From Casetext: Smarter Legal Research

In re U.S. Vision Data Breach Litig.

United States District Court, D. New Jersey
Apr 30, 2024
1:22-cv-06558 (D.N.J. Apr. 30, 2024)

Opinion

1:22-cv-06558

04-30-2024

IN RE U.S. VISION DATA BREACH LITIGATION

APPEARANCES: Janine L. Pollack GEORGE FELDMAN MCDONALD, PLLC Vicki Maniatis MILBERG COLEMAN BRYSON PHILLIPS GROSSMAN, LLC Gamaliel B. Delgado MORGAN & MORGAN On behalf of Plaintiffs. Rebecca Lynne Rakoski XPAN LAW PARTNERS LLP On behalf of USV Defendants.


APPEARANCES:

Janine L. Pollack

GEORGE FELDMAN MCDONALD, PLLC

Vicki Maniatis

MILBERG COLEMAN BRYSON PHILLIPS GROSSMAN, LLC

Gamaliel B. Delgado

MORGAN & MORGAN

On behalf of Plaintiffs.

Rebecca Lynne Rakoski

XPAN LAW PARTNERS LLP

On behalf of USV Defendants.

OPINION

CHRISTINE P. O'HEARN, UNITED STATES DISTRICT JUDGE

This matter comes before the Court on Defendants U.S. Vision, Inc. and USV Optical, Inc.'s Motion to Dismiss (ECF No. 53) the Amended Class Action Complaint filed by Plaintiffs Ian Torres, Lacie Morgan, and Bonita Odell. (ECF No. 46). The Court did not hear oral argument pursuant to Local Rule 78.1. For the reasons that follow, Defendants' Motion is GRANTED in part and DENIED in part.

I. BACKGROUND

This class action arises from a data breach that occurred between April 20 and May 17, 2021. (Am. Compl., ECF No. 46 at ¶ 5). During that time, an unauthorized individual or group of individuals gained access to Defendant U.S. Vision, Inc.'s (“U.S. Vision”) network systems, which allowed them to access and acquire the personally identifying information (“PII”) and/or protected health information (“PHI”) of Plaintiffs and other Class members. (ECF No. 46 at ¶ 5).

U.S. Vision and its subsidiary USV Optical, Inc. (“USV”) (collectively, “USV Defendants”) are “retailer[s] of optical products and services” and provide eye exams, contact lens fittings, and other eye-related services. (ECF No. 46 at ¶¶ 50-51). Defendant Nationwide Optometry, P.C. (“Nationwide”) provides similar services. (ECF No. 46 at ¶ 52). USV Defendants “provided medical practice management and other administrative services for Nationwide.” (ECF No. 46 at ¶ 55). This required exchange of the PII and PHI of Nationwide's patients, which USV Defendants “then collected, stored, and maintained.” (ECF No. 46 at ¶ 55).

“Plaintiffs and Class members are, or were, patients of Defendants.” (ECF No. 46 at ¶ 56).

USV Defendants notified Nationwide of the data breach on May 12, 2021, and Nationwide posted a notice to its website alerting its customers that their PII and/or PHI “may have been viewed and/or taken by [an] unauthorized individual.” (ECF No. 46 at ¶¶ 66-67).

II. PROCEDURAL HISTORY

Plaintiff Ian Torres commenced this action on November 10, 2022, by filing a Class Action Complaint on his behalf and all others similarly situated against the USV Defendants. (ECF No. 1). On February 21, 2023, the Court granted a Motion to Consolidate Torres' case with those of Plaintiffs Lacie Morgan and Bonita Odell, (ECF No. 18), after which Plaintiffs filed a Consolidated Class Action Complaint against USV Defendants and Nationwide. (ECF No. 20). On July 31, 2023, Plaintiffs filed an Amended Consolidated Class Action Complaint against Defendants alleging Negligence (Counts I and II), Negligence Per Se (Counts III and IV), Breach of Fiduciary Duty (Counts V and VI), Breach of Implied Contract (Counts VII and VIII), Unjust Enrichment (Counts IX and X), and related state law claims (Counts XI-XV). (ECF No. 46 at ¶¶ 99-238).

Defendants filed Motions to Dismiss the Amended Complaint on September 8, 2023. (ECF Nos. 52-53). Plaintiffs filed Responses on October 2, 2023. (ECF Nos. 57-58). On November 8, 2023, the Court granted a Motion to Stay the proceedings as to Nationwide, (ECF No. 60), and administratively terminated Nationwide's Motion to Dismiss, (ECF No. 52), on November 14, 2023 upon notice that those parties resolved the claims as between them. (ECF No. 63). The USV Defendants replied to Plaintiffs' opposition on November 9, 2023. (ECF No. 61).

III. LEGAL STANDARD

To state a claim, a complaint needs only to provide a “short and plain statement of the claim showing that the pleader is entitled to relief.” FED. R. CIV. P. 8(a)(2). Although “short and plain,” this statement must “give the defendant fair notice of what the claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 545 (2007) (quotations, alterations, and citation omitted). “[A] plaintiff's obligation to provide the ‘grounds' of his ‘entitle[ment] to relief' requires more than labels and conclusions, and a formulaic recitation of a cause of action's elements will not do.” Id. (citations omitted). Rather, a complaint must contain sufficient factual allegations “to state a claim to relief that is plausible on its face.” Id. at 547.

When considering a motion to dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6), a court must accept the complaint's well-pleaded allegations as true and view them in the light most favorable to the plaintiff. Evancho v. Fisher, 423 F.3d 347, 350 (3d Cir. 2005). Through this lens, the court then conducts a three-step analysis. Malleus v. George, 641 F.3d 560, 563 (3d Cir. 2011). “First, the court must ‘tak[e] note of the elements a plaintiff must plead to state a claim.'” Id. (quoting Ashcroft v. Iqbal, 556 U.S. 662, 675 (2009)). Next, the court should identify and disregard those allegations that, because they are no more than conclusions, are not entitled to the assumption of truth. Id. Finally, the court must determine whether “the facts alleged in the complaint are sufficient to show that the plaintiff has a ‘plausible claim for relief.'” Fowler v. UPMC Shadyside, 578 F.3d 203, 211 (3d Cir. 2009) (quoting Iqbal, 556 U.S. at 679). A facially plausible claim “allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 210 (quoting Iqbal, 556 U.S. at 678).

On a Federal Rule of Civil Procedure 12(b)(6) motion, the “defendant bears the burden of showing that no claim has been presented.” Hedges v. United States, 404 F.3d 744, 750 (3d Cir. 2005). The court may only consider the facts alleged in the pleadings, any attached exhibits, and any matters of judicial notice. S. Cross Overseas Agencies, Inc. v. Kwong Shipping Grp. Ltd., 181 F.3d 410, 426 (3d Cir. 1999).

IV. DISCUSSION

A. Plaintiffs have failed to state claims for breach of fiduciary duty, breach of implied contract, and unjust enrichment.

Here, the Amended Complaint's failure to allege a relationship between Plaintiffs and the USV Defendants is fatal for many of Plaintiffs' claims. While the USV Defendants offer services to healthcare providers like Defendant Nationwide, Plaintiffs do not allege that they offer direct services to patients or grant patients any access to USV's network. Because the claims for breach of fiduciary duty, breach of implied contract, and unjust enrichment all require some basic relationship between the parties, these claims fail.

i. Breach of Fiduciary Duty

Plaintiffs allege that the USV Defendants breached their fiduciary duty by failing to 1) “properly protect the integrity of the system containing Plaintiffs' and Class members' PII/PHI,” 2) “comply with the data security guidelines set forth by HIPAA,” and 3) “safeguard Plaintiffs' and Class members' PII/PHI that they collected.” (ECF No. 46 at ¶ 147). Defendants assert that, because no relationship between them and Plaintiffs exists, Defendants were owed no duty from Plaintiffs and there can be no claim for breach a of fiduciary duty. (Def. Br., ECF No. 53-1 at 15).

To establish a claim for breach of fiduciary duty, a plaintiff must allege “1) the existence of a fiduciary duty or relationship between the parties; 2) breach of that duty; and 3) resulting damages.” Read v. Profeta, 397 F.Supp.3d 597, 633 (D.N.J. 2019) (internal quotations and citation omitted); see also Gen. Motors LLC v. Ashton, No. 20-12659, 2021 WL 2549498, at *9 (D.N.J. June 22, 2021) (explaining Plaintiff must plead that “(1) the defendant had a duty to the plaintiff, (2) the duty was breached, (3) injury to plaintiff occurred as a result of the breach, and (4) the defendant caused that injury.”). “A fiduciary relationship arises . . . when one . . . is under a duty to act for or give advice for the benefit of another on matters within the scope of their relationship.” McKelvey v. Pierce, 800 A.2d 840, 859 (N.J. 2002) (internal citation omitted).

Plaintiffs allege that they “allowed [the USV Defendants] to store their PII/PHI with the understanding it would be held in confidence, in the course of a medical relationship.” (ECF No. 46 at ¶ 144.) However, a conclusory statement that a “medical relationship” exists is not, standing alone, enough to establish a fiduciary duty between the parties. As acknowledged by Plaintiffs, USV Defendants “provided medical practice management and other administrative services for Nationwide,” not for Plaintiffs. (ECF No. 46 at ¶ 55). And it was Nationwide-not Plaintiffs- that “provided [the USV Defendants] with the PII/PHI of Nationwide's patients and customers.” (ECF No. 46 at ¶ 55). While there may be a relationship between Nationwide and USV Defendants, as well as between Nationwide and Plaintiffs, the requisite relationship between Plaintiffs and the USV Defendants has not been adequately pled. Plaintiffs plead no facts that establish any direct relationship between them and the USV Defendants. Therefore, “[t]he Court refuses to impute fiduciary obligations” on USV Defendants. Robinson v. Maintech Inc., No. 23-4458, 2024 WL 1598416, at *3 (D.N.J. Apr. 12, 2024); see id. (finding no breach of fiduciary duty in a data breach case where no relationship between the parties existed); see also In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1226 (S.D. Fla. 2022) (finding no fiduciary duty in a data breach case when plaintiffs failed to “plead facts to establish any direct relationship, let alone a fiduciary one,” and explaining that “the mere receipt of confidential information is insufficient by itself to transform an arm's-length transaction into a fiduciary relationship.”); In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1145-46 (C.D. Cal. 2021) (same); Stephens v. Availity, L.L.C., No. 19-236, 2019 WL 13041330, at *6 (M.D. Fla. Oct. 1, 2019) (explaining in a data breach case that, “because there was no relationship between the parties, . . . there was no fiduciary relationship.”). As such, the USV Defendants' Motion to Dismiss Count V for failure to state a claim is granted.

ii. Breach of Implied Contract

Plaintiffs allege they entered into implied contracts with the USV Defendants by “allow[ing] them to access and store their PII/PHI.” (ECF No. 46 at ¶¶ 158-59). According to Plaintiffs, “[t]he protection of PII/PHI was a material term of the implied contracts” which they allege were entered into by virtue of Plaintiffs paying Nationwide for eyecare services. (ECF No. 46 at ¶¶ 160, 162). Plaintiffs allege that the USV Defendants breached these implied contracts by “failing to implement and maintain reasonable security measures to protect and secure their PII/PHI, and in failing to implement and maintain security protocols and procedures to protect . . . PII/PHI.” (ECF No. 46 at ¶ 163). The USV Defendants respond that Plaintiffs' inability to specifically plead any facts which establish an express or implied relationship between the parties is fatal to the claim. (ECF No. 53-1 at 9). According to the USV Defendants, Plaintiffs have “fail[ed] to make out even the basic elements necessary to establish any contract.” (ECF No. 53-1 at 10) (emphasis in original).

The prima facie elements of claim for breach of an implied-in-fact contract, as well as the are the same as for express contracts. To prove the existence of an implied contract, Plaintiffs must demonstrate “mutual assent, consideration, legality of object, and capacity of the parties.” Duffy v. Charles Schwab & Co., Inc., 123 F.Supp.2d 802, 818 (D.N.J. 2000). The difference, however, between an implied and an express contract is that proof of an implied contract is “inferred from the conduct of the parties” rather than any verbal or written expression. See Fittipaldi v. Monmouth Univ., No. 20-5526, 2021 WL 2210740, at *4 (D.N.J. June 1, 2021) (quotations and citation omitted).

Here, the parties seem to acknowledge that no express contract existed between them. Therefore, the Court must look to their conduct to determine if an implied contract was created. For the same reasons that Plaintiffs' breach of fiduciary duty claim must be dismissed, so too must their breach of implied contract claim. Put simply, no relationship-express, implied, or otherwise-exists between the parties.

