UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
BYRON ANTHONY JOHNSON,
Plaintiff,
v. Civil Action No. 23-2263 (LLA) UNITED STATES DEPARTMENT OF HEALTH & HUMAN SERVICES CENTERS FOR MEDICARE & MEDICAID SERVICES,
Defendant.
MEMORANDUM OPINION AND ORDER
Plaintiff Byron Anthony Johnson, an insurance broker, sues Defendant Centers for
Medicare & Medicaid Services (“CMS”). ECF No. 1. Mr. Johnson alleges that CMS violated the
Privacy Act, 5 U.S.C. § 552a, by disclosing inaccurate or incomplete information about his
company’s practices to insurance carriers and violated the Freedom of Information Act (“FOIA”),
5 U.S.C. § 552, by failing to respond to his request for information under that statute. ECF No. 1,
at 1. CMS moves to dismiss Mr. Johnson’s claims under the Privacy Act (Counts I and II), arguing
that he has failed to state a claim under Federal Rule of Civil Procedure 12(b)(6). ECF No. 12,
at 1. For the reasons explained below, the court will deny CMS’s partial motion to dismiss.
I. Factual Background
For purposes of evaluating CMS’s motion, the following allegations, which are taken from
Mr. Johnson’s complaint, ECF No. 1, are accepted as true. See Am. Nat’l Ins. Co. v. FDIC, 642
F.3d 1137, 1139 (D.C. Cir. 2011). Mr. Johnson owns and operates an insurance agency, Obamacare Enrollment Center/Star
Insurance LLC (“Star”). ECF No. 1 ¶ 6. Mr. Johnson, who self-identifies as an African American
man, sought to address racial health disparities by “target[ing] and enroll[ing] African Americans
and other historically underrepresented communities in healthcare insurance under the Affordable
Care Act [‘ACA’].” Id. ¶¶ 15-17. Star contracted with insurance carriers Florida Blue and Oscar
Health and with insurance referral service HealthSherpa (collectively, the “Insurance
Companies”). Id. ¶¶ 18-19, 29-31.
In February 2021, during the COVID-19 pandemic, CMS oversaw a special enrollment
period (“SEP”) to encourage individuals to sign up for insurance under the ACA. Id. ¶¶ 21, 26.
During the SEP, insurance agencies received escalating bonuses based on the number of
individuals they enrolled. Id. ¶ 21. Mr. Johnson and Star signed up more than 12,000 new
members during the SEP and therefore qualified for bonus commissions of $200 per person. Id.
¶¶ 23-24.
CMS launched an investigation into Star’s sign-up practices. Id. ¶¶ 33-34, 36-37, 40.
Mr. Johnson alleges that “[t]his was not done to white, Caucasian owners of brokerages who
produced equally or greater numbers of sign-ups.” Id. ¶ 41. CMS subsequently disclosed to
Florida Blue “that CMS was investigating improprieties in the manner in which Plaintiff operated
his agency, that Plaintiff did not have consent for the sign-ups he was doing and that Florida Blue
should immediately terminate Plaintiff’s contractual relationship.” Id. ¶ 59. Florida Blue
“immediately terminated” its contract with Mr. Johnson. Id. ¶ 61. Per Mr. Johnson, this cost Star
more than $2,000,000 in unpaid commissions. Id. ¶¶ 62-64.
On January 12, 2022, CMS employee Joshua Halsey sent the following email to
HealthSherpa:
2 Hi HealthSherpa Team,
We chatted about Byron Johnson and his insurance agency, Star Insurance, in April or so of last year. After our discussion, we did confirm that Mr. Johnson was sharing his login credentials with several of his employees. I believe Mr. Johnson and his employees have corrected this behavior, however, I did want to update based on something I noticed this morning. Before I get into what I noticed though, note that one insurer has already banned this agency and has submitted recissions for a large number of policies submitted by this agency. A second issuer has also expressed concerns about this agency and has inquired about submitting recissions for potentially fraudulent policies. Furthermore, we have interviewed several consumers enrolled by this agency, and several consumers indicated they were enrolled without their consent. This said, I noticed this morning that it appears this agency may now be using HealthSherpa referral functionality for the vast majority of their enrollments. I looked at PY2022 applications and policies submitted by a subset of three Star Insurance agents this morning and 90% of the submitted policies include either George or Morgan’s name and NPN. 99% of the same policies have $0 Individual Responsibility Amount (IRA), which is well above the average rate of $0 IRA policies across the Marketplace. I intend to share what I am seeing with the policy names and NPNs with a couple state departments of insurance that I believe are looking into Star Insurance but thought you should know as well, given you[r] names and NPNs now appear to be tied to the activity of this agency.
Id. ¶¶ 70-72. That same day, HealthSherpa terminated its contract with Star. Id. ¶ 78. When CMS
asked HealthSherpa why it had terminated the contract, HealthSherpa’s Chief Executive Officer
replied:
The primary basis was this email thread [with CMS] that contained a lot of new information we did not have (issuers banning agency, recissions). We have not shared any of that information with anyone outside our organization. Prior to this communication we had a handful of consumer complaints we were investigating (<0.10% complaint rate), and had planned to meet with Mr. Johnson to discuss best practices around capturing and storing consumer content as we believed him to be a legitimate actor who was struggling to deal with the scale/volume of applications that his newly formed agency was submitting. The new information provided changed our view significantly.
3 Id. ¶ 81. Per Mr. Johnson, HealthSherpa’s decision to terminate its contract cost Star at least
$400,000 in unpaid commissions “and hundreds of thousands if not millions more in future sign-
up commissions and renewal commissions.” Id. ¶ 84.
Mr. Johnson further alleges that CMS “disclosed to Oscar Health that CMS was
investigating improprieties in the manner by which Plaintiff operated [Star]” and that this
disclosure “was done in similar fashion to the CMS disclosure to HealthSherpa.” Id. ¶¶ 94-95.
Oscar Health initially suspended its contract with Star while it investigated “a number of suspected
fraudulent Individual and Family Plan (IFP) enrollments,” noting that CMS had recently
“approved the cancellation of such members’ coverage.” Id. ¶ 97. On May 6, 2022, Oscar notified
Star that it had concluded its investigation and decided to terminate its contract. Id. ¶ 98. Per
Mr. Johnson, this cost Star $600,000 in unpaid commissions “and millions more in new business
and renewal business.” Id. ¶ 100.
Mr. Johnson learned about CMS’s disclosures to the Insurance Companies from “an
anonymous CMS source.” Id. ¶ 86. The source told Mr. Johnson that “he had been put on a hit
list of brokers that had been illegally flagged by CMS . . . based on his race and the large number
of signups he had been making,” and that “Caucasian high-volume producers were not flagged for
extra scrutiny and placed on the CMS hit list.” Id. ¶¶ 87-88. Mr. Johnson “[f]ollow[ed]
information from the source . . . to obtain the January 12, 2022 email from CMS’[s] Josh Halsey
to the HealthSherpa team.” Id. ¶ 89.
On January 19, 2022, Mr. Johnson made a FOIA request to CMS and the Department of
Health and Human Services (“HHS”), which houses CMS. Id. ¶ 90. In it, he requested
communications related to the above allegations. Id. ¶ 93. HHS acknowledged his request on
4 January 21, 2022, but it did not provide the requested information. Id. ¶ 91, 103 (“To date, CMS
has not released any records responsive to Plaintiff’s request.”).
II. Procedural History
Mr. Johnson filed this suit in August 2023, alleging that CMS had violated the Privacy Act
by disclosing information to the Insurance Companies and had violated FOIA by failing to respond
to his January 19, 2022 request. See generally ECF No. 1. CMS moves to dismiss Mr. Johnson’s
Privacy Act claims (Counts I and II) for failure to state a claim under Federal Rule of Civil
Procedure 12(b)(6). ECF No. 12, at 1. Mr. Johnson filed an opposition, ECF No. 13, and CMS
filed a reply, ECF No. 15. The motion is now ripe for decision.
III. Legal Standard
Under Rule 12(b)(6), the court will dismiss a complaint that does not “contain sufficient
factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft
v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
“A claim has facial plausibility when the plaintiff pleads factual content that allows the court to
draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. In
evaluating a motion to dismiss under Rule 12(b)(6), the court will accept the factual allegations in
the complaint as true and draw all reasonable inferences in the plaintiff’s favor. Id. The court may
consider only the facts alleged in the complaint and “any documents either attached to or
incorporated in the complaint and matters of which [the court] may take judicial notice.” N. Am.
Butterfly Ass’n v. Wolf, 977 F.3d 1244, 1249 (D.C. Cir. 2020) (quoting Hurd v. District of
Columbia, 864 F.3d 671, 678 (D.C. Cir. 2017) (alteration in original)).
5 IV. Discussion
A. Audio Recording
Before turning to the merits, the court addresses a threshold question. Mr. Johnson
attached an exhibit to his opposition: an audiotape of his conversation with the anonymous CMS
source. ECF No. 13-2. CMS argues that Mr. Johnson may not “impermissibly . . . amend the
complaint” in this way and urges the court to disregard the exhibit. ECF No. 15, at 2. Because
the court finds that Mr. Johnson’s complaint survives CMS’s motion to dismiss even without
considering the audiotape’s contents, the court need not decide whether it would be proper to
consider the exhibit.
B. Merits
The Privacy Act imposes “a comprehensive and detailed set of requirements for the
management of confidential records held by Executive Branch agencies,” FAA v. Cooper, 566 U.S.
284, 287 (2012), and “provides for various sorts of civil relief to individuals aggrieved” by the
government’s failure to comply, Doe v. Chao, 540 U.S. 614, 618 (2004). Mr. Johnson seeks
damages pursuant to Subsection 522a(g)(1)(D) of the Act, which provides relief when an agency
“fails to comply with any other provision [of the Privacy Act] . . . in such a way as to have an
adverse effect on an individual.” 5 U.S.C. § 552a(g)(1)(D). Mr. Johnson argues that CMS
violated the Privacy Act by (1) disclosing records without his consent in violation of 5 U.S.C.
§ 552a(b), see ECF No. 1 ¶¶ 121-32; and (2) failing to “make reasonable efforts to assure that such
records [were] accurate, complete, timely, and relevant for agency purposes,” in violation of
5 U.S.C. § 552a(e)(6), see ECF No. 1 ¶¶ 111-20.
CMS moves to dismiss on four grounds: (1) that Mr. Johnson has not adequately alleged
that the records in question were maintained in and released from a “system of records,” as required
by the Privacy Act, ECF No. 12, at 4-5; (2) that any disclosure falls under the statute’s “routine
6 use” exception, id. at 6-9; (3) that Mr. Johnson has not sufficiently alleged that the disclosed
records were inaccurate, id. at 9-11; and (4) that Mr. Johnson has not alleged that any improper
disclosure was “intentional or willful” such that he can recover damages, id. at 11-12. The court
disagrees and will therefore deny CMS’s partial motion to dismiss.
1. System of Records
Mr. Johnson’s claims under Subsections 552a(b) and 552a(e)(6) share a threshold
requirement: they apply only to records maintained within a “system of records.” See 5 U.S.C.
§ 552a(b); id. § 552a(e). The Privacy Act defines a “system of records” as a “group of any records
under the control of any agency from which information is retrieved by the name of the individual
or by some identifying number, symbol, or other identifying particular assigned to the individual.”
Id. § 552a(a)(5). A “system of records exists only if the information contained within the body of
material is both retrievable by personal identifier and actually retrieved by personal identifier.”
Paige v. DEA, 665 F.3d 1355, 1359 (D.C. Cir. 2012) (quoting Maydak v. United States, 630 F.3d
166, 178 (D.C. Cir. 2010)).
CMS argues that Mr. Johnson has failed to plausibly allege a system of records because he
merely “recites” the “formulaic legal conclusion that the records were contained within a system
of records.” ECF No. 12, at 6; see id. at 4-6. It is true that, at various points in his complaint,
Mr. Johnson simply asserts that the information in question “was contained within a system of
CMS records.” ECF No. 1 ¶ 48; see id. ¶¶ 49, 53, 58, 74. That is a legal conclusion the court need
not accept as true. See Iqbal, 556 U.S. at 678.
However, construing all inferences in Mr. Johnson’s favor—as the court must at the
motion-to-dismiss stage, see id.—the communications between CMS and the Insurance
Companies themselves suggest that a “system of records” is in play. For example, Mr. Halsey’s
January 2022 email to HealthSherpa explains: “I looked at PY2022 applications and policies 7 submitted by a subset of three Star Insurance agents this morning and 90% of the submitted policies
include either George or Morgan’s name and NPN.” ECF No. 1 ¶ 72. The email also references
information CMS collected by interviewing consumers. Id. After construing all reasonable
inferences in Mr. Johnson’s favor, the court finds it plausible that CMS stored and retrieved this
information “by the name of [Mr. Johnson] or by some identifying number, symbol, or other
identifying particular assigned to [him].” 5 U.S.C. § 552a(a)(5).
This conclusion is only bolstered by CMS’s own filings. CMS notes elsewhere in its
motion to dismiss that “[t]he CMS system of records that is closest to what [Mr. Johnson] has
alleged in the Complaint is the CMS Fraud Investigation Database,” and that this database includes
“the name, work address, work phone number, social security number, [and] Unique Provider
Identification Number (UPIN) . . . of individuals alleged to have violated” health insurance
statutes. ECF No. 12, at 6-7. “[W]here an agency compiles information about individuals for
investigatory purposes, ‘Privacy Act concerns are at their zenith, and if there is evidence of even
a few retrievals of information keyed to [personal identifiers], it may well be the case that the
agency is maintaining a system of records.’” Maydak, 363 F.3d at 520 (alteration in original)
(quoting Henke v. U.S. Dep’t of Com., 83 F.3d 1453, 1461 (D.C. Cir. 1996)). With this in mind,
the court concludes that—at this early stage of the litigation—Mr. Johnson has plausibly alleged a
“system of records” within the meaning of the Privacy Act.
2. Subsection 552a(b) Claim: Routine Use Exception
CMS argues that Mr. Johnson’s claim under Subsection 552a(b) fails because any
disclosure by it qualifies as a “routine use” and is therefore permissible. ECF No. 12, at 6 (quoting
5 U.S.C. § 552a(b)(3)); see id. at 6-9. The Privacy Act defines “routine use” as “the use of [a]
record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C.
§ 552a(a)(7). Agencies must “publish in the Federal Register . . . each routine use of the records 8 contained in the system, including the categories of users and the purpose of such use.” Id.
§ 552a(e)(4)(D). Here, CMS points to its Fraud Investigation Database as the “system of records
that is closest to what [Mr. Johnson] has alleged.” ECF No. 12, at 6. The routine uses of that
system include “allowing CMS to disclose to its contractors to ‘prevent, deter, discover, detect,
investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise
combat fraud, waste, and abuse in [its] programs.’” Id. at 8-9.
The parties’ core disagreement here turns not on law, but on facts. CMS argues that it
made the disclosures in question only “to convey information to insurance companies about
potentially fraudulent policies obtained by [Mr. Johnson] or his agency”—a routine use. Id. at 8.
Mr. Johnson claims that the disclosures were not made pursuant to a legitimate investigation, but
rather “done maliciously, based on racial animus.” ECF No. 13, at 14. In support of that claim,
he alleges that “an anonymous CMS source” informed him “that he had been put on a hit list of
brokers that had been illegally flagged . . . based on his race and the large number of signups he
had been making.” ECF No. 1 ¶¶ 86-87. The source also told Mr. Johnson “that Caucasian
high-volume producers were not flagged for extra scrutiny and placed on the CMS hit list.” Id.
¶ 88. Accepting Mr. Johnson’s version of events as true, see Iqbal, 556 U.S. at 678, it is plausible
that CMS made its disclosures not for the purpose of combatting fraud (a permissible “routine
use”), but rather for the purpose of discriminating against Mr. Johnson. Therefore, the court cannot
conclude today that CMS’s disclosures fall into the “routine use” exception.
3. Subsection 552a(e)(6) Claim: Factual Inaccuracy
Subsection 552a(e)(6) of the Privacy Act requires that agencies make “reasonable efforts
to assure that . . . records are accurate, complete, timely, and relevant for agency purposes.”
5 U.S.C. § 552a(e)(6). “It is well-established that, ‘generally speaking, the Privacy Act allows for
correction of facts but not correction of opinions or judgments.’” Mueller v. Winter, 485 F.3d 9 1191, 1197 (D.C. Cir. 2007) (quoting McCready v. Nicholson, 465 F.3d 1, 19 (D.C. Cir. 2006)).
Only if “the information contained in an agency’s files is capable of being verified” does the
agency need to “take reasonable steps to maintain the accuracy of the information.” McCready,
465 F.3d at 19 (quoting Sellers v. Bureau of Prisons, 959 F.2d 307, 312 (D.C. Cir. 1992)).
CMS argues that Mr. Johnson cannot maintain a claim under Subsection 552a(e)(6)
because he “has not identified any factual errors in the allegedly disclosed records.” ECF No. 12,
at 10; see id. at 9-11. Mr. Johnson takes issue with CMS’s decision to tell insurance companies
that he was under investigation—but, as CMS points out, he does not allege that such statements
were factually inaccurate. See id. at 10; see generally ECF No. 1. In fact, Mr. Johnson’s entire
complaint turns on the proposition that the agency was investigating him. See ECF No. 1 ¶¶ 34,
36-37.
Instead, Mr. Johnson’s argument seems to be that CMS lied by omission: CMS told the
Insurance Companies that it was investigating him but “did not reveal the fact that CMS had made
a determination that [he] did not violate the ACA program rules and regulations.” ECF No. 13,
at 18; see ECF No. 1 ¶¶ 45-46 (“CMS did not find violations sufficient enough to warrant
termination from the ACA signup program . . . . In fact, [Mr. Johnson] and his agency ha[ve] still
not been terminated from the ACA program.”). After drawing all reasonable inferences in
Mr. Johnson’s favor, the court construes this as an argument that CMS violated
Subsection 552a(e)(6) by disclosing incomplete records. See 5 U.S.C. § 552a(e)(6) (requiring
agencies to make “reasonable efforts to assure that . . . records are . . . complete”). Whether those
records were in fact incomplete is a question for another day. At this stage, Mr. Johnson has done
enough to allege a claim under Subsection 552a(e)(6).
10 4. Intentional or Willful Disclosure
Mr. Johnson seeks damages under the Privacy Act; he does not seek injunctive relief. ECF
No. 1, at 29; see ECF No. 12, at 2. Damages are available under the Privacy Act only where “the
court determines that the agency acted in a manner which was intentional or willful.” 5 U.S.C.
§ 552a(g)(4). “Under the Privacy Act, willfulness means more than ‘gross negligence.’” In re
U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 63 (D.C. Cir. 2019) (quoting
Maydak, 630 F.3d at 179). “Section 552a(g)(4) imposes liability only when the agency acts in
violation of the Act . . . either by committing the act without grounds for believing it to be lawful,
or by flagrantly disregarding others’ rights under the Act.” Maydak, 630 F.3d at 180 (quoting
Albright v. United States, 732 F.2d 181, 189 (D.C. Cir. 1984)).
Mr. Johnson’s theory of the case is that CMS’s disclosures were racially motivated. See
ECF No. 1 ¶¶ 32-36, 40-41, 43, 55. He alleges a “discriminatory plot” in which “rogue” CMS
employees launched a “pretextual investigation into Plaintiff’s sign-up practices for the purpose
of destroying Plaintiffs’ [sic] business success.” Id. ¶¶ 36, 40, 55. Standing alone, such “naked
assertions” would—as CMS argues, ECF No. 12, at 12; see id. at 11-12—be insufficient to survive
a motion to dismiss, Iqbal, 556 U.S. at 678.
However, Mr. Johnson does more. He alleges that an anonymous CMS source contacted
him and communicated that “he had been put on a hit list of brokers that had been illegally flagged
by CMS . . . based on his race and the large number of signups he had been making” and that
“Caucasian high-volume producers were not flagged for extra scrutiny and placed on the CMS hit
list.” ECF No. 1 ¶¶ 86-88. Mr. Johnson “[f]ollow[ed] information from the source . . . to obtain
the January 12, 2022 email from CMS’ Josh Halsey to the HealthSherpa team”—the email that
Mr. Johnson alleges to be an improper disclosure in violation of the Privacy Act. Id. ¶ 89. Taken
together and assumed true, these allegations allow the court to reasonably infer that CMS 11 employees intentionally targeted Mr. Johnson and made incomplete, misleading disclosures
because of his race—“a violation ‘so patently egregious and unlawful that anyone undertaking the
conduct should have known it unlawful.’” Toolasprashad v. Bureau of Prisons, 286 F.3d 576, 584
(D.C. Cir. 2002) (quoting Deters v. U.S. Parole Comm’n, 85 F.3d 655, 660 (D.C. Cir. 1996)).
Because Mr. Johnson has plausibly alleged that CMS intentionally and willfully disregarded his
rights under the Privacy Act, his claim for damages withstands CMS’s motion to dismiss.
V. Conclusion
For the foregoing reasons, Defendant’s Partial Motion to Dismiss, ECF No. 12, is hereby
DENIED. CMS shall file an answer to Mr. Johnson’s complaint on or before October 2, 2024.
Fed. R. Civ. P. 12(a)(4)(A).
SO ORDERED.
/s/ Loren L. AliKhan LOREN L. ALIKHAN United States District Judge
Date: September 18, 2024