`
`
`ACCESS HEALTHCARE PHYSICIANS,
`LLC,
`
`Case No. 8:21-cv-2306
`
`Plaintiff,
`
`
`
`vs.
`
`IT POSSIBLE, LLC, a Maryland limited
`liability company and KIRIT DESAI
`
`Defendants.
`
`UNITED STATES DISTRICT COURT
`MIDDLE DISTRICT OF FLORIDA
`TAMPA
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`VERIFIED COMPLAINT AND INJUNCTIVE RELIEF REQUESTED
`
`
`
`
`
`
`Plaintiff, Access Health Care Physicians, LLC, a Florida limited liability
`
`company (“Access Health”) hereby files this Verified Complaint against
`
`Defendants, IT Possible, LLC, a Maryland limited liability company (“IT
`
`Possible”), and Kirit Desai (“Mr. Desai”)(collectively “Defendants”), and states as
`
`follows:
`
`INTRODUCTION
`
`1.
`
`The plotline of this controversy starts out in an all too familiar fashion:
`
`after Access Health rejected their business proposal, the disgruntled Defendants
`
`steal something of value of Access Health’s and use the property for leverage. This
`
`case is about Defendants’ computer and data abuse, unauthorized access through
`
`domain hijacking, and ongoing wrongful retention of Access Health’s cyber
`
`property without a right of possession.
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 2 of 39 PageID 2
`
`2.
`
`Plaintiff in this action, Access Health, is a medical group that has
`
`thousands of patients through the State of Florida, with 88 medical offices and over
`
`213 health care providers in 25 different cities. Access Health’s internet presence
`
`is one of the most valuable assets to its wide-spread business, as evinced by Access
`
`Health’s 14 different active websites and domains. Indeed, over the last decade,
`
`Access Health, along with its founder and primary owner, Dr. Pariksith Singh (“Dr.
`
`Singh”), have purchased, registered and maintained 78 domain names over the last
`
`decade through the domain registrar, GoDaddy Operating Company, LLC
`
`(“GoDaddy”), in order to house their websites.
`
`3.
`
`Defendant, Desai, and his non-party wife, Dr. Pratibha Desai (“Dr.
`
`Desai”) operate multiple Hematology and Oncology practices and related
`
`businesses. In 2018, Defendant, Mr. Desai and Dr. Desai solicited Access Health to
`
`jointly form an entity named Comprehensive Hematology Oncology, LLC (“CHO”).
`
`Thus, in anticipation of its new business venture, Access Health purchased 12
`
`domain names under its existing account with GoDaddy to be used for CHO.
`
`Notably, Access Health never provided the login credentials or authorized Desai to
`
`access or use its GoDaddy account. Shortly after the initiation of CHO, the parties
`
`fell into a dispute, and Access Health withdrew from its involvement in CHO.
`
`Sometime thereafter, Desai hired Defendant, IT Possible, as its technology vendor
`
`in connection with CHO.
`
`4.
`
`The issues in this case arose three weeks ago, when Defendants
`
`hijacked Access Health’s domain names by gaining unauthorized access to Access
`
`2
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 3 of 39 PageID 3
`
`Health’s GoDaddy account. Typically, when one hears “cyber theft”, they imagine
`
`a shady character sitting behind a slew of monitors, working hours on end to
`
`infiltrate secured networks through intensive coding and password cyphering. In
`
`reality, cyber theft has surfaced through much simpler social engineering attacks
`
`known as domain hijacking, which is the simple act of modifying or transferring
`
`control of the registration of a domain name without the permission of its original
`
`registrant. As further alleged below, Defendants here “hijacked” the Access
`
`Health’s domains by making misrepresentations to persuade Access Health’s
`
`domain registrar, GoDaddy, into modifying the primary email address linked to
`
`the account, and then, Defendants simply changed the login credentials to “lock”
`
`Access Health out of its own account.
`
`5.