Unlike the cases on which Plaintiffs rely where the parties had a direct relationship such as business and customer, employee and employer, patient and hospital, or patron and restaurant- here Plaintiffs have failed to plead any facts from which the Court could find any direct relationship with the USV Defendants. As described by Plaintiffs, the USV Defendants “collected, stored, and maintained the PII/PHI of Nationwide's patients and customers.” (ECF No. 46 at ¶ 55) (emphasis added). Plaintiffs even concede that it was Nationwide “that contracted with [the USV Defendants],” and that the USV Defendants received Plaintiffs' PII/PHI “through their eyecare providers,” i.e., Nationwide, after Plaintiffs “paid for eyecare services.” (ECF No. 46 at ¶¶ 161-62).

In re Rutter's Inc. Data Sec. Breach Litig., 511 F.Supp.3d 514 (M.D. Pa. 2021); Longenecker-Wells v. Benecard Servs. Inc., 658 Fed.Appx. 659 (3d Cir. 2016); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447 (D. Md. 2020); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 19-2284, 2020 WL 2214152 (S.D. Cal. May 7, 2020); Rudolph v. Hudson's Bay Co., No. 18-8472, 2019 WL 2023713 (S.D.N.Y. May 7, 2019).

Enslin v. The Coca-Cola Co., 136 F.Supp.3d 654 (E.D. Pa. 2015); Longenecker-Wells, 658 Fed.Appx. 659; Sackin v. TransPerfect Glob., Inc., 278 F.Supp.3d 739 (S.D.N.Y. 2017); Mackey v. Belden, Inc., No. 21-0149, 2021 WL 3363174 (E.D. Mo. Aug. 3, 2021); Castillo v. Seagate Tech., LLC, No. 16-1958, 2016 WL 9280242 (N.D. Cal. Sept. 14, 2016); Perry v. Bay & Bay Transp. Servs., Inc., 650 F.Supp.3d 743 (D. Minn. 2023).

Doe v. Fertility Ctrs. of Ill., S.C., No. 21-579, 2022 WL 972295 (N.D. Ill. Mar. 31, 2022).

In re Arby's Rest. Grp. Inc. Litig., No. 17-1035, 2018 WL 2128441 (N.D.Ga. Mar. 5, 2018).

Because there are not facts pled that establish any conduct that occurred between the USV Defendants and Plaintiffs, “there is no relationship between the parties . . . that would allow the Court to imply a contract.” Stephens, 2019 WL 13041330, at *6. And Plaintiffs' Amended Complaint is devoid of any facts that would support the basic elements of an implied contract: “mutual assent, consideration, legality of object, and capacity of the parties.” Duffy, 123 F.Supp. at 818. Though the Court must assume that Plaintiffs' factual allegations are true, it is under “no obligation to consider conclusory or nonexistent allegations.” Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 51 (D. Ariz. 2021); see also id. at 51-52 (dismissing a breach of implied contract claim in a data breach case because the plaintiffs' conclusory claims “fail[ed] to allege specific terms of the implied contracts” including “when and to what extent did the contract apply”); In re Mednax, 603 F.Supp.3d at 1221-22 (dismissing a breach of implied contract claim in a data breach case when plaintiffs “only . . . provided their personal information as required to receive healthcare services,” which was deemed to be “not contractual in nature” and therefore the lacked “the mutual assent and meeting of the minds required to form an implied contract”). There are simply no facts pled that would support a breach of implied contract claim against the USV Defendants. Thus, the USV Defendants' Motion to Dismiss Count VII for failure to state a claim must be granted.

iii. Unjust Enrichment

Plaintiffs allege an unjust enrichment claim in the alternative to their breach of implied contract claim. (ECF No. 46 at ¶ 177). Plaintiffs argue that they “conferred a monetary benefit upon [the USV Defendants] in the form of monies paid for eyecare services.” (ECF No. 46 at ¶ 180). The USV Defendants respond that any eyecare services Plaintiffs received were provided by Nationwide, and therefore any allegations of unjust enrichment cannot be directed at the USV Defendants. (ECF No 53-1 at 13). The Court agrees.

To establish a claim for unjust enrichment, a plaintiff must show both that “defendant received a benefit and that retention of that benefit without payment would be unjust.” VRG Corp. v. GKN Realty Corp., 641 A.2d 519, 526 (N.J. 1994); see also Red Hawk Fire & Sec., LLC v. Siemens Indus. Inc., 449 F.Supp.3d 449, 464 (D.N.J. 2020) (“The doctrine of unjust enrichment rests on the equitable principle that a person shall not be allowed to enrich himself at the expense of another.”) (internal quotations and citation omitted). “Retention is unjust when the plaintiff expects payment for the service or the defendant retains a benefit at the expense of the plaintiff.” Maersk Line v. TJM Int'l Ltd. Liab. Co., 427 F.Supp.3d 528, 535 (D.N.J. 2019). Additionally, “a claim for unjust enrichment requires a direct relationship between the parties.” Hammer v. Vital Pharms., Inc., No. 11-4124, 2012 WL 1018842, at *10 (D.N.J. Mar. 26, 2012); see also Bedi v. BMW of N. Am., LLC, No. 15-1898, 2016 WL 324950, at *5 (D.N.J. Jan. 27, 2016).

As explained at length supra, Plaintiffs fail to plead any facts to establish a direct relationship between Plaintiffs and the USV Defendants, and therefore the claim for unjust enrichment cannot survive. See Robinson, 2024 WL 1598416, at *3 (dismissing an unjust enrichment claim in a data breach case when “no facts in the Complaint allege a direct relationship between Plaintiff and Defendants.”); see also Hughes v. Panasonic Consumer Elecs. Co., No. 10846, 2011 WL 2976839, at *27 (D.N.J. July 21, 2011) (when plaintiffs bought a product from a third party and not the defendant, dismissing a claim for unjust enrichment because plaintiffs did “not allege[] a direct relationship with [the defendant].”); Bedi, 2016 WL 324950, at *5-6 (same). For this reason, Defendants' Motion to Dismiss Count IX for failure to state a claim must be granted.

B. Consumer Fraud Act Claims

i. Arizona

The USV Defendants argue Plaintiffs fail to state a claim under Arizona's Consumer Fraud Act (“ACFA”) because (1) Plaintiffs were not customers of the USV Defendants, (2) the USV Defendants did not make any representations or omissions to Plaintiffs, and (3) Plaintiffs do not allege that they relied on any of the USV Defendants' representations when they provided data to Nationwide. (Def. Br., ECF No. 53-1 at 15-16). The Court agrees and will grant Defendants' Motion to Dismiss Count XI.

“Under the ACFA, it is unlawful for any person to use or employ ‘any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise.'” James Erickson Fam. P'ship LLLP v. Transamerica Life Ins. Co., No. 18-4566, 2019 WL 1755858, at *4 (D. Ariz. Apr. 19, 2019) (quoting A.R.S. § 44-1522(A)). To state a claim, Plaintiffs must show “(1) a false promise or misrepresentation made in connection with the sale or advertisement of ‘merchandise,' and (2) consequent and proximate injury resulting from the misrepresentation.” Id. (quoting Watts v. Medicis Pharm. Corp., 365 P.3d 944, 953 (Ariz. 2016)).

However, “[c]laims arising under the ACFA pertain to fraud and are thus subject to the pleading requirements of Rule 9(b) of the Federal Rules of Civil Procedure.” In re Banner Health Data Breach Litig., No. 16-2696, 2017 WL 6763548, at *6 (D. Ariz. Dec. 20, 2017). “Averments of fraud must be accompanied by the who, what, when, where, and how of the misconduct charged, and a plaintiff must set forth what is false or misleading about a statement, and why it is false.” Id. (internal quotation marks and citations omitted). Yet, “[a] plaintiff in a fraud-by-omission suit faces a slightly more relaxed burden, due to the fraud-by-omission plaintiff's inherent inability to specify the time, place, and specific content of an omission in quite as precise a manner.” Id. (quoting Schellenbach v. GoDaddy.com LLC, No. 16-0746, 2017 WL 192920, at *2 (D. Ariz. Jan. 18, 2017)).

In their Complaint, Plaintiffs allege that the USV Defendants (1) “made uniform representations to Plaintiffs . . . including on their website, that their PII/PHI will remain private;” (2) made “deceptive omissions . . . by failing to inform Plaintiffs . . . that [USV Defendants] would not adequately secure Plaintiffs' . . . PII/PHI;” and (3) “engaged in unfair acts and practices . . . by failing to implement and maintain reasonable security measures.” (ECF No. 46 at ¶¶ 199-201). While Plaintiffs allege generally that they were “patients of Defendants” without specifically identifying to which defendant they are referring to, (ECF No. 46 at ¶ 56), they further allege that they “obtained eyecare services from Nationwide.” (ECF No. 46 at ¶¶ 10, 22). At best, it is unclear whether Plaintiffs were patients of the USV Defendants. Thus, even applying the lower standard for fraud-by-omission, Plaintiffs' claims fail as they do not adequately plead that they relied on any of the USV Defendants' alleged misrepresentations, omissions, and unfair practices as patients of Nationwide and/or patients of the USV Defendants when providing their PII/PHI to Nationwide. Without alleging, with some specificity, that they relied on the USV Defendants' misrepresentations or omissions before providing their PII/PHI to Nationwide, there is no factual or causal link between these alleged misrepresentations, omissions, and unfair practices with the sale of the eyecare services and products. See e.g., Quinalty v. FocusIT LLC, No. 23-0207, 2024 WL 342454, at *6 (D. Ariz. Jan. 30, 2024) (dismissing ACFA claim because “Plaintiffs . . . fail to allege any facts indicating they were aware of Defendant's contracts, website, privacy policy, or advertising at the time they provided their PII to Defendant's clients.”).

And when applying the heightened standard for fraud, this case suffers from the same failures as found in Griffey, 562 F.Supp.3d 34 and Charlie v. Rehoboth McKinley Christian Health Care Servs., 598 F.Supp.3d 1145 (D.N.M. 2022). In Grifrey, the District Court dismissed the plaintiffs' ACFA claim in a data breach case after determining the plaintiffs “fail[ed] to adequately articulate the ‘how' of the data breach” and held that “the argument that a system was inadequate because a negative result occurred is conclusory.” 562 F.Supp.3d at 54. And in Charlie, the District Court held that general allegations of a promise to keep customers' PHI private, such as those alleged by Plaintiffs here, (Am. Compl., ECF No. 46 at ¶¶ 199-200), simply do not “support a conclusion that Defendants'] false or misleading statements were fraudulent, rather than simply negligent, knowing, or reckless,” nor allege “specific actions Defendants did or did not take to protect their private information that were so obviously expected and necessary that Defendants'] choice to do, or not do, certain things amounted to fraud.” 598 F.Supp.3d at 1163. Plaintiffs' Amended Complaint here, too, suffers from these same failures. As such, Plaintiffs fail to sufficiently plead a claim under the ACFA and Defendants' Motion to Dismiss Count XI must be granted.

ii. Oklahoma

The USV Defendants argue that the Oklahoma Consumer Protection Act's (“OCPA”) safe harbor provision compels dismissal of Count XIII and that, nevertheless, Plaintiffs' failure to allege they were USV Defendants' customers is fatal to such claim. (ECF No. 53-1 at 17). Plaintiffs maintain the OCPA's safe harbor provision does not apply because they are not alleging a violation of any federal regulation. (Pla. Br., ECF No. 58 at 12-13).

The OCPA protects consumers from certain business practices declared to be unlawful. Okla. Stat. tit. 15, § 751 et seq. But it includes a safe harbor provision exempting from its application “[a]ctions or transactions regulated under laws administered by” a “regulatory body or officer acting under statutory authority of this state or the United States.” Id. at § 754(2). Recently, a District Court considered whether the safe harbor provision preempted an OCPA claim based on similar alleged misrepresentations in a data breach case. See In re Mednax, 603 F.Supp.3d at 1216. The District Court concluded that it did. Id. at 1216-17. There, the plaintiffs alleged the defendant had failed to safeguard their PHI. Id. The court determined that when an OCPA claim falls within the scope of a federal law and there is an administrative recourse for remedies, it is preempted. Id. As for the plaintiffs' claim that the defendant failed to safeguard its personal information, the court concluded that this claim fell squarely within the scope of HIPAA and that there existed an administrative remedy for a HIPAA violation. Id. As such, the court deemed the plaintiffs' OCPA claim preempted. Id.

Here, Plaintiffs' claim, too, falls squarely within the scope of HIPAA, which as the Mednax court noted provides for an administrative remedy. As such, Plaintiffs' claim under the OCPA is preempted. That Plaintiffs did not specifically allege a violation of HIPAA in Count XIII does not alter the fact that their claim is governed by federal statute and as such, is preempted. To the extent that Plaintiffs' OCPA claim alleges more than a HIPAA violation, Plaintiffs' claim is devoid of sufficient facts to establish a connection between the alleged misrepresentation, omissions, and unfair practices and purchasing eyecare services and products from the USV Defendants in the Arizona subclass. For these reasons, Defendants' Motion to Dismiss Count XIII for failure to state a claim must be granted.

iii. New Jersey

The USV Defendants argue that Plaintiffs fail to state a claim under the NJCFA because they fail to allege that (1) they are consumers of the USV Defendants' products and services and (2) the USV Defendants' affirmative misrepresentations were causally related to the data breach. (ECF No. 53-1 at 18-19). The Court agrees.

To state a cause of action under the NJCFA, a plaintiff must show “1) unlawful conduct by defendant; 2) an ascertainable loss by plaintiff; and 3) a causal relationship between the unlawful conduct and the ascertainable loss.” Bosland v. Warnock Dodge, Inc., 964 A.2d 741, 749 (N.J. 2009) (citing Int'l Union of Operating Eng'rs Loc. No. 68 Welfare Fund v. Merck & Co., Inc., 929 A.2d 1076, 1086 (N.J. 2007)). The NJCFA requires the “unlawful conduct to be (1) ‘in connection' with the sale or advertisement of a product or service, and (2) ‘misleading and . . . outside the norm of reasonable business practice in that it will victimize the average consumer.'” In re Am. Fin. Res., Inc. Data Breach Litig., No. 22-1757, 2023 WL 3963804, at *10 (D.N.J. Mar. 29, 2023) (internal citation omitted) (quoting Katz v. Ambit Ne. LLC, No. 20-1289, 2021 WL 2680184, at *8 (D.N.J. June 29, 2021)). “Unlawful practices fall into three general categories: affirmative acts, knowing omissions, and regulation violations.” Penn, LLC v. Freestyle Software Inc., No. 226760, 2023 WL 5994642, at *8 (D.N.J. Sept. 15, 2023) (quoting Frederico v. Home Depot, 507 F.3d 188, 202 (3d Cir. 2007)).

To bring a claim under the NJCFA a plaintiff must also comply with the heightened pleading standard in Federal Rule of Civil Procedure 9(b). Frederico, 507 F.3d at 200. Under the Rule, “the pleadings must state what the misrepresentation was, what was purchased, when the conduct complained of occurred, by whom the misrepresentation was made, and how the conduct led plaintiff to sustain an ascertainable loss.” Francis E. Parker Mem'l Home, Inc. v. Georgia-Pac. LLC, 945 F.Supp.2d 543, 558 (D.N.J. 2013) (citation and quotations omitted). Plaintiffs have not met this heightened standard.

In their Amended Complaint, Plaintiffs allege that the USV Defendants (1) “made uniform representations to Plaintiffs . . . that their PII/PHI will remain private;” (2) made “deceptive omissions . . . by failing to inform Plaintiffs . . . that they would not adequately secure Plaintiffs' . . . PII/PHI;” and (3) “engaged in unfair acts and practices . . . by failing to implement and maintain reasonable security measures.” (ECF No. 46 at ¶¶ 234-35).

As to affirmative misrepresentations, a plaintiff asserting a NJCFA claim must plead at minimum “the what, where, and when of [the USV] Defendants'] alleged misrepresentations.” Torres-Hernandez v. CVT Prepaid Sols., Inc., No. 08-1057, 2008 WL 5381227, at *6 (D.N.J. Dec. 17, 2008). “To adequately plead an omission, a plaintiff must further allege that the defendant (1) knowingly concealed (2) a material fact (3) with the intention that the consumer rely upon the concealment.” In re Am. Fin. Res., 2023 WL 3963 804, at *10 (internal quotation marks and citation omitted). Like their claims under the Arizona statute, Plaintiffs fail to sufficiently plead a claim under New Jersey law because they fail to allege that they relied on any of the USV Defendants' alleged misrepresentations, omissions, and unfair practices as patients of Nationwide and/or the USV Defendants.

Rather, Plaintiffs merely allege generally that they were “patients of Defendants” without specifying the USV Defendants, (ECF No. 46 at ¶ 56), while at the same time alleging, they “obtained eyecare services from Nationwide.” (ECF No. 46 at ¶¶ 10, 22). It is, thus, unclear at best what the relationship was between Plaintiffs and the USV Defendants. Without more factual specificity in the Amended Complaint as to the USV Defendants' misrepresentations or omissions and Plaintiffs' reliance on those misrepresentations before providing their PII/PHI to Nationwide, there is simply no factual or causal connection between these alleged misrepresentations, omissions, and unfair practices with the sale of eyecare services and products. Thus, Plaintiffs have not met their pleading burden under Rule 9(b) and Defendants' Motion to Dismiss their NJCFA claims must be granted.

C. Defendants have failed to properly brief negligence and negligence per se.

Finally, the USV Defendants move to dismiss Plaintiffs' negligence and negligence per se claims. (Def. Br., ECF No. 53-1 at 19, 21). However, both parties maintain that a choice-of-law analysis as to these claims is premature at this stage and request the Court refrain from making such determination. (ECF No. 53-1 at 1; Pla. Br., ECF No. 58 at 3-4). Yet, without applying the common law of a particular state, the Court cannot assess the merits of Plaintiffs' negligence and negligence per se claims.

Compounding the issue are the opinions issued in In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. 19-2904, 2021 WL 5937742, at *14 (D.N.J. Dec. 16, 2021) (recognizing that “[o]nce Defendants collected Plaintiffs' information, they had a duty to protect Plaintiffs from foreseeable harm by taking reasonable precautions to safeguard that information.”), Quinalty, 2024 WL 342454, at *3-4 (concluding in a data breach with similar facts that plaintiffs failed to plead facts sufficient to establish duty and breach in their negligence claim), and Stephens, 2019 WL 13041330, at *5 (permitting a negligence claim to continue in a motion to dismiss after determining Florida's “undertaker's doctrine and exceptions to the general rule regarding third-party misconduct both indicate that [the defendant] owed a duty to [the plaintiff] to safeguard her PII.”), among others, which, after applying state law, have reached different conclusions as to whether such a duty exists. Here, neither of the parties sufficiently brief the issue as to what law applies to these common law claims. Nor do either of the parties articulate what, if any, discovery is needed to make the determination as to what state law applies to these claims. As such, the Court cannot decide whether Plaintiffs' Amended Complaint is sufficient in this regard. The Court therefore denies the USV Defendants' Motion to Dismiss as to Plaintiffs' negligence and negligence per se claims. The Court will hold a conference at which time the parties shall be prepared to address whether discovery is needed to determine which state law applies and, if so, the necessary scope of such discovery. Defendants' Motion to Dismiss these claims is therefore denied without prejudice at this time. See In re AMCA, 2021 WL 5937742, at *17 (denying defendant's motion to dismiss after concluding “it is premature to assess the merits of Plaintiffs' negligence per se claims before determining the applicable state law.”).

CONCLUSION

For the foregoing reasons, Defendants' Motion to Dismiss (ECF No. 53) is GRANTED in part and DENIED in part. Plaintiffs are granted leave to file an Amended Complaint within thirty (30) days if, in good faith, they can allege further facts to sufficiently state a claim. An appropriate Order accompanies this Opinion.


Summaries of

In re U.S. Vision Data Breach Litig.

United States District Court, D. New Jersey
Apr 30, 2024
1:22-cv-06558 (D.N.J. Apr. 30, 2024)
Case details for

In re U.S. Vision Data Breach Litig.

Case Details

Full title:IN RE U.S. VISION DATA BREACH LITIGATION

Court:United States District Court, D. New Jersey

Date published: Apr 30, 2024

Citations

1:22-cv-06558 (D.N.J. Apr. 30, 2024)

Citing Cases

Dou v. TD Bank N.A.

” Duffy v. Charles Schwab & Co., Inc., 123 F.Supp.2d 802, 818 (D.N.J. 2000); see also In re U.S. Vision Data…

Marina Grp. v. Shirley May International U.S. Inc.

The “prima facie elements of [sic] claim for breach of an implied-in-fact contract . . . are the same as for…