United States District Court, W.D. Wisconsin
YVONNE MART FOX, GRANT NESHEIM, DANIELLE DUCKLEY, and SHELLY KITSIS, on behalf of themselves and all others similarly situated, Plaintiffs,
v.
IOWA HEALTH SYSTEM d/b/a UNITYPOINT HEALTH, Defendant.
OPINION AND ORDER
D. PETERSON, DISTRICT JUDGE
UnityPoint Health runs a network of hospitals, clinics, home
care services, and health insurers throughout Wisconsin,
Iowa, and Illinois. In 2017 and 2018, UnityPoint's email
system was hacked. Plaintiffs, all customers of UnityPoint,
say that hackers obtained their private health information
and other personal identifying information (such as Social
Security numbers) that can be used to commit identity theft.
Plaintiffs filed this proposed class action, asserting 14
different claims under Wisconsin, Illinois, and Iowa law.
UnityPoint moves to dismiss under Federal Rule of Civil
Procedure 12(b)(1) for lack of standing and under Rule
12(b)(6) for failure to state a claim upon which relief may
be granted. Dkt. 27.
The court will grant the motion only in part. Plaintiffs'
allegations are sufficient to establish standing under
Article III of the Constitution. The court will dismiss some
of plaintiffs' claims for failure to state a claim: (1)
Shelly Kitsis and Danielle Duckley's claims for
negligence and negligence per se because they are barred by
the Illinois and Iowa economic loss doctrines; (2)
plaintiffs' claims for invasion of privacy because they
do not allege that UnityPoint intentionally released their
information; (3) plaintiffs' common law and statutory
misrepresentation claims because plaintiffs have not pleaded
reliance or damages; and (4) plaintiffs' claim under
Wisconsin's data breach notification statute, Wis.Stat.
§ 134.98, because it does not create a private right of
action. The court will also exercise its discretion to
decline to hear plaintiffs' claim for declaratory relief
under the Declaratory Judgment Act. Plaintiffs may proceed on
all other claims. Plaintiffs ask for leave to amend their
complaint to cure any deficiencies that lead to claims being
dismissed. But because any amendment would likely be futile,
the court will deny the request.
Also before the court are plaintiffs' notice of supplemental
authority, Dkt. 51, and UnityPoint's motion for leave to
respond to the supplemental authority, Dkt. 52, which
plaintiffs oppose. Plaintiffs' motion is granted;
UnityPoint's is denied. But the supplemental authority is
a district court case from outside this jurisdiction which
addresses the issue of standing in data breach cases. There
is already binding authority in this jurisdiction on the
issue of standing, so the supplemental authority adds little
to the analysis. UnityPoint has also filed its own notice of
supplemental authority. Dkt. 54. The court will accept
UnityPoint's supplemental authority, but it too adds
little to the analysis. That case is about standing to sue
for violations of the Fair Credit Reporting Act. It did not
involve a data breach, or any other allegations that are
analogous to this case.
The court draws the following facts from plaintiffs' amended
complaint. Dkt. 22.
Plaintiffs are customers of UnityPoint. Yvonne Fox and Grant Nesheim
live and use UnityPoint services in Wisconsin, Danielle
Duckley lives and uses UnityPoint services in Illinois, and
Shelly Kitsis lives and uses UnityPoint services in Iowa.
As part of its health care and insurance business, UnityPoint stores
the personal information of its patients and customers. This
information includes patient names, Social Security numbers,
payment information, phone numbers, and email addresses.
UnityPoint also keeps patient health care information, such
as lab results, treatment notes, and diagnoses. Its privacy
policy promises to use security procedures to protect
personal information from misuse or unauthorized disclosure.
The policy says that UnityPoint will store personal
information “in a secure database behind an electronic
firewall.” Dkt. 22, ¶ 156. In the event of a data
breach, UnityPoint says it will notify customers
“without unreasonable delay but in no case later than
60 days after we discover the breach.” Id.
A. First data breach
On November 1, 2017, hackers gained access to UnityPoint
employee email accounts and stole the personal health
information of more than 16,000 UnityPoint patients. The
hackers were “motivated to steal” and
“specifically targeted” health information and
other sensitive information like Social Security numbers.
