Opinion
Civil Action No. 1:21-cv-02851-SDG
2023-03-31
Bryan L. Bleichner, Chestnut Cambronne PA, Minneapolis, MN, David K. Lietz, Pro Hac Vice, Milberg, Washington, DC, Gary M. Klinger, Pro Hac Vice, Milberg Coleman Bryson Phillips Grossman PLLC, Chicago, IL, Joseph M. Lyon, Pro Hac Vice, The Lyon Firm, Cincinnati, OH, Terence R. Coates, Pro Hac Vice, Markovits, Stock & Demarco, LLC, Cincinnati, OH, MaryBeth Vassil Gibson, N. Nickolas Jackson, The Finley Firm, P.C., Atlanta, GA, Nathan D. Prosser, Pro Hac Vice, Hellmuth & Johnson PLLC, Edina, MN, for Plaintiff Carla Tracy. Bryan L. Bleichner, Chestnut Cambronne PA, Minneapolis, MN, MaryBeth Vassil Gibson, The Finley Firm, P.C., Atlanta, GA, Terence R. Coates, Pro Hac Vice, Markovits, Stock & Demarco, LLC, Cincinnati, OH, for Plaintiff Darryl Bowsky. Alex J. Dravillas, Pro Hac Vice, Seth A. Meyer, Pro Hac Vice, Keller Postman LLC, Chicago, IL, Gary M. Klinger, Pro Hac Vice, Milberg Coleman Bryson Phillips Grossman PLLC, Chicago, IL, Andrew White, Pro Hac Vice, Todd Garber, Pro Hac Vice, Finkelstein, Blankinship, Frei-Pearson, & Garber, LLP, White Plains, NY, Bryan L. Bleichner, Chestnut Cambronne PA, Minneapolis, MN, Joseph M. Lyon, Pro Hac Vice, The Lyon Firm, Cincinnati, OH, Terence R. Coates, Pro Hac Vice, Markovits, Stock & Demarco, LLC, Cincinnati, OH, Mara Baltabols, Pro Hac Vice, Fish Potter Bolanos, P.C., Naperville, IL, MaryBeth Vassil Gibson, N. Nickolas Jackson, The Finley Firm, P.C., Atlanta, GA, Nathan D. Prosser, Pro Hac Vice, Hellmuth & Johnson PLLC, Edina, MN, for Plaintiff Deborah Harrington. Gregory T. Parks, Pro Hac Vice, Kristin M. Hadgis, Pro Hac Vice, Liza B. Fleming, Pro Hac Vice, Morgan Lewis & Bockius LLP, Philadelphia, PA, Cameron Blaine Roberts, Michael A. Caplan, Caplan Cobb LLP, Atlanta, GA, for Defendant Elekta, Inc. Gregory T. Parks, Pro Hac Vice, Kristin M. Hadgis, Pro Hac Vice, Liza B. Fleming, Pro Hac Vice, Morgan Lewis & Bockius LLP, Philadelphia, PA, Michael A. 
Caplan, Caplan Cobb LLP, Atlanta, GA, for Defendant Northwestern Memorial Healthcare.
OPINION AND ORDER
Steven D. Grimberg, United States District Court Judge
Before the Court is Defendants Northwestern Memorial Healthcare and Elekta, Inc.'s Motion to Dismiss [ECF 43]. After careful consideration, and with the benefit of oral argument, the Court DENIES in part and GRANTS in part Defendants' motion.
I. BACKGROUND
This putative class action arises out of an April 2021 ransomware attack and data breach involving Defendant Elekta's cloud-based data systems. Elekta provides radiation therapy and related equipment and data services for cancer treatments. Its services include contracting with healthcare systems to provide cloud-based storage systems for oncology-related data. Defendant Northwestern Memorial Healthcare is one such healthcare system. Northwestern contracts with Elekta to assist with medical treatment and to provide the State of Illinois with detailed medical information and all "medical, pathological, and other pertinent records and logs related to cancer diagnosis and treatment." Plaintiffs are patients of Northwestern whose data ended up in Elekta's systems as part of its relationship with Northwestern. Plaintiff Tracy seeks to represent a class of similarly situated patients of Northwestern.
ECF 33, ¶ 2.
Id. ¶ 1.
Id. ¶¶ 6-9, 28, 31-35, 65-67.
Id. ¶¶ 24-26, 28.
Plaintiffs allege that unauthorized actors gained access to Elekta's database and acquired copies of their sensitive patient information, including their personally identifiable information (PII), protected health information (PHI), and protected genetic information (PGI) (collectively, Sensitive Information). As a result of this breach, Plaintiffs allege they have suffered an array of injuries, including the disclosure, compromise and theft of their information; costs associated with the detection and prevention of identity theft; and injury arising from the actual and/or potential fraud and identity theft posed by their Sensitive Information being placed in the hands of the ill-intentioned hackers and/or criminals. While the parties agree that the data breach was carried out by third-party criminal actors, Plaintiffs allege that Defendants were fully aware of their "obligations to protect the Sensitive Information of consumers because of [their] business model of collecting Sensitive Information and storing such information for analysis and for pecuniary gain. Defendants were also aware of the significant repercussions that would result from [their] failure to do so." Additionally, Plaintiffs allege that Elekta knew or should have known the importance of safeguarding its customers' information and of the foreseeable consequences if its systems were breached.
Id. ¶ 3.
Id. ¶ 18.
Id. ¶ 72.
Id. ¶ 73.
Plaintiffs assert the following claims for relief: (1) negligence; (2) negligence per se; (3) breach of implied contract against Northwestern; (4) breach of contract against Elekta; and (5) violation of Illinois's Genetic Information Privacy Act. Plaintiffs also seek declaratory and injunctive relief and bad-faith litigation damages under O.C.G.A. § 13-6-11.
II. LEGAL STANDARD
Federal Rule of Civil Procedure 8(a)(2) requires a pleading to contain a "short and plain statement of the claim showing that the pleader is entitled to relief." While this standard does not require "detailed factual allegations," the Supreme Court has held that "labels and conclusions" or "a formulaic recitation of the elements of a cause of action will not do." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)).
To withstand a motion to dismiss for failure to state a claim under Rule 12(b)(6), "a complaint must now contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.' " Am. Dental Ass'n v. Cigna Corp., 605 F.3d 1283, 1289 (11th Cir. 2010) (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955). "However, conclusory allegations, unwarranted deductions of facts[,] or legal conclusions masquerading as facts will not prevent dismissal." Oxford Asset Mgmt. v. Jaharis, 297 F.3d 1182, 1187-88 (11th Cir. 2002).
A complaint is plausible on its face when a plaintiff pleads sufficient factual content for the court to draw the reasonable inference that the defendant is liable for the conduct alleged. Am. Dental Ass'n, 605 F.3d at 1289 (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955). "A complaint does not state a facially plausible claim for relief if it shows only a sheer possibility that the defendant acted unlawfully." Waters Edge Living, LLC v. RSUI Indem. Co., 355 F. App'x 318, 322 (11th Cir. 2009). "The plausibility standard is not akin to a 'probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.
At the motion to dismiss stage, "all well-pleaded facts are accepted as true, and the reasonable inferences therefrom are construed in the light most favorable to the plaintiff." FindWhat Inv'r Grp. v. FindWhat.com, 658 F.3d 1282, 1296 (11th Cir. 2011) (quoting Garfield v. NDC Health Corp., 466 F.3d 1255, 1261 (11th Cir. 2006)). This principle, however, does not apply to legal conclusions. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.
