UNITED STATES DISTRICT COURT EASTERN DISTRICT OF NEW YORK ----------------------------------------------------------------x LORRELL DUMAY, et. al., : : SUMMARY ORDER OF REMAND Plaintiffs, : 19-CV-06213 (DLI) (CLP) : -against- : : EPISCOPAL HEALTH SERVICES, INC., : : Defendant. : ----------------------------------------------------------------x DORA L. IRIZARRY, United States District Judge:
On November 4, 2019, Episcopal Health Services, Inc. (“Defendant”) timely removed the instant class action from New York State Supreme Court, Queens County to this Court. See, Notice of Removal (the “Notice”), Dkt. Entry No. 1. For the reasons set forth below, this case is remanded to state court sua sponte. BACKGROUND On September 11, 2019, Lorrell Dumay, Dian Dumay, and Jodi Wolfson (collectively, “Plaintiffs”) commenced this class action in state court alleging that Defendant failed to maintain adequate cyber security procedures and policies to safeguard Plaintiffs’ financial, medical and other personal information. (Complaint (“Compl.”) ¶ 1, Ex. A to the Notice.). Plaintiffs each were patients at St. John’s Episcopal Hospital, and claim that, as a condition of their treatment, they supplied sensitive information to Defendant, including, inter alia, their social security numbers, dates of birth and financial information. Id. at ¶ 2. Plaintiffs allege that one or more of the Defendant’s employees’ email accounts were subject to unauthorized access or “hacked” between August 28, 2018 and October 5, 2018, and Plaintiffs suffered injuries arising from the unauthorized disclosure of their confidential information. Id. at ¶ 3. On November 4, 2019, Defendant removed the action to this Court, invoking this Court’s federal question jurisdiction pursuant to 28 U.S.C. § 1331. Notice at ¶ 8. Defendant contends that Plaintiffs’ claims arise under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Federal Trade Commission Act (“FTCA”). Id. On December 3, 2019,
Defendant moved to dismiss this case for lack of standing and failure to state a claim upon which relief can be granted pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Defendant’s Mem. of Law in Support of Mot. to Dismiss, Dkt. Entry No. 13. Plaintiffs opposed the motion. Plaintiffs’ Mem. of Law in Opp. to Mot. to Dismiss, Dkt. Entry No. 18. Defendant replied. Defendant’s Reply Mem. of Law, Dkt. Entry No. 20. No party moved for remand. For the reasons set forth below, the Court finds that it lacks subject matter jurisdiction and this case is remanded to state court for further proceedings. DISCUSSION A state court action may be removed if it is a “civil action . . . of which the district courts
of the United States have original jurisdiction[.]” 28 U.S.C. § 1441(a). A federal district court has original jurisdiction of all civil actions “arising under the Constitution, laws or treaties of the United States.” 28 U.S.C. § 1331. Whether a claim arises under federal law is determined by the well pled complaint rule, which provides that “federal jurisdiction exists only when a federal question is presented on the face of the plaintiff’s properly pleaded complaint.” Rivet v. Regions Bank, 522 U.S. 470, 475 (1998). “[A] right or immunity created by the Constitution or laws of the United States must be an element, and an essential one, of the plaintiff’s cause of action.” Greenblatt v. Delta Plumbing & Heating Corp., 68 F.3d 561, 568 (2d Cir. 1995). The party seeking removal bears the burden of proving that the jurisdictional requirement has been met. See, Cal. Pub. Emps. Ret. Sys. v. Worldcom, Inc., 368 F.3d 86, 100 (2d Cir. 2004) (“Where, as here, jurisdiction is asserted by a defendant in a removal petition, it follows that the defendant has the burden of establishing that removal is proper.”). “[I]n light of the congressional intent to restrict federal court jurisdiction, as well as the importance of preserving the independence of state governments, federal courts construe the removal statute narrowly, resolving any doubts against removability.” Purdue Pharma L.P. v. Kentucky, 704 F.3d 208, 213 (2d Cir. 2013). If the
Court determines that it does not have subject matter jurisdiction over an action removed from state court, the Court must remand the action to state court for further proceedings. See, 28 U.S.C. § 1447(c). The Court may raise the issue of subject matter jurisdiction sua sponte. See, Henderson v. Shinseki, 562 U.S. 428, 434 (2011) (“[F]ederal courts have an independent obligation to ensure that they do not exceed the scope of their jurisdiction, and therefore they must raise and decide jurisdictional questions that the parties either overlook or elect not to press.”). Here, Defendant has failed to meet its burden of proving that this Court has subject matter jurisdiction. Defendant argues that removal to this Court is proper under 28 U.S.C. § 1331 because Plaintiffs’ claims are “expressly and affirmatively premised on duties allegedly arising under HIPAA and the Federal Trade Commission Act.” Notice at ¶ 8. Plaintiffs allege that Defendant
violated HIPAA and FTCA regulations by not safeguarding their confidential information, including their financial, medical and other personal information. Compl. at ¶¶ 1, 40, 64-66. Plantiffs list as one of the common questions of law and fact among the putative class members, “[w]hether Defendant’s data security systems . . . met the requirements of laws including, for instance, HIPAA.” Id. at ¶ 54. Plaintiffs also characterize their causes of action as “sounding in common negligence, negligent hiring and training of employees, breach of fiduciary duty, implied contract, and delay in notification of the data breach,” all of which are common law causes of action Id. at ¶ 4. While Plaintiffs may have cited to HIPAA and the FTCA in their state court complaint, neither statute provides private causes of action in federal court for their violation. See, Bond v. Conn. Bd. of Nursing, 622 F. App’x 43, 44 (2d Cir. 2015) (“It is doubtful that HIPAA provides a private cause of action[.]”); Scott v. AOL Time Warner, 109 F. App’x 480, 481 (2d Cir. 2004) (“[T]he Federal Trade Commission Act . . . do[es] not provide for a private cause of action.”). “It is well-established that there is no private right of action under the HIPAA law.” Gaines v. Nassau
Univ. Med. Ctr., 2018 WL 3973015, at *3 (E.D.N.Y. Aug. 16, 2018). HIPAA enforcement actions fall within the exclusive purview of the Department of Health and Human Services. See, 42 U.S.C. § 300gg-22(a). FTCA enforcement actions also fall within the exclusive purview of the Federal Trade Commission. See, 15 U.S.C. § 45(a)(2); Alfred Dunhill, Ltd. v.
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT EASTERN DISTRICT OF NEW YORK ----------------------------------------------------------------x LORRELL DUMAY, et. al., : : SUMMARY ORDER OF REMAND Plaintiffs, : 19-CV-06213 (DLI) (CLP) : -against- : : EPISCOPAL HEALTH SERVICES, INC., : : Defendant. : ----------------------------------------------------------------x DORA L. IRIZARRY, United States District Judge:
On November 4, 2019, Episcopal Health Services, Inc. (“Defendant”) timely removed the instant class action from New York State Supreme Court, Queens County to this Court. See, Notice of Removal (the “Notice”), Dkt. Entry No. 1. For the reasons set forth below, this case is remanded to state court sua sponte. BACKGROUND On September 11, 2019, Lorrell Dumay, Dian Dumay, and Jodi Wolfson (collectively, “Plaintiffs”) commenced this class action in state court alleging that Defendant failed to maintain adequate cyber security procedures and policies to safeguard Plaintiffs’ financial, medical and other personal information. (Complaint (“Compl.”) ¶ 1, Ex. A to the Notice.). Plaintiffs each were patients at St. John’s Episcopal Hospital, and claim that, as a condition of their treatment, they supplied sensitive information to Defendant, including, inter alia, their social security numbers, dates of birth and financial information. Id. at ¶ 2. Plaintiffs allege that one or more of the Defendant’s employees’ email accounts were subject to unauthorized access or “hacked” between August 28, 2018 and October 5, 2018, and Plaintiffs suffered injuries arising from the unauthorized disclosure of their confidential information. Id. at ¶ 3. On November 4, 2019, Defendant removed the action to this Court, invoking this Court’s federal question jurisdiction pursuant to 28 U.S.C. § 1331. Notice at ¶ 8. Defendant contends that Plaintiffs’ claims arise under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Federal Trade Commission Act (“FTCA”). Id. On December 3, 2019,
Defendant moved to dismiss this case for lack of standing and failure to state a claim upon which relief can be granted pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Defendant’s Mem. of Law in Support of Mot. to Dismiss, Dkt. Entry No. 13. Plaintiffs opposed the motion. Plaintiffs’ Mem. of Law in Opp. to Mot. to Dismiss, Dkt. Entry No. 18. Defendant replied. Defendant’s Reply Mem. of Law, Dkt. Entry No. 20. No party moved for remand. For the reasons set forth below, the Court finds that it lacks subject matter jurisdiction and this case is remanded to state court for further proceedings. DISCUSSION A state court action may be removed if it is a “civil action . . . of which the district courts
of the United States have original jurisdiction[.]” 28 U.S.C. § 1441(a). A federal district court has original jurisdiction of all civil actions “arising under the Constitution, laws or treaties of the United States.” 28 U.S.C. § 1331. Whether a claim arises under federal law is determined by the well pled complaint rule, which provides that “federal jurisdiction exists only when a federal question is presented on the face of the plaintiff’s properly pleaded complaint.” Rivet v. Regions Bank, 522 U.S. 470, 475 (1998). “[A] right or immunity created by the Constitution or laws of the United States must be an element, and an essential one, of the plaintiff’s cause of action.” Greenblatt v. Delta Plumbing & Heating Corp., 68 F.3d 561, 568 (2d Cir. 1995). The party seeking removal bears the burden of proving that the jurisdictional requirement has been met. See, Cal. Pub. Emps. Ret. Sys. v. Worldcom, Inc., 368 F.3d 86, 100 (2d Cir. 2004) (“Where, as here, jurisdiction is asserted by a defendant in a removal petition, it follows that the defendant has the burden of establishing that removal is proper.”). “[I]n light of the congressional intent to restrict federal court jurisdiction, as well as the importance of preserving the independence of state governments, federal courts construe the removal statute narrowly, resolving any doubts against removability.” Purdue Pharma L.P. v. Kentucky, 704 F.3d 208, 213 (2d Cir. 2013). If the
Court determines that it does not have subject matter jurisdiction over an action removed from state court, the Court must remand the action to state court for further proceedings. See, 28 U.S.C. § 1447(c). The Court may raise the issue of subject matter jurisdiction sua sponte. See, Henderson v. Shinseki, 562 U.S. 428, 434 (2011) (“[F]ederal courts have an independent obligation to ensure that they do not exceed the scope of their jurisdiction, and therefore they must raise and decide jurisdictional questions that the parties either overlook or elect not to press.”). Here, Defendant has failed to meet its burden of proving that this Court has subject matter jurisdiction. Defendant argues that removal to this Court is proper under 28 U.S.C. § 1331 because Plaintiffs’ claims are “expressly and affirmatively premised on duties allegedly arising under HIPAA and the Federal Trade Commission Act.” Notice at ¶ 8. Plaintiffs allege that Defendant
violated HIPAA and FTCA regulations by not safeguarding their confidential information, including their financial, medical and other personal information. Compl. at ¶¶ 1, 40, 64-66. Plantiffs list as one of the common questions of law and fact among the putative class members, “[w]hether Defendant’s data security systems . . . met the requirements of laws including, for instance, HIPAA.” Id. at ¶ 54. Plaintiffs also characterize their causes of action as “sounding in common negligence, negligent hiring and training of employees, breach of fiduciary duty, implied contract, and delay in notification of the data breach,” all of which are common law causes of action Id. at ¶ 4. While Plaintiffs may have cited to HIPAA and the FTCA in their state court complaint, neither statute provides private causes of action in federal court for their violation. See, Bond v. Conn. Bd. of Nursing, 622 F. App’x 43, 44 (2d Cir. 2015) (“It is doubtful that HIPAA provides a private cause of action[.]”); Scott v. AOL Time Warner, 109 F. App’x 480, 481 (2d Cir. 2004) (“[T]he Federal Trade Commission Act . . . do[es] not provide for a private cause of action.”). “It is well-established that there is no private right of action under the HIPAA law.” Gaines v. Nassau
Univ. Med. Ctr., 2018 WL 3973015, at *3 (E.D.N.Y. Aug. 16, 2018). HIPAA enforcement actions fall within the exclusive purview of the Department of Health and Human Services. See, 42 U.S.C. § 300gg-22(a). FTCA enforcement actions also fall within the exclusive purview of the Federal Trade Commission. See, 15 U.S.C. § 45(a)(2); Alfred Dunhill, Ltd. v. Interstate Cigar Co., 499 F.2d 232, 237 (2d Cir. 1974) (“[T]he provisions of the Federal Trade Commission Act may be enforced only by the Federal Trade Commission. Nowhere does the Act bestow upon either competitors or consumers standing to enforce its provisions.”). Accordingly, based on the information contained in the state court complaint and the Notice, the Court finds that Plaintiffs’ claims do not give rise to a federal question as required by
28 U.S.C. § 1331.1 As the Court lacks subject matter jurisdiction, the Court declines to rule on Defendant’s motion to dismiss and remands this action to state court for further proceedings.
1 This Court also lacks diversity jurisdiction pursuant to 28 U.S.C. § 1332(d)(2)(a) as the parties share New York citizenship. Compl. ¶¶ 5-8. CONCLUSION For the reasons set forth above, this case is dismissed, without prejudice, and remanded to New York State Supreme Court, Queens County, under Index No. 715629/2019, for further proceedings.2
SO ORDERED.
Dated: Brooklyn, New York June 18, 2020
__________/s/______________ Dora L. Irizarry United States District Judge
2 The parties engaged in mediation after briefing Defendant’s motion to dismiss and, on June 5, 2020, a report that the parties had settled this matter was filed with the Court. See, Dkt Entry No. 25. The Mediation Report is due to be filed on June 19, 2020. As the dismissal is without prejudice, the Court hopes the parties will abide by their settlement agreement and, thus, avoid further proceedings in state court.