Id., ¶ 24. UnityPoint discovered the data
breach between February 7 and February 15, 2018, but it did
not notify the public until two months later, when it sent a
letter to those affected by the breach. The letter stated:
[UnityPoint] discovered your protected health information was
contained in an impacted email account, including your name
and one or more of the following: date of birth, medical
record number, treatment information, surgical diagnosis, lab
results, medication(s), provider(s), date(s) of service
and/or insurance information . . . The information did not
include your Social Security number.
Id., ¶¶ 20-21.
UnityPoint knew that this letter was not accurate. On the same day that
it sent the letter, it disclosed to the Wisconsin Department
of Agriculture, Trade and Consumer Protection that the breach
actually did include Social Security numbers.
Fox and Nesheim each received a copy of the letter. Fox called
UnityPoint to get more information about what specific health
information had been stolen. She spoke to two
representatives, but neither was able to give her further
information about the breach. Both representatives told her
to “take precautions to protect [her]
information.” Id., ¶¶ 55, 58. Fox
asked if UnityPoint would pay for any “precautions,”
and UnityPoint said that it would not. After these
conversations, Fox subscribed to an online credit monitoring
service so that she could be notified of any future identity
theft. Id., ¶ 63.
Second data breach
31, 2018, UnityPoint discovered that hackers had again
accessed its employees' email accounts. This time,
hackers stole the private information of about 1.4 million
patients. Once again, UnityPoint waited two months before it
disclosed the breach to the public. On July 30, it sent a
letter to affected class members:
[Stolen information] included your name and one or more of
the following information: address, date of birth, Social
Security number, driver's license number, medical record
number, medical information, treatment information, surgical
information, diagnosis, lab results, medication(s),
provider(s), date(s) of service and/or insurance information
Id., ¶ 33.
The letter advised recipients to protect themselves against
identity theft by monitoring their health information.
UnityPoint also offered a complimentary, one-year membership
with Experian, which provides identity-theft prevention
services. All four plaintiffs received a copy of this letter.
Incidents following the data breaches
Since the data breaches, plaintiffs have been victims of attempted
identity theft and fraud as well as scam phone calls and
spam emails. In 2018, Fox noticed an increase in autodialed phone calls and
spam emails. From April 13 to July 7, she received about 63
autodialed calls to her landline. Several of these calls came
from a number identified as “BC Health Clinics,”
and involved a medical scam. Id., ¶ 52.
(Plaintiffs do not provide any further detail about the
medical scam.) Fox did not receive any scam medical calls
before the data breaches.
Nesheim also received more autodialed calls after the data breaches.
These calls were so frequent that Nesheim bought a second
phone to use for work. In May or June 2018, Nesheim
discovered a suspicious charge on his credit card. He
canceled his card and asked his bank to issue a new one.
Later, in early July, Nesheim was notified that someone had
used his private health information to open a new credit card
at a different bank. Nesheim is currently working with that
bank to ensure that it did not keep open an account in his
name. Had Nesheim known about the data breaches as soon as
they occurred, he would have “made a timely and
informed decision to take action to mitigate the
injury.” Id., ¶ 73.
Duckley also received more spam emails and autodialed phone calls
after the data breaches. After the second data breach,
Duckley became locked out of her pre-existing Experian
account due to repeated, unauthorized log-in attempts. When
Duckley called Experian to change her password and regain
access to the account, Experian told her that the UnityPoint
data breach “had undoubtedly been the cause” of
the repeated log-in attempts. Id., ¶ 76. Had
Duckley known about the second data breach as soon as it
occurred, she would have “made a more timely and
informed decision to take action to mitigate the
injury.” Id., ¶ 79.
Kitsis, like the other plaintiffs, received more spam emails
and autodialed phone calls after the data breaches. Also, her
health information is “extraordinarily sensitive,”
and the stress caused by the data breach is taking a
“significant emotional and physical toll.”
Id., ¶ 84.
The threat of identity theft is exacerbated by what hackers refer
to as “fullz packages.” Id., ¶ 66.