`
`Despite multiple requests, Defendants refuse to return Access
`
`Health’s GoDaddy account information and currently retain possession of Access
`
`Health’s domains. Defendants have impaired the availability of Access Health’s
`
`data and prevented Access Health from its ability to effectively maintain its domain
`
`names, and in turn, its online business presence. Unless Defendants are enjoined
`
`immediately, there will be substantial, imminent, and irreparable financial and
`
`reputational harm to Access Health. This is a civil action for injunctive relief and
`
`damages against Defendants for violations under the Computer Fraud and Abuse
`
`3
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 4 of 39 PageID 4
`
`Act1 and the Florida Computer Abuse and Data Recovery Act2, and for civil
`
`conversion.
`
`PARTIES
`
`6.
`
`Plaintiff, Access Health, is a Florida limited liability company with a
`
`principal address in Spring Hill, Florida. Access Health is a Florida-based multi-
`
`service medical facility that provides primary care services and diagnostic testing
`
`for thousands of Florida patients.
`
`7.
`
`Defendant, Mr. Kirit Desai, is an individual who, upon information
`
`and belief, resides in Saint Petersburg, Florida. Mr. Desai assists his wife, Dr.
`
`Desai, in the operation of various Hematology and Oncology practices and related
`
`businesses.
`
`8.
`
`Defendant, IT Possible, is a Maryland limited liability company with
`
`a principal address in Salisbury, Maryland. Upon information and belief, IT
`
`Possible provides computer and IT solutions and services to CHO, the company
`
`currently managed by Dr. and Mr. Desai.
`
`JURISDICTION AND VENUE
`
`9.
`
`This Court has jurisdiction over the subject matter of this action
`
`pursuant to 28 U.S.C. § 1331, as the action arises under the federal Computer Fraud
`
`and Abuse Act (18 U.S.C. § 1030)(“CFAA”).
`
`1 18 U.S.C. § 1030
`2 §668.801, et. seq., Florida Statutes
`
`
`
`4
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 5 of 39 PageID 5
`
`10. This Court has subject matter jurisdiction under 28 U.S.C. §1367 over
`
`the claims for violation of the Florida Computer Abuse and Data Recovery Act
`
`(§668.801, et. seq., Fla. Stat.)(“CADRA”) and state law conversion, as the
`
`supplemental claims form part of the same case and controversy as the CFAA
`
`claim.
`
`11.
`
`This Court has personal jurisdiction over Defendant, Mr. Desai,
`
`because he is a citizen of and domiciled in Florida, living within the jurisdiction of
`
`the U.S. District Court for the Middle District of Florida, Tampa Division.
`
`12.
`
` This Court has personal jurisdiction over Defendant, IT Possible, as a
`
`result of IT Possible’s unauthorized access into, and retention of property from, a
`
`“protected computer” as defined in 18 U.S.C. § 1030(e)(2)(B) that is used for
`
`commerce or communication with persons and entities in Florida, and also as a
`
`result of IT Possible’s tortious conduct causing injurious effect in Florida.
`
`13. Venue is proper in this judicial district pursuant to 28 U.S.C. §
`
`1391(b)(2) because a substantial part of the events or omissions giving rise to
`
`Access Health’s claims occurred in this judicial district.
`
`FACTS
`
`14.
`
` Access Health is a multi-service medical facility that provides primary
`
`care services and diagnostic testing for thousands of patients throughout the State
`
`of Florida. Due to its wide-spread practice, Access Health relies heavily on their
`
`websites to effectively run their businesses, as described further below.
`
`5
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 6 of 39 PageID 6
`
`15. Over the past ten years, Access Health and Dr. Singh have registered
`
`or purchased internet domains used in connection with Dr. Singh’s business
`
`ventures (the “Access Health Domains”). The registration services used in
`
`connection with the Access Health Domains have been provided by non-party,
`
`GoDaddy, a well-known internet domain registrar and web hosting company
`
`headquartered in Arizona. A true and correct copy of the list of the Access Health
`
`Domains is attached as Exhibit A.
`
`16. Access Health uses these Access Health Domain to operate its six
`
`websites. These websites are a central means of communication with Access
`
`Health’s patients and a primary method of marketing the services of Access to the
`
`public. As such, these websites are necessary for Access Health’ continued
`
`corporate existence. Any modification to the Access Health Domain can leave
`
`these websites non-operational. Such disfunction can interfere with Access
`
`Health’s communications with its patients and substantially affect Access Health’s
`
`reputation, brand image, and the public perception of Access Health. Access
`
`Health has spent the past decade managing these websites to maximize their value
`
`as a tool to communicate with the public at large and with Access Health’s patients
`
`in particular. Modifications to these Access Health Domains can negatively impact
`
`Access Health’s reputation, image and goodwill in a manner which cannot be
`
`corrected. Because the damage is to the perception of Access Health by unknown
`
`members of the public, the amount of damages cannot be easily quantified and
`
`6
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 7 of 39 PageID 7
`
`their perception of Access Health cannot be corrected by the payment of monetary
`
`damages.
`
`17. GoDaddy has provided services relating to the Access Health Domains
`
`under an overarching account owned by Access Health and assigned Customer No.
`
`90763401 by GoDaddy (the “Access Health GoDaddy Account”).
`
`18. The Access Health GoDaddy Account was opened by Access Health.3
`
`Services provided by GoDaddy under the umbrella of the Access Health GoDaddy
`
`Account include registration services in connection with the Access Domains, as
`
`well as hosting services in which GoDaddy’s servers host Domain Name System
`
`(“DNS”) software packages integral to the operation and functionality of active
`
`websites associated with the Access Domains.
`
`19. GoDaddy’s hosting of the DNS software packages for active websites
`
`involves a substantial number of technically complex discretionary choices to be
`
`made by the website owner. There are various settings and features of GoDaddy’s
`
`hosting infrastructure that have to be selected and configured in particular ways in
`
`order to shape the functionality and user experience associated with an active
`
`website. For the active websites associated with the Access Health Domains, Access
`
`Health has devoted substantial time and financial resources to analyzing the
`
`pertinent features and settings, and creating specific proprietary configurations
`
`
`3 Access Health cannot confirm the date the account was opened at this time due to its inability to
`access the GoDaddy Access Health Account dashboard.
`
`7
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 8 of 39 PageID 8
`
`that optimize website performance in conjunction with the DNS hosting services
`
`provided by GoDaddy through the Access Health GoDaddy Account.
`
`20. Customer management of the Access Health GoDaddy Account occurs
`
`using an “owner dashboard” that is essentially an online interface through which
`
`an account owner can log in, review pertinent information concerning the domains
`
`associated with the account, add, subtract, or modify services provided by
`
`GoDaddy in relation to those domains, review invoices and charges from GoDaddy,
`
`and make payments to GoDaddy for services associated with particular domains
`
`within the account.
`
`21. Access to the GoDaddy dashboard occurs through a “Customer
`
`Number + owner password” combination in which the GoDaddy Customer
`
`Number is the user name, and the password is created by the account owner. Dr.
`
`Singh created the owner password for the Access Health GoDaddy Account. The
`
`owner password is stored in a secure enterprise password management system
`
`used by Access Health, and this password management tool only permits an
`
`account password to be entered by the specific individuals associated with that
`
`password.
`
`22. Dr. Singh and the Director of IT for Access Health, Ed Laughman, are
`
`the only two individuals associated with the Access Health GoDaddy Account
`
`owner password, and thus, the only two individuals who are able to access that
`
`password in the enterprise password management system, and use it (in
`
`8
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 9 of 39 PageID 9
`
`combination with the GoDaddy Customer Number) when logging into the owner
`
`dashboard for the Access Health GoDaddy Account.
`
`23. Using the delegation powers associated with the GoDaddy owner
`
`dashboard, three other Access Health employees were granted
`
`limited
`
`authorization to view a subset of the information contained on the GoDaddy owner
`
`dashboard, using separate “user name + password” combinations that differ from
`
`the “Customer Number + owner password” combination used to access the owner
`
`dashboard.
`
`24. However, no one else employed by or associated with Access Health
`
`or Dr. Singh has access to the owner password for the Access Health GoDaddy
`
`Account, and no one else employed by or associated with Access Health or Dr.
`
`Singh is authorized to access the GoDaddy owner dashboard.
`
`25. Through the GoDaddy owner dashboard, an account owner is able to
`
`designate an official email address to which GoDaddy can send email
`
`communications relating to the account. The email address designated by Dr.
`
`Singh for these purposes was Purchasing@ahcpllc.com.
