Abdale v. N. Shore-Long Island Jewish Health Sys., Inc.

• Decision Date: 14 August 2015
• Citation: 19 N.Y.S.3d 850,2015 N.Y. Slip Op. 25274,49 Misc.3d 1027
• Parties: Denise R. ABDALE, Helene Butler, Paulette Schramm, Charleen Solomon, Lena Vetere, Charles Billups, Diane Peterman, M.D., Katherine Cross, Linda Kiehl, Elizabeth Caporaso, Richard Ertl and Jarrett Akins, on behalf of themselves and all others similarly situated, Plaintiff, v. NORTH SHORE–LONG ISLAND JEWISH HEALTH SYSTEM, INC., North Shore–Long Island Jewish Medical Care, PLLC, North Shore–Lij Network, Inc. and North Shore University Hospital, Defendant.
• Court: New York Supreme Court

49 Misc.3d 1027

19 N.Y.S.3d 850

2015 N.Y. Slip Op. 25274

Denise R. ABDALE, Helene Butler, Paulette Schramm, Charleen Solomon, Lena Vetere, Charles Billups, Diane Peterman, M.D., Katherine Cross, Linda Kiehl, Elizabeth Caporaso, Richard Ertl and Jarrett Akins, on behalf of themselves and all others similarly situated, Plaintiff,

v.NORTH SHORE–LONG ISLAND JEWISH HEALTH SYSTEM, INC., North Shore–Long Island Jewish Medical Care, PLLC, North Shore–Lij Network, Inc. and North Shore University Hospital, Defendant.

Supreme Court, Queens County, New York.

Aug. 14, 2015.

Law Offices of Bonita Zelman, Lake Success, for plaintiffs.

Ropes & Gray, LLP, New York City (Jason Brownand Joseph G. Cleemannof counsel), for defendants.

Opinion

ROBERT J. McDONALD, J.

This motion is determined as follows:

Plaintiffs commenced the within action on behalf of themselves and others similarly situated on February 5, 2013 to recover damages for, among other things, defendants' “failure to adequately protect the confidential personal and medical information of their current and former patients, conduct that ultimately resulted in identity and medical identity data breaches”. Plaintiffs are thirteen patients, or relatives of patients, who allegedly received medical services at medical facilities owned or operated by defendants North Shore–Long Island Jewish Health System, Inc. (Health System), North Shore–Long Island Jewish Medical Care, PLLC, (Medical Care), North Shore–LIJ Network, Inc. (Network) and North Shore University Hospital (NSUH). Plaintiffs allege that defendants Health System, Medical Care and NSUH each operate under the corporate umbrella of defendant Network; and that defendants Network, Health System and Medical Care own, operate, manages, maintains and secures defendant NSUH. The complaint refers to all four defendants collectively as North–Shore LIJ.

Plaintiffs allege that at the time they received medical treatment they provided personal information to the defendants, and that on or before Fall 2010 and continuing at least through 2012, medical record Face Sheets and unencrypted computer network data were stolen from defendants North–Shore LIJ. It is also alleged that patient's physical (hard copy) hospital Face Sheets were unsecured and were stolen from inside the premises of the defendants's facilities, including NSUH. These Face Sheets consist of cover sheets containing information about each patient, including their full name, their spouse's full name if married, date of birth, address, telephone number, medical record number, Social Security number, insurance information, and current medical information and history. Plaintiffs allege that the stolen data contains private, personal information, including but not limited to protected health information as defined by HIPPA, Social Security numbers, medical information and other information of hundreds of patients. Plaintiffs allege that as a result of the defendants' failure to implement and follow basic security procedures, their personal information is now in the hands of thieves, and that they face a substantial increased risk of identity theft. Each of the thirteen plaintiffs allege that they have experienced repeated instances of identity theft since said data breach and as that a consequence of said breach, plaintiffs, as well as current and former patients, have had to spend and will continue to spend significant time and money in the future to protect themselves. In addition, plaintiff Peterman alleges that as a result of the data breach her credit rating was substantially damaged; plaintiff Vetere alleges that as a result of the data breach her income tax refund for 2010 was fraudulently claimed and sent to a third party; and plaintiff Akins alleges that identity thieves fraudulently filed state and federal income tax returns for 2011, causing him substantial financial losses.

The complaint alleges that Health System through its Patients' Bill of Rights, and website, advised patients that it, and each of its owned of sponsored Article 28 not-for-profit corporations are required by law to follow HIPPA regulations and protect the privacy of health information that may reveal a patient's identity. The complaint further alleges that patients were also advised that they have a right to be notified of any breaches of “Unsecured Protected Health” information as soon as possible, but in any event no later than 60 days following the discovery of the breaches.

