UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK

JOSE APONTE II and LISA ROSENBERG, individually and on behalf of all other persons similarly situated,
Plaintiffs,

v.

NORTHEAST RADIOLOGY, P.C., and ALLIANCE HEALTHCARE SERVICES, INC.,
Defendants.

OPINION AND ORDER
21 CV 5883 (VB)
Briccetti, J.:

Plaintiffs Jose Aponte II and Lisa Rosenberg bring this putative class action against defendants Northeast Radiology, P.C. (“Northeast Radiology”), and Alliance HealthCare Services, Inc., alleging defendants failed to protect plaintiffs’ electronic protected health information (“e-PHI”) from unauthorized disclosure.

Now pending is defendants’ motion pursuant to Rules 12(b)(1) and 12(b)(6) to dismiss the amended complaint for lack of subject matter jurisdiction and for failure to state a claim. (Doc. # 29).

For the following reasons, the Rule 12(b)(1) motion is GRANTED.

BACKGROUND

For the purpose of ruling on the motion, the Court accepts as true all well-pleaded allegations in the amended complaint and draws all reasonable inferences in plaintiffs’ favor, as summarized below.

Plaintiffs allege that, as patients of Northeast Radiology, they provided Northeast Radiology with their names, addresses, dates of birth, gender, and medical history information. Plaintiffs state unauthorized individuals accessed defendants’ computer servers where this information was stored between April 14, 2019, and January 7, 2020.

Plaintiffs allege a user, upon connecting to defendants’ Picture Archiving and Communications Systems (“PACS”), was “presented with a list of all [patient] studies and the number of related images stored on [defendants’] PACS,” comprising “approximately 62 million images associated with 300,000 patients.” (Doc. #28 (“Am. Compl.”) ¶ 58). According to plaintiffs, the file names in this list displayed e-PHI, including patient name, date of birth, patient ID (which plaintiffs allege often corresponds to social security number), date of examination, and study description, among other information, such that one accessing the PACS did not need to open an image file to see a patient’s information. According to plaintiffs, defendants’ PACS failed to include basic security features like encryption or passwords, and the list of file names containing e-PHI could be downloaded and saved.

On January 10, 2020, plaintiffs allege TechCrunch, an online newspaper, published an article detailing these security weaknesses, uncovered through an analysis by independent
cybersecurity researchers.

On March 11, 2020, Northeast Radiology issued a press release announcing unauthorized individuals gained access to defendants’ PACS. According to plaintiffs, the release stated at least twenty-nine patients’ information was accessed during the breach, but defendants were unable to determine if other patients’ information on the system was also compromised.

Plaintiffs allege they face an ongoing imminent risk of identity theft and fraud because, unlike a credit card, there is no way to cancel e-PHI. As a result, plaintiffs contend they will need to continuously monitor their accounts, purchase credit and identity theft monitoring services, and expend additional time and effort to prevent and mitigate potential future losses. Plaintiffs also allege they would not have used defendants’ services had they known defendants did not employ reasonable security measures. Lastly, plaintiffs claim they suffered an injury-in-fact through defendants’ “intrusion upon their seclusion” because defendants’ insufficient security practices made plaintiffs’ data available for unauthorized access.

Plaintiffs bring claims for negligence, negligence per se, breach of contract, breach of implied contract, violation of New York General Business Law Section 349, and “intrusion upon seclusion.”

DISCUSSION

I. Standard of Review

“[F]ederal courts are courts of limited jurisdiction and lack the power to disregard such limits as have been imposed by the Constitution or Congress.” Durant, Nichols, Houston, Hodgson & Cortese-Costa, P.C. v. Dupont, 565 F.3d 56, 62 (2d Cir. 2009).1 “A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks
the statutory or constitutional power to adjudicate it.” Nike, Inc. v. Already, LLC, 663 F.3d 89, 94 (2d Cir. 2011), aff’d, 568 U.S. 85 (2013). A court lacks the power to hear a party’s claims when the party does not have standing. Hillside Metro Assocs., LLC v. JPMorgan Chase Bank, Nat’l Ass’n, 747 F.3d 44, 48 (2d Cir. 2014).

When deciding whether subject matter jurisdiction exists at the pleading stage, the Court “must accept as true all material facts alleged in the complaint.” Conyers v. Rossides, 558 F.3d 137, 143 (2d Cir. 2009). “However, argumentative inferences favorable to the party asserting jurisdiction should not be drawn,” Buday v. N.Y. Yankees P’ship, 486 F. App’x 894, 895 (2d Cir. 2012) (summary order), and the Court “need not credit a complaint’s conclusory statements without reference to its factual content,” Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 146–47 (2d Cir. 2011).

1 Unless otherwise indicated, case quotations omit all internal citations, quotation marks, footnotes, and alterations.

When a defendant moves to dismiss for lack of subject matter jurisdiction and on other grounds, the Court should resolve the Rule 12(b)(1) challenge first. Rhulen Agency, Inc. v. Ala. Ins. Guar. Ass’n, 896 F.2d 674, 678 (2d Cir. 1990).

II. Standing

Defendants argue plaintiffs do not have standing to bring this action.

The Court agrees.

A. Legal Standard

To satisfy the “irreducible constitutional minimum of standing . . . [t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v.
Robins, 578 U.S. 330, 338 (2016). When, as here, “the Rule 12(b)(1) motion is facial, i.e., based solely on the allegations of the complaint . . . the plaintiff has no evidentiary burden.” John v. Whole Foods Mkt. Grp., Inc., 858 F.3d 732, 736 (2d Cir. 2017). “The task of the district court is to determine whether the [complaint] alleges facts that affirmatively and plausibly suggest that the plaintiff has standing to sue.” Id.

An injury-in-fact is “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. at 339. This is “a low threshold which helps to ensure that the plaintiff has a personal stake in the outcome of the controversy.” John v. Whole Foods Mkt. Grp., Inc., 858 F.3d at 736.

To be concrete, an injury “must actually exist.” Spokeo, Inc. v. Robins, 578 U.S. at 340. An intangible harm may be concrete, provided it “has a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2200 (2021).
“That inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury,” although it need not be an exact duplicate. Id. at 2204. Regarding statutory harms, it is not enough to allege that a defendant violated the law; “[o]nly those plaintiffs who have been concretely harmed by a defendant’s statutory violation” will have standing. Id. at 2205. “For an injury to be particularized, it must affect the plaintiff in a personal and individual way.” Spokeo, Inc. v. Robins, 578 U.S. at 339. And for an injury to be considered “actual or imminent,” it must be “certainly impending,” or there must be “substantial risk that the harm will occur.” Susan B. Anthony List
v. Driehaus, 573 U.S. 149, 158 (2014). Plaintiffs seeking injunctive relief to prevent future harm may establish injury-in-fact if they demonstrate “the risk of [future] harm is sufficiently imminent and substantial.” TransUnion LLC v. Ramirez, 141 S. Ct. at 2210. However, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210–11.

In McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021), the Second Circuit articulated a three-factor test for evaluating whether a plaintiff has alleged an injury-in-fact from an increased risk of identity theft or fraud following a data breach: (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud. Id. at 303.

It is unclear whether this analysis is still good law following the Supreme Court’s recent decision in TransUnion. See Bohnak v. Marsh & McLennan Cos., 2022 WL 158537, at *5 (S.D.N.Y. Jan. 17, 2022) (“The TransUnion Court’s rejection of the mere risk of future harm calls into question the continuing validity of McMorris.”); Cooper v. Bonobos, Inc., 2022 WL 170622, at *3 n.1 (S.D.N.Y. Jan. 19, 2022) (applying McMorris because “it is the task of the Second Circuit, not this Court, to determine if McMorris should be overturned”).

B. Application

Plaintiffs do not allege an injury-in-fact sufficient to confer standing.
Plaintiffs argue they suffered an injury-in-fact in four ways: (i) plaintiffs face a substantial and imminent risk of fraud and identity theft; (ii) plaintiffs will be required to spend substantial amounts of time monitoring their accounts for identity theft and fraud; (iii) plaintiffs would not have sought defendants’ services had they known the nature of defendants’ data security practices; and (iv) defendants’ conduct caused unauthorized access by third parties that intruded upon plaintiffs’ seclusion.

1. Future Risk of Fraud and Identity Theft

Here, plaintiffs have not alleged third parties misused or attempted to misuse their data. Moreover, because plaintiffs do not allege they are members of the group of twenty-nine patients whose information was determinedly accessed, “allegations that [their] personal information was even accessed is conjecture.” Allison v. Aetna, Inc., 2010 WL 3719243, at *5 (E.D. Pa. Mar. 9, 2010).

Plaintiffs need not “wait until they suffer identity theft to bring their claims.” See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *9–10 (D.N.J. Dec. 16, 2021) (facts alleged did not support that plaintiffs’ information stored on a compromised system was accessed, stolen, or misused). Nevertheless, plaintiffs’ allegations that an unauthorized user to defendants’ PACS would have viewed plaintiffs’ e-PHI in the list of file names and “it is extremely likely” that such user would have downloaded a copy are too remote to establish that plaintiffs’ risk of future harm from identity theft is substantial or imminent. (Am. Compl. ¶ 61). Claims of conceivable harm without factual support are not sufficient. See Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d at 146.

Moreover, the McMorris factors support a determination of no injury-in-fact: although plaintiffs allege their data stored on defendants’ PACS was highly sensitive, except for the conclusory allegation that the unauthorized users were “hackers” (Am. Compl. ¶¶ 10, 214),
plaintiffs have not alleged facts to support the notion that the breach was a targeted attempt to perpetuate identity theft, and plaintiffs have not alleged their or any class members’ data has been misused. See In re PracticeFirst Data Breach Litig., 2022 WL 354544, at *5 (W.D.N.Y. Feb. 2, 2022) (recommending dismissal for lack of standing because data exfiltration followed by a ransomware attack not the type of targeted cyber-attack to perpetuate identity theft) (report and recommendation); cf. In re GE/CBPS Data Breach Litig., 2021 WL 3406374, at *6 (S.D.N.Y. Aug. 4, 2021) (allegations that data breach resulted from a phishing attack supported a targeted attempt to obtain data).

Accordingly, even under the McMorris factors, plaintiffs’ risk of future harm is too speculative to establish standing.

2. Theft and Fraud Monitoring

Plaintiffs have “failed to show that [they are] at a substantial risk of future identity theft, so the time [they] spent protecting [themselves] against this speculative threat cannot create an injury.” McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d at 304 n.7; see also Clapper v. Amnesty Int’l USA, 568 U.S. 398, 402 (2013) (plaintiffs “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending”).

Therefore, plaintiffs’ efforts and expense to monitor their accounts is not a sufficient injury-in-fact to confer standing.

3. Benefit of the Bargain Injury

Plaintiffs’ claim that they would not have used defendants’ services had defendants disclosed their insufficient security practices also does not allege an injury-in-fact.

As discussed above, plaintiffs do not allege any misuse or attempted misuse of their data resulting from the breach. Even if plaintiffs “lost some measure of privacy and that privacy was part of the bargain for medical services, [they] ha[ven’t] alleged any concrete harm from the alleged data breach.”
C.C. v. Med-Data Inc., 2022 WL 970862, at *9 (D. Kan. Mar. 31, 2022). “If plaintiff[s] bargained for data security, and no third party has misused [their] data, then plaintiff[s] ha[ve] received exactly what [they] paid for.” Id.; In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *11; see also Rudolph v. Hudson’s Bay Co., 2019 WL 2023713, at *8 (S.D.N.Y. May 7, 2019) (“[C]ourts have consistently rejected as too tenuous to support an injury-in-fact [claim] that a defendant’s failure to comply with the law, or to prevent an actual data breach, diminished the benefit-of-the-bargain.”).

4. Intrusion Upon Seclusion

Plaintiffs’ claim that they suffered an injury-in-fact through defendants’ intrusion upon their seclusion is also insufficient to confer standing.

A defendant “who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for intrusion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement (Second) of Torts § 652B. Importantly, the intrusion “does not depend upon any publicity given” to the invaded interest, “[i]t consists solely of an intentional interference with his interest in solitude or seclusion.” Id. cmt. a. Intrusion upon seclusion is one of the “traditionally recognized harms” that may comprise an injury-in-fact. TransUnion LLC v. Ramirez, 141 S. Ct. at 2204.

However, according to plaintiffs, it is not defendants who improperly accessed plaintiffs’ data, but instead other, unauthorized third parties. See Mount v. PulsePoint, Inc., 684 F. App’x 32, 34 (2d Cir. 2017) (defendant’s unauthorized access and monitoring of plaintiffs’ web-browsing activity comprised
injury-in-fact); Nelson v. Nielsen Co., 2014 WL 2853847, at *5 (Conn. Super. Ct. May 15, 2014) (plaintiff failed to allege defendants intruded upon her seclusion by disclosing her medical results when defendants were entitled to collect and access medical results); Caro v. Weintraub, 618 F.3d 94, 101 (2d Cir. 2010) (defendant’s secret recording of a phone call comprised the intrusion).

Therefore, plaintiffs have not “identified a close historical or common-law analogue” to the alleged injuries they suffered from defendants’ actions. TransUnion LLC v. Ramirez, 141 S. Ct. at 2204.

5. Statutory Violations

Finally, because plaintiffs have failed to allege a concrete injury-in-fact arising from the breach, allegations that defendants’ actions violated the Health Insurance Portability and Accountability Act of 1996, the Federal Trade Commission Act, and New York and Connecticut state law do not confer standing. “An injury in law is not an injury in fact” for purposes of Article III standing. TransUnion LLC v. Ramirez, 141 S. Ct. at 2205. Similarly, plaintiffs’ prayer for statutory damages in connection with their breach of contract claims cannot confer standing when plaintiffs have not demonstrated concrete harm from the alleged breach.

Accordingly, because plaintiffs do not allege that they have suffered, or will imminently suffer, an injury-in-fact, plaintiffs have not established that they have standing. The Court thus lacks subject matter jurisdiction in this case, and the case must be dismissed under Rule 12(b)(1).2

CONCLUSION

The motion to dismiss is GRANTED.

The Clerk is instructed to terminate the motion (Doc. # 29) and close this case.

Dated: May 16, 2022
White Plains, NY

SO ORDERED:

Vincent L. Briccetti
United States District Judge

2 Because the Court lacks subject matter jurisdiction, it does not reach the motion to dismiss for failure to state a claim. Fed. R. Civ. P. 12(b)(6).