Opinion
Civil Action FILE 1:23-CV-2043-TWT
07-25-2024
DAMON X. MILLER, on behalf of himself and all others similarly situated, Plaintiff, v. NEXTGEN HEALTHCARE, INC., Defendant.
OPINION AND ORDER
THOMAS W. THRASH, JR., UNITED STATES DISTRICT JUDGE
This is a data breach case. It is before the Court on the Defendant's Motion to Dismiss [Doc. 60]. For the reasons outlined below, the Defendant's Motion to Dismiss [Doc. 60] is GRANTED in part and DENIED in part.
The Court accepts the facts as alleged in the Consolidated Class Action Complaint as true for purposes of the present Motion to Dismiss. Wildling v. DNC Servs. Corp., 941 F.3d 1116, 1122 (11th Cir. 2019).
This case involves the breach of an electronic health record (“EHR”) system. The Defendant NextGen Healthcare, Inc. is a health information technology company that develops and provides EHR and practice management services to healthcare providers. (Consolidated Class Action Compl. ¶ 28). EHR systems typically:
(1) identify and maintain a patient records [sic]; (2) manage patient demographics; (3) manage problem lists; (4) manage medication lists; (5) manage patient histories; (6) manage clinical documents and notes; (7) capture external clinical
documents; (8) present care plans, guidelines, and protocols; (9) manage guidelines, protocols and patient-specific care plans; and (10) generate and record patient-specific instructions.(Id. ¶ 32). One of NextGen's most popular EHR and practice management solutions is its NextGen Office Software, which provides many of the features described above. (Id. ¶¶ 30, 32). NextGen provides its services to healthcare providers. (Id. ¶ 1). Then, to receive healthcare services at a NextGen-affiliated healthcare provider, patients-such as the Plaintiffs- must agree to provide and entrust their private information to NextGen. (See id. ¶¶ 156, 165, 175, 184, 193, 202, 212, 222, 232, 241, 249, 258).
The named Plaintiffs include Corina Alvarado, Elizabeth Appleton, Abolanle Abikoye, Brooke Bailey, Shawna Kerr, Damon Miller, Carter Bundy, Rosa Akhras, Srinkanth Alturi, Scott Phillips, Corey Benn, and Bellvinia Brickle. (Consolidated Class Action Compl. ¶¶ 13-24).
Between at least March 29, 2023 and April 14, 2023, a hacker infiltrated the NextGen Office system and proceeded to access and exfiltrate private information stored on NextGen systems. (Id. ¶¶ 39, 45). The private information accessed and exfiltrated included full names, dates of birth, addresses, and Social Security numbers. (Id.). The Plaintiffs are individuals whose private information was accessed during the data breach. (Id. ¶¶ 151-265). NextGen claims to have discovered the data breach on or about March 30, 2023. (Id. ¶ 40). It began notifying state attorneys general and affected patients on or about April 28, 2023. (Id.). Following the data breach, NextGen offered each of the affected patients 24 months of free credit monitoring through Experian's Identity Works. (Id. ¶ 293)
The Plaintiffs allege that NextGen could have prevented the Data Breach by properly securing and encrypting the systems containing the Plaintiffs' private information. (Id. ¶ 99). However, it failed to do so, even though NextGen was previously breached in January 2023. (Id. ¶¶ 52-64, 106). As a result of the data breach, the Plaintiffs have, inter alia, had bad actors attempting to access their accounts or open new ones, had their money stolen by bad actors, had their credit scores drop because of hard inquiries initiated by bad actors, and been harassed by spam texts, phone calls, and unwanted food deliveries. (Id. ¶¶ 159, 169, 205, 216, 226). To mitigate the effects of the data breach, the Plaintiffs have been required to take various forms of remedial action, including taking time to review their credit profiles and financial statements, changing account passwords and other information, freezing their credit, paying for credit monitoring, and closing accounts, among other things. (Id. ¶¶ 158-59, 168-69, 178, 187-88, 196-97, 205, 215, 225-26, 235, 244, 252, 261). Based on these alleged events, the Plaintiffs assert 25 claims on behalf of themselves and similarly situated individuals. (Id. ¶¶ 301-657). NextGen now moves to dismiss most of those claims.
“Given the difficulty of eliminating malware once it has infiltrated a company's network,” it is possible that the data breach that affected the Plaintiffs “may be a continuation of the January 2023 data breach that NextGen failed to discover” rather than an additional and independent breach. (Consolidated Class Action Compl. ¶ 57).
II. Legal Standard
A complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a “plausible” claim for relief. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); Fed.R.Civ.P. 12(b)(6). A complaint may survive a motion to dismiss for failure to state a claim, however, even if it is “improbable” that a plaintiff would be able to prove those facts; even if the possibility of recovery is extremely “remote and unlikely.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007). In ruling on a motion to dismiss, the court must accept the facts pleaded in the complaint as true and construe them in the light most favorable to the plaintiff. See Quality Foods de Centro Am., S.A. v. Latin Amwi. Agribusiness Dev. Corp., S.A., 711 F.2d 989, 994-95 (11th Cir. 1983); see also Sanjuan v. American Bd. of Psychiatry & Neurology, Inc., 40 F.3d 247, 251 (7th Cir. 1994) (noting that at the pleading stage, the plaintiff “receives the benefit of imagination”). Generally, notice pleading is all that is required for a valid complaint. See Lombard's, Inc. v. Prince Mfg., Inc., 753 F.2d 974, 975 (11th Cir. 1985). Under notice pleading, the plaintiff need only give the defendant fair notice of the plaintiff's claim and the grounds upon which it rests. See Erickson v. Pardus, 551 U.S. 89, 93 (2007) (citing Twombly, 550 U.S. at 555).
III. Discussion
NextGen contends that 22 of the Plaintiffs' 25 claims should be dismissed for failure to state a claim. The Court addresses each argument in order.
A. Unjust Enrichment (Count III)
The Plaintiffs raise a claim of unjust enrichment on behalf of themselves and a nationwide class. (Consolidated Class Action Compl. ¶¶ 366-85). To state a claim for unjust enrichment, a plaintiff must allege the following: “(1) the plaintiff has conferred a benefit on the defendant; (2) the defendant has knowledge of the benefit; (3) the defendant has accepted or retained the benefit conferred; and (4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying for it.” Jenkins v. BAC Home Loan Servicing, LP, 822 F.Supp.2d 1369, 1377 (M.D. Ga. 2011) (citation omitted). NextGen challenges the Plaintiffs' claim on two grounds. First, NextGen argues that the claim fails because the Plaintiffs have not conferred a direct benefit on NextGen. (Def.'s Br. in Supp. of Mot. to Dismiss, at 6-7). Second, NexGen contends that the Plaintiffs have failed to allege that NextGen had knowledge of any benefit that was conferred by the Plaintiffs. (Id., at 7-8). The Court agrees that the failure to confer a direct benefit dooms the Plaintiffs' claim.
Under Georgia law, “unjust enrichment claims lie only in those situations where a defendant has received a direct benefit from a plaintiff.” Archer v. Holmes, 2018 WL 534475, at *5 (N.D.Ga. Jan. 23, 2018) (citations omitted); see also In re White, 559 B.R. 787, 807 (Bankr. N.D.Ga. 2016); Peterson v. Aaron's, Inc., 2015 WL 5479877, at *2 (N.D.Ga. Sept. 16, 2015); Brown v. Cooper, 237 Ga.App. 348, 350-51 (1999). The Plaintiffs do not allege that they directly conferred any benefit to NextGen. Instead, they allege that they conferred a benefit to their healthcare providers and those providers conferred a benefit to NextGen. (Consolidated Class Action Compl. ¶ 368). This is insufficient to allege a claim for unjust enrichment. Count III should be dismissed.
The only Georgia case the parties cite to involving a data breach is In re Equifax. There, the court granted the motion to dismiss as to anyone who did not have a contract with Equifax and instead had their private information “conferred on Equifax by third parties, and not by the Plaintiffs themselves.” In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1329-30 (N.D.Ga. 2019).
B. Intrusion Upon Seclusion (Count IV)
The Plaintiffs assert an intrusion upon seclusion claim against NextGen. (Consolidated Class Action Compl. ¶¶ 386-403). NextGen moves to dismiss the claim because third-party hackers rather than NextGen invaded the Plaintiffs' privacy. (Def.'s Br. in Supp. of Mot. to Dismiss, at 8-9). Moreover, NextGen notes that the Plaintiffs do not allege any sort of unreasonable surveillance by NextGen. (Id. at 9-10). The Plaintiffs counter that NextGen unreasonably failed to take sufficient steps to protect Plaintiffs' private information, which they assert is sufficient to state a claim. (Pls.' Br. in Opp'n of Mot. to Dismiss, at 13-14). The Court disagrees.
“The tort of intrusion involves an unreasonable and highly offensive intrusion upon another's seclusion.” Summers v. Bailey, 55 F.3d 1564, 1566 (11th Cir. 1995). “The ‘unreasonable intrusion' aspect of the invasion of privacy involves a prying or intrusion, which would be offensive or objectionable to a reasonable person, into a person's private concerns.” Yarbray v. S. Bell Tel. & Tel. Co., 261 Ga. 703, 705 (1991) (citation omitted). This tort requires “a plaintiff [to] show a physical intrusion which is analogous to a trespass; however, this ‘physical' requirement can be met by showing that the defendant conducted surveillance on the plaintiff or otherwise monitored [plaintiff's] activities.” Sitton v. Print Direction, Inc., 312 Ga.App. 365, 369 (2011) (quotation marks and citations omitted).