Georgia's choice-of-law rules determine which state's law should be applied here. Interface Kanner, LLC v. JPMorgan Chase Bank, N.A., 704 F.3d 927, 932 (11th Cir. 2013). For contract cases, "Georgia follows the traditional rule of lex loci contractus." McGill v. Am. Trucking & Trans., Ins. Co., 77 F. Supp. 3d 1261, 1264 (N.D. Ga. 2015). Contracts are governed by the law of the place where "the last act essential to the completion of the contract was done." Gen. Tel. Co. of Se. v. Trimm, 252 Ga. 95, 95, 311 S.E.2d 460 (1984) (citing Peretzman v. Borochoff, 58 Ga. App. 838, 200 S.E. 331 (1938)). For tort cases, Georgia applies lex loci delicti, applying the substantive law of the state where "the tort was committed," Dowis v. Mud Slingers, Inc., 279 Ga. 808, 809, 621 S.E.2d 413 (2005), that is, the place "where the injury sustained was suffered rather than the place where the act was committed." Bullard v. MRA Holding, LLC, 292 Ga. 748, 750-51, 740 S.E.2d 622 (2013) (citation omitted).
While Elekta is based in Georgia, Northwestern is located in Illinois and Plaintiffs all appear to have received treatment in Illinois. However, as Defendants' brief argues, Georgia and Illinois law are substantially similar for the bulk of the claims Plaintiffs are attempting to state. Accordingly, the Court applies Georgia substantive law to Plaintiffs' causes of action unless otherwise indicated, since unnecessary conflict-of-laws analyses should be avoided. Kahn v. Visador Holding Corp., No. 2:07-CV-73, 2009 WL 10669538, at *3 (N.D. Ga. July 17, 2009) ("The court has reviewed the agency law of Virginia, North Carolina, and Georgia, and finds that there is no true conflict between the agency law of these states because each state law commands the same outcome. Accordingly, the court will apply Georgia law to the facts of this case.").
III. ANALYSIS
Defendants move to dismiss the Amended Complaint in its entirety. The Court addresses each claim separately.
ECF 43.
A. Plaintiffs have stated a claim for negligence.
Under Georgia law, a negligence claim has four elements: "the existence of a duty on the part of the defendant, a breach of that duty, causation of the alleged injury, and damages resulting from the alleged breach of the duty." Rasnick v. Krishna Hosp., Inc., 289 Ga. 565, 566, 713 S.E.2d 835 (2011) (citation omitted). Defendants move to dismiss Plaintiffs' negligence claims, arguing that Plaintiffs failed to allege both injury and duty.
1. Plaintiffs have sufficiently alleged injury.
Defining harm in data breach cases like this one is a complicated endeavor. It requires courts to draw a line in the sand—to delineate when harm transforms from purely speculative to imminent and substantial. Data breaches involve the entry into private data systems and often, the exfiltration of highly sensitive personal data by a criminal third-party. For a negligence claim related to a data breach to withstand a motion to dismiss, the chain of inferences required to show that a plaintiff faces imminent risk must be so short that the risk is no longer speculative. The Georgia Supreme Court's opinion in Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555, 837 S.E.2d 310 (2019), guides the Court's analysis in this case.
In Collins, clinic patients brought a class action suit against the healthcare provider defendant, asserting claims that included negligence arising out of a data breach of the defendant's computer systems by a hacker and theft of the plaintiffs' PII. The plaintiffs alleged that
(1) a thief stole a large amount of personal data by hacking into a business's computer databases and demanded a ransom for the data's return, (2) the thief offered at least some of the data for sale, and (3) all class members now face the 'imminent and substantial risk' of identity theft given criminals' ability to use the stolen data to assume the class members' identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names.
The Georgia Supreme Court reversed the intermediate appellate court and concluded that the plaintiffs had alleged a legally cognizable injury for a negligence claim. The primary difference between the allegations pleaded in Collins and this case is that Plaintiffs here have not alleged that their data is being sold on the dark web.
Id. at 562, 837 S.E.2d 310.
