Abernathy v. Brandywine Urology Consultants, P.A., 012121 DESUP, N20C-05-057 MMJ CCLD

Docket NºC. A. N20C-05-057 MMJ CCLD
Opinion JudgeHonorable Mary M. Johnston, Judge
Party NameCECILIA ABERNATHY, FLINT DELON, TINA MURPHY and JEFFREY WASKO, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED, Plaintiffs, v. BRANDYWINE UROLOGY CONSULTANTS, P.A., Defendant.
AttorneyGary M. Klinger, Esq., (Argued) Mason Lietz & Klinger LLP, Chicago, Illinois, Gary E. Mason, Esq., David K. Lietz, Esq., Mason Lietz & Klinger LLP, Washington, District of Columbia, Jared T. Green, Esq., Seitz, Van Ogtrop & Green, P.A., Wilmington, Delaware, Attorneys for Plaintiffs and the Propo...
Case DateJanuary 21, 2021
CourtSuperior Court of Delaware

CECILIA ABERNATHY, FLINT DELON, TINA MURPHY and JEFFREY WASKO, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED, Plaintiffs,

v.

BRANDYWINE UROLOGY CONSULTANTS, P.A., Defendant.

C. A. No. N20C-05-057 MMJ CCLD

Superior Court of Delaware

January 21, 2021

Submitted: October 30, 2020

On Defendant's Motion to Dismiss GRANTED.

Gary M. Klinger, Esq., (Argued) Mason Lietz & Klinger LLP, Chicago, Illinois, Gary E. Mason, Esq., David K. Lietz, Esq., Mason Lietz & Klinger LLP, Washington, District of Columbia, Jared T. Green, Esq., Seitz, Van Ogtrop & Green, P.A., Wilmington, Delaware, Attorneys for Plaintiffs and the Proposed Class.

William E. Manning, Esq., Saul Ewing Arnstein & Lehr LLP, Wilmington, Delaware, Turner A. Broughton, Esq. (Argued), Brendan D. O'Toole, Esq. (Argued), Amanda Bird, Esq., Williams Mullen, Richmond, Virginia, Attorneys for Defendant.

OPINION

Honorable Mary M. Johnston, Judge

FACTUAL AND PROCEDURAL CONTEXT

Parties

This case arises from a data breach. On January 27, 2020, Brandywine Urology Consultants, P.A. ("Defendant") discovered that it was the victim of a ransomware attack (the "Attack") on its network.1 The Attack blocked access to Defendant's computer system and data, which included sensitive patient medical records.2 During the Attack, cyberthieves accessed and encrypted records that included patient names, addresses, Social Security numbers, medical file numbers, claim data, and other financial and personal data.3 During and after the attack, there was no attempt to extract a ransom.

Plaintiffs Cecilia Abernathy, Flint Delong, Tina Murphy, and Jeffrey Wasko (collectively, "Plaintiffs") bring this suit individually and on behalf of a Proposed Class.[4] Defendant is a Delaware-based urology practice.5 Plaintiffs are patients of Defendant.6

Defendant's Response to the Attack

Defendant states that it took immediate steps to "isolate and mitigate the intrusion to its network" after the Attack was discovered.7 Defendant removed the malicious software from its network.8 Defendant also hired an outside security firm to investigate whether protected health information ("PHI") on the network had been compromised by the Attack.9 After examining the extent of the Attack, the security firm confirmed that no PHI had been compromised.10

On March 27, 2020, Defendant notified all of its patients of the Attack.11 On March 28, 2020, Defendant issued an updated Notice of Potential Data Breach (the "Notice").12 The Notice informed Defendant's patients that it was possible, though Defendant believed that it was "unlikely," that their personal and financial information was compromised.[13] The Notice also stated that Defendant would inform patients as soon as possible of the results of its ongoing investigation.14

Procedural History

Plaintiffs filed suit on May 06, 2020.15 Plaintiffs assert claims for: (1) negligence; (2) invasion of privacy; (3) breach of express contract; (4) breach of implied contract; (5) negligence per se; (6) breach of fiduciary duty; (7) noncompliance with the Delaware Computer Security Breach Act; and (8) violation of the Delaware Consumer Fraud Act.

Defendant filed a Motion to Dismiss and supporting brief on July 15, 2020. Plaintiffs filed their Response on August 28, 2020. Defendant filed its Amended Reply on September 25, 2020.

