throbber
Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 1 of 39 PageID 1
`
`
`ACCESS HEALTHCARE PHYSICIANS,
`LLC,
`
`Case No. 8:21-cv-2306
`
`Plaintiff,
`
`
`
`vs.
`
`IT POSSIBLE, LLC, a Maryland limited
`liability company and KIRIT DESAI
`
`Defendants.
`
`UNITED STATES DISTRICT COURT
`MIDDLE DISTRICT OF FLORIDA
`TAMPA
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`VERIFIED COMPLAINT AND INJUNCTIVE RELIEF REQUESTED
`
`
`
`
`
`
`Plaintiff, Access Health Care Physicians, LLC, a Florida limited liability
`
`company (“Access Health”) hereby files this Verified Complaint against
`
`Defendants, IT Possible, LLC, a Maryland limited liability company (“IT
`
`Possible”), and Kirit Desai (“Mr. Desai”)(collectively “Defendants”), and states as
`
`follows:
`
`INTRODUCTION
`
`1.
`
`The plotline of this controversy starts out in an all too familiar fashion:
`
`after Access Health rejected their business proposal, the disgruntled Defendants
`
`steal something of value of Access Health’s and use the property for leverage. This
`
`case is about Defendants’ computer and data abuse, unauthorized access through
`
`domain hijacking, and ongoing wrongful retention of Access Health’s cyber
`
`property without a right of possession.
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 2 of 39 PageID 2
`
`2.
`
`Plaintiff in this action, Access Health, is a medical group that has
`
`thousands of patients through the State of Florida, with 88 medical offices and over
`
`213 health care providers in 25 different cities. Access Health’s internet presence
`
`is one of the most valuable assets to its wide-spread business, as evinced by Access
`
`Health’s 14 different active websites and domains. Indeed, over the last decade,
`
`Access Health, along with its founder and primary owner, Dr. Pariksith Singh (“Dr.
`
`Singh”), have purchased, registered and maintained 78 domain names over the last
`
`decade through the domain registrar, GoDaddy Operating Company, LLC
`
`(“GoDaddy”), in order to house their websites.
`
`3.
`
`Defendant, Desai, and his non-party wife, Dr. Pratibha Desai (“Dr.
`
`Desai”) operate multiple Hematology and Oncology practices and related
`
`businesses. In 2018, Defendant, Mr. Desai and Dr. Desai solicited Access Health to
`
`jointly form an entity named Comprehensive Hematology Oncology, LLC (“CHO”).
`
`Thus, in anticipation of its new business venture, Access Health purchased 12
`
`domain names under its existing account with GoDaddy to be used for CHO.
`
`Notably, Access Health never provided the login credentials or authorized Desai to
`
`access or use its GoDaddy account. Shortly after the initiation of CHO, the parties
`
`fell into a dispute, and Access Health withdrew from its involvement in CHO.
`
`Sometime thereafter, Desai hired Defendant, IT Possible, as its technology vendor
`
`in connection with CHO.
`
`4.
`
`The issues in this case arose three weeks ago, when Defendants
`
`hijacked Access Health’s domain names by gaining unauthorized access to Access
`
`2
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 3 of 39 PageID 3
`
`Health’s GoDaddy account. Typically, when one hears “cyber theft”, they imagine
`
`a shady character sitting behind a slew of monitors, working hours on end to
`
`infiltrate secured networks through intensive coding and password cyphering. In
`
`reality, cyber theft has surfaced through much simpler social engineering attacks
`
`known as domain hijacking, which is the simple act of modifying or transferring
`
`control of the registration of a domain name without the permission of its original
`
`registrant. As further alleged below, Defendants here “hijacked” the Access
`
`Health’s domains by making misrepresentations to persuade Access Health’s
`
`domain registrar, GoDaddy, into modifying the primary email address linked to
`
`the account, and then, Defendants simply changed the login credentials to “lock”
`
`Access Health out of its own account.
`
`5.
