Purvis v. Aveanna Healthcare, LLC

Citation563 F.Supp.3d 1360
Decision Date27 September 2021
Docket NumberCIVIL ACTION NO. 1:20-CV-02277-LMM
Parties Teairra PURVIS, individually and on behalf of her minor child, J.A., and Aramah Johnson, and on behalf of all others similarly situated, Plaintiffs, v. AVEANNA HEALTHCARE, LLC, Defendant.
CourtU.S. District Court — Northern District of Georgia

David K. Lietz, Pro Hac Vice, Gary Edward Mason, Pro Hac Vice, Mason Lietz & Klinger LLP, Washington, DC, Gary M. Klinger, Pro Hac Vice, Mason Lietz & Klinger LLP, Chicago, IL, Shireen Hormozdi, Hormozdi Law Firm, LLC, Norcross, GA, for Plaintiffs.

Douglas H. Meal, Pro Hac Vice, Seth Harrington, Pro Hac Vice, Orrick, Herrington & Sutcliffe LLP, Boston, MA, James Chong Liu, Pro Hac Vice, Orrick, Herrington & Sutcliffe LLP, Sacramento, CA, Rebecca Harlow, Pro Hac Vice, Orrick Herrington & Sutcliffe, San Francisco, CA, Austin Jared Hemmer, Robert B. Remar, Rogers & Hardin, LLP, Cameron Blaine Roberts, Caplan Cobb LLP, Atlanta, GA, for Defendant.

ORDER

Leigh Martin May, United States District Judge This case comes before the Court on Defendant Aveanna Healthcare, LLC's ("Aveanna") Motion to Dismiss [41]. After due consideration, the Court enters the following Order.

I. BACKGROUND

This putative class action arises out of a July 2019 cyberattack and data breach (the "Data Breach") involving Defendant Aveanna. Dkt. No. [32] ¶ 6. Defendant is a healthcare entity that is alleged to be the nation's largest pediatric home-care provider, offering treatment and related healthcare services to patients and their families in numerous states. See id. ¶¶ 21–24. Plaintiffs in this case include Aveanna patients and their legal guardians or parents (Plaintiffs Purvis and J.A.) and a former employee of Aveanna (Plaintiff Johnson). Id. ¶¶ 40–41, 46.

Plaintiffs allege that their sensitive personal information—including personally identifiable information ("PII") and protected health information ("PHI")—was compromised and unlawfully accessed through the Data Breach. Id. ¶ 6. Moreover, Plaintiffs allege that, as a result of the Data Breach, their identities are now at risk of being compromised and that they face a heightened risk of fraud and identity theft (and, in some cases, have in fact already experienced identity theft and fraud as a result of the Data Breach). Id. ¶¶ 10–12. Though acknowledging that the Data Breach was carried out unlawfully by third-party individuals through phishing techniques, Plaintiffs assert that Defendant was reckless and negligent in maintaining Plaintiffs’ sensitive private information. See id. ¶¶ 6–8, 50–52. Plaintiffs maintain that Defendant was aware of the risk of such a breach and failed to take the necessary precautions to protect Plaintiffs’ information. See id. ¶¶ 8, 85.

Plaintiffs assert the following claims for relief: (1) negligence; (2) intrusion into private affairs or invasion of privacy; (3) breach of express contract; (4) breach of implied contract; (5) negligence per se; (6) breach of fiduciary duty; (7) breach of confidence; and (8) a second claim for breach of express contract.1 Id. ¶¶ 159–275. Defendant has moved to dismiss Plaintiffs’ Second Amended Complaint in its entirety. Dkt. No. [41].

II. LEGAL STANDARD

Federal Rule of Civil Procedure 8(a)(2) requires that a pleading contain a "short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). While this pleading standard does not require "detailed factual allegations," the Supreme Court has held that "labels and conclusions" or "a formulaic recitation of the elements of a cause of action will not do." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ).

To withstand a Rule 12(b)(6) motion to dismiss, "a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ " Id. (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955 ). A complaint is plausible on its face when the plaintiff pleads factual content necessary for the court to draw the reasonable inference that the defendant is liable for the conduct alleged. Id. (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955 ).

At the motion to dismiss stage, "all well-pleaded facts are accepted as true, and the reasonable inferences therefrom are construed in the light most favorable to the plaintiff." FindWhat Inv'r Grp. v. FindWhat.com, 658 F.3d 1282, 1296 (11th Cir. 2011) (quoting Garfield v. NDC Health Corp., 466 F.3d 1255, 1261 (11th Cir. 2006) ). However, this principle does not apply to legal conclusions set forth in the complaint. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.

III. DISCUSSION

Defendant has moved to dismiss each of Plaintiffs’ claims. The Court addresses each claim separately.

A. Negligence

In Count One, Plaintiffs assert a claim for negligence. Dkt. No. [32] ¶¶ 159–171. Defendant moves to dismiss Plaintiffs’ negligence claim for a variety of reasons. The Court begins with Defendant's first argument, which is that Defendant did not owe Plaintiffs a duty of care. Dkt. No. [41-1] at 13–17.

1. Duty

Under Georgia law, a negligence claim has four elements: "the existence of a duty on the part of the defendant, a breach of that duty, causation of the alleged injury, and damages resulting from the alleged breach of the duty." Rasnick v. Krishna Hosp., Inc., 289 Ga. 565, 713 S.E.2d 835, 837 (2011) (citation omitted). "The threshold issue in any cause of action for negligence is whether, and to what extent, the defendant owes the plaintiff a duty of care." Smith v. United States, 873 F.3d 1348, 1352 (11th Cir. 2017) (quoting City of Rome v. Jordan, 263 Ga. 26, 426 S.E.2d 861, 862 (1993) ).

