Summary
finding plaintiff's allegations that defendants "failed to implement industry protocols and exercise reasonable care in protecting and safeguarding the PII and PHI of [plaintiff] and failed to heed industry warnings and alerts to provide adequate safeguards to protect the PII and PHI" sufficient to plead that defendants breached their duty (cleaned up)
Summary of this case from In re Mednax Servs., Inc., Customer Data Sec. Breach Litig.
Opinion
Case No. 8:21-cv-1478-MSS-SPF
2022-01-25
John Allen Yanchunis, Morgan & Morgan, PA, Ryan D. Maxey, Ryan Maxey Law, P.A., Tampa, FL, for Plaintiff. Kimberly J. Donovan, Jason Daniel Joffe, Squire Patton Boggs (US) LLP, Miami, FL, for Defendant Humana Inc. Julie Singer Brady, Baker & Hostetler, LLP, Orlando, FL, Michelle R. Gomez, Paul G. Karlsgodt, Pro Hac Vice, Baker & Hostetler LLP, Denver, CO, for Defendant Cotiviti, Inc.
ORDER
MARY S. SCRIVEN, UNITED STATES DISTRICT JUDGE
THIS CAUSE comes before the Court for consideration of Defendants’ Motions to Dismiss Plaintiff's Complaint, (Dkts. 15, 16), and Plaintiff's response in opposition thereto. (Dkt. 26) Upon consideration of all relevant filings, case law, and being otherwise fully advised, the Court GRANTS IN PART and DENIES IN PART the Motions to Dismiss.
I. BACKGROUND
A. Factual Background
This putative class action arises out of a data breach affecting customers of Humana, Inc., a medical benefit plan provider. (Dkt. 1-1 at ¶¶ 1, 3) In January 2019, Steven K. Farmer became a Humana member through his Medicare Advantage plan. (Id. at ¶ 54) To become a Humana member, Farmer was required to provide personally identifiable information ("PII"), including his name, Social Security number, and date of birth. (Id. ) Farmer alleges that he is "very careful" about sharing his PII, storing documents with such information in a "safe and secure location" and destroying them when necessary. (Id. at ¶ 57)
In December 2020, Humana learned that PII and protected health information ("PHI") of approximately 62,000 members had been exposed to "unauthorized individuals." (Id. at ¶ 3) Cotiviti, Inc., a Humana vendor, had collected members’ PII and PHI in order to verify data reported to the Centers for Medicare and Medicaid Services. (Id. at ¶ 21) Cotiviti, in turn, shared the PII and PHI with Visionary, a subcontractor hired to review medical records. (Id. at ¶¶ 25, 31) From October 2020 to December 2020, a Visionary employee disclosed medical records containing Humana members’ PII and PHI to "unauthorized individuals in an effort to provide medical coding training to those individuals for a personal coding business endeavor." (Id. at ¶ 25)
In March 2021, Humana sent Farmer a "Notice of Privacy Incident" that disclosed the data breach. (Id. ) Humana informed Farmer that unauthorized persons had obtained access to a wide variety of PII and PHI, including Social Security numbers, names, dates of birth, addresses, phone numbers, dates of service, medical record numbers, treatment-related information, and x-rays. (Id. )
Farmer alleges that Humana and Cotiviti failed to take "appropriate steps" to protect his and other Humana members’ PII and PHI. (Id. at ¶ 36) According to Farmer, the data breach would not have occurred if Humana and Cotiviti had implemented "appropriate technical safeguards" before sharing the PII and PHI with Visionary. (Id. at ¶ 35) Farmer also claims that, at the time of the data breach, Humana and Cotiviti departed from "standard industry rules, regulations, and practices" concerning the protection of PII and PHI. (Id. at ¶ 99)
Farmer identifies several injuries he and other unnamed class members allegedly suffered due to the data breach. (Id. at ¶¶ 11, 54-62) The injuries include (i) a "substantially increased risk of fraud" and "identity theft," (ii) "damages to and diminution in the value of [the] PII and PHI," (iii) "out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of [the] PII and PHI," (iv) time spent "dealing with the consequences of" the data breach, and (v) "anxiety and increased concerns for the loss of [ ] privacy." (Id. )
B. Procedural History
Farmer brought this putative class action against Humana and Cotiviti in Florida state court, asserting claims against both Defendants for negligence, invasion of privacy, breach of confidence, and violations of the Florida Deceptive and Unfair Trade Practices Act ("FDUTPA"), and a claim against Humana for breach of implied contract. (Dkt. 1; Dkt. 1-1) Farmer seeks to represent a nationwide class of Humana members whose PII and PHI were compromised in the data breach; he also seeks to represent a Florida subclass. (Dkt. 1-1 at ¶¶ 64-65) Defendants removed the action to federal court and moved to dismiss the Complaint for failure to state a claim. (Dkts. 1, 15, 16)
II. LEGAL STANDARD
A. Rule 12(b)(1)
Federal courts are courts of limited jurisdiction. "[B]ecause a federal court is powerless to act beyond its statutory grant of subject matter jurisdiction, a court must zealously ensure that jurisdiction exists over a case, and should itself raise the question of subject matter jurisdiction at any point in the litigation where a doubt about jurisdiction arises." Smith v. GTE Corp., 236 F.3d 1292, 1299 (11th Cir. 2001).
