Summary
In Brush, there is no evidence that the defendant advertised its services, whereas cases finding an implied contract have found significant the invitation to pay with a card.
Summary of this case from In re Brinker Data Incident Litig.Opinion
CASE NO. 16–21373–CIV–LENARD/GOODMAN
02-17-2017
Benjamin S. Thomassen, Eve–Lynn J. Rapp, pro hac vice, Edelson PC, Chicago, IL, Steven R. Jaffe, Farmer Jaffe Weissing Edwards Fistos & Lehrman PL, Fort Lauderdale, FL, for Plaintiff. Stephen Jay Bronis, Gavrila Alexa Brotz, Magda Christina Rodriguez, Walter J. Tache, Tache, Bronis, Christianson and Descalzo, P.A., Adam Michael Schachter, Daniel S. Gelber, Freddy Funes, Gelber Schachter & Greenberg, P.A., Miami, FL, for Defendants.
Benjamin S. Thomassen, Eve–Lynn J. Rapp, pro hac vice, Edelson PC, Chicago, IL, Steven R. Jaffe, Farmer Jaffe Weissing Edwards Fistos & Lehrman PL, Fort Lauderdale, FL, for Plaintiff.
Stephen Jay Bronis, Gavrila Alexa Brotz, Magda Christina Rodriguez, Walter J. Tache, Tache, Bronis, Christianson and Descalzo, P.A., Adam Michael Schachter, Daniel S. Gelber, Freddy Funes, Gelber Schachter & Greenberg, P.A., Miami, FL, for Defendants.
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS' MOTION TO DISMISS (D.E. 21) AND DISMISSING COUNTS TWO, THREE AND FOUR WITHOUT PREJUDICE
JOAN A. LENARD, UNITED STATES DISTRICT JUDGE
THIS CAUSE is before the Court on Miami Beach Healthcare Group, LTD and HCA–EmCare Holdings, LLC's (hereinafter, "Defendants") Motion to Dismiss (D.E. 21), filed on June 10, 2016. Barbara Brush (hereinafter, "Plaintiff") filed her Response in Opposition (D.E. 44) on July 8, 2016. Defendants filed their Reply on July 25, 2016. (D.E. 51.) Having reviewed the Motion to Dismiss and response and reply thereto, the Court finds as follows.
I. Background
Defendants jointly provide healthcare services to patients at Aventura Hospital and Medical Center in South Florida. (D.E. 1, Pl.'s Compl. at ¶¶ 13 and 14). In October 2008, Plaintiff was admitted to Defendants' hospital to receive medical treatment. (Id. at ¶ 43). As part of the patient-admission process, she provided Defendants with sensitive information, including, among other things: her name, date of birth, social security number and protected health information. (Id. at ¶¶ 44 and 90.) Plaintiff paid Defendants for their services. (Id. at ¶ 33.)
In September 2014, nearly six years after Plaintiff had received treatment, Defendants informed their patients that a hospital employee, who was unauthorized to do so, had been accessing patients' sensitive information. (Id. at ¶ 8.) This security breach persisted between September 13, 2012 and June 9, 2014. (Id. )
Defendants' employee subsequently disclosed and/or sold Plaintiff's information to a third party. (Id. at ¶ 50.) Thereafter, the third party used Plaintiff's personal data to steal her identity and file a fraudulent tax return using her name and Social Security number. (Id. )
After her identity was stolen, Plaintiff spent (and continues to spend) time and resources remedying the harmful effects and mitigating future harm. (Id. at ¶ 51.) Prior to her visit to Defendants' hospital, Plaintiff's identity had never been stolen and she took considerable precautions to protect her private data. (Id. at ¶ 52–53.) Specifically, Plaintiff avoided transmitting her sensitive information over insecure sources, she stored documents containing private data in a safe and secure location and she destroyed any documents that she received in the mail that contained any identifying information. (Id. )
On April 18, 2016, Plaintiff filed a four-count Complaint for negligence, breach of contract, breach of implied contract and unjust enrichment. (D.E. 1.) She claims that:
Defendants [failed to] comply with safeguards mandated by HIPAA regulations, Florida law or industry standards.
...
Defendants failed to implement sufficient information security policies and procedures to (1) protect (e.g., via encryption) or otherwise safeguard their patients' electronically-stored Sensitive Information; (2) restrict access (i.e., segment) their electronic database to
limit access to such Sensitive Information to only those employees and personnel that need to access such information for treatment related reasons; and (3) supervise employees and personnel with access to patient Sensitive Information and enforce their data protection and confidentiality policies.
(Id. at ¶ 28.) Plaintiff claims that because of the Defendants' security failures, her identity was stolen. She seeks damages for the purported economic and non-economic damages she has suffered as a result of a third party stealing her identity and filing a false tax return in her name.
In response, the Defendants filed a Motion to Dismiss. (D.E. 21.) They argue that the Court should dismiss Plaintiff's Complaint and strike class allegations because: (1) Plaintiff lacks Article III standing to bring this action, see Fed. R. Civ. P. 12(b)(1) ; (2) Plaintiff fails to state claims upon which relief may be granted, see Fed. R. Civ. P. 12(b)(6) ; (3) the statute of limitation bars the Plaintiff from seeking relief; and (4) Plaintiff's class action allegations are atypical of the other members of the class. (Id. )
Plaintiff replied, asserting that she satisfies Article III's standing requirements because she had suffered a concrete injury that can be remedied by this lawsuit. (D.E. 44.) She further argues that she has successfully pleaded the elements of negligence, breach of contract, breach of implied contract and quantum meruit. (Id. )
II. Legal Standards
A. Motion to Dismiss for Lack of Jurisdiction
Federal Rule of Civil Procedure 12(b)(1) governs motions to dismiss for lack of subject matter jurisdiction. Standing to bring suit is an essential component of a federal court's subject matter jurisdiction. Clapper v. Amnesty Int'l USA , 568 U.S. 398, 133 S.Ct. 1138, 1146, 185 L.Ed.2d 264 (2013). Standing "determin[es] the power of the court to entertain the suit." Hollywood Mobile Estates Ltd. v. Seminole Tribe of Florida , 641 F.3d 1259, 1265 (11th Cir. 2011) (quoting Warth v. Seldin , 422 U.S. 490, 498, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) ); see also Stalley ex rel. United States v. Orlando Reg'l Healthcare Sys., Inc. , 524 F.3d 1229, 1232 (11th Cir. 2008) (per curiam). As in any case, the Court must "first determine whether it has proper subject matter jurisdiction before addressing the substantive issues." Taylor v. Appleton , 30 F.3d 1365, 1366 (11th Cir. 1994).
B. Motion to Dismiss for Failure to State a Claim
Under Federal Rule of Civil Procedure 12(b)(6), a court may dismiss an action for "failure to state a claim upon which relief can be granted." To survive a motion to dismiss, the complaint "must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ " Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. "A formulaic recitation of the elements of the cause of action will not do," id. at 1949 (quoting Twombly , 550 U.S. at 555, 127 S.Ct. 1955 ), and the allegations must include "more than an unadorned, the-defendant-unlawfully-harmed-me-accusation." Iqbal 556 U.S. at 678, 129 S.Ct. 1937. When considering whether a complaint should be dismissed, the Court accepts the facts alleged in the Complaint as true, and construes all reasonable inferences in the light most favorable to plaintiffs. See Bank v. Pitt , 928 F.2d 1108, 1109 (11th Cir. 1991).
III. Discussion
A. Standing
To satisfy the basic constitutional requirement that there is an active case or controversy, standing must exist to assert the claims. Hollywood Mobile Estates Ltd. v. Seminole Tribe of Florida , 641 F.3d 1259, 1264 (11th Cir. 2011) (quoting Lujan v. Defenders of Wildlife , 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ) ("Article III of the United States Constitution limits the jurisdiction of federal courts to ‘Cases' and ‘Controversies,’ U.S. Const. Art. III, § 2, and the core component of standing is an essential and unchanging part of the case-or-controversy requirement of Article III.") (internal quotations omitted). To establish standing sufficient to maintain a suit, a plaintiff must show that: "(1) [she] has suffered an ‘injury in fact’ that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc. , 528 U.S. 167, 180–81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000) ; see also Hollywood Mobile Estates Ltd. , 641 F.3d at 1265 ("The Supreme Court has explained that the ‘irreducible constitutional minimum’ of standing under Article III consists of three elements: an actual or imminent injury, causation, and redressability.") (citation omitted). "At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice" to show standing, "for on a motion to dismiss [a court] presume[s] that general allegations embrace those specific facts that are necessary to support the claim." Lujan , 504 U.S. at 561, 112 S.Ct. 2130 (internal citations omitted).
