Blahous v. Sarrell Reg'l Dental Ctr. for Pub. Health, Inc.

Decision Date: 16 July 2020
Docket Number: Case No. 2:19-cv-798-RAH-SMD (WO)
Parties: LINDSEY BLAHOUS, on behalf of herself, as guardian for her minor children L.B., F.B., and D.I. and on behalf of all others similarly situated, Plaintiff, v. SARRELL REGIONAL DENTAL CENTER FOR PUBLIC HEALTH, INC., Defendant.
Court: U.S. District Court — Middle District of Alabama
MEMORANDUM OPINION AND ORDER
I. INTRODUCTION

For many, the phrase "data breach" provokes dread and invokes disquiet. Suddenly, a person's once private information roams untrammeled, and a degree of uncertainty as to its location and possessor now unexpectedly exists. Of course, for as long as individuals and companies have maintained documentary records and stored private information, data has been poached. Then, as even now, cabinets were jimmied, trashcans were rifled through, and manila envelopes were haphazardly left open, furtively glimpsed. Once companies committed to storing files on local machines, enterprise databases, and cloud servers, however, breaching a company's every bit of data required no more than gaining access to restricted networks. Soon enough, data breaches became inescapable features of a digitized world.

This case grew from one such breach, its extent and depth still murky. Sometime in January 2019, hackers successfully infiltrated the computer network of Sarrell Regional Dental Center for Public Health, Inc. ("Sarrell" or "Defendant"), installing ransomware that could allow the hackers to demand payment for its deactivation (the "Breach"). Among Sarrell's thousands of unsuspecting patients were Lindsey Blahous ("Blahous") and her three minor children, L.B., F.B., and D.I. ("Minor Plaintiffs") (collectively, "Plaintiffs"). Months later, after its investigation had purportedly yielded no evidence of copied, downloaded, or removed files, Sarrell notified each of the four Plaintiffs of the Breach in four substantively identical missives ("Notice" individually, and collectively, "Notices").

Faulting Sarrell for the personal data that the Breach may have exposed, Blahous sued on behalf of herself, her children, and others similarly situated in both tort and contract. Sarrell responded to Plaintiffs' Complaint, (Doc. 1), with the Defendant's Motion to Dismiss for Lack of Standing and Failure to State a Claim (the "Motion"), (Doc. 21), which sought dismissal pursuant to Rule 12 of the Federal Rules of Civil Procedure.1 As explained more fully below, this Court will grant the Motion pursuant to Rule 12(b)(1).

II. FACTUAL AND PROCEDURAL BACKGROUND
A. Data Breaches

Though variously defined by governments and private organizations, the term "data breach" generally encompasses any security incident in which sensitive, protected or confidential data is copied, transmitted, accessed, viewed, stolen, or used by an individual unauthorized to do so. See, e.g., Ala. Code § 8-38-2(1). In the usual case, these attacks target data like financial information, personal health information, personally identifiable information ("PII"), trade secrets, and intellectual property.

States like Alabama have enacted statutes that place obligations on businesses and government agencies regarding the protection of sensitive data they acquire or use such as social security numbers, driver's license numbers, and financial account numbers; defining what constitutes a data breach; providing for what types of notice of a breach and the timing of the notice that must be provided to the parties whose data has been compromised; and creating certain exemptions. See, e.g., Ala. Code § 8-38-1 et seq.; see also Fla. Stat. Ann. §§ 282.318, 282.0041, 501.171; Ga. Code Ann. § 10-1-910 et seq.

B. Relevant Facts2

Sarrell is "the largest provider of dental services in Alabama," one principally focused on children's "dental and optical" needs. (Doc. 1, p. 2.) Founded in 2004, its employees, totaling 250 by October 2019, had "serviced more than 845,000 children." (Doc. 1, p. 4.)

Preceding the Breach, the Minor Plaintiffs visited Sarrell with their mother.3 (Doc. 1, p. 3; see also Doc. 21, p. 16.) On September 12, 2019, Sarrell mailed notices of the Breach to approximately 391,472 patients and their guardians.4 (Doc. 1, pp. 2-3; Doc. 21, pp. 16, 41.) As the Notices explained, "[i]n July 2019, . . . Sarrell [had] detected ransomware on . . . [its] computer that appear[ed] to have been the result of an in intrusion that may have begun in January 2019," a gap of seven months. (Doc. 1-1, p. 2; Doc. 1-2, p. 2; Doc. 1-3, p. 2; Doc. 1-4, p. 2; see also Doc. 21, p. 16.) According to the Notices, the Breach "may" have resulted in the disclosure of the Plaintiffs' "personal health information." (Doc. 1-1, p. 2.)5

