IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
April 24, 2012
BRANDON WORIX, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED, PLAINTIFF,
v.
MEDASSETS, INC., DEFENDANT.
The opinion of the court was delivered by: Matthew F. Kennelly, District Judge:
MEMORANDUM OPINION AND ORDER
Brandon Worix, on behalf of himself and a putative class of similarly situated individuals, has sued MedAssets, Inc. for its alleged failure to implement adequate safeguards to protect his personal information and to notify him properly when a computer hard drive containing that information was stolen. In an earlier decision, the Court dismissed Worix's complaint pursuant to Federal Rule of Civil Procedure 12(b)(6) and gave him the opportunity to submit an amended complaint. See Worix v. MedAssets, Inc., No. 11 C 8088, 2012 WL 787210 (N.D. Ill. Mar. 8, 2012). Worix has filed a combined motion asking the Court to reconsider its dismissal of count one and allow him to amend counts two and three (formerly counts two and four). For the reasons stated below, the Court denies the motion to reconsider and grants in part the motion to amend.
Worix's claims concern the theft from a MedAssets employee's car of a hard drive containing information about him and thousands of other patients of the Cook County Health & Hospitals System. The Court assumes familiarity with the more detailed factual summary in its previous decision. See Worix, 2012 WL 787210, at *1. In that decision, the Court dismissed Worix's claim under the Stored Communications Act (SCA) after concluding that MedAssets' alleged failure to implement certain data-protecting safeguards could not constitute "knowingly divulging" information under the SCA. Id. at *2. The Court also dismissed Worix's claims for negligence and violation of the Illinois Consumer Fraud Act (ICFA), 815 ILCS 505/2, after concluding that his allegations that he is subject to an increased risk of identity theft and must pay for credit monitoring did not constitute compensable injury.
In his proposed amended complaint, Worix alleges that after MedAssets notified him of the theft, he "fell into a state of extreme emotional distress and depression as he worried that the exposure of his personal information would make him vulnerable to identity theft or credit-card theft." Am. Compl. ¶ 17. He alleges that he also "experienced distress over the serious and permanent invasion of his privacy" that "caused him to have problems concentrating during the day and problems sleeping at night." Id. ¶ 18. These problems eventually "prevented him from meeting performance expectations at work, and he was terminated in late 2011 as a result." Id. ¶ 19.
A. Motion to reconsider
Worix has moved the Court to reconsider its dismissal of count one. "Motions for reconsideration serve a limited function: to correct manifest errors of law or fact or to present newly discovered evidence." Caisse Nationale de Credit Agricole v. CBI Indus., Inc., 90 F.3d 1264, 1269 (7th Cir. 1996) (internal quotation marks and citation omitted). "A 'manifest error' is not demonstrated by the disappointment of the losing party." Oto v. Metro. Life Ins. Co., 224 F.3d 601, 606 (7th Cir. 2000). Rather, "[i]t is the wholesale disregard, misapplication, or failure to recognize controlling precedent." Id. (internal quotation marks and citation omitted).
In count one, Worix seeks relief under the SCA, which provides that "a person or entity" providing either an "electronic communication service" or a "remote computing service to the public shall not knowingly divulge to any person or entity the contents of a communication" stored or carried on that service. 18 U.S.C. § 2702(a)(1)-(2). In its previous decision, the Court determined that the question of whether information had been "knowingly divulge[d]" should be analyzed according to "the common meaning of knowing conduct[, which] includes willful blindness, but not recklessness or negligence." Worix, 2012 WL 787210 at *3. The Court then concluded that "the failure to take reasonable steps to safeguard data," which was all Worix had alleged, "does not, without more, amount to divulging that data knowingly or with willful blindness." Id. at *4.
