Rodriguez v. Mena Hosp. Comm'n

• Docket Number: 2:23-cv-2002[1]
• Decision Date: 01 November 2023
• Parties: DAVID RODRIGUEZ, individually and on behalf of all others similarly situated PLAINTIFFS v. MENA HOSPITAL COMMISSION d/b/a MENA REGIONAL HEALTH SYSTEM DEFENDANT
• Court: U.S. District Court — Western District of Arkansas

1

DAVID RODRIGUEZ, individually and on behalf of all others similarly situated PLAINTIFFS v. MENA HOSPITAL COMMISSION d/b/a MENA REGIONAL HEALTH SYSTEM DEFENDANT

No. 2:23-cv-2002^[1]

United States District Court, W.D. Arkansas, Fort Smith Division

November 1, 2023

OPINION AND ORDER

P.K HOLMES, III U.S. DISTRICT JUDGE

Before the Court is Defendant Mena Hospital Commission's (“Mena”) motion to dismiss and incorporated brief in support. (Doc. 47). Plaintiffs David Rodriguez, Jessica Smedley, P.S., A.S., Daniel Smedley, Tananda Smith, Chris Cant, Timothy Craig, and Carl Schoolfield (“Plaintiffs”) filed a response in opposition. (Doc. 48). Mena replied. (Doc. 51). For the reasons given below, the motion will be GRANTED IN PART and DENIED IN PART.

I. Background

This case arises out of a data breach. Mena is a regional medical service provider located in Polk County, Arkansas. (Doc. 45, ¶ 26). Mena provides both inpatient and outpatient services. Id. Plaintiffs are all patients, or parents of patients, of Mena. Id. ¶ 33. To receive healthcare from Mena, Plaintiffs had to provide their personal information to Mena, including names, addresses, phone numbers, emails, dates of birth, Social Security numbers, insurance information, driver's licenses, and more. Id. Mena collects this information, and Mena also creates medical records for the patients that include protected health information. Id. ¶ 35. The Court will refer to this personally identifiable information and personal health information as “PII.”

On October 30, 2021, Mena was targeted by cybercriminals. Id. ¶ 1. These criminals accessed Mena's computer network and removed a number of files containing PII. Id. ¶ 2. In total, Plaintiffs allege the data breach affected 88,814 individuals. Id. ¶ 1. Mena investigated the incident and, over a year later, began notifying victims of the data breach that cybercriminals accessed the victims' PII. Id. ¶ 4. Mena did so by sending letters to patients notifying them of the data breach. Id. Plaintiffs attached examples of the letters to their complaint. See Doc. 45-2, pp. 2-4. Plaintiffs allege the cybercriminals took the following PII: “full names, dates of birth, Social Security numbers, driver's license/government identification numbers, financial account information, medical record/patient account numbers, medical diagnosis/treatment information, medical provider names, lab results, prescription information, and health insurance information.” (Doc. 45, ¶ 3). Mena offered Plaintiffs a year of complimentary credit monitoring to help mitigate any consequences of the breach. Id. ¶ 48.

Plaintiffs allege that Mena's inadequate security practices led to the breach. Id. ¶ 37. Plaintiffs also allege that “Mena does not follow industry standard practices in securing patients' Private Information, as evidenced by the Data Breach.” Id. ¶ 41. Plaintiffs' complaint includes over three pages of actions “Mena could and should have implemented.” See id. ¶¶ 77-83. Plaintiffs drew these recommendations from the United States Government, the United States Cybersecurity & Infrastructure Security Agency, and the Microsoft Threat Protection Intelligence Team. Id. ¶¶ 78-80. Plaintiffs also cite studies about the value of PII, why healthcare organizations are targets of cyberattacks, and how long it takes victims of cyberattacks to resolve any problems resulting from the attacks. See id. ¶¶ 49-70.

Plaintiffs generally allege various injuries, including (1) diminished value of their PII, (2) out-of-pocket expenses associated with mitigating the effects of the data breach, (3) lost time and opportunity mitigating the effects of the data breach, (4) loss of the benefits of their bargains with Mena, and (5) the ongoing increased risk to their PII, “which remains unencrypted and available for unauthorized third parties to access and abuse and may remain backed up in Mena's possession. . . .” Id. ¶ 12. Plaintiffs also allege each one of them “has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from [their] Private Information being placed in the hands of unauthorized third parties and possibly criminals.” Id. ¶ 105; see also id. ¶¶ 116, 129, 142, 153, 164.