A fullz package is a dossier that compiles information about
a victim from a variety of legal and illegal sources. Hackers
can take information obtained in one data breach and
cross-reference it against information obtained in other
hacks and data breaches. So, for example, if a hacker obtains
a victim's Social Security number and health information
from UnityPoint, the hacker can combine it with the same
victim's Social Security number and phone number from a
different data breach. This allows the hacker to compile a
full record of information about the individual, which the
hacker then sells to others as a package.
The court will discuss additional facts as they become relevant
to the analysis.
UnityPoint moves to dismiss plaintiffs' complaint for lack of
standing and for failure to state a claim. On all aspects of
UnityPoint's motion, the court accepts plaintiffs'
well-pleaded factual allegations as true and draws all
reasonable inferences from those facts in plaintiffs'
favor. Lee v. City of Chicago, 330 F.3d 456, 459,
468 (7th Cir. 2003). In deciding the jurisdictional issue of
standing, the court may consider supporting evidence adduced
by the parties. Id. at 468. But the court may not
consider any evidence from outside the pleadings in deciding
the motion to dismiss under Rule 12(b)(6) for failure to
state a claim. Id. at 459. The question under Rule
12(b)(6) is “simply whether the complaint includes
factual allegations that state a plausible claim for
relief.” BBL, Inc. v. City of Angola, 809 F.3d
317, 325 (7th Cir. 2015).
Plaintiffs bear the burden to establish standing to sue in federal
court. Lee, 330 F.3d at 468. Standing requires (1)
an injury in fact, (2) that is fairly traceable to the
challenged conduct of the defendant, and (3) that is likely
to be redressed by a favorable judicial decision. See
Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016).
UnityPoint contends that plaintiffs cannot establish the
first two elements.
Injury in fact
To establish injury in fact, a plaintiff must show that he or
she suffered “an invasion of a legally protected interest that
is concrete and particularized and actual or imminent, not
conjectural or hypothetical.” Spokeo, 136
S.Ct. at 1548 (quoting Lujan v. Defenders of
Wildlife, 504 U.S. 555, 560 (1992) (internal quotation
marks omitted)). “Allegations of possible
future injury are not sufficient.” Clapper v.
Amnesty Int'l USA, 568 U.S. 398, 409 (2013)
(emphasis in original; internal quotations omitted). An
injury must be “certainly impending” to
constitute an injury in fact. Id.
Plaintiffs have alleged several injuries: lost time due to increased
spam calls and emails, time spent dealing with fraud
attempts, the threat of future identity theft, and money
spent mitigating that threat. Any of these allegations would
be sufficient to establish standing; even an
“identifiable trifle” can constitute an injury in
fact. Craftwood II, Inc. v. Generac Power Sys.,
Inc., 920 F.3d 479, 481 (7th Cir. 2019) (holding that
the time lost reading a junk fax before discarding it is a
concrete injury) (quoting United States v. SCRAP,
412 U.S. 669, 689 n.14 (1973)). And the Court of Appeals for
the Seventh Circuit has repeatedly held that injuries like
plaintiffs' injuries are sufficient to establish standing
in data breach cases.
For example, in Remijas v. Neiman Marcus Group, LLC, 794
F.3d 688 (7th Cir. 2015), and Lewert v. P.F. Chang's
China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016),
hackers stole customer credit-card data from the defendant
business. Some customers experienced fraudulent charges on
their cards. Their banks reversed the charges, but even with
no monetary loss, the customers suffered an injury in the
time spent resolving the fraudulent charges. Lewert,
819 F.3d at 967. The other customers, who did not experience
fraudulent charges, still faced the impending risk of future
identity theft. Id. at 966. After the data breach,
the risk of fraud was more than speculative.
“[P]laintiffs ‘should not have to wait until
hackers commit identity theft or credit-card fraud in order
to give the class standing, because there is an objectively
reasonable likelihood that such injury will
occur.'” Lewert, 819 F.3d at 966 (quoting
Remijas, 794 F.3d at 693). The risk of future harm
was also evident from the statements of the defendants, who
both encouraged their customers to protect themselves from
future fraudulent activity. See Lewert, 819 F.3d at
967 (defendant acknowledged the risk of fraud in a press
release, when it “encouraged consumers to monitor their
credit reports”); Remijas, 794 F.3d at 694
(“It is telling in this connection that Neiman Marcus
offered one year of credit monitoring and identity-theft
protection to all customers for whom it had contact
information and who had shopped at their stores between
January 2013 and January 2014”).