Worix argues that the Court erred in dismissing his claim at the pleading stage, because "evidence procured during the discovery phase of this case [may] provide the required proof that MedAssets took deliberate actions to turn a blind eye to the critical security threat created by its lax practices." Pl.'s Mem. at 3. As the Court explained in its previous decision, however, Worix nowhere alleges an actual act by MedAssets that constituted knowing disclosure, only that MedAssets' actions created or contributed to an unacceptable risk that data would be compromised. And the question is whether Worix's allegations are sufficient now, not whether evidence he might later obtain could give rise to a viable claim.
The cases referenced in the Court's decision, despite the fact that they addressed motions for summary judgment rather than dismissal, support this analysis. See Global-Tech Appliances, Inc. v. SEB S.A., 131 S.Ct. 2060, 2070-71 (2011) (comparing "a willfully blind defendant [who] almost can be said to have actually known the critical facts" with "a reckless defendant . . . who merely knows of a substantial and unjustified risk of such wrongdoing"); Freedman v. America Online, Inc., 329 F. Supp. 2d 745, 749 (E.D. Va. 2004) (noting that the SCA requires a plaintiff to show that "defendant was aware, or possessed a firm belief, that his act would result in" disclosure) (emphasis added); Muskovich v. Crowell, No. 3-95-CV-20007, 1996 WL 707008, at *5 (S.D. Iowa Aug. 30, 1996) (finding that employer whose failure to implement safeguards had resulted in data breach did not "knowingly divulge" because "[a]wareness of a 'possibility' does not rise to the level of a 'substantial certainty' required for liability under the [SCA]").
The Seventh Circuit's interpretation of "willful blindness" in other contexts also supports the proposition that conscious awareness of unauthorized disclosure is required, not simply an unjustifiable risk that a defendant's actions will lead to further wrongdoing. See, e.g., United States v. Pedroza, 176 Fed. Appx. 698, 700-01 (7th Cir. 2006) ("[A] court may instruct a jury as to willful blindness when the facts support an inference that the defendant participated in a drug deal but left the scene of the sale to insulate himself from guilty knowledge of the transaction."); Hard Rock Cafe Licensing Corp. v. Concession Servs., Inc., 955 F.2d 1143 (7th Cir. 1992) ("To be willfully blind [for purposes of the Lanham Act], a person must suspect wrongdoing and deliberately fail to investigate.").
For these reasons, the Court denies Worix's motion to reconsider its dismissal of count one.
B. Motion to amend
MedAssets argues that the Court should not grant Worix's motion to amend because the complaint, even as amended, would not withstand a motion to dismiss. A court may deny a plaintiff the opportunity to amend when this is the case. General Elec. Capital Corp. v. Lease Resolution Corp., 128 F.3d 1074, 1085 (7th Cir. 1997). "Dismissal for failure to state a claim under Rule 12(b)(6) is proper 'when the allegations in a complaint, however true, could not raise a claim of entitlement to relief.'" Virnich v. Vorwald, 664 F.3d 206, 212 (7th Cir. 2011) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 558 (2007)). "In reviewing a plaintiff's claim, the court must construe all of the plaintiff's factual allegations as true, and must draw all reasonable inferences in the plaintiff's favor." Id. "To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Iqbal, 129 S. Ct. at 1949 (internal quotation marks and citation omitted).
As the Court explained above, Worix has amended his negligence claim to assert that he suffered from emotional distress as a result of the theft of his data. MedAssets argues that the claim nonetheless cannot survive because, as a matter of negligence law, MedAssets owed Worix no duty to protect his information or notify him of the theft, and Worix suffered no compensable injuries.
MedAssets contends first that the letter it sent notifying customers of the theft, which Worix has attached to his complaint, stated that the compromised information "included names, encounter numbers and administrative information but NOT Plaintiff's address, birth date or social security number." Def.'s Resp. at 9. It argues that Worix has therefore pleaded himself out of court because none of the stolen information was sensitive. As Worix points out, however, the complaint alleges that the hard drive contained more than just this information. The fact MedAssets' letter only described certain information does not conclusively indicate that only that information was revealed. Moreover, the terms "encounter numbers" and "administrative information" are not defined, and it is therefore possible that even the information referenced in the letter was sensitive in some way.
