Opinion
Civil Action No. 9:21-3016-BHH
2022-09-26
Constance Cooper, Hach Rose Schirripa and Cheverie LLP, New York, NY, for Plaintiffs. Christopher A. Wiech, Pro Hac Vice, John P. Hutchins, Baker and Hostetler LLP, Atlanta, GA, for Defendant.
ORDER
Bruce H. Hendricks, United States District Judge
This matter is before the Court upon Defendant St. Joseph/Candler Health System, Inc.'s ("Defendant" or "SJ/C") motion to dismiss the first amended complaint filed by Plaintiff Heather Erica Betz ("Plaintiff" or "Betz") on behalf of herself and all others similarly situated. In its motion, Defendant seeks dismissal pursuant to Rules 12(b)(1), (2), (3), and (6) of the Federal Rules of Civil Procedure. The issues have been fully briefed, and the Court finds no hearing necessary at this time. For the reasons set forth below, the Court grants in part Defendant's motion and dismisses this action for lack of subject matter jurisdiction.
BACKGROUND
I. Procedural History
Plaintiff initially filed her complaint against Defendant in the Southern District of Georgia on September 14, 2021, but she voluntarily dismissed that action on September 17, 2021, and filed her complaint in this Court the same day. See Betz v. St. Joseph's/Candler Health Sys., Inc., No. 4:21-cv-260-WTM-CLR (S.D. Ga.). (See also ECF No. 13-4.) Defendant responded to Plaintiff's complaint with a motion to dismiss or, alternatively, to stay or transfer Plaintiff's complaint on October 13, 2021. (ECF No. 8.) In lieu of responding to Defendant's motion, Plaintiff filed an amended complaint on November 12, 2021. (ECF No. 16.) Defendant then filed the instant motion to dismiss, to which Plaintiff filed a response, and Defendant filed a reply.
II. The Amended Complaint
In Plaintiff's first amended class action complaint, she seeks damages, restitution, and injunctive relief on behalf of herself and others similarly situated as a result of a security breach of Defendant's network ("data breach"). Specifically, Plaintiff alleges:
On or about December 18, 2020, unauthorized individuals hacked SJ/C's information technology ("IT") network and accessed the private and confidential medical information of approximately 1,400,000 individuals (the "Data Breach"), including names, addresses, Social Security numbers, dates of birth, driver's license numbers, billing account information, financial information, health insurance information, employment information, provider names, and medical and clinical treatment information (collectively, "Personally Identifiable Information" or "PPI" and "Personal Health Information" or "PHI"). (ECF No. 16 ¶ 2.) According to Plaintiff, for six months after the data breach, cyber criminals were able to move freely and undetected through the hospital system's network, and Defendant did not identify suspicious activity until June 17, 2021. (Id. ¶ 3.) Plaintiff contends that on June 17, 2021, the hackers held Defendant's network hostage and demanded payment to release their hold on the system. (Id. ¶¶ 4-5.) Plaintiff further asserts that the hospital's network slowly came back online on July 2, 2021. (Id. ¶ 6.) According to Plaintiff's amended complaint, Defendant was on notice that cyber criminals were planning this kind of attack on hospitals, and Plaintiff asserts that Defendant nevertheless failed to implement the most basic security protocols. (Id. ¶¶ 7-10.)
Plaintiff, a former sheriff's deputy in Jasper County, South Carolina, alleges that she regularly visited her primary care physician and cardiologist in Bluffton, South Carolina, who were both members of Defendant's medical system. (Id. ¶¶ 36-38.) Plaintiff asserts that she provided PII and PHI to Defendant in Bluffton as a condition of receiving treatment, and she asserts that her information was stored by Defendant in locations outside the state of South Carolina. (Id. ¶ 40.) Plaintiff further asserts that she attempted to obtain her medical records on two occasions between June 17, 2021, and August 31, 2021, but was unable to do so and was told by SJ/C staff "on one occasion, that 'the fax is down,' and on another that 'the computers are being worked on.' " (Id. ¶ 43.) Plaintiff contends that her medical providers had no access to her list of prescribed medications when she visited during the weeks following June 17, 2021, and she claims that "[b]y the time [she] learned of the Data Breach, her Social Security Disability application had been denied for failure to timely provide medical records." (Id. ¶¶ 44, 46.)
According to Plaintiff's amended complaint, Defendant undertakes a duty to protect the PII and PHI that it collects from patients as a condition of treatment, and Plaintiff asserts that Defendant maintains a patient Privacy Policy that outlines certain privacy rights of patients. (See id. ¶¶ 5-63.) Plaintiff alleges that Defendant knew that patients' PII and PHI was at risk and that such information has established value to cyber criminals, but that Defendant failed to act to protect the information. (See generally id. ¶¶ 64-117.)
Plaintiff purports to bring this action on behalf of a class of "[a]ll SJ/C patients whose PHI/PII was compromised during the SJ/C Data Breach beginning on or about December 18, 2020, through the present and to whom notice of the Data Breach was sent," and she alleges a sub-class of "[a]ll persons whose medical records were inaccessible as a result of the SJ/C Data Breach for any period beginning on June 17, 2021, through the present, either by said persons or their medical providers." (Id. ¶¶ 119-120.) In her amended complaint, Plaintiff asserts the following claims: (1) negligence; (2) gross negligence; (3) breach of express or implied contract; (4) breach of fiduciary duty; (5) breach of bailment duty of care; and (6) unjust enrichment. (Id. ¶¶ 129-185.)
As previously mentioned, the matter is currently before the Court upon Defendant's motion to dismiss Plaintiff's amended complaint filed pursuant to Rules 12(b)(1), (2), (3), and (6) of the Federal Rules of Civil Procedure. More specifically, in its motion, Defendant asserts: (1) the Court lacks personal jurisdiction over Defendant, which is a health system headquartered in Savannah, Georgia, because none of the allegedly actionable conduct was directed at South Carolina, nor did any of the events at issue occur in South Carolina; (2) venue is only proper in the Southern District of Georgia, where Defendant resides and where all of the alleged events and conduct occurred; (3) the Court lacks subject matter jurisdiction because Plaintiff fails to plead that she has suffered a concrete and traceable injury; and (4) Plaintiff's complaint fails to plead any plausible claims for relief.
DISCUSSION
I. Personal Jurisdiction
A. Federal Rule of Civil Procedure 12(b)(2)
When a non-resident defendant challenges a court's power to exercise personal jurisdiction over it by filing a motion pursuant to Rule 12(b)(2) of the Federal Rules of Civil Procedure, "the jurisdictional question thus raised is one for the judge, with the burden on the plaintiff ultimately to prove the existence of a ground for jurisdiction by a preponderance of the evidence." In re Celotex Corp., 124 F.3d 619, 628 (4th Cir. 1997) (quoting Combs v. Bakker, 886 F.2d 673, 676 (4th Cir. 1989)) (internal quotation marks omitted); see also Grayson v. Anderson, 816 F.3d 262, 267 (4th Cir. 2016) ("[A] defendant must affirmatively raise a personal jurisdiction challenge, but the plaintiff bears the burden of demonstrating personal jurisdiction at every stage following such a challenge.").
When the court resolves a Rule 12(b)(2) motion on written submissions (as opposed to an evidentiary hearing), the plaintiff need only make a "prima facie showing of a sufficient jurisdictional basis." Combs, 886 F.2d at 676. However, the plaintiff's showing must be based on specific facts set forth in the record. Magic Toyota, Inc. v. S.E. Toyota Distribs., Inc., 784 F. Supp. 306, 310 (D.S.C. 1992). The Court may consider the parties' pleadings, affidavits, and other supporting documents but must construe them "in the light most favorable to plaintiff, drawing all inferences and resolving all factual disputes in his favor, and assuming plaintiff's credibility." Sonoco Prods. Co. v. ACE INA Ins., 877 F. Supp. 2d 398, 404-05 (D.S.C. 2012) (internal quotation and alteration marks omitted); see also Carefirst of Md., Inc. v. Carefirst Pregnancy Ctrs., Inc., 334 F.3d 390, 396 (4th Cir. 2003) ("In deciding whether the plaintiff has made the requisite showing, the court must take all disputed facts and reasonable inferences in favor of the plaintiff"). However, a court "need not credit conclusory allegations or draw farfetched inferences." Sonoco, 877 F. Supp. 2d at 405 (internal quotation marks omitted). Whenever a defendant's sworn affidavit contests the allegations in the complaint, the plaintiff can no longer rest on those allegations. Callum v. CVS Health Corp., 137 F. Supp. 3d 817, 835 (D.S.C. 2015). Instead, the plaintiff bears the burden to present an affidavit or other evidence showing jurisdiction exists over the non-resident defendant. Id.
B. Analysis
A federal court may exercise personal jurisdiction over a defendant in the manner provided by state law. Fed. R. Civ. P. 4(k)(1)(A); ESAB Grp., Inc. v. Centricut, Inc., 126 F.3d 617, 623 (4th Cir. 1997). "Thus, for a district court to assert personal jurisdiction over a nonresident defendant, two conditions must be satisfied: (1) the exercise of jurisdiction must be authorized under the state's long-arm statute; and (2) the exercise of jurisdiction must comport with the due process requirements of the Fourteenth Amendment." Christian Sci. Bd. of Dirs. of the First Church of Christ v. Nolan, 259 F.3d 209, 215 (4th Cir. 2001). "South Carolina's long-arm statute has been interpreted to reach the outer bounds permitted by the Due Process Clause." ESAB Grp., 126 F.3d at 623. Therefore, the appropriate question for a court considering a personal jurisdiction defense raised by an out-of-state defendant is whether that defendant has "minimum contacts with [South Carolina] such that the maintenance of the suit does not offend 'traditional notions of fair play and substantial justice.' " Id. (quoting Int'l Shoe Co. v. Washington, 326 U.S. 310, 316, 66 S.Ct. 154, 90 L.Ed. 95 (1945) (stating that the exercise of jurisdiction over a nonresident defendant comports with due process if the defendant has "minimum contacts" with the forum state, such that requiring the defendant to defend its interests in that state "does not offend traditional notions of fair play and substantial justice.")); see Callum v. CVS Health Corp., 137 F. Supp. 3d 817, 834 (D.S.C. 2015) ("Because the South Carolina long-arm statute is coextensive with the Due Process Clause, the sole question on a motion to dismiss for lack of personal jurisdiction is whether the exercise of personal jurisdiction would violate due process.") (citing Tuttle Dozer Works, Inc. v. Gyro-Trac (USA), Inc., 463 F. Supp. 2d 544, 547 (D.S.C. 2006); and Cockrell v. Hillerich & Bradsby Co., 363 S.C. 485, 611 S.E.2d 505, 508 (2005)).
South Carolina's long arm statute provides as follows:
A court may exercise personal jurisdiction over a person who acts directly or by an agent as to a cause of action arising from the person's: (1) transacting any business in this State; (2) contracting to supply services or things in the State; (3) commission of a tortious act in whole or in part in this State; (4) causing tortious injury or death in this State by an act or omission outside this State if he regularly does or solicits business, or engages in any other persistent course of conduct, or derives substantial revenue from goods used or consumed or services rendered in this State; (5) having an interest in, using, or possessing real property in this State; (6) contracting to insure any person, property, or risk located within this State at the time of contracting; (7) entry into a contract to be performed in whole or in part by either party in this State; or (8) production, manufacture, or distribution of goods with the reasonable expectation that those goods are to be used or consumed in this State and are so used or consumed. S.C. Code Ann. § 36-2-803(A) (2005).
Personal jurisdiction may arise generally or specifically based on the conduct alleged in the suit. CFA Inst. v. Inst. of Chartered Fin. Analysts of India, 551 F.3d 285, 292 n. 15 (4th Cir. 2009); ALS Scan, Inc. v. Digital Serv. Consultants, Inc., 293 F.3d 707, 711 (4th Cir. 2002). Under general jurisdiction, a defendant's contacts or activities in the forum state are not the basis for the suit, but the defendant may be sued in this court "for any reason, regardless of where the relevant conduct occurred," because the defendant's activities in South Carolina are "continuous and systematic." CFA Inst., 551 F.3d at 292 n.15. These activities must be "so substantial and of such a nature as to justify suit against [a defendant] on causes of action arising from dealings entirely distinct from those activities." Int'l Shoe Co., 326 U.S. at 318, 66 S.Ct. 154. Here, Plaintiff does not allege general jurisdiction over Defendant pursuant to S.C. Code Ann. § 36-2-802; rather, Plaintiff alleges specific jurisdiction pursuant to Rule 4(k)(1) and S.C. Code Ann. § 36-2-803(1). (ECF No. 16 at 48.)
Under specific jurisdiction, a defendant may be sued in this Court if the litigation results from alleged injuries that arose out of or is related to the defendant's contacts with South Carolina, and those contacts were sufficient. See, e.g., Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 U.S. 408, 414, 104 S.Ct. 1868, 80 L.Ed.2d 404 (1984). To determine whether specific jurisdiction exists, courts employ a "minimum contacts" analysis that examines "(1) the extent to which the defendant 'purposefully avail[ed]' itself of the privilege of conducting activities in the State; (2) whether the plaintiffs' claims arise out of those activities directed at the State; and (3) whether the exercise of personal jurisdiction would be constitutionally 'reasonable.' " ALS Scan, Inc., 293 F.3d at 712.
In its motion, Defendant asserts that the Court lacks specific personal jurisdiction over it because all of Defendant's conduct that gives rise to Plaintiff's claims occurred in Georgia, where Defendant is headquartered and where it maintains its IT network and all patient medical records. Defendant asserts:
All of Plaintiff's claims against SJ/C are built on the premise that SJ/C's allegedly bad cybersecurity failed to prevent the ransomware attack which resulted in compromised patient data. At the outset, this is problematic for Plaintiff because none of SJ/C's in-state conduct gave rise to her claims. [ ] SJ/C's IT network servers, on which patient files are stored, are located in SJ/C's headquarters in Savannah, Georgia. All of SJ/C's efforts to protect those servers (and files) from cyberattacks occurred in Savannah, Georgia. And Savannah, Georgia is where the ransomware attack ultimately occurred and was felt, including efforts by SJ/C to thwart the attack and later investigate it. (ECF No. 22-1 at 2.)
In support of its motion, Defendant has submitted the declaration of Mary Parks, the Director of Health Information Management ("HIM") at SJ/C, who indicates, inter alia, that SJ/C's medical records offices are located in Georgia; "SJ/C does not have any records offices located in South Carolina"; and "[a]ll record requests from the Bluffton campus are processed in Georgia." (ECF No. 22-2 at 3.) Defendant also has submitted the declaration of John Takats, a Network Administrator II in Information Services at SJ/C, who indicates, inter alia: "SJ/C's information technology ("IT") network servers are entirely located and maintained in Georgia at 5401 Paulsen Street, Savannah, Georgia 31405. SJ/C's files, including patient files, are stored on SJ/C's IT network servers in Savannah, Georgia." (ECF No. 22-3 at 3.) With respect to the allegations that Plaintiff added in her amended complaint, namely, her assertion that the data breach caused her to receive reduced quality of medical services and to be deprived of the benefit of her medical records, thereby resulting in the denial of her request for disability benefits, Defendant argues that even if these allegations could be tied to the data breach, the appropriate question is not where Plaintiff may have experienced injury but whether Defendant's suit-related conduct adequately connects it to the forum. In other words, Defendant argues that all of Plaintiff's alleged injuries flow from the lack of access to her medical records, and Defendant notes that Plaintiff does not refute that Defendant maintained and processed all patient medical records in Georgia, not South Carolina. (See ECF No. 22-1 at 12.)
In response to Defendant's motion, Plaintiff asserts that Defendant more than satisfies the minimum contacts analysis to support specific personal jurisdiction. Plaintiff states:
Defendant maintains its Bluffton Campus, where Plaintiff sought treatment from her primary care physician and cardiologist. See AC ¶ 38. Plaintiff entrusted her PII/PHI to employees or agents of SJ/C at those South Carolina facilities while treating there. See id. ¶ 39. Medical providers at SJ/C's Bluffton campus entered information regarding Plaintiff's health, healthcare and treatment into Plaintiff's electronic health record. See id. ¶ 40. Simply put, Plaintiff would not have brought this suit had she not been a patient of SJ/C doctors operating out of SJ/C's Bluffton Campus, and entrusted her PII/PHI to SJ/C in South Carolina so she could get medical care in South Carolina. The fact Defendant's servers are located in Georgia is of no avail. The Data Breach affected its South Carolina patients-patients of SJ/C because SJ/C conducts business and maintains facilities, agents and employees in South Carolina-just as it did in Georgia. (ECF No. 25 at 11-12.)
SJ/C further satisfies the requirements for personal jurisdiction because SJ/C reached into this State to obtain PII/PHI from Plaintiff and the putative Class, and SJ/C provided its patients access to that information in South Carolina. On two separate occasions after SJ/C's IT system was frozen by hackers on June 17, 2021, Plaintiff visited Defendant's Bluffton Campus and attempted to obtain medical records, which she had successfully done before, and both times she was turned away without her records. See AC ¶¶ 42, 43, 45. As a result of the cyber-attack and Data Breach, (a) Plaintiff was denied disability benefits because SJ/C's Bluffton Campus also could not access her records (see AC ¶ 46); (b) Plaintiff's medical providers at SJ/C's Bluffton campus also could not access her records, and so Plaintiff received a reduced quality of medical care (see id. ¶ 30, 44, 105, 137, 138, 162, 176); and (c) Plaintiff's and putative Class Members' PII/PHI was compromised, such that they now face a substantial and imminent risk of identity theft (see id. ¶¶ 29, 30, 36, 101, 105).
In reply, Defendant contends that Plaintiff's arguments focus on her contacts with South Carolina and overlook whether Defendant's conduct related to Plaintiff's causes of action creates a substantial connection to South Carolina. Defendant again asserts that all of its suit-related conduct occurred in Georgia because that is where it maintains and processes all patient medical records, and that is where the data breach occurred. According to Defendant, Plaintiff's argument "essentially proposes that any entity affected by a cyber incident, regardless of where that incident occurred or where the entity is headquartered, can be sued for claims arising out of that incident anywhere the entity does business," which Defendant argues would be contrary to the Supreme Court's decision in Bristol-Myers Squibb Co. v. Superior Court of California, San Francisco Cty., 582 U.S. 255, 137 S.Ct. 1773, 1780, 198 L.Ed.2d 395 (2017). (ECF No. 29 at 5.)
After review, the Court finds the question of personal jurisdiction to be a close call. On the one hand, Plaintiff is correct that this suit would not exist but for the fact that Plaintiff sought medical treatment from Defendant's facilities in South Carolina, in connection with which she entrusted her PII and PHI to Defendant. In other words, there is no question that Defendant purposefully availed itself of the privilege of conducting certain activities in South Carolina.
Nevertheless, Defendant is also correct that Plaintiff's claims do not arise out of the actual medical treatment Defendant provides in South Carolina. Rather, Plaintiff's claims all arise out of Defendant's failure to properly safeguard its IT network and securely maintain Plaintiff's PII and PHI, and/or Defendant's failure to promptly process her requests for her medical records, all of which occurred in Georgia. Plaintiff does not dispute Defendant's evidence indicating that: SJ/C's IT personnel and its network servers are entirely located in Georgia; all patient files are stored on SJ/C's network servers in Georgia; the data breach affected SJ/C's IT systems, which are located and maintained in Georgia; SJ/C's efforts to secure its systems after the data breach occurred in Georgia; and all record requests (including requests from the Bluffton campus) are processed in Georgia. (See ECF Nos. 22-2 and 22-3.) In fact, Plaintiff even asserts in her amended complaint that "[t]he PII/PHI Plaintiff entrusted to SJ/C was transmitted from those South Carolina facilities for storage at other locations, including locations outside the State of South Carolina." (ECF No. 16 ¶¶ 39-40.) Thus, the Court tends to agree with Defendant that its suit-related conduct all occurred in Georgia, insofar as all of Plaintiff's claims arise out of Defendant's handling (or rather, mishandling) of Plaintiff's PII and PHI in Georgia.
That being said, however, the Court is mindful of the Supreme Court's instruction that to exercise specific jurisdiction, "the suit must aris[e] out of or relat[e] to the defendant's contacts with the forum." Bristol-Myers, 582 U.S. 255, 137 S.Ct. at 1780 (quoting Daimler AG v. Bauman, 571 U.S. 117, 127, 134 S.Ct. 746, 754, 187 L.Ed.2d 624 (2014)) (internal quotation marks omitted) (emphasis in original); see also Goodyear Dunlop Tires Operations, S.A., v. Brown, 564 U.S. 915, 919, 131 S.Ct. 2846, 180 L.Ed.2d 796 (2011) (explaining that there must be "an affiliation between the forum and the underlying controversy, principally, [an] activity or an occurrence that takes place in the forum State and is therefore subject to the State's regulation") (internal quotation marks and brackets omitted).
Here, while the Court tends to agree with Defendant that the suit arises out of Defendant's contacts with Georgia and not South Carolina, it appears that reasonable minds could differ as to whether the suit at least relates to Defendant's contacts with South Carolina, insofar as Defendant would not be responsible for storing and maintaining Plaintiff's PII and PHI if Defendant did not offer medical treatment to patients in South Carolina in the first place. Ultimately, however, the Court finds that it is not necessary to definitely decide whether the exercise of specific personal jurisdiction over Defendant would be constitutionally reasonable because the Court agrees with Defendant that the Court lacks subject matter jurisdiction based on Plaintiff's failure to plausibly plead that she has suffered a concrete and traceable injury, as discussed in greater detail below. In other words, the Court will simply assume for the sake of argument that Plaintiff has made a prima facie showing of personal jurisdiction, and the Court will consider Defendant's argument that subject matter jurisdiction is lacking.
The Court notes that if Plaintiff has failed to meet her burden of showing that personal jurisdiction exists, then the case likely is also subject to dismissal pursuant to Rule 12(b)(3) of the Federal Rules of Civil Procedure based on improper venue. On a motion to dismiss pursuant to Rule 12(b)(3), the plaintiff "bears the burden of establishing that venue is proper." Butler v. Ford Motor Co., 724 F. Supp. 2d 575, 586 (D.S.C. 2010). But the plaintiff need "make only a prima facie showing of proper venue in order to survive a motion to dismiss." Aggarao v. MOL Ship Mgmt. Co., 675 F.3d 355, 365-66 (4th Cir. 2012) (citation omitted). Courts must view the facts in the light most favorable to the plaintiff when determining whether plaintiff has made a prima facie showing of proper venue.
Here, Plaintiff asserts that venue is proper in the District of South Carolina because "a substantial part of the events or omissions giving rise to the claim occurred" in South Carolina, in accordance with 28 U.S.C. § 1391(b)(2). "The test of determining venue [under § 1391(b)] is not the defendant's 'contacts' with a particular district, but rather the location of the 'events or omissions giving rise to the claim.' " EmeryAllen, LLC v. MaxLite Inc., No. 2:20-cv-4332-RMG, 2021 WL 2111159, (D.S.C. May 25, 2021) (quoting Cottman Transmission Sys., Inc. v. Martino, 36 F.3d 291, 294 (3d Cir. 1994)) (internal quotation marks omitted). As previously described in connection with the Court's analysis of personal jurisdiction, the events leading to Plaintiff's claims, namely, Defendant's failure to properly safeguard patient PII and PHI and process Plaintiff's requests for medical records, all occurred in Georgia, where Defendant maintains its network servers and stores all patient information.
II. Subject Matter Jurisdiction
A. Federal Rule of Civil Procedure 12(b)(1)
Rule 12(b)(1) governs motions to dismiss for lack of subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1). Under Rule 12(b)(1), a plaintiff bears the burden of proving the existence of subject matter jurisdiction by a preponderance of the evidence. A challenge to subject matter jurisdiction pursuant to Rule 12(b)(1) may occur in two ways: either by a facial challenge, asserting that the complaint fails to allege facts upon which subject matter jurisdiction can be based, or by a factual challenge, asserting that the jurisdictional allegations of the complaint are not true. Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982). See also Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009) (providing the same); Richmond, Fredericksburg & Potomac R.R. Co. v. U.S., 945 F.2d 765, 768 (4th Cir. 1991) (providing the same). In determining whether jurisdiction exists, the district court regards the pleadings' allegations as mere evidence and may consider evidence outside the pleadings without converting the proceeding to one for summary judgment. Richmond, Fredericksburg & Potomac R.R. Co., 945 F.2d at 768.
B. Standing
Article III of the U.S. Constitution limits the jurisdiction of federal courts to "Cases" and "Controversies." U.S. Const. art. III, § 2. "One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue." Clapper v. Amnesty Int'l USA, 568 U.S. 398, 408, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (internal citations and quotation marks omitted). To invoke federal jurisdiction, a plaintiff bears the burden of establishing the "irreducible constitutional minimum" of standing by demonstrating (1) an injury in fact; (2) that is fairly traceable to the challenged conduct of the defendant; and (3) that is likely to be redressed by a favorable judicial decision. Spokeo, Inc. v. Robins, 578 U.S. 330, 338, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)).
"At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim." Beck v. McDonald, 848 F.3d 262, 270 (4th Cir. 2017) (quoting Lujan, 504 U.S. at 561, 112 S.Ct. 2130) (internal quotation marks omitted). Also, in a class action, "[e]very class member must have Article III standing in order to recover individual damages." TransUnion LLC v. Ramirez, — U.S. —, 141 S. Ct. 2190, 2208, 210 L.Ed.2d 568 (2021). The Court analyzes standing based on the allegations of personal injury made by the named plaintiff. Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017) (citing Doe v. Obama, 631 F.3d 157, 160 (4th Cir. 2011)). "Without a sufficient allegation of harm to the named plaintiff in particular, plaintiffs cannot meet their burden of establishing standing." Id. at 270 (quoting Doe, 631 F.3d at 160) (internal quotation marks omitted).