UnityPoint argues that under Remijas and Lewert, the
threat of identity theft is not an injury in fact unless
plaintiffs allege that hackers “specifically
targeted” personal information and that “a
certain percentage of that information [was] used to commit
fraud.” Dkt. 28, at 21. But Remijas and
Lewert did not create a special test for data breach
cases. The ultimate question is the same as any case in which
a plaintiff alleges a threat of future injury: whether there
is an “objectively reasonable likelihood” that an
injury will occur. Remijas, 794 F.3d at 693 (quoting
Clapper, 568 U.S. at 410). And in this case,
plaintiffs have alleged facts sufficient to establish an
objectively reasonable likelihood of future identity theft.
Personal information, including Social Security numbers, was
stolen in the data breaches. The breaches were serious enough
that UnityPoint offered identity-theft protection services to
the affected customers. And plaintiffs say that thieves used
the information to target Fox for a medical scam, open a new
credit card in Nesheim's name, and attempt to gain access
to Duckley's Experian account. Even if plaintiffs had not
already lost time resolving fraud attempts and answering spam
calls, the looming threat of fraud would qualify as an injury in fact.
UnityPoint says that hackers may have obtained plaintiffs'
information from other sources, and that plaintiffs cannot
show that any of their alleged injuries were caused by the
UnityPoint data breaches. In the context of standing, the
complaint need only allege that “but for” some
act or omission of the defendant, the injury would not have
occurred. See, e.g., Lac du Flambeau Band of
Lake Superior Chippewa Indians v. Norton, 422 F.3d 490,
501 (7th Cir. 2005). If a defendant puts forth evidence that
challenges standing as a factual matter, then the burden
shifts to the plaintiff to “come forward with competent
proof that standing exists.” Laurens v. Volvo Cars
of N. Am., LLC, 868 F.3d 622, 626 (7th Cir. 2017)
(quoting Apex Digital, Inc. v. Sears, Roebuck &
Co., 572 F.3d 440, 444 (7th Cir. 2009)) (internal quotation marks omitted).
UnityPoint says that it has put forth unrebutted evidence that
challenges plaintiffs' allegations of causation: a
declaration from UnityPoint's privacy officer that says
that no email addresses, passwords, credit card numbers, or
“account login information” were stolen in the
data breach, Dkt. 29, ¶¶ 5-6, and screenshots of
Fox's personal website that show that her email address
and phone number are publicly available, Dkt. 11. This
evidence casts doubt on the traceability of some of
plaintiffs' allegations, namely the increases in spam
calls and emails (particularly those received by Fox, who
published her contact information) and the fraudulent charge
on Nesheim's credit card (because credit card numbers
weren't included in the breach). But UnityPoint has not
rebutted plaintiffs' allegations that hackers also stole
patient names, addresses, Social Security numbers, dates of
birth, and medical records. Plaintiffs have plausibly alleged
injuries that can be linked to this information. Nesheim says
that someone attempted to open a credit card in his name
using his personal health information, Dkt. 22, ¶ 71,
and Duckley says that someone used information from the data
breach to try to log in to her Experian account,
id., ¶ 76. Plaintiffs also allege that the
information exposed in the first data breach was serious
enough that UnityPoint encouraged Fox to “take
precautions to protect [her] information.”
Id., ¶¶ 55, 58.
UnityPoint's evidence does not challenge plaintiffs'
allegations that hackers cross-referenced the data from the
breaches and combined it with data from other sources to
create “fullz packages.” Id.,
¶¶ 66-67. UnityPoint argues that the court is not
required to accept these allegations as true in a motion
under Rule 12(b)(1). But when a defendant does not submit
evidence that contradicts a specific allegation, the court
accepts that allegation as true, even if the defendant has
made factual challenges to other allegations in the
complaint. See Laurens, 868 F.3d at 626. These
allegations plausibly explain why, for example, Fox started
getting phone calls related to medical scams after ...