In re 21ST Century Oncology Customer Data Sec. Breach Litig., MDL No. 2737

• Court: United States District Courts. 11th Circuit. United States District Court of Middle District of Florida
• Citation: 380 F.Supp.3d 1243
• Docket Number: Case No: 8:16-md-2737-MSS-AEP,MDL No. 2737
• Parties: IN RE: 21ST CENTURY ONCOLOGY CUSTOMER DATA SECURITY BREACH LITIGATION
• Decision Date: 11 March 2019

380 F.Supp.3d 1243

IN RE: 21ST CENTURY ONCOLOGY CUSTOMER DATA SECURITY BREACH LITIGATION

MDL No. 2737
Case No: 8:16-md-2737-MSS-AEP

United States District Court, M.D. Florida, Tampa Division.

Signed March 11, 2019

380 F.Supp.3d 1245

This Document Relates to ALL CASES

MARY S. SCRIVEN, UNITED STATES DISTRICT JUDGE

ORDER

THIS CAUSE comes before the Court for consideration of Defendants' Motion to Dismiss Plaintiffs' Consolidated Complaint, (Dkt. 116), Defendants' Notice of Filing Supplemental Authority in Support of Defendants' Motion to Dismiss, (Dkt. 119), Plaintiffs' response in opposition to Defendants' Motion to Dismiss, (Dkts. 142, 146), Plaintiffs' Notice of Supplemental Authority in Support of Plaintiffs' Opposition, (Dkt. 149), Plaintiffs' Supplemental Memorandum in Opposition to Defendants' Motion to Dismiss, (Dkt. 156), Defendants' Response to Plaintiffs' Supplemental Memorandum in Opposition to Defendants' Motion to Dismiss, (Dkt. 157), Defendants' Supplemental Memorandum in Support of

380 F.Supp.3d 1246

Motion to Dismiss Plaintiffs' Consolidated Amended Class Action Complaint, (Dkt. 195), Plaintiffs' Supplemental Memorandum in Opposition to Defendants' Motion to Dismiss, (Dkts. 199, 201), and Plaintiffs' Notice of Supplemental Authorities in Connection with Plaintiffs' Memoranda in Opposition to Defendants' Motion to Dismiss. (Dkt. 206) The Court heard argument on Defendants' first iteration of the Motion to Dismiss. (Dkts. 154, 167) Upon consideration of all relevant filings, case law, and being otherwise fully advised, the Court DENIES Defendants' Motion to Dismiss.

I. BACKGROUND

On March 4, 2016, Defendant 21st Century Oncology Holdings, Inc. announced that on October 3, 2015, an unauthorized third party might have gained access to its database containing patients' personal information ("Data Breach"). As a result of the Data Breach, the information of approximately 2.2 million current and former patients was compromised. The patients brought eighteen (18) separate putative class action suits against 21st Century Oncology Holdings, Inc. and its subsidiaries and affiliates (collectively, "Defendants") alleging, among other things, state statutory claims, negligence, and unjust enrichment stemming from the Data Breach. On October 7, 2016, the Judicial Panel on Multidistrict Litigation transferred the individual actions to this Court for pretrial proceedings. (Dkt. 1)

On January 17, 2017, Plaintiffs Matthew Benzion, Steven Brehio, Judy Cabrera, Valerie Corbel, Veneta Delucchi, Jackie Griffith, Roxanne Haavedt, Kathleen LaBarge, Sharon MacDermid, Timothy Meulenberg, Robert Russell, Carl Schmitt, Stacey Schwartz, and Stephen Wilbur (hereinafter, "Plaintiffs") filed a Consolidated Class Action Complaint merging their individual claims into a singular pleading. (Dkts. 100, 103) On July 30, 2018, Plaintiffs filed an Amended Consolidated Class Action Complaint ("Amended Complaint"), which is the currently operative complaint in this action. (Dkts. 191, 194)

On behalf of a putative nationwide class, Plaintiffs allege the following ten (10) causes of action: Negligence (Count I), Gross Negligence (Count II), Negligent Misrepresentation (Count III), Breach of Express Contracts (Count IV), Breach of Implied Contracts (Count V), Breach of Implied Duty of Good Faith and Fair Dealing (Count VI), Breach of Fiduciary Duty (Count VII), Unjust Enrichment (Count VIII), Invasion of Privacy (Count IX), and Declaratory Judgment (Count X). (Dkt. 194)

