Blahous v. Sarrell Regional Dental Center for Public Health, Inc.

CourtDistrict Court, M.D. Alabama
DecidedJuly 16, 2020
Docket2:19-cv-00798
StatusUnknown

This text of Blahous v. Sarrell Regional Dental Center for Public Health, Inc. (Blahous v. Sarrell Regional Dental Center for Public Health, Inc.) is published on Counsel Stack Legal Research, covering District Court, M.D. Alabama primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
Blahous v. Sarrell Regional Dental Center for Public Health, Inc., (M.D. Ala. 2020).

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE MIDDLE DISTRICT OF ALABAMA NORTHERN DIVISION

LINDSEY BLAHOUS, on behalf of ) herself, as guardian for her minor ) children L.B., F.B., and D.I. and on ) behalf of all others ) similarly situated, ) ) Plaintiff, ) ) v. ) Case No. 2:19-cv-798-RAH-SMD ) (WO) SARRELL REGIONAL ) DENTAL CENTER ) FOR PUBLIC HEALTH, INC., ) ) Defendant. )

MEMORANDUM OPINION AND ORDER

I. INTRODUCTION For many, the phrase “data breach” provokes dread and invokes disquiet. Suddenly, a person’s once private information roams untrammeled, and a degree of uncertainty as to its location and possessor now unexpectedly exists. Of course, for as long as individuals and companies have maintained documentary records and stored private information, data has been poached. Then, as even now, cabinets were jimmied, trashcans were rifled through, and manila envelopes were haphazardly left open, furtively glimpsed. Once companies committed to storing files on local machines, enterprise databases, and cloud servers, however, breaching a company’s every bit of data required no more than gaining access to restricted networks. Soon

enough, data breaches became inescapable features of a digitized world. This case grew from one such breach, its extent and depth still murky. Sometime in January 2019, hackers successfully infiltrated the computer network of

Sarrell Regional Dental Center for Public Health, Inc. (“Sarrell” or “Defendant”), installing ransomware that could allow the hackers to demand payment for its deactivation (the “Breach”). Among Sarrell’s thousands of unsuspecting patients were Lindsey Blahous (“Blahous”) and her three minor children, L.B., F.B., and D.I.

(“Minor Plaintiffs”) (collectively, “Plaintiffs”). Months later, after its investigation had purportedly yielded no evidence of copied, downloaded, or removed files, Sarrell notified each of the four Plaintiffs of the Breach in four substantively

identical missives (“Notice” individually, and collectively, “Notices”). Faulting Sarrell for the personal data that the Breach may have exposed, Blahous sued on behalf of herself, her children, and others similarly situated in both tort and contract. Sarrell responded to Plaintiffs’ Complaint, (Doc. 1), with the

Defendant’s Motion to Dismiss for Lack of Standing and Failure to State a Claim (the “Motion”), (Doc. 21), which sought dismissal pursuant to Rule 12 of the Federal Rules of Civil Procedure.1 As explained more fully below, this Court will grant the Motion pursuant to Rule 12(b)(1).

II. FACTUAL AND PROCEDURAL BACKGROUND A. Data Breaches Though variously defined by governments and private organizations, the term “data breach” generally encompasses any security incident in which sensitive, protected or confidential data is copied, transmitted, accessed, viewed, stolen, or used by an individual unauthorized to do so. See, e.g., Ala. Code § 8-38-2(1). In the

usual case, these attacks target data like financial information, personal health information, personally identifiable information (“PII”), trade secrets, and intellectual property.

States like Alabama have enacted statutes that place obligations on businesses and government agencies regarding the protection of sensitive data they acquire or use such as social security numbers, driver’s license numbers, and financial account numbers; defining what constitutes a data breach; providing for what types of notice

of a breach and the timing of the notice that must be provided to the parties whose data has been compromised; and creating certain exemptions. See, e.g., Ala. Code §

1 Any reference in this opinion to “Rule []” or “Rules” is to one or more provisions of the Federal Rules of Civil Procedure. 8-38-1 et seq.; see also Fla. Stat. Ann. §§ 282.318, 282.0041, 501.171; Ga. Code Ann. § 10-1-910 et seq.

B. Relevant Facts2 Sarrell is “the largest provider of dental services in Alabama,” one principally focused on children’s “dental and optical” needs. (Doc. 1 , p. 2.) Founded in 2004, its employees, totaling 250 by October 2019, had “serviced more than 845,000 children.” (Doc. 1, p. 4.)

Preceding the Breach, the Minor Plaintiffs visited Sarrell with their mother.3 (Doc. 1, p. 3; see also Doc. 21, p. 16.) On September 12, 2019, Sarrell mailed notices of the Breach to approximately 391,472 patients and their guardians.4 (Doc. 1, pp.

2-3; Doc. 21, pp.16, 41.) As the Notices explained, “[i]n July 2019, . . . Sarrell [had] detected ransomware on . . . [its] computer that appear[ed] to have been the result of an in intrusion that may have begun in January 2019,” a gap of seven months. (Doc.

1-1, p. 2; Doc. 1-2, p. 2; Doc. 1-3, p. 2; Doc. 1-4, p. 2; see also Doc. 21, p.16.)

2 Pursuant to Rule 12(b), the “facts” recounted here and throughout this opinion are presumed true solely for purposes of the Motion’s adjudication. 3 Tellingly, Plaintiffs tender no detail as to the date, time, or frequency of their visits. 4 The Notices, as appended to the Complaint, omitted the second page. (Doc. 21, p. 16, n.2.) Sarrell included that page as an exhibit to the Motion. (Doc. 21-1.) According to the Notices, the Breach “may” have resulted in the disclosure of the Plaintiffs’ “personal health information.” (Doc. 1-1, p. 2.)5

In response, “out of an abundance of caution” and as a claimed demonstration of the seriousness with which it takes “the security of patient information,” Sarrell “immediately deactivated . . . [its] network, temporarily closed . . . [its] practices,

engaged an independent computer security firm to investigate, and did not pay a ransom.” (Id.) When this investigation concluded, Sarrell’s “investigation ha[d] not found evidence that any files or information were copied, downloaded, or removed from . . . [its] network” or “discovered any evidence that the information

that may be involved in this incident ha[d] been misused.” (Id. (emphasis in original).) The latter point is repeated in the Notices’ penultimate paragraph: “Again, at this time, we have found no evidence that your information had been misused.”

(Doc. 21-1, p. 5.) Sarrell further admitted that “[t]he information potentially impacted may [have] include[d a patient’s] name, address, and health insurance number,” and in one letter, (see Doc. 1-2), social security numbers and health treatment information.

5 For brevity purposes, since all four notices, (Doc. 1-1, p. 2; Doc. 1-2, p. 2; Doc. 1- 3, p. 2; Doc. 1-4, p. 2; see also Doc. 21, p.16), are virtually identical, the Court will simply refer to the first referenced Notice, (Doc. 1-1, p. 2), for the remainder of this Opinion. (Doc. 1-1, p. 2.) Sarrell stated that it could not “rule out the possibility that the hacker [had] obtained sensitive information from . . . [its] network.” (Id.)

The Notices conveyed more than just these details as to the Breach. Opening with an apology for the inconvenience that the Breach and resulting shutdown of its operation “may” have caused, each of these two-page documents contained

“information about steps . . . [its recipients could] take to protect . . . [their] information and the resources . . .

Free access — add to your briefcase to read the full text and ask questions with AI

Related

McElmurray v. CONSOLIDATED GOV'T, AUGUSTA-RICHMOND COUNTY
501 F.3d 1244 (Eleventh Circuit, 2007)
Warth v. Seldin
422 U.S. 490 (Supreme Court, 1975)
FW/PBS, Inc. v. City of Dallas
493 U.S. 215 (Supreme Court, 1990)
Lujan v. Defenders of Wildlife
504 U.S. 555 (Supreme Court, 1992)
Krottner v. Starbucks Corp.
628 F.3d 1139 (Ninth Circuit, 2010)
Larry Bonner v. City of Prichard, Alabama
661 F.2d 1206 (Eleventh Circuit, 1981)
Reilly Ex Rel. Pluemacher v. Ceridian Corp.
664 F.3d 38 (Third Circuit, 2011)
Jean Resnick v. AvMed, Inc.
693 F.3d 1317 (Eleventh Circuit, 2012)
Clapper v. Amnesty International USA
133 S. Ct. 1138 (Supreme Court, 2013)
Key v. DSW, INC.
454 F. Supp. 2d 684 (S.D. Ohio, 2006)
Doe 1 v. AOL LLC
719 F. Supp. 2d 1102 (N.D. California, 2010)
James Laurence Butler, Sr. v. Tim Morgan
562 F. App'x 832 (Eleventh Circuit, 2014)
Hilary Remijas v. Neiman Marcus Group, LLC
794 F.3d 688 (Seventh Circuit, 2015)
Spokeo, Inc. v. Robins
578 U.S. 330 (Supreme Court, 2016)
Melissa Alleruzzo v. SuperValu, Inc.
870 F.3d 763 (Eighth Circuit, 2017)
Strautins v. Trustwave Holdings, Inc.
27 F. Supp. 3d 871 (N.D. Illinois, 2014)
Peters v. St. Joseph Services Corp.
74 F. Supp. 3d 847 (S.D. Texas, 2015)

Cite This Page — Counsel Stack

Bluebook (online)
Blahous v. Sarrell Regional Dental Center for Public Health, Inc., Counsel Stack Legal Research, https://law.counselstack.com/opinion/blahous-v-sarrell-regional-dental-center-for-public-health-inc-almd-2020.