Motions to dismiss for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) may attack jurisdiction facially or factually. Morrison v. Amway Corp., 323 F.3d 920, 924 n.5 (11th Cir. 2003). "Facial attacks" on the complaint require the Court to examine the four corners of the complaint to determine if the plaintiff has sufficiently alleged a basis for subject matter jurisdiction, and the allegations in the complaint are taken as true for the purposes of the motion. Lawrence v. Dunbar, 919 F.2d 1525, 1528-29 (11th Cir. 1990). "Factual attacks," on the other hand, permit the Court to look outside the four corners of the complaint to determine if jurisdiction exists. Eaton v. Dorchester Dev., Inc., 692 F.2d 727, 732 (11th Cir. 1982). In a factual attack, the presumption of truthfulness afforded to a plaintiff under Rule 12(b)(6) does not attach. Scarfo v. Ginsberg, 175 F.3d 957, 960 (11th Cir. 1999) (citing Lawrence, 919 F.2d at 1529 ). Because the Court's authority to hear the case is at issue in a Rule 12(b)(1) motion, the Court is free to weigh evidence outside the complaint. Eaton, 692 F.2d at 732.
B. Rule 12(b)(6)
The threshold for surviving a motion to dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6) is a low one. Quality Foods de Centro Am., S.A. v. Latin Am. Agribusiness Dev. Corp., S.A., et al., 711 F.2d 989, 995 (11th Cir. 1983). A plaintiff must plead only enough facts to state a claim to relief that is plausible on its face. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S. Ct. 1955, 1968-69, 167 L.Ed.2d 929 (2007) (abrogating the "no set of facts" standard for evaluating a motion to dismiss established in Conley v. Gibson, 355 U.S. 41, 45-46, 78 S.Ct. 99, 2 L.Ed.2d 80 (1957) ). Although a complaint challenged by a Rule 12(b)(6) motion to dismiss does not need detailed factual allegations, a plaintiff is still obligated to provide the "grounds" for his entitlement to relief, and "a formulaic recitation of the elements of a cause of action will not do." Berry v. Budget Rent A Car Sys., Inc., 497 F. Supp. 2d 1361, 1364 (S.D. Fla. 2007) (quoting Twombly, 127 S. Ct. at 1964-65 ). In evaluating the sufficiency of a complaint in light of a motion to dismiss, the well pleaded facts must be accepted as true and construed in the light most favorable to the plaintiff. Quality Foods, 711 F.2d at 994-95. However, the court should not assume that the plaintiff can prove facts that were not alleged. Id. Thus, dismissal is warranted if, assuming the truth of the factual allegations of the plaintiff's complaint, there is a dispositive legal issue that precludes relief. Neitzke v. Williams, 490 U.S. 319, 326, 109 S.Ct. 1827, 104 L.Ed.2d 338 (1989).
III. DISCUSSION
A. Standing
Neither side argues that Farmer lacks standing to pursue his claims. Farmer contends, however, that in seeking dismissal of his negligence claim for failure to allege damages, Defendants have raised an "ill-disguised [standing] argument." (Dkt. 26 at 7) Although Farmer does not brief standing, he asks this Court to address the issue before turning to the merits of his claims. (Id. at 5-6) Regardless of whether the Parties raise standing, the Court "is obligated to inquire into subject matter jurisdiction sua sponte whenever it may be lacking." Univ. of S. Alabama v. Am. Tobacco Co., 168 F.3d 405, 410 (11th Cir. 1999). The Court concludes that Farmer has standing to bring his claims.
The "irreducible constitutional minimum of standing consists of three elements": "[t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, 578 U.S. 330, 338, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016). A plaintiff experiences an injury in fact when the plaintiff "suffer[s] an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical." Id. at 339, 136 S.Ct. 1540. "For an injury to be ‘particularized,’ it must affect the plaintiff in a personal and individual way." Id.
For an injury to be "concrete," it "must be ‘de facto ’; that is, it must actually exist." Id. at 340, 136 S.Ct. 1540. "Economic injuries are ‘[c]ertainly’ concrete." In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1262 (11th Cir. 2021) (quoting Debernardis v. IQ Formulations, LLC, 942 F.3d 1076, 1084 (11th Cir. 2019) ). "So are identity theft and damages resulting from such theft, as well as wasted time." Id. "A plaintiff can also satisfy the concreteness element by showing a ‘material’ risk of harm." Id. "Material" is "a familiar word that, in this context, means ‘important; essential; relevant.’ " Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 927 (11th Cir. 2020) (quoting New Oxford American Dictionary (3d ed. 2010)).
As for the actual-or-imminent element, "[w]hen there is no actual injury, an imminent injury must be certainly impending, as allegations of possible future injury are not sufficient." In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d at 1262. "It need not be literally certain that the injury will come about, but there must be a substantial risk." Id.
The Eleventh Circuit recently applied these principles in Equifax. That case arose from a data breach that exposed "at least 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million addresses, 17.6 million driver's license numbers, 209,000 credit card numbers, and 97,500 tax identification numbers." Id. The plaintiffs claimed that "identity thieves" could use this information to "create fake identities, fraudulently obtain loans and tax refunds, and destroy a consumer's credit-worthiness." Id. The plaintiffs also alleged that they " ‘remain[ed] subject to a pervasive, substantial and imminent risk of identity theft and fraud’ due to the ‘highly-sensitive nature of the information stolen,’ and that they spent time, money, or effort dealing with the breach." Id. The Eleventh Circuit held that, "[g]iven the colossal amount of sensitive data stolen, including Social Security numbers, names, and dates of birth, and the unequivocal damage that can be done with this type of data," the plaintiffs "adequately alleged that they face a ‘material’ and ‘substantial’ risk of identity theft that satisfies the concreteness and actual-or-imminent elements." Id. Accordingly, the plaintiffs had "plausibly alleged an injury in fact." Id.
The same conclusion follows here. Like the plaintiffs in Equifax, Farmer alleges that (i) unauthorized persons obtained access to a wide range of highly sensitive information about Humana members, including names, dates of birth, Social Security numbers, and addresses; (ii) "identity thieves" can use the PII stolen from Humana members to create fake identities and commit various forms of fraud, including "obtain[ing] driver's licenses, government benefits, [and] medical services"; (iii) Farmer faces a "substantially increased risk of fraud" and "identity theft" as a result of the data breach; and (iv) Farmer and the other class members spent money and time addressing the exposure of their PII and PHI. (Dkt. 1-1 at ¶¶ 11, 25, 41, 46) As in Equifax, these allegations are sufficient to plausibly plead that Farmer "face[s] a ‘material’ and ‘substantial’ risk of identity theft that satisfies the concreteness and actual-or-imminent elements." In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d at 1262.
Because Farmer adequately alleges that he suffered an injury in fact caused by Humana and Cotiviti and redressable "by a favorable judicial decision," he has standing to pursue his claims. Spokeo, Inc., 578 U.S. at 338, 136 S.Ct. 1540.
B. Negligence
Farmer asserts a negligence claim against Humana and Cotiviti, alleging that they breached their duty to take appropriate steps to safeguard Humana members’ PII and PHI, resulting in the data breach and the injuries described in the Complaint. (Dkt. 1-1 at ¶¶ 80-113) Defendants move to dismiss this claim. They argue that Farmer fails to adequately allege the elements of duty, breach, causation, and damages. (Dkt. 15 at 5-11; Dkt. 16 at 5-9) The Court concludes that Farmer has plausibly pled his negligence claim.
To state a claim for negligence, a plaintiff "must allege four elements: a duty, breach of that duty, causation, and damages." Virgilio v. Ryland Grp., Inc., 680 F.3d 1329, 1339 (11th Cir. 2012).
Farmer sufficiently alleges that Defendants owed a duty to take reasonable measures to safeguard Humana members’ PII and PHI. "[E]stablishing the existence of a duty under [Florida's] negligence law is a minimum threshold legal requirement that opens the courthouse doors ..., and is ultimately a question of law for the court rather than a jury." Id. "Where a defendant's conduct creates a foreseeable zone of risk, the law generally will recognize a duty placed upon defendant either to lessen the risk or see that sufficient precautions are taken to protect others from the harm that the risk poses." Kaisner v. Kolb, 543 So. 2d 732, 735 (Fla. 1989). Where, as here, a business "collect[s] sensitive, private data from consumers," it has "a duty to protect that information." Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1365 (S.D. Fla. 2017) ; see also In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848, at *8 (M.D. Fla. Jan. 27, 2020) ("Brinker, by collecting personal information and payment card data, had control over the information and had a duty to use reasonable care in protecting that data from theft.").
Defendants contend that they owed no duty because an employee of Visionary—a non-party—caused the data breach, and "one has no duty to control the conduct of another to prevent harm," including "the criminal acts of a third person." (Dkt. 16 at 6-7; see also Dkt. 15 at 6) This argument fails. The defendants in a similar data breach case argued that they had no duty to "ensure that a third-party hacker would be unable to invade a database that is in the possession of a third-party vendor." In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742, at *15 (D.N.J. Dec. 16, 2021). Applying Florida law, the court concluded that the defendants "define[d] [their] duty to Plaintiffs far too narrowly." Id. According to the court, "[t]he duty to Plaintiffs arose when Defendants collected Plaintiffs’ Personal Information and not, as Defendants try to frame the issue, when the Personal Information was stolen from [the third-party vendor]." Id. Although the defendants "did not have a duty to oversee the operations of [the third-party vendor]," they retained a "duty to take reasonable care by, for example, reasonably ensuring that the third-party collection agency they contracted with had adequate data security." Id. Here, Farmer plausibly pleads that Humana and Cotiviti owed a duty to ensure that Visionary "had the appropriate technical safeguards in place" concerning members’ PII and PHI. (Dkt. 1-1 at ¶ 35)
Farmer also sufficiently alleges that Defendants breached this duty. He pleads that Defendants (i) "fail[ed] to implement industry protocols and exercise reasonable care in protecting and safeguarding the PII and PHI of [Farmer]," and (ii) "failed to heed industry warnings and alerts to provide adequate safeguards to protect" the PII and PHI. (Id. at ¶¶ 98, 100) These allegations are sufficient to plead a breach of duty. See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *15 (holding that plaintiffs adequately pled breach of duty by alleging, among other things, that defendants "fail[ed] to implement measures to monitor, audit, or evaluate [a third-party vendor's] data security practices").
Finally, Farmer adequately pleads that Defendants’ breach of duty caused him cognizable injuries. Farmer alleges that the data breach would not have occurred had Humana and Cotiviti implemented "appropriate technical safeguards" before sharing the PII and PHI with Visionary. (Dkt. 1-1 at ¶ 35) The breach allegedly caused Farmer and other Humana members a variety of injuries, including (i) "out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of [the] PII and PHI," (ii) time spent "dealing with the consequences of" the data breach, and (iii) a "substantially increased risk of fraud" and "identity theft." (Id. at ¶¶ 11, 54-62) These allegations are sufficient to plead that Farmer incurred "some actual harm" as a result of the data breach. Am. Optical Corp. v. Spiewak, 73 So. 3d 120, 127 (Fla. 2011) ; see also In re GE/CBPS Data Breach Litig., No. 20 CIV. 2903 (KPF), 2021 WL 3406374, at *9 (S.D.N.Y. Aug. 4, 2021) (holding that plaintiff adequately pled "concrete damages as a proximate result of [a] [d]ata [b]reach" based on allegations that plaintiff experienced "ongoing, imminent, and impending threat of identity theft crimes, fraud, and abuse," and incurred "expenses" for "credit monitoring and identity theft insurance").
C. Breach of Implied Contract
Farmer seeks to hold Humana liable for breach of implied contract. (Dkt. 1-1 at ¶¶ 114-19) He contends that when he became a Humana member in 2019, the Parties entered an "implied contract" in which Humana agreed to "safeguard and protect" the PII and PHI he entrusted to Humana. (Id. at ¶ 116) That contract was allegedly breached when Humana failed to take appropriate measures to protect Farmer's PII and PHI, leading to the data breach that exposed the PII and PHI to unauthorized persons. (Id. at ¶¶ 118-19) Humana argues that this claim fails because Farmer does not allege (i) the existence of an implied contract, (ii) causation, or (iii) damages. (Dkt. 15 at 11-14) None of Humana's arguments support dismissal of the implied-contract claim.
"To establish the existence of a contract under Florida law, the plaintiff must show offer, acceptance, consideration, and specificity in terms of the contract." In re Brinker Data Incident Litig., 2020 WL 691848, at *4. "Implied contracts are inferred in whole or in part from the parties’ conduct." Id. "When considering whether an implied contract exists, a court should give ‘the effect which the parties, as fair and reasonable men, presumably would have agreed upon if, having in mind the possibility of the situation which has arisen, they had contracted expressly thereto.’ " Id. (quoting Bromer v. Fla. Power & Light Co., 45 So. 2d 658, 660 (Fla. 1950) ). "Because the parties’ conduct is central to determining whether an implied contract was formed, this determination is typically left for the fact finder." Id.
"The majority of federal courts have held that the existence of an implied contract to safeguard customers’ data could reasonably be found to exist between a merchant and customer when a customer uses a payment card to purchase goods and services." Id.; see also Torres v. Wendy's Int'l, LLC, No. 616CV210ORL40DCI, 2017 WL 8780453, at *3 (M.D. Fla. Mar. 21, 2017) ("[O]ther courts have found that a reasonable fact-finder could conclude an implied contract exists between the merchant and its customer when the customer uses a credit card to purchase products. Included in that implied contract is an agreement that the merchant will safeguard its customers’ data.").
Farmer does not claim to have used a "payment card" to sign up for Humana's services. The reasoning of these decisions, however, applies with equal force here. To become a Humana member, Farmer was required to provide a variety of PII, including his name, Social Security number, and date of birth. (Dkt. 1-1 at ¶ 54) Where, as here, "a person hands over sensitive information, in addition to receiving a ... service, they presumably expect to receive an implicit assurance that the information will be protected." Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016). In that situation, "[a] jury could reasonably conclude ... that an implicit agreement to safeguard the data is necessary to effectuate the contract." Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011). Thus, Farmer has adequately alleged the existence of an implied contract to safeguard his PII and PHI.
For the reasons explained above in connection with the negligence claim, Farmer has also sufficiently pled causation and damages. See Resnick v. AvMed, Inc., 693 F.3d 1317, 1324-28 (11th Cir. 2012) (analyzing, in data breach action, causation and damages elements of negligence and breach of contract claims together). Moreover, even if Farmer had not alleged "quantifiable damages," he could still recover nominal damages for the alleged breach of implied contract. See E-Z Pack Mfg., LLC v. RDK Truck Sales & Serv., Inc., No. 8:10-CV-1870-T-27AEP, 2011 WL 4343790, at *4 (M.D. Fla. Aug. 10, 2011) ("In a breach of contract action, even if a party is unable to sufficiently allege quantifiable damages, either because that party may be barred by the contract at issue or there is no evidence in support of actual damages, under Florida Law, a party may nevertheless recover nominal damages."), adopted by 2011 WL 3841631 (M.D. Fla. Aug. 30, 2011). Farmer has stated a plausible claim for breach of implied contract.
D. Invasion of Privacy
Farmer asserts a claim for invasion of privacy against Humana and Cotiviti, alleging that they "allowed unauthorized ... parties access to ... the PII and PHI of [Farmer] and [unnamed class members] by way of Defendants’ failure to protect the PII and PHI." (Dkt. 1-1 at ¶ 124) Defendants correctly argue that this claim fails because Farmer does not allege that Humana or Cotiviti intentionally revealed his PII and PHI. (Dkt. 15 at 14-15; Dkt. 16 at 9-13)
"Florida courts recognize the invasion of privacy tort under common law." T.G. v. Sears, Roebuck & Co., No. 06-61228-CIV, 2006 WL 8432512, at *6 (S.D. Fla. Nov. 20, 2006). "The elements for the tort of invasion of privacy by the disclosure of private facts are the following: (1) the publication, (2) of private facts, (3) that are offensive, and (4) are not of public concern." Woodard v. Sunbeam Television Corp., 616 So. 2d 501, 503 (Fla. 3d DCA 1993). Invasion of privacy is an intentional tort. Rowell v. Holt, 850 So. 2d 474, 478 n.1 (Fla. 2003) ; see also Chase Manhattan Inv. Servs., Inc. v. Miranda, 658 So. 2d 181, 182 (Fla. 3d DCA 1995) (describing "invasion of privacy" as an "intentional tort[ ]"). Thus, Florida courts routinely dismiss invasion-of-privacy claims where a plaintiff fails to allege that a defendant "intentionally divulged his PII," and instead asserts that "an unknown [person] stole the PII from [the defendant's] computer system." Burrows v. Purchasing Power, LLC, No. 1:12-CV-22800-UU, 2012 WL 9391827, at *6 (S.D. Fla. Oct. 18, 2012) ; see also Carlisi v. Sprintcom, Inc., No. 06-60751-CIV, 2006 WL 8432613, at *2 (S.D. Fla. Sept. 6, 2006) ("Here, Plaintiff alleges that Defendant is liable for invasion of privacy because Defendant negligently maintained its records allowing a third party to obtain private information about Plaintiff. This is insufficient to state a claim for the intentional tort of invasion of privacy because no cause of action can exist for the negligent commission of an intentional tort.").
Farmer's invasion-of-privacy claim fails because he does not allege that Humana or Cotiviti intentionally disclosed his PII and PHI to unauthorized persons. Instead, Farmer pleads that Defendants’ negligent "failure to protect the PII and PHI" resulted in the disclosure. (Dkt. 1-1 at ¶ 124) "This is insufficient to state a claim for the intentional tort of invasion of privacy because no cause of action can exist for the negligent commission of an intentional tort." Carlisi, 2006 WL 8432613, at *2 ; see also Burton v. MAPCO Exp., Inc., 47 F. Supp. 3d 1279, 1288 (N.D. Ala. 2014) ("Even if the defendants were negligent, as alleged, in safeguarding Mr. Burton's account information, such negligence does not morph into an intentional act of divulging his confidential information.").
E. Breach of Confidence
Farmer claims that Humana and Cotiviti are liable for breach of confidence because they "fail[ed] to prevent" the data breach, leading to the disclosure of Humana members’ PII and PHI to "unauthorized third parties." (Dkt. 1-1 at ¶ 138) Defendants are correct that this claim must be dismissed because there is no allegation that they "voluntarily or intentionally revealed [Farmer's] confidential information." (Dkt. 15 at 17)
"A breach of confidence ... involves the unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship." Muransky, 979 F.3d at 932. A breach-of-confidence claim thus requires a "disclosure." Id. Disclosure is "[t]he act or process of making known something that was previously unknown." In re Brinker Data Incident Litig., 2020 WL 691848, at *22 (quoting Disclosure, Black's Law Dictionary (11th ed. 2019)). Thus, a breach-of-confidence claim does not lie where a defendant's "inadequate security facilitated the theft" of information by "third-parties." Id. Instead, a plaintiff must allege that the defendant "affirmatively shared [ ] information" or performed some "act that made [the plaintiff's] information known." Id.; In re Ambry Genetics Data Breach Litig., No. SACV2000791CJCKESX, 567 F.Supp.3d 1130, 1146–47 (C.D. Cal. Oct. 18, 2021) ; see also Foster v. Health Recovery Servs., Inc., 493 F. Supp. 3d 622, 636 (S.D. Ohio 2020) (holding that plaintiff failed to state a claim for breach of confidence because "what is alleged is that a third party has exploited Defendant's security weakness to access the information without Defendant's authorization").
The claim for breach of confidence fails because "there are no alleged facts suggesting that Defendant[s] disclosed [Farmer's] information to a third party." Purvis v. Aveanna Healthcare, LLC, No. 1:20-CV-02277-LMM, 563 F.Supp.3d 1360, 1378 (N.D. Ga. Sept. 27, 2021). Instead, Farmer alleges that his PII and PHI were exposed in a data breach due to Humana and Cotiviti's failure to adequately safeguard this information. (Dkt. 1-1 at ¶ 138) These allegations sound in negligence, not breach of confidence. See In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d at 1146–47 (dismissing breach-of-confidence claim predicated on allegation that "unauthorized parties accessed the email account of an Ambry employee allowing unauthorized parties to access and acquire Plaintiffs’ and Class Members’ Private Information"); Purvis, 563 F.Supp.3d at 1378 (dismissing breach-of-confidence claim premised on allegations that "Defendant (1) allowed the disclosure to happen and (2) failed to heed warnings that its records might be targeted in a cyberattack"); In re Brinker Data Incident Litig., 2020 WL 691848, at *22 ("Even assuming, arguendo, that Brinker's inadequate security facilitated the theft, such a claim would lie in negligence not breach of confidence.").
F. FDUTPA
Finally, Farmer alleges that Humana and Cotiviti committed "unfair or deceptive acts" in violation of FDUTPA by, among other things, failing "to implement adequate data security practices to safeguard PII and PHI." (Dkt. 1-1 at ¶¶ 144-51) To remedy these alleged violations, Farmer seeks damages and injunctive relief, including an order requiring Defendants to "implement measures that ensure that the PII and PHI of Humana's current and former members is appropriately encrypted and safeguarded." (Id. at ¶¶ 150-51) Defendants contend that the FDUTPA claim fails because (i) Humana, as an insurer, is exempt from FDUTPA, (ii) Farmer fails to sufficiently allege a deceptive act or unfair practice, and (iii) Farmer does not adequately allege actual damages. (Dkt. 15 at 19-24; Dkt. 16 at 14-16) The Court concludes that the FDUTPA claim against Humana must be dismissed. The claim may proceed against Cotiviti, but only to the extent that Farmer seeks injunctive relief.
"[A] consumer claim for damages under FDUTPA has three elements: (1) a deceptive act or unfair practice; (2) causation; and (3) actual damages." Rollins, Inc. v. Butland, 951 So. 2d 860, 869 (Fla. 2d DCA 2006). "In the absence of actual damages, the FDUTPA permits any ‘aggrieved party’ to pursue injunctive relief." In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *29. "Put plainly, a plaintiff is ‘aggrieved’ under FDUTPA when the deceptive conduct alleged has caused a non-speculative injury that has affected the plaintiff beyond a general interest in curbing deceptive or unfair conduct." Superior Consulting Servs., Inc. v. Shaklee Corp., No. 616CV2001ORL31GJK, 2017 WL 2834783, at *7 (M.D. Fla. June 30, 2017).
Humana cannot be held liable under FDUTPA because it is an insurance company exempt from that statute's coverage. FDUTPA excludes from civil liability "[a]ny person or activity regulated under laws administered by ... The Office of Insurance Regulation of the Financial Services Commission." Fla. Stat. § 501.212(4)(a) (emphasis added). "The disjunctive ‘or’ in section 501.212(4) indicates that there are two separate and distinct exclusions from liability under FDUTPA—either ‘persons’ regulated under laws administered by certain administrative agencies, or ‘activities’ regulated under the same." CMR Constr. & Roofing, LLC v. Am. Cap. Assurance Corp., No. 220CV00416JLBNPM, 2021 WL 354167, at *2 (M.D. Fla. Feb. 2, 2021). For purposes of FDUTPA, "person" includes corporations. Fla. Stat. § 1.01(3). Humana asserts—and Farmer does not dispute—that Humana is an insurance company subject to regulation by the Office of Insurance Regulation. (Dkt. 15 at 20-21; Dkt. 26 at 27-28) Accordingly, Humana is a "person" covered by Fla. Stat. § 501.212(4)(a), and the FDUTPA claim against it must be dismissed. See Antoine v. State Farm Mut. Auto. Ins. Co., 662 F. Supp. 2d 1318, 1326 (M.D. Fla. 2009) ("State Farm Mutual Automobile Insurance Company, as its name reflects, is an insurance company," and thus "no cause of action may be maintained against it under the Florida Deceptive and Unfair Trade Practices Act.").
Cotiviti is not an insurance company. Nevertheless, Cotiviti contends that the FDUTPA claim against it fails because (i) Farmer does not allege a deceptive act or unfair practice, and (ii) there are no allegations of actual damages. (Dkt. 16 at 15-16) The first argument lacks merit. "An unfair practice is one that offends established public policy and one that is immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers." PNR, Inc. v. Beacon Prop. Mgmt., Inc., 842 So. 2d 773, 777 (Fla. 2003). "Courts have held that the failure to adequately secure Personal Information may qualify as an actionable ‘unfair practice’ under the FDUTPA." In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *28; see also Burrows, 2012 WL 9391827, at *6 ("Burrows's first FDUTPA allegation, that Defendants failed to adequately secure his PII, qualifies as an unfair practice."). Because Farmer alleges that Cotiviti failed "to implement adequate data security practices to safeguard PII and PHI," he has pled an unfair practice under FDUTPA. (Dkt. 1-1 at ¶¶ 144-51) Cotiviti is correct, however, that the FDUTPA damages claim must be dismissed. " ‘[A]ctual damages’ under FDUTPA is a term of art." ADT LLC v. Vivint, Inc., No. 17-CV-80432, 2017 WL 5640725, at *5 (S.D. Fla. Aug. 3, 2017). "In the context of FDUTPA, ‘actual damages’ are defined as the difference in the market value of the product or service in the condition in which it was delivered and its market value in the condition in which it should have been delivered according to the contract of the parties." Rodriguez v. Recovery Performance & Marine, LLC, 38 So. 3d 178, 180 (Fla. 3d DCA 2010). "This is the FDUTPA's sole permissible measure of recovery—the statute expressly excludes claims for personal injury or consequential damages to any ‘property other than the property that is the subject of the consumer transaction.’ " In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *28 (quoting Fla. Stat. § 501.212(3)).
In Brinker, the plaintiffs—victims of a data breach that exposed their "payment card information"—alleged that they suffered actual damages because they would have paid less to dine at Chili's "had Defendant disclosed its inadequate data security." In re Brinker Data Incident Litig., 2020 WL 691848, at *13. The court held that, for purposes of FDUTPA, the "property that [was] the subject of the consumer transaction" was "the food or drinks that Plaintiffs purchased." Id. According to the court, those items "ha[d] no diminished value because of [the] alleged inadequate data security." Id. Although the plaintiffs also alleged damages in the form of "unauthorized charges, lost time, and lost cash-back rewards," the court concluded that these were "consequential damages" that could not be recovered under FDUTPA. Id. Accordingly, the plaintiffs "failed to allege damages recognized under FDUTPA." Id.
Farmer does not describe the services he received from Cotiviti, a vendor Humana used for data reporting to the Centers for Medicare and Medicaid Services. (Dkt. 1-1 at ¶ 25) Nor does Farmer allege that any service he might have received from Cotiviti was reduced in value because of the company's allegedly inadequate data security. Instead, Farmer pleads that the alleged FDUTPA violations caused him and other unnamed class members "damages arising from identity theft and fraud; out-of-pocket expenses associated with procuring identity protection and restoration services; increased risk of future identity theft and fraud, and the costs associated therewith; and time spent monitoring, addressing, and correcting the current and future consequences of the data breach." (Id. at ¶ 149) These injuries are unrecoverable consequential damages. See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *28 ("Plaintiffs’ allegations of fraudulent charges, expended time, purchase of monitoring services, and hacked accounts are unrecoverable ‘consequential damages’ [under FDUTPA]."). Because Farmer does not plead that he received services from Cotiviti that declined in value because of inadequate data security, the FDUTPA claim for damages against Cotiviti is dismissed.
The FDUTPA claim against Cotiviti survives, however, to the extent Farmer seeks injunctive relief. As noted above, "[i]n the absence of actual damages, the FDUTPA permits any ‘aggrieved party’ to pursue injunctive relief." Id. at *29. A party is "aggrieved" if it suffered a "non-speculative injury that has affected [it] beyond a general interest in curbing deceptive or unfair conduct." Superior Consulting Servs., Inc., 2017 WL 2834783, at *7. Here, Farmer identifies a series of non-speculative injuries he suffered from the data breach, including (i) "out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of [his] PII and PHI," (ii) time spent "dealing with the consequences of" the data breach, and (iii) a "substantially increased risk of fraud" and "identity theft." (Dkt. 1-1 at ¶¶ 11, 54-62) These alleged injuries are sufficient to support a claim for injunctive relief under FDUTPA.
IV. CONCLUSION
Upon consideration of the foregoing, it is hereby ORDERED as follows:
1. Defendants’ Motions to Dismiss Plaintiff's Complaint, (Dkts. 15, 16), are GRANTED IN PART and DENIED IN PART.
a. The claims for invasion of privacy and breach of confidence are DISMISSED.
b. The FDUTPA claim against Humana is DISMISSED. The FDUTPA claim against Cotiviti is DISMISSED to the extent Farmer seeks damages. The FDUTPA claim against Cotiviti SURVIVES to the extent Farmer seeks injunctive relief.
c. The claims for negligence and breach of implied contract SURVIVE.
DONE and ORDERED in Tampa, Florida, this 25th day of January 2022.