MedAssets also argues, however, that it had no legal duty to protect even sensitive information. "[U]nless a duty is owed, there is no negligence." Washington v. City of Chicago, 188 Ill. 2d 235, 238, 720 N.E.2d 1030, 1032 (1999) (internal quotation marks and citation omitted). MedAssets cites a case in which the Illinois Appellate Court considered the claims of employees whose personal information was sent to other employees along with a routine medical insurance mailing. The court determined that, although "[a] violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence," neither the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320(d)(6), nor Illinois' Personal Information Protection Act (PIPA), 815 ILCS 530/1, provided a basis for finding that the defendant had a duty not to disclose the disputed information. Cooney v. Chi. Pub. Schs., 407 Ill. App. 3d 358, 361-62, 943 N.E.2d 23, 28 (2010).
Worix does not dispute this aspect of the holding in Cooney. He argues, however, that his case is distinguishable because "MedAssets' duty derives from its responsibility to consumers to reasonably handle and safeguard the patient medical information with which it is entrusted." Pl.'s Reply at 7-8. Worix cites no authority for this proposition, nor does he address the fact that the court in Cooney specifically declined to recognize a "new common law duty" to safeguard information.
[Plaintiffs] claim a duty is justified by the sensitive nature of personal data such as dates of birth and social security numbers. Plaintiffs do not cite to an Illinois case that supports this argument. While we do not minimize the importance of protecting this information, we do not believe that the creation of a new legal duty beyond legislative requirements already in place is part of our role on appellate review.
Cooney, 407 Ill. App. 3d at 363, 943 N.E.2d at 28-29. In light of this statement, the Court -- as with Worix's injury claims in its previous decision -- "decline[s] to adopt a 'substantive innovation' in [Illinois] law or 'to invent what would be a truly novel tort claim' on behalf of the state absent some authority to suggest that the approval of the Supreme Court of [Illinois] is forthcoming." Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 640 (7th Cir. 2007) (citations omitted). Worix's claim that MedAssets breached its duty to protect his information fails.
Worix also alleges in his complaint that MedAssets "breached its duty of care by failing to provide accurate, prompt, and clear notification to Plaintiff and members of the Class that their personal and/or medical data had been compromised." Am. Compl. ¶ 11. MedAssets argues in its response that, because none of the information was sensitive, there was no duty to notify Worix about the theft. As the Court described above, this argument fails because Worix's allegations that the information was sensitive must be taken as true.
Worix does not respond to MedAssets' argument in his reply, but the parties discussed this issue in their earlier round of briefs. In his response to MedAssets' motion to dismiss, Worix argued that both PIPA and HIPAA can serve as statutory sources for MedAssets' duty to disclose the breach promptly. The relevant provision of PIPA states:
Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
815 ILCS 530/10(b). In response, MedAssets pointed out that the previous section of the statute establishes that "[a]ny data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident" in the event of a breach. 815 ILCS 530/10(a) (emphasis added). Thus, the statute as a whole treats an "owner or licensee" differently from an "Illinois resident" in connection with disclosure obligations. Because Worix is the latter rather than the former -- he is not the "owner or licensee" of the information that MedAssets held -- MedAssets did not owe him a duty of prompt disclosure under section 10(b). (Worix did not argue that MedAssets was an owner or licensee of information and was therefore bound by section 10(a).) The Court finds this reading of the statute persuasive and concludes that Worix cannot rely on PIPA to establish MedAssets' duty to inform him of the theft.
