Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Horizon Healthcare Services Inc.

United States Court of Appeals, Third Circuit

January 20, 2017

In Re: HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION Courtney Diana; Mark Meisel; Karen Pekelney; Mitchell Rindner, Appellants

          Argued: July 12, 2016

         On Appeal from the United States District Court for the District of New Jersey (D.N.J. No. 2-13-cv-07418) District Judge: Honorable Claire C. Cecchi

          Ben Barnow Erich P. Schork [ARGUED] Barnow & Associates, P.C., Joseph J. DePalma Jeffrey A. Shooman Lite DePalma Greenberg, LLC, Robert N. Kaplan David A. Straite Kaplan Fox & Kilsheimer LLP, Laurence D. King Kaplan Fox & Kilsheimer LLP, Philip A. Tortoreti Wilentz, Goldman & Spitzer, Counsel for Appellants

          Kenneth L. Chernof [ARGUED] Arthur Luk Arnold & Porter LLP, David Jay Philip R. Sellinger Greenberg Traurig Counsel for Appellee

          Before: JORDAN, VANASKIE, and SHWARTZ, Circuit Judges.

          OPINION

          JORDAN, Circuit Judge.

         The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681, et seq., as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information. The District Court dismissed the suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing. According to the Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

         We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs' information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).

         I. Background

         A. Factual Background[1]

         Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey ("Horizon") is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information (e.g., names, dates of birth, social security numbers, and addresses) and protected health information (e.g., demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named Plaintiffs - Courtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner[2] - and other class members are or were participants in, or as Horizon puts it, members of Horizon insurance plans. They entrusted Horizon with their personal information.[3]

         Horizon's privacy policy states that the company "maintain[s] appropriate administrative, technical and physical safeguards to reasonably protect [members'] Private Information." (App. at 29.) The policy also provides that, any time Horizon relies on a third party to perform a business service using personal information, it requires the third party to "safeguard [members'] Private Information" and "agree to use it only as required to perform its functions for [Horizon] and as otherwise permitted by … contract and the law." (App. at 29.) Through the policy, Horizon pledges to "notify [members of its insurance plans] without unreasonable delay" of any breach of privacy. (App. at 29.)

         During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839, 000 other Horizon members were stolen from Horizon's headquarters in Newark, New Jersey. The Complaint alleges that "[t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs' and Class Members' highly sensitive and private [personal information] on them." (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers "may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information." (App. at 33.)

         Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, "Horizon confirmed that it had not encrypted all of its computers that contained [personal information]." (App. at 35.) Thereafter, "Horizon allegedly established safeguards to prevent a similar incident in the future-including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it." (App. at 35.)

         Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, "[a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner's and his wife's names and stole their 2013 income tax refund." (App. at 27.) Rindner eventually did receive the refund, but "spent time working with the IRS and law enforcement … to remedy the effects" of the fraud, "incurred other out-of-pocket expenses to remedy the identity theft[, ]" and was "damaged financially by the related delay in receiving his tax refund." (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner's credit card number in an online transaction. Rindner was also "recently denied retail credit because his social security number has been associated with identity theft." (App. at 27.)

         B. Procedural Background

         The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law.[4] FCRA was enacted in 1970 "to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy." Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52 (2007). With respect to consumer privacy, the statute imposes certain requirements on any "consumer reporting agency" that "regularly ... assembl[es] or evaluat[es] consumer credit information ... for the purpose of furnishing consumer reports to third parties." 15 U.S.C. § 1681a(f). Any such agency that either willfully or negligently "fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer." Id. §§ 1681n(a) (willful violations); 1681o(a) (negligent violations).

         In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon "furnish[ed]" their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures[5] to keep sensitive information confidential.[6] According to the Plaintiffs, Horizon's failure to protect their personal information violated the company's responsibility under FCRA to maintain the confidentiality of their personal information.[7]

         The Plaintiffs seek statutory, [8] actual, and punitive damages, an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner, reimbursement for ascertainable losses, pre- and post-judgment interest, attorneys' fees and costs, and "such other and further relief as this Court may deem just and proper." (App. at 64.)

         Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6). The District Court granted dismissal under Rule 12(b)(1), ruling that the Plaintiffs lack Article III standing. The Court concluded that, even taking the Plaintiffs' allegations as true, they did not have standing because they had not suffered a cognizable injury. Because the Court granted Horizon's Rule 12(b)(1) motion, it did not address Horizon's Rule 12(b)(6) arguments and declined to exercise supplemental jurisdiction over the remaining state law claims.

         The Plaintiffs filed this timely appeal.

         II. Discussion

         A. Jurisdiction and Standard of Review

         The District Court exercised jurisdiction over the Plaintiffs' FCRA claims pursuant to 28 U.S.C. § 1331, though it ultimately concluded that it did not have jurisdiction due to the lack of standing. Having decided that the Plaintiffs did not have standing under FCRA, the District Court also concluded that it "lack[ed] discretion to retain supplemental jurisdiction over the state law claims" under 28 U.S.C. § 1367. (App. at 23 (citation omitted).) See Storino v. Borough of Pleasant Beach, 322 F.3d 293, 299 (3d Cir. 2003) (holding that "because the [plaintiffs] lack standing, the District Court lacked original jurisdiction over the federal claim, and it therefore could not exercise supplemental jurisdiction"). We exercise appellate jurisdiction pursuant to 28 U.S.C. § 1291.

         Our review of the District Court's dismissal of a complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) is de novo. United States ex rel. Atkinson v. Pa. Shipbuilding Co., 473 F.3d 506, 514 (3d Cir. 2007). Two types of challenges can be made under Rule 12(b)(1) - "either a facial or a factual attack." Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016). That distinction is significant because, among other things, it determines whether we accept as true the non-moving party's facts as alleged in its pleadings. Id. (noting that with a factual challenge, "[n]o presumptive truthfulness attaches to [the] plaintiff's allegations … ." (internal quotation marks omitted) (second alteration in original)). Here, the District Court concluded that Horizon's motion was a facial challenge because it "attack[ed] the sufficiency of the consolidated complaint on the grounds that the pleaded facts d[id] not establish constitutional standing." (App. at 10.) We agree. Because Horizon did not challenge the validity of any of the Plaintiffs' factual claims as part of its motion, it brought only a facial challenge. It argues that the allegations of the Complaint, even accepted as true, are insufficient to establish the Plaintiffs' Article III standing.

         In reviewing facial challenges to standing, we apply the same standard as on review of a motion to dismiss under Rule 12(b)(6). See Petruska v. Gannon Univ., 462 F.3d 294, 299 n.1 (3d Cir. 2006) (noting "that the standard is the same when considering a facial attack under Rule 12(b)(1) or a motion to dismiss for failure to state a claim under Rule 12(b)(6)" (citation omitted)). Consequently, we accept the Plaintiffs' well-pleaded factual allegations as true and draw all reasonable inferences from those allegations in the Plaintiffs' favor.[9] Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Nevertheless, "[t]hreadbare recitals of the elements of [standing], supported by mere conclusory statements, do not suffice." Id. We disregard such legal conclusions. Santiago v. Warminster Twp., 629 F.3d 121, 128 (3d Cir. 2010). Thus, "[t]o survive a motion to dismiss [for lack of standing], a complaint must contain sufficient factual matter" that would establish standing if accepted as true. Iqbal, 556 U.S. at 678 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).

         There are three well-recognized elements of Article III standing: First, an "injury in fact, " or an "invasion of a legally protected interest" that is "concrete and particularized." Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). Second, a "causal connection between the injury and the conduct complained of[.]" Id. And third, a likelihood "that the injury will be redressed by a favorable decision." Id. at 561 (citation and internal quotation marks omitted).

         This appeal centers entirely on the injury-in-fact element of standing - more specifically, on the concreteness requirement of that element.[10]

         "In the context of a motion to dismiss, we have held that the [i]njury-in-fact element is not Mount Everest. The contours of the injury-in-fact requirement, while not precisely defined, are very generous, requiring only that claimant allege[ ] some specific, identifiable trifle of injury." Blunt v. Lower Merion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (emphasis omitted) (citation and internal quotation marks omitted) (second alteration in original). "At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presum[e] that general allegations embrace those specific facts that are necessary to support the claim." Lujan, 504 U.S. at 561 (citation and internal quotation marks omitted) (alteration in original).

         The requirements for standing do not change in the class action context. "[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Lewis v. Casey, 518 U.S. 343, 357 (1996) (citation and internal quotation marks omitted). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton, 414 ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.