The allegation that the stolen data in Collins was offered for sale on the dark web was part of the totality of circumstances that established injury. But the allegation that the data was in the hands of criminals seemed to weigh most heavily in the Georgia Supreme Court's analysis. For example, when summarizing its holding, the court concluded that "allegations that the criminal theft of [plaintiffs'] personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation." And, the court further noted that "plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is 'imminent and substantial.' This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach." The harm, therefore, was that data was in the hands of criminals.
Id. at 563-64, 837 S.E.2d 310.
Id. at 561, 837 S.E.2d 310.
Ultimately, this Court interprets Collins as holding that an injury exists where, at the very least, criminals have hacked into a data system and exfiltrated personally identifiable information and protected health information. That conclusion is consistent both with Collins and common sense. Once criminals have stolen personal data, they can offer it for sale, hold it for ransom, or use it for any other criminal purpose they desire. There is no meaningful difference at the motion to dismiss stage between data that is in the hands of criminals and data that plaintiffs know exists on the dark web; both present an imminent and substantial risk of harm as the data is capable of being used by criminals for illicit purposes.
Drawing the line here is also consistent with the distinction in Collins of both Rite Aid of Georgia v. Peacock, 315 Ga.App. 573, 726 S.E.2d 577 (2012) and Finnerty v. State Bank & Trust Co., 301 Ga.App. 569, 687 S.E.2d 842 (2009). In both Rite Aid and Finnerty, the Georgia Court of Appeals held that plaintiffs failed to allege harm where their data was shared with non-criminal third parties without plaintiffs' consent. But, the defining difference between those cases and Collins is that in neither Rite Aid nor Finnerty was "there any reason to believe that the data in question had in fact fallen into a criminal's hands." Collins, 307 Ga. at 561, 837 S.E.2d 310. Accordingly, "to conclude that the claimants in Finnerty and Rite Aid would likely suffer identity theft as a result of the opposing parties' actions would have required a long series of speculative inferences, including that someone with malicious intent would obtain the data in the first place . . . ." Id. This case is much more similar to Collins than Rite Aid and Finnerty.
The Court concludes that Plaintiffs have sufficiently alleged harm in this case. While they have not alleged that their data is actually for sale on the dark web or elsewhere, they have alleged that it is in the hands of criminals. Plaintiffs also allege that this type of personal information is often trafficked on the "dark web" and used to "gain access to various areas of the victim's digital life, including bank accounts, social media, credit, and tax details." There is a short chain of inferences required in this case from Plaintiffs' allegations to actual injury. Accordingly, Plaintiffs have sufficiently pleaded harm.
ECF 33, ¶¶ 83-84.
2. Defendants owed Plaintiffs a duty to safeguard their information.
"The threshold issue in any cause of action for negligence is whether, and to what extent, the defendant owes the plaintiff a duty of care." Smith v. United States, 873 F.3d 1348, 1352 (11th Cir. 2017) (quoting City of Rome v. Jordan, 263 Ga. 26, 426 S.E.2d 861, 862 (1993)). Plaintiffs here allege that Defendants owed them a duty to safeguard their data based on the foreseeable risk of a data breach. Defendants disagree, arguing that in Department of Labor v. McConnell, 305 Ga. 812, 828 S.E.2d 352, 358 (2019), the Georgia Supreme Court abandoned the practice of implying a duty based on foreseeability when it held that there is no general duty "to all the world not to subject" another "to an unreasonable risk of harm." According to Defendants, McConnell overruled Bradley Center v. Wessner, 250 Ga. 199, 296 S.E.2d 693 (1982), which encompassed a duty based on foreseeability. This Court disagrees with Defendants' reading of the relevant case law and concludes that a negligence claim can be supported by a duty to safeguard data based on the foreseeable risk of a data breach.
Id. ¶¶ 71-99, 130-31.
Another court in this district addressed this issue in an almost identical factual scenario in Purvis v. Aveanna Healthcare, LLC, 563 F. Supp. 3d 1360 (N.D. Ga. 2021). While the holding of that case is not binding on this Court, its analysis is sound. In Purvis, the court held that the "Defendant owed [Plaintiffs] a duty based on Defendant's alleged knowledge of the foreseeable risk of a data breach and the resulting exposure of Plaintiffs' information." Id. at 1368. In coming to this conclusion, the court relied on Atlantic Coast Line R. Co. v. Godard, 211 Ga. 373, 86 S.E.2d 311 (1955), a Georgia Supreme Court case recognizing negligence principles based on foreseeability.
In Godard, a railroad employee was required to work through the night in a one-room building in an isolated part of the defendants' railyard, where he was attacked. The Georgia court held that, because the plaintiff alleged that "defendants well knew that dangerous, reckless, and lawless characters and persons who were strangers frequented the premises described during the nighttime[,] . . . [this] was sufficient to charge the defendants with the duty to anticipate the criminal act alleged, and to exercise ordinary care to protect its employees therefrom." 86 S.E.2d at 315. The Georgia Supreme Court held that the defendants owed the plaintiff a duty based on the foreseeable risk of harm. Id.
Additionally, the Purvis court analyzed Collins and concluded that it does not stand for the proposition that McConnell entirely foreclosed the existence of a duty to safeguard personal information under Georgia law. Purvis, 563 F. Supp. 3d at 1367. The Georgia Supreme Court in Collins explained that McConnell held simply that there is no duty under Bradley Center, O.C.G.A. § 10-1-393.8, or O.C.G.A. § 10-1-910. Collins, 307 Ga. at 562-64, 837 S.E.2d at 316. As Purvis notes, Collins "did not cite McConnell for the broad proposition that a duty to safeguard personal information simply does not exist under Georgia law." Id. While Collins ultimately makes no express holding with regard to duty, it certainly did not foreclose the existence of a duty to protect personal information.
This Court agrees with the Purvis analysis and accordingly finds that Defendants owed Plaintiffs a duty to safeguard their information based on the foreseeable risk of a data breach. As to the existence of a duty based on foreseeability, this Court agrees that, if the Georgia Supreme Court had intended to foreclose the existence of such a duty, it could have done so in Collins and it did not. Plaintiffs' allegations are similar to the Purvis plaintiffs' allegations—that Defendants knew the risk of cyberattacks and therefore had a duty to protect their customers from such an attack. The Amended Complaint further alleges it was foreseeable that these known risks would lead to the very injuries sustained by Plaintiffs and the putative class members. Plaintiffs' allegations are sufficient to allege that Defendants knew or should have known that they were targets for criminals looking to steal sensitive data, giving rise to a duty to protect such data based on the foreseeable risk of a data breach.
ECF 33, ¶¶ 71-99, 130-31.
Id. ¶¶ 131, 137-39.
B. Plaintiffs have stated a claim for negligence per se pursuant to Section 5 of the FTC Act.
Defendants move to dismiss the negligence per se claim, which is based on Section 5 of the Federal Trade Commission Act (FTC Act). "In Georgia, negligence per se arises when a defendant violates a statute or ordinance, satisfying, as a matter of law, the first two elements of a negligence claim." Amick v. BM & KM, Inc., 275 F. Supp. 2d 1378, 1381 (N.D. Ga. 2003) (citing Hubbard v. Dep't of Transp., 256 Ga.App. 342, 568 S.E.2d 559 (2002)). Additionally, Plaintiffs must demonstrate, and the court must consider, (1) whether "the person injured by the violation is within the class of persons the statute was intended to protect[,]" and (2) whether "the harm complained of was the harm the statute was intended to guard against." Goldstein, Garber & Salama, LLC v. J.B., 300 Ga. 840, 797 S.E.2d 87, 93 (2017).