In their earlier briefing, the parties agreed that for HIPAA to provide a statutory basis for the duty to inform (or to protect the data in the first place), MedAssets must be a "covered entity" according to the statute and its regulations. A "covered entity" is defined as "a health plan," a "health care clearinghouse," or a "health care provider who transmits any health information in electronic form . . . ." 45 C.F.R. § 160.103. Worix argued that MedAssets is a "health care clearinghouse," which is defined as a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Although Worix states in his complaint that MedAssets is a "covered entity," Am. Compl. ¶ 7, "legal conclusions and conclusory allegations merely reciting the elements of the claim are not entitled to [the] presumption" of truth. Virnich, 664 F.3d at 212 (citing Ashcroft v. Iqbal, 129 S. Ct. 1937, 1951 (2009)). Worix argues that MedAssets' description of itself as a "financial improvement partner for healthcare providers," coupled with the fact that it had patient data in its possession, establishes that it meets the definition of a health care clearinghouse. The only allegations in the complaint specifically describing MedAssets, however, state that it "provides physicians and hospitals with the ability to communicate patients' medical records electronically," Am. Compl. ¶ 37; MedAssets' "equipment is used for the electronic storage and remote processing of patient medical records," id. ¶ 41; and MedAssets "agree[d] to accept Plaintiff's and Class members' non-public personal and/or medical information through its partnership with various hospitals," id. ¶ 47. As MedAssets argues, none of these statements amounts to an allegation that MedAssets performs the functions specified under the regulatory definition of a health care clearinghouse.
Worix also argued that MedAssets is a "business associate" of Cook County hospitals, which MedAssets did not dispute, and that MedAssets therefore "qualifies as a 'covered entity' . . . because . . . a covered entity may be a business associate of another covered entity." Pl.'s Resp. to Def.'s Mot. to Dismiss at 13. The fact that a covered entity may be a business associate, however, does not mean that a business associate is automatically a covered entity, and Worix provides no authority to suggest otherwise. And as MedAssets points out, HIPAA's obligations regarding business associates do not establish a basis for Worix's claims in this case. See Floyd v. SunTrust Banks, Inc., 1:10-CV-2620, 2011 WL 2441744, at *4 (N.D. Ga. June 13, 2011).
For these reasons, the Court concludes that neither Illinois common law, PIPA, nor HIPAA provides a basis for Worix's negligence claims. The Court therefore denies Worix's motion to amend count two of his complaint. The Court's earlier order dismissing this count stands.
MedAssets argues that Worix's ICFA claim cannot survive because he has failed to allege a deceptive or unfair trade practice. MedAssets first contends that Worix has not identified the circumstances of the alleged deception with the necessary particularity. Worix responds that he has alleged unfair, rather than deceptive, conduct under ICFA. "Because neither fraud nor mistake is an element of unfair conduct under Illinois' Consumer Fraud Act, a cause of action for unfair practices . . . need only meet the notice pleading standard of Rule 8(a), not the particularity requirement in Rule 9(b)." Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs., Inc., 536 F.3d 663, 669 (7th Cir. 2008).
MedAssets next argues that Worix has not identified a specific instance of deceptive communication. Again, however, ICFA does not require a plaintiff alleging an unfair act to plead fraud or deception. Instead, unfair acts are analyzed based on "(1) whether the practice offends public policy; (2) whether it is immoral, unethical, oppressive, or unscrupulous; (3) whether it causes substantial injury to all consumers." Id. (quoting Robinson v. Toyota Motor Credit Corp., 201 Ill.2d 403, 417-18, 775 N.E.2d 951, 961 (2002)) (internal quotation marks omitted). "A court may find unfairness even if the claim does not satisfy all three criteria . . . 'because of the degree to which it meets one of the criteria or because to a lesser extent it meets all three.'" Id. The statute also states that courts construing it shall give "consideration . . . to the interpretations of the Federal Trade Commission and the federal courts relating to Section 5(a) of the Federal Trade Commission Act." 815 ILCS 505/2.
