UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS
CIVIL ACTION NO. 22-cv-10797
ALEXSIS WEBB and MARSCLETTE CHARLEY, on behalf of themselves and all others similarly situated
v.
INJURED WORKERS PHARMACY, LLC
MEMORANDUM AND ORDER ON DEFENDANT’S RENEWED AND SUPPLEMENTED MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM
September 11, 2023
STEARNS, D.J.
Plaintiffs Alexsis Webb and Marsclette Charley filed this putative class action against defendant Injured Workers Pharmacy (IWP) for alleged injuries arising out of a data breach that compromised the personally identifiable information (PII) of over 75,700 customers. The Complaint consists of six state law counts: negligence, negligence per se,1 breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty. IWP moves to dismiss all claims for failure to state a claim
1 Plaintiffs voluntarily dismissed their negligence per se claim without prejudice. See Pls.’ Opp’n to Def.’s Mot. to Dismiss (Dkt. # 22) at 15 n.2; Pls.’ Opp’n to Def.’s Renewed Mot. to Dismiss (Dkt. # 38) at 1 n.1, 3 n.3. upon which relief can be granted pursuant to Fed. R. Civ. P. 12(b)(6). In the alternative, IWP moves to strike certain allegations from the Complaint
under Fed. R. Civ. P. R. 12(f).2 For the reasons below, the court will allow in part and deny in part IWP’s motion. BACKGROUND Accepting all well-pleaded facts as true, the relevant facts are as
follows. In January of 2021, hackers – whose identities remain unknown – breached the patient records system of IWP, a pharmaceutical home delivery service. The patient records system contained patients’ credit-card
information, Social Security numbers, dates of birth, medical information, and Medicare and Medicaid identification numbers. IWP did not discover the breach until May of 2021. IWP did not notify affected customers of the breach until February of 2022. Both Ms. Webb, a former IWP customer, and
Ms. Charley, a current IWP customer, had PII in IWP’s custody that was compromised by the breach. After learning of the breach, Mses. Webb and Charley claim to have suffered anxiety, sleep disruption, stress, and fear, and
2 IWP previously moved to dismiss the Complaint, and the court allowed the motion, finding that plaintiffs lacked Article III standing. See Webb v. Injured Workers Pharmacy, LLC, 2022 WL 10483751, at *2 (D. Mass. Oct. 17, 2022). The First Circuit Court of Appeals affirmed in part, reversed in part, and remanded for further proceedings. See Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023). spent time and effort monitoring their accounts. Compl. (Dkt. # 1) ¶¶ 56, 86, 97. Ms. Webb also alleges that she spent hours on the phone with the
Internal Revenue Service resolving a fraudulent 2021 tax return filed by an unknown third party. Id. ¶ 88. Both plaintiffs allege that they suffered “damages to and diminution in the value of [their] PII,” which they allege has a monetary value of at least $1,000 for scammers on the dark web. Id. ¶¶ 57-
58, 91, 99. DISCUSSION “To survive a motion to dismiss, [plaintiffs’] complaint ‘must contain
sufficient factual matter . . . to state a claim that is plausible on its face.’” Saldivar v. Racine, 818 F.3d 14, 18 (1st Cir. 2016), quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (second alteration in original). “[T]he Court may look only to the facts alleged in the pleadings, documents attached as exhibits
or incorporated by reference in the complaint and matters of which judicial notice can be taken.” Clean Water Action v. Searles Auto Recycling, Corp., 288 F. Supp. 3d 477, 480 (D. Mass. 2018). The analysis is “whether the well- pleaded factual allegations, viewed in the light most favorable to the plaintiff,
state a claim for which relief can be granted.” Germanowski v. Harris, 854 F.3d 68, 71 (1st Cir. 2017). “If the facts articulated in the complaint are ‘too meager, vague, or conclusory to remove the possibility of relief from the realm of mere conjecture,’ the complaint is vulnerable to a motion to dismiss.” In re Curran, 855 F.3d 19, 25 (1st Cir. 2017), quoting SEC v.
Tambone, 597 F.3d 436, 442 (1st Cir. 2010). Count I – Negligence Under Massachusetts law, “[t]he elements of a negligence claim are that ‘the defendant owed the plaintiff a duty of reasonable care, that the
defendant breached this duty, that damage resulted, and that there was a causal relation between the breach of the duty and the damage.’” Correa v. Schoeck, 479 Mass. 686, 693 (2018), quoting Jupin v. Kask, 447 Mass. 141,
146 (2006). “To state a claim for negligence, a plaintiff typically must allege damages beyond pure economic loss, as ‘purely economic losses are unrecoverable . . . in the absence of personal injury or property damage.’” Zoll Med. Corp. v. Barracuda Networks, Inc., 565 F. Supp. 3d 101, 106 (D.
Mass. 2021), quoting FMR Corp. v. Boston Edison Co., 415 Mass. 393, 395 (1993) (alteration in original). “[T]he economic loss rule is ‘founded on the theory that parties to a contract may allocate their risks by agreement and do not need the special protections of tort law.’” Arthur D. Little Int’l, Inc. v.
Dooyang Corp., 928 F. Supp. 1189, 1202 (D. Mass. 1996), quoting South Carolina Elec. & Gas Co. v. Westinghouse Elec. Corp., 826 F. Supp. 1549, 1557 (D.S.C. 1993). Plaintiffs plausibly allege a negligence claim. The Complaint alleges that IWP owed plaintiffs a duty of reasonable care to protect their PII and
that IWP breached this duty by failing to implement proper safeguards to protect against a data breach.3 The Complaint lists publicly available “best practices” to prevent and detect cyberattacks published by the federal government, the US Cybersecurity & Infrastructure Security Agency, and the
Microsoft Threat Protection Intelligence Team. Compl. ¶¶ 49-51. These best practices plausibly establish that IWP’s security procedures were deficient, permitting an inference that it breached its duty of care.
The Complaint also plausibly alleges that the data breach and the resulting injuries to plaintiffs were foreseeable results of IWP’s failure to implement sufficient security safeguards, and that but for IWP’s failure, plaintiffs would not have been harmed. The Complaint notes that several
contemporaneous high-profile data breaches should have sufficed to put IWP on notice of the risks and consequences of its failure to adequately safeguard sensitive customer PII. Id. ¶¶ 46-48. Plaintiffs also allege that as
3 The Complaint does not successfully allege that IWP had a duty to inform plaintiffs of the “scope, nature, and occurrence” of the data breach. Compl. ¶ 112. The Complaint contains no factual allegations to support this duty, other than the bare assertion that the duty is “required and necessary.” Id. This is merely “a legal conclusion couched as a factual allegation,” which the court will not accept. Pappasan v. Allain, 478 U.S. 265, 286 (1986). a direct and foreseeable result of IWP’s failure to implement proper security measures, plaintiffs have suffered damages. E.g., id. ¶¶ 118-119. IWP does
not contest the sufficiency of this allegation, and causation is a fact-intensive question that the court cannot resolve at the pleading stage of the litigation. See Jupin, 447 Mass. at 146 (“[W]hether the defendant’s breach and the damage were causally related” is in “the special province of the jury.”).
In marshalling their alleged harms, plaintiffs state that: (1) they have “spent considerable time and effort monitoring [their] accounts to protect [themselves] from additional identity theft”; (2) they suffer from some
combination of feelings of rage, anxiety, fear, sleep disruption, stress, and physical pain; (3) they have suffered “damages to and diminution in the value of [their] PII”; (4) an unauthorized user used Ms. Webb’s PII, including her name and Social Security Number, in an unspecified manner;
(5) an “unknown and unauthorized third-party” filed a 2021 tax return using Ms. Webb’s name, causing her to spend “considerable time” communicating with the IRS; and (6) plaintiffs “remain at a continued risk of harm due to the exposure and potential misuse of their personal data by criminal
hackers.” Compl. ¶¶ 82-101. These factual allegations of harm taken together limn a plausible case that plaintiffs were harmed by IWP’s breach of its duty. Finally, plaintiffs’ negligence claim is not barred by the economic loss doctrine. Although precedential cases almost uniformly hold that only a
tangible physical injury to person or property can overcome the economic loss doctrine’s bar, see, e.g., In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498-499 (1st Cir. 2009); Garweth Corp. v. Boston Edison Co., 415 Mass. 303, 305 (1993), other (non-precedential) cases have held that the
“personal injury” can be satisfied by a claim of emotional distress, see McCormick v. Lischynsky, 2019 WL 3429242, at *5 (D. Mass. July 30, 2019).4 Here, at the pleading stage, plaintiffs have alleged sufficient non-
monetary harm, including palpable emotional distress, sufficient to satisfy the “personal injury” exception to the economic loss doctrine. See Maio v. TD Bank, N.A., 2023 WL 2465799, at *4 (D. Mass. Mar. 10, 2023) (allegations of “lost sleep, anxiety, and depression” were sufficient to
overcome motion to dismiss negligence claim on economic loss doctrine grounds). Count II – Negligence Per Se Massachusetts does not recognize negligence per se, meaning that a
violation of a statute “does not create a duty in a plaintiff where one does not
4 The United States Supreme Court has suggested the same, although without deciding the issue. See TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2211 & n.7 (2021) exist independently.” Lev v. Beverly Enters.-Massachusetts, Inc., 457 Mass. 234, 245 (2010), quoting Goulart v. Canton Hous. Auth., 57 Mass. App. Ct.
440, 444 (2003). Instead, “[i]t is only where a duty of care exists that the violation of a statute, ordinance, regulation, or policy is relevant because it constitutes some evidence of a defendant’s negligence. The violation does not constitute negligence per se.” Id. As previously noted, plaintiffs have
voluntarily dismissed their negligence per se claim without prejudice. Because Massachusetts does not recognize negligence per se as a matter of law, Count II will be dismissed with prejudice.
Count III – Breach of Implied Contract An implied contract “may be inferred from (1) the conduct of the parties and (2) the relationship of the parties.” T.F. v. B.L., 442 Mass. 522, 526-527 (2004); see also Sullivan v. O’Connor, 81 Mass. App. Ct. 200, 212-
213 (2009) (implicit contract existed obligating homeowners to pay homeowner association assessments where owners had actual knowledge of the association, “paid the semiannual assessments for six consecutive years, and consistently availed themselves of the services provided by the
association”). The Complaint alleges that: (1) IWP required its patients to provide PII to acquire its services; (2) plaintiffs believed IWP would protect their PII; (3) IWP “impliedly promised to maintain safeguards to protect its patients’ PII”; and (4) IWP impliedly promised to provide individuals whose PII it
possessed “with prompt and adequate notice of all unauthorized access or theft of their PII.” Compl. ¶¶ 23, 83-84, 95, 131-132, 135-136. These allegations are insufficient to support the plausible existence of an implied contract between plaintiffs and IWP.
While the Complaint adequately alleges that plaintiffs had a good faith belief that their PII would be protected by IWP, there is no allegation that IWP agreed — explicitly or implicitly — to provide such protection.5 The
factual allegations plaintiffs lay out in support of the existence of such a contract consist exclusively of post-breach assurances given by IWP (one year after the breach) that it was in the process of implementing the very security measures that plaintiffs contend should have been put in place well
5 The Complaint does allege that IWP “agreed it would not disclose the PII it collects from patients to unauthorized persons.” Compl. ¶ 132. However, the Complaint does not specify whether IWP offered this assurance before or after the data breach occurred. If given before, the assurance, standing alone, is “too meager, vague, [and] conclusory to remove the possibility of relief from the realm of mere conjecture.” Tambone, 597 F.3d at 442. And if offered after the breach, it cannot form the basis of a pre- breach implicit contract. before the breach occurred. As such, they have no value in any assessment of whether a contract existed at the time that plaintiffs allege.6
Count IV – Unjust Enrichment “Unjust enrichment is defined as ‘retention of money or property of another against the fundamental principles of justice or equity and good conscience.’” Santagate v. Tower, 64 Mass. App. Ct. 324, 329 (2005),
quoting Taylor Woodrow Blitman Constr. Corp. v. Southfield Gardens Co., 534 F. Supp. 340, 347 (D. Mass. 1982). “A plaintiff asserting a claim for unjust enrichment must establish not only that the defendant received a
benefit, but also that such a benefit was unjust, ‘a quality that turns on the reasonable expectations of the parties.’” Metro. Life Ins. Co. v. Cotter, 464 Mass. 623, 644 (2013), quoting Glob. Inv. Agent Corp. v. Nat. Fire Ins. Co., 76 Mass. App. Ct. 812, 826 (2010). “[A] claim of unjust enrichment will not
lie ‘where there is a valid contract that defines the obligations of the parties.’” Chang v. Winklevoss, 95 Mass. App. Ct. 202, 210-211 (2019), quoting Metro. Life Ins. Co. v. Cotter, 464 Mass. 623, 641 (2013). However, at the pleading
6 The court sees no foundational support in the law for plaintiffs’ sweeping statement that “[e]very transaction in which a party supplies confidential information necessarily includes the implicit promise that the recipient will maintain that confidentiality.” Pls.’ Opp’n to Def.’s Renewed Mot. to Dismiss at 10. stage, a plaintiff is permitted to plead claims in law and equity in the alternative. Id. at 211.
Plaintiffs’ theory of unjust enrichment consists of their belief that their payments for pharmaceutical services implicitly included the costs entailed in the protection of their PII and that IWP was unjustly enriched by the difference between what plaintiffs actually paid and what plaintiffs would
have paid had they known IWP was not taking adequate steps to secure their data.7 Compl. ¶¶ 84, 95, 147-149. A theory like the one advanced by plaintiffs was considered — and rejected — by the District Court in In re Target Corp.
Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014). In Target, plaintiffs alleged that Target violated various state laws because of a data breach and sought relief on, among other grounds, unjust enrichment. Specifically, plaintiffs relied on an “overcharge” theory, claiming that they
were overcharged for goods they purchased because “the purchase price of the goods Target sold included a premium for adequate data security.” Id. at 1177-1178.
7 The court does not read the Complaint to allege, as IWP asserts, that “it is unjust for IWP to retain money paid for the pharmaceutical services it provided to and which were received by Plaintiffs.” Def.’s Renewed Mot. to Dismiss at 14. This court agrees with the result reached by the District Court in Target. The instant Complaint does not allege that plaintiffs paid extra for a
security package that they were promised and did not receive, see e.g., Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012) (allowing unjust enrichment claim where plaintiffs paid a premium for data security but defendant did not have adequate security standards), or that IWP itself
profited in any way from plaintiffs’ PII, see, e.g., In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 412-413 (E.D. Va. 2020) (valid unjust enrichment claim against Amazon where Amazon profited from
storing PII and failed to adequately secure it). Plaintiffs paid IWP for (and received) pharmaceutical services; they do not allege that they paid separately for storage of their PII. Count V – Invasion of Privacy
“‘Massachusetts has never recognized a common-law cause of action for invasion of privacy,’ but ‘recognizes an actionable right of privacy’ under the privacy statute.” Axford v. TGM Andover Park, LLC, 2021 WL 681953, at *13 (D. Mass Feb. 22, 2021), first quoting Spencer v. Roche, 755 F. Supp.
2d 250, 271 (D. Mass. 2010), and then quoting Dasey v. Anderson, 304 F.3d 148, 153 (1st Cir. 2002). A plaintiff bringing a statutory invasion of privacy claim must plead two elements: “[1] a gathering and dissemination of facts of a private nature that [2] resulted in an unreasonable, substantial, or serious interference with his privacy.” Hayes v. Mirick, 378 F. Supp. 3d 109,
117 (D. Mass. 2019), quoting Branyan v. S.W. Airlines Co., 105 F. Supp. 3d 120, 126 (D. Mass. 2015) (alterations in original). Invasion of privacy, however, is an intentional tort. Elliot-Lewis v. Abbott Lab’ys, 378 F. Supp. 3d 67, 71 (D. Mass. 2019); White v. City of Boston, 2022 WL 2704404, at *10
(D. Mass. July 12, 2022). It is on the element of intentionality that the Complaint fails in its attempt to sketch a successful claim for invasion of privacy. While the
Complaint plausibly alleges that plaintiffs’ private information was negligently disseminated resulting in an unreasonable interference with plaintiffs’ privacy, it fails to allege any intentional acts on the part of IWP that could be said to have been the legal cause of the dissemination.8 Indeed,
the Complaint nowhere alleges that IWP disseminated anything. It merely claims that IWP acted negligently. See, e.g., Hayes, 378 F. Supp. 3d at 117; see also Purvis v. Aveanna Healthcare, LLC, 563 F. Supp. 3d 1360, 1377 (N.D. Ga. 2021) (allowing motion to dismiss invasion of privacy claim where
8 In their Opposition to Defendant’s Renewed and Supplemental Motion to Dismiss, plaintiffs claim for the first time that IWP acted intentionally in “skimp[ing] on its data security.” Pls.’ Opp’n to Def.’s Renewed Mot. to Dismiss at 15. This new allegation is not only untimely but also wholly unsupported. “central narrative” of the complaint was that defendant “failed to take sufficient precautions to prevent [the] intrusion”); In re Mednax Servs., Inc.,
Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183, 1225 (S.D. Fla. 2022) (“[C]ourts routinely dismiss invasion-of-privacy claims where a plaintiff fails to allege that a defendant ‘intentionally divulged his PII’ and instead asserts that ‘an unknown [person] stole the PII from [the
defendant’s] computer system.”), quoting Burrows v. Purchasing Power, LLC, 2012 WL 9391827, at *6 (S.D. Fla. Oct. 18, 2012) (second and third alterations in original).
