Brush v. Miami Beach Healthcare Group Ltd.
238 F. Supp. 3d 1359
S.D. Fla.2017Background
- Plaintiff Barbara Brush received medical care at Aventura Hospital in 2008 and provided sensitive personal and health information to the hospital.
- Between Sept. 13, 2012 and June 9, 2014, a hospital employee accessed and removed large amounts of patient data without authorization; Plaintiff’s information was accessed and then disclosed or sold to a third party.
- A third party used Plaintiff’s data to steal her identity and file a fraudulent tax return in her name; Plaintiff alleges she had never before been a victim of identity theft and had taken precautions to protect her data.
- Plaintiff sued Defendants (Miami Beach Healthcare Group, LTD and HCA‑EmCare Holdings, LLC) asserting four counts: negligence; breach of contract; breach of implied contract; and unjust enrichment/quantum meruit; she seeks damages and asserted class allegations.
- Defendants moved to dismiss for lack of standing, failure to state a claim, on statute‑of‑limitations grounds and to strike class allegations. The court denied standing challenge, allowed negligence claim to proceed, dismissed Counts Two–Four without prejudice, and denied the motion to strike class allegations without prejudice.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing (Article III) | Brush alleged concrete injury from identity theft and related mitigation costs traceable to defendants’ breach | No cognizable injury; allegations too speculative to establish Article III standing | Court: Plaintiff has Article III standing — identity theft + facts (prior precautions, first-time theft, sequence to breach) suffice to allege concrete injury fairly traceable to defendants (Resnick framework) |
| Negligence (Count I) | Defendants owed duty to safeguard patient data; their failures caused identity theft and damages | Insufficient causation and plausibility to link breach to identity theft | Court: Denied motion to dismiss Count I — allegations (unauthorized access, sale/disclosure, first-time theft, precautions) plausibly establish duty, breach, causation, and damages |
| Breach of Contract (Count II) | Notice of Privacy Practices and patient forms created contractual obligations to protect data | Those provisions reflect statutory HIPAA duties, not bargained contractual promises; HIPAA creates no private right of action | Court: Grant dismissal of Count II — plaintiff failed to identify an enforceable contractual promise distinct from HIPAA; claim dismissed without prejudice |
| Implied Contract / Unjust Enrichment (Counts III–IV) | An implied agreement or quasi‑contract existed because Plaintiff conferred benefit (payment) and expected data protection | No factual basis that Plaintiff paid specifically for heightened data‑security or that defendants were unjustly enriched beyond payment for medical services | Court: Dismissed Counts III–IV without prejudice — no plausible implied contract or quasi‑contract theory and cannot convert HIPAA duties into common‑law contract claims |
Key Cases Cited
- Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir.) (data‑breach victims can have standing where identity theft is plausibly traceable to defendant’s security failures)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (U.S. 2013) (standing requires concrete, particularized, actual or imminent injury)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (U.S. 1992) (Article III standing elements and pleading standard at the jurisdictional stage)
- Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167 (U.S. 2000) (standing requires injury, causation, and redressability)
- Ashcroft v. Iqbal, 556 U.S. 662 (U.S. 2009) (complaint must plead factual content sufficient for plausible liability)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (U.S. 2007) (plausibility standard for surviving Rule 12(b)(6))
- Weinberg v. Advanced Data Processing, Inc., 147 F. Supp. 3d 1359 (S.D. Fla.) (healthcare providers owe a duty to safeguard patient data)