Another judge in this district recently considered the case of a retailer whose allegedly inadequate security procedures had allowed the placement of counterfeit credit card machines in its stores, resulting in fraudulent withdrawals from customer accounts. The judge determined that the "[p]laintiffs' allegations show that [the defendant] ignored its obligation to implement procedures and practices preventing the criminal conduct" and that plaintiffs thereby alleged "an unfair practice under the ICFA." In re Michaels Stores Pin Pad Litig., __ F. Supp. 2d __, No. 11 C 3350, 2011 WL 5878373, at *5 (N.D. Ill. Nov. 23, 2011). The judge cited a case in which the First Circuit drew upon Federal Trade Commission precedent in determining that a company's alleged disregard for required security measures could constitute "inexcusable and protracted reckless conduct" that was actionable under Massachusetts' consumer fraud statute, which is similar to ICFA. In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 496 (1st Cir. 2009). The Court finds these cases persuasive and concludes that Worix has adequately alleged an unfair practice under the ICFA.
MedAssets' final argument is that Worix has not alleged that he suffered compensable injury. MedAssets maintains that Worix's assertions are insufficient because he does not state a specific amount of economic damage, his alleged anxiety is insufficiently severe, and his fear of future harm is not a compensable injury in itself. Worix himself points out that ICFA "provides remedies for purely economic injuries" and a plaintiff who alleges "only emotional damages" cannot make a successful claim. Morris v. Harvey Cycle and Camper, Inc., 392 Ill. App. 3d 399, 402, 911 N.E.2d 1049, 1053 (2009).
MedAssets provides no support for the propositions that a plaintiff must specifically state the amount of damages he seeks in his complaint or must plead emotional distress of a specific degree of severity to succeed on a claim under ICFA.
Although MedAssets is correct that fear of future harm is not an injury in itself, Worix has also pled that the theft caused him emotional distress to such a degree that he lost his job. Coupled with allegations of otherwise compensable injury, a plaintiff may claim that "an increased risk of harm is an element of damages that can be recovered for a present injury [even] if it is not the injury itself." Williams v. Manchester, 228 Ill. 2d 404, 425, 888 N.E.2d 1, 13 (2008) (emphasis in original). And although Morris establishes that Worix's alleged damages would be insufficient if he had alleged only emotional distress, he also asserts that he suffered economic damage based on his lost employment. "[D]amages for [emotional distress, inconvenience, and] aggravation are compensable under the Consumer Fraud Act only when they are part of a total award that includes actual economic damages." Morris, 392 Ill. App. 3d at 403, 911 N.E.2d at 1053. The Court concludes that the combination of damages Worix has alleged -- a risk of future harm, the cost of credit monitoring, emotional distress, and lost wages -- constitutes a sufficient allegation of compensable injury under the ICFA.
For these reasons, the Court grants Worix's motion to amend count three (formerly count four) of his complaint. The ICFA claim survives MedAssets' motion to dismiss.
3. Class allegations
MedAssets argues that the amended complaint "cannot withstand a motion to dismiss because it does not satisfy the requirements of Rule 23(b)(3), because individual issues predominate over common questions of fact or law." Def.'s Resp. at 7. This is not a basis for dismissing any of Worix's claims, which stand or fall irrespective of whether he can later persuade the Court to certify a class.
In any event, "a court may abuse its discretion by not allowing for appropriate discovery before deciding whether to certify a class." Damasco v. Clearwire Corp., 662 F.3d 891, 897 (7th Cir. 2011). The Court concludes that it would be premature to strike all or part of Worix's complaint, or to rule preemptively that no class claims may be asserted, before there is any evidence regarding the claims of other potential class members.
For the reasons stated above, the Court grants in part Worix's combined motion to reconsider and amend [docket no. 37]. The Court denies the motion to reconsider its dismissal of count one and denies Worix's request to amend count two, but it grants Worix's request to amend count three. The case remains set for a status hearing on April 24, 2012 at 9:30 a.m. to set a schedule for further proceedings.
MATTHEW F. KENNELLY United States District Judge