Here, Plaintiffs allege that Defendant "had a duty of care to use reasonable means to secure and safeguard its computer property ... to prevent disclosure of [Plaintiffs’] Private Information, and to safeguard the Private Information from the theft." Dkt. No. [32] ¶ 161. Defendant argues that the Georgia Supreme Court—in its recent decision in Department of Labor v. McConnell, 305 Ga. 812, 828 S.E.2d 352 (2019) —has held that no such duty to safeguard personal information exists under Georgia law. Dkt. No. [32] at 13–15. Defendant maintains that because no duty to safeguard personal information exists in the wake of McConnell, this alleged duty cannot support Plaintiffs’ negligence claim. Id.

The Court is not persuaded by Defendant's argument that McConnell forecloses the existence of a duty to protect personal information under Georgia law. A brief overview of McConnell and subsequent Georgia Supreme Court decisions is helpful in illustrating why the Court reaches this conclusion.

In McConnell, a plaintiff filed a class action lawsuit against the Georgia Department of Labor after one of the Department's employees inadvertently sent an email that included a spreadsheet containing the private information of individuals who had applied for unemployment benefits and other services from the Department. 828 S.E.2d at 356. The plaintiff's private information was disclosed through this mistake, and the plaintiff asserted a claim for negligence against the Department, in addition to various other claims. Id.

Ultimately, the Georgia Supreme Court affirmed the Georgia Court of Appeals's decision to dismiss the plaintiff's negligence claim, concluding that this claim failed because the plaintiff "has not shown that the Department owed him or the other proposed class members a duty to protect their private information." Id. at 358. Though Defendant argues that this holding confirms that there is no duty under Georgia law to safeguard personal information, the Georgia Supreme Court's holding in McConnell was narrower than Defendant suggests. Specifically, in finding that the plaintiff had failed to show that the Department of Labor owed him and others a duty to protect their personal information, the Georgia Supreme Court merely rejected that such a duty arose from the sources the plaintiff had relied upon to support his claim, namely: (1) the purported duty "to all the world not to subject [others] to an unreasonable risk of harm" that was articulated in Bradley Center v. Wessner, 250 Ga. 199, 296 S.E.2d 693 (1982) ; and (2) O.C.G.A. §§ 10-1-910 and 10-1-393.8. Id. Indeed, McConnell expressly leaves open the possibility that a duty to safeguard personal information could still arise under different circumstances and based on different arguments: "We also do not consider whether a duty might arise on these or other facts from any other statutory or common law source, as no such argument has been made here." Id. at 358 n.5.

If there remained any doubt whether McConnell entirely foreclosed the existence of a duty to safeguard personal information under Georgia law, the Georgia Supreme Court's post- McConnell decision, Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555, 837 S.E.2d 310 (2019), illustrates that McConnell does not stand for that proposition. In Collins, the plaintiffs asserted a claim for negligence (in addition to other claims) against a medical clinic after their information was compromised through a criminal data breach. Collins, 837 S.E.2d at 311–12. The plaintiffs’ negligence claim was initially dismissed for failure to allege a cognizable injury, but the Georgia Supreme Court, having determined that the plaintiffs had in fact alleged a cognizable injury, reversed that decision and remanded the case. Id. at 312, 316–18.

In discussing the plaintiffs’ negligence claim, the Collins court, citing McConnell, noted that "the easier showing of injury [in a criminal data breach case] may well be offset by a more difficult showing of breach of duty." Id. at 315–16. However, the Georgia Supreme Court did not find that the plaintiffs’ claim failed for lack of a cognizable duty, nor did it cite McConnell for the broad proposition that a duty to...

To continue reading

Request your trial
5 cases
  • Rodriguez v. Mena Hosp. Comm'n
    • United States
    • U.S. District Court — Western District of Arkansas
    • November 1, 2023
    ...In re Ambry Genetics, 567 F.Supp.3d at 1143 (denying motion to dismiss under California law), with Purvis v. Aveanna Healthcare, LLC, 563 F.Supp.3d 1360, 1377 (N.D.Ga. 2021) (granting motion to dismiss under Georgia law). The Court is persuaded by the Purvis court, which explained “Plaintif......
  • Farmer v. Humana, Inc.
    • United States
    • U.S. District Court — Middle District of Florida
    • January 25, 2022
    ...facts suggesting that Defendant[s] disclosed [Farmer's] information to a third party." Purvis v. Aveanna Healthcare, LLC, No. 1:20-CV-02277-LMM, 563 F.Supp.3d 1360, 1378 (N.D. Ga. Sept. 27, 2021). Instead, Farmer alleges that his PII and PHI were exposed in a data breach due to Humana and C......
  • Trimble v. AT&T Mobility LLC
    • United States
    • U.S. District Court — Western District of North Carolina
    • August 24, 2023
    ...included in this arbitration agreement.” (internal citations and quotation marks omitted)); see also Purvis v. Aveanna Healthcare, LLC, 563 F.Supp.3d 1360, 1369 (N.D.Ga. 2021); In re Brinker Data Incident Litigation, 3:19-cv-686-J-32MCR, 2020 WL 691848, *7-8 (M.D. Fl. Jan. 27, 2020). Indeed......
  • Feins v. Goldwater Bank Na
    • United States
    • U.S. District Court — District of Arizona
    • December 9, 2022
    ...WL 1472485, at *5 (W.D. N.C. Mar. 26, 2018). The Court finds this case akin to Purvis, 563 F.Supp.3d at 1377. Plaintiff in this case, as in Purvis, not allege non-conclusory facts showing Defendant intended any PII disclosure; indeed, Plaintiff alleges that his PII “was contained, stored, a......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT