Opinion
23 CV 1108
01-17-2024
TRACY WITTMEYER and AUDREY APPIAKORANG, Plaintiffs v. HEARTLAND ALLIANCE FOR HUMAN NEEDS & RIGHTS, et al., Defendants
MEMORANDUM OPINION AND ORDER
JEREMY C. DANIEL, JUDGE
Plaintiffs Tracy Wittmeyer and Audrey Appiakorang, on behalf of themselves and all others similarly situated, bring suit against Heartland Alliance for Human Needs & Rights and its four sister entities (collectively, “Heartland”), alleging various claims that stem from a 2022 data breach. (R. 27, hereinafter “FAC”). Heartland moves to dismiss the plaintiffs' first amended complaint (“FAC”) under Federal Rule of Civil Procedure 12(b)(6). (R. 29.) For the reasons discussed below, Heartland's motion is granted in part and denied in part.
The plaintiffs identify Heartland Alliance for Human Needs & Human Rights, Heartland Alliance Health, Heartland Alliance International, LLC, Heartland Housing, Inc., and Heartland Human Care Services as defendants to this action. (FAC ¶¶ 24-28.)
BACKGROUND
Heartland is a non-profit, anti-poverty organization that provides healthcare and other services to more than 500,000 individuals annually throughout the Midwest. (FAC ¶¶ 3, 24-28, 32.) As a condition of receiving its services, Heartland collects personally identifiable information (“PII”) from its clients, including names, Social Security numbers, dates of birth, driver's license numbers, and financial account numbers. (Id. ¶ 33.) For those receiving health-related services, Heartland maintains records of individuals' personal health information (“PHI”), including medical diagnoses, medication, dental scans, and patient notes. (Id. ¶¶ 33, 41-42.)
In January 2022, Heartland experienced a “disruption to its digital environment” during which unauthorized users obtained access to PII and PHI of Heartlands' clients, employees, and independent contractors. (Id. ¶¶ 6, 41-42.) Plaintiffs Tracy Wittmeyer and Audrey Appiakorang were both clients of Heartland at the time of the data breach and each received notice in December 2022 that their PII and PHI was compromised. (Id. ¶¶ 40, 42, 96.) They claim that the data breach was caused by Heartland's failure to properly secure and safeguard PII and PHI. (Id. ¶¶ 44, 49, 62-63.)
Following the data breach, Appiakorang noticed unauthorized activity on her credit report, specifically that someone had obtained car insurance in her name. (Id. ¶ 101.) The plaintiffs allege other damages as a result of the breach, including increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with the breach, loss of value in their PII and PHI, and emotional harms like anxiety and stress. (Id. ¶¶ 97-100, 104-109.) These injuries, according to the plaintiffs, were further compounded by Heartland's failure to provide prompt notice that their data had been compromised. (Id. ¶¶ 42, 64, 110.)
Wittmeyer and Appiakorang now bring suit against Heartland on behalf of themselves and two putative classes-a nationwide class defined as “[a]ll individuals in the United States who were impacted by the Data Breach, including all who were sent a notice of the Data Breach,” and an Illinois subclass defined as “[a]ll residents of Illinois who were impacted by the Data Breach, including all who were sent a notice of the Data Breach.” (Id. at ¶¶ 116-17.) The FAC asserts claims for negligence (Count I), negligence per se (Count II), breach of contract (Count III), breach of implied contract (Count IV), and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 ILCS 505/1, et seq. (Count V). (Id. at 31-45.) The plaintiffs also seek a declaratory judgment in their favor and prospective injunctive relief (Count VI). (Id. at 45-48.) Heartland moves to dismiss the FAC in its entirety under Rule 12(b)(6). (R. 29.)
LEGAL STANDARD
A motion to dismiss tests the sufficiency of a claim, not the merits of a case. Gociman v. Loyola Univ. of Chi., 41 F.4th 873, 885 (7th Cir. 2022). To survive a motion to dismiss under Rule 12(b)(6), a claim “must provide enough factual information to state a claim to relief that is plausible on its face and raise a right to relief above the speculative level.” Haywood v. Massage Envy Franchising, LLC, 887 F.3d 329, 333 (7th Cir. 2018) (quoting Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 736 (7th Cir. 2014)). In deciding a Rule 12(b)(6) motion, the Court accepts as true all well-pleaded factual allegations and draws all reasonable inferences in the plaintiff's favor. Lax v. Mayorkas, 20 F.4th 1178, 1181 (7th Cir. 2021). Dismissal is proper where “the allegations in a complaint, however true, could not raise a claim of entitlement to relief.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 558 (2007).
ANALYSIS
I. Negligence and Negligence PER SE Claims
Heartland first argues that the FAC fails to state claims for negligence (Count I) and negligence per se (Count II) because the plaintiffs cannot plausibly show that Heartland owed them a duty to safeguard their personal information, nor have they alleged actionable damages as a result of the data breach. (R. 30 at 3-4.)
A. Negligence
The Court begins with the plaintiffs' negligence claim. To state a claim for negligence in Illinois, a plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) that the defendant breached that duty, and (3) that the breach was the proximate cause of the plaintiff's injuries. Flores v. Aon Corp., - N.E.3d -, 2023 IL App (1st) 230140, ¶ 23 (citing Cowper v. Nyberg, 28 N.E.3d 768, 772 (Ill. 2015)). The first element-duty of care-may be derived from statute or common law. Zissu v. IHS Prop. Ill., L.P., 157 F.Supp.3d 797, 800 (N.D. Ill. 2016) (citing Barnett v. Zion Park Dist., 665 N.E.2d 808, 812 (Ill. 1996)). Whether a duty exists is a question of law that may be resolved on a motion to dismiss. Id.
“Though duty is a basic concept in tort law, the Illinois Supreme Court has not directly spoken to this question in the context of data breaches.” Cmty. Bank of Treton v. Schnuck Mkts. Inc., 887 F.3d 803, 816 (7th Cir. 2018). In Cooney v. Chicago Public Schools, the Illinois Appellate Court rejected the theory that either the Health and Insurance Portability and Accountability Act (“HIPAA”) or the Illinois Personal Information Protection Act (“PIPA”) imposed any duty to safeguard personal information. 943 N.E.2d 23, 28 (Ill.App.Ct. 2010). Instead, the Illinois Appellate Court explained that the only duty owed, pursuant to PIPA, is the duty to provide notice of a security breach. Id. The Cooney court further declined to recognize a common law duty to safeguard personal information, explaining “we do not believe that the creation of a new legal duty beyond legislative requirements already in place” (i.e., notice) “is part of our role on appellate review.” Id. at 29. In Community Bank of Trenton v. Schnuck Markets, Inc., the Seventh Circuit addressed, among other issues, whether a retail merchant owed a common law duty to safeguard banking information of the plaintiff banks' customers. 887 at 816. In so doing, the Seventh Circuit looked to Cooney and predicted that the Illinois Supreme Court would agree that there exists no common law data security duty under Illinois law. Id.
Heartland asks this Court to follow Schnuck and Cooney and find that there exists no common law duty in Illinois to protect personal information. (R. 30 at 5.) But PIPA has been amended since Cooney was decided, and the statute now requires data collectors to “implement and maintain reasonable security measures to protect” records from “unauthorized access, acquisition, destruction, use, modification, or disclosure.” In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 590 (N.D. Ill. 2022) (citing 815 ILCS 530/45(a)). Indeed, the Illinois Appellate Court recently explained that, given this amendment to PIPA, “the reasoning of the Cooney court no longer applies.” Flores, 2023 IL App (1st) 230140, ¶ 23. And in addressing anew whether there exists a duty of care to protect personal information, the Illinois Appellate Court held that such a duty exists under both PIPA and the common law. Id. at ¶ 24. The Court therefore declines to find, as a matter of law, that Heartland owed no duty to the plaintiffs to safeguard their personal information.
