Fox v. Iowa Health Sys.

Decision Date: 24 July 2019
Docket Number: 18-cv-327-jdp
Citation: 399 F.Supp.3d 780
Parties: Yvonne Mart FOX, Grant Nesheim, Danielle Duckley, and Shelly Kitsis, on behalf of themselves and all others similarly situated, Plaintiffs, v. IOWA HEALTH SYSTEM d/b/a UnityPoint Health, Defendant.
Court: U.S. District Court — Western District of Wisconsin

Ronald Albert Marron, Law Offices of Ronald A. Marron, San Diego, CA, Christopher Londergan Springer, Keller Rohrback L.L.P., Santa Barbara, CA, Thomas David Copley, Cari Campen Laufenberg, Keller Rohrback L.L.P., Robert Teel, Seattle, WA, for Plaintiffs.

Casie Dell Collignon, Baker & Hostetler LLP, Denver, CO, Emily Marie Feinstein, Quarles & Brady, Madison, WI, for Defendants.

OPINION and ORDER

JAMES D. PETERSON, District Judge

Defendant UnityPoint Health runs a network of hospitals, clinics, home care services, and health insurers throughout Wisconsin, Iowa, and Illinois. In 2017 and 2018, UnityPoint's email system was hacked. Plaintiffs, all customers of UnityPoint, say that hackers obtained their private health information and other personal identifying information (such as Social Security numbers) that can be used to commit identity theft. Plaintiffs filed this proposed class action, asserting 14 different claims under Wisconsin, Illinois, and Iowa law. UnityPoint moves to dismiss under Federal Rule of Civil Procedure 12(b)(1) for lack of standing and under Rule 12(b)(6) for failure to state a claim upon which relief may be granted. Dkt. 27.

The court will grant the motion only in part. Plaintiffs' allegations are sufficient to establish standing under Article III of the Constitution. The court will dismiss some of plaintiffs' claims for failure to state a claim: (1) Shelly Kitsis and Danielle Duckley's claims for negligence and negligence per se because they are barred by the Illinois and Iowa economic loss doctrines; (2) plaintiffs' claims for invasion of privacy because they do not allege that UnityPoint intentionally released their information; (3) plaintiffs' common law and statutory misrepresentation claims because plaintiffs have not pleaded reliance or damages; and (4) plaintiffs' claim under Wisconsin's data breach notification statute, Wis. Stat. § 134.98, because it does not create a private right of action. The court will also exercise its discretion to decline to hear plaintiffs' claim for declaratory relief under the Declaratory Judgment Act. Plaintiffs may proceed on all other claims. Plaintiffs ask for leave to amend their complaint to cure any deficiencies that lead to claims being dismissed. But because any amendment would likely be futile, the court will deny the request.

Also before the court is plaintiffs' notice of supplemental authority, Dkt. 51, and UnityPoint's motion for leave to respond to the supplemental authority, Dkt. 52, which plaintiffs oppose. Plaintiffs' motion is granted; UnityPoint's is denied. But the supplemental authority is a district court case from outside this jurisdiction which addresses the issue of standing in data breach cases. There is already binding authority in this jurisdiction on the issue of standing, so the supplemental authority adds little to the analysis. UnityPoint has also filed its own notice of supplemental authority. Dkt. 54. The court will accept UnityPoint's supplemental authority, but it too adds little to the analysis. That case is about standing to sue for violations of the Fair Credit Reporting Act. It did not involve a data breach, or any other allegations that are analogous to this case.

ALLEGATIONS OF FACT

The court draws the following facts from plaintiffs' amended complaint. Dkt. 22.

Plaintiffs are customers of UnityPoint. Yvonne Fox and Grant Nesheim live and use UnityPoint services in Wisconsin, Danielle Duckley lives and uses UnityPoint services in Illinois, and Shelly Kitsis lives and uses UnityPoint services in Iowa.

As part of its health care and insurance business, UnityPoint stores the personal information of its patients and customers. This information includes patient names, Social Security numbers, payment information, phone numbers, and email addresses. UnityPoint also keeps patient health care information, such as lab results, treatment notes, and diagnoses. Its privacy policy promises to use security procedures to protect personal information from misuse or unauthorized disclosure. The policy says that UnityPoint will store personal information "in a secure database behind an electronic firewall." Dkt. 22, ¶ 156. In the event of a data breach, UnityPoint says it will notify customers "without unreasonable delay but in no case later than 60 days after we discover the breach." Id. A copy of the privacy policy was given to all UnityPoint customers.

