Foster v. Health Recovery Servs.

Full title: Troy Foster, individually, and on behalf of all others similarly situated…

Court: UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF OHIO EASTERN DIVISION

Date published: Oct 7, 2020

493 F. Supp. 3d 622 (S.D. Ohio 2020)

Opinion

Case No. 2:19-CV-4453

2020-10-07

Troy FOSTER, individually, and on behalf of all others similarly situated, Plaintiff, v. HEALTH RECOVERY SERVICES, INC., Defendant.

Michael Fradin, Fradin Law Office, Athens, OH, for Plaintiff. Lisa Pierce Reisz, Christopher Logan Ingram, Elizabeth S. Alexander, Vorys, Sater, Seymour and Pease LLP, Columbus, OH, for Defendant.

ALGENON L. MARBLEY, CHIEF UNITED STATES DISTRICT JUDGE

Michael Fradin, Fradin Law Office, Athens, OH, for Plaintiff.

Lisa Pierce Reisz, Christopher Logan Ingram, Elizabeth S. Alexander, Vorys, Sater, Seymour and Pease LLP, Columbus, OH, for Defendant.

OPINION & ORDER

ALGENON L. MARBLEY, CHIEF UNITED STATES DISTRICT JUDGE

This matter is before the Court on Defendant's Motion to Dismiss. (ECF No. 9). Plaintiff has filed a response opposing the motion to dismiss (ECF No. 15) and Defendant has filed a reply (ECF No. 17). For the reasons set forth below, this Court GRANTS in part and DENIES in part Defendant's Motion to Dismiss.

I. BACKGROUND

Plaintiff, Troy Foster, is an Ohio resident who received services from Defendant, Health Recovery Services. (ECF No. 6 at 2). Health Recovery Services ("HRS") is a non-profit that provides services to those suffering from mental illness or substance abuse issues. Id. On February 5, 2019, HRS learned that its network had been breached since November 2018 when an unauthorized IP address remotely accessed its computer network containing the personal information of clients, including Plaintiff and the class he seeks to represent. Id. at 3. Defendant alleges that it sent notice of this data breach on April 5, 2019 and in that notice stated that it has no evidence that the unauthorized IP address had accessed or acquired protected health information. (ECF No. 9 at 2-3). In that notice, Defendant offered free credit monitoring services for clients affected by the data breach. Id. at 3.

On October 6, 2019, Mr. Foster filed a complaint for damages against HRS on behalf of a class of similarly situated individuals alleging that HRS's failure to maintain "reasonable and adequate procedures to protect and secure" his personal information as well as the failure to discover timely the data breach resulted in financial injuries to himself and other class members and placed them at risk of identity theft and other fraud and abuse. (ECF No. 6 at 4). Plaintiff alleges that as a result of the data breach, there is a strong possibility that entire batches of personal information will be "dumped on the black market," his privacy (and the privacy of class members) has been invaded, he has been forced to spend time and money to monitor his credit, and Plaintiff has suffered severe emotional distress from having his most sensitive health information disclosed. Id. at 6-7. Plaintiff brings ten causes of action under state and federal law in his personal capacity and on behalf of a class, including: (1) breach of confidence based on an unauthorized disclosure to third parties; (2) violation of Ohio Consumer Sales Practices Act, Oh. Rev. C. § 1345.01 ; (3) negligence; (4) breach of contract; (5) breach of implied contract; (6) unjust enrichment; (7) Oh. Rev. C. § 2307.60 Civil Action for Damages for Criminal Act; (8) Willful Violation of the Fair Credit Reporting Act, 15 U.S.C. § 1681 ; (9) Negligent Violation of the Fair Credit Reporting Act, 15 U.S.C. § 1681 ; and (10) Violation of Oh. Rev. C. § 3701.243 for the disclosure of HIV status. (ECF No. 6). Defendant has moved to dismiss Plaintiff's complaint, arguing that this Court does not have jurisdiction because Plaintiff has alleged no injury and cannot establish standing and that Plaintiff also has failed to state a claim for relief on each of the ten counts. (ECF No. 9). Plaintiff has responded opposing Defendant's Motion to Dismiss (ECF No. 15), and Defendant has timely replied (ECF No. 17).

II. STANDARD OF REVIEW

A. 12(b)(1)

When subject matter jurisdiction is challenged pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, the plaintiff has the burden of proving jurisdiction. Moir v. Greater Cleveland Reg'l Transit Auth. , 895 F.2d 266, 269 (6th Cir. 1990) (citing Rogers v. Stratton Industries, Inc. , 798 F.2d 913, 915 (6th Cir. 1986) ). Federal Rule of Civil Procedure 12(b)(1) motions to dismiss based upon subject matter jurisdiction generally come in two varieties: (1) a facial attack on subject matter jurisdiction; and (2) a factual attack on subject matter jurisdiction. See Ohio Nat'l Life Ins. Co. v. United States , 922 F.2d 320, 325 (6th Cir. 1990) (identifying the two types of 12(b)(1) motions to dismiss). Facial attacks on subject matter jurisdiction "merely question the sufficiency of the pleading." Id. A facial attack on subject matter jurisdiction is reviewed under the same standard as a 12(b)(6) motion to dismiss. Id.

Alternatively, when a court reviews a complaint under a factual attack, "no presumptive truthfulness applies to the factual allegations." Id. In deciding a motion to dismiss based upon a factual attack, the district court must "weigh the conflicting evidence to arrive at the factual predicate that subject matter jurisdiction exists or does not exist." Id. ; see also Golden v. Gorno Bros., Inc. , 410 F.3d 879, 881 (6th Cir. 2005) ; Madison–Hughes v. Shalala , 80 F.3d 1121, 1130 (6th Cir. 1996). While weighing conflicting evidence, a trial court has wide discretion to consider affidavits and other documents to resolve disputed jurisdictional facts. Cartwright v. Garner , 751 F.3d 752, 759 (6th Cir. 2014) ; Ohio Nat'l Life Ins. Co. , 922 F.2d at 325. This Court analyzes Defendants’ Rule 12(b)(1) motion to dismiss as a factual attack because the motion challenges Plaintiff's standing based upon evidence Plaintiff does not incorporate into the complaint. See Cartwright , 751 F.3d at 760.

B. 12(b)(6)

This Court may dismiss a cause of action under 12(b)(6) for "failure to state a claim upon which relief can be granted." A 12(b)(6) motion "is a test of the plaintiff's cause of action as stated in the complaint, not a challenge to the plaintiff's factual allegations." Golden v. City of Columbus , 404 F.3d 950, 958-59 (6th Cir. 2005). The Court must construe the complaint in the light most favorable to the non-moving party. Total Benefits Planning Agency, Inc. v. Anthem Blue Cross & Blue Shield , 552 F.3d 430, 434 (6th Cir. 2008). This Court is not required, however, to accept as true mere legal conclusions unsupported by factual allegations. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). Although liberal, Rule 12(b)(6) requires more than bare assertions of legal conclusions. Allard v. Weitzman, 991 F.2d 1236, 1240 (6th Cir. 1993) (citation omitted). Generally, a complaint must contain a "short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). In short, a complaint's factual allegations "must be enough to raise a right to relief above the speculative level." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). It must contain "enough facts to state a claim to relief that is plausible on its face." Id. at 570, 127 S.Ct. 1955.

III. ANALYSIS

A. 12(b)(1) Lack of Subject Matter Jurisdiction - Standing

Defendant argues that Plaintiff's complaint must be dismissed for lack of subject matter jurisdiction because Plaintiff has not suffered an injury in fact. Defendant argues that Plaintiff has failed to: (1) allege that he suffered any harm resulting from a delayed notification; (2) to allege that his information was actually stolen or that he has suffered any injury; and (3) to allege that he actually provided sensitive health information about himself to HRS. (ECF No. 9 at 6-10). Plaintiff argues he has standing to bring his claims personally and on behalf of a class and that he has sufficiently alleged the threat of a substantial risk of harm. (ECF No.15 at 3-4).

Article III, § 2 of the United States Constitution vests federal courts with jurisdiction to address "actual cases and controversies." Coalition for Gov't Procurement v. Fed. Prison Indus., Inc. , 365 F.3d 435, 458 (6th Cir. 2004) (citing U.S. CONST. art III, § 2). The doctrine of standing, which is derived from Article III, requires a plaintiff to have a "personal stake in the outcome of the controversy." Susan B. Anthony List v. Driehaus , 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014) (internal citations and quotation marks omitted). The Supreme Court requires a plaintiff to have: "(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins , ––– U.S. ––––, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016).

This Court will consider each of Defendant's three arguments in turn.

1. Harm From Delayed Notification of Breach

Defendant first argues that Plaintiff has failed to specify what harm he suffered as a result of HRS's failure timely to disclose the data breach. (ECF No. 9 at 6-7). Defendant argues that Plaintiff is required to allege that he suffered damages as a result of the delayed notice. Id. Plaintiff failed to address this argument in his reply and has failed to carry his burden of demonstrating that standing exists. (ECF No. 15).

The plaintiff bears the burden of demonstrating that he or she has standing and is required to allege facts demonstrating the existence of each element of standing. See Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 387 (6th Cir. 2016). Here, Plaintiff merely alleges that HRS’ failure to discover the breach and notify Plaintiff in a timely manner has "resulted in financial injuries to Plaintiff Foster and Data Breach Class members." (ECF No. 6 at 12). Plaintiff has failed to allege what specific financial injury he suffered from Defendant's delay in notifying him of the data breach. Accordingly, he has failed to carry his burden of demonstrating that he has standing to pursue a claim on the basis of an injury from delayed notification. See Savidge v. Pharm-Save, Inc. , 3:17-CV-00186-TBR, 2017 WL 5986972, at *8 (W.D. Ky. Dec. 1, 2017) ("This mere allegation of harm, without accompanying factual allegations, is insufficient to warrant an inference that the alleged delay in notifying Plaintiffs of the security breach caused them cognizable injury."); see also In re Adobe Sys., Inc. Priv. Litig. , 66 F. Supp. 3d 1197, 1217 (N.D. Cal. 2014) ("Plaintiffs have not alleged any injury traceable to Adobe's alleged failure to reasonably notify customers of the 2013 data breach ... because Plaintiffs do not allege that they suffered any incremental harm as a result of the delay."); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig. , 3:19-CV-2284-H-KSC, 2020 WL 2214152, at *8 (S.D. Cal. May 7, 2020) ("To allege a ‘cognizable injury’ arising from Defendant's alleged failure to timely notify Plaintiffs of the Data Breach, Plaintiffs must allege ‘incremental harm suffered as a result of the alleged delay in notification,’ as opposed to harm from the Data Breach itself."). Accordingly, Plaintiff has failed to state that he suffered an actual injury from the delayed notification of the data breach and has failed to establish standing on this issue.

2. Injury in Fact

Defendant also argues that Plaintiff has failed to establish that he suffered an injury in fact because the complaint fails to contain any allegation that Plaintiff was actually injured by the data breach incident. (ECF No. 9 at 7). Defendant adds that threats of future injury in the data breach context are inadequate to establish an injury in fact. Id. Plaintiff argues that the Sixth Circuit takes a broad view of Article III standing in the data breach context and would consider the injury in fact element satisfied here, as it did in Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 387 (6th Cir. 2016), also a data breach case. (ECF No. 15 at 3-4).

Injury is the first and most important of Article III standing doctrine's three elements and requires a Plaintiff to show he suffered " ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’ " Spokeo, Inc. v. Robins , ––– U.S. ––––, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016) (internal citations omitted).

The Sixth Circuit recognizes that a Plaintiff can demonstrate the existence of an injury-in-fact in three ways: (1) by showing that he suffered an actual injury as applied to him; (2) even if no actual injury in the traditional sense, by showing that Defendant violated a statute and thereby concretely harmed Plaintiff through the violation; or (3) by demonstrating an imminent risk of injury. See Huff v. TeleCheck Services, Inc. , 923 F.3d 458, 464 (6th Cir. 2019), cert. denied, ––– U.S. ––––, 140 S. Ct. 1117, 206 L.Ed.2d 185 (2020)

Defendant focuses its critique on Plaintiff's insufficient allegations of imminent harm from the data breach and ignores Plaintiff's allegations of (1) actual harm and (2) harm as a result of a statutory violation.

Defendant argues that Plaintiff cannot show an imminent risk of injury because he does not allege that his information was accessed or stolen. (ECF No. 9 at 9). Defendant attacks the factual basis of Plaintiff's complaint, noting that the data breach notification letter it mailed only states that an unknown third party accessed the network, and that "[o]ne cannot infer from mere access to the ‘computer network’ alone that Plaintiff's information was accessed, then stolen ... and has been misused." Id. at 9. Plaintiff counters that the Sixth Circuit has an expansive view of imminent injury in the context of data breach cases, citing to Galaria v. Nationwide Mut. Ins. Co. , 663 Fed. Appx. 384 (6th Cir. 2016).

A plaintiff seeking to establish standing based on an imminent injury cannot satisfy the injury in fact requirement by alleging a "possible future" injury and must show that the threatened injury is "certainly impending. " Clapper v. Amnesty Intern. USA , 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (emphasis in original). In Galaria , a divided panel of the Sixth Circuit determined that plaintiffs—whose personal information had been stolen by hackers who breached Nationwide insurance company's computer networks—had standing based on "allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs." Id. at 388. Importantly, in Galaria , the plaintiffs alleged that their information had actually been stolen and that they had incurred costs to obtain credit freezes that defendant Nationwide had recommended they obtain but did not offer to cover. Id. at 386. The Sixth circuit determined that those expenditures on credit freezes were not incurred solely to "manufacture standing ... in anticipation of non-imminent harm." Id. at 388.

The Galaria court also discussed and distinguished Reilly v. Ceridian Corp. , 664 F.3d 38 (3d Cir. 2011), a data breach case where the Third Circuit determined that plaintiffs did not have standing to bring negligence and breach of contract claims based on allegations of an increased risk of identity theft and costs to monitor credit activity. The Galaria court noted that Reilly was not on point since the Galaria plaintiffs had alleged an "intentional theft of their data" whereas in Reilly there was no "evidence the intrusion was intentional or malicious ... no identifiable taking occurred" and "all that is known is that a firewall was penetrated." Galaria , 663 Fed. Appx. at 389 (quoting Reilly , 664 F.3d at 44 ).

Accordingly, Defendants are correct that the mere allegation of a risk of harm based on a data breach, without evidence of data theft or that the intruder accessed Plaintiff's specific information, is insufficient to state an "imminent" injury for purposes of Article III standing. Defendant, however, ignores that Plaintiff is also asserting an actual injury based on emotional distress and based on a violation of the Fair Credit Reporting Act, both of which are avenues for establishing an injury in fact. See Huff , 923 F.3d at 464 (6th Cir. 2019).

As the Sixth Circuit observed in Huff , a plaintiff can demonstrate actual harm by alleging emotional distress. See Huff , 923 F.3d at 463 (6th Cir. 2019) (noting that plaintiff could not establish an actual injury because he did "not suggest that he wasted time or suffered emotional distress while looking for his linked information"). Defendant does not adduce any evidence that would cast doubt on this allegation, and at the motion to dismiss stage, this allegation is sufficient to state a claim for an actual injury. See Thompson v. Equifax Info. Services, LLC , 441 F. Supp. 3d 533, 542–43 (E.D. Mich. 2020) (noting that "while Plaintiff's allegations of emotional distress may have been sufficient to confer standing at the motion to dismiss stage, on a motion for summary judgment, Thompson must set forth by affidavit or other evidence specific facts which for purposes of the summary judgment will be taken as true.") (emphasis in original) (internal quotation marks omitted) (citing Lujan v. Defs. of Wildlife , 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ); see also Bach v. First Union Nat. Bank , 149 Fed. Appx. 354, 361 (6th Cir. 2005) (noting "[a]ctual damages for a FCRA violation may include humiliation and mental distress.").

Furthermore, Defendant also fails to acknowledge that Plaintiff is asserting an injury based on harm resulting from a violation of the Fair Credit Reporting Act. While a mere procedural violation of a statute does not establish an Article III injury, a violation of a statute that results in an intangible injury can provide the basis for standing where that injury is sufficiently concrete. See Buchholz v. Meyer Njus Tanick, PA , 946 F.3d 855, 868 (6th Cir. 2020) ("if the plaintiff alleges a violation of a procedural right that protects a concrete interest, the plaintiff need not allege any additional harm beyond the one Congress has identified.") (emphasis in original) (internal citations and quotation marks omitted); Huff , 923 F.3d at 465 (citing Spokeo v. Robins , ––– U.S. ––––, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016) ).

In evaluating whether an intangible injury produces a "concrete harm" for purposes of Article III, the Sixth Circuit requires courts to consider: (1) "congressional judgment"; and (2) "the common law." Buchholz , 946 F.3d at 868 (6th Cir. 2020). With respect to the first factor, courts are required to consider "whether Congress conferred the procedural right in order to protect an individual's concrete interests." Buchholz , 946 F.3d at 868. Although Congress’ judgment is "instructive and important" because it is "well positioned to identify intangible harms that meet minimum Article III requirements" it is not determinative. Accordingly, courts are also required to examine whether the "intangible harm ... is analogous to a harm recognized at common law." Buchholz , 946 F.3d at 868.

In a recent data breach case brought pursuant to the FCRA, the Third Circuit examined both the congressional judgment and common law factors in determining whether plaintiffs alleged an Article III injury where laptops containing the plaintiffs’ unencrypted personal information were stolen from the defendant-insurer's headquarters. In re Horizon Healthcare Services Inc. Data Breach Litig. , 846 F.3d 625 (3d Cir. 2017). In Horizon , the Third Circuit determined that Plaintiffs had standing to pursue their claims based on the defendant's alleged violation of the FCRA. Id. at 641. With respect to congressional judgment, the Third Circuit determined that in enacting the FCRA, Congress "established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm." Id. at 639. The Third Circuit also observed that the common law factor was easily satisfied since "the ‘intangible harm’ that FCRA seeks to remedy ‘has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for a lawsuit in English or American courts." Id. at 639–40.

This Court finds the Third Circuit's reasoning in Horizon persuasive. The disclosure of plaintiff's sensitive medical information to a third party—even where, as here, that third party is a hacker—constitutes an invasion of privacy, the very type of injury that Congress enacted the FCRA to remedy. While Defendant argues that "one cannot infer from mere access ... that Plaintiff's information was accessed, then stolen," Defendant has provided no evidence to support this assertion and indeed acknowledges in the data breach notice that it is "unable to definitively rule out" the possibility that patient information was accessed or stolen. (ECF No. 9-1 at 2). Defendant has failed to provide factual evidence that would definitively disprove Plaintiff's allegation of injury. Accordingly, in addition to stating an injury in fact by alleging emotional distress, Plaintiff has also alleged an Article III injury by pleading a violation of the FCRA through the disclosure of his sensitive medical information to a third party.

3. Plaintiff's Provision of Medical Information to HRS

Finally, Defendant argues that Plaintiff does not have standing to bring claims based on the disclosure of sensitive medical information¹ because he has failed to allege that he actually provided sensitive health information about himself to HRS or that Plaintiff's information was stored on HRS’ system. (ECF No. 9 at 9-10). Essentially, Defendant contests Plaintiff's ability to serve as a class representative, arguing he has failed to allege that his specific medical information was provided to HRS. Id.

1 Including count one (breach of confidence), count seven (civil action for damages for a criminal act), or count ten (violation of Oh. Rev. C. § 3701.243 ).

When bringing a class action, a class representative "must demonstrate individual standing vis-as-vis the defendant; he cannot acquire such standing merely by virtue of bringing a class action." See Fallick v. Nationwide Mut. Ins. Co. , 162 F.3d 410, 423 (6th Cir. 1998) (citing Brown v. Sibley, 650 F.2d 760, 770 (5th Cir. 1981) ).

Defendant's argument that Plaintiff cannot establish individual standing and so cannot represent a class of individuals whose sensitive medical information was disclosed, however, is belied by several of the paragraphs of the complaint. For example, in paragraphs 26-27 and 86, Plaintiff alleges that HRS collected his own sensitive medical information as part of its ordinary course intake process:

26. HRS maintains medical records that include substance testing, mental health, and HIV status.

27. HRS conducts an initial patient intakes for new patients, including Plaintiff, which includes questions about substance abuse, mental health, and HIV status.

28. The breach involved the most sensitive health information related to their patients’ mental health history, substance abuse history, Sexually Transmitted Infection (STI) history, and Human Immunodeficiency Virus (HIV). [sic] history.

...

86. Plaintiff Foster and the Data Breach Class members were required to provide Defendant HRS their Personal Information in order to receive Defendant HRS’ services.

(ECF No. 6 at 6, 17). Plaintiff also alleges that Defendant stored his sensitive medical information on its networks by alleging that an unauthorized IP address had accessed the network containing his personal information:

8. The present case stems from the unauthorized access of Defendant HRS’ computer storage systems. On February 5, 2019, Defendant HRS discovered that an unauthorized IP address had remotely accessed its computer network which contained the Personal Information of Plaintiff Foster and Data Breach Class members since November 14, 2019.

Id. at 3. These allegations are sufficient to establish an individualized injury traceable to Defendant's conduct and thus, individual standing. Spokeo, Inc. v. Robins , ––– U.S. ––––, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016).

B. 12(b)(6) Failure to State a Claim

Defendant also moved to dismiss each count of Plaintiff's complaint arguing that Plaintiff has failed to state a claim upon which relief can be granted. (ECF No. 9 at 10). This Court will consider Defendant's arguments as to each count of Plaintiff's complaint.

1. Count 1 – Breach of Confidence

First, Defendant argues that Plaintiff failed to plead a breach of confidence claim because the disclosure element of a confidence claim is not met where a third party accesses a health care provider's medical records without authorization. Id. at 10-11. Plaintiff counters that Ohio courts find that the disclosure element is satisfied even where the disclosure of the protected health information was not intentional. (ECF No. 15 at 6). According to Plaintiff, Ohio courts do not look to whether Defendant's disclosure was intentional, instead, those courts look to whether a breach of confidence was foreseeable in light of Defendant's conduct. Id. at 7.

The Supreme Court of Ohio recognizes a cause of action for breach of confidence, also known as a Biddle claim for:

the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.

Biddle v. Warren Gen. Hosp. , 86 Ohio St.3d 395, 715 N.E.2d 518, 523 (1999). In Biddle , the Ohio Supreme Court determined that a hospital who released patient medical information to a law firm for purposes of collecting unpaid medical bills could be liable for the tort of breach of confidence. Id. at 524.

Biddle did not consider situations where a disclosure was made inadvertently or unintentionally, but Ohio Courts of Appeal have observed that an intentional disclosure is not a necessary element for stating a claim for breach of confidence. See Scott v. Ohio Dept. of Rehab. & Corr. , 999 N.E.2d 231, 240 (Ohio App. 10th Dist. 2013) (granting motion for summary judgment on Biddle claim brought by prisoners whose medical information was left in trash cans accessible to other inmates noting that "[w]ithout precluding that an inadvertent disclosure might, under different facts, fulfill the elements of Biddle , the present case does not."); Sheldon v. Kettering Health Network , 40 N.E.3d 661, 675 (Ohio App. 2d Dist. 2015) (granting motion to dismiss Biddle claim where plaintiffs’ medical information was accessed by her ex-husband, an employee of defendant, covertly and without the defendant's permission, noting that "at best, the plaintiffs’ claim against KHN is predicated upon KHN's alleged failure to earlier detect Sheldon's intentional, unauthorized access through procedures required by HIPAA."). This Court, when applying Ohio law on this tort, has similarly determined that such claims do not require that the disclosure be intentional. See Doe One v. Caremark, L.L.C. , 348 F. Supp. 3d 724, 736 (S.D. Ohio 2018) (Sargus, J.) (denying motion to dismiss and determining that plaintiff had sufficiently alleged Biddle claim where plaintiffs alleged that defendant had sent a mailing that revealed plaintiffs’ personal health information through a window on the envelope).

Although the Caremark court ultimately determined that plaintiffs had stated a claim for breach of confidence, that case is distinguishable because the Caremark defendants disclosed the plaintiffs’ medical information and HIV status on the front of an envelope that was mailed using a public mail carrier. See Caremark, L.L.C. , 348 F. Supp. 3d at 736. In both Scott and Sheldon , however, Ohio courts did not allow plaintiffs to pursue claims for breach of confidence where third parties intercepted or accessed plaintiffs’ privileged information, and defendants did not disseminate or disclose this information either intentionally or unintentionally. In Scott , the court granted summary judgment to the defendants and specifically noted "the known propensity of some inmates to ingeniously and maliciously exploit any opportunity for leverage over staff or fellow inmates." See Scott , 999 N.E.2d at 240. In Sheldon , the court noted that the facts alleged did not constitute a "disclosure" by the defendant health network since the health network did not permit an ex-husband (who was also an employee) to access his ex-wife's medical information and the ex-husband acted intentionally and willfully in a clear departure from his employment. See Sheldon , 40 N.E.3d at 668.

Here, just as in Sheldon and Scott , Plaintiff alleges that Defendant was aware of security vulnerabilities but did nothing to remedy those vulnerabilities before an unauthorized third party breached the network and potentially accessed his vulnerable medical information. Pursuant to Ohio law, these allegations are not sufficient to state a claim for breach of confidence because Defendant did not commit an intentional or unintentional act of disclosure. Instead, what is alleged is that a third party has exploited Defendant's security weakness to access the information without Defendant's authorization, as in Sheldon and Scott . Accordingly, Plaintiff fails to state a claim for breach of confidence.

2. Count 2 – Violation of Ohio Consumer Sales Practices Act

Defendant also argues that Plaintiff fails to plead a violation of the Ohio Consumer Sales Practices Act ("OCSPA"), Oh. Rev. C § 1345, because: (1) Plaintiff did not allege that Defendant's failure to keep its network in compliance with industry was "unfair or deceptive" conduct in connection with the consumer transaction at issue— the provision of outpatient and residential treatment options; (2) Plaintiff does not allege that the "unfair or deceptive conduct" impacted his decision to purchase HRS’ services; (3) the complaint fails to identify the notice requirement of Oh. Rev. C § 1345; and (4) the complaint fails to identify actual damages proximately caused by HRS’ allegedly "unfair or deceptive" conduct. (ECF No. 9 at 12-13). Plaintiff argues that it has satisfied the notice requirement, citing to a recent consent judgment published by the Ohio Attorney General addressing a data breach incident resulting in the unauthorized disclosure of certain consumers’ protected health information by a health insurance provider. (ECF No. 15 at 9). Plaintiff does not address Defendant's other three arguments.

The OCSPA prohibits "unfair or deceptive act or practice in connection with a consumer transaction" and permits consumers to bring an individual cause of action to "rescind the transaction or recover the consumer's actual economic damages plus an amount not exceeding five thousand dollars in noneconomic damages." Oh. Rev. C. § 1345.02, 1345.09. A consumer is entitled to bring a class action only if the alleged violation:

was an act or practice declared to be deceptive or unconscionable by rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based, or an act or practice determined by a court of this state to violate section 1345.02, 1345.03, or

1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code ...

Oh. Rev. C. § 1345.09(B). The plaintiff's complaint must allege that defendant's conduct was substantially similar to conduct that was either: (1) established as deceptive by an Ohio administrative rule; or (2) found to be deceptive by an Ohio state Court decision. See Phillips v. Philip Morris Companies Inc. , 290 F.R.D. 476, 478 (N.D. Ohio 2013) ("The complaint contains no allegation that defendants engaged in conduct that was "substantially similar" to conduct that was found deceptive by an Ohio administrative rule or an Ohio state court decision, as required by Section 1345.09(B)"); In re Porsche Cars N.A., Inc. , 880 F. Supp. 2d 801, 868 (S.D. Ohio 2012) (noting "a plaintiff must identify in his or her complaint the rule or case that satisfies Section 1345.09(B) ’s notice requirement.").

Here, Plaintiff has failed to plead the notice requirement in his complaint. Instead, Plaintiff argues in his response that the notice requirements of Oh. Rev. C § 1345.09 are fulfilled by a recent "judgment order" entered into between the Ohio Attorney General and Premera Blue Cross relating to a "data security incident involving its computer network system which resulted in the unauthorized disclosure of certain consumers’ personal information and protected health information." (ECF No. 15 at 9-10). That order, however, is a consent judgment which explicitly states: "this Order does not constitute evidence or an admission regarding the existence or non-existence of any issue, fact, or violation of any law alleged by Plaintiff." State of Ohio ex rel. Attorney General Dave Yost v. Premera Blue Cross , 19-cv-005610 ¶1.4 (July 22, 2019). The other judgement Plaintiff cites to relating to the Target data breach is also a consent judgment. (ECF No. 15 at 10).

Consent judgments are "essentially a court sanctioned settlement." Gascho v. Glob. Fitness Holdings, LLC , 863 F. Supp. 2d 677, 693 (S.D. Ohio 2012). Courts in this district and the Northern District have consistently held that such judgments do not put a defendant on notice because they do "not contain determin[ations] by a court of this state[,] as that phrased is used in Ohio Revised Code § 1345.09(B)." Id. at 694 (internal quotation marks omitted); see also Pattie v. Coach, Inc. , 29 F. Supp. 3d 1051, 1057 (N.D. Ohio 2014) (determining that "consent decrees and default judgment cannot serve as the basis of prior notice"); Kline v. Mortg. Elec. Sec. Sys. , 2010 WL 6298271, at *8 (S.D. Ohio Dec. 30, 2010), report and recommendation adopted , 2011 WL 1125346 (S.D. Ohio Mar. 25, 2011) (same); Robins v. Glob. Fitness Holdings, LLC , 838 F. Supp. 2d 631, 649 (N.D. Ohio 2012) (same); Smith v. Transworld Sys., Inc. , C-3-96-166, 1997 WL 1774879, at *6 (S.D. Ohio July 31, 1997) (determining that "consent judgments which are of little, if any, precedential value" could not serve as basis of prior notice for OCSPA claim). Accordingly, Plaintiff cannot proceed with his Ohio OCSPA class claims because he failed to plead the notice requirement in his complaint by pointing to a rule or Ohio courts decision that would put Defendant on notice of the alleged unfair or deceptive conduct.

Plaintiff also failed to respond to Defendant's first, second, and fourth arguments which relate primarily to Plaintiff's individual capacity OCSPA claims. Plaintiff's failure to respond to these arguments constitutes a forfeiture of these claims. See Notredan, L.L.C. v. Old Republic Exch. Facilitator Co. , 531 Fed. Appx. 567, 569 (6th Cir. 2013) ("Old Republic's motion to dismiss contended that Notredan's complaint did not state a claim for breach of fiduciary duties.... Notredan's response to the motion to dismiss did not address this argument. This failure amounts to a forfeiture of the fiduciary-duty claim"); see also Ellison v. Knox County , 157 F. Supp. 3d 718, 724–25 (E.D. Tenn. 2016) ("It is well established in the Sixth Circuit that failure to respond to an argument made in support of a Rule 12(b)(6) motion to dismiss a claim results in a forfeiture of the claim."); Ohio Star Transp. LLC v. Roadway Exp., Inc. , 2:09-CV-00261, 2010 WL 3666982, at *3 (S.D. Ohio Sept. 14, 2010) ("Defendant raises this argument, but Plaintiff does not respond, thereby waiving its ability to challenge the argument and effectively conceding the point.").

3. Count 3 - Negligence

Defendant argues that the economic loss doctrine bars Plaintiff's claim for costs incurred to monitor his credit since purely economic losses are not recoverable absent personal injury or physical damage to one's property. (ECF no. 9 at 15). Plaintiff counters that the economic loss doctrine does not apply since he has alleged more than just economic loss including "severe emotional distress as a result of the exposure of his most sensitive health information, which includes mental health and substance abuse treatment." (ECF No. 15 at 11).

The economic loss rule prevents a plaintiff's recovery in tort for damages of a purely economic nature. See Corporex Dev. & Constr. Mgt., Inc. v. Shook, Inc. , 106 Ohio St.3d 412, 835 N.E.2d 701, 704 (2005) ("[T]he well-established general rule is that a plaintiff who has suffered only economic loss due to another's negligence has not been injured in a manner which is legally cognizable or compensable.") (internal citations and quotations marks omitted).

The economic loss doctrine does not bar Plaintiff's claims for emotional distress. See Lawyers Coop. Publg. Co. v. Muething , 65 Ohio St.3d 273, 603 N.E.2d 969, 972–73 (1992) (noting "Muething does not seek recovery simply for economic losses. As explained below, his allegations of humiliation and loss of reputation are allegations of personal injury ..."). Plaintiff's claims for emotional distress, however, are "virtually indistinguishable from his claim for negligent infliction of emotional distress" and Ohio courts do not permit such claims to proceed absent an allegation that Plaintiff "feared or saw some quantifiable physical loss." Id. at 975. Plaintiff has not alleged such physical injuries and so he may not proceed with his negligent infliction of emotional distress claim.

The remaining question is whether Plaintiff's negligence claim premised on monetary damages for expenditures on credit monitoring fall within the purview of the economic loss doctrine or whether that claim must instead be pursued as a contract claim. Plaintiff argues that a "special relationship" exception applies to permit these damages to be pursued as tort claims. (ECF No. 15 at 13). Plaintiff, however, misunderstands the application of the special relationship exception. Ordinarily, under the economic loss rule, a plaintiff who has suffered economic loss due to another's negligence cannot recover damages. See Corporex , 835 N.E.2d at 704. This is problematic where a party is harmed by a defendant's provision of false information but is not in contract with that party. The Supreme Court of Ohio specifically limited the application of this exception to:

those limited circumstances in which a person, in the course of business, negligently supplies false information, knowing

that the recipient either intends to rely on it in business, or knowing that the recipient intends to pass the information on to a foreseen third party or limited class of third persons who intend to rely on it in business.

Corporex , 835 N.E.2d at 705. The Ohio Supreme Court noted that this was a rule of privity and did not impose a duty apart from that which would hold an accountant liable for professional negligence. Id. Plaintiff does not explain why this exception would apply to the facts of this case where Plaintiff has simultaneously alleged a breach of contract and breach of implied contract claim based on the same set of facts. Plaintiff also cannot point to a separate duty imposed upon Defendant to prevent security breaches.²

2 To establish a claim for negligence a plaintiff must show "the existence of a duty owing from the defendant to the plaintiff or injured party, a breach of that duty, and that the breach was the proximate cause of resulting damages." Zavinski v. Ohio Dept. of Transportation , 135 N.E.3d 1170, 1179 (Ohio App. 10th Dist. 2019) (citing Strother v. Hutchinson , 67 Ohio St.2d 282, 285, 423 N.E.2d 467 (1981) ). Whether a duty exists in a negligence action is a question of law. Id. The sole Ohio Appeals court to have considered the issue determined that HIPAA regulations "cannot be the basis of a negligence per se theory of recovery" and cannot constitute evidence of a duty of care. See Sheldon v. Kettering Health Network , 40 N.E.3d 661, 676 (Ohio App. 2d Dist. 2015) (noting "we choose not to follow" decisions of other state courts that view HIPAA regulations as "evidence of a the duty of care.").

Courts in Ohio permit a plaintiff to pursue a tort claim at the same time as a breach of contract claim if "the plaintiff is able to demonstrate that tortious conduct by the defendant ... breached ‘a duty owed separately from that created by the contract, that is, a duty owed even if no contract existed.’ " Wells Fargo Bank, N.A. v. Fifth Third Bank , 931 F. Supp. 2d 834, 839 (S.D. Ohio 2013). Plaintiff must also allege "actual damages attributable to the wrongful acts of the alleged tortfeasor which are in addition to those attributable to the breach of the contract." Id. at 839. Here, Plaintiff's tort and breach of contract claims are premised on the same allegations of wrongdoing and are based on the same claims for damages. Accordingly, Plaintiff's negligence claim is barred by the economic loss doctrine.

4. Count 4 – Breach of Contract

Defendant next argues that Plaintiff has failed to plead the existence of a valid contract and Defendant's breach of any specific provisions in that contract. (ECF No. 9 at 15). Plaintiff counters that he has alleged that he and putative class members all entered into express agreements with Defendant relating to the protection of their health information and that Defendant breached these agreements. (ECF No. 15 at 13). To state a claim for breach of a contract, a plaintiff is required to plead "the existence of a contract, performance by the plaintiff, breach by the defendant, and damage or loss to the plaintiff." Shugart v. Ocwen Loan Servicing, LLC , 747 F. Supp. 2d 938, 941 (S.D. Ohio 2010).

Plaintiff argues that where a health care provider fails to comply with a privacy practice agreement, a plaintiff is entitled to pursue a breach of contract action, citing Smith v. Triad of Alabama, LLC , 1:14-CV-324-WKW, 2015 WL 5793318, at *14 (M.D. Ala. Sept. 29, 2015). In Smith , plaintiffs alleged the existence of a "Notice of Privacy Practices" and argued that notice constituted an express or implied contract between them and defendant, who was responsible for plaintiffs’ sensitive medical information. Id. The Smith defendant moved to dismiss plaintiffs’ claims, contesting the existence of the notice and that any such agreement was breached. The district court rejected this argument, on the basis that defendant's arguments were inappropriate for resolution at the motion to dismiss stage since those arguments "require fact-intensive inquiries and are ultimately based on a document outside of the pleadings." Id.

Defendant argues that Smith is inapposite because the Smith plaintiffs specifically identified the contract at issue and the provisions that were breached. It is "a basic tenet of contract law that a party can only advance a claim of breach of written contract by identifying and presenting the actual terms of the contract allegedly breached." Robinson v. Chuy's Opco, Inc. , 1:17-CV-123, 2017 WL 4247547, at *3 (S.D. Ohio Sept. 25, 2017) (citing Harris v. Am. Postal Workers Union , 198 F.3d 245 (6th Cir. 1999) ). The Sixth Circuit does not permit a party to allege, in a cursory manner, the existence of a contract without pointing to specific language that was allegedly breached. See Northampton Rest. Group, Inc. v. FirstMerit Bank, N.A. , 492 Fed. Appx. 518, 522 (6th Cir. 2012) (affirming district court's grant of motion to dismiss for failure to state a claim where plaintiff "did not attach any contracts to its complaint and did not include the language of any specific contractual provisions that had been breached by the bank" noting that it would be "inappropriate to allow Northampton to use the discovery process to find the contracts in dispute after filing suit.").

Although Plaintiff alleges that he and class members entered into an agreement with Defendant, he does not attach the agreement in question or specify what provisions of that contract were breached. In the Sixth Circuit, this is insufficient to state a claim for breach of contract. See Harris , 198 F.3d 245 (6th Cir. 1999) (determining that district court properly dismissed plaintiff's claim where she did not specifically allege or introduce the contractual terms that defendant allegedly violated).

5. Count 5 – Breach of Implied Contract

Defendant argues that Plaintiff cannot establish the existence of an implied contract because Plaintiff pleads no facts regarding the circumstances of the transaction that make it reasonably certain that HRS and Plaintiff entered into an agreement. (ECF No. 9 at 17). Plaintiff responds that no such details are necessary when pleading an implied contract, since the very nature of an implied contract claim means the existence of a contract is necessarily in dispute. (ECF No. 15 at 14-15).

A breach of implied contract claim shares the same elements of an express contractual claim, "offer, acceptance, consideration, and a meeting of the minds." Randleman v. Fid. Nat. Title Ins. Co. , 465 F. Supp. 2d 812, 818 (N.D. Ohio 2006) (citing Danko v. MBIS, Inc., 1995 WL 572021, at *3 (Ohio App. 1995) ). The terms of an implied in fact contract "are determined by the Court based upon the facts and circumstances surrounding the transaction." Macula v. Lawyers Title Ins. Corp. , 1:07 CV 1545, 2008 WL 3874686, at *3 (N.D. Ohio Aug. 14, 2008) (citing Linder v. Am. Nat'l. Ins. Co., 155 Ohio App.3d 30, 37, 798 N.E.2d 1190 (2003) ).

Here, Plaintiff alleges that he and class members entered into an implied agreement with Defendant HRS which required them to provide their personal information in exchange for treatment services. Plaintiff further alleges that Defendant HRS represented that it would keep this information secure, and that HRS breached this obligation. (ECF No. 6 at 16-17). These allegations are sufficient at this stage to state a claim for breach of implied contract since they specifically identify a contractual undertaking that Defendant allegedly breached. See Macula v. Lawyers Title Ins. Corp. , 1:07 CV 1545, 2008 WL 3874686, at *3 (N.D. Ohio Aug. 14, 2008) (denying motion to dismiss and noting "Plaintiffs have alleged offer, acceptance, and consideration, thereby establishing the existence of a contract, and they have alleged a breach of the terms that contract. Nothing more is required at this stage of the litigation."); Randleman , 465 F. Supp. 2d at 819 (N.D. Ohio 2006) (determining that plaintiff stated all essential elements of claim of breach of implied contract by alleging that it purchased insurance from defendant, defendant had an obligation to charge a certain rate, and that defendant violated that obligation). Accordingly, Plaintiff has stated a claim for breach of implied contract.

6. Count 6 – Unjust Enrichment

Defendant argues that Plaintiff fails to state a claim for unjust enrichment because Plaintiff received the good or service that Plaintiff paid money to receive, and Plaintiff does not allege that the services he received from HRS are in some way defective. (ECF No. 9 at 18). Plaintiff argues that it has stated a claim for unjust enrichment because in addition to contracting to receive health care services from HRS, Defendant also promised to maintain the privacy of Plaintiff's protected health information. (ECF No. 15 at 15). Plaintiff argues that it is unjust for Defendant to retain payments for those services when Defendant failed to keep its promise to safeguard Plaintiff's sensitive medical information. Id.

Unjust enrichment occurs when "when a party retains money or benefits which in justice and equity belong to another." Dailey v. Craigmyle & Son Farms, L.L.C. , 177 Ohio App.3d 439, 894 N.E.2d 1301, 1309 (4th Dist. 2008) (internal citations omitted). To state a claim for unjust enrichment, a plaintiff must allege: "(1) a benefit conferred by a plaintiff upon a defendant; (2) knowledge by the defendant of the benefit; and (3) retention of the benefit by the defendant under circumstances where it would be unjust to do so without payment." Id.

Here, Plaintiff has alleged all of the elements of an unjust enrichment claim. Plaintiff alleges that he conferred a benefit on Defendant by paying Defendant for health care services pursuant to an implied contract which required Defendant to safeguard Plaintiff's sensitive medical information. Plaintiff alleges that Defendant failed to safeguard this information but has retained the payment made by Plaintiff for those services. Accordingly, Plaintiff has stated a claim for unjust enrichment. See Delahunt v. Cytodyne Techs. , 241 F. Supp. 2d 827, 836 (S.D. Ohio 2003) (determining that plaintiff had stated a claim for unjust enrichment under Ohio law by alleging that plaintiff conferred a benefit on defendants in exchange for a product that was not what defendants purported it to be).

Defendant also argues that Plaintiff's claim for unjust enrichment is deficient because Plaintiff alleges the existence of an express contract. (ECF No. 9 at 18). As this Court has determined above, Plaintiff has failed to plead the existence of an express contract but has alleged the existence of an implied contract. Additionally, a party can plead both claims in the alternative. See Cristino v. Bur. of Workers’ Comp. , 977 N.E.2d 742, 753 (Ohio App. 10th Dist. 2012) (noting "[b]ecause alternative pleading is permissible, a party may plead both a breach-of-contract claim and an unjust-enrichment claim without negating the validity of either claim."). Accordingly, this is not a basis for dismissing Plaintiff's unjust enrichment claim.

7. Count 7 – Civil Action for Damages for Criminal Act

Defendant argues that Plaintiff's civil action for damages claims pursuant to Oh. Rev. C. § 2307.60 must be dismissed because Defendant has not committed a crime or been convicted of a criminal act. Plaintiff argues that this Court should decline to follow Ohio appeals courts that have required a criminal conviction to state a claim pursuant to this statute because such a requirement "removes all teeth from the statute." (ECF No. 15 at 15).

Although Defendant is correct that several courts had previously required a conviction to state a claim for a civil action for a criminal act,³ the Ohio Supreme Court recently interpreted § 2307.60 and determined that "the plain language of the statute does not require proof of an underlying criminal conviction." Buddenberg v. Weisdack , 2020-Ohio-3832, ¶11, 161 N.E.3d 603, 606 (Oh. 2020). Accordingly, Plaintiff need not allege an underlying criminal conviction in order to state a claim for civil action for damages or a criminal act.

3 See e.g., Jane v. Patterson , 2017 WL 1345242, at *4 (N.D. Ohio, 2017).

Defendant also argues that Plaintiff has failed allege that Defendant committed a criminal act and that Plaintiff's bare recitation of a list of statutes that Defendant violated is insufficient to state a claim for damages for a criminal act. Fed. R. Civ. P. 8(a)(2) requires a plaintiff's complaint to contain "a short and plain statement of the claim." In his complaint, Plaintiff alleges that Defendant violated a list of five statutes, without outlining how Defendant's conduct violated each of those statutes respectively. This is insufficient to state a claim for civil action for damages for a criminal act. C.f., Jacobson v. Kaforey , 39 N.E.3d 799, 803, 2015 -Ohio 2624, ¶ 15 (Ohio App. 9 Dist. 2015) (denying motion to dismiss § 2307.6 claim where plaintiff had satisfied civil Rule 8(A) ’s requirements because "[i]n addition to the specific criminal code sections [plaintiff] claimed were violated, each count was accompanied by claims of specific conduct."). Accordingly, Plaintiff has failed to state § 2307.60 claim.

8. Counts 8 & 9 – Willful and Negligent Violation of the FCRA

Defendant next argues that Plaintiff's claims for willful and negligent violation of the FCRA must be dismissed because the HRS is not a "consumer reporting agency" because it does not "assemble or evaluate consumer information in exchange for fees." (ECF No. 9 at 20). Plaintiff argues that Defendant is a consumer reporting agency ("CRA") because it receives a fee for coordinating "the monitoring, treatment, testing, and reporting of consumers with third parties." (ECF No. 15 at 17). Plaintiff adds that the determination of whether Defendant is a CRA is a factual dispute not suited for resolution at the motion to dismiss stage. Id.

The FCRA creates a cause of action for willful or negligent violations of its provisions. 15 U.S.C. § 1681n -o. Plaintiff alleges that Defendant failed to comply with 15 U.S.C. § 1681b which requires the adoption of reasonable procedures for safeguarding the confidentiality of personal information and § 1681e which requires CRAs to maintain procedures to limit the furnishing of consumer reports. (ECF No. 6 at 21). The FCRA defines a consumer report as:

any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for--

(A) credit or insurance to be used primarily for personal, family, or household purposes;

(B) employment purposes; or

(C) any other purpose authorized under section 1681b of this title.

§ 1681a (d)(1). The definitions section includes several exceptions to the definition of consumer reports, but those exceptions do not apply to most medical information. § 1681a(d)(3)(A). The FCRA also defines a consumer reporting agency as:

any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

§ 1681a (f).

While several courts considering the issue have determined that certain health care providers are not consumer reporting agencies,⁴ a determination of whether a health care provider is a consumer reporting agency is a fact intensive inquiry that requires a court to analyze the defendant's business offerings and whether it meets any of the specified exceptions to the FCRA.

4 See Christensen v. Saint Elizabeth Medical Center, Inc. , 2020 WL 3491371, at *4 fn 2 (E.D. Ky., 2020) (determining that defendants, a health care provider were not a CRA); Doe One v. Caremark, L.L.C. , 348 F.Supp.3d 724, 740 (S.D. Ohio, 2018) (determining that defendant, a pharmacy benefits manager, was not a consumer reporting agency within the meaning of the FCRA).

Defendant argues that health care providers can never be considered consumer reporting agencies, citing to Tierney v. Advoc. Health and Hosps. Corp. , 797 F.3d 449, 452 (7th Cir. 2015). In Tierney , however, the Seventh Circuit made a specific determination that the defendant-hospital did not meet the definition of a CRA because the payments that the defendant received in exchange for these reports were for "for health care services that its physicians have rendered" and not "for assembling patient information." Id. ; see also In re: Community Health Systems, Inc. , 2016 WL 4732630, at *21 (N.D. Ala., 2016) (granting motion to dismiss FCRA claim where plaintiffs alleged only that "the fees collected were for healthcare services, not for assembling or evaluating information on consumers.").

Here, Plaintiff has alleged facts that would permit it to pursue a cause of action for willful and negligent violations of the FCRA because Plaintiff has alleged that Defendant, in the regular course of its business, is paid a fee—separate and apart from the fee paid for the provision of its health care services—to transmit reports containing consumers’ personal information. (ECF No. 15 at 17). This is sufficient to state a claim for violations of the FCRA. 9. Count 10 – Violation of Oh. Rev. C. § 3701.243

Finally, Defendant argues that Plaintiff's Oh. Rev. C. § 3701.243 claim must be dismissed because Plaintiff has failed to allege that the violation of § 3701 was knowing and because that statute only applies to government agencies and persons. (ECF No. 9 at 20-21). Plaintiff counters that another section of the statute references that this statute applies to all health care facilities in the state. (ECF No. 15 at 18).

Oh. Rev. C. § 3701.243 prohibits the disclosure of the identify of any individual on whom an HIV test is performed, the results of any HIV test, and the identity of any individual diagnosed as having AIDS or an AIDS related virus, subject to certain restrictions. A person injured by a violation of § 3701.243 can bring an action for a violation against the individual violating § 3701.243 or that individual's employer, provided that the disclosure is a knowing violation:

(B) A person or an agency of state or local government that knowingly violates division (A) of section 3701.242, division (A) of section 3701.243, or division (E) of section 3701.248 of the Revised Code may be found liable in a civil action

(C) No person shall be held liable for damages or attorney's fees in an action based on a violation of section 3701.243 of the Revised Code by his employee or agent unless the person knew or should have known of the violation.

3701.244(B)-(C) (emphasis added). Here, Plaintiff alleges that as a result of the data breach, Defendant disclosed the HIV status of Plaintiff and putative class members. (ECF No. 6 at 24). Plaintiff does not allege that Defendant knowingly violated § 3701.42. Accordingly, Plaintiff cannot state a claim pursuant to Oh. Rev. C. § 3701.243. See Ackerman v. Med. College of Ohio Hosp. , 680 N.E.2d 1309, 1312, 113 Ohio App.3d 422, 426 (Ohio App. 10 Dist.,1996) (affirming trial court's dismissal of § 3701.244 claim where plaintiff did not allege that defendant knew of its employee's violation of the statute). Because Plaintiff fails to state that Defendant knowingly violated this statute, this Court need not determine whether § 3701.243 also applies to non-governmental entities.

IV. CONCLUSION

For the reasons set forth above, this Court GRANTS in part and DENIES in part Defendant's Motion to Dismiss. Counts one, two, three, four, seven, and ten of Plaintiff's complaint are hereby dismissed.

IT IS SO ORDERED.