Worix v. MedAssets, Inc.
Filing
47
MEMORANDUM OPINION AND ORDER signed by the Honorable Matthew F. Kennelly on 4/24/12. (mk)
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
BRANDON WORIX, individually and on
behalf of all others similarly situated,
Plaintiff,
vs.
MEDASSETS, INC.
Defendant.
)
)
)
)
)
)
)
)
)
)
Case No. 11 C 8088
MEMORANDUM OPINION AND ORDER
MATTHEW F. KENNELLY, District Judge:
Brandon Worix, on behalf of himself and a putative class of similarly situated
individuals, has sued MedAssets, Inc. for its alleged failure to implement adequate
safeguards to protect his personal information and to notify him properly when a
computer hard drive containing that information was stolen. In an earlier decision, the
Court dismissed Worix’s complaint pursuant to Federal Rule of Civil Procedure 12(b)(6)
and gave him the opportunity to submit an amended complaint. See Worix v.
MedAssets, Inc., No. 11 C 8088, 2012 WL 787210 (N.D. Ill. Mar. 8, 2012). Worix has
filed a combined motion asking the Court to reconsider its dismissal of count one and
allow him to amend counts two and three (formerly counts two and four). For the
reasons stated below, the Court denies the motion to reconsider and grants in part the
motion to amend.
Background
Worix’s claims concern the theft from a MedAssets employee’s car of a hard
drive containing information about him and thousands of other patients of the Cook
County Health & Hospitals System. The Court assumes familiarity with the more
detailed factual summary in its previous decision. See Worix, 2012 WL 787210, at *1.
In that decision, the Court dismissed Worix’s claim under the Stored Communications
Act (SCA) after concluding that MedAssets’ alleged failure to implement certain dataprotecting safeguards could not constitute “knowingly divulging” information under the
SCA. Id. at *2. The Court also dismissed Worix’s claims for negligence and violation of
the Illinois Consumer Fraud Act (ICFA), 815 ILCS 505/2, after concluding that his
allegations that he is subject to an increased risk of identity theft and must pay for credit
monitoring did not constitute compensable injury.
In his proposed amended complaint, Worix alleges that after MedAssets notified
him of the theft, he “fell into a state of extreme emotional distress and depression as he
worried that the exposure of his personal information would make him vulnerable to
identity theft or credit-card theft.” Am. Compl. ¶ 17. He alleges that he also
“experienced distress over the serious and permanent invasion of his privacy” that
“caused him to have problems concentrating during the day and problems sleeping at
night.” Id. ¶ 18. These problems eventually “prevented him from meeting performance
expectations at work, and he was terminated in late 2011 as a result.” Id. ¶ 19.
Discussion
A.
Motion to reconsider
Worix has moved the Court to reconsider its dismissal of count one. “Motions for
reconsideration serve a limited function: to correct manifest errors of law or fact or to
present newly discovered evidence.” Caisse Nationale de Crédit Agricole v. CBI Indus.,
2
Inc., 90 F.3d 1264, 1269 (7th Cir. 1996) (internal quotation marks and citation omitted).
“A ‘manifest error’ is not demonstrated by the disappointment of the losing party.” Oto
v. Metro. Life Ins. Co., 224 F.3d 601, 606 (7th Cir. 2000). Rather, “[i]t is the wholesale
disregard, misapplication, or failure to recognize controlling precedent.” Id. (internal
quotation marks and citation omitted).
In count one, Worix seeks relief under the SCA, which provides that “a person or
entity” providing either an “electronic communication service” or a “remote computing
service to the public shall not knowingly divulge to any person or entity the contents of a
communication” stored or carried on that service. 18 U.S.C. § 2702(a)(1)-(2). In its
previous decision, the Court determined that the question of whether information had
been “knowingly divulge[d]” should be analyzed according to “the common meaning of
knowing conduct[, which] includes willful blindness, but not recklessness or negligence.”
Worix, 2012 WL 787210 at *3. The Court then concluded that “the failure to take
reasonable steps to safeguard data,” which was all Worix had alleged, “does not,
without more, amount to divulging that data knowingly or with willful blindness.” Id. at
*4.
Worix argues that the Court erred in dismissing his claim at the pleading stage,
because “evidence procured during the discovery phase of this case [may] provide the
required proof that MedAssets took deliberate actions to turn a blind eye to the critical
security threat created by its lax practices.” Pl.’s Mem. at 3. As the Court explained in
its previous decision, however, Worix nowhere alleges an actual act by MedAssets that
constituted knowing disclosure, only that MedAssets’ actions created or contributed to
an unacceptable risk that data would be compromised. And the question is whether
3
Worix’s allegations are sufficient now, not whether evidence he might later obtain could
give rise to a viable claim.
The cases referenced in the Court’s decision, despite the fact that they
addressed motions for summary judgment rather than dismissal, support this analysis.
See Global-Tech Appliances, Inc. v. SEB S.A., 131 S.Ct. 2060, 2070-71 (2011)
(comparing “a willfully blind defendant [who] almost can be said to have actually known
the critical facts” with “a reckless defendant . . . who merely knows of a substantial and
unjustified risk of such wrongdoing”); Freedman v. America Online, Inc., 329 F. Supp.
2d 745, 749 (E.D. Va. 2004) (noting that the SCA requires a plaintiff to show that
“defendant was aware, or possessed a firm belief, that his act would result in”
disclosure) (emphasis added); Muskovich v. Crowell, No. 3-95-CV-20007, 1996 WL
707008, at *5 (S.D. Iowa Aug. 30, 1996) (finding that employer whose failure to
implement safeguards had resulted in data breach did not “knowingly divulge” because
“[a]wareness of a ‘possibility’ does not rise to the level of a ‘substantial certainty’
required for liability under the [SCA]”).
The Seventh Circuit’s interpretation of “willful blindness” in other contexts also
supports the proposition that conscious awareness of unauthorized disclosure is
required, not simply an unjustifiable risk that a defendant’s actions will lead to further
wrongdoing. See, e.g., United States v. Pedroza, 176 Fed. Appx. 698, 700-01 (7th Cir.
2006) (“[A] court may instruct a jury as to willful blindness when the facts support an
inference that the defendant participated in a drug deal but left the scene of the sale to
insulate himself from guilty knowledge of the transaction.”); Hard Rock Cafe Licensing
Corp v. Concession Servs., Inc., 955 F.2d 1143 (7th Cir. 1992) (“To be willfully blind [for
4
purposes of the Lanham Act], a person must suspect wrongdoing and deliberately fail to
investigate.”).
For these reasons, the Court denies Worix’s motion to reconsider its dismissal of
count one.
B.
Motion to amend
MedAssets argues that Court should not grant Worix’s motion to amend because
the complaint, even as amended, would not withstand a motion to dismiss. A court may
deny a plaintiff the opportunity to amend when this is the case. General Elec. Capital
Corp. v. Lease Resolution Corp., 128 F.3d 1074, 1085 (7th Cir. 1997). “Dismissal for
failure to state a claim under Rule 12(b)(6) is proper ‘when the allegations in a
complaint, however true, could not raise a claim of entitlement to relief.’” Virnich v.
Vorwald, 664 F.3d 206, 212 (7th Cir. 2011) (quoting Bell Atlantic Corp. v. Twombly, 550
U.S. 544, 558 (2007)). “In reviewing a plaintiff’s claim, the court must construe all of the
plaintiff’s factual allegations as true, and must draw all reasonable inferences in the
plaintiff’s favor.” Id. “To survive a motion to dismiss, a complaint must contain sufficient
factual matter, accepted as true, to state a claim to relief that is plausible on its face.”
Iqbal, 129 S. Ct. at 1949 (internal quotation marks and citation omitted).
1.
Negligence
As the Court explained above, Worix has amended his negligence claim to assert
that he suffered from emotional distress as a result of the theft of his data. MedAssets
argues that the claim nonetheless cannot survive because, as a matter of negligence
law, MedAssets owed Worix no duty to protect his information or notify him of the theft,
and Worix suffered no compensable injuries.
5
MedAssets contends first that the letter it sent notifying customers of the theft,
which Worix has attached to his complaint, stated that the compromised information
“included names, encounter numbers and administrative information but NOT Plaintiff’s
address, birth date or social security number.” Def.’s Resp. at 9. It argues that Worix
has therefore pleaded himself out of court because none of the stolen information was
sensitive. As Worix points out, however, the complaint alleges that the hard drive
contained more than just this information. The fact MedAssets’ letter only described
certain information does not conclusively indicate that only that information was
revealed. Moreover, the terms “encounter numbers” and “administrative information”
are not defined, and it is therefore possible that even the information referenced in the
letter was sensitive in some way.
MedAssets also argues, however, that it had no legal duty to protect even
sensitive information. “[U]nless a duty is owed, there is no negligence.” Washington v.
City of Chicago, 188 Ill. 2d 235, 238, 720 N.E.2d 1030, 1032 (1999) (internal quotation
marks and citation omitted). MedAssets cites a case in which the Illinois Appellate
Court considered the claims of employees whose personal information was sent to
other employees along with a routine medical insurance mailing. The court determined
that, although “[a] violation of a statute designed to protect human life and property may
be used as prima facie evidence of negligence,” neither the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320(d)(6), nor Illinois’ Personal
Information Protection Act (PIPA), 815 ILCS 530/1, provided a basis for finding that the
defendant had a duty not to disclose the disputed information. Cooney v. Chi. Pub.
Schs., 407 Ill. App. 3d 358, 361-62, 943 N.E.2d 23, 28 (2010).
6
Worix does not dispute this aspect of the holding in Cooney. He argues,
however, that his case is distinguishable because “MedAssets’ duty derives from its
responsibility to consumers to reasonably handle and safeguard the patient medical
information with which it is entrusted.” Pl.’s Reply at 7-8. Worix cites no authority for
this proposition, nor does he address the fact that the court in Cooney specifically
declined to
recognize a “new common law duty” to safeguard information. [Plaintiffs] claim a
duty is justified by the sensitive nature of personal data such as dates of birth
and social security numbers. Plaintiffs do not cite to an Illinois case that supports
this argument. While we do not minimize the importance of protecting this
information, we do not believe that the creation of a new legal duty beyond
legislative requirements already in place is part of our role on appellate review.
Cooney, 407 Ill. App. 3d at 363, 943 N.E.2d at 28-29. In light of this statement, the
Court – as with Worix’s injury claims in its previous decision – “decline[s] to adopt a
‘substantive innovation’ in [Illinois] law or ‘to invent what would be a truly novel tort
claim’ on behalf of the state absent some authority to suggest that the approval of the
Supreme Court of [Illinois] is forthcoming.” Pisciotta v. Old Nat. Bancorp, 499 F.3d 629,
640 (7th Cir. 2007) (citations omitted). Worix’s claim that MedAssets breached its duty
to protect his information fails.
Worix also alleges in his complaint that MedAssets “breached its duty of care by
failing to provide accurate, prompt, and clear notification to Plaintiff and members of the
Class that their personal and/or medical data had been compromised.” Am. Compl. ¶
11. MedAssets argues in its response that, because none of the information was
sensitive, there was no duty to notify Worix about the theft. As the Court described
above, this argument fails because Worix’s allegations that the information was
7
sensitive must be taken as true.
Worix does not respond to MedAssets’ argument in his reply, but the parties
discussed this issue in their earlier round of briefs. In his response to MedAssets’
motion to dismiss, Worix argued that both PIPA and HIPAA can serve as statutory
sources for MedAssets’ duty to disclose the breach promptly. The relevant provision of
PIPA states:
Any data collector that maintains computerized data that includes personal
information that the data collector does not own or license shall notify the owner
or licensee of the information of any breach of the security of the data
immediately following discovery, if the personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
815 ILCS 530/10(b). In response, MedAssets pointed out that the previous section of
the statute establishes that “[a]ny data collector that owns or licenses personal
information concerning an Illinois resident shall notify the resident” in the event of a
breach. 815 ILCS 530/10(a) (emphasis added). Thus, the statute as a whole treats an
“owner or licensee” differently from an “Illinois resident” in connection with disclosure
obligations. Because Worix is the latter rather than the former – he is not the “owner or
licensee” of the information that MedAssets held – MedAssets did not owe him a duty of
prompt disclosure under section 10(b). (Worix did not argue that MedAssets was an
owner or licensee of information and was therefore bound by section 10(a).) The Court
finds this reading of the statute persuasive and concludes that Worix cannot rely on
PIPA to establish MedAssets’ duty to inform him of the theft.
In their earlier briefing, the parties agreed that for HIPAA to provide a statutory
basis for the duty to inform (or to protect the data in the first place), MedAssets must be
a “covered entity” according to the statute and its regulations. A “covered entity” is
8
defined “a health plan,” a “health care clearinghouse,” or a “health care provider who
transmits any health information in electronic form . . . .” 45 C.F.R. § 160.103. Worix
argued that MedAssets is a “health care clearinghouse,” which is defined as a
public or private entity, including a billing service, repricing company, community
health management information system or community health information system,
and “value-added” networks and switches, that does either of the following
functions:
(1) Processes or facilitates the processing of health information received from
another entity in a nonstandard format or containing nonstandard data content
into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or
facilitates the processing of health information into nonstandard format or
nonstandard data content for the receiving entity.
Id.
Although Worix states in his complaint that MedAssets is a “covered entity,” Am
Compl. ¶ 7, “legal conclusions and conclusory allegations merely reciting the elements
of the claim are not entitled to [the] presumption” of truth. Virnich, 664 F.3d at 212
(citing Ashcroft v. Iqbal, 129 S. Ct. 1937, 1951 (2009)). Worix argues that MedAssets’
description of itself as a “financial improvement partner for healthcare providers,”
coupled with the fact that it had patient data in its possession, establishes that it meets
the definition of a health care clearinghouse. The only allegations in the complaint
specifically describing MedAssets, however, state that it “provides physicians and
hospitals with the ability to communicate patients’ medical records electronically,” Am.
Compl. ¶ 37; MedAssets’ “equipment is used for the electronic storage and remote
processing of patient medical records,” id. ¶ 41; and MedAssets “agree[d] to accept
Plaintiff’s and Class members’ non-public personal and/or medical information through
9
its partnership with various hospitals,” id. ¶ 47. As MedAssets argues, none of these
statements amounts to an allegation that MedAssets performs the functions specified
under the regulatory definition of a health care clearinghouse.
Worix also argued that MedAssets is a “business associate” of Cook County
hospitals, which MedAssets did not dispute, and that MedAssets therefore “qualifies as
a ‘covered entity’ . . . because . . . a covered entity may be a business associate of
another covered entity.” Pl.’s Resp. to Def.’s Mot. to Dismiss at 13. The fact that a
covered entity may be a business associate, however, does not mean that a business
associate is automatically a covered entity, and Worix provides no authority to suggest
otherwise. And as MedAssets points out, HIPAA’s obligations regarding business
associates do not establish a basis for Worix’s claims in this case. See Floyd v.
SunTrust Banks, Inc., 1:10-CV-2620, 2011 WL 2441744, at *4 (N.D. Ga. June 13,
2011).
For these reasons, the Court concludes that neither Illinois common law, PIPA,
nor HIPAA provides a basis for Worix’s negligence claims. The Court therefore denies
Worix’s motion to amend count two of his complaint. The Court’s earlier order
dismissing this count stands.
2.
ICFA
MedAssets argues that Worix’s ICFA claim cannot survive because he has failed
to allege a deceptive or unfair trade practice. MedAssets first contends that Worix has
not identified the circumstances of the alleged deception with the necessary
particularity. Worix responds that he has alleged unfair, rather than deceptive, conduct
under ICFA. “Because neither fraud nor mistake is an element of unfair conduct under
10
Illinois’ Consumer Fraud Act, a cause of action for unfair practices . . . need only meet
the notice pleading standard of Rule 8(a), not the particularity requirement in Rule 9(b).”
Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs., Inc., 536 F.3d 663,
669 (7th Cir. 2008).
MedAssets next argues that Worix has not identified a specific instance of
deceptive communication. Again, however, ICFA does not require a plaintiff alleging an
unfair act to plead fraud or deception. Instead, unfair acts are analyzed based on “(1)
whether the practice offends public policy; (2) whether it is immoral, unethical,
oppressive, or unscrupulous; (3) whether it causes substantial injury to all consumers.”
Id. (quoting Robinson v. Toyota Motor Credit Corp., 201 Ill.2d 403, 417-18, 775 N.E.2d
951, 961 (2002)) (internal quotation marks omitted). “A court may find unfairness even
if the claim does not satisfy all three criteria . . . ‘because of the degree to which it meets
one of the criteria or because to a lesser extent it meets all three.’” Id. The statute also
states that courts construing it shall give “consideration . . . to the interpretations of the
Federal Trade Commission and the federal courts relating to Section 5(a) of the Federal
Trade Commission Act.” 815 ILCS 505/2.
Another judge in this district recently considered the case of a retailer whose
allegedly inadequate security procedures had allowed the placement of counterfeit
credit card machines in its stores, resulting in fraudulent withdrawals from customer
accounts. The judge determined that the “[p]laintiffs’ allegations show that [the
defendant] ignored its obligation to implement procedures and practices preventing the
criminal conduct” and that plaintiffs thereby alleged “an unfair practice under the ICFA.”
In re Michaels Stores Pin Pad Litig., __ F. Supp. 2d __, No. 11 C 3350, 2011 WL
11
5878373, at *5 (N.D. Ill. Nov. 23, 2011). The judge cited a case in which the First
Circuit drew upon Federal Trade Commission precedent in determining that a
company’s alleged disregard for required security measures could constitute
“inexcusable and protracted reckless contract” that was actionable under
Massachusetts’ consumer fraud statute, which is similar to ICFA. In re TJX Cos. Retail
Sec. Breach Litig., 564 F.3d 489, 496 (1st Cir. 2009). The Court finds these cases
persuasive and concludes that Worix has adequately alleged an unfair practice under
the ICFA.
MedAssets’ final argument is that Worix has not alleged that he suffered
compensable injury. MedAssets maintains that Worix’s assertions are insufficient
because he does not state a specific amount of economic damage, his alleged anxiety
is insufficiently severe, and his fear of future harm is not a compensable injury in itself.
Worix himself points out that ICFA “provides remedies for purely economic injuries” and
a plaintiff who alleges “only emotional damages” cannot make a successful claim.
Morris v. Harvey Cycle and Camper, Inc., 392 Ill. App. 3d 399, 402, 911 N.E.2d 1049,
1053 (2009).
MedAssets provides no support for the propositions that a plaintiff must
specifically state the amount of damages he seeks in his complaint or must plead
emotional distress of a specific degree of severity to succeed on a claim under ICFA.1
MedAssets argues generally that under Illinois law, “emotional distress will not
constitute legally cognizable damages unless the distress is particularly severe.” Def.’s
Resp. at 11. Its particular argument on this point, however, focuses on whether a
defendant can foresee the degree of severity of a plaintiff’s distress. Although
MedAssets maintains that the claimed severit of Worix’s distress was unforeseeable,
1
(continued...)
12
Although MedAssets is correct that fear of future harm is not an injury in itself, Worix
has also pled that the theft caused him emotional distress to such a degree that he lost
his job. Coupled with allegations of otherwise compensable injury, a plaintiff may claim
that “an increased risk of harm is an element of damages that can be recovered for a
present injury [even] if it is not the injury itself.” Williams v. Manchester, 228 Ill. 2d 404,
425, 888 N.E.2d 1, 13 (2008) (emphasis in original). And although Morris establishes
that Worix’s alleged damages would be insufficient if he had alleged only emotional
distress, he also asserts that he suffered economic damage based on his lost
employment. “[D]amages for [emotional distress, inconvenience, and] aggravation are
compensable under the Consumer Fraud Act only when they are part of a total award
that includes actual economic damages.” Morris, 392 Ill. App. 3d at 403, 911 N.E.2d at
1053. The Court concludes that the combination of damages Worix has alleged – a risk
of future harm, the cost of credit monitoring, emotional distress, and lost wages –
constitutes a sufficient allegation of compensable injury under the ICFA.
For these reasons, the Court grants Worix’s motion to amend count three
(formerly count four) of his complaint. The ICFA claim survives MedAssets’ motion to
dismiss.
3.
Class allegations
MedAssets argues that the amended complaint “cannot withstand a motion to
1
(...continued)
the validity of that argument depends on (perhaps among other things) MedAssets’
contention that no sensitive information was disclosed. That contention, which would
require the Court to construe the facts in a way contrary to Worix’s allegation, is one
that the Court cannot appropriately adopt when considering a motion to dismiss for
failure to state a claim.
13
dismiss because it does not satisfy the requirements of Rule 23(b)(3), because
individual issues predominate over common questions of fact or law.” Def.’s Resp. at 7.
This is not a basis for dismissing any of Worix’s claims, which stand or fall irrespective
of whether he can later persuade the Court to certify a class.
In any event, “a court may abuse its discretion by not allowing for appropriate
discovery before deciding whether to certify a class.” Damasco v. Clearwire Corp., 662
F.3d 891, 897 (7th Cir. 2011). The Court concludes that it would be premature to strike
all or part of Worix’s complaint, or to rule preemptively that no class claims may be
asserted, before there is any evidence regarding the claims of other potential class
members.
Conclusion
For the reasons stated above, the Court grants in part Worix’s combined motion
to reconsider and amend [docket no. 37]. The Court denies the motion to reconsider its
dismissal of count one and denies Worix’s request to amend count two, but it grants
Worix’s request to amend count three. The case remains set for a status hearing on
April 24, 2012 at 9:30 a.m. to set a schedule for further proceedings.
________________________________
MATTHEW F. KENNELLY
United States District Judge
Date: April 24, 2012
14
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?