Summary
finding that General Business Law § 899-aa does not create a private right of action
Summary of this case from Smahaj v. Retrieval-Masters Creditors BureauOpinion
08-14-2015
Denise R. ABDALE, Helene Butler, Paulette Schramm, Charleen Solomon, Lena Vetere, Charles Billups, Diane Peterman, M.D., Katherine Cross, Linda Kiehl, Elizabeth Caporaso, Richard Ertl and Jarrett Akins, on behalf of themselves and all others similarly situated, Plaintiff, v. NORTH SHORE–LONG ISLAND JEWISH HEALTH SYSTEM, INC., North Shore–Long Island Jewish Medical Care, PLLC, North Shore–Lij Network, Inc. and North Shore University Hospital, Defendant.
Law Offices of Bonita Zelman, Lake Success, for plaintiffs. Ropes & Gray, LLP, New York City (Jason Brownand Joseph G. Cleemannof counsel), for defendants.
Law Offices of Bonita Zelman, Lake Success, for plaintiffs.
Ropes & Gray, LLP, New York City (Jason Brownand Joseph G. Cleemannof counsel), for defendants.
Opinion
ROBERT J. McDONALD, J.
This motion is determined as follows: Plaintiffs commenced the within action on behalf of themselves and others similarly situated on February 5, 2013 to recover damages for, among other things, defendants' “failure to adequately protect the confidential personal and medical information of their current and former patients, conduct that ultimately resulted in identity and medical identity data breaches”. Plaintiffs are thirteen patients, or relatives of patients, who allegedly received medical services at medical facilities owned or operated by defendants North Shore–Long Island Jewish Health System, Inc. (Health System), North Shore–Long Island Jewish Medical Care, PLLC, (Medical Care), North Shore–LIJ Network, Inc. (Network) and North Shore University Hospital (NSUH). Plaintiffs allege that defendants Health System, Medical Care and NSUH each operate under the corporate umbrella of defendant Network; and that defendants Network, Health System and Medical Care own, operate, manages, maintains and secures defendant NSUH. The complaint refers to all four defendants collectively as North–Shore LIJ.
Plaintiffs allege that at the time they received medical treatment they provided personal information to the defendants, and that on or before Fall 2010 and continuing at least through 2012, medical record Face Sheets and unencrypted computer network data were stolen from defendants North–Shore LIJ. It is also alleged that patient's physical (hard copy) hospital Face Sheets were unsecured and were stolen from inside the premises of the defendants's facilities, including NSUH. These Face Sheets consist of cover sheets containing information about each patient, including their full name, their spouse's full name if married, date of birth, address, telephone number, medical record number, Social Security number, insurance information, and current medical information and history. Plaintiffs allege that the stolen data contains private, personal information, including but not limited to protected health information as defined by HIPPA, Social Security numbers, medical information and other information of hundreds of patients. Plaintiffs allege that as a result of the defendants' failure to implement and follow basic security procedures, their personal information is now in the hands of thieves, and that they face a substantial increased risk of identity theft. Each of the thirteen plaintiffs allege that they have experienced repeated instances of identity theft since said data breach and as that a consequence of said breach, plaintiffs, as well as current and former patients, have had to spend and will continue to spend significant time and money in the future to protect themselves. In addition, plaintiff Peterman alleges that as a result of the data breach her credit rating was substantially damaged; plaintiff Vetere alleges that as a result of the data breach her income tax refund for 2010 was fraudulently claimed and sent to a third party; and plaintiff Akins alleges that identity thieves fraudulently filed state and federal income tax returns for 2011, causing him substantial financial losses.
The complaint alleges that Health System through its Patients' Bill of Rights, and website, advised patients that it, and each of its owned of sponsored Article 28 not-for-profit corporations are required by law to follow HIPPA regulations and protect the privacy of health information that may reveal a patient's identity. The complaint further alleges that patients were also advised that they have a right to be notified of any breaches of “Unsecured Protected Health” information as soon as possible, but in any event no later than 60 days following the discovery of the breaches.
Plaintiffs allege that on January 26, 2012, Clincy M. Robinson was arrested and charged with Identity Theft in the First Degree (one count) and Criminal Possession of Computer Related Materials (two counts), Scheme to Defraud in the First Degree (2 counts) and Unlawful Possession of Personal Information in the Third Degree (1 count). Mr. Robinson was charged with being in possession of 25 Face Sheets from NSUH, data that is maintained on the computer network of NSUH, and being in possession of computer data consisting of personal identifying information for over 900 individuals, without authorization, and it is alleged that he pled guilty to these charges and was sentenced on December 13, 2012 in the District Court of Nassau County.
Plaintiffs also alleges that on June 1, 2012, Dennis Messias was arrested and charged with Identity Theft in the First Degree (four counts), Grand Larceny in the Third Degree, and Scheme to Defraud in the First Degree, in connection with the theft and unauthorized use of patients' personal information from the premises of NSUH.
Plaintiffs allege that the defendants were aware of these thefts and security breaches and that they failed to notify its patients within 60 days of the breach; that defendants failed to notify the Secretary of the U.S. Department of Health and Human Services of said security breaches in the year in which they discovered said breaches; and that defendants failed to maintain a written log of security breaches since 2007, on an annual basis.
The complaint alleges eleven causes of action for (1) negligence per se based upon violations of General Business Law § 899–aa; (2) negligence per se based on violations of Public Health Law § 18; (3) negligence per se based upon violations of General Business Law § 399–dd(4); (4) negligence per se based on violations of the Health Insurance Portability and Accountability Act of 1996 (HIPPA), Pub.L. No. 104–191, 110 Stat.1936 (1996); (5) negligence per se based on violations of the Health Information Technology for Economic and Clinical Health Act (HITECH), 42 U.S.C. § 17921–53; (6) violations of General Business Law § 349; (7) breach of contract; (8) breach of fiduciary duty; (9) negligence; (10) breach of the implied covenant of good faith and fair dealing; and (11) misrepresentation.
Defendants, prior to serving an answer, filed a notice of removal on March 8, 2013, which removed this action to the United States District Court for the Eastern District of New York (District Court), asserting that a federal jurisdiction question existed and that removal was appropriate under the Class Action Fairness Act of 2005(CAFA). On April 16, 2013, the defendants filed a motion in District Court to dismiss the complaint and on June 10, 2013, plaintiffs filed a motion to remand the matter to this court. The District Court, in an order dated June 14, 2014, denied the plaintiffs' motion to remand with leave to renew 30 days after the conclusion of expedited discovery pertaining to CAFA exceptions, and reserved judgment on the defendants' motion to dismiss (Abdale, et al. v. North Shore–Long Island Jewish Health System, Inc., et al.,2014 U.S. Dist Lexis 88881 [United States District Court for the Eastern District of New York, 2014] ). The parties were unable to formulate a joint discovery plan as directed by the court, and the matter was assigned to a magistrate. A status conference was held on October 2, 2014, at which time the magistrate made certain rulings pertaining to discovery. However, no discovery was had and defendants conceded that the matter should be remanded to this court, as the 268 individuals they sent letters to regarding the subject data breach were all New York State citizens. On November 13, 2014, the District Court remanded the matter back to this court, without any limit as to the size of the class.
Defendants, in this pre-answer motion seek to dismiss the complaint on the grounds of failure to state a cause of action, pursuant to CPLR 3211(a)(7). It is well settled that “[o]n a motion to dismiss pursuant to CPLR 3211(a)(7)for failure to state a cause of action, the complaint must be construed liberally, the factual allegations deemed to be true, and the nonmoving party must be given the benefit of all favorable inferences” (Leon v. Martinez, 84 N.Y.2d 83, 87, 614 N.Y.S.2d 972, 638 N.E.2d 511 [1994]; see AG Capital Funding Partners, L.P. v. State St. Bank & Trust Co., 5 N.Y.3d 582, 591, 808 N.Y.S.2d 573, 842 N.E.2d 471 [2005]; Goshen v. Mutual Life Ins. Co. of NY, 98 N.Y.2d 314, 326, 746 N.Y.S.2d 858, 774 N.E.2d 1190 [2002]; Nasca v. Sgro, 130 A.D.3d 588, 13 N.Y.S.3d 188 [2d Dept.2015]; Dolphin Holdings, Ltd. v. Gander & White Shipping, Inc., 122 A.D.3d 901, 901–902, 998 N.Y.S.2d 107 [2d Dept.2014]). The court is limited to “an examination of the pleadings to determine whether they state a cause of action,” and the “plaintiff may not be penalized for failure to make an evidentiary showing in support of a complaint that states a claim on its face” (Miglino v. Bally Total Fitness of Greater N.Y., Inc., 20 N.Y.3d 342, 351, 961 N.Y.S.2d 364, 985 N.E.2d 128 [2013]). “The test of the sufficiency of a pleading is whether it gives sufficient notice of the transactions, occurrences, or series of transactions or occurrences intended to be proved and whether the requisite elements of any cause of action known to our law can be discerned from its averments' ” (V. Groppa Pools, Inc. v. Massello, 106 A.D.3d 722, 723, 964 N.Y.S.2d 563 [2d Dept.2013], quoting Pace v. Perk, 81 A.D.2d 444, 449, 440 N.Y.S.2d 710[ 2d Dept.1981][internal quotation marks omitted]; see also Dolphin Holdings, Ltd. v. Gander & White Shipping, Inc.,122 A.D.3d at 901–902, 998 N.Y.S.2d 107).
“A court is, of course, permitted to consider evidentiary material ... in support of a motion to dismiss pursuant to CPLR 3211(a)(7)” (Sokol v. Leader, 74 A.D.3d 1180, 1181, 904 N.Y.S.2d 153 [2d Dept.2010]), and, if it does so, “the criterion then becomes whether the proponent of the pleading has a cause of action, not whether he has stated one' ” (id.at 1181–1182, 904 N.Y.S.2d 153, quoting Guggenheimer v. Ginzburg,43 N.Y.2d at 275, 401 N.Y.S.2d 182, 372 N.E.2d 17). “Yet, affidavits submitted by a defendant will almost never warrant dismissal under CPLR 3211unless they establish conclusively that [the plaintiff] has no cause of action” (Dolphin Holdings, Ltd. v. Gander & White Shipping, Inc., 122 A.D.3d at 902, 998 N.Y.S.2d 107[internal quotation marks omitted]; see Bokhour v. GTI Retail Holdings, Inc., 94 A.D.3d 682, 941 N.Y.S.2d 675 [2d Dept.2012]). “Indeed, a motion to dismiss pursuant to CPLR 3211(a)(7)must be denied unless it has been shown that a material fact as claimed by the pleader to be one is not a fact at all and unless it can be said that no significant dispute exists regarding it” (Bokhour v. GTI Retail Holdings, Inc., 94 A.D.3d at 683, 941 N.Y.S.2d 675[internal quotation marks omitted]; see Sokol v. Leader, 74 A.D.3d at 1182, 904 N.Y.S.2d 153; see also Nasca v. Sgro, supra).
Defendants assert that defendant Health System is a not-for-profit corporation that indirectly owns or sponsors a large number of separate not-for-profit health care providers, including sixteen acute care hospitals; that defendant Medical Care and defendant Network are affiliated with defendant Health System but do not provide any patient services; and that defendant NSUH is one of said sixteen hospitals and is the only defendant that provides direct patient services. It is asserted that the complaint fails to allege any facts with respect to defendants Health System, Medical Care and Network; that plaintiffs do not allege that records were stolen from these entities or that they were a patient of these entities. It is further asserted that the complaint fails to contain any specific factual allegations with respect to these three defendants and that plaintiffs seek to rely upon bald assertions that each of these defendants operate under the same “corporate umbrella” and each “owns, operates, maintains and secures” defendant NSUH. As regards defendant Network, it is asserted that the complaint appears to state in conclusory fashion that employees of that entity were responsible for the theft of certain personal information.
Defendants assert that the complaint fails to satisfy New York's pleading standards in that the allegations are conclusory; that the complaint fails to assert facts to support any claim against defendants Health System, Medical Care and Network; that the complaint fails to allege cognizable injuries; that the claims of negligence and negligence per se are barred by the economic loss doctrine; that each of the negligence per se claims fail to allege the elements of the alleged statutory violation on which the claim is based; that the claim fails to allege the elements of misrepresentation, whether framed as a common law violation or an alleged deceptive practice under General Business Law § 349; that the complaint fails to allege the elements of breach of contract and breach of the implied covenant of good faith and fair dealing; and that the complaint fails to allege the core elements necessary to support a claim of breach of fiduciary duty.
CPLR 1303requires that “[s]tatements in a pleading shall be sufficiently particular to give the court and the parties notice of the transactions, occurrences, or series of transactions or occurrences, intended to be proved and the material elements of each cause of action or defense”.
The first cause of action for negligence per se is based upon General Business Law § 899–aa. Said statute provides that any person or business which conducts business in New York state and owns or licenses computerized data which includes certain private information is required to disclose any breach of the security of the system to any resident of New York state “whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.” The statute sets forth the time frame and method of giving such notice. Reviewing said statute in a light most favorable to the plaintiffs, it is clear that there is no private right of action expressly authorized pursuant to the statute. Rather, said statute expressly provides at subsection 6 that the attorney general may bring an action for a violation of said statute, and further provides that in such an action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to said article.
In the absence of an express private right of action, plaintiffs can seek civil relief in a plenary action based on a violation of the statute “only if a legislative intent to create such a right of action is fairly implied in the statutory provisions and their legislative history” (Carrier v. Salvation Army, 88 N.Y.2d 298, 302, 644 N.Y.S.2d 678, 667 N.E.2d 328 [1996][internal quotation marks and citations omitted] ). This determination is predicated on three factors: “(1) whether the plaintiff is one of the class for whose particular benefit the statute was enacted; (2) whether recognition of a private right of action would promote the legislative purpose; and (3) whether creation of such a right would be consistent with the legislative scheme” (Sheehy v. Big Flats Community Day, 73 N.Y.2d 629, 633, 543 N.Y.S.2d 18, 541 N.E.2d 18 [1989]). The Court of Appeals has repeatedly recognized the third as the most important because “the Legislature has both the right and the authority to select the methods to be used in effectuating its goals, as well as to choose the goals themselves. Thus, regardless of its consistency with the basic legislative goal, a private right of action should not be judicially sanctioned if it is incompatible with the enforcement mechanism chosen by the Legislature or with some other aspect of the over-all statutory scheme” (id.at 634–635, 543 N.Y.S.2d 18, 541 N.E.2d 18[citation omitted]; see Uhr v. East Greenbush Central School Dist., 94 N.Y.2d 32, 698 N.Y.S.2d 609, 720 N.E.2d 886 [1999]). The Court of Appeals, has declined to recognize a private right of action in instances where “[t]he Legislature specifically considered and expressly provided for enforcement mechanisms” in the statute itself (see Mark G. v. Sabol, 93 N.Y.2d 710, 720, 695 N.Y.S.2d 730, 717 N.E.2d 1067 [1999]; see also Cruz v. TD Bank, N.A., 22 N.Y.3d 61, 70–71, 979 N.Y.S.2d 257, 2 N.E.3d 221 [2013]).
Although plaintiffs arguably fall within the first two factors, permitting a private right of action for a violation of General Business Law § 899–aawould not be consistent with Legislature scheme. The enforcement of the statutory provisions has been expressly entrusted to the attorney general. In addition, the Legislature, in subdivision 6(b) stated that “the remedies provided by this section shall be in addition to any other lawful remedy available” and in subdivision 9 stated that “[t]he provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, an locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.” This language, thus, militates against any implied private right of action. In view of the fact that no private right of action exists with respect to General Business Law § 899–aa, that branch of the defendants' motion which seeks to dismiss the plaintiffs' first cause of action, is granted.
Plaintiffs second cause of action for negligence per se is based upon Public Health Law § 18. Public Health Law § 18is designed to ensure, as a general rule, that patients have access to their own medical records (see Davidson v. State, 3 A.D.3d 623, 625, 771 N.Y.S.2d 197 [3d Dept.2004]). To the extent that plaintiffs allege that the defendants disclosed their personal and health information to third parties by permitting the theft of the information contained in their data base without plaintiff's consent, this claim fails to state a cause of action. Plaintiffs do not allege that the defendants were participants in the theft of the subject data. Therefore, the theft of the subject data cannot constitute a disclosure of said information. Furthermore, plaintiffs have not established that a private right of action exists with respect to the claimed disclosure of the patients' medical records. Notably, subdivision 12 of this statute provides that “[n]o health care provider shall be subjected to civil liability arising solely from granting or providing access to any patient information in connection with this section”. Therefore that branch of defendants' motion which seeks to dismiss the second cause of action, is granted.
The third cause of action for negligence per se is based upon General Business Law § 399–dd (4)(sic). Plaintiffs' third cause of action is actually based upon General Business Law § 399–ddd (4)which institutes safeguards necessary to thwart unauthorized access to social security numbers. As the enforcement of the provisions of this statute have been entrusted to the attorney general (seeGeneral Business Law § 399–ddd [7] ), no private right of action exists with respect to a violation of General Business Law § 399–ddd (4). Therefore, that branch of the defendants' motion which seeks to dismiss the third cause of action, is granted.
Plaintiffs' fourth cause of action for negligence per se is based upon HIPPA. As HIPPA and its regulations do not create a private right of action (see Romanello v. Intesa Sanpaolo S.p.A., 97 A.D.3d 449, 455, 949 N.Y.S.2d 345 [1st Dept.2012]; Jurado v. Kalache, 29 Misc.3d 1005, 1009, 912 N.Y.S.2d 375 [Sup.Ct., Westchester County 2010]; Webb v. Smart Document Solutions, 499 F.3d 1078 [9th Cir.2007]; Acara v. Banks, 470 F.3d 569, 571 [5th Cir.2006]; Cassidy v. Nicolo,2005 U.S. Dist. LEXIS 34160, 2005 WL 3334523 [W.D.N.Y.2005]), that branch of the defendants' motion which seeks to dismiss the fourth cause of action, is granted.
Plaintiffs' fifth cause of action for negligence per se is based upon Title XIII, Section 13402, of the American Recovery and Reinvestment Act–Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH, enacted on February 17, 2009, provides for privacy and security of patient health information, and modifies HIPAA by adding new requirements concerning privacy and security for health information. Section 13402, cited in plaintiffs' complaint, is found in 42 U.S.C. § 17921. Although the failure to notify patients of the breach of their Protected Health Information may result in the imposition of penalties by the United States Department of Health and Human Services, neither HITECH nor its governing regulations create a private right of action. Therefore, that branch of the defendants' motion which seeks to dismiss the fifth cause of action, is granted.
The sixth cause of action for a violation of General Business Law § 349alleges that the defendants “maintained a privacy policy guaranteeing that plaintiffs' protected health information would not be released to any unauthorized third parties without plaintiffs' consent, and that by “ failing to safeguard plaintiffs' protected health information and permitting unauthorized third parties, employees, agents, and/or servants access to plaintiffs' protected health information for illicit and unlawful purposes, in contravention of its privacy policy and other statutory duties detailed above, defendants engaged in a deceptive and unlawful practice.”
General Business Law § 349provides that “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful” (General Business Law § 349[a]). A private right of action to recover damages for violations of General Business Law § 349has been provided to “any person who has been injured by reason of any violation of” the statute (General Business Law § 349[h]). Under General Business Law § 349(h), a prima facie case requires a showing that the defendant engaged in a consumer-oriented act or practice that was “deceptive or misleading in a material way and that [the] plaintiff has been injured by reason thereof' ” (Goshen v. Mutual Life Ins. Co. of N.Y., 98 N.Y.2d 314, 324, 746 N.Y.S.2d 858, 774 N.E.2d 1190 [2002], quoting Oswego Laborers' Local 214 Pension Fund v. Marine Midland Bank, 85 N.Y.2d 20, 25, 623 N.Y.S.2d 529, 647 N.E.2d 741 [1995]). Here, despite the broad language contained in the complaint, the statements allegedly made by defendants in the privacy policy and online notices do not constitute an unlimited guaranty that patient information could not be stolen or that computerized data could not be hacked. Defendants' alleged failure to safeguard plaintiffs' protected health information and identifying information from theft did not misled the plaintiffs in any material way and does not constitute a deceptive practice within the meaning of the statute (see Jones v. Bank of Am. N.A., 97 A.D.3d 639, 949 N.Y.S.2d 76 [2d Dept.2012]; see also Ladino v. Bank of Am., 52 A.D.3d 571, 574, 861 N.Y.S.2d 683[ 2d Dept.2008]). Therefore, that branch of the defendants' motion which seeks to dismiss the sixth cause of action for a violation of General Business Law § 349, is granted.
The seventh cause of action is for breach of contract. The essential elements of a cause of action to recover damages for breach of contract are the existence of a contract, the plaintiff's performance pursuant to the contract, the defendant's breach of its contractual obligations, and damages resulting from the breach (see El–Nahal v. FA Mgt., Inc., 126 A.D.3d 667, 668, 5 N.Y.S.3d 201 [2d Dept.2015]; Dee v. Rakower, 112 A.D.3d 204, 208–209, 976 N.Y.S.2d 470 [2d Dept.2013]). In addition, a complaint must “plead the provisions of the contract upon which the cause of action is based.” (Bello v.
New England Fin.,3 Misc.3d 1109(A), 787 N.Y.S.2d 676 [Sup.Ct., Nassau County 2004], citing Rattenni v. Cerreta, 285 A.D.2d 636, 728 N.Y.S.2d 401 [2nd Dept.2001]; see also, Sud v. Sud, 211 A.D.2d 423, 424, 621 N.Y.S.2d 37 [1st Dept.1995]).
Here, plaintiffs allege that they were patients at NSUH, Long Island Jewish Medical Center and other medical facilities, owned or operated by the defendant Health Systems; that the plaintiffs provided personal information to the defendants; that defendants were contractually obligated to the plaintiffs to protect their private health and personal information; and that defendants breached their contractual obligations by “permitting or inadequately protecting against the theft of the Face Sheets containing private health and personal information, and by not acting reasonably to notify and protect plaintiffs and the Class immediately after learning of the thefts and then maliciously failing to notify plaintiffs and the Class in order to knowingly further their own economic interests”. It is alleged that the plaintiffs suffered mentally, physically, financially and emotionally and seek to recover damages, including attorney's fees.
Plaintiffs' allegations are insufficient to state a claim against the defendants for breach of contract. Plaintiffs fail to allege that they each had a contractual relationship with each of the named defendants, and fail to allege any specific provision in an agreement that the defendants allegedly breached. To the extent that plaintiffs are relying on a privacy statement, either provided to them at the time they received medical services or posted on a website, plaintiffs do not allege that said privacy statement contained any obligation or promise regarding the theft of personal information by third parties. Therefore, that branch of the defendants' motion which seeks to dismiss the seventh cause of action for breach of contract, is granted.