`
`Despite multiple requests, Defendants refuse to return Access
`
`Health’s GoDaddy account information and currently retain possession of Access
`
`Health’s domains. Defendants have impaired the availability of Access Health’s
`
`data and prevented Access Health from its ability to effectively maintain its domain
`
`names, and in turn, its online business presence. Unless Defendants are enjoined
`
`immediately, there will be substantial, imminent, and irreparable financial and
`
`reputational harm to Access Health. This is a civil action for injunctive relief and
`
`damages against Defendants for violations under the Computer Fraud and Abuse
`
`3
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 4 of 39 PageID 4
`
`Act1 and the Florida Computer Abuse and Data Recovery Act2, and for civil
`
`conversion.
`
`PARTIES
`
`6.
`
`Plaintiff, Access Health, is a Florida limited liability company with a
`
`principal address in Spring Hill, Florida. Access Health is a Florida-based multi-
`
`service medical facility that provides primary care services and diagnostic testing
`
`for thousands of Florida patients.
`
`7.
`
`Defendant, Mr. Kirit Desai, is an individual who, upon information
`
`and belief, resides in Saint Petersburg, Florida. Mr. Desai assists his wife, Dr.
`
`Desai, in the operation of various Hematology and Oncology practices and related
`
`businesses.
`
`8.
`
`Defendant, IT Possible, is a Maryland limited liability company with
`
`a principal address in Salisbury, Maryland. Upon information and belief, IT
`
`Possible provides computer and IT solutions and services to CHO, the company
`
`currently managed by Dr. and Mr. Desai.
`
`JURISDICTION AND VENUE
`
`9.
`
`This Court has jurisdiction over the subject matter of this action
`
`pursuant to 28 U.S.C. § 1331, as the action arises under the federal Computer Fraud
`
`and Abuse Act (18 U.S.C. § 1030)(“CFAA”).
`
`1 18 U.S.C. § 1030
`2 §668.801, et. seq., Florida Statutes
`
`
`
`4
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 5 of 39 PageID 5
`
`10. This Court has subject matter jurisdiction under 28 U.S.C. §1367 over
`
`the claims for violation of the Florida Computer Abuse and Data Recovery Act
`
`(§668.801, et. seq., Fla. Stat.)(“CADRA”) and state law conversion, as the
`
`supplemental claims form part of the same case and controversy as the CFAA
`
`claim.
`
`11.
`
`This Court has personal jurisdiction over Defendant, Mr. Desai,
`
`because he is a citizen of and domiciled in Florida, living within the jurisdiction of
`
`the U.S. District Court for the Middle District of Florida, Tampa Division.
`
`12.
`
` This Court has personal jurisdiction over Defendant, IT Possible, as a
`
`result of IT Possible’s unauthorized access into, and retention of property from, a
`
`“protected computer” as defined in 18 U.S.C. § 1030(e)(2)(B) that is used for
`
`commerce or communication with persons and entities in Florida, and also as a
`
`result of IT Possible’s tortious conduct causing injurious effect in Florida.
`
`13. Venue is proper in this judicial district pursuant to 28 U.S.C. §
`
`1391(b)(2) because a substantial part of the events or omissions giving rise to
`
`Access Health’s claims occurred in this judicial district.
`
`FACTS
`
`14.
`
` Access Health is a multi-service medical facility that provides primary
`
`care services and diagnostic testing for thousands of patients throughout the State
`
`of Florida. Due to its wide-spread practice, Access Health relies heavily on their
`
`websites to effectively run their businesses, as described further below.
`
`5
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 6 of 39 PageID 6
`
`15. Over the past ten years, Access Health and Dr. Singh have registered
`
`or purchased internet domains used in connection with Dr. Singh’s business
`
`ventures (the “Access Health Domains”). The registration services used in
`
`connection with the Access Health Domains have been provided by non-party,
`
`GoDaddy, a well-known internet domain registrar and web hosting company
`
`headquartered in Arizona. A true and correct copy of the list of the Access Health
`
`Domains is attached as Exhibit A.
`
`16. Access Health uses these Access Health Domain to operate its six
`
`websites. These websites are a central means of communication with Access
`
`Health’s patients and a primary method of marketing the services of Access to the
`
`public. As such, these websites are necessary for Access Health’ continued
`
`corporate existence. Any modification to the Access Health Domain can leave
`
`these websites non-operational. Such disfunction can interfere with Access
`
`Health’s communications with its patients and substantially affect Access Health’s
`
`reputation, brand image, and the public perception of Access Health. Access
`
`Health has spent the past decade managing these websites to maximize their value
`
`as a tool to communicate with the public at large and with Access Health’s patients
`
`in particular. Modifications to these Access Health Domains can negatively impact
`
`Access Health’s reputation, image and goodwill in a manner which cannot be
`
`corrected. Because the damage is to the perception of Access Health by unknown
`
`members of the public, the amount of damages cannot be easily quantified and
`
`6
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 7 of 39 PageID 7
`
`their perception of Access Health cannot be corrected by the payment of monetary
`
`damages.
`
`17. GoDaddy has provided services relating to the Access Health Domains
`
`under an overarching account owned by Access Health and assigned Customer No.
`
`90763401 by GoDaddy (the “Access Health GoDaddy Account”).
`
`18. The Access Health GoDaddy Account was opened by Access Health.3
`
`Services provided by GoDaddy under the umbrella of the Access Health GoDaddy
`
`Account include registration services in connection with the Access Domains, as
`
`well as hosting services in which GoDaddy’s servers host Domain Name System
`
`(“DNS”) software packages integral to the operation and functionality of active
`
`websites associated with the Access Domains.
`
`19. GoDaddy’s hosting of the DNS software packages for active websites
`
`involves a substantial number of technically complex discretionary choices to be
`
`made by the website owner. There are various settings and features of GoDaddy’s
`
`hosting infrastructure that have to be selected and configured in particular ways in
`
`order to shape the functionality and user experience associated with an active
`
`website. For the active websites associated with the Access Health Domains, Access
`
`Health has devoted substantial time and financial resources to analyzing the
`
`pertinent features and settings, and creating specific proprietary configurations
`
`
`3 Access Health cannot confirm the date the account was opened at this time due to its inability to
`access the GoDaddy Access Health Account dashboard.
`
`7
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 8 of 39 PageID 8
`
`that optimize website performance in conjunction with the DNS hosting services
`
`provided by GoDaddy through the Access Health GoDaddy Account.
`
`20. Customer management of the Access Health GoDaddy Account occurs
`
`using an “owner dashboard” that is essentially an online interface through which
`
`an account owner can log in, review pertinent information concerning the domains
`
`associated with the account, add, subtract, or modify services provided by
`
`GoDaddy in relation to those domains, review invoices and charges from GoDaddy,
`
`and make payments to GoDaddy for services associated with particular domains
`
`within the account.
`
`21. Access to the GoDaddy dashboard occurs through a “Customer
`
`Number + owner password” combination in which the GoDaddy Customer
`
`Number is the user name, and the password is created by the account owner. Dr.
`
`Singh created the owner password for the Access Health GoDaddy Account. The
`
`owner password is stored in a secure enterprise password management system
`
`used by Access Health, and this password management tool only permits an
`
`account password to be entered by the specific individuals associated with that
`
`password.
`
`22. Dr. Singh and the Director of IT for Access Health, Ed Laughman, are
`
`the only two individuals associated with the Access Health GoDaddy Account
`
`owner password, and thus, the only two individuals who are able to access that
`
`password in the enterprise password management system, and use it (in
`
`8
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 9 of 39 PageID 9
`
`combination with the GoDaddy Customer Number) when logging into the owner
`
`dashboard for the Access Health GoDaddy Account.
`
`23. Using the delegation powers associated with the GoDaddy owner
`
`dashboard, three other Access Health employees were granted
`
`limited
`
`authorization to view a subset of the information contained on the GoDaddy owner
`
`dashboard, using separate “user name + password” combinations that differ from
`
`the “Customer Number + owner password” combination used to access the owner
`
`dashboard.
`
`24. However, no one else employed by or associated with Access Health
`
`or Dr. Singh has access to the owner password for the Access Health GoDaddy
`
`Account, and no one else employed by or associated with Access Health or Dr.
`
`Singh is authorized to access the GoDaddy owner dashboard.
`
`25. Through the GoDaddy owner dashboard, an account owner is able to
`
`designate an official email address to which GoDaddy can send email
`
`communications relating to the account. The email address designated by Dr.
`
`Singh for these purposes was Purchasing@ahcpllc.com.