Furthermore, because standing is not a pleading requirement but rather an "indispensable part of the plaintiff's case" that speaks directly to whether the claims establish a "case or controversy" within the parameters of federal court jurisdiction, "each element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof" at that stage in the litigation. Lujan, 504 U.S. at 561, 112 S.Ct. 2130. Accordingly, here, the Court considers Plaintiff's burden regarding standing with the same scrutiny that it would within the context of a motion to dismiss at the pleading stage.
A motion to dismiss filed pursuant to Federal Rule of Civil Procedure 12(b)(6) tests the legal sufficiency of a complaint or pleading. Francis v. Giacomelli, 588 F.3d 186, 192 (4th Cir. 2009). "[T]he legal sufficiency of a complaint is measured by whether it meets the standard stated in Rule 8 [of the Federal Rules of Civil Procedure] . . . and Rule 12(b)(6) (requiring that a complaint state a claim upon which relief can be granted)." Id. Rule 8(a)(2) requires that a pleading must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). This pleading standard requires that a complaint contain "more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Bell Atl. Corp v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007).
In Ashcroft v. Iqbal, the United States Supreme Court stated that to survive a 12(b)(6) motion to dismiss, "a complaint must contain sufficient factual matter, accepted as true, 'to state a claim to relief that is plausible on its face.' " 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955). "A claim has facial plausibility when [a party] pleads factual content that allows the court to draw the reasonable inference that the [opposing party] is liable for the misconduct alleged." Id. The plausibility standard "asks for more than a sheer possibility that a [party] has acted unlawfully." Id. Rather, "[i]t requires [a party] to articulate facts, when accepted as true, that 'show' that [the party] has stated a claim entitling [them] to relief[.]" Francis, 588 F.3d at 193 (quoting Twombly, 550 U.S. at 557, 127 S.Ct. 1955). Such "factual allegations must be enough to raise a right to relief above the speculative level." Twombly, 550 U.S. at 555, 127 S.Ct. 1955. "Determining whether a complaint states [on its face] a plausible claim for relief [which can survive a motion to dismiss] will . . . be a context-specific task that requires the reviewing court to draw on its judicial experience and common sense." Iqbal, 556 U.S. at 679, 129 S.Ct. 1937. However, "where the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged—but it has not 'show[n]'—'that the pleader is entitled to relief.' " Id. (quoting Fed. R. Civ. P. 8(a)(2)).
C. Analysis
In its motion to dismiss, Defendant asserts that Plaintiff lacks standing because she does not plead a plausible injury-in-fact that is fairly traceable to the challenged conduct of Defendant. As the Supreme Court has explained, "[t]o establish injury in fact, a plaintiff must show that he or she suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.' " Id. (quoting Lujan, 504 U.S. at 560, 112 S.Ct. 2130). "Particularization is necessary to establish injury in fact, but it is not sufficient. An injury in fact must also be 'concrete.' " Id. While " 'threatened rather than actual injury can satisfy Article III standing requirements,' not all threatened injuries constitute an injury-in-fact." Beck, 848 F.3d at 271 (quoting Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000) (en banc)). Furthermore, "[a]lthough 'imminence' is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes." Id. (quoting Lujan, 504 U.S. at 564-65, n.2, 112 S.Ct. 2130) (internal quotation marks omitted). Ultimately, a "threatened injury must be certainly impending to constitute injury in fact." Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (internal citations and quotation marks omitted) (emphasis in original).
In its motion, Defendant notes that Plaintiff must show that she personally has been injured, and not that other unidentified members of the class may have been injured. Next, Defendant argues that Plaintiff does not plead any concrete and particularized injury to herself that can be plausibly connected to the data breach. Instead, Defendant asserts that Plaintiff impermissibly relies upon a scattered list of "including, but not limited to" alleged harms but nowhere identifies which of the list of harms she actually suffered because of the data breach. According to Defendant, Plaintiff's alleged injury of the increased risk of future identity theft is akin to the injuries alleged in Beck, where the Fourth Circuit flatly rejected the plaintiffs' claim "that 'emotional upset' and 'fear [of] identity theft and financial fraud' resulting from data breaches are 'adverse effects' sufficient to confer Article III standing." 848 F.3d at 272. Likewise, Defendant asserts that Plaintiff's contention that she has incurred or will incur future expenses to guard against identity theft is insufficient to confer Article III standing. Lastly, Defendant asserts that Plaintiff's new allegations of reduced quality healthcare and denial of disability benefits are completely untethered to her cybersecurity allegations, and Defendant argues that Plaintiff fails to plausibly allege any facts to show that these individualized harms are fairly traceable to the data breach.
In response, Plaintiff asserts that she has suffered concrete and particularized injury-in-fact. In short, Plaintiff argues that the threatened injury of future identity theft is sufficiently imminent and not speculative. Plaintiff asserts that the amended complaint adequately pleads the following:
(1) she was denied disability benefits because she was unable to timely retrieve her medical records; (2) Defendant could reasonably foresee that weak cybersecurity, despite repeated warnings over the years, would result in a cyber-attack; (3) in the event of such an attack, access to patients' PII/PHI would be compromised; (4) Defendant nonetheless failed to implement even basic cybersecurity protocols, despite those consistent alerts and constant warnings from its own IT employees; (5) the Data Breach occurred as a result of Defendant's reckless failure to protect itself and its IT network from cyber-attack; (6) putative Class Members' PII/PHI was in fact extracted in the Data Breach; and (7) but for Defendant's failure to prevent the Data Breach, Plaintiff would have had access to her medical records and been able to collect disability benefits.
(ECF No. 25 at 17.) Plaintiff further asserts that her complaint adequately pleads that her healthcare providers did not have access to her medical records, thus diminishing the quality of her medical care, and that "it is a virtual certainty that other Class Members also suffered from a diminished quality of healthcare." (Id.) According to Plaintiff, the facts of this case are distinguishable from the facts of Beck, and Plaintiff urges the Court to follow the Fourth Circuit's decision in Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018), where the court found standing to exist where the plaintiffs alleged that their data had been stolen, accessed, and used in a fraudulent manner.
Before addressing the merits of the parties' arguments, the Court will briefly outline the specific allegations of injury contained in Plaintiff's amended complaint. First, in paragraph 137 (in connection with her negligence cause of action), Plaintiff alleges that she and class members have suffered and will continue to suffer damages, including but not limited to: "(i) reduced quality of medical services as a result of SJ/C's inability to access medical records; (ii) being deprived of the benefit of medical records entrusted to and retained by SJ/C; (iii) being deprived of social services as a result of being unable to obtain SJ/C medical records; and (iv) being deprived of information that is retained in SJ/C medical records and necessary to make informed healthcare decision." (ECF No. 16 ¶ 137.) Further, in paragraph 138 (in connection with her negligence cause of action), Plaintiff alleges that she and class members suffered and will continue to suffer damages, including but not limited to: "(i) improper disclosure of PII/PHI now in the custody of cyber criminals; (ii) imminent risk of identity theft and/or medical identity theft; (iii) time, money, and energy expended mitigating the risk of identity theft; and (iv) invasion of privacy." (Id. ¶ 138.)
Next, in connection with her causes of action for gross negligence, breach of contract, breach of fiduciary duty, and breach of bailment duty of care, Plaintiff alleges injuries including, but not limited to: "(i) improper disclosure of PII/PHI now in the custody of cyber criminals; (ii) imminent risk of identity theft and/or medical identity theft; (iii) time, money, and energy expended mitigating the risk of identity theft and medical identity theft; (iv) invasion of privacy; (v) lost opportunity to appropriately and timely monitor for identity theft and medical identity theft resulting from Defendant's delayed and misleading Notice of Data Breach; (vi) reduced quality of medical services as a result of SJ/C's inability to access medical records; (vii) being deprived of the benefit of medical records entrusted to and retained by SJ/C; (viii) being deprived of social services as a result of being unable to obtain SJ/C medical records; and (ix) being deprived of information that is retained in SJ/C medical records and necessary to make informed healthcare decisions." (Id., ¶¶ 152, 162, 170, and 176.) Finally, in connection with her unjust enrichment claim, Plaintiff alleges that she and class members—either themselves or through their insurers—conferred monetary benefit to SJ/C, and that "[d]amages incurred by Plaintiff and Class Members equal the difference in payment made on the reliance that Defendant would take reasonable steps to protect Plaintiff's and Class Members' PII/PHI and actual steps Defendant took to protect Plaintiff's and Class members' PII/PHI." (Id. ¶ 184.)
After review, Plaintiff's allegations of injury seem to fall into two basic categories: (1) privacy-related allegations stemming from the improper disclosure of her PII and PHI in the first instance, to include imminent risk of identity theft, expenditures related to mitigating the risk of identity theft, and lost opportunity to monitor for identity theft; and (2) deprivation-of-records-related allegations stemming from Defendant's inability to access Plaintiff's medical records on two occasions between June 17, 2021, and August 31, 2021, to include reduced quality of medical services and denial of disability benefits. The Court will address each of these basic categories in turn.
First, with respect to the privacy-based alleged injuries stemming from the improper disclosure of Plaintiff's PII and PHI, several recent Fourth Circuit cases are instructive. In Beck v. McDonald, the Fourth Circuit considered two consolidated appeals (Beck and Watson) brought by veterans who received health care at the Veterans Affairs Medical Center ("VA") in Columbia, South Carolina. 848 F.3d 262. In Beck, a laptop was stolen from the VA that contained unencrypted personal information of approximately 7,400 patients, including names, birth dates, the last four digits of Social Security numbers, and physical descriptors. Id. at 267. In Watson, the VA discovered that four boxes of pathology reports were missing or stolen, which contained identifying information of over 2,000 patients including names, Social Security numbers, and medical diagnoses. Id. at 268. The plaintiffs alleged injury-in-fact based on the increased risk of identity theft and the costs of protecting against the same, but the lower courts disagreed. Specifically, the district court in Beck dismissed the claims for lack of standing on a summary judgment record, and the district court in Watson dismissed the claims for lack of standing based on the pleadings.
On appeal, relying on Clapper v. Amnesty International USA, 568 U.S. 398, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013), where the Supreme Court discussed standing based on "threatened injuries," the Fourth Circuit affirmed the district court in both cases. Specifically, the Fourth Circuit found that the harms alleged in both Watson and Beck were too speculative because they required an "attenuated chain of possibilities." Beck, 848 F.3d at 275 (citing Clapper, 568 U.S. at 410, 133 S.Ct. 1138). Stated plainly, the court found that the chain of possibilities was not sufficient to confer standing in Beck because there was no indication that the laptop or the boxes of medical records were stolen for the purpose of identity theft, and because there was no indication that any of the plaintiffs were the victim of identity theft. Id.
In Beck, the Fourth Circuit specifically considered the circuit split regarding whether a plaintiff may establish Article III injury-in-fact standing based on an increased risk of future identity theft. Id. at 273. The court explained that "[t]he Sixth, Seventh, and Ninth Circuits have all recognized, at the pleading stage, that plaintiffs can establish an injury-in-fact based on this threatened injury." Id. (citing cases). In contrast, the Beck court noted that the First and Third Circuits have rejected such allegations. Id. (citing cases). Ultimately, the Beck court found that the cases recognizing standing based on threatened injury of future identity theft actually demonstrated why the plaintiffs' theory in Beck was "too speculative to constitute an injury-in-fact"; the court remarked, "[u]nderlying the cases are common allegations that sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent." Id. at 274 (noting that the cases involved hackers and the alleged actual misuse of information). The court remarked that in the cases of Beck and Watson "the mere theft of [the laptop and pathology reports], without more, cannot confer Article III standing." Id. The court explained:
Indeed, for the Plaintiffs to suffer the harm of identity theft that they fear, we must engage with the same "attenuated chain of possibilities" rejected by the Court in Clapper. 133 S.Ct. at 1147-48. In both cases, we must assume that the thief targeted the stolen items for the personal information they contained. And in both cases, the thieves must then select, from thousands of others, the personal information of the named plaintiffs and attempt successfully to use that information to steal their identities. This "attenuated chain" cannot confer standing.
Id. In short, the court found that the plaintiffs failed to "either 'plausibly plead' factual allegations or 'set forth particular evidence' sufficient to show that the threatened harm of future identity theft was 'certainly impending.' " Id.
The court in Beck next considered the plaintiffs' claim that the threat of future identity theft led them to reasonably incur costs to mitigate or avoid that harm. Ultimately, the court rejected the plaintiff's claims and found the plaintiffs' allegations insufficient to establish a "substantial risk" of harm. Id. The court explained: "Even if we credit the Plaintiffs' allegation that 33% of those affected by the Dorn VAMC data breaches will become the victims of identity theft, it follows that over 66% of veterans will suffer no harm." Id. at 276. The court also remarked that "a threatened event can be 'reasonabl[y] likel[y]' to occur but still be insufficiently 'imminent' to constitute an injury-in-fact." Id. (citing Clapper, 133 S.Ct. at 1147-48). The court further explained:
As was the case in Clapper, the Plaintiffs here seek "to bring this action based on costs they incurred in response to a speculative threat," i.e. their fear of future identity theft based on the breaches at Dorn VAMC. Id. at 1151. But this allegation is merely "a repackaged version of [Plaintiffs'] first failed theory of standing." Id. Simply put, these self-imposed harms cannot confer standing. See, e.g., Remijas, 794 F.3d at 694 ("Mitigation expenses do not qualify as actual injuries where the harm is not imminent."); Reilly, 664 F.3d at 46 ("[P]rophylactically spen[ding] money to ease fears of [speculative] future third-party criminality . . . is not sufficient to confer standing.").
Id. at 276-77.
The year after deciding Beck, the Fourth Circuit again considered the question of standing in the context of a breach of personal information. See Hutton, 892 F.3d 613. In Hutton, a group of optometrists filed complaints asserting that their personal information was stolen in a data breach of a database maintained by the National Board of Examiners in Optometry ("the Board"). The district court dismissed the complaints for lack of subject matter jurisdiction, relying on Beck and reasoning that the plaintiffs had not sufficiently alleged injury-in-fact and that they failed to allege that any injuries were fairly traceable to the conduct of the Board. The Fourth Circuit ultimately disagreed with the district court and found that the plaintiffs had standing to sue. Id. at 616. The court explained:
We reasoned in Beck that a plaintiff fails to "establish Article III standing based on the harm from the increased risk of future identity theft and the cost of measures to protect against it." See Beck, 848 F.3d at 266. We emphasized that a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft. Id. at 274-75. The situations in these consolidated appeals, however, are readily distinguishable from that in Beck. In Beck, the plaintiffs alleged only a threat of future injury in the data breach context where a laptop and boxes—containing personal information concerning patients, including partial social security numbers, names, dates of birth, and physical descriptions—had been stolen, but the information contained therein had not been misused. The Plaintiffs in these cases, on the other hand, allege that they have already suffered actual harm in the form of identity theft and credit card fraud. The Plaintiffs have been concretely injured by the data breach because the fraudsters used—and attempted to use—the Plaintiffs' personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval. Accordingly, there is no need to speculate on whether substantial harm will befall the Plaintiffs.
Id. at 621-22. In other words, because the plaintiffs in Hutton alleged that their data had been stolen, accessed, and actually used in a fraudulent manner, the court found that the plaintiffs sufficiently alleged an imminent threat of injury. Likewise, because the injuries alleged by the plaintiffs were not speculative, the court found that "the costs of mitigating measures to safeguard against future identity theft support the other allegations and together readily show sufficient injury-in-fact to satisfy the first element of the standing to sue analysis." Id. at 622.
Finally, with respect to traceability, the court found that the complaints at issue contained allegations demonstrating that it was both plausible and likely that the data breach resulted in the fraudulent use of the plaintiffs' personal information, and therefore the plaintiffs' allegations were plausible with respect to traceability. Id. at 623-24.
Here, it appears that Plaintiff's allegations of injury related to the improper disclosure of her PII and PHI to cyber criminals fall somewhere between the allegations in Beck and the allegations in Hutton. On the one hand, contrary to Beck, Plaintiff does allege that cyber criminals hacked Defendant's network with the specific intent to steal her private information. On the other hand, however, similar to Beck but contrary to Hutton, Plaintiff does not allege any instances of actual misuse of her private information. The Court finds this latter point critical to its analysis. Stated differently, although Plaintiff alleges that her personal information was targeted and stolen for nefarious purposes, allegations that were not present in Beck but were present in Hutton, Plaintiff does not allege any actual misuse of her information, and the Court ultimately finds that Plaintiff's allegations fail to show that a risk of future harm is "certainly impending" or concrete as opposed to merely speculative. See Hutton, 892 F.3d at 621 (explaining that in Beck "[w]e emphasized that a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft"). Likewise, absent any allegations that Plaintiff's data has been used in a fraudulent manner, the Court finds no concrete harm alleged with respect to the lost opportunity to monitor for identity theft. As for Plaintiff's alleged costs of mitigating measures to safeguard against future identity theft, the Court also finds this harm too speculative to show sufficient injury-in-fact to satisfy the first element of the standing analysis.
The Fourth Circuit has not passed upon the precise issue present here, which is whether actual misuse of data is required to establish standing in a data breach context. Cf. Stamat v. Grandizio Wilkins Little & Matthews, LLP, No. SAG-22-00747, 2022 WL 3919685, *6 (D. Md. Aug. 31, 2022).
In short, the Court finds that Plaintiff's privacy-related allegations of injury related to the improper disclosure of her personal information in the first instance (including the invasion of privacy, the alleged imminent threat of identity theft, the alleged lost opportunity to monitor for identity theft, and the alleged costs of mitigating measures to safeguard against future identity theft) all fail to sufficiently allege a concrete harm—imminent or actual, not conjectural or hypothetical—to establish injury-in-fact, the "first and foremost" of standing's three elements. Spokeo, 578 U.S. at 339, 136 S.Ct. 1540 (quoting Steel Co. v. Citizens for Better Environment, 523 U.S. 83, 103, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998)).
The Court recognizes that the concrete harm requirement of standing can be difficult to apply, and it is certainly conceivable that other individuals in the proposed class could have suffered concrete harm as a result of the data breach, particularly if there has been actual misuse of their information. Indeed, Plaintiff asserts in her response to Defendant's motion that "already identified putative Class Members have brought claims alleging 'misuse' of their data." (ECF No. 25 at 25.) But the amended complaint fails to provide examples of any actual misuse of Plaintiff's information, and for the purpose of determining standing for a class action complaint, the Court reviews Plaintiff's alleged injuries as the named Plaintiff.
In her amended complaint, perhaps in response to Defendant's initial motion to dismiss, Plaintiff adds allegations related to the second basic category of alleged injury, namely, deprivation-of-records allegations including reduced quality of medical services and denial of disability benefits. Specifically, Plaintiff alleges in her amended complaint that for several weeks after June 17, 2021, she attempted to obtain copies of her medical records for the purpose of completing her application for Social Security disability benefits, but that on two occasions she visited SJ/C's Bluffton campus and was instructed to execute a HIPAA release to obtain copies of her records, which Plaintiff contends she had previously executed. (ECF No. 16 ¶¶ 41-43.) Plaintiff asserts that when she asked why she was unable to obtain her medical records, "SJ/C staff told her, on one occasion, that 'the fax is down,' and on another that 'the computers are being worked on.' " (Id. ¶ 43.) Plaintiff also contends that her medical providers had no access to her list of prescribed medications, which presumably supports her assertion that she and other class members suffered from reduced quality medical care as a result of the data breach. Finally, Plaintiff asserts that by the time she learned of the data breach, "her Social Security Disability application had been denied for failure to timely provide medical records." (Id. ¶¶ 44, 46.)
The Court's analysis of Plaintiff's alleged injuries stemming from her inability to access her medical records differs slightly from the Court's above analysis of her privacy-related alleged injuries, and that is because Plaintiff's alleged injuries stemming from her inability to access her medical records are, quite simply, entirely conclusory. In other words, even assuming that the alleged injuries stemming from Plaintiff's inability to access her medical records are "concrete and particularized" and "actual or imminent, not conjectural or hypothetical," the Court finds that Plaintiff nonetheless fails to plead sufficient factual matter to (1) render the alleged injuries plausible on their face or (2) plausibly show how they are fairly traceable to the data breach.
For example, Plaintiff claims in an entirely conclusory fashion that she and other class members suffered from reduced quality of medical services as a result of Defendant's inability to access medical records. However, the only factual allegation that arguably supports this contention is her assertion that Defendant did not have access to a list of her prescribed medications during the weeks following the data breach. Leaving aside the question of whether Plaintiff herself knows which medications she has been prescribed, or whether this information was readily available through other avenues, i.e., her pharmacy, Plaintiff fails to include any facts to plausibly allege, for example, that she actually sought medical services from Defendant during the relevant time period (as opposed to requesting copies of her medical records), or that she experienced reduced quality of medical services in any substantive way. In other words, Plaintiff simply asserts that she and other class members suffered "reduced quality of medical services," but nowhere does she allege sufficient factual matter to (1) render the injury plausible on its face or (2) plausibly show how it is tied to the data breach.
Likewise, although Plaintiff asserts in an entirely conclusory fashion that she and other class members were deprived of information that is retained in their medical records that is necessary to make informed healthcare decisions, nowhere does Plaintiff allege any factual matter to show either that she was actually deprived of information she needed to make an informed healthcare decision or that any such deprivation was plausibly traceable to the data breach.
Finally, Plaintiff's allegation that her application for disability benefits was denied for failure to timely provide medical records is perhaps the most conclusory of all of her allegations of injury. She simply states that she was denied disability benefits as a result of being unable to obtain her medical records, but she includes no factual matter whatsoever to render her assertion plausible on its face or to plausibly tie the denial to the data breach. As Defendant aptly points out in its reply brief:
Plaintiff contends that because she was told the delay in obtaining her records was due to the "fax is down," or the "computers are being worked on" [ ] that must be but for the Incident. Plaintiff, however, fails to plead any facts from which the Court can plausibly sustain this inference. Plaintiff fails to plead what are the "denied" disability benefits and whether they are permanently and irrevocably gone. She fails to plead what specific records she was required to submit and that SJ/C was the only source of those records. She fails to plead that the only reason SJ/C did not timely process her records requests was but for the Incident, not human error or some other reason. In other words, Plaintiff's denial-of-benefits "injury" presupposes that a hospital would never take too long or make a mistake in processing a patient request for records but for a cyber incident affecting its network; and such delays foreseeably result in denials of disability benefits among its patient population.
(ECF No. 29 at 10.)
It is without question that social service benefits arise out of complex administrative schemes, and claims can be denied for myriad reasons. Nevertheless, Plaintiff simply asks this Court to assume, without alleging any factual matter in support, that her disability benefits were denied because of Defendant's failure to properly safeguard its IT network and process her request for medical records, but this is simply a bridge too far. See Beck, 848 F.3d at 270 (explaining that in assessing a Rule 12(b)(1) facial challenge to standing, courts accept factual allegations as true but "do not [ ] apply the same presumption of truth to 'conclusory statements' and 'legal conclusions' contained in [the] complaint"); see Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 ("Nor does a complaint suffice if it tenders naked assertions devoid of further factual enhancement.").
For all of the foregoing reasons, the Court agrees with Defendant that Plaintiff's amended complaint fails to plausibly allege the "irreducible constitutional minimum" of standing by showing (1) an injury that is imminent, concrete, and particularized to Plaintiff; (2) that is fairly traceable to the challenged conduct of Defendant; and (3) that is likely to be redressed by a favorable judicial decision. Spokeo, Inc., 578 U.S. at 338, 136 S.Ct. 1540 (quoting Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130). Accordingly, the Court grants Defendant's motion to dismiss Plaintiff's complaint for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. Furthermore, because the Court concludes it lacks subject matter jurisdiction based on Plaintiff's lack of standing, the Court declines to address Defendant's supplemental arguments for dismissal pursuant to Rule 12(b)(6). See Taylor v. Cudd, Civ. A. No. 7:18-cv-765-TMC, 2020 WL 967447, at *4 (D.S.C. Feb. 28, 2020) (noting that "it is well-established that a court need not consider or discuss every argument presented by a party, particularly when one issue is dispositive of the matter as a whole").
CONCLUSION
Based on the foregoing, the Court hereby grants in part Defendant's motion to dismiss (ECF No. 22) and dismisses this action without prejudice for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure.
Plaintiff buries a request to amend her complaint in a footnote on the final page of her response to Defendant's motion, but she does not offer any proposed amendment or otherwise identify any additional information that she would include in a second amended complaint. While Plaintiff is correct that a court "should freely give" leave to amend "when justice so requires," Fed. R. Civ. P. 15(a), Plaintiff has not formally moved to amend, and the Court declines to give Plaintiff a "blank authorization to 'do over' her complaint," where there is simply no reason to believe that a second amended complaint would not suffer from the same defects as her initial complaint and her first amended complaint. Estrella v. Wells Fargo Bank, N.A., 497 F. App'x 361, 362 (4th Cir. 2012) (unpublished) (quoting Francis v. Giacomelli, 588 F.3d 186, 197 (4th Cir. 2009), and declining to permit amendment "where, as here, the plaintiff fails to formally move to amend and fails to provide the district court with any proposed amended complaint or other indication of the amendments he wishes to make"); Cozzarelli v. Inspire Pharms. Inc., 549 F.3d 618, 630 (4th Cir. 2008) (finding no abuse of discretion in "declining to grant a motion that was not properly made" but raised only in opposition to a motion to dismiss and in objections to the magistrate judge's report).
IT IS SO ORDERED.