Fero v. Excellus Health Plan, Inc.

Citation: 236 F.Supp.3d 735
Decision Date: 22 February 2017
Docket Number: 6:15–CV–06569 EAW
Parties: Matthew FERO, et al., Plaintiffs, v. EXCELLUS HEALTH PLAN, INC., et al., Defendants.
Court: U.S. District Court — Western District of New York

Hadley L. Matarazzo, Kathryn Lee Bruns, Stephen G. Schwarz, Faraci Lange LLP, Rochester, NY, James J. Bilsborrow, Robin L. Greenwald, Weitz & Luxenberg, P.C., New York, NY, for Plaintiff.

Jennifer A. Beckage, John G. Schmidt, Jr., Phillips Lytle LLP, Buffalo, NY, Paul G. Karlsgodt, Baker & Hostetler LLP, Denver, CO, Karin Scholz Jenson, Baker & Hostetler LLP, New York, NY, Mark J. Moretti, Phillips Lytle LLP, Rochester, NY, Adam P Feinberg, Miller & Chevalier Chartered, Washington, DC, Brian P. Kavanaugh, Jessica L. Staiger, Luke C. Ruse, Timothy C. Pickert, Kirkland & Ellis LLP, Chicago, IL, Jeffrey J. Harradine, Thomas S. D'Antonio, Ward Greenberg Heller & Reidy LLP, Rochester, NY, for Defendant.

DECISION AND ORDER

ELIZABETH A. WOLFORD, United States District Judge

INTRODUCTION

Those who are entrusted with details about an individual's health care should guard against even the inadvertent disclosure of that confidential information. Those duties were allegedly breached in this case when hackers secured access to confidential health care information through a cyberattack. Nonetheless, while legal remedies may be pursued by those who were injured, the law only allows for the pursuit of plausible claims—and only by those who have standing based on an alleged legally compensable injury. Not all parties or all claims in this case meet that standard.

This case arises out of a data breach involving Excellus Health Plan, Inc. ("Excellus"), a healthcare provider. Plaintiffs, who allege various claims and injuries arising from the data breach, bring this putative class action against the following eight defendants: Excellus, Lifetime Healthcare, Inc. ("Lifetime"), Lifetime Benefit Solutions, Inc., Genesee Region Home Care Association, Inc. d/b/a Lifetime Care, Genesee Valley Group Health Association d/b/a Lifetime Health Medical Group, MedAmerica, Inc., Univera Healthcare, and Blue Cross and Blue Shield Association ("BCBSA"). In their Consolidated Master Complaint ("CMC"), Plaintiffs assert claims under various federal and state laws and seek, inter alia, class certification, injunctive relief, and damages. (Dkt. 99).

Presently before the Court are two motions to dismiss Plaintiffs' CMC. (Dkt. 107; Dkt. 111). The Excellus Defendants and BCBSA—i.e., all Defendants—move to dismiss the CMC pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6), on the basis that the Court lacks jurisdiction because Plaintiffs lack standing to sue, and that Plaintiffs have failed to state a claim. (Dkt. 107–1 ("Excellus Mot.")); (Dkt. 111–1 ("BCBSA Mot.")). For the reasons that follow, the Court grants in part and denies in part both motions.

BACKGROUND
I. Factual Background

The following factual allegations are drawn from Plaintiffs' CMC.

A. The Parties

Excellus is "the primary healthcare provider in Upstate New York" and a licensee of BCBSA. (CMC at ¶ 37). Excellus is a subsidiary of Lifetime and a parent company to all other defendants, except Lifetime and BCBSA. (Id. at ¶ 40). Lifetime is "the parent and/or holding company of a $6.6 billion family of companies, known as the Lifetime Healthcare Companies, that finances and delivers health care in New York State, as well as long-term care nationwide." (Id. at ¶ 42). The following five defendants are affiliate companies of the Lifetime Healthcare Companies, and they are owned and controlled by Lifetime and Excellus: (1) Lifetime Benefit Solutions, Inc.; (2) Genesee Region Home Care Association, Inc. d/b/a Lifetime Care; (3) Genesee Valley Group Health Association d/b/a Lifetime Health Medical Group; (4) MedAmerica, Inc.; and (5) Univera Healthcare. (Id. at ¶¶ 45–49). The final defendant, BCBSA, "is a federation of 36 health insurance organizations and companies that provides health insurance to over 106 million individuals." (Id. at ¶ 50). Excellus "cooperates with BCBSA and other independent Blue Cross Blue Shield ... licensees to participate in the BlueCard program. Under the BlueCard program, members of one BCBS licensee may access another BCBS licensee's provider networks and discounts." (Id. at ¶ 55).

Plaintiffs allege three different types of classes. First, Plaintiffs allege "separate statewide classes for the states of California, Florida, Indiana, North Carolina, New Jersey, New York, and Pennsylvania," defined as "[a]ll citizens of [name of state] whose [personally identifiable information ("PII")] or [protected health information ("PHI")] was compromised by the Excellus data breach" ("Statewide Classes"). (Id. at 64). Second, Plaintiffs allege a federal employee class, defined as "[a]ll enrollees in the Federal Employee Health Benefits Plan whose Personal Information was compromised by the Excellus data breach" ("Federal Employee Class"). (Id. at 65). Third, Plaintiffs allege a healthcare provider class, defined as "[a]ll healthcare providers and/or medical professionals who submitted PII directly or indirectly to Defendants and whose PII was compromised by the Excellus data breach" ("Healthcare Provider Class"). (Id. at 66).

B. The Data Breach

On December 23, 2013, hackers gained access to Excellus's computer network systems, which stored the personal information belonging to millions of individuals. (Id. at ¶¶ 52, 131, 133). During this data breach, the hackers had access to individuals' names, dates of birth, social security numbers, mailing addresses, telephone numbers, member identification numbers, financial payment information (including credit card numbers), and medical insurance claims information. (Id. at ¶¶ 1–3, 52, 134). The hackers also had access to healthcare providers' personal information, including medical licenses. (Id. at ¶ 135). The breach continued for 20 months, until at least August 18, 2014; however, the hackers may have had access to the systems more recently, on May 11, 2015. (Id. at ¶ 133).

"In the wake of other high-profile healthcare data breaches ..., Defendants hired cybersecurity company Mandiant to forensically assess their systems." (Id. at ¶ 132). On August 4, 2015, Mandiant's analysis revealed malware on Defendants' systems. (Id.) On September 9, 2015, Defendants publicly announced that the breach had occurred and that it affected 10 to 10.5 million people, including past and current Excellus policyholders, as well as those who are insured by or receive healthcare services from Defendants' affiliates. (Id. at ¶ 138). According to that announcement, Mandiant's investigation did not determine that any personal information was removed from Excellus's systems, and Excellus had no evidence that the personal information was used inappropriately. (Dkt. 107–3, Ex. A). Defendants offered two years of free credit monitoring to adult victims of the breach. (CMC at ¶ 138).

Plaintiffs allege that Defendants had reason to know that their data security was inadequate both before the data breach started and after it was discovered by Defendants. (Id. at ¶¶ 114, 120). For example, in May 2012, the Department of Health and Human Services' Office for Civil Rights hired KPMG to conduct an audit of Univera (a Defendant and Lifetime affiliate company) in order to review its compliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). (Id. at ¶ 115). The audit revealed, inter alia, that Univera's "Risk Assessment Policies & Procedures failed to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI." (Id. at ¶ 117). As another example, in April 2014, the FBI Cyber Division "issued a ‘Private Industry Notification’ that explained how ‘the health care industry is not technically prepared to combat against cyber criminals' basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs). The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.’" (Id. at ¶ 123). This information, along with other data breaches in the health care industry, allegedly "put Defendants on notice that healthcare and health insurance companies were a target of cyberattack, and that these companies had an obligation to implement reasonable safeguards to keep pace. Defendants, quite simply, failed to heed the clear and unequivocal warning." (Id. at 129).

C. Plaintiffs' Alleged Injuries

Plaintiffs allege that the data breach caused them various types of injuries, both present and future. The following present injuries from the breach are alleged in the CMC. Four plaintiffs allege that false tax returns were filed in their names using their personal information, or that their personal information was accessed through the IRS portal. (Id. at ¶¶ 12, 19–20, 24, 29). Three plaintiffs allege that they are the victims of identity theft. (Id. at ¶¶ 18, 21, 22). Twelve plaintiffs have experienced fraudulent credit or debit card charges. (Id. at ¶¶ 21–28, 31–32, 34–35). Five plaintiffs allege that they spent money in order to remediate the breach or protect from future identity theft; this included purchasing additional credit monitoring services. (Id. at ¶¶ 20–23, 34). Three plaintiffs had delays in the receipt of their tax returns. (Id. at ¶¶ 19–20, 29). All plaintiffs spent time and effort to freeze their credit, place fraud alerts on their accounts, monitor credit reports and bank statements, and/or report identity theft to the relevant authorities. (Id. at ¶¶ 17–35). All plaintiffs allege anxiety and fear of identity theft as a result of the data breach. (Id. at ¶ 12). Plaintiffs also allege a risk of future, certainly impending harm as a result of the breach. (See, e.g., id. at ¶¶ 13, 19–35).

The...