Heartland next argues that the plaintiffs' negligence claim must be dismissed under Illinois' economic loss doctrine. (R. 30 at 9-11.) The economic loss doctrine, also known as the Moorman doctrine, bars tort recovery for purely economic losses based on the failure to perform contractual obligations. Catalan v. GMAC Mortg. Corp., 629 F.3d 676, 692-93 (7th Cir. 2011) (citing Moorman v. Mfg Co. v. Nat'l Tank Co., 435 N.E.2d 443, 448-49 (Ill. 1982)). Economic loss is defined as “damages for inadequate value, costs of repair and replacement of the defective product, or consequent loss of profits-without any claim of personal injury or damage to other property.” Ctr. PC v. Auctus Grp., No. 22 C 959, 2023 WL 5854398, at *3 (N.D. Ill. Sept. 10, 2023) (citing Moorman, 435 N.E.2d at 449). The theory behind the economic loss doctrine is that “parties to a contract may allocate their risks by agreement and do not need the special protections of tort law to recover damages caused by a breach of contract.” Flores, 2023 IL App (1st) 230140, ¶ 56 (citing Mars, Inc. v. Heritage Builders of Effingham, Inc., 763 N.E.2d 428, 434 (Ill. 2002)).
In the context of the service industry, however, the Illinois Supreme Court has held that the economic loss doctrine applies only where the duty of the party performing the service is defined by contract executed with the client. Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994). “Where a duty arises outside of the contract, the economic loss doctrine does not prohibit recovery in tort for the negligent breach of that duty.” Id. The Illinois Appellate Court has applied this principle in the context of data breaches to limit application of the economic loss doctrine where there is no express contract defining the defendant's obligation to safeguard the plaintiff's data. Flores, 2023 IL App (1st) 230140, ¶ 56 (“Although the Congregation of the Passion decision concerned a professional malpractice claim against an accounting firm, its reasoning equally applies to data breach cases.”).
As discussed below, the plaintiffs do not allege an express contract between the parties that would establish a duty by Heartland to safeguard the plaintiffs' personal information. See infra p. 9-11. The economic loss doctrine therefore does not preclude the plaintiffs from asserting their negligence claim. See Flores, 2023 IL App (1st) 230140, ¶ 57. Heartland's motion to dismiss Count I is therefore denied.
B. Negligence Per Se
The Court next turns to the plaintiffs' negligence per se claim. The plaintiffs allege that Heartland's violations of HIPAA, 42 U.S.C. §§ 1301, et seq., and the Fair Trade Commission Act (“FTCA”), 15 U.S.C. § 45, constitute negligence per se. (FAC ¶¶ 48, 69, 153-54, 156-59, 161.) Heartland argues that neither HIPAA nor the FTCA creates a private right of action and, thus, “do[es] not support a duty in negligence.” (R. 30 at 8.)
Ordinarily, the duty of care owed by a defendant is defined by common law. Cuyler v. Illinois, 362 F.3d 949, 952 (7th Cir. 2004). But where a statute or ordinance is designed to protect human life or property, Illinois law provides that the statute establishes the standard of care required of a reasonable person and thus “fix[es] the measure of legal duty.” Price ex rel. Massey v. Hickory Point Bank & Tr., Tr. No. 0192, 841 N.E.2d 1084, 1089 (Ill.App.Ct. 2006). Once a violation of such a statute is shown, there is no question of duty; rather, the focus turns to whether: (1) the plaintiff is a member of the class of persons protected by the statute, (2) the plaintiff's injury is the type the statute intended to protect against, and (3) the defendant's violation of the statute proximately caused the injury. Kalata v. Anheuser-Busch Cos., Inc., 581 N.E.2d 656, 434 (Ill. 1991). Illinois law provides, however, that the violation of a statute “is not negligence per se, which refers to strict liability. . ., but rather only prima facie evidence of negligence.” Abbasi ex rel. Abbasi v. Paraskevoulakos, 718 N.E.2d 181, 186 (Ill. 1999); see also Cuyler, 362 F.3d at 952. A violation of a statute constitutes negligence per se only when it is clear that the legislature intended for the act to impose strict liability. Abbasi, 718 N.E.2d at 186.
Here, the plaintiffs allege that they fall into the class of persons that the FTCA is intended to protect and that Heartland's failure to comply with the FTCA and its corresponding obligations under HIPAA proximately caused their injuries. (FAC ¶¶ 154-55, 159, 162-63.) The plaintiffs, however, do not allege that either the FTCA or HIPAA imposes strict liability; nor does the Court have any authority before it that would a support a finding of strict liability. Though the plaintiffs' allegations that Heartland violated certain statutes may constitute prima facie evidence of negligence, they do not, as currently pleaded, state a claim for negligence per se. See e.g., Flores, 2023 IL App (1st) 230140, ¶ 28.
