Polanco v. Omnicell, Inc.

988 F. Supp. 2d 451, 2013 WL 6823265, 2013 U.S. Dist. LEXIS 180322

• Court: District Court, D. New Jersey
• Decided: December 26, 2013
• Docket: Civ. No. 13-1417 (NLH/KMW)
• Status: Published

Opinion

OPINION

HILLMAN, District Judge.

This matter comes before the Court by way of several motions [Doc. Nos. 28, 29, 30, 31] seeking to dismiss Plaintiffs First Amended Class Action Complaint (the “Amended Complaint”) [Doc. No. 12] pursuant to Federal Rules of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction and 12(b)(6) for failure to state a claim upon which relief can be granted made by Defendants Omnieell, Inc., Sentara Healthcare, South Jersey Health System, Inc., Inspira Health Network, Inc., and the Board of Regents of the University of Michigan.

Plaintiff opposes all of the pending motions to dismiss, and filed an omnibus response in opposition. The Court has considered the parties’ submissions, and decides this matter pursuant to Federal Rule of Civil Procedure 78. For the reasons expressed below, Defendants’ motions will be granted.

I. JURISDICTION

The Court exercises jurisdiction over this putative class action pursuant to 28 U.S.C. § 1332(d)(2)(A),¹ the Class Action Fairness Act (“CAFA”) because the aggregate amount in controversy exceeds $5 million and minimal diversity exists between Plaintiff, a citizen of New Jersey, and Defendants, citizens of Delaware, California, New Jersey, Virginia, and Michigan.

II. BACKGROUND

Plaintiff Bobbi Polanco brings this putative class action on behalf of herself and all others similarly situated asserting claims for: (1) breaches of state security notification laws; (2) violations of consumer fraud laws in New Jersey, Virginia, and Michigan; (3) fraud; (4) negligence; and (5) conspiracy.² (Am. Compl. ¶¶ 78-116.) Plaintiffs Amended Complaint names several Defendants. Defendant Omnieell, Inc. (“Omnieell”) is a corporation that “sells automatic and analytics solutions designed to enable healthcare facilities to acquire, manage, dispense and administer medications and medical-surgical supplies.” (Am. Compl. ¶ 15.) According to the Amended Complaint, Omnicell’s “systems provide medication control and dispensing starting from the point of entry into the hospital and other health care providers, through the central pharmacy, to the nursing station and to the patient’s bedside.” (Id.) Plaintiff asserts that Omnicell’s medication-use products are in more than 2,500 healthcare facilities across the country. (Id. ¶ 16.)

The remaining Defendants are hospitals or healthcare providers for which Omnieell provides automated medication dispensing services. By virtue of the nature of the services it provides to hospitals and healthcare providers, Omnieell is entrusted with patient information. The specific hospitals or healthcare providers named as Defendants in this suit are as follows. Defendant Sentara Healthcare (“Sentara”) is a Virginia corporation that owns and operates approximately twelve (12) hospitals throughout the state of Virginia. (Id. ¶¶ 24-25.) Defendant the Board of Regents of the University of Michigan (“the Board of Regents”) is “the body corporate of the University of Michigan” which supervises, controls, and authorizes the actions of the departments of the University including the Department of Medicine. (Id. ¶¶ 26-27.) The University of Michigan owns and operates a medical center known as the University of Michigan Health System³ which provides medical care for “over 1.8 million outpatient and emergency visits, 44,000 hospital stays, 46,000 surgeries and 4,000 births” in a typical year. (Id. ¶¶ 28-29.)

Defendant South Jersey Health System, Inc. (“SJHS”) is a non-profit corporation, which, prior to November 1, 2012, owned and operated two hospitals — SJHS’s Regional Medical Center in Vineland, New Jersey, and SJHS’s Elmer Hospital in Elmer, New Jersey. (Id. ¶¶ 17, 19-20.) On November 1, 2012, SJHS merged with Underwood-Memorial Health Systems, Inc., resulting in the formation of a new company now known as Inspira Health Network, Inc. (“Inspira”). (Id. ¶¶ 18-20.) After the merger, SJHS’s Regional Medical Center in Vineland was renamed Inspira Medical Center Vineland, and SJHS’s Elmer Hospital was renamed Inspira Medical Center Elmer.⁴ (Id. 121.)

According to Plaintiff, her claims and the claims of the putative Class arise out of the November 14, 2012 theft of a laptop computer, owned by Omnicell, which was stolen out of the locked vehicle of an Omnicell employee. (Am. Compl. ¶¶2, 42-43.) Plaintiff alleges that the stolen laptop computer contained the unencrypted Personal Confidential Information (“PCI”) of Plaintiff, and thousands of other individuals, all of whom provided their information to Defendants Sentara, Inspira, and the University of Michigan during the course of seeking healthcare treatment for themselves and their loved ones at these medical institutions.⁵ (Id. ¶¶ 2, 43, 45.) Plaintiff apparently learned of the data breach associated with the laptop in question by receipt of a letter from Omnicell dated December 31, 2012, attached as Exhibit A to the Amended Complaint. (Ex. A to Pl.’s Am. Compl. [Doc. No. 12-1], 1-2.) Plaintiff alleges that tens of thousands of patients were affected by Omnicell’s data breach including 8,500 patients of SJHS, 4,000 patients of the University of Michigan Health System, and 56,000 patients from Sentara. (Id. ¶ 48.)

Plaintiff asserts that the unencrypted PCI contained on the laptop in question included a patient’s: name, date of birth, gender, allergies, patient number, medical record number, hospital room number, treatment site, physician’s name, admission and/or discharge dates, and patient type (i.e., inpatient, emergency room, outpatient). (Id. ¶ 45.) In addition to this general information, Plaintiff asserts that the unencrypted PCI also included the names of the medications used to treat the patient, as well as the dosage amount, the rate, the route (i.e., oral, infusion, etc.), the frequency, administration instructions, and start/stop times for the medication.⁶ (Id.)

Plaintiff claims that her PCI came to be stored on the Omnicell laptop in question in connection with medical treatment Plaintiff sought for her minor daughter at two SJHS hospitals now owned and operated by Inspira. Specifically, Plaintiff alleges that on at least five occasions since 2011, she brought her daughter to the emergency room of either the SJHS Regional Medical Center or SJHS’s Elmer Hospital for treatment of sudden on-set symptoms for upper respiratory infections, bronchitis, fevers, and throat-swelling episodes. (Id. ¶¶ 35-37.) As part of her treatment, Plaintiffs daughter received antibiotics which were administered intravenously. (Id. ¶ 39.) During her initial visit to a SJHS hospital, Plaintiff provided SJHS with her Social Security number, her insurance information, dates of birth for her and her daughter, and a summary of the medical condition giving rise to that visit. (Id. ¶ 40.) On each subsequent visit, Plaintiff was asked to confirm the accuracy of the information she had previously provided and to provide a summary of the reason for her daughter’s current visit. (Id.)

The Amended Complaint does not explicitly allege that one of Omnieell’s automation and analytics systems or products was utilized to administer antibiotics to Plaintiffs daughter during her treatments at these two SJHS hospitals. However, the December 31, 2012 letter from Omnicell to Plaintiff makes clear that Omnicell “provides automated medication dispensing services on behalf of various healthcare providers, including” SJHS (now Inspira) and that in doing so, “Omnicell is entrusted with patient information.” (Ex. A to Pl.’s Am. Compl. [Doc. No. 12-1], 1-2.)

By filing this action, Plaintiff now “seeks to remedy the harmful effects of the breach of ... privacy interests of Plaintiff and the Class, the failure to timely and reasonably notify [Plaintiff and the Class] of such breach ..., and the misleading and deceptive notification sent on December 31, 2012.” (Id. ¶ 6.)

III. DISCUSSION

In general, Defendants now move to dismiss Plaintiffs complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction, 12(b)(2) for lack of personal jurisdiction, and 12(b)(6) for failure to state a claim upon which relief can be granted.

A. Standard for Dismissal Under Rule 12(b)(1)

A motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(1) challenges the existence of a federal court’s subject matter jurisdiction. “ ‘When subject matter jurisdiction is challenged under Rule 12(b)(1), the plaintiff must bear the burden of persuasion.’ ” Symczyk v. Genesis HealthCare Corp., 656 F.3d 189, 191 n. 4 (3d Cir.2011) (citing Kehr Packages, Inc. v. Fidelcor, Inc., 926 F.2d 1406, 1409 (3d Cir.1991)).

A motion to dismiss for lack of subject matter jurisdiction may either (1) “attack the complaint on its face” or (2) “attack the existence of subject matter jurisdiction in fact, quite apart from any pleadings.” Mortensen v. First Fed. Sav. & Loan Ass’n, 549 F.2d 884, 891 (3d Cir.1977). “The defendant may facially challenge subject matter jurisdiction by arguing that the complaint, on its face, does not allege sufficient grounds to establish subject matter jurisdiction.” D.G. v. Somerset Hills School Dist., 559 F.Supp.2d 484, 491 (D.N.J.2008). On a facial attack, “the court must consider the allegations of the complaint as true.” Mortensen, 549 F.2d at 891. “A defendant can also attack subject matter jurisdiction by factually challenging the jurisdictional allegations set forth in the complaint.” D.G., 559 F.Supp.2d at 491.

Upon a factual attack, by contrast, the court need not presume the truth of the allegations and “is free to weigh the evidence and satisfy itself as to the existence of its power to hear the case.” Mortensen, 549 F.2d at 891. Moreover, when considering a factual challenge to the Court’s jurisdiction under Rule 12(b)(1), the Court is “not confined to the allegations in the complaint ... and can look beyond the pleadings to decide factual matters relating to jurisdiction.” Cestonaro v. United States, 211 F.3d 749, 752 (3d Cir.2000) (citing Mortensen, 549 F.2d at 891). “The defendant may factually attack subject matter jurisdiction at any stage in the litigation, including before the answer has been filed.” D.G., 559 F.Supp.2d at 491.

In the present motions, several Defendants argue that Plaintiff lacks standing to bring her claims and thus the Court lacks subject matter jurisdiction over this case. Federal Rule of Civil Procedure 12(b)(1) governs a motion to dismiss for lack of standing, since “standing is a jurisdictional matter.” Ballentine v. United States, 486 F.3d 806, 810 (3d Cir.2007). Standing “is a threshold jurisdictional requirement, derived from the ‘case or controversy’ language of Article III of the Constitution.” Pub. Interest Research Grp. ofN.J., Inc. v. Magnesium Elektron, Inc., 123 F.3d 111, 117 (3d Cir.1997). A plaintiff must establish his or her standing to bring a case in order for the court to possess jurisdiction over his or her claim. Id.

To establish standing, Plaintiff must demonstrate that (1) she “suffered an injury in fact, an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural, or hypothetical”; (2) there is a “causal connection between the injury and the conduct complained of — the injury has to be fairly ... traceable to the challenged action of the defendant, and not ... the result of the independent action of some third party not before the court”; and (3) “that the injury will be redressed by a favorable decision.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992); see also Anjelino v. N.Y. Times Co., 200 F.3d 73, 88 (3d Cir.2000) (“Standing is established at the pleading stage by setting forth specific facts that indicate that the party has been injured in fact or that injury is imminent, that the challenged action is causally connected to the actual or imminent injury, and that the injury may be redressed by the cause of action.”)

B. Standard for Dismissal under Rule 12(b)(2)

Federal Rule of Civil Procedure 12(b)(2) provides for dismissal of an action when the Court does not have personal jurisdiction over a defendant. “Once challenged, the plaintiff bears the burden of establishing personal jurisdiction.” O’Connor v. Sandy Lane Hotel Co., Ltd., 496 F.3d 312, 316 (3d Cir.2007) (citing Gen. Elec. Co. v. Deutz AG, 270 F.3d 144, 150 (3d Cir.2001)). In deciding a motion to dismiss for lack of personal jurisdiction, the Court must “accept all of the plaintiffs allegations as true and construe disputed facts in favor of the plaintiff.” Carteret Sav. Bank v. Shushan, 954 F.2d 141, 142 n. 1 (3d Cir.), cert. denied, 506 U.S. 817, 113 S.Ct. 61, 121 L.Ed.2d 29 (1992) (citations omitted).

C. Standard for Dismissal under Rule 12(b)(6)

In considering a motion to dismiss a complaint for failure to state a claim upon which relief can be granted pursuant to Rule 12(b)(6), a court must accept all well-pleaded allegations in the complaint as true and view them in the light most favorable to the plaintiff. Evancho v. Fisher, 423 F.3d 347, 350 (3d Cir.2005). It is well settled that a pleading is sufficient if it contains “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2).

A district court, in weighing a motion to dismiss, asks “ ‘not whether a plaintiff will ultimately prevail but whether the claimant is entitled to offer evidence to support the claims[.]’ ” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 563 n. 8, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) (quoting Scheuer v. Rhodes, 416 U.S. 232, 236, 94 S.Ct. 1683, 40 L.Ed.2d 90 (1974)); see also Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 1953, 173 L.Ed.2d 868 (2009) (“Our decision in Twombly expounded the pleading standard for ‘all civil actions[.]’ ”) (citation omitted). First, under the Twombly/Iqbal standard, a district court “must accept all of the complaint’s well-pleaded facts as true, but may disregard any legal conclusions.” Fowler v. UPMC Shadyside, 578 F.8d 208, 210-11 (3d Cir.2009) (citing Iqbal, 129 S.Ct. at 1949).

Second, a district court “must then determine whether the facts alleged in the complaint are sufficient to show that the plaintiff has a ‘plausible claim for relief.’ ” Fowler, 578 F.3d at 211 (citing Iqbal, 129 S.Ct. at 1950). “[A] complaint must do more than allege the plaintiffs entitlement to relief.” Fowler, 578 F.3d at 211; see also Phillips v. County of Allegheny, 515 F.3d 224, 234 (3d Cir.2008) (“The Supreme Court’s Twombly formulation of the pleading standard can be summed up thus: ‘stating ... a claim requires a complaint with enough factual matter (taken as true) to suggest’ the required element. This ‘does not impose a probability requirement at the pleading stage,’ but instead ‘simply calls for enough facts to raise a reasonable expectation that discovery will reveal evidence of the necessary element.”) (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955). “The defendant bears the burden of showing that no claim has been presented.” Hedges v. U.S., 404 F.3d 744, 750 (3d Cir.2005).

IV. ANALYSIS

A. The Board of Regents’ Motion to Dismiss

The Board of Regents of the University of Michigan makes three arguments in support of its motion to dismiss Plaintiffs Amended Complaint. As a threshold issue, the Board of Regents argues that it is an arm of the state of Michigan entitled to Eleventh Amendment immunity which therefore bars Plaintiffs suit. (Br. in Supp. of Univ. of Mich.’s Mot. to Dismiss [Doc. No. 29-1] (hereinafter, “Regents’ Br.”) 6-7.) Moreover, the Board of Regents argues both that the Court lacks personal jurisdiction over the University of Michigan and that Plaintiff lacks standing to sue the University in this case. (Id. at 7-10.) Finally, the Board of Regents contends that none of the counts of Plaintiffs complaint state a claim upon which relief can be granted, and therefore they must be dismissed pursuant to Federal Rule of Civil Procedure 12(b)(6). (Id. at 10-16.)

The Eleventh Amendment provides that “[t]he Judicial power of the United States shall not be construed to extend to any suit in law or equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State.” U.S. CONST. AMEND. XI. Accordingly, the Supreme Court has made clear for over a century “that the Constitution does not provide for federal jurisdiction over suits against nonconsenting States.” Kimel v. Florida Bd. of Regents, 528 U.S. 62, 73, 120 S.Ct. 631, 145 L.Ed.2d 522 (2000).⁷

Unless Eleventh Amendment immunity has been waived by the state or abrogated by a federal statute, private parties who seek to impose liability which must be paid from public funds in the state treasury are barred by the Eleventh Amendment from bringing suit in federal court. Quern v. Jordan, 440 U.S. 332, 337, 99 S.Ct. 1139, 59 L.Ed.2d 358 (1979); see also Pa. Fed’n of Sportsmen’s Clubs, Inc. v. Hess, 297 F.3d 310, 323 (3d Cir.2002) (“the Eleventh Amendment ... has been interpreted to render states — and, by extension, state agencies and departments and officials when the state is the real party in interest — generally immune from suits by private parties in federal court”).

Here, the Board of Regents of the University of Michigan argues that it is an arm of the State of Michigan and as such it is entitled to Eleventh Amendment immunity from suit in federal court. (Regents’ Br. 6.) The Board of Regents further asserts none of the very limited exceptions⁸ to Eleventh Amendment immunity apply in this case because: (1) the Board of Regents has not consented to suit; (2) none of Plaintiffs claims are premised upon a statute which abrogates the Board of Regents’ immunity; and (3) Plaintiff is not seeking to enjoin a state official from engaging in future conduct.

The Third Circuit has acknowledged that “[t]he majority of cases addressing the question of Eleventh Amendment immunity for public colleges and universities have found such institutions to be arms of their respective states and thus immune from suit.” Kovats v. Rutgers, The State University, 822 F.2d 1303, 1312 (3d Cir.1987); see also U.S. ex rel. Diop v. Wayne Cnty. Cmty. College Dist., 242 F.Supp.2d 497, 526 (E.D.Mich.2003) (observing that “[s]tate universities and colleges almost always enjoy Eleventh Amendment immunity.”) In this case, the Court agrees with the Board of Regents that — as the body corporate for the University of Michigan — it is entitled to Eleventh Amendment immunity with respect to the claims alleged in Plaintiffs Amended Complaint because the Board of Regents (and therefore the University of Michigan itself) is an arm of the state.⁹

As the Board of Regents points out, the Court of Appeals for the Sixth Circuit has consistently found that the Board of Regents, and thus the University of Michigan, is an arm of the state of Michigan entitled to Eleventh Amendment immunity for claims brought in against it in federal court. See, e.g., Ali v. University of Michigan Health System-Risk Management, 523 Fed.Appx. 319, 320 (6th Cir.2013) (recognizing that “[t]he Board of Regents, as a state instrumentality, is entitled to Eleventh Amendment immunity from ... [state law] claims [seeking damages for medical malpractice and defamation] brought in federal court and has not waived that immunity, having raised it as a defense in its motion to dismiss.”); Dillon-Barber v. Regents of University of Michigan, 51 Fed.Appx. 946, 949 (6th Cir.2002) (acknowledging that plaintiffs ADA claims against the University for money damages must be dismissed because the University enjoys Eleventh Amendment immunity from such claims in federal court); Estate of Ritter by Ritter v. Univ. of Michigan, 851 F.2d 846, 848 (6th Cir.1988) (concluding, after examination of the relevant state law as to the relationship between the Board of Regents and the state of Michigan, that the Board of Regents is an arm of the state to which Eleventh Amendment immunity applies); Karmanos v. Baker, 816 F.2d 258, 259 n. 2 (6th Cir.1987) (“The U[niversity] of Michigan] defendants are immune from suit for damages in their official capacities under the Eleventh Amendment.”).¹⁰

Plaintiff opposes the Board of Regents’ motion arguing that “because the actions of the Regents violated ... Polanco’s and the Class’ constitutionally protected right to privacy, sovereign immunity does not apply” here. (Pl.’s Omnibus Response in Opp’n to the Pending Mots. To Dismiss [Doc. No. 40] (hereinafter, “PL’s Opp’n”) 43.) Although Plaintiff concedes that the first and third exceptions to Eleventh Amendment immunity set forth supra are not applicable here, (see id. at 44, n. 22), Plaintiff contends that the second exception, “which allows Congress to abrogate states’ sovereign immunity applies [to this case] because a state’s immunity will be abrogated when it has violated the United States Constitution.” (Id. at 44.)

According to Plaintiff, “if Congress can limit the sovereign immunity of states by statute, then a state’s sovereign immunity must be abrogated when [a state] violates the United States Constitution.” (Id.) Relying on this unsupported proposition, Plaintiff asserts that the Board of Regents is not entitled to Eleventh Amendment in this case because it allegedly violated her constitutional right of privacy, and that of the Class, when the Board of Regents allowed her PCI “to be maintained in an unsecure manner, then stored on an unsecure laptop without any encryption or other protection.” (Id. at 47.)

This argument is a red herring. Initially, a fair reading of Plaintiffs Amended Complaint demonstrates that it does not assert, in any manner, a Constitutional claim that any of the Defendants violated Plaintiffs Constitutional right of privacy, or those of the putative class. The Amended Complaint is completely devoid of any factual allegations that could be construed to allege such a claim, and it expressly limits Plaintiffs purported claims to those arising under state law for breaches of state security notification laws, violations of consumer fraud laws, fraud, negligence, and conspiracy. (See generally Am. Compl. ¶¶ 78-116.)

Moreover, to the extent that the Amended Complaint alleges such a Constitutional claim, the proper vehicle to bring a claim for the purported violation of one’s right to privacy, if at all, would be 42 U.S.C. § 1983. However, even if the Court were to construe Plaintiffs Amended Complaint to assert a Section 1983 claim, the Board of Regents would still be entitled to Eleventh Amendment immunity here. Section 1983 provides a civil remedy for the deprivation of rights established by the Constitution or federal law. Kaucher v. County of Bucks, 455 F.3d 418, 423 (3d Cir.2006). While Section 1983 allows for a federal forum to remedy many such claims, it does not create a forum for litigants who seek a remedy against a State for alleged deprivations of their civil rights. Will v. Michigan Dept. of State Police, 491 U.S. 58, 66, 109 S.Ct. 2304, 105 L.Ed.2d 45 (1989). The Supreme Court has previously found that Congress did not intend to rescind the States’ Eleventh Amendment immunity in enacting Section 1983. See Quern v. Jordan, 440 U.S. 332, 345, 99 S.Ct. 1139, 59 L.Ed.2d 358 (1979); see also Will, 491 U.S. at 66, 109 S.Ct. 2304 (“That Congress, in passing § 1983, had no intention to disturb the States’ Eleventh Amendment immunity and so to alter the federal-state balance in that respect was made clear in our decision in Quern.”). Therefore, even if Plaintiffs Amended Complaint alleged a Constitutional deprivation actionable under Section 1983, the Board of Regents’ Eleventh Amendment immunity would remain unaffected here.

Having concluded that the Board of Regents is entitled to Eleventh Amendment immunity here,¹¹ the Court will dismiss all of Plaintiffs claims against the Board of Regents without prejudice for lack of jurisdiction.¹²

B. Sentara’s Motion to Dismiss

Sentara makes three main arguments in support of its motion to dismiss Plaintiffs Amended Complaint in its entirety as brought against Sentara. Initially, pursuant to Rule 12(b)(1), Sentara challenges the Court’s subject matter jurisdiction to hear Plaintiffs claims asserting that Plaintiff does not have Article III standing because she has not suffered an injury that is traceable to conduct on the part of Sentara. (Mem. of Law in Supp. of Sentara’s Mot. to Dismiss [Doc. No. 28-1] (hereinafter, “Sentara’s Mem.”), 1-2.) Sentara further argues, pursuant to Rule 12(b)(2), that the Court lacks personal jurisdiction over Sentara, a Virginia-based hospital, which has no meaningful contacts with New Jersey. (Id. at 3.) Finally, Sentara challenges the sufficiency of Plaintiffs Amended Complaint pursuant to Rule 12(b)(6) for failure to state a claim upon which relief can be granted. (Id. at 2-3.)

Because Plaintiffs standing to bring a claim against Sentara is a threshold jurisdictional requirement, see Pub. Interest Research Grp., 123 F.3d at 117, the Court considers this argument at the outset. As set forth supra, there are three elements a plaintiff must establish in order to have Constitutional standing under Article III. “First, the plaintiff must suffer an injury-in-fact that is concrete and particularized and actual or imminent, as opposed to conjectural or hypothetical. Second, there must be a causal connection between the injury and the conduct complained of — the injury has to be ‘fairly ... trace[able] to the challenged action of the defendant, and not ... th[e] result [of] the independent action of some third party not before the court.’ ... Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Edmonson v. Lincoln Nat. Life Ins. Co., 725 F.3d 406, 415 (3d Cir.2013) (citations and internal quotations omitted).

Here, Sentara challenges the first two elements: whether Plaintiff suffered an injury-in-fact, and whether there is a causal connection between the alleged injury and Sentara’s conduct. Even assuming that Plaintiff were able to satisfy the first element of standing regarding her alleged injury,¹³ the Court finds that Plaintiff still lacks standing to bring claims against Sentara here because the facts alleged in the Amended Complaint fail to demonstrate any causal connection between the alleged injury and any conduct on the part of Sentara. Thus, Plaintiffs claims against Sentara must be dismissed for lack of subject matter jurisdiction.

As the Third Circuit has explained, “[t]he second requirement of Article III standing, causation, requires that ‘the alleged injury-in-fact is causally connected and traceable to an action of the defendant ].’ ” Edmonson, 725 F.3d at 418 (citing The Pitt News v. Fisher, 215 F.3d 354, 360 (3d Cir.2000); Lujan, 504 U.S. at 560, 112 S.Ct. 2130). The causation requirement of standing is “akin to ‘but for’ causation and ... the traceability requirement [can be] met even where the conduct in question might not have been a proximate cause of the harm, due to intervening events.” Edmonson, 725 F.3d at 418.

The fact “[t]hat a suit may be a class action ... adds nothing to the question of standing, for even named plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.’ ” Lewis v. Casey, 518 U.S. 343, 356, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996) (citations omitted). Moreover, “plaintiff may not maintain an action on behalf of a class against a specific defendant if the plaintiff is unable to assert an individual cause of action against that defendant[,]” “[w]hether for reasons of lack of standing ... or for lack of Rule 23(a)(3) typicality[.]” See Haas v. Pittsburgh Nat. Bank, 526 F.2d 1083, 1086 n. 18 (3d Cir.1975) (citations omitted).

Sentara argues that Plaintiff cannot meet this standard because she has not alleged any relationship with Sentara. (Sentara’s Mem. 7.) Sentara points out that the Amended Complaint alleges only that Plaintiff had a relationship with S JHA (and therefore, Inspira), but that Sentara is not related to either of these Defendants. (Id.) Moreover, Sentara contends that because Plaintiff fails to allege that she provided any of her PCI or her protected health information (“PHI”) to Sentara she cannot allege an injury traceable to Sentara, which is essentially a legal stranger to Plaintiff. (Id.)

A thorough review of the Amended Complaint makes clear that Plaintiff has failed to allege any specific conduct by Sentara that is “fairly traceable” to her alleged injury. The conduct of which Plaintiff primarily complains is the unsecured storage and subsequent loss of her PCI and PHI. This information was provided by Plaintiff directly to SJHS (and thus Inspira) during the course of obtaining medical treatment for her daughter. The information was then transmitted to Omnicell, and ultimately, while that information was in Omnicell’s possession, there was a data breach when a third-party stole the Omnicell laptop.

As alleged, the Amended Complaint demonstrates that Sentara was not involved in any way in this specific chain of events. Neither Plaintiff, nor her daughter, were ever patients of any Sentara hospital. Sentara never possessed Plaintiffs information in the first instance, and therefore could not have transmitted her Omnicell from which it was later compromised. The fact that similar information belonging to Sentara patients was allegedly on the same laptop is not sufficient to confer standing on Plaintiff with respect to Sentara’s conduct.¹⁴ The Amended Complaint simply fails to allege any direct contact between Plaintiff and Sentara that could have resulted in any purported injury to Plaintiff by Sentara’s conduct. The Court notes that Plaintiffs opposition does not address this specific argument by Sentara in any meaningful way, and it appears to the Court that Plaintiff concedes the lack of any relationship between her and Sentara.

In short, the Amended Complaint does not allege that Plaintiff provided her PCI or PHI to Sentara, or that Sentara, specifically, was in anyway involved in the loss of her information. In the absence of any direct contact between Plaintiff and Sentara, Plaintiff cannot show an injury that is traceable to Sentara’s conduct, and as a result Plaintiff lacks standing to sue Sentara. See Buetow v. A.L.S. Enterprises, Inc., 564 F.Supp.2d 1038, 1044-1046 (D.Minn.2008) (dismissing counts I — III of plaintiffs amended class action complaint as to defendants Bass Pro and Browning for lack of standing after finding that the complaint did not allege any direct contact between the named plaintiffs and these defendants and thus could not show an injury traceable to their conduct). In light of the Court’s finding that Plaintiff lacks standing to sue Sentara, the Court need not address Sentara’s remaining arguments as to the Court’s lack of personal jurisdiction and Plaintiffs failure to state a claim for which relief can be granted.

C. Defendants’ Arguments Regarding Plaintiffs Injury

Defendants Sentara, Inspira, and Omnicell each argue in their respective motions [Doc. Nos. 28, 30, 31] that Plaintiffs Amended Complaint should be dismissed for lack of subject matter jurisdiction because Plaintiff fails to adequately allege an injury-in-fact and thus lacks standing to bring her claims. (Sentara’s Mem. 11-14; Mem. of Law in Supp. of Mot. to Dismiss by SJHS and Inspira [Doc. No. 30-1] (hereinafter, “Inspira’s Mem.”), 4-11; Mem. of Law in Supp. of Def.’s Omnicell’s Mot. to Dismiss Pl.’s First Am. Class Action Compl. [Doc. No. 31-1] (hereinafter, “Omnicell Mem.”), 4.)¹⁵ Defendants contend that the only injury allege in the Amended Complaint consists of Plaintiffs “self-imposed ‘increased costs’ based on pure speculation” whereby Plaintiff sought treatment for her daughter at a different hospital, farther away, at an increased cost because she did not receive reassurance from Defendants that her PCI and PHI would be adequately secured from subsequent losses. (Sentara’s Mem. 13; see also Inspira’s Mem. 11) (“The only loss Polanco alleges, however, is for her travel costs to avoid potential future disclosure of her confidential information.”). Defendants assert that Plaintiffs purported injury comprises the “sort of speculative and manufactured damages prohibited” under Supreme Court and Third Circuit precedent. (Sentara’s Mem. 14.)

According to Defendants, “[a]t most, Polanco fears that, if she continued to take her daughter to [Inspira] hospitals, her or her daughter’s confidential information may be accessed by a thief who may steal [an Inspira] contractor’s laptop that may have her or her daughter’s confidential information on it that may be unencrypted.” (Inspira’s Mem. 5.) Defendants assert, “[b]ecause the damages that Polanco alleges were voluntarily incurred to avoid a speculative injury, she has failed to show standing for any of her common law claims.” (Id. at 10.) Defendants specifically point to Plaintiffs failure to allege that her PCI or PHI was actually read, reviewed, understood and misused for criminal purposes by the unknown third party who stole the laptop in question.

In support of their arguments that Plaintiffs Amended Complaint should be dismissed for lack of standing because she has not alleged a sufficient injury-in-fact, Defendants rely primarily on the Supreme Court’s opinion in Clapper v. Amnesty International USA, — U.S. —, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) and the Third Circuit’s opinion in Reilly v. Ceridian Corporation, 664 F.3d 38 (3d Cir.2011). As Defendants point out, in Clapper, the Supreme Court analyzed Article III standing, noting it has “repeatedly reiterated that ‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient.” 133 S.Ct. at 1147 (citations omitted). The Third Circuit similarly articulated in Reilly that “[ajllegations of ‘possible future injury’ are not sufficient to satisfy Article III.” 664 F.3d at 42. The Court’s review of Reilly and Clapper indicates that these two cases are controlling for purposes of evaluating Plaintiffs standing in the present action.¹⁶

Reilly is a data security breach case. Id. at 43. In Reilly, the defendant Ceridian Corporation was “a payroll processing firm” which collected “information about its customers’ employees” including their “names, addresses, social security numbers, dates of birth, and bank account information” in order to process the payrolls of its business customers. Id. at 40. In December of 2009, Ceridian suffered a security breach when an unidentified hacker infiltrated Ceridian’s systems and potentially gained access to personal and financial information of the plaintiffs and 27,000 other employees at 1,900 different businesses. Id. It was unknown to the parties “whether the hacker read, copied, or understood the data.” Id. The plaintiffs brought a class action suit alleging that they: “(1) ha[d] an increased risk of identity theft, (2) incurred costs to monitor their credit activity, and (3) suffered from emotional distress.” Id.

Ceridian moved to dismiss under Rules 12(b)(1) and 12(b)(6) for lack of standing and failure to state claim. Id. at 41. The district court granted Ceridian’s motion holding that the plaintiffs lacked Article III standing, and finding in the alternative that even if the plaintiffs had standing, they failed to adequately allege the damage, injury, and ascertainable loss elements of their claims. Id. On appeal, the Third Circuit affirmed the district court’s ruling that the plaintiffs lacked standing and thus did not reach the merits of the plaintiffs’ claims. Id. at 40-41.

The Third Circuit recognized that the plaintiffs’ contentions relied on “speculation that the hacker: (1) read, copied, and understood their personal information; (2) intend[ed] to commit future criminal acts by misusing the information; and (3) [was] able to use such information to the detriment of [the plaintiffs] by making unauthorized transactions in [their] names.” Id. at 42. The Third Circuit concluded that these “allegations of hypothetical, future injury [were] insufficient to establish standing” because the plaintiffs had “not yet suffered any injury” and would not suffer an injury “[u]nless and until [their] conjectures [came] true[.]” Id. The Third Circuit summed it up as follows: “there has been no misuse of the information, and thus, no harm.” Id.

The Circuit Court went on to note that “[i]n this increasingly digitized world, a number of courts have had occasion to decide whether the ‘risk of future harm’ posed by data security breaches confers standing on persons whose information may have been accessed[,]” but that “[m]ost courts [to consider the issue] have held that such plaintiffs lack standing because the harm is too speculative.” Id. at 43 (emphasis in original) (citations omitted). The Third Circuit explicitly “agree[d] with the holdings in those cases.” Id. Thus, where there is an absence of evidence suggesting that “the data ha[d] been — or w[ould] ever be — misused” the plaintiffs’ allegations of an increased risk of identity theft resulting from a security breach were insufficient to establish standing. Id.

In her opposition, Plaintiff essentially concedes that she has not alleged either: (1) any misuse of her PCI or PHI; or (2) that she is now at an increased risk for the misuse of her information in the future based on the theft of the laptop. (PL’s Opp’n 21.) She also expressly denies that she has any “ ‘fear’ [of] what the thief who allegedly stole the ■Omnicell laptop might do with her PHI and PCI[.]” (Id.) Instead, Plaintiff summarizes that her “claims involve the actual loss of personal property, the failure to secure such property going forward, and monies lost due to Inspira’s failure to fulfill its express promises made to Plaintiff.” (Id. at 27.)

Plaintiff attempts to argue that her “claim is different” than the data breach security cases cited and relied upon by Defendants. (Id.) Plaintiff asserts that unlike those cases, the Amended Complaint alleges “the actual loss of her PHI and PCI” which “revealed to [Plaintiff] the fact that Inspira is not HIPAA-complaint in handling her PHI and PCI.” (Id.) Plaintiff asserts that because of Inspira’s “refusal to acknowledge its failings, and to take steps to remedy such failings, she has sued to prevent any further dissemination of her PHI and PCI by Inspira, and to force Inspira and Omnicell to purge their files of her sensitive information (or to secure it going forward).”¹⁷ (Id.)

Plaintiffs arguments seeking to distinguish her case from the data breach security cases cited by Defendants based on the allege “loss” of her PCI and PHI are unpersuasive here.¹⁸ At the outset, Plaintiffs Amended Complaint makes only limited references to the purported “loss” of her information.¹⁹ Moreover, to the extent Plaintiff alleges that the injury she suffered here is the “loss” (or presumably, disclosure) of her information in violation of HIPAA and Defendants’ failure to secure her information going forward as required by HIPAA, the Court notes that HIPAA does not provide a private right of action to remedy HIPAA violations. See Mebuin v. United States, Nos. 12-7220, 13-0446, 2013 WL 5411145, at *9 (D.N.J. Sept. 25, 2013) (observing that “[ajlthough the Court of Appeals for the Third Circuit has not addressed the question, every other federal Circuit Court to consider the matter has found that HIPAA provides neither an express nor an implied private right of action to an aggrieved patient” with regard to the disclosure of confidential medical information) (citing cases).²⁰

The ability to bring an enforcement action to remedy HIPAA violations, and ensure that a healthcare provider is HIPAA complaint, lies within the exclusive province of the Secretary of Health and Human Services, not the hands of private citizens. Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006) (“HIPAA limits enforcement of the statute to the Secretary of Health and Human Services.”) Accordingly, to the extent Plaintiff contends that her injury — for purposes of conferring standing — is the alleged loss of her information in violation of HIPAA and the failure to secure such information going forward, the Court rejects that argument. Because Plaintiff cannot assert a private right of action with respect to any alleged violations of HIPAA by Defendants, Plaintiff cannot claim any deprivation, and consequently, cannot establish a “concrete and particularized” injury sufficient to confer standing here related to the “loss” of her PCI and PHI.

More importantly though, Plaintiffs assertions in the Amended Complaint and in her opposition that her PCI and PHI were “lost” are directly contradicted by the December 31, 2012 letter from Omnicell, attached as Exhibit A to the Amended Complaint. (Ex. A to PL’s Am. Compl. [Doc. No. 12-1], 1-2.) In that letter, Omnicell explicitly confirms that “[t]he patient’s medical records were not on the device [i.e., the laptop], and that the patient’s medical information has not been lost.” (Id. at 2) (emphasis added). Omnicell’s letter goes on to state that there is “no reason to believe that the device was taken for the information it contained, or that the information has been accessed or used improperly.” (Id.) Thus, to the extent Plaintiff claims that the injury she suffered was the “loss” of her information, her allegations of “loss” are belied by the representations made in the December 31, 2012 letter.

In general, the Amended Complaint sets forth only broad and conclusory allegations of harm that fail to satisfy Plaintiffs burden to demonstrate that she suffered an invasion of a legally protected interest which is both “concrete and particularized” — meaning she was injured in a personal and individual way — and “actual or imminent” as opposed to conjectural and hypothetical. (See, e.g., Am. Compl. ¶ 6 (asserting that Plaintiffs suit “seeks to remedy the harmful effects” related to the “loss” of her PCI without specifying any such “harm”); id. ¶ 13 (alleging that “Plaintiff suffered direct injury and damages as a result of the data breach and compromise of her PCI” without describing the nature of this “direct injury”); id. ¶ 74 (contending that “Plaintiff and members of the Class have all suffered, and will continue to suffer, harm and damages as a result of the Defendant’ unlawful and wrongful conduct” without any factual support)).

In her opposition, Plaintiff seemingly relies on Defendants’ purported breaches of various statutes in support of her argument that she has suffered an injury-in-fact. (See PL’s Opp’n 21-23 (alleging a variety of violations of state and federal statutes with respect to security of data and notification requirements when data is compromised)). However, merely asserting violations of certain statutes is not sufficient to demonstrate an injury-in-fact for purposes of establishing standing under Article III, and the Court rejects Plaintiffs assertions on this point. See Doe v. Nat’l Bd. of Med. Exam’rs, 199 F.3d 146, 153 (3d Cir.1999) (observing that it is “incorrect” to “equate[ ] a violation of a statute with an injury sufficient to confer standing” and explaining that “[t]he proper analysis of standing focuses on whether the plaintiff suffered an actual injury, not on whether a statute was violated.”).

Arguably, the only harm that Plaintiff alleges in the Amended Complaint is that she incurred unspecified increased out-of-pocket expenses in seeking treatment for her daughter at medical facilities other than Defendants’ because she was “unwilling to return to” SJHS and Inspira “until such time as per PCI is secure, her rights under [HIPAA] are protected, and the deficiencies that led to the November 14 [sic] incident have been corrected to her satisfaction.” (Am. Compl. ¶ 12; see also id. ¶¶ 49-50; PL’s Opp’n 13 (asserting that Plaintiff “suffered further losses of money in taking prudent steps to respond to Inspira’s disclosure of its HIPAA violations and refusal to comply with HIPAA going forward” by “prudently ... [choosing] to not go to a hospital that is not HIPAAcomplaint for emergency care” and instead “reasonably [seeking] treatment for her daughter at HIPAA-complaint hospitals, albeit at great expense of time and money[.]”)).

Important for purposes of the present motion, the Third Circuit expressly determined in Reilly that the “alleged time and money expenditures [of the plaintiffs] to monitor their financial information [did] not establish standing ... because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the allege ‘increased risk of injury’ which form[ed] the basis for” the plaintiffs’ claims. 664 F.3d at 46. “That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury.” Id.

Here, while Plaintiff has incurred these expenses in seeking treatment for her daughter at what she terms “HIPAA-complaint” hospitals, rather than at Defendants’ medical facilities, she has not done so as a result of any actual injury such as the misuse of her PCI or PHI, or medical insurance fraud of some kind by a third-party. Much like the Plaintiffs in Reilly, Plaintiff has “prophylactically spent money to ease [her] fears of [a] future” “loss” of her PCI and PHI by a “HIPAA-noncompliant”²¹ medical facility and therefore made an independent decision to seek treatment elsewhere. See 664 F.3d at 46. Plaintiffs decision to do so was based entirely on her speculative belief that her PCI or PHI would be “lost” again by Defendants.²² Therefore, her assertion is one that claims injury for expenses incurred in anticipation of future harm, and is not sufficient for purposes of establishing Article III standing. See Reilly, 664 F.3d at 46; see also Clapper, 133 S.Ct. at 1151 (rejecting plaintiffs’ contention “that they have standing because they incurred certain costs as a reasonable reaction to a risk of harm” where district court found standing based on travel expenses incurred to avoid such a future risk).²³

Despite her attempts to argue otherwise,²⁴ for the reasons set forth above, it is clear that Plaintiff has not alleged an injury sufficient to confer standing here, and accordingly her Amended Complaint must be dismissed without prejudice²⁵ in its entirety. Having dismissed the Amended Complaint for lack of standing, the Court need not address Defendants’ further arguments regarding the sufficiency of Plaintiffs Amended Complaint under Rule 12(b)(6).

V. CONCLUSION

For the reasons set forth herein, Defendants’ motions [Doc. Nos. 28, 29, 30, 31] are granted. An Order consistent with this Opinion will be entered.

ORDER

For the reasons set forth in the Court’s Opinion entered on this date,

IT IS HEREBY ORDERED this 26th of December, 2013, that Defendants’ motions [Doc. Nos. 28, 29, 30, 31] seeking to dismiss Plaintiffs First Amended Class Action Complaint [Doc. No. 12] shall be, and hereby are, GRANTED; and it is further

ORDERED that Plaintiffs Amended Class Action Complaint shall be, and hereby is, DISMISSED WITHOUT PREJUDICE, in its entirety; and it is further

ORDERED that the Clerk is directed to mark this matter as CLOSED.

1 . Section 1332(d)(2)(A) provides in pertinent part that "[t]he district courts shall have original jurisdiction of any civil action in which the matter in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class action in which ... any member of a class of plaintiffs is a citizen of a State different from any defendant.” 28 U.S.C. § 1332(d)(2)(A).

2 . Plaintiff's count for conspiracy is misnumbered in the Amended Complaint as Count IV, rather than Count V. The Court will refer to this this conspiracy count as Count V for the sake of clarity.

3 .To the extent Plaintiff’s Amended Complaint makes allegations against the University of Michigan Health System ("UMHS”) or alleges conduct on the part of UMHS or its hospitals, the Court recognizes that UMHS and its hospitals are considered to be "adjunct of the medical department of the University, which is a state educational instrumentality maintained by the public at public expense, controlled and operated by the Board of Regents!)]” Robinson v. Washtenaw Circuit Judge, 228 Mich. 225, 199 N.W. 618, 620 (1924). Accordingly, “any suit intended to be brought against any part of the University of Michigan hospitals or health system must be brought against the Board of Regents of the University of Michigan.” Ali v. University of Michigan Health System-Risk Management, No. 11-13913, 2012 WL 3112419, at *3 (E.D.Mich. May 4, 2012), aff'd, 523 Fed.Appx. 319 (6th Cir.2013).

Therefore any and all references to the University of Michigan or UMHS in this opinion shall be construed to refer instead to the Board of Regents.

4 . In light of the status of these entities after the merger, the Court will refer to these Defendants collectively as Inspira. When referring to facts that predate the merger, the Court will refer to SJHS, but that reference will only be for purposes of clarity, as SJHS is no longer a separate entity from Inspira.

5 . Plaintiff’s proposed class includes "all individuals who had their PCI stolen from the electronic device issued to the Omnicell employee on the evening of November 14, 2012.” (Am. Compl. ¶ 66.)

6 . Plaintiff represents that it is "not known exactly all of the PCI that was included on the laptop” and alleges that the following categories of PCI were also provided to Defendants by Plaintiff and putative class members;

a. the names of patients, their relatives, and the parties responsible for payment of medical expenses;

b. their addresses (including email addresses);

c. their phone numbers (including unlisted phone numbers);

d. their Social Security numbers;

e. their financial account information (including banking, credit cards, and other financial account numbers);

f. their employer and income information; and

g. health information about their medical care and treatment at medical facilities covered by Health Insurance Portability and Accountability Act of 1996.

(Am. Compl. ¶ 3.)

To the extent Plaintiff seeks to allege that addresses, telephone numbers, Social Security numbers, financial account information, and employer and income information may have been contained on the laptop in question and thus compromised in some yet unknown manner, the December 31, 2012 letter from Omnicell attached to the Amended Complaint directly contradicts such allegations. (See Ex. A to PL’s Am. Compl. [Doc. No. 12-1], 2) ("Also, the patient's financial information, bank account information, Social Security number, and insurance information were not on the device.”) Accordingly, the Court need not accept such purported allegations as true. See, e.g., Kates v. King, 487 Fed.Appx. 704, 706 (3d Cir.2012) (upholding dismissal for failure to state a claim where documents attached to complaint contradicted plaintiff’s claims); Jeffrey Rapaport M.D., P.A. v. Robin S. Weingast & Assocs., Inc., 859 F.Supp.2d 706, 714 (D.N.J.2012) (" 'When allegations contained in a complaint are contradicted by the document it cites, the document controls.’ ”)

7 . The Third Circuit has recognized that because “the Eleventh Amendment is a jurisdictional bar which deprives federal courts of subject matter jurisdiction[,]” a motion to dismiss based on Eleventh Amendment immunity is properly considered under Federal Rule of Civil Procedure 12(b)(1). Blanciak v. Allegheny Ludlum Corp., 77 F.3d 690, 693 n. 2 (3d Cir.1996) (citing Pennhurst State School & Hosp. v. Halderman, 465 U.S. 89, 98-100, 104 S.Ct. 900, 79 L.Ed.2d 67 (1984)).

8 . "Eleventh Amendment immunity is subject to three exceptions: 1) congressional abrogation, 2) state waiver, and 3) suits against individual state officers for prospective relief to end an ongoing violation of federal law.” MCI Telecommunication Corp. v. Bell Atlantic Pennsylvania, 271 F.3d 491, 503 (3d Cir.2001).

9 . To determine whether a particular entity, such as a university, should be considered a state instrumentality and thus be entitled to share in the state's Eleventh Amendment immunity the Third Circuit utilizes a nine factor inquiry which requires the Court to examine the following:

[Ljocal law and decisions defining the status and nature of the agency involved in its relation to the sovereign are factors to be considered, but only one of a number that are of significance. Among the other factors, no one of which is conclusive, perhaps the most important is whether, in the event plaintiff prevails, the payment of the judgment will have to be made out of the state treasury; significant here also is whether the agency has the funds or the power to satisfy the judgment. Other relevant factors are whether the agency is performing a governmental or proprietary function; whether it has been separately incorporated; the degree of autonomy over its operations; whether it has the power to sue and be sued and to enter into contracts; whether its property is immune from state taxation, and whether the sovereign has immunized itself from responsibility for the agency’s operations.

Kovats v. Rutgers, The State University, 822 F.2d 1303, 1307 (3d Cir.1987) (citations omitted).

With respect to the University of Michigan, the Sixth Circuit examined several of these same factors in Ritter. 851 F.2d at 848-851. The Sixth Circuit has recognized that any judgment against the Board of Regents would be paid out of the Michigan state treasury, that the University is a department of state government created by the state constitution to carry out state functions, and that its property is held in trust as public property of the state of Michigan. Id. Accordingly, the Sixth Circuit determined that the Board of Regents and the University are an arm of the state entitled to Eleventh Amendment Immunity.

10 . Several federal district courts in Michigan have reached the same conclusion. See, e.g., Ali v. University of Michigan Health System-Risk Management, No. 11-13913, 2012 WL 3112419, at *3-4 (E.D.Mich. May 4, 2012), aff'd, 523 Fed.Appx. 319 (6th Cir.2013) (finding that the Board of Regents was entitled to Eleventh Amendment immunity on plaintiff’s claims for money damages); Ewing v. Board of Regents of the University of Michigan, 552 F.Supp. 881, 883 (E.D.Mich.1982) (concluding that the University of Michigan is "a state instrumentality entitled to Eleventh Amendment immunity.”); cf. Platt v. University of Mich., No. 2:09-CV-10886, 2010 WL 1286487, at *10-11 (E.D.Mich. Mar. 3, 2010) (observing that while not applicable to plaintiff’s claims under Title VII, ”[o]rdinarily, ... claims against defendant University of Michigan, an arm of the state, would be barred by the Eleventh Amendment”).