Defendants first argue that Section 5 cannot form the basis of a negligence per se claim because it does not set forth duties, require the performance of certain acts, or articulate a standard of conduct to establish a duty, which is a requirement of a negligence per se claim. They rely exclusively on Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162, 744 S.E.2d 686, 688 (2013) to support their position that Section 5's prohibition on "unfair" trade practices is not sufficient to support a negligence per se claim. The Court does not agree.
As Plaintiffs point out, courts addressing this exact issue under Georgia law in the data breach context have found that Section 5 of the FTC Act "is a statute that creates enforceable duties." In re Marriott Int'l, Inc. Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 478-82 (D. Md. 2020). The Marriott court went even further, determining that a duty applies in data breach cases based on "the text of the statute and a body of precedent interpreting the statute and applying it to the data breach context." Id. There is an abundance of case law supporting this position, and this Court agrees that Section 5 imposes certain duties. See, e.g., Purvis, 563 F. Supp. 3d at 1375-76; In re Equifax, Inc. Customer Data Sec. Breach Litig., 371 F. Supp. 3d 1150, 1175 (N.D. Ga. 2019) (holding that the plaintiffs' complaint "adequately pleads a violation of Section 5 of the FTC Act, that the [p]laintiffs are within the class of persons intended to be protected by the statute, and that the harm suffered is the kind the statute meant to protect"); In re Arby's Rest. Grp. Inc. Litig., No. 1:17-CV-0514-AT, 2018 WL 2128441, at *7-*9 (N.D. Ga. Mar. 5, 2018) (negligence per se claim under Georgia law based on violation of Section 5 of the FTC Act); In re: The Home Depot, Inc. Customer Data Sec. Breach Litig., No. 1:14-MD-2583-TWT, 2016 WL 2897520, at *4 (N.D. Ga. May 18, 2016) (same).
Second, Defendants argue that, while Section 5 prohibits "unfair" practices, it does not itself qualify that term—its scope must be well-established elsewhere in law. LabMD, Inc. v. Fed. Trade Comm'n, 894 F.3d 1221, 1231 (11th Cir. 2018). According to Defendants, the only possible source of the standard of unfairness is the common law of negligence, which they argue does not impose such a duty. However, this Court has already held otherwise. As detailed above, Defendants owed Plaintiffs a duty to safeguard their data based on the foreseeable risk of a data breach. Accordingly, Defendants' argument to the contrary must fail.
ECF 43, at 24 (citing LabMD, 894 F.3d at 1221).
Finally, Defendants argue that there is no private right of action under Section 5, and therefore, it cannot provide the basis of Plaintiffs' negligence per se claim. But Section 5 can provide the basis of a negligence per se claim regardless of whether the statute itself supplies a private right of action. Defendants rely primarily on Govea v. City of Norcross, 271 Ga.App. 36, 608 S.E.2d 677, 683 (2004) to support the proposition that a negligence per se claim must fail absent a private right of action in the underlying statute. In Govea, the Georgia Court of Appeals held that the Peace Officer Standards and Training (POST) Act did not provide a private right of action and dismissed a negligence per se claim based on that statute, with little discussion of the interplay between the two. However, the court made no broader finding that a negligence per se claim must be based on a statute for which a private right of action exists. And, considering the abundance of case law permitting negligence per se claims based on statutes that do not provide a private right of action, this Court finds Defendants' reading of Govea to be too broad. See, e.g., Legacy Acad., Inc. v. Mamilove, LLC, 328 Ga. App. 775, 761 S.E.2d 880 (2014), rev'd in part on other grounds, 297 Ga. 15, 771 S.E.2d 868 (2015); Purvis, 563 F. Supp. 3d at 1375-76; In re Equifax, 371 F. Supp. 3d at 1175; In re Arby's, 2018 WL 2128441, at *7-*9; Home Depot, 2016 WL 2897520, at *4; cf. Grable & Sons Metal Prod., Inc. v. Darue Eng'g & Mfg., 545 U.S. 308, 318, 125 S.Ct. 2363, 162 L.Ed.2d 257 (2005) (quoting Restatement (Third) of Torts § 14, cmt. a, p. 195 (Tent. Draft No. 1, Mar. 28, 2001)) ("The violation of federal statutes and regulations is commonly given negligence per se effect in state tort proceedings."). Ultimately, this Court, like many others, concludes that Section 5 of the FTC Act can support a negligence per se claim.