The Plaintiffs' allegations fail to plausibly state a claim under these standards. In Purvis v. Aveanna Healthcare, LLC, 563 F.Supp.3d 1360, 1377-78 (N.D.Ga. 2021), the court dismissed a similar claim of intrusion upon seclusion based on the failure to keep sensitive information safe. Contrary to the Plaintiffs' suggestion, however, the court did not hang its hat entirely on the conclusory nature of the allegations. It stated:
Aside from [the Plaintiffs'] conclusory allegations . . ., Plaintiffs have not plausibly alleged any facts indicating that Defendant-
as opposed to the third party that allegedly carried out the Data Breach-actively participated in the alleged intrusion into Plaintiffs' affairs. Instead, the central narrative of Plaintiffs' factual allegations is that Defendant failed to take sufficient precautions to prevent this intrusion.Id. at 1377 (citations omitted). Accordingly, the court held that “even if one accepts Plaintiffs' allegations for the sake of argument, they are still insufficient for stating a claim for intrusion upon seclusion under Georgia law.” Id. at 1378 (citation omitted); cf. Prutsman v. Nonstop Admin. & Ins. Servs., Inc., 2023 WL 5257696, at *1 (N.D. Cal. Aug. 16, 2023) (dismissing under California law an intrusion upon seclusion claim related to a data breach because “[n]othing in the complaint suggests that Nonstop was anything but negligent and passive.”); In re Accellion, Inc. Data Breach Litig., 2024 WL 333893, at *15 (N.D. Cal. Jan. 29, 2024) (applying California law to dismiss an intrusion upon seclusion claim related to a data breach and noting “there is no authority that suggests that failure to take adequate measures to protect against the intentional intrusion of a third party satisfies the first element of a claim for intrusion on seclusion.” (quotation marks and citation omitted)).
Similar to the above cases, the Plaintiffs here do not allege that NextGen participated with the third-party hackers to steal the Plaintiffs' private information. Rather, the claim is predicated on the fact that NextGen did not do enough to fend off the third-party hackers. While the failure to put adequate protections in place may be sufficient for other causes of action, it does not state a claim for intrusion upon seclusion. The Court will therefore dismiss Count IV of the Consolidated Class Action Complaint.
C. Breach of Implied Contract (Count V)
The Plaintiffs raise a claim for breach of implied contract. (Consolidated Class Action Compl. ¶¶ 404-20). NextGen argues that the Plaintiffs have failed to plausibly allege a meeting of the minds. (Def.'s Br. in Supp. of Mot. to Dismiss, at 10-11). In response, the Plaintiffs abandon this claim. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 14). The Court construes the Plaintiffs' abandonment as a request for leave to amend the Consolidated Class Action Complaint to omit and withdraw Count V pursuant to Rule 15, which the Court grants. See Perry v. Schumacher Grp. Of La., 891 F.3d 954, 958 (11th Cir. 2018) (“There are multiple ways to dismiss a single claim without dismissing an entire action. The easiest and most obvious is to seek and obtain leave to amend the complaint to eliminate the remaining claim, pursuant to Rule 15.”). This Order effectuates this amendment such that the Plaintiffs shall not be required to docket an Amended Consolidated Class Action Complaint in order to conform the pleadings to the directives of this Order. See Silver Comet Terminal Partners, LLC v. Paulding Cnty. Airport Auth., 2023 WL 2988443, at *9-10 (11th Cir. Apr. 18, 2023).
D. Breach of Bailment (Count VI)
NextGen's next argument is that the Plaintiffs fail to plausibly state their breach of bailment claim. (Def.'s Br. in Supp. of Mot. to Dismiss, at 12-13). “A bailment is a delivery of goods or property upon a contract, express or implied, to carry out the execution of a special object beneficial either to the bailor or bailee or both and to dispose of the property in conformity with the purpose of the trust.” O.C.G.A. § 44-12-40. NextGen contends that the claim fails because there is no alleged agreement between the parties and because it never had exclusive possession of the Plaintiff's information. (Id.). For their part, the Plaintiffs argue that there does not need to be direct contact between the parties for a breach of bailment claim and that medical providers' access to the information does not preclude this claim. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 15-17). The Court finds that the Plaintiffs have failed to state a breach of bailment claim.
Courts have generally rejected bailment theories against defendants who allegedly did not adequately protect private information from data breaches. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 2017 WL 4918634, at *1-2 (S.D. Ohio Oct. 31, 2017) (“A number of courts across the country have considered bailment claims in the context of data security breaches and concluded that the scenario in which a person provides personally identifiable information to a business and the information is stolen does not give rise to bailment liability.” (citations omitted)); In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1177 (D. Minn. 2014); In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 903 F.Supp.2d 942, 974-75 (S.D. Cal. 2012); Richardson v. DSW, Inc., 2005 WL 2978755, at *4 (N.D. Ill. Nov. 3, 2005). But see Krupa v. TIC Int'l Corp., 2023 WL 143140, at *3-5 (S.D. Ind. Jan. 10, 2023).
The Plaintiffs seek to distinguish the cases that rejected their theory because the statutes at issue in those cases had a requirement to return the property to the bailor, whereas here the statute requires the bailee to “dispose of the property in conformity with the purpose of the trust.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 16-17); O.C.G.A. § 44-12-40. Even assuming the word “dispose” is broader than “return,” the Plaintiffs do not meet this requirement. The Plaintiffs do not allege any requirement-contractual or legal-that NextGen had to return, destroy, or otherwise dispose of the Plaintiffs' information within a certain period of time or upon the Plaintiffs' demand. Without such an allegation, the Plaintiffs fail to allege the basic requirements of a bailment under O.C.G.A. § 44-12-40. Count VI will therefore be dismissed.
E. Breach of Fiduciary Duty (Count VII)
The Plaintiffs assert a breach of fiduciary duty claim against NextGen. (Consolidated Class Action Compl. ¶¶ 436-47). “To state a claim for breach of fiduciary duty, [a plaintiff] must show (1) the existence of a fiduciary duty; (2) breach of that duty; and (3) damage proximately caused by the breach.” Ewing v. Scott, 366 Ga.App. 466, 472 (2023) (citation omitted). NextGen moves to dismiss this claim, arguing that NextGen did not owe a fiduciary duty to the Plaintiffs. The Court finds that dismissal is improper at this time.
“Fiduciary duties and obligations are owed by those in confidential relationships.” Atlanta Mkt. Ctr. Mgmt., Co. v. McLane, 269 Ga. 604, 606 (1998). Under Georgia law, a confidential relationship exists under two circumstances. First, a relationship is confidential where “one party is so situated as to exercise a controlling influence over the will, conduct, and interest of another.” O.C.G.A. § 23-2-58. Second, there is a confidential relationship “where, from a similar relationship of mutual confidence, the law requires the utmost good faith, such as the relationship between partners; principal and agent; guardian or conservator and minor or ward; personal representative or temporary administrator and heir, legatee, devisee, or beneficiary; trustee and beneficiary; and similar fiduciary relationships.” Id. “Such relationship may be created by law, contract, or the facts of a particular case.” Douglas v. Bigley, 278 Ga.App. 117, 120 (2006) (citation omitted). Because “a confidential relationship may be found whenever one party is justified in reposing confidence in another, the existence of [this] relationship is generally a factual matter for the jury to resolve.” Id. (citation omitted).
The Plaintiffs allege that “[a]s the business associate of its healthcare clients, and recipient of Plaintiffs' and Class Members' Private Information, NextGen has a fiduciary relationship with Plaintiffs and Class Members.” (Consolidated Class Action Compl. ¶ 439). NextGen contends that it lacked a direct relationship with the Plaintiffs and that the mere receipt and storage of confidential information does not create a fiduciary relationship. (Reply Br. in Supp. of Mot. to Dismiss, at 6-7). However, in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law. See Purvis, 563 F.Supp. at 1382-85. Whether or not the circumstances in the present case rise to that level is not a question that can be resolved in a motion to dismiss. Thus, the Court will not dismiss Count VII at this time.
F. Litigation Expenses (Count VIII)
The Plaintiffs seek litigation expenses pursuant to O.C.G.A. § 13-6-11. (Consolidated Class Action Compl. ¶¶ 448-59). That provision provides:
The expenses of litigation generally shall not be allowed as a part of the damages; but where the plaintiff has specially pleaded and has made prayer therefor and where the defendant has acted in bad faith, has been stubbornly litigious, or has caused the plaintiff unnecessary trouble and expense, the jury may allow them.O.C.G.A. § 13-6-11. The Plaintiffs pursue this claim under the “bad faith” prong of the statute. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 19-20). Under O.C.G.A. § 13-6-11, bad faith is “connected with the transaction and dealings out of which the cause of action arose, rather than bad faith in defending or resisting the claim after the cause of action has already arisen.'” In re Equifax, at 1345 (citation omitted). “Bad faith requires more than ‘bad judgment' or ‘negligence,' rather the statute imports a ‘dishonest purpose' or some ‘moral obliquity' and implies ‘conscious doing of wrong' and a ‘breach of known duty through some motive of interest of ill will.'” Lewis v. D. Hays Trucking, Inc., 701 F.Supp.2d 1300, 1313 (N.D.Ga. 2010) (citation omitted). NextGen argues that the Plaintiffs have failed to plausibly allege bad faith. (Reply Br. in Supp. of Mot. to Dismiss, at 7-8). The Court disagrees.
In In re Equifax, 362 F.Supp.3d at 1345, the court declined to dismiss a claim for litigation expenses under O.C.G.A. § 13-6-11 because “the Plaintiffs have alleged that the Defendants knew of severe deficiencies in their cybersecurity, and of serious threats, but nonetheless declined to act.” The Plaintiffs here make similar allegations. They allege that NextGen was subjected to a ransomware attack on January 17, 2023, two months before the breach at issue here. (Consolidated Class Action Compl. ¶ 53). They assert that the group that attacked NextGen in January 2023 promptly published a “proof pack” that showed they possessed the breached data. (Id. ¶ 54). Despite being aware of the vulnerability of its network, NextGen allegedly failed to implement adequate data security measures, such as encrypting its system. (Id. ¶¶ 63, 99, 450-51). The Court concludes that these allegations plausibly state a claim for litigation expenses premised on bad faith under O.C.G.A. § 13-6-11.
The only case that NextGen cites in support of its position is Peeples v. Caroline Container, LLC, 2019 WL 12338071, at *7 (N.D.Ga. Apr. 4, 2019). The case is inapposite. The court there found that “Plaintiff's negligence arguments are without merit, which forecloses any finding of bad faith, stubborn litigiousness, or unnecessary expense. Defendants cannot be sanctioned under O.C.G.A. § 13-6-11 for opposing what ultimately proves to be a baseless claim.” Id. By contrast, several of the claims asserted by the Plaintiffs here are continuing past the pleading stage. The Court cannot say at this time that any of those claims are “baseless.”
G. Georgia Uniform Deceptive Trade Practice Act (“GUDTPA”) (Count IX)
The Plaintiffs assert a GUDTPA claim against NextGen. (Consolidated Class Action Compl. ¶¶ 460-80). The GUDTPA states in relevant part:
The subsections reproduced here are the ones that the Plaintiffs allege NextGen violated. (Consolidated Class Action Compl. ¶¶ 462-63).
