Weisenberger v. Ameritas Mut. Holding Co.
| Decision Date | 07 April 2022 |
| Docket Number | 4:21-CV-3156 |
| Parties | Cynthia WEISENBERGER, individually and on behalf of others similarly situated, Plaintiff, v. AMERITAS MUTUAL HOLDING COMPANY, Defendant. |
| Court | U.S. District Court — District of Nebraska |
Jason S. Rathod, Nicholas Migliaccio, Migliaccio, Rathod Law Firm, Washington, DC, Vincent M. Powers, Powers Law Firm, Lincoln, NE, for Plaintiff.
Kristine M. Brown, Pro Hac Vice, Marguerite A. Miller, Pro Hac Vice, Alston, Bird Law Firm, Atlanta, GA, Victoria H. Buter, Kutak, Rock Law Firm, Omaha, NE, for Defendant.
The plaintiff, Cynthia Weisenberger, alleged in her amended complaint class action claims concerning a data breach affecting at least 39,675 of the defendant's customers. Filing 12 at 1. The defendant has moved to dismiss the plaintiff's amended complaint pursuant to Fed. R. Civ. P. 12(b)(1) arguing that the plaintiff lacks Article III standing, and pursuant to Fed. R. Civ. P. 12(b)(6) arguing that the plaintiff failed to state a plausible claim upon which relief may be granted. Filing 14. The Court will deny the defendant's motion in part, and grant the motion in part.
A motion pursuant to Fed. R. Civ. P. 12(b)(1) challenges whether the court has subject matter jurisdiction. The party asserting subject matter jurisdiction bears the burden of proof. Great Rivers Habitat Alliance v. Federal Emergency Management Agency , 615 F.3d 985, 988 (8th Cir. 2010). The court has substantial authority to determine whether it has jurisdiction. Osborn v. United States , 918 F.2d 724, 730 (8th Cir. 1990). A Rule 12(b)(1) motion can be presented as either a "facial" or "factual" challenge. Osborn , 918 F.2d at 729 n.6. This case presents a facial challenge. When reviewing a facial challenge, the court restricts itself to the face of the pleadings, and the nonmovant receives the same protections as it would facing a Rule 12(b)(6) motion. Id.
To survive a Rule 12(b)(6) motion to dismiss, a complaint must set forth a short and plain statement of the claim showing that the pleader is entitled to relief. Fed. R. Civ. P. 8(a)(2). This standard does not require detailed factual allegations, but it demands more than an unadorned accusation. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). The complaint must provide more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not suffice. Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007).
A complaint must also contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. Id. Where the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged—but it has not shown—that the pleader is entitled to relief. Id. at 679, 129 S.Ct. 1937.
In assessing a motion to dismiss, a court must take all the factual allegations in the complaint as true, but is not bound to accept as true a legal conclusion couched as a factual allegation. Twombly , 550 U.S. at 555, 127 S.Ct. 1955. The facts alleged must raise a reasonable expectation that discovery will reveal evidence to substantiate the necessary elements of the plaintiff's claim. See id. at 545, 127 S.Ct. 1955. The court must assume the truth of the plaintiff's factual allegations, and a well-pleaded complaint may proceed, even if it strikes a savvy judge that actual proof of those facts is improbable, and that recovery is very remote and unlikely. Id. at 556, 127 S.Ct. 1955.
A motion to dismiss under Rule 12(b)(6) tests only the sufficiency of the allegations in the complaint, not the sufficiency of the evidence alleged in support of those allegations. Stamm v. Cty. of Cheyenne, Neb. , 326 F. Supp. 3d 832, 847 (D. Neb. 2018) ; Harrington v. Hall Cty. Bd. of Supervisors , No. 4:15-CV-3052, 2016 WL 1274534, at *4 (D. Neb. Mar. 31, 2016).
