Summary
holding that plaintiff did not have standing even though she alleged that the defendants "breached their contractual obligation to protect her sensitive information"
Summary of this case from Dinerstein v. Google, LLCOpinion
Case Number: 14–24583–CIV–MARTINEZ–GOODMAN
02-26-2016
Kellie Lynn Case, individually and on behalf of a class of similarly situated individuals, Plaintiff, v. Miami Beach Healthcare Group, Ltd., et al., Defendants.
Steven R. Jaffe, Farmer Jaffe Weissing Edwards Fistos & Lehrman PL, Fort Lauderdale, FL, for Plaintiff. Gavrila Alexa Brotz, Irma T. Reboso-Solares, Magda Christina Rodriguez, Stephen Jay Bronis, Walter J. Tache, Carlton Fields Jorden Burt, P.A., Freddy Funes, Daniel S. Gelber, Adam Michael Schachter, Freddy Funes, Gelber Schachter & Greenberg, P.A., Miami, FL, for Defendants.
Steven R. Jaffe, Farmer Jaffe Weissing Edwards Fistos & Lehrman PL, Fort Lauderdale, FL, for Plaintiff.
Gavrila Alexa Brotz, Irma T. Reboso-Solares, Magda Christina Rodriguez, Stephen Jay Bronis, Walter J. Tache, Carlton Fields Jorden Burt, P.A., Freddy Funes, Daniel S. Gelber, Adam Michael Schachter, Freddy Funes, Gelber Schachter & Greenberg, P.A., Miami, FL, for Defendants.
ORDER GRANTING MOTION TO DISMISS AND DISMISSING SECOND AMENDED COMPLAINT FOR LACK OF JURISDICTION
JOSE E. MARTINEZ, UNITED STATES DISTRICT JUDGE
THIS CAUSE came before the Court upon Defendants Miami Beach Healthcare Group, Ltd. d/b/a Aventura Hospital and Medical Center (“Miami Beach Healthcare”) and HCA–Emcare Holdings, LLC d/b/a Valesco Ventures' (“Valesco”) (collectively “Defendants”) Motion to Dismiss the Second Amended Complaint and to Strike Class Allegations. (D.E. No. 64). Plaintiff Kellie Lynn Case, individually and on behalf of a class of similarly situated individuals, filed her Second Amended Class Action Complaint (“Second Amended Complaint”) against Defendants for breach of express contract, and, alternatively, breach of implied contract or restitution/unjust enrichment arising out of a data breach that affected over 85,000 of the Defendants' patients. (D.E. No. 58).
Defendants argue that the Court should dismiss the Second Amended Complaint and strike class allegations for three reasons. First, Defendants argue that Case lacks Article III standing to bring this action. See Fed.R.Civ.P. 12(b)(1). Second, Defendants assert that Case fails to state a claim upon which relief may be granted. See Fed.R.Civ.P. 12(b)(6). Finally, Defendants argue that, even if Case's Second Amended Complaint survives this Motion to Dismiss, the Court should strike Case's class action allegations because her claims are atypical of the other members of the class. After careful consideration and for the reasons set forth below, the Court grants the Defendants' Motion to Dismiss for lack of subject matter jurisdiction.
I. Factual Background
Defendants jointly work together to provide healthcare services to patients at Aventura Hospital and Medical Center. (D.E. No. 58, Pl.'s 2d Am. Compl. at ¶ 2). Prior to September 2014, Case received medical care at Aventura Hospital and Medical Center. (Id. at ¶ 33). As part of the patient-admission process, she provided Defendants with sensitive information, including, among other things, her name, date of birth, and protected health information (collectively “sensitive information”). (Id. at ¶¶ 1, 34). Case also agreed to pay Defendants in exchange for any health care services. (Id. at ¶ 34). In return, the Defendants promised to provide her with healthcare services and protect her sensitive information. (Id. at ¶ 33).
Generally, the Defendants store and maintain their patients' records, including sensitive information, on a commercial database on their servers. (Id. at ¶ 18). In September 2014, the Defendants announced that, sometime during 2012, an employee of Miami Beach Healthcare gained unauthorized access to their patient database, and, over the course of two years, removed the records of over 85,000 patients, including Case. (Id. at ¶¶ 6, 19–21, 37). As a result of this breach, Case claims that she did not receive the entirety of the services for which she paid, and as a result, “she paid more than she otherwise would have.” (Id. at ¶¶ 35, 38). In other words, Case alleges that had she known of Defendants' “substandard security procedures and methods of protecting and storing her [s]ensitive [i]nformation,” she would have paid substantially less for the healthcare services she received, or would not have paid at all. (Id. at ¶ 36).