A person engages in a deceptive trade practice when, in the course of his business, vocation, or occupation, he:
...
(5) Represents that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities that they do not have or that a person has a sponsorship, approval, status, affiliation, or connection that he does not have; ...
(7) Represents that goods or services are of a particular standard, quality, or grade or that goods are of a particular style or model, if they are of another; [or] ...
(12) Engages in any other conduct which similarly creates a likelihood of confusion or of misunderstanding.O.C.G.A. § 10-1-372(a). Under the GUDTPA, “[a] person likely to be damaged by a deceptive trade practice of another may be granted an injunction against it under the principles of equity and on terms that the court considers reasonable.” O.C.G.A. § 10-1-373(a). A plaintiff must allege “a likelihood of future harm by a deceptive trade practice” to obtain an injunction under this statute. Amin v. Mercedes-Benz USA, LLC, 301 F.Supp.3d 1277, 1293 (N.D.Ga. 2018) (citation omitted). If the future harm alleged is hypothetical or based on mere speculation, it is insufficient to plausibly allege a claim under the GUDTPA. See Byung Ho Cheoun v. Infinite Energy, Inc., 363 Fed.Appx. 691, 695 (11th Cir. 2010). NextGen argues that the Plaintiffs have failed to meet this burden. (Def.'s Br. in Supp. of Mot. to Dismiss, at 17-18). The Court disagrees.
The Plaintiffs allege that NextGen continues to retain their private information after the Data Breach. (Consolidated Class Action Compl. ¶ 477). They assert facts that show repeated cyberattacks of the same company are common. (Id. ¶¶ 60-62). NextGen itself allegedly faced a data breach just two months before the Data Breach at issue here. (Id. ¶¶ 52-53). When NextGen sent a notice to the Plaintiffs informing them that their private information was accessed during the Data Breach, NextGen stated that it “took measures to contain the incident.” (Id. ¶ 46). However, the Plaintiffs state that NextGen did not specify how it fixed the root cause of the breach. (Id.). They further allege that NextGen failed to implement suitable data security measures following the previous breach, which could have prevented the Data Breach at issue here. (Id. ¶¶ 63, 106). The Plaintiffs assert that NextGen will continue to misrepresent the adequacy of their data security practices and systems in the future. (Id. ¶ 477).
The parties have not provided-and the Court has not found-any cases applying the GUDTPA to similar facts. However, courts have found allegations like these to be sufficient to plead non-speculative future harm in the context of the Declaratory Judgment Act. See, e.g., In re Arby's Rest. Grp. Inc. Litig., 2018 WL 2128441, at *15 (N.D.Ga. Mar. 5, 2018) (“Plaintiffs made specific allegations that they would be harmed without declaratory relief because Arby's has not taken steps to address their allegedly inadequate security system. This is enough to survive a motion to dismiss.” (citation omitted)); In re The Home Depot, Inc., Customer Data Sec. Breach Litig., 2016 WL 2897520, at *4 (N.D.Ga. May 18, 2016) (“The Plaintiffs have pleaded that the Defendant's security measures continue to be inadequate and that they will suffer substantial harm. The Plaintiffs have pleaded sufficient facts to survive a motion to dismiss regarding a future breach.” (citation omitted)). NextGen offers no basis to distinguish these cases nor any reason to find that the GUDTPA has a more stringent standard of showing non-speculative risk of future harm than the Declaratory Judgment Act. Looking at the well-pled allegations of the Consolidated Class Action Complaint, the Court concludes that the Plaintiffs plausibly allege that they are likely to suffer future harm.
The Court has found two data breach cases in which GUDTPA claims were raised, but the plaintiffs in those cases apparently did not make any factual allegations that they were at a greater risk of a future data breach as a result of the defendant's post-breach retention of private information. See Serveco N. Am., LLC v. Bramwell, 2023 WL 2583275, at *6 (N.D.Ga. Mar 20, 3023); Collins v. Athens Orthopedic Clinic, 356 Ga.App. 776, 779-80 (2020).
NextGen also contends that the Plaintiffs' GUDTPA claim should fail because they have not proven reliance. (Def.'s Br. in Supp. of Mot. to Dismiss, at 18-19). NextGen does not point to any language in the statute to demonstrate that the Plaintiffs must plausibly allege reliance. Instead, NextGen's argument is entirely dependent on Willingham v. Glob. Payments, Inc., 2013 WL 440702 (N.D.Ga. Feb. 5, 2013), an unadopted Report and Recommendation. There are at least two issues with NextGen's position. For starters, Willingham does not appear to state what NextGen claims it does. The court there said:
A plaintiff who demonstrates past harm, but does not allege ongoing or future harm, has not shown that he is likely to be damaged within the meaning of section 10-1-373(a). Plaintiffs have not pled that they read, relied upon and, thus, were harmed by Defendant's “representations” and, even if they could replead such facts, Plaintiffs could, at most, demonstrate only past harm which is not a basis for injunctive relief under the [G]UDTPA.Id. (alteration, quotation marks, and citation omitted). The Court reads this passage as asserting that the plaintiffs failed to state past or future harm and, even if they could amend their complaint to assert past harm, it would not fix the deficient allegation of future harm. This is far different than requiring all GUDTPA plaintiffs to plausibly allege reliance.
Furthermore, NextGen's position is incongruent with the nature of the GUDTPA. The GUDTPA provides a forward-looking remedy. See Moore-Davis Motors, Inc. v. Joyner, 252 Ga.App. 617, 619 (2001) (“[T]he sole remedy available under the [G]UDTPA is injunctive relief.”). Yet, NextGen seeks to require the Plaintiffs to demonstrate past reliance that led to the Plaintiffs' harm. If the Plaintiff can show-as the statute requires-that they are likely to be damaged by a deceptive trade practice in the future and that the principles of equity permit an injunction, it strikes the Court as puzzling to require them to also plausibly allege past reliance that led to harm. At the very least, the Court will not glean such a requirement from a strained reading of an unadopted Report and Recommendation. Accordingly, NextGen's Motion to Dismiss is denied with respect to Count IX.
H. California Customer Records Act (“CRA”) (Count XI)
NextGen moves to dismiss the California Plaintiffs' CRA claim on the grounds that the California Plaintiffs were not “customers” under the terms of the CRA and that the Plaintiffs failed to assert any injury resulting from the alleged delay in notifying the Plaintiffs of the breach. The Court agrees that the California Plaintiffs were not “customers” of NextGen under the CRA's definition.
The named California Plaintiffs are Corina Alvarado and Elizabeth Appleton.
The CRA requires those who conduct business in California and own or license computerized data containing personal information to disclose a breach of the security of their system to certain affected California residents. Cal. Civ. Code § 1798.82(a). “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” Id. “Any customer injured by a violation of this title may institute a civil action to recover damages.” Cal. Civ. Code § 1798.84(b). The CRA defines a “customer” as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.” Cal. Civ. Code § 1798.80(c).
The California Plaintiffs do not fit within the CRA's definition of “customer.” In In re Waste Mgmt. Data Breach Litig., the court held that the plaintiffs were not “customers” under the CRA because the complaint did “not allege that the plaintiffs provided their PII to Waste Management in exchange for a product or service. Instead, it allege[d] that they were required to give Waste Management their PII as part of their employment.” In re Waste Mgmt., 2022 WL 561734, at *7 (S.D.N.Y. Feb. 24, 2022) (citation omitted). Similarly here, the California Plaintiffs did not provide their private information to NextGen in exchange for NextGen's software or services. (Consolidated Class Action Compl. ¶¶ 156, 165). Rather, they were required to do so as patients of their healthcare providers. (Id.).
The cases to which the Plaintiffs cite do not demand a different result. In Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 924-25 (S.D. Cal. 2020), the court denied a motion to dismiss a CRA claim, but the only issue regarding the CRA that the court addressed was whether there was an unreasonable delay in notifying the plaintiffs of the breach. The California Plaintiffs are correct that the CRA claim was allowed to proceed after the court stated that the Stasi plaintiffs “were not Inmediata's customers or otherwise in privity with Inmediata.” Id. at 915. However, that quote was in the court's discussion of the plaintiffs' negligence claim. Id. It cannot be inferred that the court was using the CRA's definition of “customer” during its negligence analysis. At bottom, there was no discussion whatsoever about whether the plaintiffs in Stasi were “customers” under the CRA. Id. at 924-25. The case therefore does not provide any basis for holding that the California Plaintiffs fall under the statutory definition of “customer.”
Even making the tremendous assumptions that (1) the Stasi court held in its negligence analysis that the plaintiffs were not “customers” under the CRA, (2) the defendant raised the argument that the CRA claim should be dismissed because the plaintiffs were not “customers”, and (3) the Stasi court rejected that argument without saying a word on the subject, the Court would simply not follow the case. Since Cal. Civ. Code § 1798.84(b) only provides a cause of action to a “customer,” such a ruling would be contrary to the plain text of the statute.
Similarly unavailing is In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573 (N.D. Ill. 2022). The defendants in that case were “a leading insurance brokerage, risk management, and HR & benefits company” and “a third-party administrator and claims manager.” Id. at 581. The plaintiffs whose claims were not dismissed provided the defendants their information when they filed worker compensation claims and the defendants were acting as the third-party administrator. Id. at 594. Since the plaintiffs provided their information in order to obtain the defendants' services, the court found that the plaintiffs qualified as “customers” under the CRA. Id. Unlike that case, the California Plaintiffs here “do not fall within [the CRA's] definition because they did not obtain products or services from the Defendant.” In re The Home Depot, 2016 WL 2897520, at *5. Thus, NextGen's Motion to Dismiss is granted with respect to Count XI.
There were two plaintiffs in the case whose CRA claims were dismissed because they were not “customers.” In re Gallagher Data Breach Litig., 631 F.Supp.3d at 593-94. One provided her information in the course of her employment. Id. at 593. The other did not “know how his PII and/or PHI became compromised during the Data Breach; he ple[d] only that he entrusted his PII and/or PHI to Defendants, ‘possibly through a third-party that provided human resources services to Prolacta.'” Id. at 593-94. These plaintiffs are more similar to the California Plaintiffs than the plaintiffs whose claims survived the motion to dismiss are.