A. First data breach

Around November 1, 2017, hackers gained access to UnityPoint employee email accounts and stole the personal health information of more than 16,000 UnityPoint patients. The hackers were "motivated to steal" and "specifically targeted" health information and other sensitive information like Social Security numbers. Id., ¶ 24. UnityPoint discovered the data breach between February 7 and February 15, 2018, but it did not notify the public until two months later, when it sent a letter to those affected by the breach. The letter stated:

[UnityPoint] discovered your protected health information was contained in an impacted email account, including your name and one or more of the following: date of birth, medical record number, treatment information, surgical diagnosis, lab results, medication(s), provider(s), date(s) of service and/or insurance information ... The information did not include your Social Security number.

Id., ¶¶ 20–21.

UnityPoint knew that this letter was not accurate. On the same day that it sent the letter, it disclosed to the Wisconsin Department of Agriculture, Trade and Consumer Protection that the breach actually did include Social Security numbers.

Fox and Nesheim each received a copy of the letter. Fox called UnityPoint to get more information about what specific health information had been stolen. She spoke to two representatives, but neither was able to give her further information about the breach. Both representatives told her to "take precautions to protect [her] information." Id., ¶¶ 55, 58. Fox asked if UnityPoint would pay for any "precautions," and UnityPoint said that it would not. After these conversations, Fox subscribed to an online credit monitoring service so that she could be notified of any future identity theft. Id., ¶ 63.

B. Second data breach

On May 31, 2018, UnityPoint discovered that hackers had again accessed its employees' email accounts. This time, hackers stole the private information of about 1.4 million patients. Once again, UnityPoint waited two months before it disclosed the breach to the public. On July 30, it sent a letter to affected class members:

[Stolen information] included your name and one or more of the following information: address, date of birth, Social Security number, driver's license number, medical record number, medical information, treatment information, surgical information, diagnosis, lab results, medication(s), provider(s), date(s) of service and/or insurance information

Id., ¶ 33.

The letter advised recipients to protect themselves against identity theft by monitoring their health information. UnityPoint also offered a complimentary, one-year membership with Experian, which provides identity-theft prevention services. All four plaintiffs received a copy of this letter.

C. Incidents following the data breaches

Since the data breaches, plaintiffs have been victims of attempted identity theft and fraud as well as scam phone calls and emails.

In 2018, Fox noticed an increase in autodialed phone calls and spam emails. From April 13 to July 7, she received about 63 autodialed calls to her landline. Several of these calls came from a number identified as "BC Health Clinics," and involved a medical scam. Id., ¶ 52. (Plaintiffs do not provide any further detail about the medical scam.) Fox did not receive any scam medical calls before the data breaches.

Nesheim also received more autodialed calls after the data breaches. These calls were so frequent that Nesheim bought a second phone to use for work. In May or June 2018, Nesheim discovered a suspicious charge on his credit card. He canceled his card and asked his bank to issue a new one. Later, in early July, Nesheim was notified that someone had used his private health information to open a new credit card at a different bank. Nesheim is currently working with that bank to ensure that it did not keep open an account in his name. Had Nesheim known about the data breaches as soon as they occurred, he would have "made a timely and informed decision to take action to mitigate the injury." Id., ¶ 73.

Duckley also received more spam emails and autodialed phone calls after the data breaches. After the second data breach, Duckley became locked out of her pre-existing Experian account due to repeated, unauthorized log-in attempts. When Duckley called Experian to change her password and regain access to the account, Experian told her that the UnityPoint data breach "had undoubtedly been the cause" of the repeated log-in attempts. Id., ¶ 76. Had Duckley known about the second data breach as soon as it occurred, she would have "made a more timely and informed decision to take action to mitigate the injury." Id., ¶ 79.

Finally, Kitsis, like the other plaintiffs, received more spam emails and autodialed phone calls after the data breaches. Also, her health information is "extraordinarily sensitive," and the stress caused by the data breach is taking a "significant emotional and physical toll." Id., ¶ 84.

The threat of identity theft is exacerbated by what hackers refer to as "fullz packages." Id., ¶ 66. A fullz package is a dossier that compiles information about a victim from a variety of legal and illegal sources. Hackers can take information obtained in one data...