`
`26. Kirit Desai is an individual who from 2019 through early 2021 was
`
`involved with Dr. Singh in discussions concerning a possible joint venture relating
`
`to a healthcare provider called Comprehensive Hematology & Oncology (“CHO”).
`
`As part of this effort, several internet domains associated with the CHO brand (the
`
`“CHO Domains”) were registered for potential future use. These registrations were
`
`accomplished through the Access Health GoDaddy Account, and GoDaddy’s
`
`9
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 10 of 39 PageID 10
`
`registration services were paid for using Access Health’s American Express
`
`corporate credit card. A true and correct copy of a table listing the CHO Domains
`
`is attached as Exhibit B.
`
`27. The discussions surrounding the potential CHO joint venture with
`
`Access Health did not succeed.
`
`28. However, Dr. Singh did not cancel the CHO Domains because Mr.
`
`Desai agreed that he would have his IT vendor at the time, Ghanshyam Patel of
`
`Fusion IT Services, LLC, move the CHO Domains to a separate account, and in the
`
`interim, Mr. Desai also agreed to provide credit card information to Access Health
`
`in order to arrange for Mr. Desai to pay for any future GoDaddy registration or
`
`hosting services associated with the CHO Domains under the Access Health
`
`GoDaddy Account until Mr. Desai’s IT vendor had completed the transfer of the
`
`CHO Domains to a new account.
`
`29. One of the CHO Domains is associated with an active website,
`
`www.comphemeonc.com, and the other CHO Domains registered through the
`
`Access GoDaddy Account are essentially variations on this name. GoDaddy
`
`provides hosting of DNS software packages for the www.comphemeonc.com
`
`website, just as it does for the active websites associated with various Access
`
`Domains encompassed within the Access GoDaddy Account.
`
`30. Upon Mr. Desai’s approval, Access Health entered his credit card
`
`information into the Access Health GoDaddy Account and stored it as an approved
`
`payment method in anticipation for when GoDaddy issued a bill or invoice for a
`
`10
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 11 of 39 PageID 11
`
`service associated with a CHO domain, so that Access Health could select his credit
`
`card as the payment method when making an online payment (through the
`
`GoDaddy owner dashboard).
`
`31. Upon information and belief, only one charge was levied by GoDaddy
`
`in relation to a CHO Domain since April 2021, and that charge was paid by Access
`
`Health via Mr. Desai’s stored credit card, per the process described above.4
`
`32. For charges associated with any of the Access Health Domains,
`
`payment has always been made via an Access Health corporate credit card, which
`
`was likewise stored as an approved payment method for the Access Health
`
`GoDaddy Account on the GoDaddy owner dashboard.
`
`33. On August 27, 2021, the Director of IT for Access Health, Ed
`
`Laughman, attempted to log in to the GoDaddy owner dashboard for the Access
`
`Health GoDaddy Account, using the “Customer Number + owner password”
`
`credentials linked to the account. The login attempts failed, and the screen
`
`displayed an error message stating that the login information entered was
`
`incorrect.
`
`34. After discovering the incident, Ed Laughman, on behalf of Access
`
`Health, acted promptly and submitted a “password reset” request to GoDaddy.
`
`Subsequently, Access Health
`
`received an email
`
`from GoDaddy via
`
`Pruchasing@ahcpll.com, the email account originally designated on the Access
`
`
`4 Access Health cannot confirm this information at this time due to its inability to access the
`GoDaddy Access Health Account dashboard.
`
`11
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 12 of 39 PageID 12
`
`Health GoDaddy Account, stating “We emailed a password reset link to
`
`k*****@comphemeonc.com.” A true and correct screenshot of this email message
`
`is attached as Exhibit C.
`
`35. Thereafter, the three other Access Health employees who had
`
`previously been delegated limited access to the GoDaddy Access Health Account
`
`attempted to use their own “user name + password” credentials to log in to the
`
`limited subsections of the GoDaddy dashboard to which they had previously been
`
`given access to no avail.
`
`36. These Access Health employees received automated email replies
`
`from GoDaddy, stating in bold “Your account access has been removed.” This
`
`bolded heading was followed by a message stating “I removed your account access.
`
`You no longer have access to products in my account…Thanks, Kirit Desai.” In the
`
`upper right-hand corner of each email reply was a notation that read “Kirit Desai
`
`– Customer Number: 90763401”, which is the same Customer Number that had
`
`always been associated with the Access Health GoDaddy Account in the roughly
`
`ten years since Dr. Singh first opened the account. A true and correct copy of one
`
`of the automated email replies is attached as Exhibit D.
`
`37. Upon information and belief, at or around August 27, 2021, and
`
`without authorized access provided by the Access Health, the owner of the Access
`
`Health GoDaddy Account, Defendants obtained unauthorized access to the owner
`
`dashboard for the Access Health GoDaddy Account, stripped Dr. Singh, Ed
`
`Laughman, and Access Health’s other authorized delegates of their credentials,
`
`12
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 13 of 39 PageID 13
`
`changed the owner password, changed the default owner email address to which
`
`official account-related communications would be sent, and thereby completely
`
`seized unauthorized control of the Access Health GoDaddy Account and the Access
`
`Health Domains.
`
`38. On September 13, 2021, Defendant, IT Possible emailed Access Health
`
`and readily admitted, “[w]e have obtained access to the GoDaddy account.” The
`
`email went on to suggest that Access Health should open a new account for the
`
`Access Health Domains, leaving the CHO Domains as the only domains in the
`
`Access Health GoDaddy Account, which Access Health has owned and
`
`administered for approximately ten years. A true and correct copy of the
`
`September 13, 2021 email is attached as Exhibit E.
`
`39. Upon information and belief, Defendants accomplished their domain
`
`hijacking by Desai and/or IT Possible calling GoDaddy, stating that they could
`
`verify an authorized payment method associated with the Access Health GoDaddy
`
`Account, providing the credit card information for the card that had been used to
`
`pay a charge associated with the CHO Domains, and then claiming to have lost the
`
`password for the owner dashboard, and likewise to have lost access to the owner
`
`email account previously used by GoDaddy for official account-related
`
`communications.
`
`40. Any representations made by Desai or IT Possible, whether express or
`
`implied, suggesting that Desai had lost his password for the GoDaddy account, and
`
`13
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 14 of 39 PageID 14
`
`lost access
`
`to
`
`the email account previously used
`
`for account-related
`
`communications, were false.
`
`41.
`
`Specifically, Access Health never provided authorized access (limited
`
`or otherwise) to Defendants, and Defendants never had authorized possession of
`
`any password for the Access Health GoDaddy Account, much less the specific
`
`owner password used to access the GoDaddy owner dashboard. Likewise, Access
`
`Health never provided, and Defendants never received, authorized access to the
`
`Purchasing@ahcpllc.com email account designated as the official email of the
`
`Access Health GoDaddy Account.
`
`42. At no time did Access Health or any employee or representative
`
`thereof, provide Defendants permission or authorization to access the GoDaddy
`
`owner dashboard, or any portion thereof. Defendants were never given access to
`
`or permission to use Dr. Singh’s owner password associated with the Access Health
`
`GoDaddy Account, and at no point were Defendants given access to the
`
`Purchasing@ahcpllc.com email account, or to any emails sent by GoDaddy to that
`
`account. Access Health has never authorized Defendants to change any of the
`
`information or settings in the GoDaddy owner dashboard associated with the
`
`Access Health GoDaddy Account.
`
`43. Access Health has made numerous requests to Defendants to return
`
`Access Health’s access to the Access Health GoDaddy Account. Defendants refuse
`
`to return and continue to retain Access Health’s property without a right of
`
`possession.
`
`14
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 15 of 39 PageID 15
`
`44. Defendants’ unauthorized access and wrongful retention of Access
`
`Health’s property has impaired the availability of Access Health’s data and
`
`prevented Access Health from its ability to effectively maintain its Access Health
`
`GoDaddy Account and Access Health Domains, and in turn, its online business
`
`presence.
`
`45. Access Health has already been, and continues to be, irreparably
`
`harmed by Defendants’ actions of domain hijacking, unauthorized access and
`
`wrongful retention of the Access Health GoDaddy Account and Access Health
`
`Domains.
`
`46. Now that Defendants have wrongfully gained unauthorized access to
`
`the owner dashboard for the Access Health GoDaddy Account, Defendants’ control
`
`is nearly absolute.
`
`47.
