Fero v. Excellus Health Plan, Inc.
304 F. Supp. 3d 333
W.D.N.Y. 2018
Background
- Data breach at Excellus alleged to have exposed PII and PHI (names, DOBs, SSNs, addresses, member IDs, financial/medical claims) of millions; consolidated putative class action filed.
- Four "non-misuse" plaintiffs (Fero, Church, Boomershine, Caltagarone) alleged no post-breach misuse of their data but claimed increased risk of identity theft; Excellus moved to dismiss for lack of Article III standing under Rule 12(b)(1).
- On Feb 22, 2017 the Court dismissed those four plaintiffs without prejudice, finding their asserted risk-of-future-harm too speculative and dependent on a chain of contingencies; other claims and plaintiffs remained.
- Plaintiffs moved for reconsideration; they relied principally on (1) the Second Circuit’s then-recent summary order in Whalen and (2) evidence (Dark Web search results and analysis of the Mandiant intrusion report) indicating exfiltration and sale of compromised data.
- The Court treated the motion as an interlocutory Rule 54(b) reconsideration, concluded Whalen (though unpublished) implies the Second Circuit would accept standing based on theft of personally identifying information, and found the additional evidence would have affected its earlier analysis.
- Holding on reconsideration: the Court granted reconsideration and denied the Excellus Defendants’ Rule 12(b)(1) motion as to the four non-misuse plaintiffs; those claims may proceed. Other aspects of the prior decision (including partial 12(b)(6) dismissals) remain unchanged.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether non-misuse plaintiffs have Article III standing based on increased risk of future identity theft | Non-misuse plaintiffs allege theft of PII/PHI (SSNs, DOBs, medical records) and point to Dark Web postings and Mandiant analysis showing exfiltration — risk is certainly impending | Risk is speculative absent any actual misuse; plaintiffs knew of the evidence before the original ruling so reconsideration is improper; Whalen is distinguishable and non-precedential | Court granted reconsideration and, relying on Whalen’s implications plus Dark Web/Mandiant evidence, denied 12(b)(1) dismissal for the four non-misuse plaintiffs (standing satisfied at this stage) |
| Whether Whalen constitutes an intervening change of controlling law warranting reconsideration | Whalen supports treating theft of PII as sufficient to plead imminent risk and thus standing | Whalen is an unpublished summary order and not controlling precedent; it is distinguishable as a payment-card case | Court found Whalen’s implications persuasive despite being unpublished and relied on it as a basis to avoid manifest injustice |
| Whether allegedly "new" Dark Web and Mandiant evidence justifies reconsideration | Evidence shows PII/PHI was exfiltrated and sold; would have altered outcome | Evidence existed before the original decision (plaintiffs had it during briefing) so it is not truly newly discovered and is a procedurally defective basis for reconsideration | Court acknowledged evidence was not newly discovered but nonetheless considered it persuasive when combined with Whalen and denied dismissal |
| Whether court committed clear legal error (considering extra-pleading materials; denying leave to replead) | Court erred by relying on extra-pleading materials and by not permitting repleading or recognizing alternate bases for standing (e.g., Fero’s contract claim) | Court properly exercised discretion; plaintiffs could have timely moved to amend and did not follow local rules for leave to amend | Court declined to revisit these arguments as dispositive; reiterated that, under current Second Circuit guidance as interpreted, theft of PII can suffice for standing at this stage |
Key Cases Cited
- Coopers & Lybrand v. Livesay, 437 U.S. 463 (U.S. 1978) (defining finality for appeal purposes and discussing final-judgment rule)
- Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (finding standing based on increased risk from data breach)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (holding increased risk of identity theft can support standing)
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (data-breach standing where employee laptop theft risked identity theft)
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (concluding increased risk insufficient for standing)
- Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (finding speculative risk inadequate for standing)
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (holding increased risk of identity theft sufficiently imminent after insurer breach)
- In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) (holding increased risk insufficient for Article III injury)
- Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017) (interpreting Whalen to suggest Second Circuit would find increased risk from theft of PII sufficiently imminent for standing)
- Ashmore v. CGI Grp., Inc., 860 F.3d 80 (2d Cir. 2017) (law-of-the-case principle: partial dismissal is not a final decision for appeal)