11 . Having dismissed all claims against the Board of Regents on the basis of Eleventh Amendment immunity, the Court need not address the Board of Regents alternative arguments regarding personal jurisdiction, Plaintiff's standing, or whether Plaintiff has sufficiently stated a claim upon which relief can be granted.

12 . A "District Court’s dismissal for lack of subject matter jurisdiction [is] by definition without prejudice.” New Jersey Physicians, Inc. v. President of U.S., 653 F.3d 234, 241 n. 8 (3d Cir.2011) (citing Figueroa v. Buccaneer Hotel Inc., 188 F.3d 172, 182 (3d Cir.1999) (recognizing that “a dismissal for lack of subject matter jurisdiction is not an adjudication on the merits and thus should be ordered ‘without prejudice.' ”)).

13 . The Court addresses the sufficiency of Plaintiff’s alleged injury infra in response to similar arguments made by Sentara, Inspira, and Omnicell.

14 . Plaintiff is required to establish standing with respect to each separate Defendant named in this suit, and she cannot rely on conduct by Sentara that relates to unidentified, potential class members. See Haas, 526 F.2d at 1096 n. 18.

15 . Omnicell's memorandum of law in support of its motion purports to "join in and incorporate[] by reference the standing arguments raised in” Senlara’s memorandum and Inspira’s memorandum. (Omnicell's Mem. 4.) Accordingly, the Court provides no further citation to Omnicell's memorandum on the issue of standing and relies on the arguments proffered by Sentara and Inspira in this deciding this issue.

16 . As set forth infra, the Court is not persuaded by Plaintiffs attempt to argue that her case is not a data security breach case and is thus different from the cases Defendants rely on to argue her lack of an injury.

17 . Plaintiff concedes that she has not suffered an injury with respect to the misuse of her information, and the portion of Plaintiff opposition highlighted here demonstrates rather clearly that Plaintiff is seeking to prevent future harm, i.e., "further dissemination” of her information and to secure her information "going forward,”

18 . Plaintiff opposition also asserts similar allegations that her information was "stored in an unsecured manner in contravention of HIPPA.” (Pl.’s Opp’n 26.)

19 . (See, e.g., Am. Compl. ¶ 46) (asserting that Omnicell’s December 31, 2012 notice letter "failed to advise Plaintiff and the Class about the material information concerning the loss of their PCI such as how and why an Omnicell employee came to have in his possession, outside a medical facility, an Omnicell laptop computer containing PCI of Plaintiff and the Class; how and why the PCI was unencrypted, in violation of the Health Insurance Portability and Accountability Act of 1996; and what concrete steps were being taken by all Defendants to secure existing PCI to ensure that the PCI of Plaintiff and the Class was not compromised in the future.”); (Id. ¶ 49) (alleging that "because she has received no reassurance from the Defendants that they are taking the necessary steps to ensure that her PCI is safe from subsequent loss by the Defendants and unauthorized access, Plaintiff has opted to seek treatment for her daughter from hospitals that are not a part of SJHS [Inspira], For example, on January 23, 2013, as a direct result of the loss of her PCI by SJHS [Inspira], Mrs. Polanco took her daughter to The Memorial Hospital of Salem County in Salem, New Jersey, as opposed to” the Inspira hospital located by her home.)

20 .The district court in Mebuin cited the following cases from the federal Circuit Courts of Appeals and other district courts within the District of New Jersey in support of the proposition that HIPAA does not provide a plaintiff with a private right of action. See, e.g., Carpenter v. Phillips, 419 Fed.Appx. 658, 659 (7th Cir.2011); Dodd v. Jones, 623 F.3d 563, 569 (8th Cir.2010); Wilkerson v. Shinseki, 606 F.3d 1256, 1267 n. 4 (10th Cir.2010); Miller v. Nichols, 586 F.3d 53, 59 (1st Cir.2009); Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1081 (9th Cir.2007); Sweeney v. Department of Homeland Security, 248 Fed.Appx. 179, 181 (Fed.Cir.2007); Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006); Carter v. Buttonwood Hosp., No. 12-6504, 2013 WL 211108, at *5 (D.N.J. Jan. 17, 2013); Hove v. Cleary, No. 10-1876, 2011 WL 2223760, *6-7 (D.N.J. June 6, 2011); L.S. v. Mount Olive Bd. of Educ., 765 F.Supp.2d 648, 664 (D.N.J.2011); Merling v. Horizon Blue Cross Blue Shield of New Jersey, No. 04-4026, 2009 WL 2382319, at *4 n. 1 (D.N.J. July 31, 2009).

21 . Nothing in this Opinion should be construed as a finding by the Court with regard to any of Defendants' compliance, or lack thereof, with HIPAA. That issue is not before the Court on this motion, and the Court makes no findings in that regard.

22 . To the extent Plaintiff argues that seeking treatment elsewhere was not a choice, was not voluntary on her part, and was not based speculation about the security of her information, these arguments are disingenuous. Plaintiff essentially claims that she had no choice because she was not reassured that her information would be secure if she sought treatment for her daughter at Defendants’ facilities.

However, OmmceH's December 31, 2012 letter clearly indicates that "Omnicell is taking steps to improve its security program and practices in response to this incident. We have assured South Jersey Hospital that we have taken steps, including technology changes and re-education of our employees, to assure that no patient information is stored on unsecured electronic devices in the future.” (Ex. A to Pl.'s Am. Compl. [Doc. No. 12-1], 2.) Omnicell further provided Plaintiff with a number to call to obtain more information or to answer any questions Plaintiff might have had about the future security of her information. {Id..)

As Defendants point out, the Amended Complaint makes no allegations that Plaintiff sought any reassurance or clarification regarding these steps as instructed by the letter before seeking treatment for her daughter elsewhere. Thus, it not accurate for Plaintiff to argue that she had no choice and was not acting on the basis of her on speculated beliefs. Allegations that Plaintiff inquired further into the security of her information, learned that it was not secure, and acted as a result might not be considered speculative. Here, however, there are no such allegations in the Amended Complaint.

23 .This finding by the Court should not be interpreted as a comment on the reasonableness of Plaintiff's actions in seeking necessary medical treatment for her sick child. The reasonableness of her actions in that regard is not at issue here. What is at issue is whether those actions constitute the type of injury contemplated by Article III for purposes of standing. Based on the pronouncements of the Supreme Court in Clapper and the Third Circuit in Reilly, this Court concludes that it does not.

24 . Plaintiff attempts to rely on the New Jersey Consumer Fraud Act ("CFA”) to argue that Defendants' alleged HIPAA violations with respect to the “loss” of her information constitute an unconscionable commercial practice in violation of the CFA. Plaintiff cites no case law in support of that proposition, and the Court’s research reveals no case where any state or federal court in New Jersey interpreted the CFA to serve as a backdoor remedy for HIPAA violations.

25 . While Defendants seek the dismissal of Plaintiff's Amended Complaint with prejudice, the Court is dismissing for lack of standing under Rule 12(b)(1), and therefore the dismissal must be without prejudice since it is one for lack of subject matter jurisdiction. See New Jersey Physicians, Inc., 653 F.3d at 241 n. 8.