STANDARD OF REVIEW

Lack of Standing

Rule 12(b) provides for dismissal of a claim when a court lacks subject matter jurisdiction or a plaintiff lacks standing to appear and be heard.16 Factual challenges under Rule 12(b)(1) permit a court to consider matters outside the pleading, such as testimony and affidavits.17 The burden is on the plaintiff to demonstrate that it meets the elements for standing.18

Failure to State a Claim Upon Which Relief Can Be Granted

In a Rule 12(b)(6) Motion to Dismiss, the Court must determine whether the claimant "may recover under any reasonably conceivable set of circumstances susceptible of proof."19 The Court must accept as true all well-pleaded allegations.20 Every reasonable factual inference will be drawn in the non-moving party's favor.21 If the claimant may recover under that standard of review, the Court must deny the Motion to Dismiss.22

ANALYSIS

Defendant 's Contentions

Defendant argues that Plaintiffs lack standing to bring this case. Defendant contends that Plaintiffs have failed to allege an injury in fact. Further, Plaintiffs' alleged injuries cannot be traced back to Defendant. Defendant asserts that Plaintiffs have failed to state a claim for Counts 1-5. As for Plaintiffs' other claims, Defendant argues that: (1) the economic loss doctrine bars any recovery; (2) the breach of fiduciary duty claim must be dismissed because the Court lacks subject matter jurisdiction; (3) the Delaware Computer Security Breach Act claim must be dismissed because Plaintiffs lack standing and Defendant satisfied the statute's notice requirement; and (4) the Delaware Consumer Fraud Act claim must be dismissed because Plaintiffs have failed to state a claim under the statute.

Plaintiffs' Contentions

Plaintiffs maintain that they have sustained an injury in fact sufficient to confer standing. Plaintiffs specifically allege the following harms: (1) the imminent risk of future harm; (2) mitigation expenses; (3) loss of privacy; (4) anxiety; (5) failure to receive the benefit of a bargain; (6) loss of value of property in personally identifying information; and (7) disruption to Plaintiffs' medical care. Plaintiffs contend that these alleged harms are legally cognizable and can be traced back to Defendant.

In response to Defendant's other arguments, Plaintiffs argue that the economic loss doctrine does not foreclose the possibility of recovery because Defendant denies the existence of any contract. Further, Plaintiffs properly state claims for negligence, negligence per se, invasion of privacy, breach of express contract, and breach of implied contract. Plaintiffs maintain that they properly stated a claim under Delaware's Consumer Fraud Act. Plaintiffs concede that the Court lacks subject matter jurisdiction over their fiduciary duty claim. Finally, Plaintiffs elect to withdraw their claim under the Delaware Computer Security Breach Act.

Standing

Plaintiffs bear the burden of establishing all of the elements for standing.23 Plaintiffs must demonstrate: (1) an injury in fact; (2) a causal relationship between the injury and the challenged conduct; and (3) a likelihood that the injury will be redressed by a favorable decision.24 The requisite injury-in-fact must be concrete, particularized, and actual or imminent-not conjectural or hypothetical.25Additionally, it must be "fairly traceable to the challenged action of the defendant."26

"A plaintiff alleging that it will suffer future injuries from a defendant's allegedly improper conduct must show that such injuries are certainly impending."[27] In data breach cases, Plaintiffs must provide at least some plausible specific allegations of actual or likely misuse of data to satisfy the standing requirement and avoid dismissal under rule 12(b)(1).28 "Standing is a threshold question that must be answered by a court affirmatively to ensure that the litigation before the tribunal is a 'case or controversy' that is appropriate for the exercise of the court's judicial powers."29

Delaware courts have not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact sufficient to confer standing. Defendant argues that it does not. To support its assertion, Defendant relies on Reilly v. Ceridian Corporation.30 In Reilly, hackers accessed information stored on the computer system of a payroll processing company. The hackers potentially gained personal and financial information of 27, 000 individuals.31 The Third Circuit noted in that case that "it [was] not known whether the hacker read, copied, or understood the data."[32] There "was no evidence that the intrusion was intentional or malicious" and "no identifiable taking occurred."33 The Third Circuit was unwilling to recognize the plaintiff's injury because it was too attenuated to confer standing and amounted to nothing more than speculation.34

Various federal courts have held that a plaintiff lacks standing to sue the party who failed to protect its data-in a lost data or potential identity theft case- where there is no proof of actual misuse or fraud.35 Although some lower courts have disagreed, those courts still require a plaintiff to allege a "credible threat."[36]"Furthermore, the passage of months, and then, years, only renders any [] conjectural threat increasingly less imminent." 37

The Notice that Defendant sent to its patients, including Plaintiffs, stated there was a possibility that personal and financial information was compromised during the Attack.38 However, such notice is not a concession of a plausible, concrete, imminent, or certain threat.39

As the direct victim of a hacker, Defendant appeared to take swift and appropriate measures to investigate and mitigate the data breach. The Notice sent to those whose information possibly was breached is part of the standard process under such circumstances. Defendant should not be punished for sending out the Notice. So long as the Notice is accurate, it cannot be the basis for liability, or deemed to be an admission. The Court is reluctant to make any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution.

The injury alleged by Plaintiffs-imminent risk of future harm from the Attack-is nothing more than conjecture and a collection of hypothetical risks. Additionally, the time that has elapsed since the Attack...

To continue reading

FREE SIGN UP