The eighth cause of action is for breach of fiduciary duty. “The elements of a cause of action to recover damages for breach of fiduciary duty are (1) the existence of a fiduciary relationship, (2) misconduct by the defendant, and (3) damages directly caused by the defendant's misconduct” (Varveris v. Zacharakos, 110 A.D.3d 1059, 973 N.Y.S.2d 774 [2d Dept.2013]; quoting Rut v. Young Adult Inst., Inc., 74 A.D.3d 776, 777, 901 N.Y.S.2d 715 [2d Dept.2010]; see Faith Assembly v. Titledge of N.Y. Abstract, LLC, 106 A.D.3d 47, 61, 961 N.Y.S.2d 542 [2d Dept.2013]; Armentano v. Paraco Gas Corp., 90 A.D.3d 683, 684, 935 N.Y.S.2d 304 [2d Dept.2011]). A cause of action sounding in breach of fiduciary duty must be pleaded with the particularity required by CPLR 3016(b).
Here, plaintiffs' allegations for breach of fiduciary duty are made collectively against all defendants. Under CPLR 3016(b), a claim for breach of fiduciary must be pleaded with particularity, and the circumstances constituting the alleged wrong must be stated in detail. (see Palmetto Partners, L.P. v. AJW Qualified Partners, LLC, 83 A.D.3d 804, 808, 921 N.Y.S.2d 260 [2d Dept.2011]; Chiu v. Man Choi Chiu, 71 A.D.3d 621, 623, 896 N.Y.S.2d 132 [2d Dept.2010]). Plaintiffs' group pleading falls far short of this mark. Therefore, that branch of defendants' motion which seeks to dismiss the eighth cause of action for breach of fiduciary duty is granted.
The ninth cause of action is for negligence. “To establish a prima facie case of negligence, a plaintiff must establish the existence of a duty owed by a defendant to the plaintiff, a breach of that duty, and that such breach was the proximate cause of injury to the plaintiff” (Alvino v. Lin, 300 A.D.2d 421, 751 N.Y.S.2d 585 [2nd Dept.2002]). Here, plaintiffs allege they gave personal information to the treating facilities in order to receive medical treatment; that these facilities informed the plaintiffs that their personal information would not be disclosed to third parties without their consent; and that an employee or employees of defendants stole their personal information and sold it to third parties who used said information to open fraudulent credit card accounts, make fraudulent purchases, and fraudulently obtain income tax returns. Plaintiffs allege that they sustained emotional distress, mental anguish, and financial damages as a result of said identity theft. Under these circumstances, the court finds that the ninth cause of action sufficiently states a claim for negligence against defendants Health Systems and NSUH (see Daly v. Metropolitan Life Insurance Co., supra).
With respect to defendants Network and Medical Care, plaintiffs do not allege that they gave any personal or medical information to these entities, and do not specifically allege that these defendants maintained any patient data or were responsible for safeguarding patient data. Plaintiffs' counsel's present assertion that defendants Medical Care, Network, and NSUH are all alter egos of Health Systems, or that they are wholly owned corporate subsidiaries of Health Systems, is not alleged in the complaint. Therefore, as the complaint does not sufficiently allege any duty owed to the plaintiffs by Medical Care and Network, that branch of the motion which seeks to dismiss the ninth cause of action for negligence is granted as to defendants Network and Medical Care, and is denied as to defendants NSUH and Health Systems.
Plaintiffs, in their tenth cause of action, allege that even if there was no express contractual obligation, defendants owed them a duty of good faith and fair dealing in protecting their personal information from theft. That branch of the defendants' motion which seeks to dismiss the tenth cause of action for breach of the duty of good faith and fair dealing is granted, as such a claim may not be used as a substitute for a nonviable claim of breach of contract (see StarVest Partners II, L.P. v. Emportal, Inc., 101 A.D.3d 610, 957 N.Y.S.2d 93 [1st Dept.2012]; Sheth v. New York Life Ins. Co., 273 A.D.2d 72, 73, 709 N.Y.S.2d 74 [1st Dept.2000]).