Count VI – Breach of Fiduciary Duty “Fiduciary duties may arise in two ways: (a) as a matter of law, where parties to the subject relationship are cast in archetypal roles, . . . or (b) as ‘determined by the facts established,’ upon ‘evidence indicating that one
person is in fact dependent on another’s judgment in business affairs or property matters.’” UBS Fin. Servs., Inc. v. Aliberti, 483 Mass. 396, 406 (2019), first quoting Warsofsky v. Sherman, 326 Mass. 290, 293 (1950), and then quoting Markell v. Sidney B. Pfeifer Found., Inc., 9 Mass. App. Ct. 412,
444 (1978). To establish a claim for breach of fiduciary duty, plaintiffs must allege “(1) the existence of a duty of a fiduciary nature, based on the relationship of the parties, (2) breach of that duty, and (3) a causal relationship between that breach and some resulting harm to the plaintiff.” Amorim Holding Financeria, S.G.P.S., S.A. v. C.P. Baker & Co., 53 F. Supp.
3d 279, 293 (D. Mass. 2014). The Massachusetts Superior Court has twice considered the issue whether the law imposes a fiduciary duty on a pharmacist to keep confidential her patient’s PII and has both times concluded that such a
fiduciary relationship exists, relying in part on 247 Mass. Code Regs. 9.01(19). See Kelly v. CVS Pharmacy, Inc., 23 Mass. L. Rptr. 87 (Mass. Super. Ct. 2007); Weld v. CVS Pharmacy, Inc., 10 Mass. L. Rptr. 217 (Mass.
Super. Ct. 1999). Section 9.01(19) requires a pharmacist to “maintain patient confidentiality at all times” subject to limited exceptions. 247 Mass. Code Regs. 9.01(19). Absent any statement to the contrary by the Massachusetts Supreme
Judicial Court or the Appeals Court, this court will for present purposes accept the holding of the Superior Court that Massachusetts law does recognize the fiduciary duty on which plaintiffs rely. This said, the court also agrees that the Complaint successfully alleges that IWP breached its duty to
its patients to protect the confidentiality of the PII, and that the plaintiffs were harmed as a result. Motion to Strike Pursuant to Fed. R. Civ. P. 12(f), the court may strike from a pleading
any “redundant, immaterial, impertinent, or scandalous matter.” Such motions are “rarely granted absent a showing of prejudice to the moving party,” Hayes v. McGee, 2011 WL 39341, at *2 (D. Mass. Jan. 6, 2011), or where the allegations have “no possible relation to the controversy,”
DeMoulis v. Sullivan, 1993 WL 81500, at *5 (D. Mass. Feb. 26, 1993). See also Boreri v. Fiat, 763 F.2d 17, 23 (1st Cir. 1985) (motions to strike are “disfavored in practice, and not calculated readily to invoke the court’s
discretion”). IWP moves to strike paragraphs 45-46, 55, and 57-74 of the Complaint, claiming that the allegations they set out are “immaterial and generalized” and are “designed to improperly inflame the issues and a jury and invite
speculation.” Def.’s Renewed Mot. to Dismiss (Dkt. # 37) at 17. The court disagrees. Most of these allegations relate to plaintiffs’ argument that IWP was on notice of the potential harm of a data breach, an argument that is not unfairly prejudicial to IWP under the circumstances. The court sees no
reason to strike these allegations. ORDER For the foregoing reasons, IWP’s motion to dismiss the Complaint is
DENIED as to Counts I and VI. The court hereby DISMISSES WITH PREJUDICE Counts II, III, IV, and V. IWP’s motion to strike paragraphs 45- 46, 55, and 57-74 of the Complaint is DENIED. SO ORDERED.
/s/ Richard G. Stearns UNITED STATES DISTRICT JUDGE