I. California Unfair Competition Law (“UCL”) (Count XII)
The California Plaintiffs also raise a UCL claim against NextGen. “California's UCL prohibits unfair competition by means of any unlawful, unfair or fraudulent business practice.” Birdsong v. Apple, Inc., 590 F.3d 955, 959 (9th Cir. 2009) (citation omitted). “Each prong of the UCL is a separate and distinct theory of liability.” Kearns v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009) (citation omitted). In other words, “unlawful” business practices, “unfair” business practices, and “fraudulent” business practices are each independent bases for relief. See id. NextGen moves to dismiss this claim for various reasons.
i. UCL Standing
First, NextGen argues that the California Plaintiffs do not have standing to assert a UCL claim. (Def.'s Br. in Supp. of Mot. to Dismiss, at 22). To have standing under the UCL, “plaintiffs must establish that they (1) suffered an injury in fact and (2) lost money or property as a result of the unfair competition.” Birdsong, 590 F.3d at 959 (citations omitted). “A plaintiff's personal information does not constitute property under the UCL.” In re Facebook Privacy Litig., 791 F.Supp.2d 705, 714 (N.D. Cal. 2011) (quotation marks and citation omitted). Nor does time spent monitoring and repairing one's credit after a breach occurs. See Ruiz v. Gap Inc., 2009 WL 250481, at *3 (N.D. Cal. Feb. 3, 2009). “But payments toward enhanced credit monitoring that arise from a data breach and that are not reimbursed do constitute economic injury, sufficient to confer UCL standing.” Huynh v. Quora, Inc., 508 F.Supp.3d 633, 661 (N.D. Cal. 2020) (quotation marks omitted) (compiling cases). Here, Plaintiff Alvarado failed to allege any payments for enhanced credit monitoring or other economic injury. (See Consolidated Class Action Compl. ¶¶ 155-63). Therefore, she does not have UCL standing, and the claim is dismissed with respect to her.
Because economic injury is necessary to assert a UCL claim, standing under the UCL is “substantially narrower than federal standing under article III, section 2 of the United States Constitution.” Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 324 (2011) (citations omitted).
By contrast, Plaintiff Appleton alleged that she was charged $24.99 for the Experian credit monitoring that NextGen claimed it would be offering for free. (Id. ¶ 169). NextGen argues that Plaintiff Appleton is attempting to manufacture standing by paying for the service and cites to Davis v. HSBC Bank Nev., N.A., 691 F.3d 1152 (9th Cir. 2012), for support. (Reply Br. in Supp. of Mot. to Dismiss, at 13). NextGen's argument is woefully inadequate. First, the discussion in Davis was not about standing at all; it was about whether the plaintiff alleged an “unlawful” business practice under Section 5 of the Federal Trade Commission Act. Davis, 691 F.3d at 1168. Second, the court found that the harm there was reasonably avoidable because multiple forms discussed the annual fee at issue and there was an opportunity to close the account without incurring the fee. Id. at 1168-69. Here, NextGen offered a free credit monitoring service, Plaintiff Appleton enrolled in it, and she was charged for it anyway. There is nothing to suggest that this charge was foreseeable and avoidable. The Court therefore finds that Plaintiff Appleton has standing to assert a UCL claim.
ii. Fraud Prong
NextGen argues that Plaintiff Appleton fails to sufficiently allege a claim under the UCL's fraudulent business practice prong. (Def.'s Br. in Supp. of Mot. to Dismiss, at 23). Federal Rule of Civil Procedure 9(b)'s heightened pleading standards apply to this claim. Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009). Because Plaintiff Appleton's claim is based on an alleged omission, the heightened standard is “somewhat relaxed.” Motich v. Miele USA, Inc., 849 F.Supp.2d 439, 451 (D.N.J. 2012); see also In re Anthem, 2016 WL 3029783, at *35 (N.D. Cal. May 27, 2016) (“In most cases, a plaintiff in a fraud by omission suit will not be able to specify the time, place, and specific content of an omission as precisely as would a plaintiff in a false representation claim.” (quotation marks and citations omitted)). However, simply alleging fraud by omission does not absolve a plaintiff of the necessity to plead with particularity. See Kearns, 567 F.3d at 1127 (“Because the Supreme Court of California has held that nondisclosure is a claim for misrepresentation in a cause of action for fraud, it (as any other fraud claim) must be pleaded with particularity under Rule 9(b). Therefore, Kearns's contention that his nondisclosure claims need not be pleaded with particularity is unavailing.”).
This argument and the following argument were addressed toward both California Plaintiffs. However, since the Court has ruled that Plaintiff Alvarado does not have UCL standing, the Court will not analyze her claim any further.
Here, Plaintiff Appleton fails to adequately plead reliance. “To prove reliance in a fraudulent omission case, Plaintiff must establish that ‘had the omitted information been disclosed, [she] would have been aware of it and behaved differently.'” Montich, 849 F.Supp.2d at 451 (quoting Mirkin v. Wasserman, 5 Cal.4th 1082, 1093 (1993)). For example, in MacDonald v. Ford Motor Co., 37 F.Supp.3d 1087, 1096 (N.D. Cal. 2014), “Plaintiffs adequately allege[d] the ‘who what when and how,'” for their fraudulent omission claim. “In short, the ‘who' [wa]s Ford, the ‘what' [wa]s its knowledge of a defect, the ‘when' [wa]s prior to the sale of Class Vehicles, and the ‘where' [wa]s the various channels of information through which Ford sold Class Vehicles.” Id. The court in Marolda v. Symantec Corp., 672 F.Supp.2d 992, 1002 (N.D. Cal. 2009), required even more rigorous allegations. It dismissed a fraud-by-omission claim for a particular transaction because the plaintiff did not “describe the content of the omission and where the omitted information should or could have been revealed, as well as provide representative samples of advertisements, offers, or other representations that plaintiff relied on to make her purchase and that failed to include the allegedly omitted information.” Id.
“As other courts have recognized, the Marolda requirements are not necessarily appropriate for all cases alleging a fraudulent omission.” Velasco v. Chrysler Grp. LLC, 2014 WL 4187796, at *4 (C.D. Cal. Aug. 22, 2014) (citation omitted). Even if they do not apply here, Plaintiff Appleton has failed to plausibly allege reliance. Namely, Plaintiff Appleton has not pled the “where” or “how” of NextGen's alleged omission. Unlike the cases that she cites, Plaintiff Appleton does not allege any direct interaction between herself and NextGen. See, e.g., In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d 1284, 1293 (S.D. Cal. 2020) (“Defendant Solara is a direct-to-consumer supplier of medical devices related to the care of diabetes as well as a registered pharmacy in the state of California.”); In re Anthem, 2016 WL 3029783, at *2 (“According to Plaintiffs, both the Anthem and Non-Anthem Defendants promised their members that their PII would be protected through privacy notices, online website representations, and other advertising.”); Collins v. eMachines, Inc., 202 Cal.App.4th 249, 253 (2011) (describing allegations that defendants marketed and sold defective computers to the plaintiffs). Plaintiff Appleton does not allege that she talked with any agent or employee of NextGen, viewed any advertisements by NextGen, bought any products or services from NextGen, or otherwise received any representations from NextGen's “various channels of information.” MacDonald, 37 F.Supp.3d at 1096. Rather, she alleges that she was a patient at a healthcare provider, and the provider required her to entrust NextGen with her private information. (Consolidated Class Action Compl. ¶ 165).
Given that Plaintiff has not alleged any direct interactions with NextGen, the Court cannot reasonably infer “that had the omitted information been disclosed, [she] would have been aware of it and behaved differently.” Montich, 849 F.Supp.2d at 451 (emphasis added) (quotation marks and citation omitted); see also Ehrlich v. BMW of N. Am., LLC, 801 F.Supp.2d 908, 919-20 (C.D. Cal. 2010) (“Plaintiff does not allege that, before he bought his MINI, he reviewed any brochure, website, or promotional material that might have contained a disclosure of the cracking defect ...the Court agrees with BMW that the FAC is devoid of allegations that Plaintiff would have plausibly been aware of the cracking defect before he purchased his MINI had BMW publicized this information.” (citation omitted)). While the Court agrees with NextGen regarding reliance, this argument only applies to the fraudulent practice prong. NextGen does not argue that Plaintiff Appleton failed to plausibly plead unlawful or unfair business practices. As such, the Court does not reach those issues. Since a plaintiff need only plausibly allege one prong of the UCL, Plaintiff Appleton's claim survives, and the Court will move on to the final objection.
iii. Remedies
The two types of remedies recoverable under the UCL are injunctive relief and restitution. In re Sony Gaming., 903 F.Supp.2d at 970. NextGen contends that Plaintiff Appleton failed to plausibly allege that she is entitled to either. (Def.'s Br. in Supp. of Mot. to Dismiss, at 24-25). Starting with injunctive relief, NextGen argues that Plaintiff Appleton failed to allege an inadequate remedy at law and pursues monetary damages in other counts. (Id. at 24). It is true that a plaintiff “must establish that she lacks an adequate remedy at law before securing equitable restitution for past harm under the UCL.” Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020). However, this matter is at the pleading stage and the Court is persuaded that plaintiffs are permitted to seek alternative remedies at this time. See, e.g., Collyer v. Catalina Snacks Inc., 2024 WL 202976, at *7 (N.D. Cal. Jan. 18, 2024) (compiling cases); Bolling v. Mercedes-Benz USA, LLC, 2024 WL 371876, at *20 (N.D.Ga. Jan. 30, 2024); Wildin v. FCA U.S. LLC, 2018 WL 3032986, at *7 (S.D. Cal. June 19, 2018). Plaintiff Appleton and the California Subclass request “all monetary and non-monetary relief allowed by law,” including various forms of equitable relief. (Consolidated Class Action Compl. ¶ 518). The Court finds this allegation is sufficient at this stage to plead equitable relief at this stage.
NextGen also asserts that Plaintiff Appleton cannot recover restitution under the UCL because NextGen did not benefit from the breach. (Def.'s Br. in Supp. of Mot. to Dismiss, at 24). However, Plaintiff Appleton alleges that she and the putative subclass members lost money and property in the form of, inter alia, costs passed through to NextGen from their healthcare providers. (Consolidated Class Action Compl. ¶ 516). Allegations that a defendant accepted payment to securely keep data and then failed to take reasonable security measures is sufficient to state a claim for restitution. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *31 (N.D. Cal. Aug. 30, 2017). Moreover, the fact that Plaintiff Appleton conferred the money to NextGen indirectly does not doom the claim. See, e.g., In re Anthem, 2016 WL 3029783, at *32; Troyk v. Farmers Grp., Inc., 171 Cal.App.4th 1305, 1339 (2009) (“For a benefit to be conferred, it is not essential that money be paid directly to the recipient by the party seeking restitution.” (citations omitted)). Therefore, the Court will not dismiss Plaintiff Appleton's UCL claim.
