IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND * BARBARA REYNOLDS BURGER, individually and on behalf of all others * similarly situated, * Plaintiff, * v. Civil Action No. RDB-23-1215 * HEALTHCARE MANAGEMENT SOLUTIONS, LLC, AND * ASRC FEDERAL DATA SOLUTIONS, LLC, *
Defendants. * * * * * * * * * * * * * * MEMORANDUM OPINION This case involves a proposed putative class action seeking damages and injunctive relief for a data breach involving the Centers for Medicare and Medicaid Services (“CMS”), a federal agency within the U.S. Department of Health and Human Services (“DHHS”). Defendant ASRC Federal Data Solutions, LLC, is a contractor for CMS and provides services to CMS and other federal health agencies involving the security and exchange of health data and systems. Defendant Healthcare Management Solutions, LLC (“HMS”), is a subcontractor to ASRC and handles CMS data as part of processing Medicare eligibility and entitlement records and premium payments. In this role, HMS maintains files containing the personally identifiable information (“PII”) and personal health information (“PHI”) of Medicare beneficiaries. On October 8, 2022, HMS experienced a data breach in the form of a ransomware attack and notified CMS of the data breach the next day. On October 18, 2022, CMS determined the incident potentially included PII and PHI for Medicare enrollees, and it later announced that the breach had the potential to impact up to 254,000 Medicare beneficiaries.
Plaintiff Barbara Reynolds Burger is a Medicare beneficiary who alleges that she suffered injury as a result of the data breach. She brings this suit individually and on behalf of a proposed putative class of all others similarly situated against Defendants ASRC and HMS. (ECF No. 1.) In her five-count complaint, Burger initially sought damages and injunctive relief for negligence (Count I), negligence per se (Count II), breach of implied contract (Count III), breach of fiduciary duty (Count IV), and declaratory judgment (erroneously listed in the
Complaint as Count VII, the Court will treat this claim as Count V because it is the fifth count included in the Complaint). Essentially, Burger alleges that ASRC and HMS failed to implement and follow basic security procedures, which resulted in the disclosure of her and class members’ PII and PHI to cybercriminals. She now has conceded that her breach of implied contract claim (Count III) and her breach of fiduciary duty claim (Count IV) should be DISMISSED.1 Furthermore, she concedes that there is no independent cause of action for
negligence per se under Maryland law.2 Therefore, her negligence per se claim (Count II) shall be DISMISSED.3
1 “Plaintiffs concede that the breach of implied contract and breach of fiduciary duty claims can be dismissed.” (ECF No. 29 at 2 n.1.) Counts III and IV are therefore not within the ambit of this decision. 2 “. . . Maryland does not recognize an independent cause of action for negligence per se . . . .” (ECF No. 29 at 29.) 3 Burger requests that “[i]n the event the Court is inclined to grant Defendants’ motions to dismiss Count II as a standalone cause of action, Plaintiff respectfully requests leave to amend her negligence cause of action (Count I) to include the per se liability allegations in Count II.” (ECF No. 29 at 32 n.9.) As Burger has already conceded that there is not a separate cause of action for Accordingly, presently pending are the motions of Defendant HMS (ECF No. 20) and Defendant ASRC (ECF No. 21) to dismiss Count I (negligence) and Count V (declaratory judgment). HMS argues that Burger lacks standing to sue and that she fails to state a claim for
each of her asserted causes of action. ASRC similarly argues that Burger fails to state a claim. For the reasons that follow, Defendants’ motions to dismiss (ECF Nos. 20, 21) are GRANTED, and this case is DISMISSED. In sum, Burger fails to allege a concrete injury that is actual or imminent, and even if she did, she cannot plausibly trace it to either defendant. Moreover, even if Burger had standing to sue, she cannot state a claim for negligence or declaratory judgment.
BACKGROUND In ruling on a motion to dismiss, this Court “accept[s] as true all well-pleaded facts in a complaint and construe[s] them in the light most favorable to the plaintiff.” Wikimedia Found. v. Nat’l Sec. Agency, 857 F.3d 193, 208 (4th Cir. 2017) (citing SD3, LLC v. Black & Decker (U.S.) Inc., 801 F.3d 412, 422 (4th Cir. 2015)). Except where otherwise indicated, the following facts are derived from Plaintiffs’ Complaint, and accepted as true for the purpose of Defendant’s
Motion to Dismiss. This proposed class action arises out of a data breach involving the Centers for Medicare and Medicaid Services (“CMS”), a federal agency within the U.S. Department of Health and Human Services (“DHHS”). (ECF No. 1 ¶ 2.) Defendant ASRC Federal Data Solutions, LLC, is a contractor for CMS and provides services to CMS and other federal health
negligence per se, this Court shall consider her arguments as to Count II in its consideration of Count I (negligence). agencies involving the security and exchange of health data and systems. (Id.) Defendant Healthcare Management Solutions, LLC (“HMS”), is a subcontractor to ASRC and handles CMS data as part of processing Medicare eligibility and entitlement records and premium
payments. (Id. ¶ 3.) In this role, HMS maintains files containing the personally identifiable information (“PII”) and personal health information (“PHI”) of Medicare beneficiaries. (Id.) PII generally includes information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information. (Id. at 1 n.1 (citing 2 C.F.R. § 200.79).) PHI generally comprises individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or
paper) by a covered entity or its business associates, excluding certain educational and employment records. (ECF No. 1 at 1–2 n.2 (citing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104–191, 110 Stat. 1936 (codified as amended in scattered sections of 42 U.S.C.)).) PII, PHI, and healthcare data are very valuable on the black market and can be used to commit identity theft and “exhaust financial accounts, received medical treatment, start new utility accounts, and incur charges and credit in a
person’s name.” (ECF No. 1 ¶ 46.) As a result, “there has been a year-over-year trend of increased cyberattacks against healthcare-related entities.” (Id. ¶ 61.) In fact, CMS previously experienced a data breach incident before October 8, 2022. (Id. ¶ 64.) On October 8, 2022, HMS experienced a data breach in the form of a ransomware attack (the “Data Breach”). (Id. ¶ 20.) On October 9, 2022, CMS was notified that HMS’ systems had been subject to a cybersecurity incident. (Id.) On October 18, 2022, CMS
determined the incident potentially included PII and PHI for Medicare enrollees. (Id.) Two months later, on December 14, 2022, CMS published a press release on its website that the Data Breach had the potential to impact up to 254,000 Medicare beneficiaries. (Id.) On December 1, 2022, CMS determined that the Data Breach constituted a “major incident,” as
defined in the Federal Information Security Modernization Act of 2014 (“FISMA”), 44 U.S.C. § 3541, et seq., triggering a legal obligation to inform Congress of the incident. (Id. ¶ 22.) On December 16, 2022, CMS mailed postal letters to Medicare enrollees who were affected, stating that the information compromised in the Data Breach included names, addresses, dates of birth, phone numbers, social security numbers, Medicare beneficiary identifiers, banking information (including routing and account numbers), and Medicare
entitlement, enrollment, and premium information. (Id. ¶ 25.) The letter indicated that recipients would be issued new Medicare cards and recommended that recipients contact their banking institutions to “let them know your banking information may have been compromised.” (Id. ¶ 26–27.) CMS provided instructions on how to enroll in a free Equifax Complete Premier credit monitoring service, the deadline for which was March 31, 2023. (Id. ¶ 28.) CMS apologized for the Data Breach and stated that “HMS acted in violation of its
obligations to CMS.” (Id. ¶ 29.) Plaintiff Barbara Reynolds Burger is a Medicare beneficiary who alleges she was impacted by the Data Breach. (Id. ¶¶ 7–8.) Since the breach, Burger and her husband have received new Medicare cards. (Id. ¶ 8.) Since January 23, 2023, more than a dozen unauthorized purchases have been made with Burger’s credit card, which she alleges “is tied to the bank account that HMS/ASRC Federal would have used to process [her] Medicare payments.” (Id.)
Burger and her husband have also received phishing e-mail scams claiming to be from that same bank account, and Burger has received an increased number of spam calls to her phone number. (Id. ¶ 9–10.) On May 5, 2023, Burger filed the initial five-count Complaint in this case on behalf of
a class of similarly situated members against Defendants ASRC and HMS. (ECF No. 1.) Plaintiff’s proposed class under Federal Rule of Civil Procedure 23(b)(2) and (23)(b)(3) comprises “all persons who had their PII or PHI accessed in the October 8, 2022 Centers for Medicare and Medicaid Services Data Breach.” (Id. ¶ 91.) The five causes of action included negligence (Count I), negligence per se (Count II), breach of implied contract (Count III), breach of fiduciary duty (Count IV), and declaratory judgment (Count V).4
The Complaint alleges that “Plaintiff and Class Members are presently experiencing substantial risk of out-of-pocket fraud losses, such as loans opened in their names, tax return fraud, utility bills opened in their names, and similar identity theft.” (Id. ¶ 83.) The Complaint further alleges that “Plaintiff and Class Members are also incurring and may continue incurring out-of-pocket costs for protective measures such as credit monitoring fees (for any credit monitoring obtained in addition to or in lieu of the inadequate monitoring offered by CMS),
credit report fees, credit freeze fees, and similar costs directly or indirectly related to the Data Breach.” (Id. ¶ 85.) Moreover, “[m]any victims suffered ascertainable losses in the form of out- of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach . . . .” (Id. ¶ 87.)