In addition to these general allegations, two of the named Plaintiffs have more specific allegations. First, David Rodriguez alleges that after the data breach he received a letter from a collection agency about a fraudulent account opened in his name. Id. ¶ 99. The collection agency claimed he owed $1,400. Mr. Rodriguez alleges this has impacted his credit score and required him “to spend significant time attempting to remediate the fraud.” Id. Second, Carl Schoolfield alleges that after the data breach he received an unwanted package from Home Depot. Id. ¶ 110. He contacted Home Depot because he did not order the package. Home Depot stated a gift card was used to send the package to Mr. Schoolfield. Because the value of the package was of little value, Home Depot instructed Mr. Schoolfield to keep the package or throw it out. Home Depot said it would report the fraudulent purchase, and Mr. Schoolfield filed a police report about the fraudulent use of his home address. Id. Finally, three Plaintiffs also allege they have received increased spam texts or spam phone calls. Id. ¶¶ 117, 130, 159.

As a result of the data breach, the named Plaintiffs brought five lawsuits against Mena. The Court consolidated those actions and directed the Plaintiffs to file a consolidated amended complaint. (Doc. 28). In their consolidated class action complaint, Plaintiffs bring seven claims against Mena: (1) negligence, (2) breach of implied contract, (3) breach of fiduciary duty, (4) unjust enrichment, (5) invasion of privacy, (6) declaratory judgment, and (7) violation of the Stored Communications Act, 18 U.S.C. §§ 2701-2713. (Doc. 45).

II. Legal Standard

In ruling on a motion to dismiss, the Court must “accept as true all facts pleaded by the non-moving party and grant all reasonable inferences from the pleadings in favor of the nonmoving party.” Gallagher v. City of Clayton, 699 F.3d 1013, 1016 (8th Cir. 2012) (quoting United States v. Any & All Radio Station Transmission Equip., 207 F.3d 458, 462 (8th Cir. 2000)). “[A] complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quotations omitted). Pleadings that contain mere “labels and conclusions” or “a formulaic recitation of the elements of the cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2009). However, “Twombly and Iqbal did not abrogate the notice pleading standard of Rule 8(a)(2). Rather, those decisions confirmed that Rule 8(a)(2) is satisfied ‘when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.'” Hamilton v. Palm, 621 F.3d 816, 817 (8th Cir. 2010) (quoting Iqbal, 556 U.S. at 678). When, taken as true, the facts “raise a reasonable expectation that discovery will reveal evidence” to support a plaintiff's claim, the Court should deny a motion to dismiss. Twombly, 550 U.S. at 556.

III. Analysis

Mena has moved to dismiss all of Plaintiffs' claims for failure to state a claim upon which relief can be granted. Fed.R.Civ.P. 12(b)(6). The Court will address each claim in turn. The parties and the Court agree that Arkansas law governs the state law claims. See Doc. 47, p. 12; Doc. 48, p. 11 n.2.1F^[2]

A. Negligence

Plaintiffs allege that Mena was negligent in that Mena's inadequate security practices led to the breach. Doc. 45, ¶ 37. To state a claim for negligence under Arkansas law, Plaintiffs must allege Mena owes Plaintiffs a duty, Mena breached that duty, and Mena's breach was the proximate cause of Plaintiff's injuries. Shanner v. United States, 998 F.3d 822, 825 (8th Cir. 2021) (citing Yanmar Co. v. Slater, 386 S.W.3d 439, 449 (Ark. 2012)). The Court will decide if Mena owes Plaintiffs a duty because that is a question of law. Id. (citing D.B. Griffin Warehouse Inc. v. Sanders, 76 S.W.3d 254, 262 (Ark. 2002)).

Mena argues Plaintiffs cannot show (1) Mena owed any duty, (2) Mena breached any duty, or (3) Plaintiffs suffered any damages. (Doc. 47, p. 12). Plaintiffs assert Mena owes a duty under two theories. (Doc. 48, p. 12). First, they argue Mena owes a common law duty “based on the known risks that a failure to exercise due care would injure those who had entrusted their private information to Mena.” Id. Second, Plaintiffs argue Mena owes a statutory duty to protect their PII under a negligence per se theory. Id. The Court will address each argument in turn.

1. Common Law Duty

“Duty is a concept that arises out of the recognition that relations between individuals may impose upon one a legal obligation for the other.” Yanmar, 386 S.W.3d at 449 (citation omitted). Mena contends Plaintiffs are asking the Court to impose a new duty. (Doc. 47, p. 12). Mena describes this new duty as that of a hospital or health care entity “to protect its patients' PII from cyberattacks perpetrated by third party criminals.” Id. Plaintiffs counter that they seek no new duty under Arkansas law, but rather they seek to apply the traditional negligence principle that a duty arises out of foreseeability. (Doc. 48, p. 12).

The parties have not cited, and the Court has not found, an Arkansas case on point with the facts of this case. In this instance, “[i]f Arkansas law is unclear on whether a duty is owed, we must do our best to predict how the Arkansas Supreme Court would rule in the circumstances.” I Square Mgmt., LLC v. McGriff Ins....