Plaintiffs allege that on January 26, 2012, Clincy M. Robinson was arrested and charged with Identity Theft in the First Degree (one count) and Criminal Possession of Computer Related Materials (two counts), Scheme to Defraud in the First Degree (2 counts) and Unlawful Possession of Personal Information in the Third Degree (1 count). Mr. Robinson was charged with being in possession of 25 Face Sheets from NSUH, data that is maintained on the computer network of NSUH, and being in possession of computer data consisting of personal identifying information for over 900 individuals, without authorization, and it is alleged that he pled guilty to these charges and was sentenced on December 13, 2012 in the District Court of Nassau County.

Plaintiffs also alleges that on June 1, 2012, Dennis Messias was arrested and charged with Identity Theft in the First Degree (four counts), Grand Larceny in the Third Degree, and Scheme to Defraud in the First Degree, in connection with the theft and unauthorized use of patients' personal information from the premises of NSUH.

Plaintiffs allege that the defendants were aware of these thefts and security breaches and that they failed to notify its patients within 60 days of the breach; that defendants failed to notify the Secretary of the U.S. Department of Health and Human Services of said security breaches in the year in which they discovered said breaches; and that defendants failed to maintain a written log of security breaches since 2007, on an annual basis.

The complaint alleges eleven causes of action for (1) negligence per se based upon violations of General Business Law § 899–aa; (2) negligence per se based on violations of Public Health Law § 18; (3) negligence per se based upon violations of General Business Law § 399–dd(4); (4) negligence per se based on violations of the Health Insurance Portability and Accountability Act of 1996 (HIPPA), Pub.L. No. 104–191, 110 Stat.1936 (1996); (5) negligence per se based on violations of the Health Information Technology for Economic and Clinical Health Act (HITECH), 42 U.S.C. § 17921–53; (6) violations of General Business Law § 349; (7) breach of contract; (8) breach of fiduciary duty; (9) negligence; (10) breach of the implied covenant of good faith and fair dealing; and (11) misrepresentation.

Defendants, prior to serving an answer, filed a notice of removal on March 8, 2013, which removed this action to the United States District Court for the Eastern District of New York (District Court), asserting that a federal jurisdiction question existed and that removal was appropriate under the Class Action Fairness Act of 2005(CAFA). On April 16, 2013, the defendants filed a motion in District Court to dismiss the complaint and on June 10, 2013, plaintiffs filed a motion to remand the matter to this court. The District Court, in an order dated June 14, 2014, denied the plaintiffs' motion to remand with leave to renew 30 days after the conclusion of expedited discovery pertaining to CAFA exceptions, and reserved judgment on the defendants' motion to dismiss (Abdale, et al. v. North Shore–Long Island Jewish Health System, Inc., et al.,2014 U.S. Dist Lexis 88881 [United States District Court for the Eastern District of New York, 2014] ). The parties were unable to formulate a joint discovery plan as directed by the court, and the matter was assigned to a magistrate. A status conference was held on October 2, 2014, at which time the magistrate made certain rulings pertaining to discovery. However, no discovery was had and defendants conceded that the matter should be remanded to this court, as the 268 individuals they sent letters to regarding the subject data breach were all New York State citizens. On November 13, 2014, the District Court remanded the matter back to this court, without any limit as to the size of the class.

Defendants, in this pre-answer motion seek to dismiss the complaint on the grounds of failure to state a cause of action, pursuant to CPLR 3211(a)(7).

It is well settled that “[o]n a motion to dismiss pursuant to CPLR 3211(a)(7)for failure to state a cause of action, the complaint must be construed liberally, the factual allegations deemed to be true, and the nonmoving party must be given the benefit of all favorable inferences” (Leon v. Martinez,84 N.Y.2d 83, 87, 614 N.Y.S.2d 972, 638 N.E.2d 511 [1994]; see AG Capital Funding Partners, L.P. v. State St. Bank & Trust Co.,5 N.Y.3d 582, 591, 808 N.Y.S.2d 573, 842 N.E.2d 471 [2005]; Goshen v. Mutual Life Ins. Co. of NY,98 N.Y.2d 314, 326, 746 N.Y.S.2d 858, 774 N.E.2d 1190 [2002]; Nasca v. Sgro,130 A.D.3d 588, 13 N.Y.S.3d 188 [2d Dept.2015]; Dolphin Holdings, Ltd. v. Gander & White Shipping, Inc.,122 A.D.3d 901, 901–902, 998 N.Y.S.2d 107 [2d Dept.2014]). The court is limited to “an examination of the pleadings to determine whether they state a cause of action,” and the “plaintiff may not be penalized for failure to make an evidentiary showing in support of a complaint that states a claim on its face” (Miglino v. Bally Total Fitness of Greater N.Y., Inc.,20 N.Y.3d 342, 351, 961 N.Y.S.2d 364, 985 N.E.2d 128 [2013]). “The test of the sufficiency of a pleading is whether it gives sufficient notice of the transactions, occurrences, or series of transactions or occurrences intended to be proved and whether the requisite elements of any cause of action known to our law can be discerned from its averments' ” (V. Groppa Pools, Inc. v. Massello,106 A.D.3d 722, 723, 964 N.Y.S.2d 563 [2d Dept.2013], quo...