In response, "out of an abundance of caution" and as a claimed demonstration of the seriousness with which it takes "the security of patient information," Sarrell "immediately deactivated . . . [its] network, temporarily closed . . . [its] practices, engaged an independent computer security firm to investigate, and did not pay a ransom." (Id.) When this investigation concluded, Sarrell's "investigation ha[d] not found evidence that any files or information were copied, downloaded, or removed from . . . [its] network" or "discovered any evidence that the information that may be involved in this incident ha[d] been misused." (Id. (emphasis in original).) The latter point is repeated in the Notices' penultimate paragraph: "Again, at this time, we have found no evidence that your information had been misused." (Doc. 21-1, p. 5.)

Sarrell further admitted that "[t]he information potentially impacted may [have] include[d a patient's] name, address, and health insurance number," and in one letter, (see Doc. 1-2), social security numbers and health treatment information. (Doc. 1-1, p. 2.) Sarrell stated that it could not "rule out the possibility that the hacker [had] obtained sensitive information from . . . [its] network." (Id.)

The Notices conveyed more than just these details as to the Breach. Opening with an apology for the inconvenience that the Breach and resulting shutdown of its operation "may" have caused, each of these two-page documents contained "information about steps . . . [its recipients could] take to protect . . . [their] information and the resources . . . [Sarrell was] making available..." (Id.) Among the most notable, Sarrell offered identity theft protection services, under the MyIDCare™ trademark, through ID Experts®, which included "twelve months of credit and CyberScan monitoring," "a $1,000,000 insurance reimbursement policy," and "fully managed ID theft recovery services." (Id.)

Towards the end of each Notice, Sarrell once more urged the recipient to utilize the data protection services. (Doc. 21-1, p. 5.) To be eligible for this benefit, a patient had to be over the age of eighteen and possess established credit within the U.S., a Social Security Number, and a U.S. residential address. (Doc. 1-1, p. 2.) Finally, Sarrell asserted that it had "rebuilt . . . [its] business systems with updated security and virus protection for the entire Sarrell network before reopening . . . [its] practices," and that its systems and network were now "monitored with upgraded capabilities to ensure that . . . [its] system and the information . . . [it] store[s] will remain secure." (Id.)

Upon receipt of the Notices, Blahous acted, and apparently, suffered. She contacted "all three major credit bureaus in order to put credit freezes on her children's credit." (Doc. 1, p. 4.) She could not do this online, and she thus needed to "obtain [paper] copies of her children's birth certificates to send to the credit bureaus along with a letter confirming her identity." (Id.) Through the date of the Complaint, Blahous "continue[d] to monitor her accounts and pristine credit of her minor children,"6 and "remain[ed] concerned that the exposed PII, which included the birthdays and home addresses of her children, poses significant security and safety concerns"; up to that point at least, she had spent "her valuable time" on "protect[ing] the integrity of her children's physical and fiscal well-being." (Id.)

As a result of the exposure of the Plaintiffs' PII, they allegedly suffered four related injuries: (1) an increased risk of their identities being stolen in the future; (2) the costs to mitigate that risk (namely, monitoring their credit); (3) overpayment for dental services, on the theory that an unspecified portion of their payment was for securing their data, which Sarrell allegedly failed to do; and (4) the diminishment of the value of their PII by virtue of the possibility that it was exposed by the ransomware attack. (Id.)

Plaintiffs' allegations can be summed as follows: The Breach was "a direct result of Defendant's failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect Patient PII." (Id. (emphasis added).) The Plaintiffs claim that Sarrell should have "take[n] adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions; . . . disclose[d] that it did not have adequately robust computer systems and security practices to safeguard Patient PII; . . . take[n] standard and reasonably available steps to prevent the . . . Breach; . . . monitor and timely detect the . . . Breach; and . . . provide Plaintiff and Class Members prompt and accurate notice of the . . . Breach." (Id.) As a result, "Patient PII is now likely in the hands of thieves," forcing the Plaintiffs to "spend," now and in the future, "significant amounts of time and money in an effort to protect themselves from the adverse ramification of the . . . Breach" and "forever" endure "a heightened risk of identity theft and fraud." (Id. (emphasis added).)

B. Procedural Posture

On October 21, 2019, Plaintiffs filed the Complaint and advanced four causes of action—Negligence (Count I); Negligence Per Se (Count II); Breach of Implied Contract (Count III);...
