, stored, and protected in confidence, and would not be disclosed to unauthorized persons.” Am. Compl. ¶ 236. They further assert that “Defendants voluntarily received in confidence Plaintiffs' and Class Members' PII and PHI with the understanding it would not be disclosed or disseminated to the public or any unauthorized third parties.” Id. ¶ 237. It appears that these conclusory statements are designed to establish some type of privity between the parties. But while the Court is required to accept as true all allegations contained in the complaint, courts “are not bound to accept as true a legal conclusion couched as a factual allegation.” Twombly, 550 U.S. at 555 (quotation omitted); Iqbal, 556 U.S. at 678. Given the conclusory nature of these allegations, the Court cannot determine the true extent of the relationship, or lack thereof, between the parties. The Court suspects this is because no privity exists.

In any event, the Court need not weigh in on the importance of privity to find that Plaintiffs have failed to establish a confidential relationship between the parties. Plaintiffs do not allege that they had any type of direct contact with Defendants that involved entrusting Defendants with their private information. This is a claim premised upon a Data Breach involving confidential information-not a confidential relationship. Simply put, Plaintiffs must do more to establish a breach of confidence claim. See Stephens, 2019 WL 13041330 at *7 (M.D. Fla. Oct. 1, 2019) (holding that where plaintiff had no contact with defendant, plaintiff could not have entrusted anything to defendant amounting to the establishment of a confidential relationship). Accordingly, Count III is DISMISSED without prejudice.

d. Violation of FDUTPA

A consumer claim for damages under FDUTPA has three elements: (1) an objectively deceptive act or unfair practice; (2) causation; and (3) actual damages. Carriuolo v. Gen. Motors Co., 823 F.3d 977, 985-86 (11th Cir. 2016); Rollins, Inc. v. Butland, 951 So.2d 860, 869 (Fla. 2d DCA 2006). Defendants move to dismiss this claim because Plaintiffs have failed to plead actual damages-and maintain that Plaintiffs also lack Article III standing for injunctive relief under FDUTPA. Mot. at 20-22. As Defendants do not contest that Plaintiffs have adequately alleged the first two elements of a FDUTPA claim, the Court focuses solely on the issue of actual damages and standing for injunctive relief.

i. Plaintiffs fail to allege actual damages as required under FDUTPA.

Florida courts consider actual damages, in the FDUTPA context, to be a “term of art.” Casa Dimitri Corp. v. Invicta Watch Co. of Am., 270 F.Supp.3d 1340, 1352 (S.D. Fla. 2017) (citing Diversified Mgmt. Sols., Inc. v. Control Sys. Research, Inc., No. 15-81062, 2016 WL 4256916, at *5 (S.D. Fla. May 16, 2016) (citations and internal quotation marks omitted)). Generally, actual damages “is the difference in the market value of the product or service in the condition in which it was delivered and its market value in the condition in which it should have been delivered according to the contract of the parties.” Rollins, 951 So.2d at 869 (quoting Rollins, Inc. v. Heller, 454 So.2d 580, 585 (Fla. 3d DCA 1984)) (describing this measurement as being “well-defined in the case law”). “[T]he statute [501.211] entitles a consumer to recover damages attributable to the diminished value of the goods or services received, but does not authorize recovery of consequential damages to other property attributable to the consumer's use of such goods or services.” Fort Lauderdale Lincoln Mercury, Inc. v. Corgnati, 715 So.2d 311, 314 (Fla. 4th DCA 1998) (quoting Urling v. Helms Exterminators, Inc., 468 So.2d 451, 454 (Fla. 1st DCA 1985)).

Plaintiffs argue that the definition of “actual damages” under FDUTPA as set forth by decades of precedent has come to an abrupt end. Resp. at 21. In doing so, Plaintiffs primarily rely on one case. See Tymar Distribution LLC v. Mitchell Group USA, LLC, No. 21-21976, 2021 WL 4077966 (S.D. Fla. Sept. 8, 2021). Upon close examination of the case, however, the Court is left bewildered by Plaintiffs' contentions. In particular, Plaintiffs fail to point out that the court's holding in Tymar applies specifically to “FDUTPA claims arising outside the consumer transaction context.” Id. at *7. This point is made abundantly clear just a few sentences later, when the court explains that “a corporate-competitor plaintiff may seek lost profits damages under the FDUTPA.” Id. (emphasis added). Here, Plaintiffs are consumers, not corporate-competitors. Am. Compl. ¶ 247; see also Reply at 12. Accordingly, Plaintiffs' recovery is limited to “damages attributable to the diminished value of the goods or services received.” Corgnati, 715 So.2d at 314.

Unfortunately, Plaintiffs fail to allege damages that are attributable to the diminished value of the services or goods they received-instead relying on the promise of future discovery to determine such damages. Resp. at 19. As a result, Plaintiffs cannot maintain a claim under FDUTPA given the complete absence of any allegations regarding a diminished value (or value at all) for the goods or services received. Further, the damages alleged elsewhere in the Amended Complaint-including the diminution of PII/PHI, future risk of identity theft, and emotional distress-amount to “merely ‘other property' that was damaged as a result of [the use of Defendants' health care services].” See Brinker, 2020 WL 691848, at *13 (citations omitted). Alternatively stated, they are consequential damages insufficient to state a claim under FDUTPA.

ii. Plaintiffs have standing for injunctive relief under FDUTPA.

Defendants attempt to recycle their Article III standing argument in the context of Plaintiffs' FDUTPA claim. Mot. at 22-24. They argue that the speculative risk of identity theft or the hypothetical possibility of a subsequent data breach is insufficient to establish injury in fact. Mot. at 23. But as explained in the standing section of this Order, the Court finds that Plaintiffs have established Article III standing sufficient to bring a claim for injunctive relief.

In sum, despite the presence of standing, Plaintiffs have failed to establish the actual damages necessary to maintain a FDUTPA claim. Count IV is therefore DISMISSED without prejudice.

CONCLUSION

Although Plaintiffs have standing to bring this lawsuit, their claims fail to state a claim upon which relief can be granted and therefore warrant dismissal. Accordingly, it is hereby ORDERED AND ADJUDGED as follows:

1. Defendants' Motion to Dismiss Plaintiffs' First Amended Complaint [ECF No. 40] is GRANTED IN PART.
2. Counts I, II, III, and IV are DISMISSED without prejudice and with leave to amend .
3. Plaintiffs shall file a Second Amended Complaint in conformance with this Order on or before March 29, 2022.

DONE AND ORDERED.


Summaries of

Desue v. 20/20 Eye Care Network, Inc.

United States District Court, Southern District of Florida
Mar 15, 2022
No. 21-CIV-61275-RAR (S.D. Fla. Mar. 15, 2022)
Case details for

Desue v. 20/20 Eye Care Network, Inc.

Case Details

Full title:WENSTON DESUE, individually and as legal guardian of N.D. and M.D. and all…

Court:United States District Court, Southern District of Florida

Date published: Mar 15, 2022

Citations

No. 21-CIV-61275-RAR (S.D. Fla. Mar. 15, 2022)

Citing Cases

Watson v. Lemongrass Holdings LLC

See Cnty. of Riverside v. McLaughlin, 500 U.S. 44, 51 (1991) (assessing standing requirements based on…

St. Francis Holdings, LLC v. MMP Capital, Inc.

See Id. at *7 (explaining that “a corporate-competitor plaintiff may seek lost profits damages under the…