C. Plaintiffs have stated a claim for breach of implied contract against Northwestern.
Plaintiffs allege that they and Northwestern mutually assented to an implied contract since they "reasonably expected that their Sensitive Information entrusted to Northwestern would remain confidential"; that they had "an understanding that Defendant Northwestern would take steps to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect patients' Sensitive Information;" and that these understandings were based on Northwestern's written policies and statements. Defendants argue that there was no mutual assent, and that Plaintiffs have failed to allege any "meeting of the minds" with Northwestern such that an implied contract could have been formed.
ECF 33, ¶¶ 160-61.
ECF 43, at 29.
The Georgia Court of Appeals has explained that, for both express and implied contract claims, "[t]he concept of a contract requires that the minds of the parties shall meet and accord at the same time, upon the same subject matter, and in the same sense." Donaldson v. Olympic Health Spa, Inc., 175 Ga.App. 258, 333 S.E.2d 98, 100 (1985). The only difference between an express and implied contract is the type of proof used to prove its existence. In re Equifax, 371 F. Supp. 3d at 1175. A meeting of the minds is still required.
While Defendants rely on Equifax to argue that the parties lacked mutual assent, this case is different. In Equifax, the court found no breach of implied contract largely due to the existence of a merger clause that explicitly precluded the assertion of an implied contract claim. Defendants here have not alleged that any such merger clause existed, and certainly not one that would prohibit Plaintiffs from bringing an implied contract claim. Moreover, Plaintiffs have alleged additional facts that support an implied contract claim. For example: "Plaintiffs and Class Members reasonably expected that their Sensitive Information that they entrusted to Northwestern, as part of their medical treatment, would remain confidential and would not be shared or disclosed to criminal third parties"; Plaintiffs had "an understanding that Defendant Northwestern would take steps to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect patients' Sensitive Information"; and Plaintiffs had an "expectation that Northwestern will not share or disclose, whether intentionally or unintentionally, Sensitive Information in the absence of authorization for any purpose that is not directly related to or beneficial to patient care." Plaintiffs have alleged sufficient facts to plead a meeting of the minds that supports a breach of implied contract claim.
ECF 33, ¶ 17.
Id.
Id. ¶ 108.
D. Plaintiffs have failed to state a claim for breach of contract against Elekta.
Plaintiffs also allege that they are third-party beneficiaries of the contract between Northwestern and Elekta, such that they may sue Elekta for its breach. Defendants argue that Plaintiffs have failed to demonstrate that they were intended third-party beneficiaries. Plaintiffs respond that it was their data that Elekta was contracted to store in its systems, so they were intended beneficiaries of that contract. The Court disagrees with Plaintiffs' position and concludes that they have failed to plausibly allege that they are third-party beneficiaries to the Northwestern-Elekta contract.
"The beneficiary of a contract made between other parties for his benefit may maintain an action against the promisor on the contract." Irwin v. RBS Worldpay, Inc., No. 09-33, 2010 WL 11570892, at *7 (N.D. Ga. Feb. 5, 2010) (quoting O.C.G.A. § 9-2-20(b)). However, under Georgia law, "the intent to create a third-party beneficiary must appear on the face of a contract," and parol evidence will not be considered in making this determination. Perry Golf Course Dev., LLC v. Hous. Auth. of Atlanta, 294 Ga.App. 387, 670 S.E.2d 171 (2008). Further, "[t]he mere fact that [a plaintiff] would benefit from performance of the agreement is not alone sufficient." Scott v. Mamari Corp., 242 Ga.App. 455, 530 S.E.2d 208, 211 (2000). In Heath v. ILG Techs., LLC, the court dismissed the plaintiffs' breach of contract claims based on third-party beneficiary liability because they simply made "conclusory allegations that they were an intended third-party beneficiary, and the contract language merely indicates some benefit will be conferred to them." No. 1:20-CV-3130-TWT, — F.Supp.3d —, —, 2020 WL 6889164, at *12 (N.D. Ga. Nov. 24, 2020).
The same is true here. Plaintiffs have done nothing more than state conclusory allegations that the Northwestern-Elekta contract was entered into for their benefit. While Plaintiffs also allege that the contract requires Elekta to take steps to safeguard sensitive information, they do not sufficiently allege how the contract was for their benefit. Under Georgia law, this is insufficient to convey standing to bring third-party contract claims.
ECF 33, ¶ 173.
Id. ¶ 172.
E. Only Plaintiff Bowsky has plausibly alleged a GIPA violation.
The Court finds that Plaintiffs have stated a claim for a violation of Illinois's Genetic Information Privacy Act (GIPA) only as to Plaintiff Bowsky. Defendants argue that the GIPA claims should be dismissed as purely speculative and conclusory since Plaintiffs do not allege that their genetic information was actually disclosed. Plaintiffs argue that, based on their specific factual allegations, the Court can plausibly infer that the compromised data likely contained PGI.
ECF 44, at 30.
GIPA provides that "no person may disclose . . . the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test." 410 Ill. Comp. Stat. Ann. 513/30(a). While Plaintiffs argue that it is likely, based on the type of information Northwestern gathers and Elekta's general business model, that Plaintiffs' PGI was leaked as part of the breach, during oral argument Plaintiffs conceded that only Bowsky alleged that his PGI was actually provided during his treatment and is included in his medical records. The allegation that Bowsky's information was provided, along with the additional factual contentions Plaintiffs make, is sufficient to state a claim for relief under GIPA as to him. However, since there is no allegation that Tracy actually provided her PGI to Northwestern during her course of treatment, it is overly speculative to allow her claim for relief.
ECF 33, ¶¶ 53 and 25.
These factual allegations include that "[g]enetic testing and DNA analysis, whether in the form of biomarker testing, gene expression panels, hereditary testing, or other forms of genetic testing and evaluation, . . . all fall within the broad category of 'clinical information related to your cancer treatment,' medical history,' 'treatment plan,' " and "diagnosis and/or prescription information" that Northwestern and Elekta admitted had been disclosed in the breach. ECF 33, ¶ 68. Additionally, Plaintiffs allege that "[a]t no point following the breach have Defendants publicly announced that the compromised datasets excluded PGI or was limited to a certain subset of diagnostic or treatment data." ECF 44, at 30.
F. Plaintiffs' declaratory and injunctive relief claims and their attorney's fees claim stand.
Defendants object to Plaintiffs' claims for declaratory and injunctive relief as well as their claims for attorney's fees. Defendants' argument rests on the assumption that Plaintiffs have failed to state substantive tort claims. However, as discussed, this Court concludes that Plaintiffs have successfully stated negligence claims. Accordingly, the claims for declaratory and injunctive relief, as well as attorney's fees, are likewise viable.
IV. CONCLUSION
The Court DENIES Defendants' motion to dismiss Plaintiffs' claims of negligence, negligence per se, breach of implied contract as to Northwestern, and violation of GIPA as to Plaintiff Bowsky. It GRANTS Defendants' motion to dismiss as to Plaintiffs' claim for breach of contract against Elekta based on third-party beneficiary standing, and as to the GIPA claim of Plaintiff Tracy. Defendants are ORDERED to Answer the surviving portions of Plaintiffs' Amended Complaint within 21 days of this Order.
SO ORDERED this 31st day of March, 2023.