IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF PENNSYLVANIA

Case 2:20-cv-05375-GAM Document 22 Filed 05/17/21

BARRY K. GRAHAM, ET AL.
v.
UNIVERSAL HEALTH SERVICE, INC.

CIVIL ACTION NO. 20-5375

McHUGH, J.
May 17, 2021

MEMORANDUM

This is a putative class action arising out of a data breach that occurred when a health care company was subjected to a ransomware attack. Plaintiffs Barry K. Graham, Angela Morgan, and Stephen Motkowicz allege that Universal Health Services failed to safeguard their protected health information (“PHI”), with the result that their PHI was exposed to hackers in September 2020. The issue is whether Plaintiffs can show injuries sufficient to confer standing. Two of the three named Plaintiffs allege only increased risk of identity theft, as well as additional expenditures of time and money to monitor accounts for fraud. Their claims fail because of the narrow definition of injury the Third Circuit adopted for data breach cases in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). The remaining Plaintiff, Stephen Motkowicz, alleges an additional, novel injury—that the data theft delayed his surgery, which caused his employer-provided insurance to lapse and required him to purchase alternative insurance at a higher premium. As to this claim, the economic loss qualifies as a concrete injury, but further development of the record is required to determine whether there is a sufficient causal relationship to confer standing.

I. Factual Background

Defendant Universal operates “one of the largest healthcare companies in North America,” First Am. Compl. ¶ 37, ECF 13, and “[i]n its ordinary course of business, … maintains PHI, including the name, address, zip code, date of birth, Social Security number, medical diagnoses, insurance information, and other sensitive and confidential information for current and former customers/patients.” Id. ¶ 38. In late September 2020, Defendant announced that its facilities were “currently offline due to an IT security issue.” Id. ¶ 2. Plaintiffs contend that Defendant’s systems were inaccessible because of a malicious ransomware attack. Id.

Barry Graham, Angela Morgan, and Stephen Motkowicz are customers of Defendant. Id. ¶¶ 12, 14, 16. They claim their PHI was compromised in the September attack due to “Defendant’s failure to implement and follow appropriate security procedures.” Id. ¶ 5. Plaintiffs further allege that they have (1) experienced an increased risk of identity theft, id. ¶ 53; (2) expended additional time and money to monitor their personal and financial records for fraud, id. ¶ 62; (3) suffered the lost or diminished value of their PHI, id. ¶ 181; and (4) received a “diminished value of the services they paid Defendant to provide,” as Defendant represented that it would protect the confidentiality of their PHI. Id. ¶ 6.

In addition to the injuries described above, Plaintiff Motkowicz also claims financial harms, in the form of increased insurance expenses. Id. ¶ 65. He avers that he was scheduled for a surgical procedure on September 28, 2020, but that Defendant canceled his procedure on account of the ransomware attack. Id. Motkowicz’s surgery was rescheduled for six weeks later, which caused him to miss additional time at work. Id. Because he could not return to work, Plaintiff’s insurance lapsed, requiring him to procure alternative insurance at an increased cost. Id.

Plaintiffs’ suit claims that Defendant has engaged in negligence (“Count I”), breach of implied contract (“Count II”), breach of fiduciary duty (“Count III”), and breach of confidence (“Count IV”). Defendant counters with a Motion to Dismiss pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6), arguing that Plaintiffs lack standing and that they have otherwise failed to state a claim.

II. Standard of Review

Slightly different standards of review apply for motions to dismiss claims pursuant to Federal Rules 12(b)(1) and (6). Within the Third Circuit, motions to dismiss under Fed. R. Civ. P. 12(b)(6) are governed by the well-established standard set forth in Fowler v. UPMC Shadyside, 578 F.3d 203, 210 (3d Cir. 2009).