`
`Specifically, Defendants can, if they have not already, change the
`
`registrant information associated with specific internet domains encompassed
`
`within the account, thereby creating the false appearance of a change of ownership
`
`in relation to those domains.
`
`48. Defendants can likewise add, subtract, modify, or cancel any or all of
`
`the services provided by GoDaddy to Access Health in relation to any of the Access
`
`Health Domains encompassed within the account, thereby placing Access Health’s
`
`active websites at risk of failing or being taken down.
`
`49. Defendants have already stripped previously authorized users of their
`
`ability to access the account and can now add additional account users who lack
`
`15
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 16 of 39 PageID 16
`
`prior authorization by Access Health. Defendants can also delete any pre-existing
`
`authorized payment methods associated with the account, thereby rendering it
`
`impossible to use those methods to pay for services associated with the Access
`
`Health GoDaddy Account.
`
`50. More specifically, because Defendants have control over the Access
`
`Health GoDaddy Account, this control deprives Access Health of the ability to
`
`conduct server maintenance, which deprives Access Health of the ability to
`
`troubleshoot or correct issues with the server if one of its active websites goes
`
`“down.” In addition, Defendants’ control over the Access Health GoDaddy Acount
`
`prevents Access Health from making payments to GoDaddy in order to continue
`
`and protect its account/domain name services.
`
`51. As of the time Defendants gained access, GoDaddy billed Access
`
`Health for each individual service it pays for, which is then billed via the GoDaddy
`
`customer number. There is no automatic billing procedure. Thus, Access Health
`
`must take affirmative steps to pay for the services it uses or risk losing that domain.
`
`Without access to the dashboard and account, Access Health will continue to be
`
`billed, but will not be able to make those payments. If Access Health cannot pay
`
`for GoDaddy’s services, there is risk that the domain name services will be
`
`cancelled and the Access Health Domains will be “locked” and no longer work and
`
`will allow another third-party the opportunity to purchase the Access Health
`
`Domains, furthering the conversion.
`
`16
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 17 of 39 PageID 17
`
`52. Loss of the Access Health Domains damages Access Health’s ability to
`
`communicate with its customers and the public and its public image as its websites
`
`would now direct its customers and the public to another provider. This harm
`
`could not be remedied by monetary damages alone. Also, while there is no
`
`automatic billing procedure, all of Access’ payment methods are currently
`
`embedded and registered to its account.
`
`53. Furthermore, given
`
`the conversion, Defendants now have
`
`unauthorized access to all of Access Health’s company credit card payment
`
`information embedded into the Access Health GoDaddy Account.
`
`54. Thus, in obtaining unauthorized access to Access Health’s GoDaddy
`
`dashboard, Defendants have obtained information from this computer system,
`
`which includes but is not limited to Access Health’s proprietary settings, its
`
`confidential account information, its company credit card information, its
`
`intellectual property, and various other Access Health information maintained in
`
`the GoDaddy system.
`
`55. Furthermore, forcing the export of the Access Health Domains to a
`
`new GoDaddy account would require a complete re-setting of the proprietary DNS
`
`configurations used by Access Health to sustain the performance and functionality
`
`of the multiple active websites associated with various Access Domains. This
`
`process would be expensive and time-consuming and would result in at least a 48
`
`to 72 hour period in which the active Access Health websites were entirely offline,
`
`17
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 18 of 39 PageID 18
`
`which would irreparably harm not only Access Health, but its patients and
`
`customers, as well.
`
`56. Access Health has been forced to expend scores of manhours of its
`
`employees and outside counsel in an effort to detect and correct Defendants’
`
`unauthorized access to the Access Health Domains and Access Health GoDaddy
`
`Account. In addition, Access Health has been forced to outsource services with
`
`data center support and continue operation of outside datacenter vendors due to
`
`Defendants’ actions. To date, Access Health has damages in excess of $150,000
`
`due to the harm or loss that Defendants caused and is in the position to further
`
`cause due to its unauthorized access.
`
`57. All conditions precedent to the filing of this action have been satisfied,
`
`waived or have occurred.
`
`58. Access Health has retained outside legal counsel, including the
`
`undersigned law firms, to represent it in this action and is obligated to pay said
`
`firm reasonable attorneys’ fees and costs incurred herein.
