From Casetext: Smarter Legal Research

In re Mednax Servs., Customer Data Sec. Breach Litig.

United States District Court, Southern District of Florida
Aug 18, 2022
No. 21-MD-02994-RAR (S.D. Fla. Aug. 18, 2022)

Opinion

21-MD-02994-RAR

08-18-2022

In re MEDNAX SERVICES, INC., CUSTOMER DATA SECURITY BREACH LITIGATION


This Document Relates to All Actions

ORDER GRANTING IN PART DEFENDANTS' PARTIAL MOTION TO DISMISS

RODOLFO A. RUIZ, II, UNITED STATES DISTRICT JUDGE.

THIS CAUSE comes before the Court upon Defendants' Partial Motion to Dismiss Plaintiffs' Consolidated Second Amended Complaint [ECF No. 123] (“Motion”). The Court having reviewed the briefs, the record, and applicable law, and being otherwise fully advised, it is

The Motion is fully briefed, including supplemental briefing on arguments as to Count VII that were not included in Defendants' Motion to Dismiss Plaintiffs' Consolidated Amended Complaint [ECF No. 84] as discussed infra Background. See [ECF Nos. 126, 128-30].

ORDERED AND ADJUDGED that Defendants' Motion is GRANTED IN PART as set forth herein.

BACKGROUND

The Court assumes the parties are familiar with the factual background of this case as extensively set forth in the Court's Order Granting in Part Defendant's Motion to Dismiss [ECF No. 104]. See In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., No. 21-02994, 2022 WL 1468057 (S.D. Fla. May 10, 2022) (“Mednax I”). In the wake of Mednax I, Plaintiffs filed their Consolidated Second Amended Complaint for Damages (“SAC”) [ECF No. 115] on June 10, 2022. Defendants filed their Motion on July 1, 2022, for the limited purpose of dismissing four of Plaintiffs' eleven remaining counts for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). Of the four counts included in the Motion, three (Counts IV, V, and VIII) were dismissed without prejudice and with leave to amend in Mednax I. See 2022 WL 1468057, at *29. Defendants primarily argue that Plaintiffs fail to remedy the defects prompting the Court's dismissal of these counts inMednaxI. See Mot. at 4-11. The other count (Count VII) was retained in Mednax I, but Defendants raise new arguments as to why it should be dismissed under relevant case law. Id. at 11-15. Although Defendants' inclusion of Count VII in the Motion amounts to a request for reconsideration of the Court's finding in Mednax I, the Court found Defendants' arguments sufficiently meritorious to necessitate supplemental briefing. See [ECF No. 127]. The Court has considered the parties' arguments in their supplemental briefs [ECF Nos. 129-30] and addresses them on the merits infra Analysis III.

ANALYSIS

I. Plaintiffs Are Entitled to Seek Declaratory and Injunctive Relief under the Florida Deceptive and Unfair Trade Practices Act (Count IV)

In Mednax I, the Court dismissed Plaintiffs' claim under the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”) because they did not sufficiently plead diminution in the value of the goods and services they received from Defendants as required when seeking damages under the statute. 2022 WL 1468057, at *15. In response to that ruling, Plaintiffs' SAC abandons their claim for damages and instead seeks only injunctive and declaratory relief. See SAC ¶¶ 531-32. Defendants raise four arguments in support of dismissal:

1) Plaintiffs' claims are equitable in nature and must be dismissed because Plaintiffs have an adequate remedy at law;
2) The injunctive and declaratory relief Plaintiffs seek is unavailable because Plaintiffs do not allege any facts from which the Court could plausibly conclude they would be irreparably harmed if such relief is not issued;
3) Plaintiffs are not entitled to the injunctive relief they seek because they do not plausibly allege a real and immediate threat of future injury; and
4) The Court has substantial discretion to deny Plaintiffs' request for declaratory relief.

Mot. at 4-8. Defendants' first two arguments miss the mark because they “confus[e] the requirements for injunctive or declaratory relief under federal [and other state] statutes with the quite different requirements under the FDUTPA.” Galstaldi v. Sunvest Cmtys. USA, LLC, 637 F.Supp.2d 1045, 1057 (S.D. Fla. 2009). Specifically, they cite the Court's finding in Mednax I that equitable “claims under California's Unfair Competition Law and Consumer Legal Remedies Act” require a plaintiff to “allege that he lacks an adequate remedy at law.” 2022 WL 1468057, at *18 (citing Sonner v. Premier Nutrition Corp., 971 F.3d 834, 839 n.2, 844 (9th Cir. 2020); In re Cal. Gasoline Spot Mkt. Antitrust Litig., No. 20-03131, 2021 WL 1176645, at *7-8 (N.D. Cal. Mar. 29, 2021)) (cleaned up); Mot. at 4. Among Defendants' other citations is the Supreme Court's requirement under the federal Patent Act that a party seeking injunctive relief must show “that it has suffered an irreparable injury” and “that remedies available at law, such as monetary damages, are inadequate to compensate for that injury.” eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 390 (2006); Mot. at 4.