`
`26. Kirit Desai is an individual who from 2019 through early 2021 was
`
`involved with Dr. Singh in discussions concerning a possible joint venture relating
`
`to a healthcare provider called Comprehensive Hematology & Oncology (“CHO”).
`
`As part of this effort, several internet domains associated with the CHO brand (the
`
`“CHO Domains”) were registered for potential future use. These registrations were
`
`accomplished through the Access Health GoDaddy Account, and GoDaddy’s
`
`9
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 10 of 39 PageID 10
`
`registration services were paid for using Access Health’s American Express
`
`corporate credit card. A true and correct copy of a table listing the CHO Domains
`
`is attached as Exhibit B.
`
`27. The discussions surrounding the potential CHO joint venture with
`
`Access Health did not succeed.
`
`28. However, Dr. Singh did not cancel the CHO Domains because Mr.
`
`Desai agreed that he would have his IT vendor at the time, Ghanshyam Patel of
`
`Fusion IT Services, LLC, move the CHO Domains to a separate account, and in the
`
`interim, Mr. Desai also agreed to provide credit card information to Access Health
`
`in order to arrange for Mr. Desai to pay for any future GoDaddy registration or
`
`hosting services associated with the CHO Domains under the Access Health
`
`GoDaddy Account until Mr. Desai’s IT vendor had completed the transfer of the
`
`CHO Domains to a new account.
`
`29. One of the CHO Domains is associated with an active website,
`
`www.comphemeonc.com, and the other CHO Domains registered through the
`
`Access GoDaddy Account are essentially variations on this name. GoDaddy
`
`provides hosting of DNS software packages for the www.comphemeonc.com
`
`website, just as it does for the active websites associated with various Access
`
`Domains encompassed within the Access GoDaddy Account.
`
`30. Upon Mr. Desai’s approval, Access Health entered his credit card
`
`information into the Access Health GoDaddy Account and stored it as an approved
`
`payment method in anticipation for when GoDaddy issued a bill or invoice for a
`
`10
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 11 of 39 PageID 11
`
`service associated with a CHO domain, so that Access Health could select his credit
`
`card as the payment method when making an online payment (through the
`
`GoDaddy owner dashboard).
`
`31. Upon information and belief, only one charge was levied by GoDaddy
`
`in relation to a CHO Domain since April 2021, and that charge was paid by Access
`
`Health via Mr. Desai’s stored credit card, per the process described above.4
`
`32. For charges associated with any of the Access Health Domains,
`
`payment has always been made via an Access Health corporate credit card, which
`
`was likewise stored as an approved payment method for the Access Health
`
`GoDaddy Account on the GoDaddy owner dashboard.
`
`33. On August 27, 2021, the Director of IT for Access Health, Ed
`
`Laughman, attempted to log in to the GoDaddy owner dashboard for the Access
`
`Health GoDaddy Account, using the “Customer Number + owner password”
`
`credentials linked to the account. The login attempts failed, and the screen
`
`displayed an error message stating that the login information entered was
`
`incorrect.
`
`34. After discovering the incident, Ed Laughman, on behalf of Access
`
`Health, acted promptly and submitted a “password reset” request to GoDaddy.
`
`Subsequently, Access Health
`
`received an email
`
`from GoDaddy via
`
`Pruchasing@ahcpll.com, the email account originally designated on the Access
`
`
`4 Access Health cannot confirm this information at this time due to its inability to access the
`GoDaddy Access Health Account dashboard.
`
`11
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 12 of 39 PageID 12
`
`Health GoDaddy Account, stating “We emailed a password reset link to
`
`k*****@comphemeonc.com.” A true and correct screenshot of this email message
`
`is attached as Exhibit C.
`
`35. Thereafter, the three other Access Health employees who had
`
`previously been delegated limited access to the GoDaddy Access Health Account
`
`attempted to use their own “user name + password” credentials to log in to the
`
`limited subsections of the GoDaddy dashboard to which they had previously been
`
`given access to no avail.
`
`36. These Access Health employees received automated email replies
`
`from GoDaddy, stating in bold “Your account access has been removed.” This
`
`bolded heading was followed by a message stating “I removed your account access.