To decide a motion to dismiss under 12(b)(1), “a court must first determine whether the movant presents a facial or factual attack.” In re Schering Plough Corp. Intron/Temodar Consumer Class Action, 678 F.3d 235, 243 (3d Cir. 2012). A facial attack is one that “attack[s] the sufficiency of the consolidated complaint on the grounds that the pleaded facts d[id] not establish constitutional standing.” In Re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625, 632 (3d Cir. 2017). A factual challenge, by contrast, contests the validity of Plaintiffs’ factual claims. Id. Defendant raises a facial challenge; it does not directly attack Plaintiffs’ pleaded facts but instead argues that “[t]he allegations in Plaintiffs’ Amended Complaint fall far short” of conferring standing. Def.’s Mem. L. Supp. Mot. Dismiss 13, ECF 15-1. Considering this facial attack, I must “accept the Plaintiffs’ well-pleaded factual allegations as true and draw all reasonable inferences from those allegations in the Plaintiffs’ favor.” In Re Horizon, 845 F.3d at 633.

III. Discussion

Article III of the Constitution limits federal courts' jurisdiction to certain “Cases” and “Controversies.” U.S. CONST. art. III, § 2. At its core, “the question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues.” Warth v. Seldin, 422 U.S. 490, 498 (1975). To demonstrate standing to file suit, Plaintiffs must show (1) an “injury in fact” or an “invasion of a legally protected interest” that is “concrete and particularized,” (2) a “causal connection between the injury and the conduct complained of,” and (3) a likelihood “that the injury will be redressed by a favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992).

These standing requirements also apply in the class action context. “[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Lewis v. Casey, 518 U.S. 343, 357 (1996) (citation and internal quotation marks omitted). “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O'Shea v. Littleton, 414 U.S. 488, 494 (1974). Accordingly, at least one of the three named Plaintiffs must have Article III standing to maintain this class action. See Neale v. Volvo Cars of North America, LLC, 794 F.3d 353, 364 (3d Cir. 2015).

A. Injury-in-Fact

Plaintiffs assert five potential injuries-in-fact: (1) increased risk of identity theft; (2) additional expenditures of time and money for monitoring; (3) lost or diminished value of their PHI; (4) a “diminished value of the services they paid Defendant to provide,” and (5) Mr. Motkowicz’s increased insurance costs. First Am. Compl. ¶¶ 6, 65. Based on the pleadings presented, I find that only Motkowicz has shown injury-in-fact. Because Graham and Morgan’s injuries are either speculative or manufactured, their claims are precluded by the Third Circuit’s opinion in Reilly v. Ceridian Corp., 664 F.3d 38.

The injury-in-fact requirement is intended to “distinguish a person with a direct stake in the outcome of a litigation—even though small—from a person with a mere interest in the problem.” United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669, 689 n.14 (1973). This standard is “not Mount Everest,” Danvers Motor Co., Inc. v. Ford Motor Co., 432 F.3d 286, 294 (3d Cir. 2005), and demands only that the plaintiff “allege some specific, ‘identifiable trifle’ of injury.” Cottrell v. Alcon Laboratories, 874 F.3d 154, 163 (3d Cir. 2017) (citing Bowman v. Wilson, 672 F.2d 1145, 1151 (3d Cir. 1982)) (internal punctuation omitted). Even so, an injury-in-fact “must be concrete in both a qualitative and temporal sense.” Reilly, 664 F.3d at 42. For this reason, “allegations of possible future injury,” will not suffice, and a plaintiff “lacks standing if his ‘injury’ stems from an indefinite risk of future harms inflicted by unknown third parties.” Id.

1. Economic loss in the form of increased insurance premiums

Motkowicz’s claim for increased insurance payments meets the injury-in-fact requirement. As noted by the Third Circuit, “[t]ypically, a plaintiff’s allegations of financial harm will easily satisfy each of these components, as financial harm is a ‘classic’ and ‘paradigmatic form’ of injury in fact.” Cottrell, 874 F.3d at 163 (internal punctuation omitted). See also Danvers, 432 F.3d at 293 (stating that where a plaintiff alleges financial harm, standing “is often assumed without discussion”). Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery. Nor has Plaintiff “manufactured” standing, as his additional insurance payments did not arise due to voluntary prophylactic action on his part. See Clapper v. Amnesty Intern. USA, 568 U.S. 393, 416 (2013) (stating that respondents cannot create “standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending”). I therefore conclude that Motkowicz has sufficiently alleged an injury-in-fact.

2. Injuries premised on future risks

In contrast, Plaintiffs’ claims of injury based on increased risk of identity theft do not confer standing under Reilly, where the Third Circuit outlined the contours of the “injury-in-fact” requirement in the data breach context. 664 F.3d at 42. As an initial matter, it is important to recognize that Plaintiffs are suing exclusively under common law. Where Congress has deemed certain conduct unlawful, standing can be conferred by alleging an injury recognized by statute. For example, because the Fair Credit Reporting Act confers certain protections on consumer data, it transforms what might otherwise be viewed as intangible harms into injuries-in-fact. See In Re Horizon, 846 F.3d at 639. Plaintiffs here cannot rely upon any such Congressional judgment as the basis for claiming injury. See Gennock v. Kirkland’s Inc., No. 17-454, 2017 WL 6883933, at *5 (W.D. Pa. 2017) (distinguishing between Horizon and Reilly “on the basis that [Reilly] involved common law claims, whereas in Horizon the plaintiffs cited an act in which Congress elevated the unauthorized disclosure of information into a tort”). Plaintiffs must therefore meet the requirements of Reilly.

The Reilly plaintiffs alleged that a hacker successfully infiltrated the defendant’s database and obtained the PHI of 27,000 employees. 664 F.3d at 40. The Third Circuit concluded that plaintiffs’ allegations, which included claims of increased risk, amounted to “hypothetical future injuries” that depended on the court assuming that the “hacker (1) read, copied, and understood their personal information; (2) intend[ed] to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants' names.” Id. at 42. The court further stated that, “unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.” Id.

Plaintiffs’ attempts to distinguish their case from Reilly are not persuasive. They first invoke decisions from the Sixth, Seventh, Ninth, and Tenth Circuits finding standing based on increased risk of harm.[1] Those cases may indeed have a more realistic view of the impact of data thefts on consumers, but I am bound by the Third Circuit’s approach. Plaintiffs next emphasize that there “was no evidence that the intrusion was intentional or malicious [in Reilly] … [h]owever, few things could be more intentional or malicious than a ransomware attack such as the attack at issue in this case.” Pls.’ Opp’n Mot. Dismiss 5, ECF 20. This distinction regarding the motives of the attacker does not render the injuries of these Plaintiffs any more concrete. The target of a ransomware attack is the holder of the confidential data; the misappropriation of the data, whether by theft or merely limitation on access to it, is generally the means to an end: extorting payment. A court is still left to speculate, as in Reilly, whether the hackers acquired Plaintiffs’ PHI in a form that would allow them to make unauthorized transactions in their names, as well as whether Plaintiffs are also intended targets of the hackers’ future criminal acts. At this juncture, the most Plaintiffs can plead is that the hackers secured their PHI through a ransomware attack against Universal.

[1] See, e.g., Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x. 384, 389 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016); In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F. Supp. 3d 1243, 1253 (M.D. Fla. 2019); In re Zappos.com, Inc., 888 F.3d 1020, 1027 (9th Cir. 2018).

As in Reilly, Plaintiffs’ risk of identity theft “is dependent on entirely speculative, future actions of an unknown third-party.” 664 F.3d at 42. Faced with similar facts, district courts within the Third Circuit have been compelled to conclude that consumers lack standing. See Clemens v. ExecuPharm, Inc., No. CV 20-3383, 2021 WL 735728, at *3 (E.D. Pa. Feb. 25, 2021) (stating that plaintiff involved in ransomware attack had failed to allege an injury-in-fact); In Re Rutter’s Inc. Data Breach Litigation, No. 20-cv-382, 2021 WL 29054, at *5 (M.D. Pa. Jan. 5, 2021) (holding that plaintiffs lacked standing where they “had not alleged actual ‘misuse’ of their information”); Storm v. Paytime Inc., 90 F. Supp. 3d 359, 368 (M.D. Pa. 2015) (“Plaintiffs have not alleged that harm to their privacy interest is actual or imminent”). In contrast, the Reilly standard can be met where a plaintiff is able to plead actual or imminent misuse of their personal information. See, e.g., Enslin v. Coca Cola Company, 136 F. Supp. 3d 654, 664 (E.D. Pa. 2015) (finding standing where the plaintiff suffered “alleged theft of funds from his bank accounts on two occasions, unauthorized use of four credit cards, and the unauthorized issuance of new credit cards in Plaintiff's name”).

Similarly, Plaintiffs’ preventative measures to monitor their financial records do not establish injury-in-fact. The Reilly court specifically rejected the theory that plaintiffs’ expenditures to safeguard their information following a data breach conferred standing. 664 F.3d at 46. It reasoned that “costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury.’” Id. The circumstances are nearly identical here, where Plaintiffs’ costs similarly consist of monitoring for criminality that has not occurred yet. Id. at 44; accord Clemens, 2021 WL 735728, at *5; Storm, 90 F. Supp. 3d at 367; In Re Rutter’s Inc., 2021 WL 29054, at *6.

Plaintiffs further assert the diminished value of their PHI, citing In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020). There, Judge Grimm cogently explained how personal data can have intrinsic value in an economy that relies heavily upon personally identifying information. Id. at 460–61. But the potential value of the information is not the issue. The issue remains whether Plaintiffs’ admittedly valuable information has been misused, and that remains speculative. See Clemens, 2021 WL 735728, at *4 (denying standing where claim was “still only ascertainable using the word ‘if’—if anyone actually downloaded her information from the dark web, if they attempt to use her information, and if they do so successfully, only then will she experience actual harm”).

And finally, without more, Plaintiffs may not achieve standing on the allegation that Defendant breached an implied contract. See First Am. Compl. ¶ 6 (alleging injury based on the “diminished value of the services they paid Defendant to provide”). A review of the district court record in Reilly reveals that the plaintiff there also asserted breach of contract, No. 10–5142, 2011 WL 735512, at *2 (D.N.J. Feb. 22, 2011), and that this claim did not prevent the Court of Appeals from affirming dismissal for lack of standing. Moreover, even assuming a contractual undertaking by Universal to protect the data, the harms flowing from the breach would remain speculative and therefore problematic under Reilly.

B. Causation

Mr. Motkowicz, the remaining named Plaintiff, has demonstrated injury-in-fact. To claim standing, he must further show that the injury-in-fact is “fairly traceable to the challenged conduct of the defendant.” Cottrell, 874 F.3d at 162. The Third Circuit has recently reiterated that “[t]he traceability element is akin to ‘but for’ causation in tort.” LaSpina v. SEIU Pennsylvania State Council, 985 F.3d 278, 284 (3d Cir. 2021). And at the pleading stage, “standing may be satisfied even if the plaintiff alleges an indirect (or multistep) causal relationship between the defendant's conduct and her injury.” Id. at 287.

Plaintiff’s theory of causation appears to proceed as follows: “but for” Defendant’s negligence, the data breach would not have occurred, Motkowicz’s appointment would not have been canceled, and he would have returned to work on time and maintained his prior insurance. This causal chain presents Plaintiff with a significant challenge, but a definitive answer as to standing requires further development of the record. The Third Circuit has held that “[t]he District Court, rather than a jury, resolves factual issues relevant to determining whether a party has standing.” Freedom from Religion Found., Inc. v. New Kensington Arnold Sch. Dist., 832 F.3d 469, 475 n.4 (3d Cir. 2016). “District courts, when assessing pre-discovery challenges to standing, may consider plaintiffs' affidavits or conduct preliminary evidentiary hearings.” Finkelman v. National Football League, 810 F.3d 187, 202 n.97 (3d Cir. 2016) (citing Doherty v. Rutgers Sch. of Law–Newark, 651 F.2d 893, 898 n. 6 (3d Cir. 1981)).

The pandemic presents logistical challenges to in-person hearings. I will therefore give the parties sixty days within which to conduct discovery and supplement the record with affidavits or deposition testimony pertinent to the issue of causation.

IV. Conclusion

For the reasons set forth above, Defendant’s Motion to Dismiss Plaintiff’s First Amended Complaint will be granted in part. An appropriate order follows.

/s/ Gerald Austin McHugh
United States District Judge