BETH BLOOM, UNITED STATES DISTRICT JUDGE.
Plaintiff Yehonatan Weinberg ("Plaintiff") commenced this class action lawsuit on August 4, 2015, against Defendants Advanced Data Processing, Inc. ("ADP") and Intermedix Corp. ("Intermedix," together with ADP, "Defendants"),
At some point in 2012, Plaintiff was taken by ambulance to a hospital for emergency medical treatment. Compl. ¶ 36. In order to use the ambulance, Plaintiff was required to provide the ambulance service with his Sensitive Information. Id. ¶ 37. "Unbeknownst to Plaintiff," the ambulance services he used, Philadelphia Fire Department Emergency Medical Services ("EMS"), engaged Defendants to handle its billing and payment-related processing services. Id. ¶ 38. As a result, Defendants received Plaintiff's Sensitive Information. Id. Between June 1 and October 2, 2012, "an Intermedix employee systematically accessed and viewed the Sensitive Information of hundreds (if not thousands) of emergency medical service patients [the Class] who used ambulances ([for] which Intermedix provided, among other things, billing and payment processing []). This Sensitive Information was then provided to third parties who used it to file fraudulent tax returns with the Internal Revenue Service." Id. ¶¶ 4, 21.
The records accessed and viewed by the Intermedix employee included Plaintiff's Sensitive Information. Id. ¶ 39. Plaintiff's Sensitive Information was "thereafter disclosed to or sold to a group of individuals who subsequently used that information to steal his identity and file a fraudulent tax return using his name and Social Security number." Id. ¶ 40. Plaintiff alleges that "after learning that his identity was stolen, Plaintiff Weinberg spent (and continues to spend) a substantial amount of time and resources fixing the identity theft that he experienced." Id. ¶ 41. Plaintiff further claims that these instances of identity theft, both for him and for the Class, were caused directly by Intermedix's failure to protect his Sensitive Information. Id. ¶¶ 6, 44-46.
Intermedix's alleged security failures include, but are not limited to, the following:
Id. ¶¶ 30-31. The Complaint also alleges that Defendants failed to comply with industry standards relating to data security.
The Complaint states three counts — one for negligence, a second for breach of fiduciary duty, and a third for unjust enrichment. As to the negligence claim, Plaintiff asserts that Defendants "had a duty to exercise reasonable care in safeguarding and protecting" Sensitive Information, id. ¶ 55, as well as "a duty to employ procedures to detect and prevent the improper access and misuse of the Plaintiff's and the Class's Sensitive Information," id. ¶ 56. Plaintiff alleges that Defendants unlawfully breached these duties. Id. ¶¶ 56-57. "But for [Defendants'] breach of its duties, Plaintiff's and the Class's Sensitive Information would not have been compromised. Plaintiff's and the Class's Sensitive Information was stolen and accessed as the proximate result of Intermedix failing to exercise reasonable care in safeguarding such information by adopting, implementing, and maintaining appropriate security measures." Id. ¶ 59. Pursuant to the claim for breach of fiduciary duty, Defendants "owed a fiduciary duty to Plaintiff and the Class to: (1) protect their Sensitive Information; (2) timely notify them of a data breach; and (3) maintain complete and accurate records of what and where their Sensitive Information was stored and who had access to that information." Id. ¶ 63. Defendants breached this duty to Plaintiff and the Class by failing to safeguard their Sensitive Information, which failures are articulated in more detail above and in the Complaint. See id. ¶ 64. For counts one and two, Plaintiff alleges actual damages that proximately flow from Defendants' breach of fiduciary duty, as well as "other forms of injury and/or harm including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses." Id. ¶¶ 60-61, 65-66.