But FDUTPA has a lower threshold: “Without regard to any other remedy or relief to which a person is entitled, anyone aggrieved by a violation of this part may bring an action . . . to enjoin a person who has violated, is violating, or is otherwise likely to violate this part.” Fla. Stat. § 501.211(1). As one court in this district explained, a “plain reading of the statute indicates that the [p]laintiff is entitled to declaratory and injunctive relief ‘without regard to any other remedy or relief to which a person is entitled.'” Weiss v. Gen. Motors LLC, 418 F.Supp.3d 1173, 1185-86 (S.D. Fla. 2019) (quoting Galstaldi, 637 F.Supp.2d at 1057). Further, “[t]here is no requirement that a plaintiff show an ongoing practice or irreparable harm, and declaratory relief is available regardless of whether an adequate remedy at law also exists.” Galstaldi, 637 F.Supp.2d at 1057; see also Carroll v. Lowes Home Ctrs., Inc., No. 12-23996, 2014 WL 1928669, at *4 (S.D. Fla. May 6, 2014). Defendants cite no countervailing authority supporting their arguments in the FDUTPA context.

Defendants' third argument essentially seeks to relitigate the issue of standing the Court exhaustively addressed in Mednax I. There, the Court found that the actual misuse and actual access of Plaintiffs' personal data resulting from Defendants' data security breach is sufficient to establish “a ‘substantial risk' of future harm, and thus, injury in fact for purposes of Article III standing regarding their claim for injunctive relief.” Mednax I, 2022 WL 1468057, at *7. This finding is sufficient to confer statutory standing under FDUTPA, and the Court need comment no further. See Desue v. 20/20 Eye Care Network, Inc., No. 21-61275, 2022 WL 796367, at *11 (S.D. Fla. Mar. 15, 2022).

Defendants' fourth argument, while correct, is of no moment because the Court finds that Plaintiffs seek remedies through FDUTPA that are not available through their other claims.

II. Plaintiffs Fail to Remedy the Defects of Their Claims under the Missouri Merchandising Practices Act (Count V) and the Virginia Consumer Protection Act (Count VIII)

In Mednax I, the Court dismissed Counts V and VIII (Counts IX and XV in Plaintiffs' original complaint) without prejudice, having found that Plaintiffs failed to state claims under the Missouri Merchandising Practices Act (“MMPA”) and the Virginia Consumer Protection Act (“VCPA”), respectively. 2022 WL 1468057, at *29. Out of an abundance of caution, the Court granted Plaintiffs leave to amend these counts in the event Plaintiffs could remedy their defects by alleging additional facts. Unfortunately, Plaintiffs still do not allege facts sufficient to state claims under the relevant statutes, so these counts must be dismissed with prejudice.

a. Missouri Merchandising Practices Act (Count V)

The Court found that Plaintiffs' original MMPA claim failed for two reasons. First, Plaintiffs insufficiently alleged “that [Defendant Mednax] failed to disclose information [it] knew or . . . should have known[ ] at the time of the relevant transactions.” Mednax I, 2022 WL 1468057, at *17. The Court found that Plaintiffs did “not allege when they received healthcare services from physicians affiliated with Defendants or that Defendants knew or should have known about any alleged data security flaws when Plaintiffs received healthcare services.” Id. Second, Plaintiffs did not plausibly allege how any unlawful act regarding the security of their information occurred in relation to the sale of merchandise as required by the MMPA. Id. Although intangible services may qualify as merchandise under the statute, the Court held that “Defendant Mednax sold healthcare services and not data security services,” so “[a]ny data security it provided to Plaintiffs was merely incidental-not in relation-to what it actually sold them.” Id. (citing Kuhns v. Scottrade, Inc., 868 F.3d 711, 719 (8th Cir. 2017)).

In their SAC, despite additional allegations, Plaintiffs fail to remedy the central defects of their original claim. See SAC ¶¶ 533-49. As to the first defect, Plaintiffs still do not allege when any Plaintiff received healthcare services from physicians affiliated with Defendants. See id. As to the second defect, Plaintiffs' only new allegation is the conclusory assertion that the “[p]rivacy and the security of Plaintiff's and the Missouri Subclass Members' PHI and PII is part of the services provided by Defendant [Mednax] and paid for by Plaintiff and the Missouri Subclass Members.” SAC ¶ 548. But this mere recitation of an element of an MMPA claim is unsupported by any factual allegations. Plaintiffs do not plausibly allege any sale of security services. They do not allege that they paid Defendant Mednax anything at all for data security, what data security services they purchased, or the amounts they paid for them. In short, Plaintiffs offer nothing to overcome the Court's finding that security services were merely incidental rather than central to the healthcare services they bargained for. Accordingly, Count V is DISMISSED with prejudice.

The Court also found in Mednax I that Plaintiffs' reliance on “studies showing an increase in healthcare-related cyberattacks as of 2014 as evidence that ‘Defendants were on notice' of their inadequate data security” was misplaced because “they fail[ed] to articulate why reports of cyberattacks in general would have revealed deficiencies in Defendants' security measures in particular.” Mednax I, 2022 WL 1468057, at *17. Plaintiffs' SAC more specifically alleges deficiencies in Defendant Mednax's email system that, coupled with industrywide reports of increased cyberattacks due to such deficiencies, should have placed Defendant Mednax on notice of the risk of potential cyberattacks. SAC ¶¶ 537-41. Because the other defects are fatal to Plaintiffs' MMPA claim, the Court need not reach the question of whether these additional allegations meet Plaintiffs' statutory requirement to demonstrate that Defendant Mednax failed to disclose information it should have known when Plaintiffs received healthcare services.

b. Virginia Consumer Protection Act (Count VIII)

As with Plaintiffs' MMPA claim, the Court dismissed Plaintiffs' original VCPA claim because they insufficiently alleged “that Defendants failed to disclose information [they] knew or . . . should have known[ ] at the time of the relevant transactions.” Mednax I, 2022 WL 1468057, at *17. But unlike the MMPA, the VCPA requires Plaintiffs to show that Defendants had actual knowledge they withheld from Plaintiffs. See, e.g., Allen v. FCA U.S. LLC, No. 1700007, 2017 WL 1957068, at *2-3 (W.D. Va. May 10, 2017); Lambert v. Downtown Garage, Inc., 553 S.E.2d 714, 718 (Va. 2001) (“We hold that a violation of the [VCPA] founded upon the nondisclosure of a material fact also requires evidence of a knowing and deliberate decision not to disclose the fact.”).

The VCPA claim in Plaintiffs' SAC remains virtually unchanged from the original. Consequently, the Court's finding that Plaintiffs' reliance on “studies showing an increase in healthcare-related cyberattacks as of 2014 as evidence that ‘Defendants were on notice' of their inadequate data security” is misplaced because “they fail to articulate why reports of cyberattacks in general would have revealed deficiencies in Defendants' security measures in particular” still applies. Mednax I, 2022 WL 1468057, at *17. Accordingly, Count VIII is DISMISSED with prejudice.

III. Plaintiffs Fail to State a Claim against Defendant American Anesthesiology under the New York General Business Law (Count VII)

In Mednax I, the Court declined to dismiss Plaintiffs' claim against Defendant American Anesthesiology under section 349 of the New York General Business Law, under which “an out-of-state victim possesses standing to sue . . . so long as some part of the underlying transaction occurred in New York State.” Wright v. Publishers Clearing House, Inc., 439 F.Supp.3d 102, 110 (E.D.N.Y. 2020) (citations omitted). The Court found that the necessary “part of the underlying transaction” was satisfied by Defendant American Anesthesiology's “overseeing or contributing to the protocols for properly safeguarding Plaintiffs' and putative Class Members' PHI and PII . . . in New York.” Mednax I, 2022 WL 1468057, at *15. Defendants renew their motion to dismiss this count based on a series of cases concerning the relevant meaning of “transaction” in the section 349 context. Mot. at 11-15. With the benefit of additional briefing, the Court finds it appropriate to reverse its holding in Mednax I as to Count VII (Count XI in the original complaint).

