The opinion of the court was delivered by: Matthew F. Kennelly, District Judge:
MEMORANDUM OPINION AND ORDER
Brandon Worix, on behalf of himself and a putative class of similarly situated individuals, has sued MedAssets, Inc. for its alleged failure to implement adequate safeguards to protect his personal information and to notify him properly when a computer hard drive containing that information was stolen. Worix asserts claims under the Stored Communications Act (SCA), 18 U.S.C. § 2702, the Illinois Consumer Fraud Act (ICFA), 815 ILCS 505/2, and Illinois common law. He filed the case in state court, and MedAssets removed it to federal court, citing the Class Action Fairness Act, 28 U.S.C. § 1332(d)(3), as well as federal question jurisdiction under 28 U.S.C. § 1331.
MedAssets has moved to dismiss all of Worix's claims pursuant to Federal Rule of Civil Procedure 12(b)(6). For the reasons stated below, the Court grants the motion.
The Court takes the following facts from Worix's complaint and accepts them as true for purposes of the motion to dismiss. Virnich v. Vorwald, 664 F.3d 206, 212 (7th Cir. 2011).
MedAssets describes itself as a "financial improvement partner for health care providers." Compl. ¶ 6. It handles personal and confidential information involving thousands of individuals, including patients of the Cook County Health & Hospitals System (CCHHS). Worix is one of these patients.
On June 24, 2011, an unknown person stole a computer hard drive from a MedAssets employee's car. Worix alleges that the hard drive contained information including the names, birthdays, and social security numbers of over 82,000 patients, including 32,000 CCHHS patients. The information was neither encrypted nor password protected.
Worix later received a letter dated August 19, 2011. The letter, written on CCHHS letterhead and signed by officials of both CCHHS and MedAssets, stated that the hard drive had been stolen. The letter also stated that the hard drive contained "names, encounter numbers and administrative information" but not "addresses, birth date[s], and social security number[s]." It also stated that the information was not password-protected or encrypted. The letter offered an apology as well as a call-in number if the recipient wanted more information, but no other form of relief. Id. Ex. A.
Worix claims that "MedAssets failed to adequately secure patients' personal health records" and that "[t]he security breach and corresponding data breach arising therefrom was caused by MedAssets' knowing violation of its government-mandated obligations to abide by best practices and industry standards concerning the security of medical information." Id. ¶¶ 9-10. He claims that MedAssets then "sent a deficient notification of the breach, inadequately describing exactly what information was accessible and failing to mention what remedial steps CCHHS patients -- or better yet, MedAssets -- could take to ensure CCHHS patients' identities were not stolen." Id. ¶ 11.
Worix asserts a claim under the SCA on behalf of himself and a putative class of "[a]ll persons residing in the United States whose personal and/or medical information was contained on the stolen hard drive in June 2011." Id. ¶ 14. He argues that as a result of MedAssets' alleged violations of the SCA, he and the other class members have "suffered injuries, including lost money and the costs associated with the need for vigilant credit monitoring and/or identity theft protection services to protect against additional identity theft." Id. ¶ 32. He also asserts claims for negligence and negligence per se, contending that he and the class members "suffered theft of sensitive, non-public, information, and . . . incurred the additional costs associated with increased risk of identity theft, all of which have ascertainable value to be proven at trial." Id. ¶ 40. Finally, Worix asserts a claim under the ICFA on behalf of himself and a putative subclass of Illinois residents. He argues that MedAssets violated the statute by failing to take proper security precautions and provide immediate notice of the breach to affected customers.
"Dismissal for failure to state a claim under Rule 12(b)(6) is proper 'when the allegations in a complaint, however true, could not raise a claim of entitlement to relief.'" Virnich, 664 F.3d at 212 (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 558 (2007)). "In reviewing a plaintiff's claim, the court must construe all of the plaintiff's factual allegations as true, and must draw all reasonable inferences in the plaintiff's favor. However, legal conclusions and conclusory allegations merely reciting the elements of the claim are not entitled to this presumption." Id. (citing Ashcroft v. Iqbal, 129 S. Ct. 1937, 1951 (2009)). "To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Iqbal, 129 S. Ct. at 1949 (internal quotation marks and citation omitted).
A. Stored Communications Act
In count one of his complaint, Worix seeks relief under 18 U.S.C. § 2702(a)(1), which provides that "a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." Alternatively, he seeks relief under 18 U.S.C. § 2702(a)(2), which provides that "a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service."
MedAssets argues for dismissal of count one on three grounds: the company is neither an "electronic communication service" nor a "remote computing service" provider; it does not provide its services "to the public"; and it did not "knowingly divulge" any protected information. Worix does not dispute that he must establish all three of these elements. Because the Court concludes that Worix cannot show that MedAssets knowingly divulged his information, it need not reach the other two arguments.
MedAssets argues that its alleged failure to take steps that would protect the information in the event of the hard drive's theft, even if true, did not constitute "knowingly divulg[ing]" information under the SCA. MedAssets relies primarily on Muskovich v. ...