A pleading in a civil action must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed.R.Civ.P. 8(a)(2). Although a complaint "does not need detailed factual allegations," it must provide "more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007); see Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (explaining that Rule 8(a)(2)'s pleading standard "demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation"). Nor can a complaint rest on "`naked assertion[s]' devoid of `further factual enhancement.'" Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Twombly, 550 U.S. at 557, 127 S.Ct. 1955 (alteration in original)). When reviewing such a motion, a court, as a general rule, must accept the plaintiff's allegations as true and evaluate all plausible inferences derived from those facts in favor of the plaintiff. See Chaparro v. Carnival Corp., 693 F.3d 1333, 1337 (11th Cir.2012); Miccosukee Tribe of Indians of Fla. v. S. Everglades Restoration Alliance, 304 F.3d 1076, 1084 (11th Cir.2002); AXA Equitable Life Ins. Co. v. Infinity Fin. Grp., LLC, 608 F.Supp.2d 1349, 1353 (S.D.Fla.2009) ("On a motion to dismiss, the complaint is construed in the light most favorable to the non-moving party, and all facts alleged by the non-moving party are accepted as true.").
A court considering a Rule 12(b) motion is generally limited to the facts contained in the complaint and attached exhibits, including documents referred to in the complaint that are central to the claim. See Wilchombe v. TeeVee Toons, Inc., 555 F.3d 949, 959 (11th Cir.2009); Maxcess, Inc. v. Lucent Technologies, Inc., 433 F.3d 1337, 1340 (11th Cir.2005) ("[A] document outside the four corners of the complaint may still be considered if it is central to the plaintiff's claims and is undisputed in terms of authenticity.") (citing Horsley v. Feldt, 304 F.3d 1125, 1135 (11th Cir.2002)).
Defendants argue that Plaintiff's allegations are conclusory and, thus, insufficient. See Motion at 2. For this reason, they argue that none of Plaintiff's three counts state a claim upon which relief can be granted. See id. Plaintiff counters that Defendants' arguments are unsupported and improperly rely on facts outside of the four corners of the complaint. See ECF No. [18] ("Plaintiff's Response") at 2.
Defendants argue that dismissal of Plaintiff's negligence claim is warranted because Plaintiff has failed to establish any direct relationship between the parties — and even explicitly conceded as much. See Motion at 5-6 (quoting Compl. ¶ 24) ("Plaintiff pleads that he `did not have a direct relationship (business or otherwise) with [Defendants].'"). Plaintiff responds that Defendants owed him a duty that
A negligence claim requires a plaintiff to show that (1) defendant owes plaintiff a duty, (2) defendant breached the duty, (3) defendant's breach injured plaintiff, and "(4) [plaintiff's] damage [was] caused by the injury to the plaintiff as a result of the defendant's breach of duty." Resnick v. AvMed, Inc., 693 F.3d 1317, 1325 (11th Cir.2012) (quoting Delgado v. Laundromax, Inc., 65 So.3d 1087, 1089 (Fla. 3d DCA 2011)). Here, Defendants only dispute the first element of the negligence claim — the duty Owed by them to Plaintiff. "Duty for purposes of a negligence claim encompasses concepts of foreseeability and may arise from: (1) legislative enactments or administration regulations; (2) judicial interpretations of such enactments and regulations; (3) other judicial precedent; and (4) a duty arising from the general facts of the case." Zinn v. United States, 835 F.Supp.2d 1280, 1311 (S.D.Fla.2011) (citing Clay Elec. Coop., Inc. v. Johnson, 873 So.2d 1182, 1185 (Fla.2003)). The third category, judicial precedent, dictates that a defendant may assume a duty "whenever one undertakes to provide a service to others, whether one does so gratuitously or by contract, the individual who undertakes to provide the service thereby assumes a duty to act carefully and to not put others at undue risk of harm." Zinn, 835 F.Supp.2d at 1312 (citing Clay Electric Coop., Inc. v. Johnson, 873 So.2d 1182, 1186 (Fla.2003)). This case law principle is known as the "undertaker's doctrine." See id. The fourth category encompasses "that class of cases in which the duty arises because of a foreseeable zone of risk arising from the acts of the defendant." McCain v. Florida Power Corp., 593 So.2d 500, 503 n. 2 (Fla.1992); see Lamm v. State Street Bank and Trust, 749 F.3d 938, 947 (11th Cir.2014) (citations omitted) ("Florida recognizes that a legal duty arises whenever a human endeavor creates a generalized and foreseeable risk of harming others."). Plaintiffs argue that Defendants' duty in this instance arose from three independent sources: (1) HIPAA; (2) the undertaker's doctrine; and (3) the foreseeable zone of risk created by Defendants. See Pl. Resp. at 6-7.
HIPAA provides no private right of action — a fact which Plaintiff does not contest. See Pl. Resp. at 7-8; Jenkins v. Grant Thornton LLP, 2014 WL 860547, at *7 (S.D.Fla. March 5, 2014) (citing Sneed v. Pan American Hosp., 370 Fed.Appx. 47, 50 (11th Cir.2010) ("We decline to hold that HIPAA creates a private clause of action.")); see also Bradley v. Pfizer, Inc., 440 Fed.Appx. 805, 809 (11th Cir.2011) (relying on Fifth Circuit decision in holding for first time that "there is no private right of action for a violation of HIPAA's confidentiality provisions"). Yet, Plaintiff still maintains that he has stated a claim for negligence based upon alleged HIPAA violations.
"Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute that does not provide for a private right of action." Stevens v. Danek Medical, Inc., 1999 WL 33217282, at *5-6 (S.D.Fla.1999) (citing Jupiter Inlet Corp. v. Brocard, 546 So.2d 1, 2-3 (Fla. 4th DCA 1998) ("OSHA [Occupational Safety and Health Act] does not provide the basis for a private right of action.... [Thus,] "violation of OSHA does not constitute per se negligence); see Zarrella v. Pacific Life Ins. Co., 755 F.Supp.2d 1218, 1228-29 (S.D.Fla. Nov. 10, 2010) ("Plaintiffs cannot use negligence per se to create a private
"The undertaker's doctrine imposes a duty of care not only on the parties to a contract but also to any third parties that perform services under the contract." Hogan v. Provident Life & Acc. Ins. Co., 665 F.Supp.2d 1273, 1285 (M.D.Fla.2009) (holding that, pursuant to the undertaker's doctrine, "[t]he duty of care owed by [defendant] Unum to Hogan is plausibly established by Hogan's allegation that Unum's employees "adjusted, reviewed, evaluated, handled, approved, and/or denied Hogan's disability insurance benefits."); see also Clay Elec. Co-op., Inc., 873 So.2d at 1186. This implied legal obligation or duty to act with reasonable care exists "to the end that the person or property of others may not be injured." Ramjeawan v. Bank of America Corp., 2010 WL 1645097, at *3 (S.D.Fla. Apr. 21, 2010) (emphasis added) (citing Union Park Memorial Chapel v. Hutt, 670 So.2d 64, 67 (Fla.1996)); see Assouman v. Bank of America Corp., 2008 WL 2262031, at *3 (M.D.Fla. May 30, 2008) (denying defendant's motion where, "taking all the allegations in a light most favorable to plaintiff, the Court finds that it is foreseeable" that defendant "may have undertaken a duty").
Here, Plaintiff alleges that Defendants voluntarily agreed to provide EMS with medical billing and payment processing services, through which Defendants knowingly received Plaintiff's (as well as the Class's) Sensitive Information. Compl. ¶¶ 38, 55. Defendants, therefore, "assume[d] a duty to act carefully and to not put [those patients] at an undue risk of harm" by, for example, neglecting to implement data security policies and procedures. Id. ¶¶ 3235. These allegations are sufficient to state a claim for negligence pursuant to the undertaker's doctrine.
In their Motion, Defendants rely on cases with no-duty findings predicated upon factual circumstances that are conspicuously absent in the instant action. See, e.g., Willingham v. Glob. Payments, Inc., 2013 WL 440702, at *18 (N.D.Ga. Feb. 5, 2013) (finding no duty because plaintiffs, non-Georgia residents, alleged negligence claim predicated on Georgia's Data Breach Notification statute, which created a duty with respect to Georgia residents only); Hammond v. The Bank of N.Y. Mellon Corp., 2010 WL 2643307, at *9 (S.D.N.Y. June 25, 2010) (holding no duty in case with defendant bank because, "generally, banks owe no duty of care to their non-customers"). Defendants fail to present any other bases for dismissal of Plaintiff's negligence claim for the Court's analysis. Thus, Defendants' one-note attack must fail. Because the Court concludes that Plaintiff has sufficiently alleged a duty pursuant to the undertaker's doctrine, the Court refrains from analyzing Plaintiff's final argument for imposition of a duty arising under the "foreseeable zone of risk" standard. See, e.g., Virgilio v.
The elements of a claim for breach of fiduciary duty are: (1) the existence of a fiduciary relationship; (2) breach of a duty owed by the fiduciary; and (3) proximate cause. Combe v. Flocar Inv. Grp. Corp., 977 F.Supp.2d 1301, 1307 (S.D.Fla.2013) (citation omitted). Fiduciary relationships must be either expressly or impliedly created. See Greenberg v. Miami Children's Hosp. Research Inst., Inc., 264 F.Supp.2d 1064, 1071 (S.D.Fla.2003) (citing Capital Bank v. MVB, Inc., 644 So.2d 515, 518 (Fla. 3d DCA 1994)); see also Bldg. Educ. Corp. v. Ocean Bank, 982 So.2d 37, 41 (Fla. 3d DCA 2008) (quoting Doe v. Evans, 814 So.2d 370, 374 (Fla.2002) ("While a contractual relationship between the parties is not required to form a fiduciary relationship, a party must be `under a duty to act for or to give advice for the benefit of another upon matters within the scope of that relation.'").
"A fiduciary relationship which is implied in law is based on the specific factual circumstances surrounding the transaction and the relationship of the parties." First Nat'l Bank & Trust Co. of Treasurer Coast v. Pack, 789 So.2d 411, 415 (Fla. 4th DCA 2001) (citations omitted). "To establish a fiduciary relationship, a party must allege some degree of dependency on one side and some degree of undertaking on the other side to advise, counsel, and protect the weaker party." Jaffe v. Bank of Am., N.A., 667 F.Supp.2d 1299, 1319 (S.D.Fla.2009). Generally, "in an arms-length transaction, however, there is no duty imposed on either party to act for the benefit or protection of the other party, or to disclose facts that the other party could, by its own diligence have discovered." Id. (citing Watkins v. NCNB Nat'l Bank, N.A., 622 So.2d 1063, 1065 (Fla. 3d DCA 1993)).
By Plaintiff's own admissions, Plaintiff did not depend upon either Defendant nor did either Defendant undertake to counsel, act for, or protect Plaintiff in any capacity. Compl. ¶ 24 (Plaintiff "did not have a direct relationship (business or otherwise) with Intermedix."). Because he cannot plead facts to establish any direct relationship, let alone a fiduciary one, Plaintiff appears to improperly base his claim on the conclusory allegation that "[a]s guardians of Plaintiffs' ... Sensitive Information, Defendant owed a fiduciary duty to Plaintiff and the Class." Id. ¶ 63. But the mere receipt of confidential information is insufficient by itself to transform an arm's-length transaction into a fiduciary relationship. See Winter Park Condo. Ltd. P'ship v. Wachovia Bank, N.A., 2009 WL 290992, at *1 (M.D.Fla. Feb. 6, 2009) (citing Barnett Bank of Marion Cty., N.A. v. Shirey, 655 So.2d 1156 (Fla. 5th DCA 1995)) (Florida law "does not stand for the proposition attributed to it by the Plaintiff ... that the bank's receipt of confidential information gave rise to a fiduciary obligation."). See, e.g., Silver v. Countrywide Home Loans, Inc., 760 F.Supp.2d 1330, 1338 (S.D.Fla.2011), aff'd, 483 Fed.Appx. 568 (11th Cir.2012) (holding that "the mere communication of confidential information between the borrower and the bank is not enough to establish a fiduciary obligation."); see also Dolmage v. Combined Insurance Company of America, 2015 WL 292947, at *6 (N.D.Ill. Jan. 21, 2015) (plaintiff's allegations, that she and the class members placed their trust in defendant with regard to the handling, maintenance, and disposition of their confidential personal information, were insufficient to establish that defendant owed them a fiduciary duty to secure and protect their information). Accordingly, Plaintiff's claim for breach of fiduciary duty must be dismissed.
Defendants argue that Plaintiff's allegations demonstrate that any subject transaction was too tenuous to support a direct conferral of benefit, as required by a valid claim for unjust enrichment. Plaintiff responds that direct contact between the parties is unnecessary to confer a direct benefit on a defendant for purposes of an unjust enrichment claim. The Court agrees.
Unjust enrichment is an equitable doctrine that "has to do with wealth being in one person's hands when it should be in another person's." Jovine v. Abbott Labs., Inc., 795 F.Supp.2d 1331, 1341 (S.D.Fla.2011) (quoting Guyana Tel. & Tel. Co. v. Melbourne Int'l Commc'ns, Ltd., 329 F.3d 1241, 1245 n. 3 (11th Cir. 2003)). In Florida, "[t]o establish a cause of action for unjust enrichment/restitution, a Plaintiff must show that `1) the plaintiff has conferred a benefit on the defendant; 2) the defendant has knowledge of the benefit; 3) the defendant has accepted or retained the benefit conferred; and 4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it.'" Resnick, 693 F.3d at 1328 (quoting Della Ratta v. Della Ratta, 927 So.2d 1055, 1059 (Fla.Dist.Ct.App.2006)).
The Court finds Resnick instructive. 693 F.3d at 1328. There, plaintiffs alleged as follows:
Resnick, 693 F.3d at 1328 (quoting complaint). The Eleventh Circuit found that these allegations were sufficient to survive a motion to dismiss. See id.
Similarly, under the instant facts, Plaintiff alleges that he paid EMS for his ambulance trip and, as a result of the direct relationship between EMS and Defendants, a portion of his payment was transferred to Defendants. Compl. ¶ 38. Plaintiff further alleges that a portion of Defendants' share of this payment was supposed to be, but was not, "used ... to pay for the administrative costs of data management and security." Id. ¶ 70. The only fact differentiating this case from Resnick is the fact that Plaintiff paid Defendants through EMS, an intermediary. But, the "direct benefit" element of an unjust enrichment claim may be satisfied where a benefit is conferred through an intermediary. In other words, a direct benefit can derive from a transaction with no direct contact. See, e.g., Williams v. Wells Fargo Bank, N.A., 2011 WL 4901346, at *5 (S.D.Fla. Oct. 14, 2011) (unjust enrichment claim survived even though the at-issue benefit did not pass directly between the parties and, instead, passed through a third party); Ulbrich v. GMAC Mortg., LLC, 2012 WL 3516499, at *2 (S.D.Fla. Aug. 15, 2012) (allegations that third-party Balboa charged plaintiff inflated premiums and "skimmed the excess for themselves" was sufficient to show that plaintiff, by paying the allegedly excessive premiums, conferred a direct benefit on third-party); Carriuolo v. Gen. Motors LLC, 72 F.Supp.3d 1323, 1326 (S.D.Fla.2014) ("Plaintiffs have alleged that they have conferred the required direct
Plaintiff alleges that he made a one-time payment to EMS for its services and, as part and parcel to those services, reasonably expected that his Sensitive Information would remain confidential and protected. Compl. ¶¶ 68-70. EMS, in turn, decided to hire and pay Defendants to perform the portion of those services relating to billing and payment processing, which, as alleged, also involved the transmittal of Sensitive Information belonging to Plaintiff and the Class. Id. ¶ 38. Thus, Plaintiff's single payment directly benefited both EMS and Defendants — even if Defendants received it by way of EMS. See, e.g., Romano v. Motorola, Inc., 2007 WL 4199781, at *2 (S.D.Fla. Nov. 26, 2007) (denying motion to dismiss unjust enrichment claim against cell phone manufacturer, even though plaintiff directly paid a non-defendant retailer, because "[d]efendant erroneously equates direct contact with direct benefit"). The fact that EMS functioned as a payment intermediary has no legal significance for Plaintiff's unjust enrichment claim. Because the remainder of Plaintiff's unjust enrichment claim stands unchallenged, Defendants' Motion is denied on this count.
Accordingly, it is