J. California Consumers Legal Remedies Act (“CLRA”) (Count XIII)
NextGen moves to dismiss the California Plaintiffs' CLRA claim. The California Plaintiffs' claim requires a showing of reliance. See Ehrlich, 801 F.Supp.2d at 919; Buckland v. Threshold Enters., Ltd., 155 Cal.App.4th 798, 810 (2007) (“In view of Caro, plaintiffs asserting CLRA claims sounding in fraud must establish that they actually relied on the relevant representations or omissions.” (citation omitted)), disapproved ofon other grounds by Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 337 (2011). For the reasons discussed above, the California Plaintiffs have failed to do so. Therefore, Count XIII should be dismissed.
Plaintiff Alvarado does not make any allegations that meaningfully differentiate her claim from Plaintiff Appleton's as it relates to reliance. (Compare Consolidated Class Action Compl. ¶¶ 155-63 with id. ¶¶ 164-73).
K. California Consumer Privacy Act (“CCPA”) (Count XIV)
The final count asserted by the California Plaintiffs is their CCPA claim. (Consolidated Class Action Compl. ¶¶ 532-50). NextGen moves to dismiss this claim, arguing that the California Plaintiffs do not have a private right of action. (Def.'s Br. in Supp. of Mot. to Dismiss, at 27). The Court disagrees and declines to dismiss the count.
The CCPA provides that “[a]ny consumer whose nonencrypted and nonredacted personal information...is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Cal. Civ. Code § 1798.150(a)(1) (emphasis added). NextGen argues that it is a “service provider” under the CCPA and that the California Plaintiffs lack a cause of action as a result. (Def.'s Br. in Supp. of Mot. to Dismiss, at 27).
Regardless of whether NextGen is a “service provider,” the CCPA provides a cause of action against businesses, so the crucial question is whether NextGen fits under the statutory definition of a “business.” The CCPA defines a “business” as:
There appears to be disagreement as to whether “business” and “service provider” are mutually exclusive categories. Compare Karter v. Epiq Sys., Inc., 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021) (“Plaintiff can only state a claim against Defendants if they are businesses, not service providers.”) with In re Blackbaud, Inc., Customer Data Breach Litig., 2021 WL 3568394, at 5-6 (D.S.C. Aug. 12, 2021) (“Because Blackbaud could be both a ‘service provider' and a ‘business' under the CCPA, it would not be insulated from liability under the CCPA if it qualified as a ‘service provider.'”). The Court does not find it necessary to wade into this question because either way the dispositive issue is the same: whether NextGen is a “business” under the CCPA.
A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and [meets a revenue or customer base threshold.Cal. Civ. Code § 1798.140(d)(1). Thus, for an entity to be a “business” under the CCPA, it must: “(1) collect PII and (2) determine why and how (‘the purposes and means') the PII should be processed.” In re Accellion, 2024 WL 333893, at *10 (N.D. Cal. Jan. 29, 2024) (citation omitted).
The California Plaintiffs plead one of the revenue thresholds when it alleges that “NextGen is a corporation ... with annual gross revenues over $25 million.” (Consolidated Class Action Compl. ¶ 535). NextGen does not challenge this allegation as insufficient.
For the first requirement, the CCPA defines “collects” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.” Cal. Civ. Code § 1798.140(f). The California Plaintiffs allege that NextGen “undertook to collect, store, and securely maintain” the private information of millions of patients. (Consolidated Class Action Compl. ¶¶ 28, 51, 70, 73). Given the CCPA's “broad understanding of ‘collects,'” the Court finds this is sufficient to plausibly allege that NextGen collects private information. In re Accellion, 2024 WL 333893, at *10.
Turning to the second requirement-that the entity must determine why and how the private information should be processed-the CCPA defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.” Cal. Civ. Code § 1798.140(y). The California Plaintiffs allege that “NextGen uses consumers' personal data... to develop, improve, and test Nextgen's services.” (Consolidated Class Action Compl. ¶ 537). Using the consumers' personal data in such a way is sufficient to satisfy the second requirement. See In re Blackbaud, 2021 WL 3568394, at *5. NextGen argues that the California Plaintiffs' claim is more similar to In re Accellion, stating “NextGen Healthcare has no input or interaction with Plaintiffs' data other than to store it, making it a service provider under the CCPA.” (Reply Br. in Supp. of Mot. to Dismiss, at 18). However, the California Plaintiffs' allegations state otherwise, and the Court must accept them as true at this stage of the litigation. Doing so, the Court finds that NextGen qualifies as a “business” under the CCPA and denies NextGen's Motion to Dismiss as to Count XIV.
L. Illinois Personal Information Protection Act (“PIPA”) (Count XV)
Plaintiff Bailey, individually and on behalf of the putative Illinois subclass, asserts a violation of PIPA for NextGen's alleged failure to provide notification without unreasonable delay. (Consolidated Class Action Compl. ¶¶ 551-58). NextGen moves to dismiss the claim for multiple reasons.
First, NextGen contends that Plaintiff Bailey cannot assert this claim because PIPA does not provide a private right of action. (Def.'s Br. in Supp. of Mot. to Dismiss, at 29). NextGen is correct that PIPA does not provide an independent private cause of action. See Best v. Malec, 2010 WL 2364412, at *7 (N.D. Ill. June 11, 2010). However, a violation of PIPA constitutes an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), which in turn provides a private cause of action. 815 Ill. Comp. Stat. 530/20; 815 Ill. Comp. Stat. 505/2Z; 815 Ill. Comp. Stat. 505/10a(a). The cases to which NextGen cites do not stand for the proposition that private parties never have standing to sue for violations of PIPA. Rather, both of them dismissed the count for failure to plausibly allege a particular element of the claim. Best, 2010 WL 2364412, at *7 (dismissing claim brought against municipality when the ICFA excludes municipalities from its definition of “persons” who may be sued); In re SuperValu, Inc., Customer Data Sec. Breach Litig., 2018 WL 1189327, at *16 (D. Minn. Mar. 7, 2018) (dismissing claim for failure to allege actual damages). Thus, whether Plaintiff Bailey may assert this claim depends on whether she has plausibly alleged a violation of PIPA and otherwise meets the requirements of the ICFA.
That brings the Court to the next issue. NextGen argues that Plaintiff Bailey cannot assert any claim under the ICFA because she did not allege any conduct that occurred in Illinois. (Def.'s Br. in Supp. of Mot. to Dismiss, at 28). Plaintiff Bailey responds by citing to Israel Travel Advisory Serv., Inc. v. Israel Identity Tours, Inc., 1993 WL 239051, at *7 (N.D. Ill. June 28, 1993), to support the statement that “courts have always recognized that Illinois residents have standing to bring an ICFA claim, regardless of where the violation occurs.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 37). However, after Israel Travel Advisory Serv., Inc. was decided, the Supreme Court of Illinois ruled that the ICFA does not have extraterritorial effect. Avery v. State Farm Mut. Auto. Ins. Co., 216 Ill.2d 100, 185 (2005) (“[W]e conclude that the General Assembly did not intend the Consumer Fraud Act to apply to fraudulent transactions which take place outside Illinois.”). In doing so, the Supreme Court of Illinois held that “a plaintiff may pursue a private cause of action under the Consumer Fraud Act if the circumstances that relate to the disputed transaction occur primarily and substantially in Illinois.” Id. at 187.
Plaintiff Bailey contends that “the question of whether the wrongful conduct occurred primarily and substantially in Illinois only applies to residents outside of Illinois; it does not apply to Illinois residents.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 37). However, the only support she provides for her position is Israel Travel Advisory Serv., Inc., which was decided before the test was created, and the text of the statute that Avery was interpreting. (Id. at 37-38). Furthermore, while Avery involved non-resident plaintiffs, there is no language in the opinion that purports to categorically exclude Illinois residents from the decision's ambit. To the contrary, the court “recognize[d] that there is no single formula or bright-line test for determining whether a transaction occurs within this state. Rather, each case must be decided on its own facts.” Avery, 216 Ill.2d at 187. The court then considered the following nine factors:
(1) the claimant's residence; (2) the defendant's place of business; (3) the location of the item that was the subject of the transaction; (4) the location of the claimant's contacts with the defendant; (5) where the contracts at issue were executed; (6) the contract's choice of law provisions; (7) where the deceptive statements were made; (8) where payments for
services where sent; and (9) where complaints were to be directed.The Clearing Corp. v. Fin. & Energy Exch. Ltd., 2010 WL 2836717, at *6 (N.D. Ill. July 16, 2010) (citing Avery, 216 Ill.2d at 187-89).
The problem with Plaintiff Bailey's claim is that she has failed to allege where any of the events at issue took place. (See Consolidated Class Action Compl. ¶¶ 183-191, 551-558). The only geographic information alleged is (1) that Plaintiff Bailey is and at all relevant times was an Illinois citizen, (2) NextGen is a Delaware corporation with its principal place of business in Georgia, and (3) a substantial part of the conduct giving rise to the Plaintiffs' claims occurred in the Northern District of Georgia. (Id. ¶¶ 12, 27, 183). Thus, the only alleged connection between the PIPA claim and the state of Illinois is Plaintiff Bailey's Illinois citizenship. That alone is insufficient to maintain a private cause of action under the ICFA. See Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 773-74 (C.D. Ill. 2020) (dismissing an ICFA claim despite the plaintiff being an Illinois resident because the “disputed transaction occurred in Kansas, not Illinois.”). Since Plaintiff Bailey's PIPA claim depends on her having a cause of action under the ICFA and since she fails to allege that the events underlying her claim occurred primarily and substantially in Illinois, Count XV should be dismissed.
It would be pure speculation to assume from Plaintiff Bailey's Illinois citizenship that the relevant events took place in Illinois. The Court cannot and will not engage in such conjecture.