`
`COUNT I
`VIOLATION OF THE COMPUTER FRAUD AND ABUSE ACT
`(18 U.S.C. § 1030)
`
`59. Access Health realleges and reincorporates Paragraphs 1-58 above as
`
`if fully set forth herein.
`
`60.
`
` Access Health seeks damages and injunctive relief pursuant to the
`
`Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.
`
`18
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 19 of 39 PageID 19
`
`61.
`
` Although the thrust of the CFAA is criminal, the statute also provides
`
`a civil remedy under 18 U.S.C. § 1030(g), which states that “Any person who suffers
`
`damage or loss by reason of a violation of this section may maintain a civil action
`
`against the violator to obtain compensatory damages and injunctive relief or other
`
`equitable relief.”
`
`62.
`
` The term “computer” under the CFAA means any device for
`
`processing or storing data (excluding an automated typewriter, portable handheld
`
`calculator, or other similar device). See 18 U.S.C. § 1030(e)(1). Sections 1030(a)(1)-
`
`(7) of the CFAA define various types of prohibited conduct that constitute
`
`violations of the statute. A key element of certain of these statutory violations is
`
`that the prohibited conduct must have taken place in relation to a “protected
`
`computer.”
`
`63.
`
` A “protected computer” includes any computer used in interstate
`
`commerce. See 18 U.S.C. § 1030(e)(2). The Access GoDaddy Account, including the
`
`interactive online interface that serves as the owner dashboard, is part of an online
`
`domain name registration management platform. Online websites, databases, and
`
`interactive platforms and interfaces of this sort, when used in interstate commerce,
`
`are “protected computers” under the CFAA.
`
`64.
`
` Defendants’ conduct as alleged in paragraphs 34-56 above implicates
`
`Defendants in multiple violations of the CFAA.
`
`65.
`
` Section 1030(a)(2)(C) prohibits intentionally accessing a protected
`
`computer, without authorization or by exceeding authorized access, and thereby
`
`19
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 20 of 39 PageID 20
`
`obtaining information from a protected computer. Defendants violated this section
`
`by intentionally taking steps to access the GoDaddy owner dashboard for the
`
`Access GoDaddy Account, knowing full well that Access Health had never
`
`authorized such access. Even if Defendants believed their prior failure to move the
`
`CHO domains to a new account justified their taking steps to view information
`
`associated specifically with those domains, Defendants knew they did not have
`
`authorization to obtain the other information found within the owner dashboard
`
`– including but not limited to a list of the domains registered by Plaintiffs, a list of
`
`the registrants associated with each domain, the list of individuals designated by
`
`Plaintiffs as having various levels of access to the GoDaddy dashboard, and Access
`
`Health corporate credit card information associated with the list of authorized
`
`payment methods stored in the owner dashboard of the Access GoDaddy Account.
`
`66.
`
` Section 1030(a)(4) prohibits knowingly and with intent to defraud
`
`accessing a protected computer, without authorization or by exceeding authorized
`
`access, to obtain anything of value or further a fraud. Defendants violated this
`
`section by knowingly and intentionally making false representations (either
`
`express or implied) to GoDaddy, suggesting they once had access to the owner
`
`password and owner email address associated with the Access GoDaddy Account,
`
`but had somehow “lost” this information. Defendants perpetrated this scheme to
`
`obtain the value associated with access to and use of Access Health’s proprietary
`
`configuration of DNS software packages and account settings associated with the
`
`Access Domains (this proprietary DNS configuration intellectual property was
`
`20
`
`

`

`Case 8:21-cv-02306-TPB-AAS Document 1 Filed 09/29/21 Page 21 of 39 PageID 21
`
`developed by Access Health, at considerable expense). Defendants’ fraudulent
`
`scheme is also designed to obtain leverage against Plaintiffs, and Defendants have
`
`demanded various services, support, and data from Plaintiffs, in response to
`
`demands from Plaintiffs to restore their access and control over the Access
`
`GoDaddy Account. Defendants’ fraudulent scheme is further designed to allow
`
`them to retain the value of Access Health’s DNS configuration intellectual property
`
`described above, and to use this intellectual property in support of the CHO
`
`domains, while forcing Access Health to i

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket