Opinion
Civil Action 22-cv-10797
09-11-2023
MEMORANDUM AND ORDER ON DEFENDANT'S RENEWED AND SUPPLEMENTED MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM
STEARNS, D.J.
Plaintiffs Alexsis Webb and Marsclette Charley filed this putative class action against defendant Injured Workers Pharmacy (IWP) for alleged injuries arising out of a data breach that compromised the personally identifiable information (PII) of over 75,700 customers. The Complaint consists of six state law counts: negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty. IWP moves to dismiss all claims for failure to state a claim upon which relief can be granted pursuant to Fed.R.Civ.P. 12(b)(6). In the alternative, IWP moves to strike certain allegations from the Complaint under Fed.R.Civ.P. R. 12(f). For the reasons below, the court will allow in part and deny in part IWP's motion.
Plaintiffs voluntarily dismissed their negligence per se claim without prejudice. See Pls.' Opp'n to Def.'s Mot. to Dismiss (Dkt. # 22) at 15 n.2; Pls.' Opp'n to Def.'s Renewed Mot. to Dismiss (Dkt. # 38) at 1 n.1, 3 n.3.
IWP previously moved to dismiss the Complaint, and the court allowed the motion, finding that plaintiffs lacked Article III standing. See Webb v. Injured Workers Pharmacy, LLC, 2022 WL 10483751, at *2 (D. Mass. Oct. 17, 2022). The First Circuit Court of Appeals affirmed in part, reversed in part, and remanded for further proceedings. See Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023).
BACKGROUND
Accepting all well-pleaded facts as true, the relevant facts are as follows. In January of 2021, hackers - whose identities remain unknown -breached the patient records system of IWP, a pharmaceutical home delivery service. The patient records system contained patients' credit-card information, Social Security numbers, dates of birth, medical information, and Medicare and Medicaid identification numbers. IWP did not discover the breach until May of 2021. IWP did not notify affected customers of the breach until February of 2022. Both Ms. Webb, a former IWP customer, and Ms. Charley, a current IWP customer, had PII in IWP's custody that was compromised by the breach. After learning of the breach, Mses. Webb and Charley claim to have suffered anxiety, sleep disruption, stress, and fear, and spent time and effort monitoring their accounts. Compl. (Dkt. # 1) ¶¶ 56, 86, 97. Ms. Webb also alleges that she spent hours on the phone with the Internal Revenue Service resolving a fraudulent 2021 tax return filed by an unknown third party. Id. ¶ 88. Both plaintiffs allege that they suffered “damages to and diminution in the value of [their] PII,” which they allege has a monetary value of at least $1,000 for scammers on the dark web. Id. ¶¶ 5758, 91, 99.
DISCUSSION
“To survive a motion to dismiss, [plaintiffs'] complaint ‘must contain sufficient factual matter . . . to state a claim that is plausible on its face.'” Saldivar v. Racine, 818 F.3d 14, 18 (1st Cir. 2016), quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (second alteration in original). “[T]he Court may look only to the facts alleged in the pleadings, documents attached as exhibits or incorporated by reference in the complaint and matters of which judicial notice can be taken.” Clean Water Action v. Searles Auto Recycling, Corp., 288 F.Supp.3d 477, 480 (D. Mass. 2018). The analysis is “whether the well-pleaded factual allegations, viewed in the light most favorable to the plaintiff, state a claim for which relief can be granted.” Germanowski v. Harris, 854 F.3d 68, 71 (1st Cir. 2017). “If the facts articulated in the complaint are ‘too meager, vague, or conclusory to remove the possibility of relief from the realm of mere conjecture,' the complaint is vulnerable to a motion to dismiss.” In re Curran, 855 F.3d 19, 25 (1st Cir. 2017), quoting SEC v. Tambone, 597 F.3d 436, 442 (1st Cir. 2010).
Count I - Negligence
Under Massachusetts law, “[t]he elements of a negligence claim are that ‘the defendant owed the plaintiff a duty of reasonable care, that the defendant breached this duty, that damage resulted, and that there was a causal relation between the breach of the duty and the damage.'” Correa v. Schoeck, 479 Mass. 686, 693 (2018), quoting Jupin v. Kask, 447 Mass. 141, 146 (2006). “To state a claim for negligence, a plaintiff typically must allege damages beyond pure economic loss, as ‘purely economic losses are unrecoverable . . . in the absence of personal injury or property damage.'” Zoll Med. Corp. v. Barracuda Networks, Inc., 565 F.Supp.3d 101, 106 (D. Mass. 2021), quoting FMR Corp. v. Boston Edison Co., 415 Mass. 393, 395 (1993) (alteration in original). “[T]he economic loss rule is ‘founded on the theory that parties to a contract may allocate their risks by agreement and do not need the special protections of tort law.'” Arthur D. Little Int'l, Inc. v. Dooyang Corp., 928 F.Supp. 1189, 1202 (D. Mass. 1996), quoting South Carolina Elec. & Gas Co. v. Westinghouse Elec. Corp., 826 F.Supp. 1549, 1557 (D.S.C. 1993).
Plaintiffs plausibly allege a negligence claim. The Complaint alleges that IWP owed plaintiffs a duty of reasonable care to protect their PII and that IWP breached this duty by failing to implement proper safeguards to protect against a data breach.The Complaint lists publicly available “best practices” to prevent and detect cyberattacks published by the federal government, the U.S. Cybersecurity & Infrastructure Security Agency, and the Microsoft Threat Protection Intelligence Team. Compl. ¶¶ 49-51. These best practices plausibly establish that IWP's security procedures were deficient, permitting an inference that it breached its duty of care.
The Complaint does not successfully allege that IWP had a duty to inform plaintiffs of the “scope, nature, and occurrence” of the data breach. Compl. ¶ 112. The Complaint contains no factual allegations to support this duty, other than the bare assertion that the duty is “required and necessary.” Id. This is merely “a legal conclusion couched as a factual allegation,” which the court will not accept. Pappasan v. Allain, 478 U.S. 265, 286 (1986).
The Complaint also plausibly alleges that the data breach and the resulting injuries to plaintiffs were foreseeable results of IWP's failure to implement sufficient security safeguards, and that but for IWP's failure, plaintiffs would not have been harmed. The Complaint notes that several contemporaneous high-profile data breaches should have sufficed to put IWP on notice of the risks and consequences of its failure to adequately safeguard sensitive customer PII. Id. ¶¶ 46-48. Plaintiffs also allege that as a direct and foreseeable result of IWP's failure to implement proper security measures, plaintiffs have suffered damages. E.g., id. ¶¶ 118-119. IWP does not contest the sufficiency of this allegation, and causation is a fact-intensive question that the court cannot resolve at the pleading stage of the litigation. See Jupin, 447 Mass. at 146 (“[W]hether the defendant's breach and the damage were causally related” is in “the special province of the jury.”).
In marshalling their alleged harms, plaintiffs state that: (1) they have “spent considerable time and effort monitoring [their] accounts to protect [themselves] from additional identity theft”; (2) they suffer from some combination of feelings of rage, anxiety, fear, sleep disruption, stress, and physical pain; (3) they have suffered “damages to and diminution in the value of [their] PII”; (4) an unauthorized user used Ms. Webb's PII, including her name and Social Security Number, in an unspecified manner; (5) an “unknown and unauthorized third-party” filed a 2021 tax return using Ms. Webb's name, causing her to spend “considerable time” communicating with the IRS; and (6) plaintiffs “remain at a continued risk of harm due to the exposure and potential misuse of their personal data by criminal hackers.” Compl. ¶¶ 82-101. These factual allegations of harm taken together limn a plausible case that plaintiffs were harmed by IWP's breach of its duty.
Finally, plaintiffs' negligence claim is not barred by the economic loss doctrine. Although precedential cases almost uniformly hold that only a tangible physical injury to person or property can overcome the economic loss doctrine's bar, see, e.g., In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498-499 (1st Cir. 2009); Garweth Corp. v. Boston Edison Co., 415 Mass. 303, 305 (1993), other (non-precedential) cases have held that the “personal injury” can be satisfied by a claim of emotional distress, see McCormick v. Lischynsky, 2019 WL 3429242, at *5 (D. Mass. July 30, 2019). Here, at the pleading stage, plaintiffs have alleged sufficient nonmonetary harm, including palpable emotional distress, sufficient to satisfy the “personal injury” exception to the economic loss doctrine. See Maio v. TD Bank, N.A., 2023 WL 2465799, at *4 (D. Mass. Mar. 10, 2023) (allegations of “lost sleep, anxiety, and depression” were sufficient to overcome motion to dismiss negligence claim on economic loss doctrine grounds).
The United States Supreme Court has suggested the same, although without deciding the issue. See TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2211 & n.7 (2021)
Count II - Negligence Per Se
Massachusetts does not recognize negligence per se, meaning that a violation of a statute “does not create a duty in a plaintiff where one does not exist independently.” Lev v. Beverly Enters.-Massachusetts, Inc., 457 Mass. 234, 245 (2010), quoting Goulart v. Canton Hous. Auth., 57 Mass.App.Ct. 440, 444 (2003). Instead, “[i]t is only where a duty of care exists that the violation of a statute, ordinance, regulation, or policy is relevant because it constitutes some evidence of a defendant's negligence. The violation does not constitute negligence per se.” Id. As previously noted, plaintiffs have voluntarily dismissed their negligence per se claim without prejudice. Because Massachusetts does not recognize negligence per se as a matter of law, Count II will be dismissed with prejudice.
Count III - Breach of Implied Contract
An implied contract “may be inferred from (1) the conduct of the parties and (2) the relationship of the parties.” T.F. v. B.L., 442 Mass. 522, 526-527 (2004); see also Sullivan v. O'Connor, 81 Mass.App.Ct. 200, 212213 (2009) (implicit contract existed obligating homeowners to pay homeowner association assessments where owners had actual knowledge of the association, “paid the semiannual assessments for six consecutive years, and consistently availed themselves of the services provided by the association”).
The Complaint alleges that: (1) IWP required its patients to provide PII to acquire its services; (2) plaintiffs believed IWP would protect their PII; (3) IWP “impliedly promised to maintain safeguards to protect its patients' PII”; and (4) IWP impliedly promised to provide individuals whose PII it possessed “with prompt and adequate notice of all unauthorized access or theft of their PII.” Compl. ¶¶ 23, 83-84, 95, 131-132, 135-136. These allegations are insufficient to support the plausible existence of an implied contract between plaintiffs and IWP.
While the Complaint adequately alleges that plaintiffs had a good faith belief that their PII would be protected by IWP, there is no allegation that IWP agreed - explicitly or implicitly - to provide such protection. The factual allegations plaintiffs lay out in support of the existence of such a contract consist exclusively of post-breach assurances given by IWP (one year after the breach) that it was in the process of implementing the very security measures that plaintiffs contend should have been put in place well before the breach occurred. As such, they have no value in any assessment of whether a contract existed at the time that plaintiffs allege.
The Complaint does allege that IWP “agreed it would not disclose the PII it collects from patients to unauthorized persons.” Compl. ¶ 132. However, the Complaint does not specify whether IWP offered this assurance before or after the data breach occurred. If given before, the assurance, standing alone, is “too meager, vague, [and] conclusory to remove the possibility of relief from the realm of mere conjecture.” Tambone, 597 F.3d at 442. And if offered after the breach, it cannot form the basis of a prebreach implicit contract.
The court sees no foundational support in the law for plaintiffs' sweeping statement that “[e]very transaction in which a party supplies confidential information necessarily includes the implicit promise that the recipient will maintain that confidentiality.” Pls.' Opp'n to Def.'s Renewed Mot. to Dismiss at 10.
Count IV - Unjust Enrichment
“Unjust enrichment is defined as ‘retention of money or property of another against the fundamental principles of justice or equity and good conscience.'” Santagate v. Tower, 64 Mass.App.Ct. 324, 329 (2005), quoting Taylor Woodrow Blitman Constr. Corp. v. Southfield Gardens Co., 534 F.Supp. 340, 347 (D. Mass. 1982). “A plaintiff asserting a claim for unjust enrichment must establish not only that the defendant received a benefit, but also that such a benefit was unjust, ‘a quality that turns on the reasonable expectations of the parties.'” Metro. Life Ins. Co. v. Cotter, 464 Mass. 623, 644 (2013), quoting Glob. Inv. Agent Corp. v. Nat. Fire Ins. Co., 76 Mass.App.Ct. 812, 826 (2010). “[A] claim of unjust enrichment will not lie ‘where there is a valid contract that defines the obligations of the parties.'” Chang v. Winklevoss, 95 Mass.App.Ct. 202, 210-211 (2019), quoting Metro. Life Ins. Co. v. Cotter, 464 Mass. 623, 641 (2013). However, at the pleading stage, a plaintiff is permitted to plead claims in law and equity in the alternative. Id. at 211.
Plaintiffs' theory of unjust enrichment consists of their belief that their payments for pharmaceutical services implicitly included the costs entailed in the protection of their PII and that IWP was unjustly enriched by the difference between what plaintiffs actually paid and what plaintiffs would have paid had they known IWP was not taking adequate steps to secure their data. Compl. ¶¶ 84, 95, 147-149. A theory like the one advanced by plaintiffs was considered - and rejected - by the District Court in In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154 (D. Minn. 2014). In Target, plaintiffs alleged that Target violated various state laws because of a data breach and sought relief on, among other grounds, unjust enrichment. Specifically, plaintiffs relied on an “overcharge” theory, claiming that they were overcharged for goods they purchased because “the purchase price of the goods Target sold included a premium for adequate data security.” Id. at 1177-1178.
The court does not read the Complaint to allege, as IWP asserts, that “it is unjust for IWP to retain money paid for the pharmaceutical services it provided to and which were received by Plaintiffs.” Def.'s Renewed Mot. to Dismiss at 14.
This court agrees with the result reached by the District Court in Target. The instant Complaint does not allege that plaintiffs paid extra for a security package that they were promised and did not receive, see e.g., Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012) (allowing unjust enrichment claim where plaintiffs paid a premium for data security but defendant did not have adequate security standards), or that IWP itself profited in any way from plaintiffs' PII, see, e.g., In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 412-413 (E.D. Va. 2020) (valid unjust enrichment claim against Amazon where Amazon profited from storing PII and failed to adequately secure it). Plaintiffs paid IWP for (and received) pharmaceutical services; they do not allege that they paid separately for storage of their PII.
Count V - Invasion of Privacy
“‘Massachusetts has never recognized a common-law cause of action for invasion of privacy,' but ‘recognizes an actionable right of privacy' under the privacy statute.” Axford v. TGM Andover Park, LLC, 2021 WL 681953, at *13 (D. Mass. Feb. 22, 2021), first quoting Spencer v. Roche, 755 F.Supp.2d 250, 271 (D. Mass. 2010), and then quoting Dasey v. Anderson, 304 F.3d 148, 153 (1st Cir. 2002). A plaintiff bringing a statutory invasion of privacy claim must plead two elements: “[1] a gathering and dissemination of facts of a private nature that [2] resulted in an unreasonable, substantial, or serious interference with his privacy.” Hayes v. Mirick, 378 F.Supp.3d 109, 117 (D. Mass. 2019), quoting Branyan v. S.W. Airlines Co., 105 F.Supp.3d 120, 126 (D. Mass. 2015) (alterations in original). Invasion of privacy, however, is an intentional tort. Elliot-Lewis v. Abbott Lab'ys, 378 F.Supp.3d 67, 71 (D. Mass. 2019); White v. City of Boston, 2022 WL 2704404, at *10 (D. Mass. July 12, 2022).
It is on the element of intentionality that the Complaint fails in its attempt to sketch a successful claim for invasion of privacy. While the Complaint plausibly alleges that plaintiffs' private information was negligently disseminated resulting in an unreasonable interference with plaintiffs' privacy, it fails to allege any intentional acts on the part of IWP that could be said to have been the legal cause of the dissemination.Indeed, the Complaint nowhere alleges that IWP disseminated anything. It merely claims that IWP acted negligently. See, e.g., Hayes, 378 F.Supp.3d at 117; see also Purvis v. Aveanna Healthcare, LLC, 563 F.Supp.3d 1360, 1377 (N.D.Ga. 2021) (allowing motion to dismiss invasion of privacy claim where “central narrative” of the complaint was that defendant “failed to take sufficient precautions to prevent [the] intrusion”); In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1225 (S.D. Fla. 2022) (“[C]ourts routinely dismiss invasion-of-privacy claims where a plaintiff fails to allege that a defendant ‘intentionally divulged his PII' and instead asserts that ‘an unknown [person] stole the PII from [the defendant's] computer system.”), quoting Burrows v. Purchasing Power, LLC, 2012 WL 9391827, at *6 (S.D. Fla. Oct. 18, 2012) (second and third alterations in original).
In their Opposition to Defendant's Renewed and Supplemental Motion to Dismiss, plaintiffs claim for the first time that IWP acted intentionally in “skimp[ing] on its data security.” Pls.' Opp'n to Def.'s Renewed Mot. to Dismiss at 15. This new allegation is not only untimely but also wholly unsupported.
Count VI - Breach of Fiduciary Duty
“Fiduciary duties may arise in two ways: (a) as a matter of law, where parties to the subject relationship are cast in archetypal roles, . . . or (b) as ‘determined by the facts established,' upon ‘evidence indicating that one person is in fact dependent on another's judgment in business affairs or property matters.'” UBS Fin. Servs., Inc. v. Aliberti, 483 Mass. 396, 406 (2019), first quoting Warsofsky v. Sherman, 326 Mass. 290, 293 (1950), and then quoting Markell v. Sidney B. Pfeifer Found., Inc., 9 Mass.App.Ct. 412, 444 (1978). To establish a claim for breach of fiduciary duty, plaintiffs must allege “(1) the existence of a duty of a fiduciary nature, based on the relationship of the parties, (2) breach of that duty, and (3) a causal relationship between that breach and some resulting harm to the plaintiff.” Amorim Holding Financeria, S.G.P.S., S.A. v. C.P. Baker & Co., 53 F.Supp.3d 279, 293 (D. Mass. 2014).
The Massachusetts Superior Court has twice considered the issue whether the law imposes a fiduciary duty on a pharmacist to keep confidential her patient's PII and has both times concluded that such a fiduciary relationship exists, relying in part on 247 Mass. Code Regs. 9.01(19). See Kelly v. CVS Pharmacy, Inc., 23 Mass. L. Rptr. 87 (Mass. Super. Ct. 2007); Weld v. CVS Pharmacy, Inc., 10 Mass. L. Rptr. 217 (Mass. Super. Ct. 1999). Section 9.01(19) requires a pharmacist to “maintain patient confidentiality at all times” subject to limited exceptions. 247 Mass. Code Regs. 9.01(19).
Absent any statement to the contrary by the Massachusetts Supreme Judicial Court or the Appeals Court, this court will for present purposes accept the holding of the Superior Court that Massachusetts law does recognize the fiduciary duty on which plaintiffs rely. This said, the court also agrees that the Complaint successfully alleges that IWP breached its duty to its patients to protect the confidentiality of the PII, and that the plaintiffs were harmed as a result.
Motion to Strike
Pursuant to Fed.R.Civ.P. 12(f), the court may strike from a pleading any “redundant, immaterial, impertinent, or scandalous matter.” Such motions are “rarely granted absent a showing of prejudice to the moving party,” Hayes v. McGee, 2011 WL 39341, at *2 (D. Mass. Jan. 6, 2011), or where the allegations have “no possible relation to the controversy,” DeMoulis v. Sullivan, 1993 WL 81500, at *5 (D. Mass. Feb. 26, 1993). See also Boreri v. Fiat, 763 F.2d 17, 23 (1st Cir. 1985) (motions to strike are “disfavored in practice, and not calculated readily to invoke the court's discretion”).
IWP moves to strike paragraphs 45-46, 55, and 57-74 of the Complaint, claiming that the allegations they set out are “immaterial and generalized” and are “designed to improperly inflame the issues and a jury and invite speculation.” Def.'s Renewed Mot. to Dismiss (Dkt. # 37) at 17. The court disagrees. Most of these allegations relate to plaintiffs' argument that IWP was on notice of the potential harm of a data breach, an argument that is not unfairly prejudicial to IWP under the circumstances. The court sees no reason to strike these allegations.
ORDER
For the foregoing reasons, IWP's motion to dismiss the Complaint is DENIED as to Counts I and VI. The court hereby DISMISSES WITH PREJUDICE Counts II, III, IV, and V. IWP's motion to strike paragraphs 4546, 55, and 57-74 of the Complaint is DENIED.
SO ORDERED.