IN RE: Mednax Services, Inc., Customer Data Security Breach Litigation
603 F.Supp.3d 1183
S.D. Fla. 2022
Background
- MDL arising from June–July 2020 phishing attacks on Mednax-related Microsoft Office 365 email accounts that exposed PHI/PII (names, DOBs, insurance, medical info, and in some instances SSNs) of patients and others.
- Plaintiffs (12 named individuals) filed a Consolidated Amended Complaint asserting multiple state statutory and common-law claims (consumer-protection statutes across several states, breach of implied contract, negligence, invasion of privacy, fiduciary-duty, etc.).
- Defendants moved to dismiss for lack of Article III standing (facial and factual attacks) and for failure to state various claims; parties disputed applicable state law (choice-of-law) because data were cloud-stored.
- Court held the breach is deemed to have occurred in Florida for choice-of-law purposes and applied Florida law to most tort and many contract issues.
- Court denied the Rule 12(b)(1) standing dismissal (found at least one plaintiff alleged concrete injury: actual access/misuse, risk of future harm, mitigation costs and emotional distress) but found traceability disputes premature to resolve without discovery.
- On Rule 12(b)(6) review the Court dismissed several counts (some with prejudice, others with leave to amend) and required a Second Amended Complaint tailored to the Court’s rulings.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing — injury-in-fact | Data breach + actual misuse (dark-web listings, spam, identity theft), mitigation costs, emotional distress and diminution in value suffice as concrete injuries | Mere risk or speculative harms and mitigation expenses are insufficient absent substantial risk or actual misuse | Standing satisfied: plaintiffs allege actual access/misuse and concrete harms; mitigation costs and emotional distress can support damages claims when paired with substantial risk (Spokeo/TransUnion/Tsao applied) |
| Standing — traceability/causation | Plaintiffs allege unauthorized access to defendants’ systems and subsequent misuse; some plaintiffs show identity theft or dark-web listings | Defendants’ expert declarations argue no evidence links plaintiffs’ compromised data to the dark web or misuse; factual record contradicts plaintiffs | Traceability plausibly alleged at pleading stage; factual attacks implicate merits and are premature — resolved after discovery |
| Shotgun/group pleading and Rule 8/10 | Complaint pleads multi-count cumulative incorporations and sometimes fails to identify which defendant is liable for which claim | Defendants argue lack of fair notice and request dismissal | Court found first-sin shotgun pleading (cumulative incorporation) and improper group pleading for implied contract; required amendment and dismissed certain counts for lack of specificity |
| Breach of implied contract | Plaintiffs: providing PHI/PII and signing privacy notices implies an agreement to safeguard data | Defendants: no meeting of the minds, privacy notices are statutory/HIPAA disclosures not contractual, no solicitation to exchange data for data-security promises | Implied contract claim dismissed with prejudice: plaintiffs failed to plead mutual assent or consideration for data-security contract |
| Negligence and negligence per se (FTC §5) | Plaintiffs: defendants owed duty to protect PHI/PII, breached it, caused damages; also invoke FTC §5 as negligence per se | Defendants: no duty to guard against criminal acts; FTC §5 does not create a private right of action; proximate causation lacking | Negligence allowed under Florida law (duty, breach, causation plausibly pleaded) but negligence per se premised on FTC §5 dismissed; negligence claim permitted subject to excising §5 theory |
| State consumer-protection claims (FDUTPA, NYGBL, etc.) — extraterritoriality & damages | Plaintiffs allege unfair/deceptive acts and diminished value, reliance and omissions | Defendants: statutes don’t reach out-of-state plaintiffs unless conduct occurred in statute state; FDUTPA damages require diminution in value of goods/services, which plaintiffs fail to allege | Court: applied Florida law (breach deemed to occur in Florida); dismissed several consumer-statute counts (some with prejudice, others with leave to amend). FDUTPA damages theory (consequential harms vs. diminished value) rejected in part |
| California CMIA / CRA claims (delay and security failures) | Rumely pleads unauthorized viewing (uptick in phishing), delayed notification, and inadequate security practices | Defendants argue no cognizable injury from delay and only conclusory allegations of insecure practices | CMIA (unauthorized viewing) and CRA (delay and unreasonable security) claims allowed to proceed at pleading stage — reasonable inferences of harm and inadequate security sustained |
| Invasion of privacy (public disclosure) and fiduciary duty | Plaintiffs: disclosure of PHI/PII supports invasion and fiduciary-duty claims | Defendants: disclosures were by third-party criminals, not intentional publication; no fiduciary relationship alleged | Intentional-publication-based invasion claim and fiduciary-duty claim dismissed with prejudice — negligence insufficient to state intentional tort or fiduciary duty |
| Negligent training & supervision | Plaintiffs allege failure to train/supervise employees leading to phishing breach | Defendants: plaintiffs do not identify unfit employees or a deficient training program | Dismissed with prejudice for lack of factual allegations and shotgun pleading defects |
Key Cases Cited
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (injury-in-fact must be concrete and particularized)
- TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021) (risk of future harm alone insufficient for damages claims; exposure-related emotional injury may be distinct)
- Tsao v. Captiva MVP Restaurant Partners, 986 F.3d 1332 (11th Cir. 2021) (threat of future harm must be substantial; mitigation costs require substantial risk)
- Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (traceability in data-breach identity-theft context; indirect causation can suffice)
- Weiland v. Palm Beach Cnty. Sheriff's Off., 792 F.3d 1313 (11th Cir. 2015) (shotgun pleading doctrine and the four "sins")
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing standards: injury, traceability, redressability)
- Wilding v. DNC Servs. Corp., 941 F.3d 1116 (11th Cir. 2019) (class-representative standing and the requirement that at least one plaintiff has standing)
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (data breach with unauthorized access can establish substantial risk of future harm)
- In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020) (diminution-in-value and implied-contract theories in data-breach context)
- Raines v. Byrd, 521 U.S. 811 (1997) (standing is threshold jurisdictional question)