`
`You no longer have access to products in my account…Thanks, Kirit Desai.” In the
`
`upper right-hand corner of each email reply was a notation that read “Kirit Desai
`
`– Customer Number: 90763401”, which is the same Customer Number that had
`
`always been associated with the Access Health GoDaddy Account in the roughly
`
`ten years since Dr. Singh first opened the account. A true and correct copy of one
`
`of the automated email replies is attached as Exhibit D.
`
`37. Upon information and belief, at or around August 27, 2021, and
`
`without authorized access provided by the Access Health, the owner of the Access
`
`Health GoDaddy Account, Defendants obtained unauthorized access to the owner
`
`dashboard for the Access Health GoDaddy Account, stripped Dr. Singh, Ed
`
`Laughman, and Access Health’s other authorized delegates of their credentials,
`
`12
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 13 of 39 PageID 13
`
`changed the owner password, changed the default owner email address to which
`
`official account-related communications would be sent, and thereby completely
`
`seized unauthorized control of the Access Health GoDaddy Account and the Access
`
`Health Domains.
`
`38. On September 13, 2021, Defendant, IT Possible emailed Access Health
`
`and readily admitted, “[w]e have obtained access to the GoDaddy account.” The
`
`email went on to suggest that Access Health should open a new account for the
`
`Access Health Domains, leaving the CHO Domains as the only domains in the
`
`Access Health GoDaddy Account, which Access Health has owned and
`
`administered for approximately ten years. A true and correct copy of the
`
`September 13, 2021 email is attached as Exhibit E.
`
`39. Upon information and belief, Defendants accomplished their domain
`
`hijacking by Desai and/or IT Possible calling GoDaddy, stating that they could
`
`verify an authorized payment method associated with the Access Health GoDaddy
`
`Account, providing the credit card information for the card that had been used to
`
`pay a charge associated with the CHO Domains, and then claiming to have lost the
`
`password for the owner dashboard, and likewise to have lost access to the owner
`
`email account previously used by GoDaddy for official account-related
`
`communications.
`
`40. Any representations made by Desai or IT Possible, whether express or
`
`implied, suggesting that Desai had lost his password for the GoDaddy account, and
`
`13
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 14 of 39 PageID 14
`
`lost access
`
`to
`
`the email account previously used
`
`for account-related
`
`communications, were false.
`
`41.
`
`Specifically, Access Health never provided authorized access (limited
`
`or otherwise) to Defendants, and Defendants never had authorized possession of
`
`any password for the Access Health GoDaddy Account, much less the specific
`
`owner password used to access the GoDaddy owner dashboard. Likewise, Access
`
`Health never provided, and Defendants never received, authorized access to the
`
`Purchasing@ahcpllc.com email account designated as the official email of the
`
`Access Health GoDaddy Account.
`
`42. At no time did Access Health or any employee or representative
`
`thereof, provide Defendants permission or authorization to access the GoDaddy
`
`owner dashboard, or any portion thereof. Defendants were never given access to
`
`or permission to use Dr. Singh’s owner password associated with the Access Health
`
`GoDaddy Account, and at no point were Defendants given access to the
`
`Purchasing@ahcpllc.com email account, or to any emails sent by GoDaddy to that
`
`account. Access Health has never authorized Defendants to change any of the
`
`information or settings in the GoDaddy owner dashboard associated with the
`
`Access Health GoDaddy Account.
`
`43. Access Health has made numerous requests to Defendants to return
`
`Access Health’s access to the Access Health GoDaddy Account. Defendants refuse
`
`to return and continue to retain Access Health’s property without a right of
`
`possession.
`
`14
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 15 of 39 PageID 15
`
`44. Defendants’ unauthorized access and wrongful retention of Access
`
`Health’s property has impaired the availability of Access Health’s data and
`
`prevented Access Health from its ability to effectively maintain its Access Health
`
`GoDaddy Account and Access Health Domains, and in turn, its online business
`
`presence.
`
`45. Access Health has already been, and continues to be, irreparably
`
`harmed by Defendants’ actions of domain hijacking, unauthorized access and
`
`wrongful retention of the Access Health GoDaddy Account and Access Health
`
`Domains.
`
`46. Now that Defendants have wrongfully gained unauthorized access to
`
`the owner dashboard for the Access Health GoDaddy Account, Defendants’ control
`
`is nearly absolute.
`
`47.
`
`Specifically, Defendants can, if they have not already, change the
`
`registrant information associated with specific internet domains encompassed
`
`within the account, thereby creating the false appearance of a change of ownership
`
`in relation to those domains.
`
`48. Defendants can likewise add, subtract, modify, or cancel any or all of
`
`the services provided by GoDaddy to Access Health in relation to any of the Access
`
`Health Domains encompassed within the account, thereby placing Access Health’s
`
`active websites at risk of failing or being taken down.
`
`49. Defendants have already stripped previously authorized users of their
`
`ability to access the account and can now add additional account users who lack
`
`15
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 16 of 39 PageID 16
`
`prior authorization by Access Health. Defendants can also delete any pre-existing
`
`authorized payment methods associated with the account, thereby rendering it
`
`impossible to use those methods to pay for services associated with the Access
`
`Health GoDaddy Account.
`
`50. More specifically, because Defendants have control over the Access
`
`Health GoDaddy Account, this control deprives Access Health of the ability to
`
`conduct server maintenance, which deprives Access Health of the ability to
`
`troubleshoot or correct issues with the server if one of its active websites goes
`
`“down.” In addition, Defendants’ control over the Access Health GoDaddy Acount
`
`prevents Access Health from making payments to GoDaddy in order to continue
`
`and protect its account/domain name services.
`
`51. As of the time Defendants gained access, GoDaddy billed Access
`
`Health for each individual service it pays for, which is then billed via the GoDaddy
`
`customer number. There is no automatic billing procedure. Thus, Access Health
`
`must take affirmative steps to pay for the services it uses or risk losing that domain.
`
`Without access to the dashboard and account, Access Health will continue to be
`
`billed, but will not be able to make those payments. If Access Health cannot pay
`
`for GoDaddy’s services, there is risk that the domain name services will be
`
`cancelled and the Access Health Domains will be “locked” and no longer work and
`
`will allow another third-party the opportunity to purchase the Access Health
`
`Domains, furthering the conversion.
`
`16
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 17 of 39 PageID 17
`
`52. Loss of the Access Health Domains damages Access Health’s ability to
`
`communicate with its customers and the public and its public image as its websites
`
`would now direct its customers and the public to another provider. This harm
`
`could not be remedied by monetary damages alone. Also, while there is no
`
`automatic billing procedure, all of Access’ payment methods are currently
`
`embedded and registered to its account.
`
`53. Furthermore, given
`
`the conversion, Defendants now have
`
`unauthorized access to all of Access Health’s company credit card payment
`
`information embedded into the Access Health GoDaddy Account.
`
`54. Thus, in obtaining unauthorized access to Access Health’s GoDaddy
`
`dashboard, Defendants have obtained information from this computer system,
`
`which includes but is not limited to Access Health’s proprietary settings, its
`
`confidential account information, its company credit card information, its
`
`intellectual property, and various other Access Health information maintained in
`
`the GoDaddy system.
`
`55. Furthermore, forcing the export of the Access Health Domains to a
`
`new GoDaddy account would require a complete re-setting of the proprietary DNS
`
`configurations used by Access Health to sustain the performance and functionality
`
`of the multiple active websites associated with various Access Domains. This
`
`process would be expensive and time-consuming and would result in at least a 48
`
`to 72 hour period in which the active Access Health websites were entirely offline,
`
`17
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 18 of 39 PageID 18
`
`which would irreparably harm not only Access Health, but its patients and
`
`customers, as well.
`
`56. Access Health has been forced to expend scores of manhours of its
`
`employees and outside counsel in an effort to detect and correct Defendants’
`
`unauthorized access to the Access Health Domains and Access Health GoDaddy
`
`Account. In addition, Access Health has been forced to outsource services with
`
`data center support and continue operation of outside datacenter vendors due to
`
`Defendants’ actions. To date, Access Health has damages in excess of $150,000
`
`due to the harm or loss that Defendants caused and is in the position to further
`
`cause due to its unauthorized access.
`
`57. All conditions precedent to the filing of this action have been satisfied,
`
`waived or have occurred.
`
`58. Access Health has retained outside legal counsel, including the
`
`undersigned law firms, to represent it in this action and is obligated to pay said
`
`firm reasonable attorneys’ fees and costs incurred herein.
`
`COUNT I
`VIOLATION OF THE COMPUTER FRAUD AND ABUSE ACT
`(18 U.S.C. § 1030)
`
`59. Access Health realleges and reincorporates Paragraphs 1-58 above as
`
`if fully set forth herein.
`
`60.
`
` Access Health seeks damages and injunctive relief pursuant to the
`
`Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.
`
`18
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 19 of 39 PageID 19
`
`61.
`
` Although the thrust of the CFAA is criminal, the statute also provides
`
`a civil remedy under 18 U.S.C. § 1030(g), which states that “Any person who suffers
`
`damage or loss by reason of a violation of this section may maintain a civil action
`
`against the violator to obtain compensatory damages and injunctive relief or other
`
`equitable relief.”
`
`62.
`
` The term “computer” under the CFAA means any device for
`
`processing or storing data (excluding an automated typewriter, portable handheld
`
`calculator, or other similar device). See 18 U.S.C. § 1030(e)(1). Sections 1030(a)(1)-
`
`(7) of the CFAA define various types of prohibited conduct that constitute
`
`violations of the statute. A key element of certain of these statutory violations is
`
`that the prohibited conduct must have taken place in relation to a “protected
`
`computer.”
`
`63.
`
` A “protected computer” includes any computer used in interstate
`
`commerce. See 18 U.S.C. § 1030(e)(2). The Access GoDaddy Account, including the
`
`interactive online interface that serves as the owner dashboard, is part of an online
`
`domain name registration management platform. Online websites, databases, and
`
`interactive platforms and interfaces of this sort, when used in interstate commerce,
`
`are “protected computers” under the CFAA.
`
`64.
`
` Defendants’ conduct as alleged in paragraphs 34-56 above implicates
`
`Defendants in multiple violations of the CFAA.
`
`65.
`
` Section 1030(a)(2)(C) prohibits intentionally accessing a protected
`
`computer, without authorization or by exceeding authorized access, and thereby
`
`19
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 20 of 39 PageID 20
`
`obtaining information from a protected computer. Defendants violated this section
`
`by intentionally taking steps to access the GoDaddy owner dashboard for the
`
`Access GoDaddy Account, knowing full well that Access Health had never
`
`authorized such access. Even if Defendants believed their prior failure to move the
`
`CHO domains to a new account justified their taking steps to view information
`
`associated specifically with those domains, Defendants knew they did not have
`
`authorization to obtain the other information found within the owner dashboard
`
`– including but not limited to a list of the domains registered by Plaintiffs, a list of
`
`the registrants associated with each domain, the list of individuals designated by
`
`Plaintiffs as having various levels of access to the GoDaddy dashboard, and Access
`
`Health corporate credit card information associated with the list of authorized
`
`payment methods stored in the owner dashboard of the Access GoDaddy Account.
`
`66.
`
` Section 1030(a)(4) prohibits knowingly and with intent to defraud
`
`accessing a protected computer, without authorization or by exceeding authorized
`
`access, to obtain anything of value or further a fraud. Defendants violated this
`
`section by knowingly and intentionally making false representations (either
`
`express or implied) to GoDaddy, suggesting they once had access to the owner
`
`password and owner email address associated with the Access GoDaddy Account,
`
`but had somehow “lost” this information. Defendants perpetrated this scheme to
`
`obtain the value associated with access to and use of Access Health’s proprietary
`
`configuration of DNS software packages and account settings associated with the
`
`Access Domains (this proprietary DNS configuration intellectual property was
`
`20
`
`
`
`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 21 of 39 PageID 21
`
`developed by Access Health, at considerable expense). Defendants’ fraudulent
`
`scheme is also designed to obtain leverage against Plaintiffs, and Defendants have
`
`demanded various services, support, and data from Plaintiffs, in response to
`
`demands from Plaintiffs to restore their access and control over the Access
`
`GoDaddy Account. Defendants’ fraudulent scheme is further designed to allow
`
`them to retain the value of Access Health’s DNS configuration intellectual property
`
`described above, and to use this intellectual property in support of the CHO
`
`domains, while forcing Access Health to i