M. ICFA (Count XVI)
Plaintiff Bailey, individually and on behalf of the putative Illinois subclass, brings a standalone claim under the ICFA based on NextGen's allegedly deceptive, unfair, and unlawful trade practices. (Consolidated Class Action Compl. ¶¶ 559-70). The allegations specific to this count do not provide any more detail about where the events giving rise to the claim occurred. (See id.). Accordingly, Count XVI should be dismissed for the same reason as Count XV.
N. Illinois Uniform Deceptive Trade Practices Act (“IUDTPA”) (Count XVII)
The last count asserted by Plaintiff Bailey individually and on behalf of the putative Illinois subclass is the IUDTPA claim. The reasoning in Avery has been repeatedly applied to IUDTPA claims. See, e.g., Underground Sols., Inc. v. Palermo, 2014 WL 4703925, at *10 (N.D. Ill. Sept. 22, 2014) (compiling cases); Int'l Equip. Trading, Ltd. V. Illumina, Inc., 312 F.Supp.3d 725, 732-33 (N.D. Ill. 2018). The count-specific allegations here likewise do not plead any additional facts about where the underlying events took place. (See Consolidated Class Action Compl. ¶¶ 571-78). Consequently, this count will also be dismissed for failure to plausibly allege a sufficient nexus to Illinois.
O. Iowa Private Information Security Breach Protection Law (“IPISBPL”) (Count XVIII)
Plaintiff Kerr, individually, on behalf of J.K., and on behalf of the putative Iowa subclass, alleges that NextGen violated the IPISBPL. (Consolidated Class Action Compl. ¶¶ 579-87). NextGen argues that the claim should be dismissed because Plaintiff Kerr does not adequately plead an injury. (Def.'s Br. in Supp. of Mot. to Dismiss, at 35-36). The Court agrees.
The IPISBPL requires a plaintiff to plead an injury resulting from the delayed notification. See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2023 WL 6216542, at * 7 (D.N.J. Sept. 21, 2023). Plaintiff Kerr contends that the Consolidated Class Action Complaint does so. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 44-45). Specifically, she points to the following allegation: “By waiting nearly a month to disclose the Data Breach and by downplaying the risk of misuse, NextGen prevented victims from taking meaningful, proactive, and targeted mitigation measures to secure their Private Information and accounts.” (Consolidated Class Action Compl. ¶ 290). Plaintiff Kerr then cites to In re Equifax to argue that this allegation is sufficient at this stage of litigation. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 44-45).
However, Plaintiff Kerr's argument is untenable. First, Plaintiff Kerr does not allege any unauthorized charges, identity theft, fraud, or other harmful event that conceivably occurred during the delay in notification and could have been prevented had there been proper notification. Instead, she alleges she has suffered from the dissemination of her child's private information to unauthorized parties and from the risk of future harm stemming from that. (Consolidated Class Action Compl. ¶ 198). However, “privacy injuries that [arise] only from the data breach itself” are not sufficient to state a claim under the IPISBPL because the “delayed notification [has] no bearing on” whether unauthorized parties accessed the plaintiff's private information. In re Am. Med. Collection Agency, 2023 WL 6216542, at *7.
Plaintiff Kerr attempts to distinguish In re Am. Med. Collection Agency because “unlike here, the Am. Med. plaintiffs merely alleged that their information was available on the dark web.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 44 n. 8). It is unclear what additional information alleged in this case Plaintiff Kerr is suggesting nudges her claim further. She could be referring to her allegation that she will suffer ongoing harm and risk of future harm. That would be unpersuasive since NextGen notified Plaintiff Kerr of the breach approximately a year ago. (Consolidated Class Action Compl. ¶ 194). Plaintiff Kerr has provided no reason why harm that occurs so long after the notification would be the result of the delay rather than the breach itself. Plaintiff Kerr could also be referring to the allegation that the delay prevented her from taking mitigation measures to secure her child's information. (Id. ¶ 290). Yet, “[a] mere statement that plaintiffs could have done something to mitigate their injuries is insufficient to allege...damages.” Fox v. Iowa Health Sys., 399 F.Supp.3d 780, 799 (W.D. Wis. 2019). Thus, because Plaintiff Kerr does “not explain how [she] would have suffered less damages had [NextGen] notified [her] sooner, the court will dismiss” her IPISBPL claim. Id.
This quote comes from the misrepresentation discussion in Iowa Health System. When the court later discusses the IPISBPL claim, it stated “just as plaintiffs have failed to allege any damages that were caused by the misrepresentations in the breach notifications, they have failed to allege any damages that were caused by the timing of the notifications.” Iowa Health Sys., 399 F.Supp.3d at 801. Therefore, the court incorporated the same reasoning into the IPISBPL analysis.
Regarding Plaintiff Kerr's cited authorities, neither In re Equifax nor In re Target contradicts the above analysis. In those cases, the defendants challenged the alleged injury because it was not clear from the complaints that they took place during the delay. In re Equifax, 362 F.Supp.3d at 1343; In re Target, 66 F.Supp.3d at 1166. The courts reasoned that discovery was necessary to deduce who was entitled to the alleged damages and who was not. Id. Here, as explained above, Plaintiff Kerr has not alleged any damages that could have conceivably occurred because of the delay in receiving the notification.
P. Maine Unfair Trade Practices Act (“MUTPA”) (Count XIX)
Plaintiff Miller, individually and on behalf of the putative Maine subclass, asserts a MUTPA claim against NextGen. (Consolidated Class Action Compl. ¶¶ 588-97). NextGen moves to dismiss the count, and the Court agrees.
NextGen's first argument for dismissal is that Plaintiff Miller fails to adequately allege reliance. (Def.'s Br. in Supp. of Mot. to Dismiss, at 36-37). Plaintiff Miller responds by stating that he need not allege that he relied on an affirmative misrepresentation; rather, “[a] plaintiff need only allege omissions were likely to deceive, and she would have acted differently had she known the truth.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 46) (citations omitted). The Court agrees that there need not be an affirmative misrepresentation to state a MUTPA claim. See State v. Weinschenk, 868 A.2d 200, 206 (Me. 2005) (“An act or practice is deceptive if it is a material representation, omission, act or practice that is likely to mislead consumers acting reasonably under the circumstances.” (citation omitted)). However, a plaintiff must still rely on the alleged omission. Yet, similar to the California Plaintiffs, Plaintiff Miller does not allege that he had any direct interactions with or observed any representations made by NextGen prior to receiving the relevant healthcare services. (See Consolidated Class Action Compl. ¶¶ 201-10; 588-97). Without any such allegation, the Court cannot find that Plaintiff Miller relied on NextGen's omission. Count XIX will therefore be dismissed for failure to plausibly plead that NextGen's omissions caused Plaintiff Miller's (or the putative subclass's) injury.
The Maine courts have not listed “reliance explicitly as an element of a UTPA claim,” but “reliance and causation are related concepts” and “often intertwined.” Sanford v. Nat'l Ass'n for the Self Employed, Inc., 264 F.R.D. 11, 16 (D. Me. 2010) (citation omitted). The Sanford court went on to say, “it is not possible for members of the class to prove that deceptive or misleading statements caused them damage unless they show that they relied on the statements. If they did not rely, they could not have been harmed by them, and the statements, while deceptive and unfair, cannot establish a violation of the UTPA for which a private plaintiff can seek a damage remedy.” Id. (citation omitted). While Sanford was a class certification decision involving affirmative misrepresentations, pleading causation is necessary at this stage even for omissions. Plaintiff Miller seems to accept as much by stating that omissions (1) must be “likely to deceive” and (2) would cause a plaintiff to “act[] differently had she known the truth.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 46).
Q. Maine Uniform Deceptive Trade Practices Act (“MUDTPA”) (Count XX)
Plaintiff Miller, also individually and on behalf of the putative Maine subclass, alleges a violation of MUDTPA. (Consolidated Class Action Compl. ¶¶ 598-608). NextGen moves to dismiss the claim, arguing that NextGen did not make any misrepresentations to Plaintiff Miller and that MUDTPA does not have extraterritorial application. (Def.'s Br. in Supp. of Mot. to Dismiss, at 38-39). NextGen also seeks to dismiss Plaintiff Miller's request for monetary damages. (Id. at 39). Because the Court finds that Plaintiff Miller has not adequately pled events that took place in Maine, the Court dismisses Count XX.
Like the IUDTPA, the MUDTPA does not have extraterritorial application. See Marshall v. Scotia Prince Cruises Ltd., 2003 WL 22709076, at *7 (D. Me. Nov. 17, 2003). Similar to the Illinois Plaintiffs, Plaintiff Miller makes allegations that he is a Maine citizen, that NextGen is a Delaware corporation with its principal place of business in Georgia, and that a substantial part of the events in this case occurred in the Northern District of Georgia. (Consolidated Class Action Compl. ¶¶ 12, 27, 201). For the reasons explained above, those allegations are insufficient to plausibly allege that the violations took place in Maine. That is not the end of the analysis, however, because Plaintiff Miller makes an additional allegation that “NextGen advertised, offered, or sold goods or services in Maine and engaged in trade or commerce directly or indirectly affecting the people of Maine.” (Id. ¶ 600).
While there does not appear to be a state court decision addressing this issue, Plaintiff Miller does not contest the point. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 49) (refuting that Plaintiff Miller is “claiming that the MUDTPA applies extraterritorially”).
The Court does not find this to be sufficient. In Marshall, the court stated that “[t]he fact that the courts of Maine have jurisdiction over the defendant has no effect whatsoever on . . . whether any alleged violations of the Act took place in Maine.” Marshall, 2003 WL 22709076, at *6. That is because the relevant question is where the alleged violations occurred, not whether the defendant has sufficient contacts with Maine. Plaintiff Miller fails to allege any violations that occurred in Maine. He does not plead that he provided NextGen his private information in Maine, nor that he bought any goods or services from NextGen in Maine, nor that he saw any of NextGen's advertisements in Maine. Thus, the Court concludes that Plaintiff Miller has not plausibly pled that any alleged violations occurred in Maine. The Count is dismissed for that reason.
R. New Jersey Customer Security Breach Disclosure Act (“CSBDA”) (Count XXI)
The New Jersey Plaintiffs assert a CSBDA claim against NextGen. In its Motion to Dismiss, NextGen argues the count should be dismissed for lack of private right of action and for failure to allege an ascertainable loss. The claim should be dismissed because the New Jersey Plaintiffs lack a right of action. NextGen is correct that the CSBDA does not expressly provide a private right of action. N.J. Stat. Ann. § 56:8-163, et seq.; see also Holmes v. Countrywide Fin. Corp., 2012 WL 2873892, at *13 (W.D. Ky. July 12, 2012). The New Jersey Plaintiffs rely on In re Equifax to assert that they have a private right of action through the NJCFA. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 50). However, as explained below, the New Jersey Plaintiffs lack statutory standing under the NJCFA, so they cannot avail themselves of its private right of action. The Court therefore dismisses Count XXI.