In the eleventh cause of action for misrepresentation, plaintiffs allege that the defendants “knowingly, recklessly or negligently failed to timely disclose the material facts to plaintiffs and the Class that their private financial identity, healthy identity and personal information had been stolen, and actively acted to suppress the plaintiffs and the Class from learning of the information thefts, thereby prevented and hindered plaintiffs from taking steps to protect themselves from identity theft or other harm”. Plaintiffs allege that defendants' “misrepresentation by allowing the theft of the Face Sheets and unencrypted computer database and then by not acting reasonably to notify the Class immediately was deliberate, intentional and wanton.” Plaintiffs allege that they suffered mentally, physically, financially and emotionally.
“The elements of a cause of action sounding in fraud are a material misrepresentation of an existing fact, made with knowledge of the falsity, an intent to induce reliance thereon, justifiable reliance upon the misrepresentation, and damages' ” (High Tides, LLC v. DeMichele, 88 A.D.3d 954, 957, 931 N.Y.S.2d 377[ 2d Dept.2011]quoting Introna v. Huntington Learning Ctrs., Inc., 78 A.D.3d 896, 898, 911 N.Y.S.2d 442 [2d Dept.2010]; see also Cremosa Food Co., LLC v. Amella, 130 A.D.3d 559, 12 N.Y.S.3d 293 [2d Dept.2015]). CPLR 3016(b)requires that the circumstances of the fraud must be “stated in detail,” including specific dates and items (see Moore v. Liberty
Power Corp., LLC, 72 A.D.3d 660, 661, 897 N.Y.S.2d 723 [2d Dept.2010]). A cause of action to recover damages for fraudulent concealment requires, in addition to allegations of scienter, reliance, and damages, an allegation that the defendant had a duty to disclose material information and that it failed to do so (see High Tides, LLC v. DeMichele, 88 A.D.3d at 957, 931 N.Y.S.2d 377; Manti's Transp., Inc. v. C.T. Lines, Inc., 68 A.D.3d 937, 940, 892 N.Y.S.2d 432 [2d Dept.2009]; Barrett v. Freifeld, 64 A.D.3d 736, 738, 883 N.Y.S.2d 305 [2d Dept.2009]).
Here, plaintiffs make their fraud allegations collectively as to all defendants. Such group pleading is impermissible. A fraud claim asserted against multiple defendants must include specific and separate allegations for each defendant (see Ramos v. Ramirez, 31 A.D.3d 294, 295, 818 N.Y.S.2d 916 [1st Dept.2006]; see also Aetna Casualty & Surety Co. v. Merchants Mut. Ins. Co., 84 A.D.2d 736, 736, 444 N.Y.S.2d 79 [1st Dept.1981]; Shareholder Representative Servs. LLC v. Sandoz Inc.,46 Misc.3d 1228(A), 2015 WL 1209358 [Sup.Ct., New York County 2015]; CIFG Assur. N. Am., Inc. v. Bank of America, N.A.,41 Misc.3d 1203(A), 2013 WL 5380385 [Sup.Ct., N.Y. County 2013]; Excel Realty Advisors, L.P. v. SCP Capital, Inc.,2010 N.Y. Misc. LEXIS 6067, 2010 WL 5172417 [Sup.Ct., Nassau 2010]). Therefore, defendants' motion to dismiss the eleventh cause of action, is granted.
In view of the foregoing, defendants' motion is granted to the extent that the first, second, third, fourth, fifth, sixth, seventh, eighth, tenth and eleventh causes of action are dismissed in their entirety as to all defendants. That branch of the defendants' motion which seeks to dismiss the ninth cause of action for negligence is granted as to defendants Network and Medical Care, and is denied as to defendants NSUH and Health Systems.