The threshold issues in this case are whether Plaintiff suffered an actual, concrete injury, and if so, whether her injury is fairly traceable to the conduct of the Defendants.
The Eleventh Circuit recently addressed whether a victim of identity theft resulting from a data breach has standing to assert a claim in Resnick v. AvMed, Inc. , 693 F.3d 1317 (11th Cir.2012). In Resnick , the plaintiffs alleged that their personal data was compromised after laptops were stolen from the office of their health care plan operator. One plaintiff's sensitive information was used by an unknown third party to open and overdraw an account with E*Trade Financial and another's personal data was used to open credit accounts with Bank of America and make unauthorized purchases in her name. The Eleventh Circuit held that these plaintiffs had alleged injuries sufficient to confer Article III standing. Id. at 1323.
The Resnick court did not clarify whether the identity theft, or the identity theft plus monetary damages, constituted the injury in fact.
After determining the plaintiffs had alleged actual, concrete injuries, the Resnick court considered whether the plaintiffs' injuries were "fairly traceable" to the defendant's failure to secure their personal information. The Eleventh Circuit explained that:
A showing that an injury is fairly traceable requires less than a showing of ‘proximate cause,’ Focus on the Family v. Pinellas Suncoast Transit Auth. , 344 F.3d 1263, 1273 (11th Cir.2003). Even a showing that a plaintiff's injury is indirectly caused by a defendant's actions satisfies the fairly traceable requirement. Plaintiffs allege that [Defendant] failed to secure their information on
company laptops, and that those laptops were subsequently stolen. Despite Plaintiff's personal habits of securing their sensitive information, Plaintiffs became victims of identity theft after the unencrypted laptops containing their sensitive information were stolen. For purposes of standing, these allegations are sufficient to ‘fairly trace’ their injury to [Defendant's] failures.
Resnick , at 1324.
Following the Resnik decision, two district courts in this circuit have addressed the exact issue before this Court, namely: does a plaintiff have standing to sue when her identity is stolen and an unknown third party files a tax return in her name. See Smith v. Triad of Alabama, LLC , No. 1:14-CV-324-WKW, 2015 WL 5793318, at *8–11 (M.D. Ala. Sept. 29, 2015) (Watkins, CJ.) and Burrows v. Purchasing Power, LLC , No. 1:12-CV-22800-UU, 2012 WL 9391827, at *2 (S.D. Fla. Oct. 18, 2012) (Ungaro, J.) Both the Smith and Burrows courts held that the theft of personal information accompanied by the filing of an unauthorized tax return constitutes an injury in fact. (Id. ) These courts further held that the injury is fairly traceable to the defendants' data breaches if the plaintiffs had previously guarded their sensitive personal data and had never suffered identity theft before. (Id. ) The Court agrees with Chief Judge Watkins and Judge Ungaro's reasoning, and finds that the Plaintiff has articulated an actual, concrete injury that is fairly traceable to the Defendant's alleged malfeasance. Accordingly, Plaintiff has standing to sue.
B. Failure to State a Claim
1. Count One: Negligence
Under Florida law, a negligence claim has four elements: "a duty, breach of that duty, causation, and damages." Virgilio v. Ryland, Grp., Inc. , 680 F.3d 1329, 1339 (11th Cir. 2012) (citing Curd v. Mosaic Fertilizer, LLC , 39 So.3d 1216, 1227 (Fla. 2010) ). It is well-established that entities that collect sensitive, private data from consumers and store that data on their networks have a duty to protect that information:
Financial institutions and health care providers possess a very high duty to protect consumer data residing on their networks and therefore a serious potential level of loss exposure. Firms that collect and retain such statutorily protected data must comply with internal controls and reporting standards set by the state and federal government. Even entities that are not specifically covered by laws or regulations pertaining to their specific industry are charged with a general duty to safeguard the consumer data under their control.
Liam M. D. Bailey, Mitigating Moral Hazard in Cyber–Risk Insurance , 3 J.L. & Cyber Warfare 1, 11 (2014) ; see also Resnick , 693 F.3d at 1327 (finding, implicitly, that healthcare providers owe patients a duty to protect their sensitive data); Weinberg v. Advanced Data Processing, Inc. , 147 F.Supp.3d 1359, 1363 (S.D. Fla. 2015) (holding that ambulance service had a duty to exercise reasonable care in safeguarding and protecting the plaintiff's sensitive information). Therefore, Defendants owed Plaintiff a duty to protect her private data.
In Resnick , the Eleventh Circuit discussed the causation element at length. 693 F.3d at 1326 ("[T]o prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence."). In Resnik , the plaintiffs alleged that they "became victims of identity theft for the first time in their lives ten and fourteen months after the laptops containing their sensitive information were stolen." ( Id. ) They further alleged that: (1) "the sensitive information on the stolen laptop was the same sensitive information used to steal their identit[ies]," (2) "the identity thief used [p]laintiffs' sensitive information" to change their addresses and open bank account, (3) "prior to the data breach, [none of the plaintiffs] had ever had their identities stolen or their sensitive information ‘compromised in any way,’ " and (4) " ‘[plaintiffs] took substantial precautions to protect [themselves from identity theft,’ including not transmitting sensitive information over the Internet or any unsecured source; not storing [their] sensitive information on a computer or media device; storing sensitive information in a ‘safe and secure physical location;’ and destroying ‘documents [they] receive in the mail that may contain any of her sensitive information.’ " ( Id. )
Considering the plaintiffs' Complaint and "applying common sense to [its] understanding of [the] allegation[s]," the Resnik court held that the plaintiffs' claims "that the data breach caused their identities to be stolen move[d] from the realm of the possible into the plausible." ( Id. ) The panel noted, however, that "[h]ad [p]laintiffs alleged fewer facts, we doubt whether the Complaint could have survived a motion to dismiss. ( Id. at 1327 ).
In this case, the Plaintiff alleges that:
• "Beginning in September 2012, [the Defendants'] employee began to continuously and systematically use their databases to access and remove tens of thousands of their patients' Sensitive Information." (D.E. 1 at ¶ 22.)
• "The excessive and unauthorized access of patients' Sensitive Information by the Aventura Hospital employee went uncorrected for two consecutive years." (Id. at ¶ 23.)
• "The records accessed and viewed by Defendants' employee without authorization included Plaintiff's Sensitive Information." (Id. at ¶ 49.)
• Plaintiff's "Sensitive Information was thereafter disclosed to or sold to a third party by Defendants' employee. This third party subsequently used that information to steal her identity and file a fraudulent tax return using her name and Social Security number." (Id. at ¶ 50.)
• "Prior to her visit to Defendants' Aventura Hospital and Medical Center facilities in Florida, [Plaintiff's] identity had never been stolen." (Id. at ¶ 52.)
• "[P]rior to the data breach, Brush took considerable precautions to protect her Sensitive Information. Brush avoids transmitting her Sensitive Information over insecure sources, she stores documents containing Sensitive Information in a safe and secure location, and she destroys any documents that she receives in the mail that contain any of her Sensitive Information or that contain any information that could otherwise be used to steal her identity." (Id. at ¶ 53.)
These allegations, like those in Resnik , move Plaintiff's claims "from the realm of the possible into the plausible." Therefore, Plaintiff has sufficiently pleaded the element of causation.
Because Plaintiff has stated a claim for negligence, Defendants' Motion to Dismiss Count One must be denied.
2. Count Two: Breach of Contract
Under Florida law, the elements of a breach of contract claim are "(1) a valid contract; (2) a material breach; and (3) damages." Hartford Steam Boiler Inspection & Ins. Co. v. Brickellhouse Condo. Ass'n, Inc. , No. 16-CV-22236, 2016 WL 5661636, at *2 (S.D. Fla. Sept. 30, 2016) (quoting Friedman v. N.Y. Life Ins. Co. , 985 So.2d 56, 58 (Fla. 4th DCA 2008) ). A breach of contract claim must be dismissed "where it is unclear what provision or obligation under the contract has been violated." Regal v. Butler & Hosch , P.A., No. 15-CIV-61081, 2015 WL 11198248, at *5 (S.D. Fla. Oct. 8, 2015) (collecting cases). "Plaintiffs are required to point toward an express provision in the contract that creates the obligation allegedly breached." Alvarez v. Royal Caribbean Cruises, Ltd. , 905 F.Supp.2d 1334, 1340 (S.D. Fla. 2012).
Here, Plaintiff claims Defendant was obligated to protect her private, personal data from security breaches. Specifically, she identifies provisions in the Defendants' Notice of Privacy Practices which she claims establish a contractual duty to protect her private information:
Each time you visit a hospital, physician, or other healthcare provider, a record of your visit is made. Typically, this record contains your symptoms, examination and test results, diagnoses, treatment, a plan for future care or treatment, and billing related information. This notice applies to all of the records of your care generated by the facility, whether made by facility personnel, agents of the facility, or your personal doctor
....
We are required by law to maintain the privacy of [such] health information, provide you a description of our privacy practices, and to notify you following a breach of unsecured protected health information. We will abide by the terms of this notice .... Other uses and disclosures of health information not covered by this notice or the laws that apply to us will be made only with your written authorization.
(D.E. 1 at ¶ 18.) Plaintiff also identifies the following provision in Defendants' Patient Rights and Responsibilities and Patient Visitation Rights form which states: "Patients shall have their medical records, including all computerized medical information, kept confidential ...."
These provisions, despite Plaintiff's protestations otherwise, are not contractual in nature. Instead, these provisions inform patients of their rights under federal law—specifically the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")—and the duties imposed upon the Defendants by these statutory provisions. Because the Defendants are required by law to adhere to HIPAA without receiving any consideration from the Plaintiff or any other patient, these provisions cannot create contractual obligations. Moreover, it is well-established that HIPAA provides no private right of action. Weinberg v. Advanced Data Processing, Inc. , 147 F.Supp.3d 1359, 1365 (S.D. Fla. 2015) (quoting Sneed v. Pan American Hosp. , 370 Fed.Appx. 47, 50 (11th Cir.2010) ("We decline to hold that HIPAA creates a private cause of action.")). Plaintiff cannot manipulate the common law to state a private, statutory cause of action where none exists. See Cairel v. Jessamine Cty. Fiscal Court , No. 5:15-CV-186-JMH, 2015 WL 8967884, at *4 (E.D. Ky. Dec. 15, 2015) ("Plaintiff attempts to circumvent the fact that no private right of action exists under HIPAA by characterizing her claim thereunder as one for breach of contract. Regardless of whether the contract included a HIPAA provision, there simply is no private right of action for violations of HIPAA, at the state or federal level."); cf. Astra USA, Inc. v. Santa Clara Cnty., Cal. , 563 U.S. 110, 118, 131 S.Ct. 1342, 179 L.Ed.2d 457 (2011). (Courts will not allow a breach of contract claim where "[t]he statutory and contractual obligations, ... are one and the same."); Peltier v. Almar Mgmt., Inc. , No. CV 16-00431 DKW-RLP, 229 F.Supp.3d 1160, 1169–70, 2017 WL 187137, at *7 (D. Haw. Jan. 17, 2017) ("Where contracts simply incorporate statutory obligations, a third-party suit to enforce the contract is in essence a suit to enforce the statute itself and is not consistent with the statutory scheme.") (internal marks omitted); Patel v. Catamaran Health Sols. , LLC, No. 15-CV-61891, 2016 WL 5942475, at *8 (S.D. Fla. Jan. 14, 2016) ("[It] is clear that no private right of action exists for alleged statutory violations, even on common law theories, unless the text or legislative history of the statute at issue confirms that the Legislature intended to confer such a right.").
Plaintiff has identified no contractual provision where the Defendants agreed to provide her with data security services in exchange for consideration. Furthermore, Plaintiff cannot mask a HIPAA claim as a breach of contract claim. Accordingly, Count Two fails as a matter of law and must be dismissed.
3. Counts Three and Four: Contract Implied by Fact and Contract Implied by Law
Under Florida law, a contract may be implied by law or fact. Merle Wood & Assocs., Inc. v. Trinity Yachts, LLC , 857 F.Supp.2d 1294, 1306 (S.D. Fla. 2012), aff'd, 714 F.3d 1234 (11th Cir. 2013) (quoting Commerce P'ship 8098 Ltd. P'ship v. Equity Contracting Co. , 695 So.2d 383, 386 (4th DCA 1997), as modified on clarification (June 4, 1997)). In Count Three, Plaintiff asserts that based on her dealings with the Defendants, an agreement to protect her private information can be implied. In Count Four, Plaintiff claims that a quasi-contract exists because the Defendants knew she expected them to protect her data and they received and kept compensation.
"A contract implied in fact is one form of an enforceable contract; it is based on a tacit promise, one that is inferred in whole or in part from the parties' conduct, not solely from their words." Equity Contracting Co. , 695 So.2d at 386 (quoting 17 Am.Jur.2d "Contracts" § 3 (1964) ). "A contract implied in fact is not put into promissory words with sufficient clarity, so a fact finder must examine and interpret the parties' conduct to give definition to their unspoken agreement." ( Id. ) When considering whether a contract implied in fact exists "a court should determine and give to the alleged implied contract ‘the effect which the parties, as fair and reasonable men, presumably would have agreed upon if, having in mind the possibility of the situation which has arisen, they had contracted expressly thereto.’ " ( Id. ) (quoting Bromer v. Florida Power & Light Co. , 45 So.2d 658, 660 (Fla. 1950) ). "Common examples of contracts implied in fact are where a person performs services at another's request, or where services are rendered by one person for another without his expressed request, but with his knowledge, and under circumstances fairly raising the presumption that the parties understood and intended that compensation was to be paid." ( Id. ) (quoting Lewis v. Meginniss , 30 Fla. 419, 12 So. 19, 21 (1892) ).
In contrast, a contract implied in law, or quasi contract, is "not based upon the finding, by a process of implication from the facts, of an agreement between the parties." ( Id. ) A contract implied in law "is a legal fiction, an obligation created by the law without regard to the parties' expression of assent by their words or conduct." Merle Wood & Assocs., Inc. v. Trinity Yachts, LLC , 857 F.Supp.2d 1294, 1306 (S.D. Fla. 2012), aff'd, 714 F.3d 1234 (11th Cir. 2013) (quoting Equity Contracting Co. , 695 So.2d at 386 )). "The fiction was adopted to provide a remedy where one party was unjustly enriched, where that party received a benefit under circumstances that made it unjust to retain it without giving compensation." Equity Contracting Co. , 695 So.2d at 386 (citations omitted). To prove that a quasi-contract exists, the Plaintiff must establish that: (1) the plaintiff conferred a benefit on the defendant; (2) the defendant knew of the benefit; (3) the defendant accepted or retained the benefit; and (4) it would be inequitable for the defendant to retain the benefit without paying for it. ( Id. ) (citing Hillman Const. Corp. v. Wainer , 636 So.2d 576, 577 (Fla. 4th DCA 1994) ).
Florida courts use several different terms to describe a contract implied in law including—"quasi contract," "unjust enrichment," "restitution," "constructive contract," and "quantum meruit." Equity Contracting Co. , 695 So.2d at 386 (citations omitted). Plaintiff labelled Count Four as "Restitution/Unjust Enrichment." (D.E. 1 at 26.)
--------
In this case, the Plaintiff checked into the Defendants' healthcare facility to obtain medical treatment. Nothing in the Plaintiff's Complaint gives rise to a factual inference that the Defendants tacitly agreed to secure her personal data in exchange for remuneration. It is clear from the Plaintiff's allegations that she transacted to receive healthcare services from the Defendants—not data security services beyond the privacy requirements already imposed on the Defendants by federal law. Accordingly, the Court cannot imply a contract to provide data security services based on the conduct of the parties.
Additionally, Plaintiff has not pleaded the elements of an unjust enrichment/restitution claim. The factual allegations—viewed in their entirety and in the light most favorable to the Plaintiff—do not establish that: (1) she conferred payment—above and beyond the money owed for her medical treatment; (2) the Defendant knew Plaintiff paid additional remuneration for data security; and (3) Defendants accepted more money than was owed for their healthcare services. Consequently, Plaintiff has failed to state a quasi-contract claim.
Alternatively, Plaintiff's implied contractual theories fail because—like her breach of contract claim—Plaintiff cannot create a private right of action for violations of HIPAA by recasting her claims as common law, implied contract claims.
IV. Conclusion
For the reasons set forth above, it is ORDERED AND ADJUDGED that:
1. Miami Beach Healthcare Group, LTD and HCA–EmCare Holdings, LLC's Motion to Dismiss (D.E. 21), filed on June 10, 2016, is GRANTED IN PART AND DENIED IN PART;
2. Counts Two, Three and Four of Plaintiff's Complaint (D.E. 1) are DISMISSED WITHOUT PREJUDICE;
3. Plaintiff shall have ten (10) days from the date of this Order to file an Amended Complaint, should she choose to do so; and
4. The Court will DENY WITHOUT PREJUDICE the Defendants' Motion to Strike Plaintiff's Class Allegations (D.E. 21). The Defendants may re-file this Motion at an appropriate time after some discovery has been conducted.
DONE AND ORDERED in Chambers at Miami, Florida this 17th day of February, 2017.