“The power to change an interlocutory ruling is within the sound discretion of a trial judge conducting his court in the interest of furthering the administration of justice.” Court-Appointed Receiver for Lancer Mgmt. Grp., LLC v. Redwood Fin. Grp., Inc., No. 06-60919, 2010 WL 2822053, at *1 (S.D. Fla. July 16, 2010).

Section 349 prohibits “[d]eceptive acts or practices in the conduct of any business, trade[,] or commerce or in the furnishing of any service in this state.” N.Y. Gen. Bus. Law § 349(a). Courts have interpreted the requirement that the act occur “in this state” to mean that “to qualify as a prohibited act under [section 349], the deception of a consumer must occur in New York.” Goshen v. Mut. Life Ins. Co. of N.Y., 774 N.E.2d 1190, 1195 (N.Y. 2002). Where a defendant keeps its headquarters and conducts its business is “irrelevant.” In re GE/CBPS Data Breach Litig., No. 20-2903, 2021 WL 3406374, at *13 (S.D.N.Y. Aug. 4, 2021). Section 349 “was not intended to police the out-of-state transactions of New York companies,” Goshen, 774 N.E.2d at 1196, so “clever rearticulations” of a defendant's headquarters do not state a valid section 349 claim, Wright, 439 F.Supp.3d at 110.

A narrow reading of section 349's territorial requirement thus looks at where a plaintiff was deceived. See Cruz v. FXDirectDealer, LLC, 720 F.3d 115, 122-23 (2d Cir. 2013) (citing cases focusing on where the deception occurred); Ovitz v. Bloomberg L.P., 909 N.Y.S.2d 710, 712 (N.Y.App.Div. 2010) (“The complaint also fails to state a cause of action under General Business Law § 349. Plaintiff, a resident of Illinois, was not deceived in New York State.”), aff'd, 967 N.E.2d 1170 (N.Y. 2012). But even under a more lenient approach, courts have held that at least part of “the transactions at issue must have occurred in New York.” Egan v. Telomerase Activation Scis., Inc., 8 N.Y.S.3d 175, 176 (N.Y.App.Div. 2015); see also Cruz, 720 F.3d at 122 (focusing on “the location of the transaction, and in particular the strength of New York's connection to the allegedly deceptive transaction, rather than ‘on the residency of the parties'” (quoting Goshen, 774 N.E.2d at 1196)); Morrissey v. Nextel Partners, Inc., 895 N.Y.S.2d 580, 587 (N.Y.App.Div. 2010) (“General Business Law § 349 requires the deceptive transaction to have occurred in New York and, therefore, no viable claim under the statute would lie for potential class members from outside the state who were victimized by defendant's practices.”); Drizin v. Sprint Corp., 785 N.Y.S.2d 428, 429 (N.Y.App.Div. 2004) (similar).

As to whether Plaintiffs were deceived in New York, the SAC contains no allegations to support such a finding. The SAC includes a conclusory assertion that “New Yorkers” were “affected by” Defendants' data security breach, SAC ¶ 567, but this allegation alone is insufficient. No named Plaintiff hails from New York, so the Court infers that this allegation refers to unnamed putative class members. But unnamed putative class members are not parties to this civil action, and “any claims that they might have . . . necessarily exist only by hypothesis.” In re Checking Acct. Overdraft Litig., 780 F.3d 1031, 1037 (11th Cir. 2015). Plaintiffs cannot use hypothetical claims of unnamed members of a non-certified class to survive Rule 12(b)(6).

The SAC also fails to aver whether part of any relevant transaction occurred in New York. Only Plaintiffs Nielsen and Lee allege any interaction with Defendant American Anesthesiology. See SAC ¶¶ 191, 218 (alleging these Plaintiffs received notice letters concerning Defendants' data security breach). And the only alleged transaction between Defendant American Anesthesiology and either Plaintiff Nielsen or Lee is the provision of healthcare. See id. ¶¶ 190, 217. As the Court found previously, this transaction occurred “in these Plaintiffs' home states, where they provided their PHI and PII to Defendants.” Mednax I, 2022 WL 1468057, at *5. Plaintiffs Nielsen and Lee are residents of Virginia and South Carolina, respectively; neither alleges to have ever set foot in New York, much less to have conducted any relevant transactions there.

Having found that the relevant transactions occurred outside New York, the Court need go no further. But for the sake of thoroughness, the Court also notes that any role Defendant American Anesthesiology played in data security or oversight was not a transaction that triggers section 349. Indeed, section 349 governs “consumer-oriented conduct,” 4 K & D Corp. v. Concierge Auctions, LLC, 2 F.Supp.3d 525, 548 (S.D.N.Y. 2014), and a transaction is an exchange between at least two people, see, e.g., Transaction, Webster's Third New International Dictionary (2002). Defendants cite numerous cases to support this reading of section 349. Mot. at 12-15. For example, in Wright, New York-based defendants allegedly “hatched” a deceptive advertising scheme “in New York,” “sent the relevant advertising materials from New York,” and “received payment and processed orders in New York.” 439 F.Supp.3d at 110. But the Wright court dismissed the section 349 claim against those defendants, explaining that “transactions occur where the consumer viewed the advertisement or purchased the product,” and the plaintiffs had not alleged their transactions took place in New York. Id. at 112. Similarly, the court in Fishon v. Peloton Interactive, Inc. held that not even “part” of a plaintiff's “specific transaction” occurred in New York-even though the plaintiff alleged that the “deceptive conduct was organized and perpetrated in [the defendant's] New York headquarters” and that the plaintiff's payment to the defendant ended up in a New York bank account. No. 19-11711, 2021 WL 2941820, at *4 (S.D.N.Y. July 12, 2021).

The Court's prior holding notwithstanding.

Plaintiffs' opposition to the Motion on this count is cursory at best. Faced with Defendants' persuasive array of legal precedent, Plaintiffs fail to articulate how their SAC plausibly alleges any facts suggesting that Defendant American Anesthesiology's data security or oversight fits into the framework of the case law governing consumer transactions under section 349. Nor do they cite any precedent of their own. Rather, Plaintiffs' two-page supplemental response doubles down on the undisputed fact that Defendant American Anesthesiology is headquartered in New York and offers the conclusory argument that, accordingly, “relevant transactions committed by Defendant [American Anesthesiology] occurred in New York.” [ECF No. 129] at 2. But as Wright and Fishon make clear, the so-called transactions Plaintiffs allege that Defendant American Anesthesiology unilaterally “committed”-e.g., that they “generated” and “signed” the notice letter in New York, “collaborated (impliedly from New York) to develop customized solutions that benefit its patients,” and “received patient Protected Health Information” at its headquarters in New York-are not transactions at all. Id. These are the types of “clever rearticulations” of a defendant's headquarters that do not state a valid section 349 claim. Wright, 439 F.Supp.3d at 110.

Plaintiffs request that, “should the Court conclude that Plaintiffs' allegations do not clearly state that Defendant American Anesthesiology engaged in relevant transactions in the [sic] New York or that patients were deceived in New York,” they be allowed to amend their allegations in a Third Amended Complaint. [ECF No. 129] at 2. Ordinarily, because Plaintiffs have had no opportunity to amend this count after a ruling on the merits, the Court would grant this request. But Plaintiffs do not provide the Court with a proposed Third Amended Complaint, nor do they indicate how they would amend this count. Indeed, it is readily apparent the non-transactions Plaintiffs reference in their cursory supplemental response would continue to form the basis of any allegations advanced in a Third Amended Complaint. Because such allegations would fail as a matter of law given the territorial and transactional requirements of section 349, amendment would be “futile.” Hall v. United Ins. Co. of Am., 367 F.3d 1255, 1263 (11th Cir. 2004). Accordingly, Count VII is DISMISSED with prejudice.

CONCLUSION

For the foregoing reasons, it is hereby

ORDERED AND ADJUDGED that Defendants' Motion [ECF No. 123] is GRANTED IN PART. Counts V, VII, and VIII are DISMISSED with prejudice.

DONE AND ORDERED.


Summaries of

In re Mednax Servs., Customer Data Sec. Breach Litig.

United States District Court, Southern District of Florida
Aug 18, 2022
No. 21-MD-02994-RAR (S.D. Fla. Aug. 18, 2022)
Case details for

In re Mednax Servs., Customer Data Sec. Breach Litig.

Case Details

Full title:In re MEDNAX SERVICES, INC., CUSTOMER DATA SECURITY BREACH LITIGATION

Court:United States District Court, Southern District of Florida

Date published: Aug 18, 2022

Citations

No. 21-MD-02994-RAR (S.D. Fla. Aug. 18, 2022)

Citing Cases

MacuHealth, LP v. Vision Elements, Inc.

Courts have interpreted this provision as establishing a lower threshold for injunctive relief than that…

In re Fortra File Transfer Software Data Sec. Breach Litig.

Despite Defendants' assertion that NationsBenefits is headquartered in Florida and not New York, this Court…