The named New Jersey Plaintiffs are Rosa Akhras, Srikanth Alturi, and Scott Phillips. They bring this claim and the next claim individually and on behalf of the putative New Jersey subclass.
S. New Jersey Consumer Fraud Act (“NJCFA”) (Count XXII)
The second claim that the New Jersey Plaintiffs allege is an NJCFA claim. (Consolidated Class Action Compl. ¶¶ 618-27). However, NextGen persuasively argues that the New Jersey Plaintiffs are not “consumers” under the NJCFA. As a result, they cannot assert an NJCFA claim.
“It is well-settled law that one must be a ‘consumer' in order to sue under [the NJCFA].” Conte Bros. Auto., Inc. v. Quaker State-Slci 50, Inc., 992 F.Supp. 709, 716 (D.N.J. 1998) (citation omitted). “A plaintiff does not qualify as a ‘consumer' if they do not purchase a product for consumption.” In re Blackbaud, 2021 WL 3568394, at *11 (citations omitted); see also Specialty Ins. Agency v. Walter Kaye Assocs., Inc., 1989 WL 120752, at *5 (D.N.J. Oct. 2, 1989) (“[I]n order for an entity such as SIA to recover under the Consumer Fraud Act it must be a consumer vis-a-vis the defendants.”).
Here, the New Jersey Plaintiffs allege that NextGen received their private information or the private information of their child because they sought healthcare services at a provider that contracted with NextGen. (Consolidated Class Action Compl. ¶¶ 212, 222, 232). These facts are strikingly similar to In re Blackbaud. In that case, one of the plaintiffs alleged that “Blackbaud maintained his data as a result of his relationship with Joseph Kushner Hebrew Academy and claims that the school retained his data because his children attended Joseph Kushner Hebrew Academy and he also made charitable donations during the time his children attended the school.” In re Blackbaud, 2021 WL 3568394, at *12 (quotation marks and citation omitted). However, the court held that “[s]uch assertions do not plausibly establish that Martin Roth was a ‘consumer' of Blackbaud's data management services.” Id. The court also held that another plaintiff who alleged that “Blackbaud stored her data as a result of her attendance at Joseph Kushner Hebrew Academy” did not plausibly plead that she was a “consumer” of the data management company under the NJCFA. Id. For both of these plaintiffs, the court held that they did “not assert that [they] purchased or used Blackbaud's services, knew Blackbaud existed, or perceived that Blackbaud managed [their] data.” Id.
The same can be said here of the New Jersey Plaintiffs. When they went to their providers, they were purchasing healthcare services, not data management services. Consequently, the New Jersey Plaintiffs were not “consumers” of NextGen and lack statutory standing to assert a claim under the NJCFA. Count XXII is dismissed.
T. New Mexico Unfair Practices Act (“NMUPA”) (Count XXIII)
Plaintiff Bundy-individually, on behalf of A.B., and on behalf of the putative New Mexico subclass-asserts a claim under the NMUPA. (Consolidated Class Action Compl. ¶¶ 628-38). There are four elements to an NMUPA claim:
First, the complaining party must show that the party charged made an “oral or written statement, visual description or other representation” that was either false or misleading. Ashlock [v. Sunwest Bank of Roswell, N.A.], [1988-NMSC-026, ¶ 4, 107 N.M. 100,] 753 P.2d [346,] 347. Second, the false or misleading representation must have been “knowingly made in connection with the sale, lease, rental or loan of goods or services in the extension of credit or ... collection of debts.” Id. Third, the conduct complained of must have occurred in the regular course of the representer's trade or commerce. Id. Fourth, the representation must have been of the type that “may, tends to or does, deceive or mislead any person.” Id.Apodaca v. Young Am. Ins. Co., 2023 WL 7706283, at *9 (D.N.M. Nov. 15, 2023) (quoting Stevenson v. Louis Dreyfus Corp., 112 N.M. 97, 100 (1991)). NextGen moves to dismiss this claim on the grounds that Plaintiff Bundy failed to adequately allege the second element. (Def.'s Br. in Supp. of Mot. to Dismiss, at 44-45). It argues that Plaintiff Bundy has not pled that any alleged misleading representations by NextGen were “in connection with [a] sale.” (Id.). The Court agrees.
Plaintiff Bundy, citing to Charlie v. Rehoboth McKinley Christian Health Care Services, 598 F.Supp.3d 1145, 1160-63 (D.N.M. 2022), states that the NMUPA's “prohibition of unfair trade practices applies in relation to the provision of health care.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 53). Yet, the problem with Plaintiff Bundy's claim is not that it involves healthcare; it's that he did not engage in any sort of “sale” with NextGen. The facts in Charlie are very similar to this case. It involved a data breach that exposed private information that was provided in the course of receiving health care services. Charlie, 598 F.Supp.3d at 1150. For present purposes, one salient difference exists between that case and this one. The plaintiffs in Charlie sued the healthcare service provider for failing to adequately secure their data while Plaintiff Bundy has sued the data management company that his child's healthcare provider uses. There is no dispute that NextGen never directly sold any goods or services to Plaintiff Bundy.
To account for this difference, Plaintiff Bundy invokes the downstream sale doctrine. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 54). In Lohman v. Daimler-Chrysler Corp, 142 N.M. 437, 444 (N.M. Ct. App. 2007), the New Mexico Court of Appeals held that “both the plain language of the act and the underlying policies suggest that a commercial transaction between a claimant and a defendant need not be alleged in order to sustain a[n NM]UPA claim.” Thus, Plaintiff Bundy argues that the fact he alleges some of the funds he paid for healthcare services were passed through to NextGen is sufficient to confer statutory standing. Not so.
In a more recent opinion, the New Mexico Court of Appeals further elucidated the reach of the downstream doctrine, stating “the plaintiff does not necessarily have to purchase the product from the defendant, but . . . somewhere along the purchasing chain, the claimant did purchase an item that was at some point sold by the defendant.” Hicks v. Eller, 280 P.3d 304, 309 (N.M. Ct. App. 2012). Here, NextGen sold/licensed its NextGen Office software to the healthcare provider of Plaintiff Bundy's child. (Consolidated Class Action Compl. ¶¶ 30, 90). However, Plaintiff Bundy did not purchase that item; rather, he purchased healthcare services. (Id. ¶ 241). The downstream sale doctrine therefore does not apply here. Since there was no sale between NextGen and Plaintiff Bundy, NextGen's alleged omissions were not “made in connection with the sale.of [a] good[] or service[].” Apodaca, 2023 WL 7706283, at *9 (citation omitted). Count XXIII is dismissed for that reason.
Moreover, if Plaintiff Bundy's position were taken seriously, the downstream sale doctrine would become breathtakingly expansive. A simple doctor's visit could create statutory standing for innumerable NMUPA claims. For example, if the company from which a doctor buys lightbulbs misrepresents how long those lightbulbs will last, then a patient need only allege that some of the funds he used to purchase the healthcare services were passed on to the lightbulb company and-according to Plaintiff Bailey's logic-the patient can then bring a NMUPA claim for that misrepresentation. The same would be true of any other supplies, services, or equipment that any service provider uses. Nothing in the caselaw supports such a reading of the Act.
U. New York General Business Law (“GBL”) (Count XXIV)
Plaintiff Benn, individually and on behalf of the putative New York subclass, alleges that NextGen violated GBL § 349. (Consolidated Class Action Compl. ¶¶ 639-46). “To successfully assert a section 349 (h) claim, a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice.” City of New York v. Smokes-Spirits.Com, Inc., 12 N.Y.3d 616, 621 (2009) (citation omitted). Because Plaintiff Benn has not alleged a cognizable injury under the GBL, the Court will grant NextGen's Motion to Dismiss with respect to Count XXIV.
Plaintiff Benn alleges that, because of the data breach, he has taken time monitoring his accounts and spent money on additional fraud protection. (Consolidated Class Action Compl. ¶ 252). That does not qualify as an injury under GBL § 349. See Shafran v. Harley-Davidson, Inc., 2008 WL 763177, at *3 (“Courts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy.”). Plaintiff Benn does not contest that and instead focuses his opposition to the Motion on two other kinds of alleged injuries. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 56-57).
First, he argues that he has suffered a cognizable injury because he alleges a diminution in the value of his private information. (Id.). To support that argument, Plaintiff Benn cites to In re Anthem. (Id. at 57). In In re Anthem, 162 F.Supp.3d 953, 993-95 (N.D. Cal. 2016), the court concluded that the diminution of the value of private information can be an injury after it observed “that no New York state courts have yet ruled on this question. Nor has the Second Circuit or any federal district court in the Second Circuit provided guidance on whether such losses constitute cognizable injury under GBL § 349.” The court stated “[a]bsent any state law or Second Circuit precedent that holds to the contrary, the Court finds that it would be appropriate to apply this general principle to Plaintiffs' GBL § 349 claim,” and relied on California cases to reach its conclusion. Id. at 995.
Since then, there have been multiple cases from New York that have addressed whether the diminution of value of private information can count as an injury. Those cases have taken a more stringent approach to the issue than In re Anthem did. See, e.g., Greco v. Syracuse ASC, LLC, 218 A.D.3d 1156, 1158 (N.Y.App.Div. 2023) (finding no injury “[p]erhaps most importantly” because “plaintiff has not alleged that any of the information purportedly accessed by the unknown third party has actually been misused”); In re Practicefirst Data Breach Litig., 2022 WL 354544, at *7 (W.D.N.Y. Feb. 2, 2022) (concluding there was no injury from diminution of value because “plaintiffs do not allege that they attempted to sell their personal information and were forced to accept a decreased price, nor do they allege any details as to how their specific, personal information has been devalued because of the breach.” (citations omitted)); Fero v. Excellus Health Plan, Inc., 236 F.Supp.3d 735, 755 (W.D.N.Y. 2017) (“Courts have rejected allegations that the diminution in value of personal information can support standing.” (compiling cases)).
Much like in In re Anthem, 162 F.Supp.3d at 995, these cases are “not perfectly analogous to the claim that is currently before the Court” because they “addressed the loss in value of an individual's PII in the standing context.” At the very least, as opinions from the state and district courts of New York, they are more indicative of how New York views diminution of the value of private information as a potential injury than the California cases relied on in In re Anthem.
Here, Plaintiff Benn has not alleged that his information has been actually misused, nor that he has attempted to sell his private information, nor that he has been forced to accept a lower price for his private information, nor that he would sell his private information if there had not been a data breach. Instead, Plaintiff Benn asserts that “Plaintiffs are injured every time their data is stolen and traded on underground markets” and that “[e]ach data breach increases the likelihood that a victim's Private Information will be exposed to more individuals who are seeking to misuse it at the victim's expense.” (Consolidated Class Action Compl. ¶ 275) (emphasis added). Thus, the alleged injury from the diminution of the value of private information is “solely the result of a perceived and speculative risk of future injury that may never occur.” Shafran, 2008 WL 763177, at *3. That is insufficient to assert a cognizable injury under New York law.
The Court therefore turns to Plaintiff Benn's second basis for asserting actual damages under New York law: the loss of his benefit of the bargain. Both In re Anthem, 162 F.Supp.3d at 995-96, and Wallace v. Health Quest Sys., Inc., 2021 WL 1109727, at *15 (S.D.N.Y. Mar. 23, 2021) found that plaintiffs who alleged a loss of the benefit of the bargain could assert a GBL § 349 claim. However, those cases involved transactions between the plaintiffs and the defendants. In re Anthem, 162 F.Supp.3d at 966-68; Wallace, 2021 WL 1109727, at *1-2. That is not true here. Just like the plaintiffs above, Plaintiff Benn has not alleged any transactions-or even interactions-with NextGen prior to receiving a letter informing him of the data breach. (See Consolidated Class Action Compl. ¶¶ 248-56). Plaintiff Benn contracted with his healthcare provider, and his healthcare provider contracted with NextGen. (Id. ¶¶ 28, 90, 249). Yet, there was no bargain between Plaintiff Benn and NextGen. Plaintiff Benn cannot plausibly assert that he is entitled to the benefit of a bargain that did not occur. Since neither of Plaintiff Benn's asserted injuries are cognizable under New York law, Count XXIV should be dismissed.
Even if Plaintiff Benn did assert a cognizable injury, the fact that he did not interact with NextGen or rely upon any representations from NextGen also appears to undermine any causal link between the alleged deceptive trade practice and the injury asserted. See In re USAA Data Sec. Litig., 621 F.Supp.3d 454, 472 (S.D.N.Y. 2022) (“Although justifiable reliance on the alleged misrepresentation or omission is not a requisite element for a claim under Section 349, a plaintiff must plausibly allege he or she was exposed to the deceptive conduct in the first instance.” (citation omitted); Fero, 502 F.Supp.3d 724, 740 (W.D.N.Y. 2020) (“[W]hile a plaintiff pursuing a GBL § 349 claim need not have relied on (or even necessarily have believed) the allegedly deceptive conduct, he or she must have at least been exposed to it.”). But see Bose v. Interclick, Inc., 2011 WL 4343517, at *8 (S.D.N.Y. Aug. 17, 2011) (“A claim under Section 349 need not, as Interclick argues, involve an allegation of a deceptive statement made by Interclick to Plaintiff. It need only allege that Interclick engaged in a deceptive practice that affected the consuming public.”).
V. Pennsylvania Unfair Trade Practices and Consumer Protection Law (“UTPCPL”) (Count XXV)
Plaintiff Brickle, individually and on behalf of the putative Pennsylvania subclass, asserts a claim under the UTPCPL. (Consolidated Class Action Compl. ¶¶ 647-57). “To bring a private cause of action under the UTPCPL, a plaintiff must show that he justifiably relied on the defendant's wrongful conduct or representation and that he suffered harm as a result of that reliance.” Yocca v. Pittsburgh Steelers Sports, Inc., 578 Pa. 479, 501 (2004) (citations omitted). Because Plaintiff Brickle fails to plausibly allege justifiable reliance, she does not state a claim under the UTPCPL.
Plaintiff Brickle argues that she has adequately pled justifiable reliance and points to Valley Forge Towers South Condominium v. Ron-Ike Foam Insulators, Inc., 393 Pa. Super. 339, 348-51 (1990) and Adams v. Hellings Builders, Inc., 146 A.3d 795, 801 (Pa. Super. Ct. 2016), for support. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 57-58). However, those cases stand for the proposition that technical privity is not necessary under the UTPCPL. Valley Forge Towers, 393 Pa. Super. at 351 (“Based upon the foregoing, we conclude that strict technical privity was not intended by our legislature to be required to sustain a cause of action under 73 P.S. § 201-9.2.”); Adams, 146 A.3d at 801 (“As set forth in detail above, Woodward and Valley Forge make clear that technical privity is no longer required to assert a cause of action for fraud or a violation of the UTPCPL.”). Even without technical privity, Plaintiff Brickle still must plausibly allege justifiable reliance in some form. She has failed to do so.
Plaintiff Brickle argues that “[h]ere, Plaintiff Brickle's Private Information was provided to NextGen when her healthcare provider required it in order to receive healthcare services, and she reasonably expected it to be safe. Compl. ¶ 258. Had she been informed of NextGen's data security deficiencies, Plaintiff Brickle would not have entrusted her Private Information to NextGen.” (Pls.' Br. in Opp'n to Mot. to Dismiss, at 57-58). These allegations are virtually identical to the allegations made in In re Blackbaud, 2021 WL 3568394 (D.S.C. Aug. 12, 2021). There, the plaintiff claimed “that she was ‘required to provide her PHI to her healthcare provider as a predicate to receiving healthcare services[,]' her PHI ‘was in turn provided to Blackbaud to be held for safekeeping[,]' and she suffered injuries as a result of her ‘reliance' on Blackbaud's misrepresentations and omissions.” Id. at *14. The court held that the plaintiff did not plausibly allege reliance because the complaint was “bereft of allegations suggesting that Pennsylvania Plaintiff knew that Blackbaud maintained her data or was exposed to representations Blackbaud made to her or her healthcare provider. In fact, the [complaint] does not even assert that Pennsylvania Plaintiff knew that Blackbaud existed.” Id. Moreover, the court found conclusory the allegation that the plaintiff “would not have entrusted her Private Information to one or more Social Good Entities had she known that one of the entity's primary cloud computing vendors entrusted with her Private Information failed to maintain adequate data security.” Id.
Based on all of this, the court concluded that the plaintiff had failed to adequately plead reliance. The Court will do the same here. Just as in In re Blackbaud, Plaintiff Brickle does not allege that she was exposed to any representations by NextGen (either directly or through her healthcare provider), that she ever interacted with NextGen prior to receiving the letter notifying her of the breach, or that she even knew that NextGen existed prior to that point. Without any such allegation, the Court cannot find that she justifiably relied on NextGen's conduct or representations.
Plaintiff Brickle attempts to distinguish In re Blackbaud by stating in a footnote that “unlike NextGen, the software company in Blackbaud did not specialize solely in the healthcare field.” (Pls. Br. in Opp'n to Mot. to Dismiss, at 58 n. 14). Plaintiff Brickle does not even attempt to explain why that makes any difference under the UTPCPL, let alone provide authority to support it. The Court does not find this distinction to be meaningful.
This is not the end of the analysis, however, because Plaintiff Brickle argues that reliance should be presumed from NextGen's failure to affirmatively disclose its data security shortcomings. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 58-59). “When allegations underlying a UTPCPL claim involve a defendant's nondisclosure rather than misrepresentation, the omission is actionable only if there is a duty to disclose.” DeSimone v. U.S. Claims Servs., Inc., 2020 WL 1164794, at *3 (E.D. Pa. Mar. 11, 2020). “In Pennsylvania, a duty to speak requires the presence of a fiduciary or other confidential relationship as prerequisite to liability for omissions.” Id. (quotation marks and citations omitted). Plaintiff Brickle argues that she was in a fiduciary relationship with NextGen and consequently NextGen had a duty to disclose its inadequate security measures. (Pls.' Br. in Opp'n to Mot. to Dismiss, at 58).
Under Pennsylvania law, “[f]iduciary duties do not arise merely because one party relies on and pays for the specialized skill of the other party.” Yenchi v. Ameriprise Fin., Inc., 639 Pa. 618, 637 (2017) (quotation marks and citation omitted). “A fiduciary duty may arise in the context of consumer transactions only if one party cedes decision-making control to the other party.” Id. at 638. Plaintiff Brickle has failed to allege that she ceded decision-making control to NextGen, as illustrated in Barletti v. Connexin Software, Inc., 2023 WL 6065884, at *2 (E.D. Pa. Aug. 17, 2023). In that case, the court held that the plaintiffs failed to allege a fiduciary relationship for two reasons. Id. First, the plaintiffs did not “allege any direct relationship between themselves and Connexin.” Id. They “allege only a direct relationship between themselves and their physicians.” Id.
Second, and more importantly, nothing in the Complaint suggests Connexin wielded the type of overmastering influence over Plaintiffs needed to create a fiduciary duty. Plaintiffs, through their physicians, relied on Connexin to maintain and secure their data. But there's no plausible allegation that Connexin deprived them of all decision-making power regarding who saw their data, where their data was sent, or whether their data was maintained at all, rather than erased. Their use of Connexin's services is the kind of “reliance on superior skill” that the Pennsylvania Supreme Court says is insufficient to
create a fiduciary relationship.Id. (citation omitted). Similarly, Plaintiff Brickle has failed to allege that NextGen deprived her of her decision-making power. Because Plaintiff Brickle does not plausibly allege reliance and because reliance cannot be presumed under a duty to disclose, Count XXV is dismissed for failure to state a claim.
IV. Conclusion
As explained above, the Defendant's Motion to Dismiss [Doc. 60] is GRANTED with respect to the entirety of Counts III, IV, V, VI, XI, XIII, XV, XVI, XVII, XVIII, XIX, XX, XXI, XXII, XXIII, XXIV, and XXV, and is GRANTED with respect to Count XII as to Plaintiff Alvarado. The Motion is DENIED with respect to the entirety of Counts VII, VIII, IX, and XIV, and is DENIED with respect to Count XII as to Plaintiff Appleton.
SO ORDERED.