IN RE HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION
Filing
157
OPINION. Signed by Judge Claire C. Cecchi on 12/21/2021. (ld, )
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 1 of 14 PageID: 2176
NOT FOR PUBLICATION
UNITED STATES DISTRICT COURT
DISTRICT OF NEW JERSEY
IN RE HORIZON HEALTHCARE SERVICES
INC. DATA BREACH LITIGATION
Civil Action No.: 2:13-cv-07418
OPINION
CECCHI, District Judge.
This matter comes before the Court on the motion of Defendant Horizon Healthcare
Services, Inc. (“Defendant”) to dismiss the amended putative class complaint (the “Amended
Complaint”) of Plaintiffs Mark Meisel, Karen Pekelney, and Mitchell Rindner 1 (“Plaintiffs”). ECF
No. 40. The Court held oral argument in this matter. ECF No. 100 (“Tr.”). For the reasons set
forth below, Defendant’s motion to dismiss is granted.
I.
BACKGROUND
Defendant is a New Jersey-based company that provides health insurance products and
services to approximately 3.7 million members. ECF No. 36 (“Am. Compl.”) ¶¶ 11–12. In its
normal course of business, Defendant maintains its members’ personal and medical information,
including names, birth dates, Social Security numbers, addresses, medical histories, and insurance
information. Id. ¶ 1. During the weekend of November 1–3, 2013, an unknown thief stole two
password-protected laptop computers—containing information of more than 839,000 members—
from Defendant’s headquarters in Newark, New Jersey. Id. ¶¶ 2, 32, 37. Defendant reported the
incident to the Newark Police Department on November 4, 2013 and began an investigation into
the amount and type of information stored on the stolen laptops. Id. ¶ 37. On December 6, 2013,
Defendant notified potentially affected members of the theft via letter and press release. Id. The
press release stated that “the laptops may have contained files with differing amounts of member
1
Plaintiff Courtney Diana voluntarily dismissed her individual claims in July 2017. ECF No. 94.
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 2 of 14 PageID: 2177
information, including name and demographic information (e.g., address, member identification
number, date of birth), and in some instances, a Social Security number and/or limited clinical
information.” Id. As a result of the breach, Defendant offered potentially affected members “one
year of credit monitoring and identity theft protection services through Experian’s ProtectMyId
Alert.” Id. ¶ 62.
On December 11, 2013, Plaintiffs filed a putative class action complaint on behalf of
themselves and all others similarly situated (ECF No. 1), which was later amended on June 27,
2014. Am. Compl. ¶ 4. In the Amended Complaint, Plaintiffs asserted federal causes of action
under the Fair Credit Reporting Act (“FCRA”) and several state law causes of action. Id. ¶¶ 76–
170. Thereafter, Defendant moved to dismiss Plaintiffs’ Amended Complaint for lack of standing.
ECF No. 40. On March 31, 2015, the Court granted Defendant’s motion to dismiss Plaintiffs’
Amended Complaint without prejudice, finding that Plaintiffs lacked Article III standing to bring
their federal claims. ECF Nos. 47, 48.
In lieu of filing an amended pleading, Plaintiffs asked the Court to enter a final judgement,
and subsequently filed a notice of appeal on May 21, 2015. ECF No. 51. On January 20, 2017,
the Third Circuit, reviewing this Court’s March 31, 2015 Opinion and Order, observed that “a pair
of recent cases touching upon this question” were rendered after this Court’s March Opinion and
that its “pronouncements in this area have not been entirely consistent.” ECF No. 55-1 at 19.
Accordingly, the Third Circuit vacated this Court’s Opinion and Order, finding that standing
existed, and remanded for further proceedings on the merits, which had not yet been addressed by
the District Court. Id. at 32. On April 17, 2017, the Court entered a consent order establishing a
briefing schedule for revised memoranda of law regarding Defendant’s motion to dismiss. ECF
No. 68. The Court held oral argument. ECF No. 100. The parties thereafter filed several
2
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 3 of 14 PageID: 2178
submissions (ECF Nos. 70, 75, 78), including Defendant’s Notice of Supplemental Authority, on
January 31, 2019 (ECF No. 125) and Plaintiffs’ response, on February 20, 2019 (ECF No. 128).
The Court has duly considered all submissions. All efforts at mediation have been unsuccessful.
See, e.g., ECF No. 95.
II.
LEGAL STANDARD
To survive dismissal pursuant to Federal Rule of Civil Procedure 12(b)(6), a complaint
“must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible
on its face.’” Ashcroft v. Iqbal, 556 U.S. 662 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S.
544, 570 (2007)). In evaluating the sufficiency of a complaint, the Court accepts all well-pleaded
factual allegations in the complaint as true and draws all reasonable inferences in favor of the nonmoving party. See Phillips v. Cty. of Allegheny, 515 F.3d 224, 234 (3d Cir. 2008).
“Factual
allegations must be enough to raise a right to relief above the speculative level.” Twombly, 550
U.S. at 555. “A pleading that offers ‘labels and conclusions . . . will not do.’ Nor does a complaint
suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’” Iqbal, 556 U.S.
at 678 (citations omitted). Additionally, “the tenet that a court must accept as true all of the
allegations contained in a complaint is inapplicable to legal conclusions. Threadbare recitals of
the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id.
III.
DISCUSSION
A.
Fair Credit Reporting Act
Preliminarily, the Court notes that the Third Circuit, in its opinion vacating this Court’s
March 31, 2015 Opinion and Order, did not pass judgment on the merits of Plaintiffs’ FCRA
3
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 4 of 14 PageID: 2179
claims as it assumed, only for the purposes of the standing inquiry, that FCRA was violated. 2
Accordingly, the question of whether Defendant is subject to liability under FCRA is properly
before this Court.
Plaintiffs allege that Defendant willfully (Count I) and negligently (Count II) violated
FCRA by failing to adopt and maintain reasonable procedures to protect the confidentiality and
proper utilization of Plaintiffs’ personal and insurance information. Am. Compl. ¶¶ 76–102.
Defendant moves to dismiss Plaintiffs’ FCRA claims on the grounds that (1) Defendant is not
subject to liability under FCRA because it not a consumer reporting agency and (2) even if it were,
Defendant did not furnish or disclose information in violation of FCRA. ECF No. 70 (“Def. Br.”)
at 7–18. The Court addresses each argument in turn.
1.
Consumer Reporting Agency
First, Defendant argues that it is “not a ‘consumer reporting agency’ subject to FCRA
liability” because, as the Amended Complaint notes, it is a health insurance company. Id. at 9; Tr.
at 10:8–11, 35:20–36:16. As this Court has previously stated:
The purpose of FCRA [i]s to “require that consumer reporting agencies adopt
reasonable procedures for meeting the needs of commerce for consumer credit,
personnel, insurance, and other information in a manner which is fair and equitable
to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper
utilization of such information.”
Crisafulli v. Amertias Life Ins. Corp., No. 13-5937, 2015 WL 1969176, at *6 (D.N.J. Apr. 30,
2015) (quoting 15 U.S.C. § 1681(b)). Plaintiffs are attempting to bring FCRA claims against
2
See ECF No. 55-1 at 13–14 n.9 (“In its 12(b)(6) motion, which is not before us, [Defendant]
questions whether it is bound by FCRA. . . . Because we are faced solely with an attack on
standing, we do not pass judgment on the merits of those questions. Our decision should not be
read as expanding a claimant’s rights under FCRA. Rather, we assume for purposes of this appeal
that FCRA was violated, as alleged, and analyze standing with that assumption in mind.”); see also
id. at 22 n.16 (“Again, whether [Plaintiffs’] injur[ies are] actionable under FCRA is a different
question, one which we are presently assuming (without deciding) has an affirmative answer.”)).
4
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 5 of 14 PageID: 2180
Defendant on the basis that it is a consumer reporting agency. See id. (“FCRA imposes duties on
two types of entities,” including “consumer reporting agencies[.]”). “Thus, to successfully state
a claim for a willful or negligent violation of FCRA, Plaintiff[s] must first sufficiently plead that
Defendant is a ‘consumer reporting agency.’” Dolmage v. Combined Ins. Co. of Am., No. 14-3809,
2015 WL 292947, at *3 (N.D. Ill. Jan. 21, 2015). 3 Plaintiffs have failed to do so.
A consumer reporting agency is defined as “any person which, for monetary fees, dues, or
on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling
or evaluating consumer credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). 4 “Although ‘furnish’ is not
defined in FCRA, courts generally use the term to describe the active transmission of information
to a third-party rather than a failure to safeguard the data.” Dolmage, 2015 WL 292947, at *3.
Plaintiffs argue that Defendant is a CRA because:
On a cooperative nonprofit basis or for monetary fees, Defendant regularly
assembles consumer information including, among other things, insurance policy
information, such as names, dates of birth, and Social Security Numbers of those
insured; claims information, such as the date of loss, type of loss, and amount paid
for claims submitted by an insured; and a description of insured items. Defendant
also regularly utilizes interstate commerce to furnish such information on
consumers (consumer reports) to third parties.
3
Although FCRA contains provisions that create certain requirements and prohibitions applicable
to persons or entities other than consumer reporting agencies (such as users of consumer reports
and furnishers of information to consumer reporting agencies), the Complaint proceeds on the
basis that Defendant is a consumer reporting agency. See Am. Compl. ¶ 80; ECF 41 at 29 (Plaintiffs
argue that “FCRA applies to [Defendant] because [Defendant] is a consumer reporting agency
under the statute.”) (citing 15 U.S.C. § 1681a(f)).
4
“Person” is broadly defined under FCRA as “any individual, partnership, corporation, trust,
estate, cooperative, association, government or governmental subdivision or agency, or other
entity.” 15 U.S.C. § 1681a(b). “Consumer” is defined simply as “an individual.” Id. at § 1681a(c).
There is no question that Defendant is a “person” or that Plaintiffs qualify as “individual[s]” under
FCRA.
5
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 6 of 14 PageID: 2181
Am. Compl. ¶ 80.
In Dolmage v. Combined Insurance Company of America, the Northern
District of Illinois evaluated almost identical allegations 5 against an insurance provider and held
that the defendant was not a consumer reporting agency because: (1) the plaintiff did not allege
“that Defendant collects personal information on consumers for the purpose of furnishing
consumer reports to third parties” and; (2) her other allegations “support[ed] Defendant’s
contention that it is an ‘insurance provider’ that collects personal information on consumers for
the purpose of providing them with insurance coverage.” 2015 WL 292947, at *3 (emphasis in
original). Accordingly, the court held that the plaintiff failed to state a claim upon which relief
may be granted under FCRA. Id. at *3-4. Similarly, here, Plaintiffs have failed to allege that
Defendant assembles consumer information for the purpose of furnishing consumer reports, and
their contentions actually substantiate Defendant’s averment that it is a health insurance company
that collects its consumers’ information for the purpose of providing health insurance coverage
and administering health benefits plans. See Am. Compl. ¶ 11 (“[Defendant] is a health insurance
company with approximately 3.7 million members.”), ¶ 12 (“[Defendant] provides health
insurance products and services to individuals and employers in New Jersey.”).
Thus, as in
Dolmage, the Court finds that Plaintiffs in this matter have failed to sufficiently allege that
Defendant is a consumer reporting agency under FCRA.
5
The plaintiff in Dolmage alleged that “[d]efendant, on a cooperative nonprofit basis and/or for
monetary fees, ‘regularly assembles consumer information including, among other things,
insurance policy information, such as names, dates of birth, and Social Security numbers of those
insured; claims information, such as the date of loss, type of loss, and amount paid for claims
submitted by an insured; and a description of insured items.’ Plaintiff further allege[d] that
[d]efendant ‘regularly utilizes interstate commerce to furnish such information[] on consumers
(consumer reports) to third parties, including the Medical Information Bureau.’” 2015 WL
292947, at *3 (citations omitted).
6
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 7 of 14 PageID: 2182
In addition, Plaintiffs have failed to sufficiently allege that Defendant actually furnishes
consumer reports to third parties. While Plaintiffs make the conclusory allegation that Defendant
“furnish[es] . . . consumer reports[] to third parties,” (Am. Compl. ¶ 80) they have not identified
any such reports or alleged sufficient facts to allow the Court to infer that Defendant transmits
consumer reports. See Iqbal, 556 U.S. at 678 (“Threadbare recitals of the elements of a cause of
action, supported by mere conclusory statements, do not suffice” to survive Rule 12(b)(6)
dismissal). A consumer report is defined as any communication of information by a consumer
reporting agency “which is used or expected to be used . . . for the purpose of serving as a factor
in establishing the consumer’s eligibility for” credit, insurance, or employment purposes. 15
U.S.C. § 1681a(d)(1). That is, to qualify as a consumer report, the transmitted information must
be used or expected to be used by a third party to make credit, insurance, or employment
determinations. Adams v. LexisNexis Risk & Info. Analytics Grp., Inc., No. 08-4708, 2010 WL
1931135, at *7 (D.N.J. May 12, 2012) (when determining whether information qualifies as a
consumer report, courts evaluate “both the ‘purpose’ for which the information contained in the
report was ‘used or expected to be used or collected,’ as well as how a third party actually used
the information”) (collecting cases) (emphasis added). Here, Plaintiffs assert that Defendant
collected information, which was intended and expected to be used by Defendant to make internal
insurance determinations about its customers. Am. Compl. ¶ 16. Plaintiffs do not contend that
Defendant shared any information with third parties to help those third parties make credit,
insurance, or employment determinations, but rather that Defendant assembled and shared
information to inform its own insurance determinations. See Am. Compl. ¶¶ 15–19, 80–81; see
also Tr. 30:3–7 (when Defendant was asked “[w]ho makes . . . eligibility determinations here,”
7
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 8 of 14 PageID: 2183
Defendant responded, “Horizon solely”). These actions do not render Defendant a consumer
reporting agency. See 15 U.S.C. § 1681a(d), (f); Adams, 2010 WL 1931135, at *7.
In their supplemental briefing, Plaintiffs argue that Defendant, when answering a complaint
in another data breach matter, “admitted to transmitting certain of its insureds’ [personal
information] to other insurance companies for insurance purposes.” ECF No. 75 at 12 (citing ECF
No. 75-6 at 28–30; see also Tr. 22:25-26:22. The answer cited in support of Plaintiffs’ allegation
indicates that Defendant participates in a “BlueCard Program,” which “enables their members
traveling away from home or living in another Blue Cross and Blue Shield (BCBS) Plan area to
receive health care services through a claims processing network of BlueCard-participating,
independent Blue Plans.” ECF No. 75-6 at 28–30; see also Tr. 26:8–27:17 (Defendant explains
that, “when you’re a Horizon customer and you travel to some other place, another ‘Blue’ plan
may process your payments for insurance for which you were eligible because Horizon made a
determination that you were eligible for insurance. Another ‘Blue’ plan just acts as a
processor . . .”). Plaintiffs argue that Defendant’s representation “firmly demonstrate[s] that
[Defendant] collected consumer information with the intent of providing consumer reports to third
parties.” ECF No. 75 at 12. First, the Court notes that it need not consider this assertion because
Plaintiffs “raised the issue for the first time in their brief in opposition to [Defendant’s] motion [to
dismiss.]” Aldinger v. Spectrum Control, Inc., 207 F. App’x 177, 181 n.1 (3d Cir. 2006); see
D’Amelio v. Indep. Healthcom Strategies Grp., Inc., No. 16-3055, 2016 WL 6909102, at *2
(D.N.J. Nov. 22, 2016) (“[T]he Court cannot consider . . . allegations where they appear in
Plaintiff’s briefing and not in [the] Complaint.”). Second, even if the Court were to consider it,
this allegation does not indicate that Defendant sent consumer reports to third parties. Rather, the
statements indicate that, after Defendant determines a consumer is eligible for insurance, a third-
8
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 9 of 14 PageID: 2184
party sometimes processes the consumer’s claims through the BlueCard Program. Because
Defendant has already determined that the individual is eligible for insurance, the information that
it sends to a third party for claims processing is not a consumer report because it is not being sent
“. . . for the purpose of serving as a factor in establishing the consumer’s eligibility for . . .
insurance.” 15 U.S.C. § 1681a(d)(1); see Houghton v. NJ Manufacturers Ins. Co., 795 F.2d 1144,
1148 (3d Cir. 1986) (finding that, where defendant was requesting a report for claims processing
purposes, the defendant was not requesting an investigative consumer report under FCRA).
Moreover, Plaintiffs have failed to allege that Defendant receives compensation in
exchange for assembling consumer information, which also precludes the Court from finding that
Defendant is a consumer reporting agency. See 15 U.S.C. § 1681a(f) (defining a consumer
reporting agency as “any person which, for monetary fees, dues, or on a cooperative nonprofit
basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose of furnishing consumer
reports to third parties.”); Kidd v. Thomson Reuters Corp., 925 F.3d 99, 101 (2d Cir. 2019)
(characterizing consumer reporting agencies as entities that “sell consumer reports to lenders,
credit card companies, insurers, and employers for credit, insurance and employment decisions”).
In Tierney v. Advocate Health & Hospitals Corporation, the Seventh Circuit found that the
defendant hospital network was not a consumer reporting agency because, despite collecting and
sharing personal consumer information with third party insurance companies and government
agencies in order to get paid, the defendant was not “receiv[ing] fees in exchange for compiling
and transmitting patient information.” 797 F.3d 449, 452 (7th Cir. 2015). Rather, the defendant
hospital network was receiving compensation “for health care services that its physicians have
rendered.” Id. As in Tierney, here, the allegations in the complaint do not demonstrate that
9
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 10 of 14 PageID: 2185
Defendant receives compensation from third parties in exchange for compiling and transmitting
its members’ information. Instead, Plaintiffs allege that Defendant receives premiums from its
members for its provision of health insurance. Am. Compl. ¶ 128. Plaintiffs have failed to plead
sufficient facts to show that Defendant Horizon receives any monetary compensation for
furnishing consumer information, as required of consumer reporting agencies under FCRA.
Based on the foregoing, the Court finds that Plaintiffs have not sufficiently pleaded that
Defendant, an insurance company, is a consumer reporting agency under FCRA. See Tierney, 797
F.3d at 452; Dolmage, 2015 WL 292947, at *3; Strautins v. Trustwave Holdings, Inc., 27 F. Supp.
3d 871, 882 (N.D. Ill. Mar. 12, 2014) (holding that data security company was not a consumer
reporting agency under FCRA where plaintiff did not allege that company assembled consumer
credit information for purpose of furnishing consumer reports to third parties); Menefee v. City of
Country Club Hills, No. 08-2948, 2008 WL 4696146, at *2–3 (N.D. Ill. Oct. 23, 2008) (finding
that defendant was not a consumer reporting agency, despite collecting credit and criminal
histories of potential employees, because it was not collecting this information for the purpose of
furnishing consumer reports).
Plaintiffs have not cited any authority, from this district or
elsewhere, wherein a court held otherwise and found that an insurance provider qualifies as a
consumer reporting agency under FCRA. See, e.g., Griffin v. Welch, 581 F. App’x 365, 368 (5th
Cir. 2014) (finding that an insurance company and its adjuster “indisputably are not consumer
reporting agencies” under FCRA). 6 Therefore, Plaintiffs have failed to state a claim under FCRA.
6
Plaintiffs’ cited case law is inapposite. See, e.g., Ori v. Fifth Third Bank, 674 F. Supp. 2d 1095,
1097–98 (E.D. Wis. Dec. 14, 2009) (analyzing definition of “reseller” under 15 U.S.C. § 1681a(u),
a different provision than at issue here, to determine that defendant who resold consumer credit
information about mortgage applications was a consumer reporting agency); Adams, 2010 WL
1931135, at *5 (finding that defendant who assisted debt collectors with collecting delinquent
accounts, by selling reports with economic data about the consumer’s home, assets, and property,
10
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 11 of 14 PageID: 2186
2.
Furnishing or Disclosing Information
Even if Defendant was a consumer reporting agency, Plaintiffs would still fail to state a
claim under FCRA because the allegations in the complaint are insufficient to demonstrate any
violation of FCRA. Def. Br. at 16–23. Plaintiffs assert claims under two FCRA provisions: 15
U.S.C. §§ 1681b(g) 7 and 1681e. Am. Compl. ¶¶ 89–91; ECF No. 41 at 23–26. An entity violates
these provisions by either improperly disclosing (§ 1681b(g)) or furnishing (§ 1681e) consumer
information. Defendant argues that it cannot be found to have disclosed or furnished consumer
information because its information was stolen. Def. Br. at 22; ECF No. 60 at 16–23.
First, the Court finds that Plaintiffs have not sufficiently pleaded a violation of § 1681b(g)
because Defendant did not “disclose” information to the thieves. Section § 1681b(g) prohibits any
person that receives medical information for a permissible purpose from “disclos[ing] such
information to any other person, except as necessary to carry out the purpose for which the
information was initially disclosed.” § 1681b(g)(4). Courts interpreting data privacy laws have
held that defendants whose information was stolen did not “disclose” that stolen information. For
example, in In re Anthem, Inc. Data Breach Litigation, the court held that a statute prohibiting
unlawful disclosure of personal information did not apply to theft of that information because
and any liens, judgments, or bankruptcy filings by the consumer, was a consumer reporting
agency); Olwell v. Medical Info. Bureau, No. 01-1481, 2003 WL 79035, at *5 (D. Minn. Jan. 7,
2003) (the defendant insurance company was sued as a furnisher of information, not a consumer
reporting agency, and other defendant conceded that it was a consumer reporting agency as its
business involves collecting information from member insurance companies and providing that
information to other life insurance companies for the purpose of preventing fraud). Furthermore,
in Rowe v. UniCare Life & Health Ins. Co., although the Court found that the plaintiff stated a
FCRA claim against the defendant insurance company, there was no discussion concerning
whether the defendant was a consumer reporting agency. No. 09-2286, 2010 WL 86391, at *2–3
(N.D. Ill. Jan. 5, 2010).
7
Plaintiffs argue that Defendant failed to protect medical information in violation of 15 U.S.C. §§
1681b(g)(4) and 1681b(g)(3)(A).
11
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 12 of 14 PageID: 2187
“disclosure” requires “the information holder [to] commit some affirmative, voluntary act.” 162
F. Supp. 3d 953, 1004 (N.D. Cal. 2016) (finding that insurance company did not disclose data in
violation of state data privacy laws when company was hacked by a third party). Similarly, in
Fero v. Excellus Health Plan, Inc., the court interpreted two state information privacy statutes and
found that theft of personal information did not constitute disclosure under either statute. 236 F.
Supp. 3d 735, 783–84 (W.D.N.Y. Feb. 22, 2017). The courts in both cases found the defendants
not liable because hackings do not qualify as disclosures of information in violation of the relevant
statutes. Id.; In re Anthem, 162 F. Supp. 3d at 1003.
Plaintiffs argue that Defendant’s failure to take protective measures, such as data
encryption, is “tantamount to disclosure.” ECF No. 75 at 18. However, the only case that they cite
in support of this proposition, Tabata v. Charleston Area Med. Ctr., Inc., is inapposite and makes
no such finding. 759 S.E.2d 459, 466 (W.V. 2014). There, the defendant itself posted personal
and medical information on a “website which was accessible to the public,” and thus, for the
purposes of a class certification analysis, the Court described the events giving rise to the claims
as a “disclosure.” Id. at 462–67. By contrast, here, Plaintiffs do not allege that Defendant
voluntarily revealed data on a publicly available forum, rather, they allege that a third party stole
the data. In both Fero and In re Anthem Data Breach Litigation, the plaintiffs similarly alleged
that the defendants failed to take adequate protective measures, but the courts nevertheless found
that such failures alone did not qualify as disclosures because, as here, there were no “affirmative
acts of revealing personal information.” Fero, 236 F. Supp. 3d at 784; see In re Anthem Data
Breach Litig., 162 F. Supp. 3d at 1004–07. Therefore, based on the purpose and language of
§ 1681b(g) and on case law analyzing disclosure in similar statutory schemes, the Court finds that
Defendant did not disclose information in violation of FCRA.
12
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 13 of 14 PageID: 2188
Likewise, the Court concludes that Plaintiffs have not alleged facts showing that Defendant
“furnished” information to the thieves. Under § 1681e, a consumer reporting agency is liable when
it furnishes information to third parties. Courts interpret “furnish” under FCRA to describe the
“active transmission of information to a third-party rather than a failure to safeguard the data.”
Dolmage, 2015 WL 292947, at * 3. Accordingly, courts have concluded that information stolen
from a defendant is not furnished within the meaning of FCRA. Id.; see also In re Equifax, Inc.,
Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1312–13 (N.D. Ga. 2019) (finding that
defendant did not “furnish” plaintiffs’ consumer reports where it was hacked by a third party, even
though plaintiff alleged that defendant’s protective conduct was “egregious”); In re Experian Data
Breach Litig., No. 15-1592, 2016 WL 7973595, at *2 (C.D. Cal. Dec. 29, 2016) (dismissing FCRA
claim because plaintiff could not allege that credit reports were “furnished” where information was
stolen from defendant). Here, Plaintiffs allege that the data at issue was stolen from Defendant,
without any voluntary act of furnishing by Defendant. Therefore, the Court finds that the
Complaint does not properly allege that Defendant furnished Plaintiffs’ information within the
meaning of FCRA. Accordingly, as Plaintiffs have failed to allege a violation of FCRA by
Defendant, Defendant’s motion to dismiss Counts I and II of Plaintiffs’ Amended Complaint will
be granted. 8
B.
Remaining State Law Claims
As to Plaintiffs’ remaining state law claims, the Court declines to exercise supplemental
jurisdiction at this time. Federal courts have subject matter jurisdiction pursuant to either 28
U.S.C. § 1331 (federal question), or 28 U.S.C. § 1332 (diversity of citizenship). Arbaugh v. Y&H
8
As such, the Court need not consider the parties’ remaining arguments as to Counts I and II of
Plaintiffs’ amended complaint. ECF Nos. 70 at 16–23; 75 at 16–19; 78 at 6–8.
13
Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 14 of 14 PageID: 2189
Corp., 546 U.S. 500, 513 (2006). “A plaintiff properly invokes § 1331 jurisdiction when she
pleads a colorable claim ‘arising under’ the Constitution or laws of the United States.” Id. Here,
because Plaintiffs failed to state a cognizable federal claim under FCRA, the Court lacks federal
question jurisdiction.
To invoke § 1332, Plaintiffs must state “a claim between parties of diverse citizenship that
exceeds the required jurisdictional amount, currently $75,000.” Id. According to the allegations,
complete diversity does not exist. 9 The Court declines to exercise supplemental jurisdiction
pursuant to 28 U.S.C. § 1367(c) over any remaining state-law claims arising in the Amended
Complaint. Accordingly, the Court dismisses Plaintiffs’ Amended Complaint in its entirety.
IV.
CONCLUSION
For the reasons set forth above, Defendant’s motion to dismiss (ECF No. 40) is granted
and the Amended Complaint (ECF No. 36) is dismissed. To the extent that Plaintiffs are able to
cure the pleading deficiencies discussed herein, they may file a second amended complaint within
thirty (30) days of the date of this Opinion. An appropriate Order accompanies this Opinion.
DATED: December 21, 2021
s/ Claire C. Cecchi
CLAIRE C. CECCHI, U.S.D.J.
9
Plaintiffs concede that the amended complaint does not allege diversity jurisdiction but request
“permission to replead” diversity jurisdiction. Tr. 64:15–25. The Court grants Plaintiffs’ request
to replead facts to support diversity jurisdiction.
14
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?