Fero v. Excellus Health Plan, Inc.
236 F. Supp. 3d 735
W.D.N.Y. 2017
Background
- In December 2013 hackers accessed Excellus Health Plan’s systems and (allegedly) took names, DOBs, SSNs, addresses, member IDs, financial/payment data and medical claim information for ~10–10.5 million people; breach discovered in 2015 after forensic review.
- Plaintiffs filed a consolidated putative class action asserting negligence, breach of contract, negligent misrepresentation, unjust enrichment, consumer-protection/statutory privacy claims, and other causes of action against Excellus, affiliates (Lifetime group), and the Blue Cross Blue Shield Association (BCBSA).
- Twenty named plaintiffs from seven states seek statewide classes, a Federal Employee Class (FEHB enrollees), and a Healthcare Provider Class; some named plaintiffs allege concrete misuse (fraudulent charges, tax fraud, identity theft), while four named plaintiffs allege no misuse, only mitigation steps and anxiety.
- Defendants moved to dismiss under Fed. R. Civ. P. 12(b)(1) (standing) and 12(b)(6) (failure to state claims); court considered both Article III standing (injury-in-fact and traceability) and the merits of several statutory and common-law claims.
- Court dismissed four “non-misuse” named plaintiffs for lack of Article III injury-in-fact (future risk too speculative given facts and forensic report), but held remaining named plaintiffs had standing and traceability at the pleading stage.
- On the merits the court: denied dismissal of the express breach-of-contract and unjust enrichment claims (pleaded in alternative); dismissed implied covenant claim as duplicative; dismissed negligent misrepresentation for failure to plead reliance/special relationship (leave to replead); dismissed several state statutory claims in part (CCRA, NJ/N.C. insurance privacy statutes, certain GBL § 349 theories) and limited damages against BCBSA under the filed-rate doctrine.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing — injury-in-fact for plaintiffs who allege only increased risk (non-misuse plaintiffs) | Increased risk of identity theft, mitigation expenses, and anxiety constitute concrete and imminent injury sufficient for Article III | Risk is speculative; absence of any alleged misuse and forensic report showing no evidence of exfiltration make future harm not "certainly impending" | Dismissed four non-misuse plaintiffs for lack of injury-in-fact (speculative risk and mitigation expenses cannot manufacture standing) |
| Standing — causation/traceability for plaintiffs who allege actual misuse | Misuse (fraudulent charges, tax fraud) is plausibly fairly traceable to the Excellus breach; plaintiffs need not rule out other possible sources at pleading stage | Alleged misuse could have arisen from other breaches or actors; plaintiffs must tie specific misuse to Excellus | Plaintiffs who allege misuse plausibly plead traceability at pleading stage; dismissal on causation denied |
| Breach of contract and implied covenant | Privacy notices and statements ("we are committed to safeguarding PHI") were incorporated into contracts and impose definite promises; breach claimed | Privacy notices are not definite promises of specific security standards; implied covenant cannot add substantive contractual terms | Breach of express contract survives motion; implied covenant dismissed as duplicative (may be pursued as part of contract claim) |
| Third-party beneficiary / FEHB claims against BCBSA & GBL § 349 damages cap | Federal enrollees (Mottern) are intended third-party beneficiaries of BCBSA–OPM FEHB contract and can sue; GBL § 349 claim seeks benefit-of-the-bargain damages | FEHBA and the contract show OPM’s central enforcement role; contract does not clearly intend private enforcement by enrollees; filed-rate doctrine bars benefit-of-the-bargain damages against BCBSA | Third-party beneficiary claim dismissed with prejudice (no clear intent to permit private enforcement); GBL §349 claim against BCBSA survives only to the extent it does not seek benefit-of-the-bargain damages (those are barred by the filed-rate doctrine) |
| Negligent misrepresentation | Defendants represented they would maintain adequate data security; plaintiffs relied and purchased insurance | Plaintiffs cannot plausibly plead they actually read/relied on the statements and have not alleged a special/privity-like relationship | Negligent misrepresentation dismissed for failure to plead justifiable reliance and special relationship; leave to replead granted |
| State privacy/consumer statutes (GBL § 349, CCRA, NJ/N.C. insurance privacy statutes) | Statutory and consumer-protection claims actionable based on misleading privacy representations and omissions and unlawful disclosure | Some statutes provide no private right of action; some statutes prohibit affirmative disclosure (theft ≠ disclosure); FEHBA preemption and filed-rate concerns as to FEHB carrier | GBL § 349 generally survives at pleading stage, but claims grounded on statutes that lack private rights dismissed with prejudice; CCRA claim dismissed as inapplicable to covered entities; NJ/N.C. insurance-disclosure claims dismissed (theft not treated as “disclosure”) |
Key Cases Cited
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (standing requires concrete, particularized, actual or imminent injury)
- Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) (future injury must be "certainly impending"; substantial risk sometimes sufficient)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (statutory injury requires concreteness for Article III standing)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (plausibility pleading standard)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility and not merely conceivable allegations)
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (data-breach plaintiffs had standing based on increased risk)
- Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (increased-risk allegations too speculative without evidence of misuse)
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (post-breach increased risk and mitigation costs sufficient for standing at pleading stage)
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (increased-risk allegations too speculative where no misuse alleged)
- Carter v. HealthPort Techs., LLC, 822 F.3d 47 (2d Cir. 2016) (fairly traceable causation standard is less stringent than proximate cause)
