Opinion
Civil Action 23-2263 (LLA)
09-18-2024
BYRON ANTHONY JOHNSON, Plaintiff, v. UNITED STATES DEPARTMENT OF HEALTH & HUMAN SERVICES CENTERS FOR MEDICARE & MEDICAID SERVICES, Defendant.
MEMORANDUM OPINION AND ORDER
LOREN L. ALIKHAN UNITED STATES DISTRICT JUDGE
Plaintiff Byron Anthony Johnson, an insurance broker, sues Defendant Centers for Medicare & Medicaid Services (“CMS”). ECF No. 1. Mr. Johnson alleges that CMS violated the Privacy Act, 5 U.S.C. § 552a, by disclosing inaccurate or incomplete information about his company's practices to insurance carriers and violated the Freedom of Information Act (“FOIA”), 5 U.S.C. § 552, by failing to respond to his request for information under that statute. ECF No. 1, at 1. CMS moves to dismiss Mr. Johnson's claims under the Privacy Act (Counts I and II), arguing that he has failed to state a claim under Federal Rule of Civil Procedure 12(b)(6). ECF No. 12, at 1. For the reasons explained below, the court will deny CMS's partial motion to dismiss.
I. Factual Background
For purposes of evaluating CMS's motion, the following allegations, which are taken from Mr. Johnson's complaint, ECF No. 1, are accepted as true. See Am. Nat'l Ins. Co. v. FDIC, 642 F.3d 1137, 1139 (D.C. Cir. 2011).
Mr. Johnson owns and operates an insurance agency, Obamacare Enrollment Center/Star Insurance LLC (“Star”). ECF No. 1 ¶ 6. Mr. Johnson, who self-identifies as an African American man, sought to address racial health disparities by “target[ing] and enroll[ing] African Americans and other historically underrepresented communities in healthcare insurance under the Affordable Care Act [‘ACA'].” Id. ¶¶ 15-17. Star contracted with insurance carriers Florida Blue and Oscar Health and with insurance referral service HealthSherpa (collectively, the “Insurance Companies”). Id. ¶¶ 18-19, 29-31.
In February 2021, during the COVID-19 pandemic, CMS oversaw a special enrollment period (“SEP”) to encourage individuals to sign up for insurance under the ACA. Id. ¶¶ 21, 26. During the SEP, insurance agencies received escalating bonuses based on the number of individuals they enrolled. Id. ¶ 21. Mr. Johnson and Star signed up more than 12,000 new members during the SEP and therefore qualified for bonus commissions of $200 per person. Id. ¶¶ 23-24.
CMS launched an investigation into Star's sign-up practices. Id. ¶¶ 33-34, 36-37, 40. Mr. Johnson alleges that “[t]his was not done to white, Caucasian owners of brokerages who produced equally or greater numbers of sign-ups.” Id. ¶ 41. CMS subsequently disclosed to Florida Blue “that CMS was investigating improprieties in the manner in which Plaintiff operated his agency, that Plaintiff did not have consent for the sign-ups he was doing and that Florida Blue should immediately terminate Plaintiff's contractual relationship.” Id. ¶ 59. Florida Blue “immediately terminated” its contract with Mr. Johnson. Id. ¶ 61. Per Mr. Johnson, this cost Star more than $2,000,000 in unpaid commissions. Id. ¶¶ 62-64.
On January 12, 2022, CMS employee Joshua Halsey sent the following email to HealthSherpa:
Hi HealthSherpa Team,
We chatted about Byron Johnson and his insurance agency, Star Insurance, in April or so of last year. After our discussion, we did confirm that Mr. Johnson was sharing his login credentials with several of his employees. I believe Mr. Johnson and his employees have corrected this behavior, however, I did want to update based on something I noticed this morning. Before I get into what I noticed though, note that one insurer has already banned this agency and has submitted recissions for a large number of policies submitted by this agency. A second issuer has also expressed concerns about this agency and has inquired about submitting recissions for potentially fraudulent policies. Furthermore, we have interviewed several consumers enrolled by this agency, and several consumers indicated they were enrolled without their consent. This said, I noticed this morning that it appears this agency may now be using HealthSherpa referral functionality for the vast majority of their enrollments. I looked at ¶ 2022 applications and policies submitted by a subset of three Star Insurance agents this morning and 90% of the submitted policies include either George or Morgan's name and NPN. 99% of the same policies have $0 Individual Responsibility Amount (IRA), which is well above the average rate of $0 IRA policies across the Marketplace. I intend to share what I am seeing with the policy names and NPNs with a couple state departments of insurance that I believe are looking into Star Insurance but thought you should know as well, given you[r] names and NPNs now appear to be tied to the activity of this agency.Id. ¶¶ 70-72. That same day, HealthSherpa terminated its contract with Star. Id. ¶ 78. When CMS asked HealthSherpa why it had terminated the contract, HealthSherpa's Chief Executive Officer replied:
The primary basis was this email thread [with CMS] that contained a lot of new information we did not have (issuers banning agency, recissions). We have not shared any of that information with anyone outside our organization. Prior to this communication we had a handful of consumer complaints we were investigating (<0.10% complaint rate), and had planned to meet with Mr. Johnson to discuss best practices around capturing and storing consumer content as we believed him to be a legitimate actor who was struggling to deal with the scale/volume of applications that his newly formed agency was submitting. The new information provided changed our view significantly.Id. ¶ 81. Per Mr. Johnson, HealthSherpa's decision to terminate its contract cost Star at least $400,000 in unpaid commissions “and hundreds of thousands if not millions more in future signup commissions and renewal commissions.” Id. ¶ 84.
Mr. Johnson further alleges that CMS “disclosed to Oscar Health that CMS was investigating improprieties in the manner by which Plaintiff operated [Star]” and that this disclosure “was done in similar fashion to the CMS disclosure to HealthSherpa.” Id. ¶¶ 94-95. Oscar Health initially suspended its contract with Star while it investigated “a number of suspected fraudulent Individual and Family Plan (IFP) enrollments,” noting that CMS had recently “approved the cancellation of such members' coverage.” Id. ¶ 97. On May 6, 2022, Oscar notified Star that it had concluded its investigation and decided to terminate its contract. Id. ¶ 98. Per Mr. Johnson, this cost Star $600,000 in unpaid commissions “and millions more in new business and renewal business.” Id. ¶ 100.
Mr. Johnson learned about CMS's disclosures to the Insurance Companies from “an anonymous CMS source.” Id. ¶ 86. The source told Mr. Johnson that “he had been put on a hit list of brokers that had been illegally flagged by CMS . . . based on his race and the large number of signups he had been making,” and that “Caucasian high-volume producers were not flagged for extra scrutiny and placed on the CMS hit list.” Id. ¶¶ 87-88. Mr. Johnson “[f]ollow[ed] information from the source . . . to obtain the January 12, 2022 email from CMS'[s] Josh Halsey to the HealthSherpa team.” Id. ¶ 89.
On January 19, 2022, Mr. Johnson made a FOIA request to CMS and the Department of Health and Human Services (“HHS”), which houses CMS. Id. ¶ 90. In it, he requested communications related to the above allegations. Id. ¶ 93. HHS acknowledged his request on January 21, 2022, but it did not provide the requested information. Id. ¶ 91, 103 (“To date, CMS has not released any records responsive to Plaintiff's request.”).
II. Procedural History
Mr. Johnson filed this suit in August 2023, alleging that CMS had violated the Privacy Act by disclosing information to the Insurance Companies and had violated FOIA by failing to respond to his January 19, 2022 request. See generally ECF No. 1. CMS moves to dismiss Mr. Johnson's Privacy Act claims (Counts I and II) for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). ECF No. 12, at 1. Mr. Johnson filed an opposition, ECF No. 13, and CMS filed a reply, ECF No. 15. The motion is now ripe for decision.
III. Legal Standard
Under Rule 12(b)(6), the court will dismiss a complaint that does not “contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. In evaluating a motion to dismiss under Rule 12(b)(6), the court will accept the factual allegations in the complaint as true and draw all reasonable inferences in the plaintiff's favor. Id. The court may consider only the facts alleged in the complaint and “any documents either attached to or incorporated in the complaint and matters of which [the court] may take judicial notice.” N. Am. Butterfly Ass'n v. Wolf, 977 F.3d 1244, 1249 (D.C. Cir. 2020) (quoting Hurd v. District of Columbia, 864 F.3d 671, 678 (D.C. Cir. 2017) (alteration in original)).
IV. Discussion
A. Audio Recording
Before turning to the merits, the court addresses a threshold question. Mr. Johnson attached an exhibit to his opposition: an audiotape of his conversation with the anonymous CMS source. ECF No. 13-2. CMS argues that Mr. Johnson may not “impermissibly . . . amend the complaint” in this way and urges the court to disregard the exhibit. ECF No. 15, at 2. Because the court finds that Mr. Johnson's complaint survives CMS's motion to dismiss even without considering the audiotape's contents, the court need not decide whether it would be proper to consider the exhibit.
B. Merits
The Privacy Act imposes “a comprehensive and detailed set of requirements for the management of confidential records held by Executive Branch agencies,” FAA v. Cooper, 566 U.S. 284, 287 (2012), and “provides for various sorts of civil relief to individuals aggrieved” by the government's failure to comply, Doe v. Chao, 540 U.S. 614, 618 (2004). Mr. Johnson seeks damages pursuant to Subsection 522a(g)(1)(D) of the Act, which provides relief when an agency “fails to comply with any other provision [of the Privacy Act] . . . in such a way as to have an adverse effect on an individual.” 5 U.S.C. § 552a(g)(1)(D). Mr. Johnson argues that CMS violated the Privacy Act by (1) disclosing records without his consent in violation of 5 U.S.C. § 552a(b), see ECF No. 1 ¶¶ 121-32; and (2) failing to “make reasonable efforts to assure that such records [were] accurate, complete, timely, and relevant for agency purposes,” in violation of 5 U.S.C. § 552a(e)(6), see ECF No. 1 ¶¶ 111-20.
CMS moves to dismiss on four grounds: (1) that Mr. Johnson has not adequately alleged that the records in question were maintained in and released from a “system of records,” as required by the Privacy Act, ECF No. 12, at 4-5; (2) that any disclosure falls under the statute's “routine use” exception, Id. at 6-9; (3) that Mr. Johnson has not sufficiently alleged that the disclosed records were inaccurate, Id. at 9-11; and (4) that Mr. Johnson has not alleged that any improper disclosure was “intentional or willful” such that he can recover damages, id. at 11-12. The court disagrees and will therefore deny CMS's partial motion to dismiss.
1. System of Records
Mr. Johnson's claims under Subsections 552a(b) and 552a(e)(6) share a threshold requirement: they apply only to records maintained within a “system of records.” See 5 U.S.C. § 552a(b); Id. § 552a(e). The Privacy Act defines a “system of records” as a “group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” Id. § 552a(a)(5). A “system of records exists only if the information contained within the body of material is both retrievable by personal identifier and actually retrieved by personal identifier.” Paige v. DEA, 665 F.3d 1355, 1359 (D.C. Cir. 2012) (quoting Maydak v. United States, 630 F.3d 166, 178 (D.C. Cir. 2010)).
CMS argues that Mr. Johnson has failed to plausibly allege a system of records because he merely “recites” the “formulaic legal conclusion that the records were contained within a system of records.” ECF No. 12, at 6; see id. at 4-6. It is true that, at various points in his complaint, Mr. Johnson simply asserts that the information in question “was contained within a system of CMS records.” ECF No. 1 ¶ 48; see id. ¶¶ 49, 53, 58, 74. That is a legal conclusion the court need not accept as true. See Iqbal, 556 U.S. at 678.
However, construing all inferences in Mr. Johnson's favor-as the court must at the motion-to-dismiss stage, see id.-the communications between CMS and the Insurance Companies themselves suggest that a “system of records” is in play. For example, Mr. Halsey's January 2022 email to HealthSherpa explains: “I looked at ¶ 2022 applications and policies submitted by a subset of three Star Insurance agents this morning and 90% of the submitted policies include either George or Morgan's name and NPN.” ECF No. 1 ¶ 72. The email also references information CMS collected by interviewing consumers. Id. After construing all reasonable inferences in Mr. Johnson's favor, the court finds it plausible that CMS stored and retrieved this information “by the name of [Mr. Johnson] or by some identifying number, symbol, or other identifying particular assigned to [him].” 5 U.S.C. § 552a(a)(5).
This conclusion is only bolstered by CMS's own filings. CMS notes elsewhere in its motion to dismiss that “[t]he CMS system of records that is closest to what [Mr. Johnson] has alleged in the Complaint is the CMS Fraud Investigation Database,” and that this database includes “the name, work address, work phone number, social security number, [and] Unique Provider Identification Number (UPIN) . . . of individuals alleged to have violated” health insurance statutes. ECF No. 12, at 6-7. “[W]here an agency compiles information about individuals for investigatory purposes, ‘Privacy Act concerns are at their zenith, and if there is evidence of even a few retrievals of information keyed to [personal identifiers], it may well be the case that the agency is maintaining a system of records.'” Maydak, 363 F.3d at 520 (alteration in original) (quoting Henke v. U.S. Dep't of Com., 83 F.3d 1453, 1461 (D.C. Cir. 1996)). With this in mind, the court concludes that-at this early stage of the litigation-Mr. Johnson has plausibly alleged a “system of records” within the meaning of the Privacy Act.
2. Subsection 552a(b) Claim: Routine Use Exception
CMS argues that Mr. Johnson's claim under Subsection 552a(b) fails because any disclosure by it qualifies as a “routine use” and is therefore permissible. ECF No. 12, at 6 (quoting 5 U.S.C. § 552a(b)(3)); see id. at 6-9. The Privacy Act defines “routine use” as “the use of [a] record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). Agencies must “publish in the Federal Register . . . each routine use of the records contained in the system, including the categories of users and the purpose of such use.” Id. § 552a(e)(4)(D). Here, CMS points to its Fraud Investigation Database as the “system of records that is closest to what [Mr. Johnson] has alleged.” ECF No. 12, at 6. The routine uses of that system include “allowing CMS to disclose to its contractors to ‘prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, and abuse in [its] programs.'” Id. at 8-9.
The parties' core disagreement here turns not on law, but on facts. CMS argues that it made the disclosures in question only “to convey information to insurance companies about potentially fraudulent policies obtained by [Mr. Johnson] or his agency”-a routine use. Id. at 8. Mr. Johnson claims that the disclosures were not made pursuant to a legitimate investigation, but rather “done maliciously, based on racial animus.” ECF No. 13, at 14. In support of that claim, he alleges that “an anonymous CMS source” informed him “that he had been put on a hit list of brokers that had been illegally flagged . . . based on his race and the large number of signups he had been making.” ECF No. 1 ¶¶ 86-87. The source also told Mr. Johnson “that Caucasian high-volume producers were not flagged for extra scrutiny and placed on the CMS hit list.” Id. ¶ 88. Accepting Mr. Johnson's version of events as true, see Iqbal, 556 U.S. at 678, it is plausible that CMS made its disclosures not for the purpose of combatting fraud (a permissible “routine use”), but rather for the purpose of discriminating against Mr. Johnson. Therefore, the court cannot conclude today that CMS's disclosures fall into the “routine use” exception.
3. Subsection 552a(e)(6) Claim: Factual Inaccuracy
Subsection 552a(e)(6) of the Privacy Act requires that agencies make “reasonable efforts to assure that . . . records are accurate, complete, timely, and relevant for agency purposes.” 5 U.S.C. § 552a(e)(6). “It is well-established that, ‘generally speaking, the Privacy Act allows for correction of facts but not correction of opinions or judgments.'” Mueller v. Winter, 485 F.3d 1191, 1197 (D.C. Cir. 2007) (quoting McCready v. Nicholson, 465 F.3d 1, 19 (D.C. Cir. 2006)). Only if “the information contained in an agency's files is capable of being verified” does the agency need to “take reasonable steps to maintain the accuracy of the information.” McCready, 465 F.3d at 19 (quoting Sellers v. Bureau of Prisons, 959 F.2d 307, 312 (D.C. Cir. 1992)).
CMS argues that Mr. Johnson cannot maintain a claim under Subsection 552a(e)(6) because he “has not identified any factual errors in the allegedly disclosed records.” ECF No. 12, at 10; see id. at 9-11. Mr. Johnson takes issue with CMS's decision to tell insurance companies that he was under investigation-but, as CMS points out, he does not allege that such statements were factually inaccurate. See id. at 10; see generally ECF No. 1. In fact, Mr. Johnson's entire complaint turns on the proposition that the agency was investigating him. See ECF No. 1 ¶¶ 34, 36-37.
Instead, Mr. Johnson's argument seems to be that CMS lied by omission: CMS told the Insurance Companies that it was investigating him but “did not reveal the fact that CMS had made a determination that [he] did not violate the ACA program rules and regulations.” ECF No. 13, at 18; see ECF No. 1 ¶¶ 45-46 (“CMS did not find violations sufficient enough to warrant termination from the ACA signup program .... In fact, [Mr. Johnson] and his agency ha[ve] still not been terminated from the ACA program.”). After drawing all reasonable inferences in Mr. Johnson's favor, the court construes this as an argument that CMS violated Subsection 552a(e)(6) by disclosing incomplete records. See 5 U.S.C. § 552a(e)(6) (requiring agencies to make “reasonable efforts to assure that . . . records are . . . complete”). Whether those records were in fact incomplete is a question for another day. At this stage, Mr. Johnson has done enough to allege a claim under Subsection 552a(e)(6).
4. Intentional or Willful Disclosure
Mr. Johnson seeks damages under the Privacy Act; he does not seek injunctive relief. ECF No. 1, at 29; see ECF No. 12, at 2. Damages are available under the Privacy Act only where “the court determines that the agency acted in a manner which was intentional or willful.” 5 U.S.C. § 552a(g)(4). “Under the Privacy Act, willfulness means more than ‘gross negligence.'” In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 63 (D.C. Cir. 2019) (quoting Maydak, 630 F.3d at 179). “Section 552a(g)(4) imposes liability only when the agency acts in violation of the Act . . . either by committing the act without grounds for believing it to be lawful, or by flagrantly disregarding others' rights under the Act.” Maydak, 630 F.3d at 180 (quoting Albright v. United States, 732 F.2d 181, 189 (D.C. Cir. 1984)).
Mr. Johnson's theory of the case is that CMS's disclosures were racially motivated. See ECF No. 1 ¶¶ 32-36, 40-41, 43, 55. He alleges a “discriminatory plot” in which “rogue” CMS employees launched a “pretextual investigation into Plaintiff's sign-up practices for the purpose of destroying Plaintiffs' [sic] business success.” Id. ¶¶ 36, 40, 55. Standing alone, such “naked assertions” would-as CMS argues, ECF No. 12, at 12; see id. at 11-12-be insufficient to survive a motion to dismiss, Iqbal, 556 U.S. at 678.
However, Mr. Johnson does more. He alleges that an anonymous CMS source contacted him and communicated that “he had been put on a hit list of brokers that had been illegally flagged by CMS . . . based on his race and the large number of signups he had been making” and that “Caucasian high-volume producers were not flagged for extra scrutiny and placed on the CMS hit list.” ECF No. 1 ¶¶ 86-88. Mr. Johnson “[f]ollow[ed] information from the source . . . to obtain the January 12, 2022 email from CMS' Josh Halsey to the HealthSherpa team”-the email that Mr. Johnson alleges to be an improper disclosure in violation of the Privacy Act. Id. ¶ 89. Taken together and assumed true, these allegations allow the court to reasonably infer that CMS employees intentionally targeted Mr. Johnson and made incomplete, misleading disclosures because of his race-“a violation ‘so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.'” Toolasprashad v. Bureau of Prisons, 286 F.3d 576, 584 (D.C. Cir. 2002) (quoting Deters v. U.S. Parole Comm'n, 85 F.3d 655, 660 (D.C. Cir. 1996)). Because Mr. Johnson has plausibly alleged that CMS intentionally and willfully disregarded his rights under the Privacy Act, his claim for damages withstands CMS's motion to dismiss.
V. Conclusion
For the foregoing reasons, Defendant's Partial Motion to Dismiss, ECF No. 12, is hereby DENIED. CMS shall file an answer to Mr. Johnson's complaint on or before October 2, 2024. Fed.R.Civ.P. 12(a)(4)(A).
SO ORDERED.