Heartland's motion to dismiss Count II is therefore granted. But, as mentioned, this decision does not prevent the plaintiffs from raising alleged statutory violations as grounds for their common law negligence claim.
II. Breach of Express and Implied Contract Claims
Heartland next moves to dismiss the plaintiffs' claims for breach of an express or implied contract (Counts III and IV).
A. Express Contract
Starting with the plaintiffs' express contract claim, the elements of a breach of contract cause of action under Illinois law are “(1) offer and acceptance, (2) consideration, (3) definite and certain terms, (4) performance by the plaintiff of all required conditions, (5) breach, and (6) damages.” Ass'n Ben. Servs., Inc. v. Caremark RX, Inc., 493 F.3d 841, 849 (7th Cir. 2007) (citing MC Baldwin Fin. Co. v. DiMaggio, Rosario & Veraja, LLC, 845 N.E.2d 22, 30 (Ill.App.Ct. 2006)). Illinois law provides that the question of the existence of a contract is a matter of law for determination by the Court. Id. at 849-50.
The plaintiffs allege that they entered into a contract with Heartland for the provision of its services pursuant to which Heartland promised to secure, safeguard, and not disclose their PII and PHI. (FAC ¶ 168.) According to the plaintiffs, the rights and obligations of Heartland and its clients were memorialized in Heartland's privacy policy and its HIPAA notice of privacy practices. (Id. ¶¶ 35-36, 169.) These documents promised that Heartland would “only share personal information in specific situations, such as to comply with the law or with third-party providers [like] credit card payment processors,” and that, pursuant to HIPAA, Heartland promised to maintain the privacy and security of PHI, to promptly notify clients of a breach that may have compromised the privacy or security of PHI, and to not use or share PHI without a client's written permission. (Id. ¶¶ 35-36.)
Heartland first argues that the plaintiffs' express contract claim must be dismissed because the allegations concerning its privacy policy and its HIPAA notice of privacy practices do not establish the existence of an enforceable contract between the parties. (R. 30 at 11-13.) In particular, Heartland contends that there are no factual allegations demonstrating offer, acceptance, and definite terms. (Id.)
The Court agrees with Heartland. “No contract exists under Illinois law, and, indeed, under principles of general law, if the agreement lacks definite and certain terms; nor is a contract formed by an offer that itself lacks definite and certain material terms and does not require such terms to be supplied by an acceptance.” Ass'n Ben. Servs., Inc., 493 F.3d at 849-50 (citations omitted).
In this case, the plaintiffs' allegations regarding Heartland's privacy notices are insufficient to show that an express contract was formed between the parties regarding the security measures that would be employed to protect PII and PHI. The FAC, for example, is devoid of any allegations that the plaintiffs were required to read or agree to either of the privacy documents in order to receive services from Heartland. Nor are there allegations that the privacy notices were incorporated into any existing contract with Heartland as to the provision of its services. Compare Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2016 WL 754731, at *4-5 (N.D. Ill. Feb. 23, 2016) (finding defendant's privacy pledge constituted an enforceable contract because it was incorporated into the parties' insurance policy).
Instead, the plaintiffs' allegations show only that Heartland's privacy policy and HIPAA notice of privacy practices were available online and that the plaintiffs understood these webpages to include promises by Heartland to safeguard their data. (FAC ¶¶ 9, 35-36, 169.) But neither of the privacy policies lay out-with any sort of specificity-the terms by which Heartland agreed to be bound with respect to the security measures that it would employ to maintain and safeguard PII and PHI. See Assn. Ben. Servs., Inc., 493 F.3d at 850 (“The definite and certain terms requirement serves several important purposes, chief among them to ensure that the parties in fact have reached an agreement and to provide courts with a basis for enforcing the obligations that the parties sought to impose upon one another.”); see also Lozada v. Advoc. Health & Hosps. Corp., 2018 IL App (1st) 180320-U, ¶¶ 18, 23 (holding privacy policy did not amount to an express contract for data security where it spoke only of the use and disclosure of patient data and did not make representations regarding defendant's maintenance and storage of that data).
The FAC, thus, fails to plausibly allege that Heartland's privacy notices formed an express contract between the parties as to data security. Because the plaintiffs have failed to allege the existence of an express contract, the Court need not address Heartland's other arguments supporting dismissal of Count III. Heartland's motion to dismiss Count III is granted.
B. Implied Contract
As an alternative to their express breach of contract claim, the plaintiffs assert a claim for breach of an implied contract (Count IV). In Illinois, the elements of a breach of an implied contract claim track those of a breach of an express contract claim. Gociman, 41 F.4th at 883. Unlike an express contract, however, the terms of an implied contract are inferred from the conduct of the parties. Id. An implied contract is “one in which a contractual duty is imposed by a promissory expression which may be inferred from the facts and circumstances and the expressions [on] the part of the promisor which show an intention to be bound.” Id. (internal quotation marks and citations omitted).
Here, the plaintiffs allege that Heartland's collection of the plaintiffs' PII and PHI in exchange for its services created an implied contract under which Heartland agreed to securely maintain and store the private information that it collected. (FAC ¶¶ 179, 181, 184.) Heartland moves to dismiss on grounds that such allegations are insufficient to support the formation of an implied contract. (R. 30 at 12-13.)
The FAC plausibly alleges the existence of an implied contract between the plaintiffs and Heartland. It can be inferred from the plaintiffs' relationship to Heartland (as clients) and the requirement that the plaintiffs provide sensitive information to Heartland as a condition of receiving its services that Heartland, in turn, would keep this information private and protect it from unauthorized disclosures. Such allegations have been found sufficient to plausibly show the existence of an implied contract in the data breach context. See, e.g., Doe v. Fertility Ctrs. of Ill., S.C., No. 21 C 579, 2022 WL 972295, at *4 (N.D. Ill. Mar. 31, 2022); Flores, 2023 IL App (1st) 230140, ¶¶ 33-34; Lozada, 2018 IL App (1st) 180320-U, ¶ 27.
Nevertheless, Heartland argues that even if an implied contract exists, the FAC does not contain any allegations that the plaintiffs suffered actionable contract damages. (R. 30 at 13.) To state a breach of contract claim under Illinois law, a plaintiff must allege actual monetary damages, that is “an actual loss or measurable damages resulting from the breach.” Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 832 (Ill. 2005).
Here, the FAC is devoid of any allegations that either of the named plaintiffs suffered any monetary damages cognizable under state law as a result of the data breach. See e.g., Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 830 (7th Cir. 2018) (“Money out of pocket is a standard understanding of actual damages in contract law . . .”). Indeed, only Appiakorang alleges a specific injury in that, following the breach, her credit report showed that someone had opened up an account in her name for car insurance. (FAC ¶ 101.) Citing In re Arthur J. Gallagher Data Breach Litigation, the plaintiffs contend that the time that Appiakorang had to expend to address this unauthorized activity is sufficient to plausibly show an economic injury for the purpose of their implied contract claim. (R. 35 at 12.) (citing In re Arthur J. Gallagher, 631 F.Supp.3d at 587); see also (FAC ¶ 104.) But a recent Illinois Appellate Court decision explained that the lost-time damages theory is a product of federal law, not state law. Flores, 2013 IL App (1st) 230140, ¶ 35 (“While plaintiffs argue that lost time responding to a data breach meets the standard of actual monetary damages, they rely on federal law rather than Illinois case law.”); id. at ¶ 43 (“Plaintiffs also cite to Perdue v. Hy-Vee, Inc., [455 F.Supp.3d 749, 761 (C.D. Ill. 2020)], in which the court held that a plaintiff's time spent monitoring his account due to the data breach was an economic injury; however, this holding was based on federal law and we decline to follow it.”).
The plaintiffs' lost benefit-of-the-bargain allegations, which they clarify in their response brief relate to the market value of their PII and PHI, are similarly insufficient. (R. 35 at 12.) Illinois has “decline[d] to hold that the alleged diminution in value of plaintiffs' personal information amounts to actual monetary damages.” Flores, 2013 IL App (1st) 230140, ¶ 35.