II. Legal Standard
A motion to dismiss for lack of subject matter jurisdiction pursuant to Fed.R.Civ.P. 12(b)(1) can be based upon either a facial or factual challenge to the complaint. If the challenge is facial, the plaintiff is left with safeguards similar to those retained when a Rule 12(b)(6) motion to dismiss for failure to state a claim is raised. McElmurray v. Consolidated Gov't of Augusta–Richmond Cty., 501 F.3d 1244, 1251 (11th Cir.2007). Accordingly, the court must consider the allegations in the plaintiff's complaint as true. Id. “A ‘facial attack’ on the complaint ‘require[s] the court merely to look and see if [the] plaintiff has sufficiently alleged a basis of subject matter jurisdiction, and the allegations in [her] complaint are taken as true for the purposes of the motion.” Id. (quoting Lawrence v. Dunbar, 919 F.2d 1525, 1529 (11th Cir.1990) ). Factual attacks, however, challenge the existence of subject matter jurisdiction in fact, irrespective of the pleadings, and matters outside the pleadings, such as testimony and affidavits are considered. Id. In sum, a district court has the power to dismiss for lack of subject matter jurisdiction on any of three separate bases: (1) the complaint alone; (2) the complaint supplemented by undisputed facts evidenced in the record; or (3) the complaint supplemented by undisputed facts, plus the court's resolution of disputed facts. Williamson v. Tucker, 645 F.2d 404, 413 (5th Cir.1981).
III. Discussion
Article III of the U.S. Constitution limits federal courts' jurisdiction to certain cases and controversies. Clapper v. Amnesty Int'l USA, ––– U.S. ––––, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013). One element of the case-or-controversy requirement is that a plaintiff must establish that she has standing to sue. Id. In other words, the plaintiff bears the burden of establishing Article III standing. Id. at 1148–49. Specifically, to establish Article III standing, the plaintiff must show that:
(1) [she] has suffered an “injury in fact” that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant [s]; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.
Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir.2012) (quoting Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000) ). At the pleading stage, general factual allegations of injury resulting from a defendant's conduct may suffice to establish standing. Resnick, 693 F.3d at 1323. However, a “[f]ailure to satisfy any of these requirements is fatal.” I.L. v. Alabama, 739 F.3d 1273, 1278 (11th Cir.2014).
In Resnick, the Eleventh Circuit held that the plaintiffs, on behalf of their representative class, had standing to sue the defendant, a health care service provider, because the plaintiffs alleged that they suffered a monetary loss as a result of identity theft. 693 F.3d at 1321. The plaintiffs also asserted a breach of contract claim. Id. at 1321, 1323. There, the defendant had two laptops stolen from one of its offices. Id. at 1322. The laptops contained the sensitive information including the names, social security numbers, addresses, and phone numbers of approximately 1.2 million clients, including the plaintiffs. Id.
Both of the named plaintiffs alleged that they had taken various steps to protect their identities before the laptops were stolen. Id . at 1322. After the laptops were stolen, both of the plaintiffs became the victims of identity theft. Specifically, one of the plaintiff's sensitive information was used to open bank accounts and activate credit cards that were used to make unauthorized purchases. The second plaintiff's sensitive information was used to open online financial accounts, which were subsequently overdrawn. Id. Because the plaintiffs “alleged only actual—not speculative—identity theft,” the Eleventh Circuit did not address “whether speculative identity theft would be sufficient to confer standing.” Id. at 1323 n. 1.
However, as this Court noted in Burrows v. Purchasing Power, LLC, No. 1:12–cv–22800–UU, 2012 WL 9391827, slip op. at n. 5 (S.D.Fla.2012),
“The clear implication taken from this distinction [between plaintiffs who allege actual identity theft and those who allege speculative identity theft] is that a plaintiff who alleges actual identity theft without economic harm has an injury for standing purposes under Resnick, whereas a plaintiff who alleges only speculative harm would not have standing under that case.”