Defendants filed their initial Motion to Dismiss as against the original Consolidated Complaint, asserting that some of the Plaintiffs do not have standing in this action for failure to assert an injury in fact and that all Plaintiffs have failed to state a claim as to their asserted causes of action. (Dkt. 116) After the Motion was fully briefed and the Court heard argument on the Motion, Defendants filed a Notice of Petition in Bankruptcy, which prompted a prolonged stay of this case. Through a settlement between the Parties in the bankruptcy action, this action was permitted to proceed.¹ The Parties conducted preliminary fact discovery, and thereafter, Plaintiff filed the Amended Complaint. (Dkts. 191, 194) On August 29, 2018, Defendants filed a Supplemental Motion to Dismiss based on the currently operative Amended Complaint while preserving its

380 F.Supp.3d 1247

previous arguments contained in its initial Motion to Dismiss. (Dkt. 195) Similarly, on September 28, 2018, Plaintiff filed an opposition to the Supplemental Motion to Dismiss that preserves its previous opposition to Defendants' initial Motion to Dismiss. (Dkts. 199, 205) Thus, the Court considers all arguments and responses made by the Parties in the briefings of both the initial Motion to Dismiss and the Supplemental Motion to Dismiss to the extent that such arguments and responses are applicable as against the Amended Complaint.

In the Amended Complaint, Plaintiffs allege that prior to the Data Breach, Defendants acknowledged in a "Notice of Privacy Practices" posted on their website that they are "required by law to maintain the privacy of your protected health information, to provide you with notice of our legal duties and privacy practices with respect to that protected health information, and to notify any affected individuals following a breach of any unsecured protected health information." (Dkt. 194 at ¶ 8) Plaintiffs state that Defendants "failed to maintain reasonable and/or adequate security measures to protect Plaintiffs' and other Class members' [personally identifiable information ("PII") and protected health information ("PHI") ] from being released, disclosed, and rendered publicly accessible to unauthorized parties." (Dkt. 194 at ¶ 10)

Plaintiffs allege that on November 6, 2015, the Federal Bureau of Investigation ("FBI") "learned that ‘an unauthorized party was attempting to sell compromised 21st Century Oncology data,’ which ‘was advertised, in Russian, as approximately 10 million patient records from 21st Century Oncology available to purchase for $ 10,000’ " and that the FBI had "obtained a sample of the data from the unauthorized party." (Dkt. 194 at ¶ 114) (quoting the Declaration of FBI Special Agent Joseph Battaglia ("FBI Declaration"), Dkt. 195-1 at ¶ 3) They claim that due to Defendants' insufficient security protocols, Defendants failed to detect the Data Breach until the FBI notified them on or about November 13, 2015. (Dkt. 194 at ¶ 5) Plaintiffs allege that "on November 19, 2015, 21st Century ‘confirmed that the sample of data provided by the FBI contained its patients' information,’ and the FBI informed 21st Century ‘that the unauthorized party listed additional data beyond the sample for sale.’ " (Dkt. 194 at ¶ 119) (quoting FBI Declaration, Dkt. 195-1 at ¶ 6)

Plaintiffs assert that the Data Breach resulted in "the release, disclosure, and publication of private and highly sensitive PII/PHI including: names, Social Security numbers, physicians' names, medical diagnoses, treatment information, and insurance information." (Dkt. 194 at ¶ 6) Plaintiffs allege that the following injuries were suffered and are likely to be suffered as a direct and proximate result of the Data Breach:

(a) release, disclosure, and publication of their personal and financial information;

(b) loss or delay of tax refunds as a result of fraudulently filed tax returns;

(c) costs associated with the detection and prevention of identity theft and unauthorized use of their PII/PHI with regard to financial, business, banking, and other accounts;

(d) costs associated with time spent and the loss of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the actual and future consequences of the Data Breach, including finding fraudulent charges, cancelling credit cards, purchasing credit monitoring and identity theft protection services (beyond the one-year offered by 21st Century), the

380 F.Supp.3d 1248

imposition of withdrawal and purchase limits on compromised accounts, and the time, stress, nuisance, and annoyance of dealing with all issues resulting from the Data Breach, including phishing emails and phone scams;

(e) the imminent and certain impending injury flowing from fraud and identity theft posed by their PII/PHI being placed in the hands of hackers and being offered for sale on the Dark Web;

(f) damages to and diminution in value of their PII/PHI entrusted to 21st Century for the sole purpose of obtaining healthcare services from 21st Century;

(g) money paid to 21st Century for healthcare services during the period of the Data Breach, because Plaintiffs and Class members would not have obtained healthcare services from 21st Century had it disclosed that it lacked adequate systems and procedures to reasonably safeguard patients' PII/PHI;

(h) overpayments to 21st Century for healthcare services purchased, in that a portion of the amount paid by Plaintiffs and Class members to 21st Century was for the costs for 21st Century to take reasonable and adequate security measures to protect the Plaintiffs and Class members' PII/PHI, which 21st Century failed to do; and

(i) personal, professional, or financial harms caused as a result of having their PII/PHI exposed.

...