4 Although styled as “Count VII” in the Complaint (see ECF No. 1 at 34), it is the fifth count listed and will therefore be referred to as “Count V.” HMS (ECF No. 20) and ASRC (ECF No. 21) have both filed motions to dismiss. HMS argues that Burger lacks standing to pursue her claims because she has failed to allege an injury and she has failed to allege her purported injury is fairly traceable to HMS. HMS also argues
that Burger fails to state a claim. ASRC does not challenge Burger’s standing, but it similarly argues that she fails to state a claim. Burger filed a joint response to both motions. (ECF No. 29.) In her Response, Burger “concede[s] that the breach of implied contract and breach of fiduciary duty claims can be dismissed.” (ECF No. 29 at 2 n.1.) She further concedes that “Maryland does not recognize an independent cause of action for negligence per se . . . .” (Id. at 29.) Accordingly, the two counts properly before the Court are negligence (Count I) and
declaratory judgment (Count V). The Court will consider Burger’s arguments as to negligence per se in its analysis of her claim for negligence. (See ECF No. 29 at 32 n.9.) The matter is now ripe for review. STANDARD OF REVIEW Defendants move to dismiss the present Complaint pursuant to Rule 12(b)(1) and Rule 12(b)(6) of the Federal Rules of Civil Procedure. A motion to dismiss under Rule 12(b)(1) of
the Federal Rules of Civil Procedure for lack of subject matter jurisdiction challenges a court’s authority to hear the matter brought by a complaint. See Davis v. Thompson, 367 F. Supp. 2d 792, 799 (D. Md. 2005). This challenge under Rule 12(b)(1) may proceed either as a facial challenge, asserting that the allegations in the complaint are insufficient to establish subject matter jurisdiction, or a factual challenge, asserting “that the jurisdictional allegations of the complaint [are] not true.” Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009) (citation
omitted). With respect to a facial challenge, a court will grant a motion to dismiss for lack of subject matter jurisdiction “where a claim fails to allege facts upon which the court may base jurisdiction.” Davis, 367 F. Supp. 2d at 799. Where the challenge is factual, “the district court is entitled to decide disputed issues of fact with respect to subject matter jurisdiction.” Kerns,
585 F.3d at 192. “[T]he court may look beyond the pleadings and ‘the jurisdictional allegations of the complaint and view whatever evidence has been submitted on the issue to determine whether in fact subject matter jurisdiction exists.’” Khoury v. Meserve, 268 F. Supp. 2d 600, 606 (D. Md. 2003) (quoting Capitol Leasing Co. v. Fed. Deposit Ins. Corp., 999 F.2d 188, 191 (7th Cir. 1993)). The court “may regard the pleadings as mere evidence on the issue and may consider evidence outside the pleadings without converting the proceeding to one for summary
judgment.” Velasco v. Gov’t of Indon., 370 F.3d 392, 398 (4th Cir. 2004); see also Sharafeldin v. Md. Dep’t of Pub. Safety & Corr. Servs., 94 F. Supp. 2d 680, 684–85 (D. Md. 2000). A plaintiff carries the burden of establishing subject matter jurisdiction. Lovern v. Edwards, 190 F.3d 648, 654 (4th Cir. 1999). Rule 12(b)(6) of the Federal Rules of Civil Procedure authorizes the dismissal of a complaint if it fails to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6).
The purpose of Rule 12(b)(6) is “to test the sufficiency of a complaint and not to resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses.” Presley v. City of Charlottesville, 464 F.3d 480, 483 (4th Cir. 2006) (quoting Edwards v. City of Goldsboro, 178 F.3d 231, 243 (4th Cir. 1999)) (internal quotation marks omitted). To survive a motion under Fed. R. Civ. P. 12(b)(6), a complaint must contain facts sufficient to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl.,
Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Under the plausibility standard, a complaint must contain “more than labels and conclusions” or a “formulaic recitation of the elements of a cause of action.” Twombly, 550 U.S. at 555; see Painter’s Mill Grille, LLC v. Brown, 716 F.3d 342, 350 (4th Cir. 2013). A complaint need not include “detailed factual allegations.” Twombly, 550
U.S. at 555. A complaint must, however, set forth “enough factual matter (taken as true) to suggest” a cognizable cause of action, “even if . . . [the] actual proof of those facts is improbable, and that a recovery is very remote and unlikely.” Id. at 556 (internal quotation marks omitted). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678; see A Soc’y Without a Name v. Virginia, 655 F.3d 342, 346 (4th. Cir. 2011).
ANALYSIS I. Standing In moving to dismiss the present Complaint pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, Defendant HMS argues that Burger has failed to allege a sufficient injury in fact to satisfy Article III of the Constitution. Article III, Section 2 places certain restraints on the federal courts, including limiting the courts to the resolution of actual cases
and controversies. U.S. Const. art. III, § 2. As the United States Court of Appeals for the Fourth Circuit has explained, “[a]mong ‘the several doctrines that have grown up to elaborate that requirement,’ the one ‘that requires a litigant to have “standing” to invoke the power of a federal court is perhaps the most important.’” Friends for Ferrell Parkway, LLC v. Stasko, 282 F.3d 315, 319 (4th Cir. 2002) (quoting Allen v. Wright, 486 U.S. 737, 750 (1984)); accord Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 153 (4th Cir. 2000) (en banc). “[T]o establish standing, a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC
v. Ramirez, 594 U.S. 413, 423 (2021) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560– 61 (1992)). The plaintiff bears the burden of establishing standing, as she “is the party seeking to invoke federal jurisdiction.” Friends for Ferrell Parkway, 282 F.3d at 320 (citing Lujan, 504 U.S. at 561). “As in this case, when the actions of a third party are involved, ‘[t]he “case or controversy” limitation of Art. III still requires that a federal court act only to redress injury that fairly can be traced to the challenged action of the defendant, and not injury that results
from the independent action of some third party not before the court.’” Springmeyer v. Marriott Int’l, Inc., No. 20-CV-867-PWG, 2021 WL 809894, at *2 (D. Md. Mar. 3, 2021) (alteration in original) (quoting Doe v. Obama, 631 F.3d 157, 161 (4th Cir. 2011)). Where the plaintiff is attempting to bring a putative class action, any named plaintiffs must allege that they personally have been injured. Warth v. Seldin, 422 U.S. 490, 502 (1975). The named plaintiff may not rely on injuries suffered by unknown class members to confer standing. Id.; see also O’Shea v.
Littleton, 414 U.S. 488, 494 (1974) (“[I]f none of the named plaintiffs purporting to represent a class establishes the requisite case or controversy with the defendants, none may seek relief on behalf of himself or any member of the class.”). At issue in the present case is the first criterion—whether Burger has suffered an “injury in fact” that is concrete, particularized, and actual or imminent—and the second criterion—whether that injury is fairly traceable to Defendants ASRC and HMS. Gaston Copper
Recycling Corp., 204 F.3d at 154 (citing Lujan, 504 U.S. at 560–61). When the plaintiff alleges an injury based on future harm, “the threatened injury must be certainly impending to constitute injury in fact.” Clapper v. Amnesty International USA, 568 U.S. 398, 409 (2013) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). Mere “[a]llegations of possible future injury are not
sufficient.” Id. Clapper, 568 U.S. at 409 (alteration in original) (quoting Whitmore, 495 U.S. at 158). In other words, there must be a “‘substantial risk’ that the harm will occur.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Clapper, 568 U.S. at 414 n.5). The requirement that the harm be certainly impending “ensure[s] that the alleged injury is not too speculative for Article III purposes.” Lujan, 504 U.S. at 564 n.2. Where the alleged injury requires a lengthy chain of assumptions, including “guesswork as to how independent
decisionmakers will exercise their judgment,” the injury is too speculative to be “certainly impending.” Clapper, 568 U.S. at 413. See also Roy v. Ward Mfg. LLC, Civ. A. No. RDB-13-3878, 2014 WL 4215614, at *3 (D. Md. Aug. 22, 2014) (noting that standing is absent where the plaintiffs must rely on “an extensive chain of unlikely events before establishing any potential injury.”). The United States Court of Appeals for the Fourth Circuit “has held that an alleged
injury in an identity theft case is constitutionally sufficient under two recognized circumstances: (1) through actual injury of identity theft; or (2) a threatened injury based on substantial risk of future identity theft that is sufficiently imminent.” In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., No. 19-MD-2879, 2020 WL 6290670, at *4 (D. Md. Oct. 27, 2020) (citing Hutton v. Nat’l Bd. of Exam’rs in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018)); see also Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017). As Judge Chuang of this Court has
noted, courts that have found standing to sue in data breach cases generally have “all included allegations indicating that some of the stolen data had already been misused, that there was a clear intent to use the plaintiffs’ personal data for fraudulent purposes, or both.” Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 531 (D. Md. 2016).
In this case, most of Burger’s alleged injuries are generic to the proposed putative class, including “imminent and substantial risk of future identity theft,” “payment of out-of-pocket mitigation expenses,” and “loss of value of her personal information.” (ECF No. 29 at 6.) The injuries that Burger personally alleges are unauthorized charges on her credit card and an increase in spam emails and calls. (ECF No. 1 ¶¶ 8–10.) But even taking Burger’s allegations as true, unauthorized charges on her credit card cannot be fairly traced to either of the
defendants. Burger does not allege that her credit card information itself was disclosed; she alleges only that her bank account information was disclosed. In addition to lacking plausible traceability for this alleged harm, Burger also has not alleged that she had to pay for any of the unauthorized charges, thereby undercutting any possible injury to her. As the Fourth Circuit has noted, “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.” Hutton, 892 F.3d at 621. And the
generic allegation of increased spam calls and emails, if an injury at all, fails “to plausibly show that their alleged injuries were the result of Defendant’s conduct.” Springmeyer, 2021 WL 809894, at *2. This is especially true given that Burger has not alleged that her email address was compromised as part of the Data Breach. Altogether, Burger’s alleged personal injuries “confuse[] correlation with causation.” Alvarez v. Becerra, No. 21-2317, 2023 WL 2908819, at *3 (4th Cir. Apr. 12, 2023). Burger’s other alleged injuries fare no better. Although the Complaint alleges out-of- pocket mitigation expenses, the alleged facts do not demonstrate that “a substantial risk of harm actually exists.” Hutton, 892 F.3d at 622. “[D]istrict courts have generally found that the
increased risk of identity theft does not confer standing.” Khan, 188 F. Supp. 3d at 531; see also Stamat v. Grandizio Wilkins Little & Matthews, LLP, No. CV SAG-22-00747, 2022 WL 3919685, at *6 (D. Md. Aug. 31, 2022). As Judge Gallagher of this Court has noted, “because even the actual data breach fails to establish injury-in-fact, any continued risk of another data breach is equally unsatisfactory for Article III standing purposes.” Id. And Judge Gallagher rightly notes that where, as here, there is a lack of imminent harm, costs incurred to guard against identity
theft “constitute self-imposed mitigation measures to protect against a non-imminent harm.” Id. at *7 (citing Beck, 848 F.3d at 276–77); see also Khan, 188 F. Supp. 3d at 533 (“[I]ncurring costs as a reaction to a risk of harm does not establish standing if the harm sought to be avoided is not itself ‘certainly impending.’”). Neither are allegations of loss of privacy or diminished value of personal information sufficient here. See Stamat, 2022 WL 3919685, at *7 (“The fact that someone else can profit from having access to his information does not
necessarily lower the value of that information to Mr. Stamat.”); Khan, 188 F. Supp. 3d at 533 (finding that loss of privacy does not constitute an injury in fact when the plaintiff fails to identify “any potential damages arising from such a loss”). Finally, courts have consistently rejected Burger’s overpayment theory, which is particularly appropriate here given the lack of any alleged facts plausibly supporting a conclusion that Burger paid anything to the defendants. See id.; Podroykin v. Am. Armed Forces Mut. Aid Ass’n, 634 F. Supp. 3d 265, 272 (E.D. Va. 2022) (“[T]he Fourth Circuit has never held that an overpayment or benefit-of-the-bargain theory in a data breach context is sufficient to confer standing.”). Ultimately, Burger has “failed to allege any concrete harm—imminent or actual—to
establish injury-in-fact for Article III standing.” Stamat, 2022 WL 3919685, at *7. And even if there were a concrete injury to Burger, it is not fairly traceable to either defendant. See Beck, 848 F.3d at 275 (“Indeed, for the Plaintiffs to suffer the harm of identity theft that they fear, we must engage with the same ‘attenuated chain of possibilities’ rejected by the Court in Clapper.” (quoting 568 U.S. at 410)). It is simply mere conjecture to ascribe unauthorized charges on Burger’s credit card and an increase in spam emails and calls to either defendant in
this case. Burger has not alleged facts sufficient to establish Article III standing to sue. Accordingly, this case must be DISMISSED WITHOUT PREJUDICE.5 As the Fourth Circuit has held, “[a] dismissal for lack of standing — or any other defect in subject matter jurisdiction — must be one without prejudice, because a court that lacks jurisdiction has no power to adjudicate and dispose of a claim on the merits.” Goldman v. Brink, 41 F.4th 366, 369 (4th Cir. 2022) (alteration in original) (citing S. Walk at Broadlands Homeowner’s Ass’n, Inc. v.
OpenBand at Broadlands, LLC, 713 F.3d 175, 185 (4th Cir. 2013)). “[D]ismissals for lack of jurisdiction should be without prejudice because the court, having determined that it lacks jurisdiction over the action, is incapable of reaching a disposition on the merits of the underlying claims.” S. Walk, 713 F.3d at 185 (quoting Brereton v. Bountiful City Corp., 434 F.3d 1213, 1218
5 Because Burger concedes that her breach of implied contract and breach of fiduciary duty claims can be dismissed, they are therefore withdrawn and not within the ambit of this decision, which dismisses this case without prejudice. (10th Cir. 2006)). Even if Burger had standing to sue, however, she fails to state a claim for negligence or declaratory judgment. II. Negligence (Count I) and Negligence Per Se (Count II)6
To establish negligence under Maryland law,7 a plaintiff must prove the following four elements: “(1) that the defendant was under a duty to protect the plaintiff from injury, (2) that the defendant breached that duty, (3) that the plaintiff suffered actual injury or loss, and (4) that the loss or injury proximately resulted from the defendant’s breach of the duty.” Lloyd v. Gen. Motors Corp., 916 A.2d 257, 270–71 (Md. 2007) (citations omitted). “In determining whether a tort duty should be recognized in a particular context, two major considerations are:
the nature of the harm likely to result from a failure to exercise due care, and the relationship that exists between the parties.” Currie v. Wells Fargo Bank, N.A., 950 F. Supp. 2d 788, 803 (D. Md. 2013) (quoting Jacques v. First Nat. Bank of Md., 515 A.2d 756, 759 (Md. 1986)). Generally, Maryland does not permit recovery in tort for purely economic losses. Balfour Beatty Infrastructure, Inc. v. Rummel Klepper & Kahl, LLP, 155 A.3d 445, 451–52 (2017). This principle, known as the economic loss doctrine, represents a judicial refusal to extend
tort liability to claims that more properly sound in contract. Cash & Carry Am., Inc. v. Roof Solutions, Inc., 117 A.3d 52, 60 (Md. Ct. Spec. App. 2015). The economic loss doctrine prevents “finding a tort duty absent privity or its equivalent—i.e., an ‘intimate nexus.’” Balfour Beatty,
6 As noted in Footnote 3 of this Opinion, there is no separate cause of action for negligence per se, but this Court will address Burger’s arguments as to negligence per se under its analysis of her negligence claim. 7 As the asserted basis of this Court’s jurisdiction lies in diversity of citizenship under 28 U.S.C. § 1332(d), Maryland law applies. Hartford Fire Ins. Co. v. Harleysville Mut. Ins. Co., 736 F.3d 255, 261 n.3 (4th Cir. 2013) (citing Erie R. Co. v. Tompkins, 304 U.S. 64 (1938)). 155 A.3d at 453 (citations omitted). “An ‘intimate nexus between the parties’ is the equivalent of privity, because it ensures that the plaintiff and defendant were sufficiently close to justify finding a tort duty running from the defendant to the plaintiff.” In re Marriott Int’l, Inc., Customer
Data Sec. Breach Litig., No. 19-MD-2879, 2020 WL 6290670, at *6 (D. Md. Oct. 27, 2020) (quoting Chicago Title Ins. v. Allfirst Bank, 905 A.2d 366, 379 (Md. 2006)). “[T]he reason for the privity requirement is to ‘limit the defendant’s risk exposure to an actually foreseeable extent,’ allowing a defendant to control the risk to which he or she is exposed.” Marriott, 2020 WL 6290670, at *6 (quoting Chicago Title, 905 A.2d at 380). Burger does not contend that there is privity between herself and either ASRC or HMS,
and she has conceded that her breach of implied contract claim can be dismissed. (ECF No. 29 at 2.) Instead, she focuses on an intimate nexus theory based on “Defendants’ storage and control over Plaintiff’s Private Information.” (ECF No. 29 at 22.) Burger argues that “Defendants knew that Medicare beneficiaries—including Plaintiff and Class members— relied on them to protect their Private Information.” (Id. at 35.) Citing Marriott, Burger claims that this provides the necessary “linking conduct—‘enough to show the defendant knew or
should have known of the plaintiff’s reliance.’” 2020 WL 6290670, at *6 (quoting Balfour Beatty, 155 A.3d at 457). This case is different from Marriott. In that case, the plaintiffs sufficiently alleged “the most important factor for finding an intimate nexus—that the defendant knew or should have known of the specific plaintiff’s reliance” because the defendant “explicitly acknowledged in its contract” that “it had a duty to protect the Personal Information of end-users . . . and that
to fulfill this duty it had an obligation to use nothing less than a ‘reasonable standard of care.’” 2020 WL 6290670, at *7. Moreover, the plaintiffs alleged that the defendant “publicly acknowledged Plaintiffs’ reliance on its job performance when, in public filings, it recognized the potential legal liability it could incur if a hacker were to gain unauthorized access to the
confidential information stored on the systems it develops for its clients.” Id. In this case, Burger’s assertion that Defendants knew that Medicare beneficiaries relied on them to protect their Private Information finds no support in the alleged facts or analogous cases. The caselaw Burger cites to the contrary is unpersuasive. See In re: The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-2583-TWT, 2016 WL 2897520, at *3 (N.D. Ga. May 18, 2016). In The Home Depot, an out-of-circuit case, the plaintiffs pled “that the Defendant
knew about a substantial data security risk dating back to 2008 but failed to implement reasonable security measures to combat it.” Id. In this case, Burger has only alleged that PII and PHI are generally valuable in the healthcare context—not that Defendants were particularly vulnerable as compared to other data servicers in the industry. In Chicago Title Ins. v. Allfirst Bank, 905 A.2d 366 (Md. 2006), there were prior transactions between the plaintiff title company and the defendant bank that put the bank on notice that the title company
expected the proceeds of a check to pay off a loan rather than be used for a customer’s mortgage account. Id. 382. Here, there are no prior dealings between Burger and either of the Defendants. As Defendant HMS notes, Burger’s theory of intimate nexus is that “she provided her information to CMS, who in turn contracted with Defendant ASRC, who in turn contracted with Defendant HMS.” (ECF No. 30 at 11.) This attenuated chain cannot serve as a basis for liability under the economic loss doctrine. Burger further argues that an independent basis exists for finding Defendants owed a duty to exercise reasonable care in securing and safeguarding her and the class members’ Private Information under Section 5 of the Federal Trade Commission Act (“FTC Act”), 15
U.S.C. § 45. (ECF No. 29 at 27.) As an initial matter, Maryland caselaw states that statutory violations do not circumvent the intimate nexus requirement. See Erie Ins. Co. v. Chops, 585 A.2d 232, 236 (1991) (“[I]n the absence of some indication of a contrary intention on the part of the legislature, a tort duty ordinarily will be recognized only where there is ‘an intimate nexus between the parties.’” (quoting Jacques, 515 A.2d at 759)). Moreover, Maryland “jurisprudence is replete with holdings that, regardless of any foreseeability, a duty does not
exist to the general public, with respect to harm caused by a third party, absent the existence of a special relationship between the person sued and the injured party or the person sued and the third party.” Warr v. JMGM Grp., LLC, 70 A.3d 347, 355 (Md. 2013). “[A] ‘special duty’ to protect another from the acts of a third party may be established ‘(1) by statute or rule; (2) by contractual or other private relationship; or (3) indirectly or impliedly by virtue of the relationship between the tortfeasor and a third party.’” Remsburg v. Montgomery, 831 A.2d 18, 27
(2003) (quoting Bobo v. State, 697 A.2d 1371, 1376 (Md. 1997)). “This ‘special relationship’ exception to the general bar against liability is narrowly construed.” Chang-Williams v. Dep’t of the Navy, 766 F. Supp. 2d 604, 620 (D. Md. 2011) (quoting Patton v. U.S. of Am. Rugby Football, 851 A.2d 566, 574 (2004)). Under Maryland’s “Statute or Ordinance Rule,” a plaintiff must show (1) “the violation of a statute or ordinance designed to protect a specific class of persons [ ], and [ (2) ] that the
violation proximately caused the injury complained of.” Kiriakos v. Phillips, 139 A.3d 1006, 1016 (Md. 2016) (alterations in original) (quoting Blackburn Ltd. P’ship v. Paul, 90 A.3d 464, 471 (Md. 2014)). Burger argues that two statutes substantiate her negligence claim: the FTC Act and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104–191,
110 Stat. 1936 (codified as amended in scattered sections of 42 U.S.C.). However, neither statute provides a private right of action. See Glover v. Loan Sci., LLC, No. 8:19-CV-01880- PWG, 2020 WL 3960623, at *3 (D. Md. July 13, 2020) (“[T]he Federal Trade Commission Act does not provide a private right of action.”); Payne v. Taslimi, 998 F.3d 648, 660 (4th Cir. 2021) (“Every circuit court to consider whether HIPAA created a private right to sue has found that it does not.”). In addition to undermining Burger’s special relationship theory, the lack of a
private right of action in either the FTC Act or HIPAA vitiates Burger’s claim for negligence per se. See J.R. v. Walgreens Boots All., Inc., No. 20-1767, 2021 WL 4859603, at *7 (4th Cir. Oct. 19, 2021) (“To make out such a claim [for negligence per se], Plaintiffs must demonstrate that the statute allegedly violated allows for a private cause of action.”); Kiriakos, 139 A.3d at 1016 (“The Statute or Ordinance Rule is not a means to establishing negligence per se but only prima facie evidence of negligence.”).
Burger fails to allege any facts that support a special relationship between herself and either Defendant. In fact, Burger does not allege that she ever had any contact with either Defendant. Under Maryland caselaw, the facts alleged do not provide for Burger to recover against these third parties with whom Burger had no direct contact. In the case most favorable to Burger, Marriott, the defendant “specifically contracted . . . to protect the personal information of this class of potential claimants.” 2020 WL 6290670, at *7. In this case,
conversely, Burger does not allege that either Defendant was hired for the specific purpose of protecting data, nor does Burger allege that the Defendants “explicitly assumed the responsibility of protecting” Medicare recipients’ data. Id. Burger has therefore failed to allege facts supporting any sort of special relationship between herself and the Defendants, including
one based on the Statute or Ordinance Rule. As Burger has shown neither a special relationship nor an intimate nexus between herself and the Defendants, and therefore has failed to plead the requisite duty, she fails to state a claim for negligence. III. Declaratory Judgment (Count V) Under the Declaratory Judgment Act, federal courts have discretion to hear an action requesting declaratory judgment. 28 U.S.C. § 2201(a). The United States Court of Appeals for
the Fourth Circuit has “held that district courts have great latitude in determining whether to assert jurisdiction over declaratory judgment actions.” Aetna Cas. & Sur. Co. v. Ind-Com Elec. Co., 139 F.3d 419, 422 (4th Cir. 1998); see also Wilton v. Seven Falls Co., 515 U.S. 277, 286 (1995). A district court should consider concerns of federalism, efficiency, and comity before exercising jurisdiction over a declaratory judgment action. See Mitcheson v. Harris, 955 F.2d 235 (4th Cir. 1992). “When declaratory relief would be duplicative of claims already alleged,
dismissal is warranted.” Chevron U.S.C., Inc. v. Apex Oil Co., Inc., 113 F. Supp. 3d 807, 824 (D. Md. 2015) (quoting Sharma v. OneWest Bank, FSB, No. DKC 11-0834, 2011 WL 5167762, at *6 (D. Md. Oct. 28, 2011)); see also Geist v. Hispanic Information & Telecommunications Network, Inc., No. PX-16-3630, 2018 WL 1169084, at *7 (D. Md. 2018) (“[W]here the same conduct underlies claims for declaratory judgment and breach of contract, ‘courts generally dismiss the declaratory judgment claim as duplicative in favor of ‘the better or more effective remedy’ of ‘the underlying litigation itself.’” (quoting Dorset Indus., Inc. v. Unified Grocers, Inc., 893 F. Supp. 2d 395, 403 (E.D.N.Y. 2012))). In this case, Burger pleads a separate claim under the Declaratory Judgment Act in
addition to a request for injunctive relief in her claims for negligence per se, breach of implied contract, and breach of fiduciary duty. (ECF No. 1 ¶¶ 122, 133, 147.) Burger attempts to distinguish the relief requested in the Declaratory Judgment count from the injunctive relief requested in the other counts by asserting that it is “forward-looking.” (ECF No. 29 at 35.) However, it is unclear how the injunctive relief requested in the other counts could be anything but forward looking, as it is clear the damages Burger requests are intended to compensate any
previous injury while the requested injunctive relief is intended to prevent further alleged harm. The Declaratory Judgment count therefore serves no purpose other than to reiterate the injunctive relief requested in Burger’s other counts, as it is based on the same alleged breach of duty and harm stated in the other counts. “This type of double pleading is not the purpose of a declaratory judgment.” Penn Mut. Life Ins. Co. v. Berck, No. CIV.A DKC 09-0578, 2010 WL 3294305, at *3 (D. Md. Aug. 20, 2010) (citing Aetna Cas. & Sur. Co. v. Quarles, 92 F.2d
321, 325 (4th Cir. 1937)); see also Hanback v. DRHI, Inc., 647 F. App’x 207, 210 (4th Cir. 2016) (“[T]he Declaratory Judgment Act is only ‘procedural’ and does not create ‘substantive rights.’” (quoting Medtronic, Inc. v. Mirowski Family Ventures, LLC, 571 U.S. 191, 199 (2014)). Accordingly, even if Burger had standing, she fails to state a claim for declaratory judgment. CONCLUSION For the reasons stated above, Defendants’ Motions to Dismiss (ECF Nos. 20, 21) are GRANTED and this case is DISMISSED WITHOUT PREJUDICE.
A separate order follows.
Date: February 7, 2024
___________/_s_/_ _____________ Richard D. Bennett United States Senior District Judge