In the absence of allegations of actual monetary damages, the plaintiffs have failed to plausibly state a breach of implied contract claim under Illinois law. Heartland's motion to dismiss Count IV is therefore granted.
III. Violation of the ICFA
Heartland next moves to dismiss the plaintiffs' ICFA claim (Count V). To state an ICFA claim, a plaintiff must plead: (1) a deceptive act or practice by the defendant, (2) the defendant's intent that the plaintiff rely on the deception, (3) the occurrence of the deception in a course of conduct involving trade or commerce, and (4) actual damage to the plaintiff that is (5) a result of the deception. Skyrise Constr. Grp., LLC v. Annex Constr., LLC, 956 F.3d 950, 960 (7th Cir. 2020) (citing De Bouse v. Bayer, 922 N.E.2d 309, 313 (Ill. 2009)). A violation of PIPA is an unlawful practice under the ICFA. In re Michaels Stores Pin Pad Litig., 830 F.Supp.2d 518, 527 (N.D. Ill. 2011).
Heartland moves to dismiss the ICFA claim on grounds that: (1) the plaintiffs do not qualify as “consumers” under the act; (2) the plaintiffs have not sufficiently pleaded proximate cause; and (3) the plaintiffs have not sufficiently pleaded actual damages. (R. 30 at 13-15.) The Court does not address Heartland's first two arguments because it finds, for the same reasons discussed above, that the plaintiffs' damages allegations are not sufficient to plausibly state a claim under the ICFA.
The element of “actual damages” under the ICFA requires that the plaintiff suffer “actual pecuniary loss.” Camasta, 761 F.3d at 739. If the plaintiff suffered an economic loss, then noneconomic injuries are compensable. Dieffenbach, 887 F.3d at 830. As explained above, the FAC does not contain any allegations that either of the two named plaintiffs suffered any “real and measurable” losses. The FAC does not allege, for example, that either plaintiff purchased credit-monitoring services, incurred fraudulent charges, or experienced any difficulty using their credit cards or making purchases following the fraudulent activity. See, e.g., id. at 830 (“A monthly $17 out of pocket is a form of ‘actual damage.' It is real and measurable.”); see Flores, 2023 IL App (1st) 230140, ¶ 43 (collecting cases involving “actual economic losses”).
Instead, the plaintiffs maintain that their allegations regarding the time spent dealing with the fallout of the data breach and the emotional harms they suffered as a result are sufficient to plausibly plead economic loss. (R. 35 at 14.) But Illinois has not recognized such injuries as actual monetary damages for purposes of an ICFA claim. See Flores, 2023 IL App (1st) 230140, ¶ 43 (explaining emotional distress due to loss of privacy, lost time spent dealing with the consequences of the data breach, increased spam messages, and imminent risk of fraud and identity theft are not specific economic damages that fall within the purview of the ICFA). Heartland's motion to dismiss Count V is therefore granted.
IV. Declaratory Judgment and Injunction
Finally, Heartland moves to dismiss Count VI wherein the plaintiffs request a declaratory judgment and injunction that addresses Heartland's obligations with respect to safeguarding the personal information that it collects. (FAC ¶¶ 220-21.)
An injunction and a declaratory judgment are forms of relief; they are not cognizable claims to be pleaded as an independent cause of action. Costa v. Ramaiah, No. 21 C 5165, 2023 WL 5581261, at *28 (N.D. Ill. Aug. 29, 2023). Heartland's motion to dismiss Count VI is therefore granted. See id. (dismissing counts for injunctive and declaratory relief on grounds that they are remedies, not claims). The Court's dismissal of Count VI does not constitute a decision on the merits as to whether the plaintiffs may be entitled to either form of relief. See e.g., Garrard v. Rust-Oleum Corp., 575 F.Supp.3d 995, 1004 (N.D. Ill. 2021) (explaining plaintiff may still seek declaratory relief despite dismissal of his standalone claim for declaratory judgment).
CONCLUSION
Heartland's motion to dismiss, (R. 29.), is granted in part and denied in part. The Court grants Heartland's motion as to Counts II, III, IV, V, and VI. These claims are dismissed without prejudice. Heartland shall answer the first amended complaint by February 7, 2024.