The plaintiff is a resident of North Carolina. Filing 12 at 2. The defendant is a Nebraska-based insurance company that operates nationally, and provides several different insurance products to consumers. Filing 12 at 4. The plaintiff alleged that for the last three years, she had purchased a policy of dental insurance from the defendant. Filing 12 at 3. Sometime around May 1 to June 4, 2019, the defendant's information systems were breached by cybercriminals, and the plaintiff's personally identifiable information (PII) was accessed, along with the PII of at least 39,675 other individuals who were also insured by the defendant. Filing 12 at 1. According to the plaintiff, the PII data compromised by the data breach included names, addresses, email addresses, dates of birth, Social Security numbers, member identification numbers, policyholder names and numbers, and identification of the insureds’ employers.
The plaintiff alleged that she was not notified that her PII had been compromised until August 13, 2019. Filing 12 at 2. The notification letter the defendant sent advised the plaintiff that there had been a data breach, identified the kind of PII that may have been compromised, and advised her to contact the Federal Trade Commission (FTC). Filing 12 at 3. As advised, the plaintiff contacted the FTC and had a fraud alert put on her information. The plaintiff also reported the data breach to her local police department, who informed her that they could not help. In its notification letter, the defendant offered to provide a year of credit monitoring. The plaintiff, however, declined the defendant's offer believing that the defendant's credit monitoring offer would be ineffective to protect her PII because she would be required to share her private information with a credit monitoring agency who could not guarantee complete privacy of her PII. The plaintiff alleged that in the two years since the data breach, she's lost $280 due to fraudulent activity on her Amazon account, had two email accounts compromised, and had to replace credit cards five times. Filing 12 at 3. She has also received targeted advertising for credit monitoring services.
According to the plaintiff, the cybercriminals were able to breach the defendant's systems through a phishing attack where between May and June 2019, several of the defendant's associates gave hackers access to their email credentials, thus compromising a large number of email inboxes. Filing 12 at 5. It is likely that the PII obtained by the hackers is now for sale on the dark web. Filing 12 at 6. The plaintiff alleged that the data breach occurred because the defendant failed to take reasonable measures to protect the PII it collected and stored. The defendant, according to the plaintiff, failed to implement data security measures designed to prevent phishing attacks despite repeated warnings to the healthcare industry, insurance companies, and other associated industries, about the risk of cyberattacks, and the highly publicized occurrence of many similar attacks on healthcare providers in the recent past.
The plaintiff alleged that as part of the insurance agreement, the defendant promised the plaintiff and all of its insureds that it would maintain the security and privacy of all personal information. Filing 12 at 7. Further, according to the plaintiff, the HIPAA Notice of Privacy Practices that the defendant sent to its insureds specifically informed them that the defendant was required by law to maintain the privacy and security of protected health information, that the defendant would promptly let its insureds know if a data breach occurred which compromised an insured's privacy or security information, and that it must follow the duties and privacy practices described in its Notice.
A plaintiff invoking the jurisdiction of the court must demonstrate Article III standing to sue. In re SuperValu, Inc. , 870 F.3d 763, 768 (8th Cir. 2017). Standing is comprised of three elements. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). First, the plaintiff must have suffered an injury-in-fact—an invasion of a legally protected interest which is concrete and particularized, as well as actual or imminent, and not conjectural or hypothetical. Id. Second, the injury must be causally connected to the defendant's conduct—meaning, the injury has to be fairly traceable to the challenged action of the defendant, and not the result of independent action of some third party not before the court. Id. Third, it must be likely, and not merely speculative, that the injury will be addressed by a favorable decision. Id. at 561, 112 S.Ct. 2130.
Here, the defendant only asserts and argues that the plaintiff's amended complaint failed to plausibly demonstrate that the injuries she alleged are fairly traceable to the defendant's conduct. Filing 15 at 5-8. The defendant argues that the specific categories of PII that the plaintiff claimed were accessed by hackers are not connected to the specific harms that she suffered. Filing 15 at 7. The plaintiff's claims regarding unauthorized charges and the need to replace credit cards, according to the defendant, are not traceable to the defendant's data breach because there are no allegations that credit card data was accessed in the cyberattack. Also, according to the defendant, the plaintiff's allegation that her email accounts were compromised is not fairly traceable to the data breach because there are no allegations that passwords to access her email accounts were provided to the defendant or accessed by the cybercriminals.
The Court is unpersuaded. First, the defendant doesn't dispute that the plaintiff's...
To continue reading
Request your trial