Opinion
23-cv-06950 (NSR)
09-16-2024
DOLORES GAY AND CORRINE JACOB, on behalf of themselves and all others similarly situated, Plaintiffs, v. GARNET HEALTH. Defendant.
OPINION & ORDER
NELSON S. ROMAN UNITED STATES DISTRICT JUDGE
Plaintiffs Dolores Gay (“Gay”) and Corrine Jacob (“Jacob”), on behalf of themselves and all others similarly situated (“Plaintiffs”), initiated this action on August 7, 2023 (ECF No. 1), alleging violations of the Electronic Communications Privacy Act 18 U.S.C. § 2511(1) (“ECPA”), New York Civil Rights Law §§ 50, 51, New York Consumer Law General Business Law § 349, as well as bringing common law claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment and negligence against Garnet Health (“Garnet” or “Defendant”).
Presently before the Court is the Defendant's Motion to Dismiss Plaintiffs' claims pursuant to Federal Rule of Civil Procedure 12(b)(6). For the following reasons, Defendant's Motion to Dismiss is DENIED IN PART and GRANTED IN PART.
BACKGROUND
The following facts are derived from the Complaint and are taken as true and construed in the light most favorable to the Plaintiffs at this stage.
Plaintiffs Dolores Gay and Corine Jacob bring this action as individuals and on behalf of all others similarly situated against Garnet. Plaintiffs are current patients of Garnet. (Compl. ¶¶ 35, 47.) Garnet is a not-for-profit New York corporation. (Id. ¶ 59.) Defendant is headquartered at 706 East Main Street, Middletown, New York 10940. (Id.) Defendant is a covered entity under the Health Insurance Portability and Accountability Act of 1996. (Id. ¶ 62.) Defendant is a provider of healthcare services to approximately 450,000 patients across Orange, Sullivan and Ulster Counties, and has over 4,000 healthcare professionals and 850 medical staff members. (Id. ¶ 61.)
Defendant owns and operates the website https://www.garnethealth.org/, along with the Garnet Health MyChart Account portal (collectively, the “Website”), which is accessible from Garnet's website. Plaintiffs use the Website to obtain information about different conditions and treatment opportunities, Defendant's locations and the available clinicians at each location, and the services offered to patients. (Id. ¶ 2.) Patients are also able to use a search bar on the Website where they can enter questions, symptoms, conditions, clinician names and other queries to obtain responsive information. (Id.) Patients also access their MyChart Patient Account through the Website; the MyChart Patient Account contains the patient's personally identifiable information (“PII”) and protected health information (“PHI”) (together, “Private Information”).
Defendant installed the Facebook Tracking Pixel (“Pixel”) on its Website. (Id. ¶ 2.) The Pixel enables the transmission of Plaintiffs' and Class Members' PII and PHI. (Id.) Defendant also allegedly installed the Facebook Conversion Application Programming Interface (“Conversions API”) on its Website. (Id. ¶ 4.) By doing so, Defendant facilitated additional unauthorized transmission of Plaintiffs' and Class Members' PII and PHI. (Id. ¶ 5.) Where the Tracking Pixel and Conversions API are installed on Defendant's Website, the information Plaintiffs submit through use of Defendant's Website is unlawfully disclosed to Facebook alongside the Plaintiffs' unique and persistent Facebook ID (“FID”). (Id. ¶¶ 7-8.) The Pixel communicates directly to Facebook from the Defendant's Website. (Id. ¶ 10.) The Pixel share's the user's Facebook User ID through a “cookie” Facebook stores whenever an individual accesses their Facebook account from the same web browser. (Id. ¶ 11.) Similarly, the Conversion API allows the Defendant to send information from their Webpage to Facebook. (Id. ¶ 14.) Defendant stores Plaintiffs' PII and PHI on its own server and then communicates this information to Facebook. (Id. ¶ 15.) Plaintiffs' activity on the Website is tracked by Conversion API and then transmitted directly to Facebook. (Id. ¶ 19.) From there, Facebook sells Plaintiffs' private information to third parties. (Id. ¶ 22.)
As an example, Plaintiffs made use of Defendant's Website to schedule appointments, communicate with doctors, complete patient web forms, and review medical and billing records. (Id. ¶ 23.) Afterwards, this information was transmitted from Defendant's Website to Facebook. (Id. ¶ 24.) Thereafter, Plaintiffs saw targeted ads tailored to the information transmitted by Defendant. (Id. ¶¶ 46, 58). Plaintiffs assert that Defendant utilized Facebook Pixel and Conversions API knowing that Plaintiffs' PHI and PII would be transmitted to Facebook. (Id. ¶ 30.) Consequently, Plaintiffs allege suffering injury as a result: invasion of privacy, lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Pixel, loss of benefit of the bargain, diminution of value of the Private Information, statutory damages and the continued and ongoing risk to their Private Information. (Id. ¶ 33.)
PROCEDURAL HISTORY
On August 7, 2023, Plaintiffs commenced this action against Defendant in its complaint (“the Complaint”.) (ECF No. 1.) On December 29, 2023, Defendant filed a motion to dismiss and its memorandum of law in support (the “Motion” or “Mot.”, ECF Nos. 20 and 21.) Plaintiffs filed an opposition to the Motion (the “Opposition” or “Opp.”, ECF No. 23.) The Defendant also filed a reply in further support of the Motion (the “Reply”, ECF No. 24.)
LEGAL STANDARD
A. Motion to Dismiss
Under Federal Rule of Civil Procedure 12(b)(6), dismissal is proper unless the complaint “contain[s] sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). When there are well-pled factual allegations in the complaint, “a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief.” Id. at 679. While the Court must take all material factual allegations as true and draw reasonable inferences in the non-moving party's favor, the Court is “not bound to accept as true a legal conclusion couched as a factual allegation,” or to credit “mere conclusory statements” or “[t]hreadbare recitals of the elements of a cause of action.” Id. at 678 (quoting Twombly, 550 U.S. at 555). The Second Circuit “deem[s] a complaint to include any written instrument attached to it as an exhibit or any statements or documents incorporated in it by reference . . . and documents that plaintiffs either possessed or knew about and upon which they relied in bringing the suit.” Rotham v. Gregor, 220 F.3d 81, 88 (2d Cir. 2000) (internal citations omitted). The critical inquiry is whether the Plaintiff has pled sufficient facts to nudge the claims “across the line from conceivable to plausible.” Twombly, 550 U.S. at 570. A motion to dismiss will be denied where the allegations “allow[] the court to draw the reasonable inference that the Defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678.
DISCUSSION
Plaintiffs bring claims pursuant to Electronic Communications Privacy Act 18 U.S.C. § 2511(1) (“ECPA”), New York Civil Rights Law §§ 50, 51, New York Consumer Law General Business Law § 349, as well as common law claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment and negligence. Plaintiffs' claims of negligence, unjust enrichment, and breach of implied contract must be dismissed. The Motion to Dismiss is denied as to Plaintiffs' claims under the ECPA, New York Civil Rights Law, New York Consumer Law General Business Law and Plaintiffs' breach of fiduciary duty/confidentiality claim.
A. Electronic Communications Privacy Act, 18 U.S.C. § 2511(1) et seq
For an ECPA claim to survive a motion to dismiss based on the one-party consent rule, the Plaintiff must make sufficient allegations that “support an inference that the offender intercepted the communication for the purpose of a tortious or criminal act that is independent from the intentional act of recording.” Caro v. Weintraub, 618 F.3d 94, 100 (2d Cir. 2010). The criminal or tortious purpose exception is to be construed narrowly. United States v. Jiau, 734 F.3d 147, 152 (2d Cir. 2013)
Plaintiffs are able to survive this threshold. Plaintiffs did not consent to the interception, but one-party consent is sufficient under the ECPA. Kwok Sze v. Pui-Ling Pang, No. 15-CV-447 CS, 2015 WL 6867134, Note 3 (S.D.N.Y. Nov. 9, 2015) (noting that § 2511(1) allows for interceptions with one-party consent). Where Defendant's conduct became problematic is where it intended to transmit Plaintiffs' PHI and PII without Plaintiffs' consent for commercial purposes. (Compl. ¶ 215.) Through the alleged use of the Pixel and Conversion API, “Defendant's [interception] of patient communications [] were used and disclosed to Facebook and Google . . . for purposes of committing criminal and tortious acts in violation of . . . HIPAA, 42 U.S.C. § 1320d-6 (“HIPAA”).” (Id. ¶ 216.) HIPAA makes it a criminal violation to disclose individually identifiable health information to another person without the patient's consent. 42 U.S.C. § 1320d-6. The Complaint alleges that Defendant's use of Pixel and Conversion API was to “track and utilize Plaintiffs' and Class Members PHI and PII for financial gain,” in violation of applicable laws such as HIPAA.
Plaintiffs' Complaint explicitly asserts that Defendant's interception and transmitting of Plaintiffs' PHI and PII was for the purpose of “increase[ing] its profit margins” and for “financial gain.” (Compl. ¶ 209.) The Complaint sufficiently alleges an independent action secondary to the interception; Plaintiff states that Defendant used and accessed Plaintiffs' and Class Members' data to “send identifiers and the content of communications with Defendant simultaneously to Defendant and Facebook, Google, and others.” (Id. ¶ 222.) By inserting various programs, the Defendant “commanded Plaintiffs' and Class Members' computing devices to remove and redirect their data and the content of their communications with Defendant to Google, Facebook, and others.” (Id. ¶ 227.)
Similar allegations have been found to be sufficient to invoke the criminal or tortious exception to the one-party consent rule under the ECPA. See Cooper v. Mount Sinai Health Sys., Inc., No. 23 CIV. 9485 (PAE), 2024 WL 3586357 (S.D.N.Y. July 30, 2024). Here, the Court denied a motion to dismiss by Defendant Mount Sinai against Plaintiff Ronda Cooper. Cooper argued that Mount Sinai intercepted their communications - user activity on Mount Sinai's Web Properties. Mount Sinai was a party to the communication, therefore requiring the crime-tort exception to apply in order for Mount Sinai to be liable under the ECPA. Cooper sought to invoke the exception, arguing “Mount Sinai intercepted their communications with the purpose of disclosing them to Facebook and other third parties without Plaintiffs' consent ‘in violation of the laws of the United States and New York.'” Id. at *6. Cooper alleged that “Mount Sinai disclosed Plaintiffs' names, emails, computer IP addresses, device identifiers, web URLs, and the days on which they sought treatment, as well as the services they selected and their patient statuses, medical conditions, treatments, and provider and appointment information.” Id. at *7. Subsequently, “Plaintiffs thereafter received targeted ads on Facebook keyed to their confidential health conditions.” Id. The Court therefore concluded this sufficiently pled that “at least some information transmitted was individually identifiable health information.” Id.
Mount Sinai, similar to Garnet, installed a Pixel to its webpage throughout “a multistep process that must be undertaken by the website owner.” Id. The complaint alleged that “Mount Sinai routinely sent Facebook individually identifiable information that Plaintiffs had entered into Mount Sinai's Web Properties.” Id. The Court found that Mount Sinai “engaged in such disclosures knowingly and deliberately.” Id. at *8. As a result, the Court declined to grant the motion to dismiss the ECPA claim, finding that the complaint plausibly supported the inference that “Mount Sinai, for commercial ends, intentionally disclosed individually identifiable patient health information, and thus violated HIPAA, which makes it a crime for a health care provider to disclose individually identifiable health information for commercial gain.” Id.
The Court finds Cooper instructive. Like Mount Sinai, Garnet installed a Pixel (the Facebook Tracking Pixel) as well as the Facebook Conversions Application Programming Interface (“Conversion API”) on its website. (Compl ¶¶ 3, 4.) Like Mount Sinai, Garnet “routinely sent Facebook [and Google] individually identifiable information that Plaintiffs had entered into [Garnet Health's] Web Properties” in violation of applicable law such as HIPAA. Cooper, 2024 WL 3586357 *8. According to the Complaint, this information included “medical treatment sought, the particular health condition, and the fact that the individual attempted to or did book a medical appointment.” (Compl. ¶ 21.) Plaintiff Corinne Jacob alleged that she “used Defendant for a breast biopsy procedure” and that “[s]ubsequent to visiting Defendant's Website to view her test results, Plaintiff began seeing advertisements related to the treatment of breast cancer.” (Id. ¶ 46.) Plaintiff Dolores Gay similarly alleged that after using the Defendant's website she has “seen numerous targeted advertisements on Facebook related to her medical conditions and treatments sought through Garnet Health.” (Id. ¶ 58.) Thus, as was the case in Cooper, this dynamic evidences an intent on Garnet's part to commit tortious or unlawful conduct at the time of interception as required to state an ECPA claim, making the application of the criminal or tortious conduct exception applicable. Cooper, 2024 WL 3586357, *8. Kane, like Cooper, significantly overlaps with the facts before the Court presently, further counseling against dismissal of Plaintiffs' ECPA claim.
Further caselaw supports rejecting Garnet's efforts to dismiss Plaintiffs' ECPA claim. Paralleling Cooper, in Kane v. Univ. of Rochester, No. 23-CV-6027-FPG, 2024 WL 1178340 (W.D.N.Y. Mar. 19, 2024) the Court denied a motion to dismiss an ECPA claim with similar allegations to Plaintiffs'. Therein, the Kane Plaintiffs used the University of Rochester's website to search for, make appointments with and communicate with healthcare providers. Id. at *1. Plaintiffs alleged that the University of Rochester used two web tracking products (the same before the Court presently), the Facebook Tracking Pixel and the Conversions Application Program Interface. Plaintiffs alleged that the University of Rochester transmitted their personally identifiable information and non-public health information to Facebook without consent. Id. The Court therefore concluded that “Plaintiffs can invoke the tort-crime exception. Plaintiffs have alleged that Defendant configured the Pixel to collect and disclose, among other things, that a specific user booked an appointment and the search terms that the user entered to find that provider . . . [that information] would be associated with a particular Facebook User . . . They have further alleged that Defendants disclosed this information to enhance its marketing efforts. . . Accordingly, Plaintiffs have plausibly alleged that Defendant's purpose was to commit an act that is punishable as a crime under 42 U.S.C. § 1320d-6: knowingly disclose [individually identifiable health information] without authorization for marketing purposes.” Id. at 7.
Courts in other circuits have likewise declined to dismiss ECPA claims based around criminal or tortious use of private and protected data relating to patient's medical care. See Mekhail v. N. Mem'l Health Care, No. 23CV00440KMMTNL, 2024 WL 1332260, *5 (D. Minn. Mar. 28, 2024). Here, the Court denied Defendant's motion to dismiss where Plaintiff alleged the interceptions were made to access and monetize her private and protected health data, noting that the Plaintiff “sufficiently plead an interception made with the purpose of violating one or more laws, independent of the act of interception itself”). The Court further stated that “the parties require discovery to determine whether [the Defendant's] actions do, in fact, constitute conduct required to invoke the crime-tort exception. But at this stage, [Plaintiff's] ECPA [] claims may proceed.” Id. at *5. See also Kurowski v. Rush Sys. for Health, No. 22 C 5380, 2023 WL 8544084, *3 (N.D. Ill.Dec. 11, 2023) (denying motion to dismiss where Plaintiff alleged that defendant knowingly transmitted metadata for the purpose of financial gain and that such allegations were “sufficient to invoke the HIPAA [criminal or tortious] exception-to-the-party exception” for a Wiretap Claim).
Therefore, considering Cooper and Kane, as well as precedent in other circuits, the Court finds that Plaintiffs have sufficiently stated a claim under the ECPA 18 U.S.C. § 2511(1). It may be discovery reveals that Defendant had neither a criminal nor tortious intent, but at the motion to dismiss stage Plaintiffs have met their burden for their ECPA claim to survive.
B. Breach of Fiduciary Duty/Confidentiality and Negligence
The elements of a breach of fiduciary duty/confidentiality claim under a physician-patient are: (1) existence of physician-patient relationship; (2) the physician's acquisition of information relating to the patient's treatment or diagnosis; (3) the disclosure of such confidential information to a person not connected with the patient's medical treatment, in a manner that allows the patient to be identified; (4) lack of consent for that disclosure; and (5) damages. See Chanko v. Am. Broad. Cos. Inc., 27 N.Y.3d 46, 53-54 (2016). To state a negligence claim, “a plaintiff must demonstrate that the defendant owed plaintiff a duty and breached it, and that his injury proximately resulted from that breach.” Gewirtz v. City of New York, 196 N.Y.S.3d 683, 687 (N.Y. Sup. Ct. 2023).
Plaintiffs' negligence claim is subsumed within Plaintiffs' claim of breach of fiduciary/confidentiality. Regarding their negligence claim, Plaintiffs allege that “Defendant owed Plaintiffs and Class Members a duty to keep their Private Information completely confidential, and to safeguard sensitive personal and medical information.” (Id. ¶ 267.) Plaintiffs assert that Defendant breached this duty because “[c]ontrary to its duties as a medical provider and its express promises of confidentiality, Defendant installed its Pixel and Conversion API to disclose and transmit to third parties Plaintiffs' and Class Members' communications with Defendant, including Private Information and the contents of such information.” (Id. ¶ 269.) The Complaint, as written, does not differentiate between Defendant's legal duty as a healthcare provider and an independent legal duty of care. Cf Smith v. Home Depot U.S.A., Inc., No. 2:20-CV-4125 (DRH) (AKT), 2021 WL 4904572 (E.D.N.Y. Oct. 21, 2021) (declining to dismiss negligence claim as duplicative where the Complaint differentiated between the Defendant's legal duty under contract and independent legal duty of care). The harm Plaintiffs allege for their breach of fiduciary duty/confidentiality claim under the physician-patient relationship and harm Plaintiffs allege for their negligence claim are identical. (Compl. ¶¶ 193, 272.) Such identicality “further demonstrate[s] that these claims are duplicative.” See Beck v. Metro. Bank Holding Corp., No. 2:23-CV-07564 (NJC) (ARL), 2024 WL 3849461, *18 (E.D.N.Y. Aug. 16, 2024) (granting motion to dismiss where negligence claim was duplicative of breach of contract claim, noting that the damages asserted between the two claims were the same).
Just as in Beck, where the court dismissed a negligence claim as duplicative of a breach of contract claim, here the Court finds Plaintiffs' negligence claim to be duplicative of Plaintiffs' breach of fiduciary duty/confidentiality claim and is dismissed without prejudice. Plaintiffs may amend their complaint to more specifically allege the legal duty owed to Plaintiffs by Defendant independent of the physician-patient relationship, and to allege any differentiating harm Plaintiffs have allegedly suffered.
Regarding Plaintiffs' breach of fiduciary/confidentiality claim, the Court finds that Plaintiffs have successfully stated such claim. Jacob and Gay both assert they are patients of the Defendant. (Compl. ¶¶ 36, 48.) Defendant acquired information relating to Jacob and Gay's treatment and/or diagnosis. (Id. ¶¶ 37-40, 49-52.) Because of Defendant's alleged use of the Pixel and Conversion API, confidential information related to Plaintiffs' treatment was transmitted to a party not connected to Plaintiffs' medical treatment (e.g., Facebook) in a manner that allowed the patient to be identified. (Id.¶ 85.) Plaintiffs did not consent to this disclosure. (Id. ¶¶ 42, 54.) Plaintiffs allege they have suffered harm, namely: “a. Sensitive and confidential information that Plaintiffs and Class Members intended to remain private is no longer private; b. Plaintiffs and Class Members face ongoing harassment and embarrassment in the form of unwanted targeted advertisements; c. Defendant eroded the essential confidential nature of the provider-patient relationship; d. General damages for invasion of their rights in an amount to be determined by a jury; e. Nominal damages for each independent violation; f. Defendant took something of value from Plaintiffs and Class Members and derived benefit therefrom without Plaintiffs' and Class Members' knowledge or informed consent and without compensation for such data; g. Plaintiffs and Class Members did not get the full value of medical services for which they paid, which included Defendant's duty to maintain confidentiality; h. Defendant's actions diminished the value of Plaintiffs' and Class Members' Private Information; and i. Defendant's actions violated property rights Plaintiffs and Class members have in their private information.” (Id. ¶ 193.) Accordingly, Plaintiffs have successfully stated a breach of fiduciary duty/confidentiality claim.
C. Invasion of Privacy, New York Civil Rights Law §§ 50, 51
Plaintiffs have withdrawn their Invasion of Privacy claim arising under New York Civil Rights Law §§ 50, 51. (Opp., note 3). Accordingly, Count III of Plaintiffs' Complaint is dismissed with prejudice.
D. Breach of Implied Contract
“A contract may be implied in fact where inferences may be drawn from the facts and circumstances of the case and the intention of the parties as indicated by their conduct.” Matter of Boice, 640 N.Y.S.2d 681, 683 (1996). Plaintiffs allege that when they provided their PHI and PII to Defendant “they entered into an implied contract pursuant to which Defendant agreed to safeguard and not disclose their private information without their consent.” (Compl. ¶ 253.) Earlier on in their complaint, Plaintiffs reference Defendant's Notice of Privacy Practices, which states that “use and disclosure of your medical information for marketing purposes or involving a sale of your information will be made only with your written authorization.” (Id. ¶ 135.)
However, absent from the Complaint is that Plaintiffs viewed Defendant's NOPP in deciding whether to engage Defendant's services. For a contract to be formed, there must be mutual assent. See Virgilio Trailer Corp. v. Ferrandino & Son, Inc., 184 N.Y.S.3d 385, 387 (2023). Plaintiff cannot have assented to assurances described in the NOPP if they did not view the Defendant's policies at the time of contract formation. Id. Accordingly, Plaintiffs cannot state a claim for breach of implied contract at this time. Plaintiffs may amend their complaint to allege sufficient details indicating Plaintiffs, at the time of contract formation, was aware of these provisions and assented to them.
E. Unjust Enrichment
To state a claim for unjust enrichment, the claimant must allege (1) the other party was enriched, (2) at the party's expense and (3) that it is against equity and good conscience to permit the other party to retain what is sought to be recovered. Georgia Malone & Co. v. Rieder, 973 N.E.2d 743, 746 (2012).
The Complaint does allege that Defendant made use of Plaintiffs' PII and PHI. (Compl. ¶¶ 262-264.) Defendant was enriched by the disclosure of Plaintiffs' information because “[i]n exchange for disclosing the Private Information of its patients, Defendant is compensated by Facebook in the form of enhanced advertising services and more cost-efficient marketing on Facebook.” (Id. ¶ 162.) Plaintiffs allege they have suffered due to Defendant's conduct because they were not compensated for use of their Private Information. (Id. ¶ 264.) Plaintiffs demand that Defendant should be “compelled to disgorge into a common fund for the benefit of Plaintiffs and Class Members all unlawful or inequitable proceeds.” (Id. ¶ 265.) While such allegations are necessary for an unjust enrichment claim, they are not sufficient. The unjust enrichment claim duplicates Plaintiffs' breach of fiduciary duty/breach of confidentiality in its allegations around use of Plaintiffs' private data and the alleged damages suffered. (Id. ¶¶ 193, 261-262.) “An unjust enrichment claim is not available where it simply duplicates or replaces a conventional contract or tort claim.” See Carovillano v. Sirius XM Radio Inc., No. 23 CIV. 4723 (PAE), 2024 WL 450040, *13 (S.D.N.Y. Feb. 6, 2024) (internal citations omitted). Here, Plaintiffs' unjust enrichment claim duplicates their breach of fiduciary duty/breach of confidentiality claim - a tort claim. See Fedell v. Wierzbieniec, 127 Misc.2d 124, 127485 N.Y.S.2d 460 (Sup. Ct. 1985), aff'd, 116 A.D.2d 990, 498 N.Y.S.2d 1013 (1986) (recognizing breach of confidence as a tort action and holding other causes of action attempting to duplicate the claim as inappropriate). Thus, Plaintiffs' unjust enrichment claim is dismissed as duplicative without prejudice. Cooper v. Anheuser-Busch, LLC, 553 F.Supp.3d 83, 116 (S.D.N.Y. 2021) (dismissing unjust enrichment claim where it was “premised on the same factual allegations as those supporting Plaintiffs' other claims, and Plaintiffs have not alleged distinct damages with respect to this claim”). Plaintiffs may amend their complaint to demonstrate distinct factual allegations and damages to support an unjust enrichment claim.
F. New York Consumer Law General Business Law § 349
To state a claim under § 349, “a plaintiff must allege that a defendant engaged in consumer-oriented conduct that was materially misleading and that the plaintiff suffered an injury as a result.” Miguel Frias, Jessica Avilez and Roy Campbell, individually & on behalf of all others similarly situated, Plaintiffs, v. Mars Wrigley Confectionery U.S. LLC, Defendant., No. 23 CIV. 4422 (AT), 2024 WL 3988667, *2 (S.D.N.Y. Aug. 28, 2024). A consumer for § 349 is one “‘who purchase[s] goods and services for personal, family or household use.'” Exxonmobil Inter-Am., Inc. v. Advanced Info. Eng'g Servs., Inc., 328 F.Supp.2d 443, 449 (S.D.N.Y. 2004).
Plaintiffs plead that Defendant violated its express policy. See (Compl. ¶¶ 132-136.) Specifically, Plaintiffs allege that Defendant misrepresented its privacy and security policy regarding management of patient health information. (Id.) Plaintiffs note that Defendant does not inform patients of its actions in transmitting information from Defendant's Website to Facebook. (Id.) Given the discrepancy between the policies explicitly articulated by the Defendant and the actual conduct carried out regarding Plaintiffs PHI and PII, at this stage in the case, Plaintiffs have sufficiently alleged that the conduct was materially misleading.
Plaintiffs assert that because of Defendant's misrepresentations, they have “lost money or property in the form [of] monies paid for Defendant's services, diminution in value of their Private Information, as well as loss of the benefit of their bargain with Defendant.” (Id. ¶ 287.) Defendant's motion to dismiss argues that Gay and Jacob “do not identify any alleged injury that is resulting from Garnet Health's claimed deception.” (Mot. p. 9). Per Miguel Frias, Plaintiffs can establish injury where they allege they did not receive the full value of her purchase - which can be done by stating that plaintiff would not have purchased the product or been willing to pay as much had they known the true facts. Miguel Frias, 2024 WL 3988667, *4. Here, the closest Plaintiffs get to this language is when Plaintiffs state “Plaintiffs and Class Members would not have trusted Defendant with their Private Information in the absence of an implied contract between them and Defendant obligating Defendant to not disclose Private Information without consent. Plaintiffs and Class Members would not have retained Defendant to provide healthcare services in the absence of an implied contract between them and Defendant obligating Defendant to not disclose Private Information without consent.” (Compl. ¶¶ 254-255.) While these allegations are made under Count IV Breach of Implied Contract, Plaintiffs here are clearly stating they would not have purchased the product or service had they known the true facts. This is sufficient for the purposes of pleading injury. See Pichardo v. Only What You Need, Inc., No. 20-CV-493 (VEC), 2020 WL 6323775 (S.D.N.Y. Oct. 27, 2020) (holding that Plaintiff sufficiently pled injury where they asserted that had they known the true facts they would not have purchased the product). Additionally, Plaintiffs allege the “loss of the benefit of their bargain with Defendant.” (Compl. ¶ 287.) Plaintiffs here are pleading that they did not receive the full value of their purchased services. Accordingly, Plaintiffs sufficiently alleged that the Defendant materially misrepresented its services offered and that, as a result, they suffered injury. Thus, Plaintiffs have sufficiently pled a claim under New York Consumer Law General Business Law § 349.
CONCLUSION
For the foregoing reasons, the Court GRANTS the Defendant's motion to dismiss Plaintiffs' Breach of Implied Contract, Unjust Enrichment and Negligence Causes of Action against Defendant without prejudice. Plaintiffs' Invasion of Privacy Claim under New York Civil Rights Law §§ 50 and 51 is dismissed with prejudice. Defendant's motion to dismiss is DENIED as to Plaintiffs' Breach of Fiduciary Duty/Confidentiality, ECPA, and New York General Business Law § 349 claims. Plaintiffs are granted leave to file an Amended Complaint by October 21, 2024. Plaintiffs are advised that the Amended Complaint will replace, not supplement, the Complaint, and so any claims that it wishes to pursue must be included in, or attached to, the Amended Complaint. Should Plaintiffs file an Amended Complaint, the Defendant is directed to answer or otherwise respond by November 12, 2024. If Plaintiffs fail to timely file an Amended Complaint within the time allowed, those claims that were dismissed without prejudice shall be deemed dismissed with prejudice. If no Amended Complaint is timely filed, the Defendant is directed to file an answer on or before October 28, 2024 and the parties are directed to complete and file a Case Management Plan and Scheduling Order by November 11, 2024.
The Clerk of Court is respectfully directed to terminate the motion at ECF No. 20.
SO ORDERED.