Here, while Case claims that an unauthorized person obtained her sensitive information, she does not claim that this information was actually misused, or that the unauthorized disclosure of her sensitive information caused her any type of harm, economic or otherwise. Instead, Case claims that she meets the standing requirement because the Defendants breached their contractual obligation to protect her sensitive information, and as a result, she received a diminished value of the healthcare services for which she contracted.
In support of her argument, Case relies on two cases, neither of which are binding on this Court. In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197 (N.D.Cal.2014) ; In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154 (D.Minn.2014). In In re Adobe, the defendant, a software company, announced that hackers had breached its servers and gained access to “the personal information of at least 38 million customers, including names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses.” 66 F.Supp.3d at 1206. Importantly, the court noted that the plaintiffs alleged that “[s]ome of the stolen data ha[d] already surfaced on the Internet, and other hackers [had] allegedly misused it....” Id. at 1215.
There, the plaintiffs, who were Adobe customers and had provided Adobe with personal information, alleged that they had all suffered at least one of three types of cognizable injuries-in-fact: (1) increased risk of future harms; (2) cost to mitigate the risk of future harm; and/or (3) loss of the value of their Adobe products. Id. at 1207–11. The court held, in part, that the plaintiffs established Article III standing because they “plausibly alleged that they face[d] a substantial, ‘certainly impending’ risk of harm” from the data breach. Id. at 1220. In making this determination, the court relied on the plaintiffs' allegations that some of the stolen data, although not their own, had already surfaced on the Internet. Id. at 1214.
Similarly, in In re Target, the court found that the plaintiffs had Article III standing to bring suit against Target after a data breach in Target's security system allowed hackers to access approximately 110 million customers' credit and debit card information. 66 F.Supp.3d at 1158–59. The plaintiffs asserted several causes of action, including breach of contract. Id. at 1158. There, again, the court noted that the named plaintiffs had sufficiently pleaded that they suffered injuries as a result of the data breach, “including unlawful charges, restricted or blocked access to back accounts, inability to pay other bills, and late payment charges or new card fees.” Id. at 1159.
Here, unlike the plaintiffs in these above-mentioned cases, Case did not allege that any of her sensitive information was misused, or that she suffered any negative consequences from the data breach. She merely alleged that she “did not receive the entirety of the services she paid for and, as a result, she paid more than she otherwise would have.” (D.E. No. 58, Pl.'s 2d Am. Compl. ¶¶ 35, 36, 38). This identified injury—“the difference between the price [Case] paid for Defendants' services as promised and the actual diminished value of [her] health care services[,]” is not sufficiently concrete or particularized to meet this Court's jurisdictional requirements. (Pl.'s 2d Am. Compl. ¶ 57). Based on a review of the documents submitted in support of the Motion to Dismiss, this Court is not persuaded that Defendants' charges to Plaintiff explicitly or implicitly included the cost of data protection, such that an employee's access to sensitive information, without more, would necessarily diminish the value of the services that Plaintiff received. (D.E. No. 64, Exhs.1–A, 1–B). Moreover, a further review of the supporting documentation, namely the Plaintiff's itemized bill and subsequent Statement of Account, reveal that Plaintiff only paid a de minimis amount of her total bill, thus rendering negligible any purported injury she sustained or damages she incurred based on her asserted claims. (See D.E. Nos. 64–1, Exh. 1 at 2–3; 78–2, 78–3, Exhs. 1 and 2 of the Reply, filed under seal, in Support of the Motion to Dismiss).
Therefore, even viewed in the light most favorable to Case, her present allegations alone are insufficient to confer standing. Because this Court lacks jurisdiction based on Case's lack of standing, it need not address the remaining arguments raised in Defendants' Motion to Dismiss.
Accordingly, it is hereby ORDERED AND ADJUDGED that:
1. Defendants' Motion to Dismiss the Plaintiff's Second Amended Complaint (D.E. No. 64) is GRANTED. Plaintiff's Second Amended Complaint (D.E. No. 58) is DISMISSED for lack of jurisdiction.
2. The Clerk is directed to DENY ALL PENDING MOTIONS AS MOOT.
This case is CLOSED.
DONE AND ORDERED in Chambers at Miami, Florida, this 25 day of February, 2016