
Fox v. Iowa Health System

United States District Court, W.D. Wisconsin

July 25, 2019

YVONNE MART FOX, GRANT NESHEIM, DANIELLE DUCKLEY, and SHELLY KITSIS, on behalf of themselves and all others similarly situated, Plaintiffs,



         Defendant UnityPoint Health runs a network of hospitals, clinics, home care services, and health insurers throughout Wisconsin, Iowa, and Illinois. In 2017 and 2018, UnityPoint's email system was hacked. Plaintiffs, all customers of UnityPoint, say that hackers obtained their private health information and other personal identifying information (such as Social Security numbers) that can be used to commit identity theft. Plaintiffs filed this proposed class action, asserting 14 different claims under Wisconsin, Illinois, and Iowa law. UnityPoint moves to dismiss under Federal Rule of Civil Procedure 12(b)(1) for lack of standing and under Rule 12(b)(6) for failure to state a claim upon which relief may be granted. Dkt. 27.

         The court will grant the motion only in part. Plaintiffs' allegations are sufficient to establish standing under Article III of the Constitution. The court will dismiss some of plaintiffs' claims for failure to state a claim: (1) Shelly Kitsis and Danielle Duckley's claims for negligence and negligence per se, because they are barred by the Illinois and Iowa economic loss doctrines; (2) plaintiffs' claims for invasion of privacy, because they do not allege that UnityPoint intentionally released their information; (3) plaintiffs' common law and statutory misrepresentation claims, because plaintiffs have not pleaded reliance or damages; and (4) plaintiffs' claim under Wisconsin's data breach notification statute, Wis. Stat. § 134.98, because it does not create a private right of action. The court will also exercise its discretion to decline to hear plaintiffs' claim for declaratory relief under the Declaratory Judgment Act. Plaintiffs may proceed on all other claims. Plaintiffs ask for leave to amend their complaint to cure any deficiencies that lead to claims being dismissed. But because any amendment would likely be futile, the court will deny the request.

         Also before the court are plaintiffs' notice of supplemental authority, Dkt. 51, and UnityPoint's motion for leave to respond to the supplemental authority, Dkt. 52, which plaintiffs oppose. Plaintiffs' motion is granted; UnityPoint's is denied. The supplemental authority is a district court case from outside this jurisdiction that addresses the issue of standing in data breach cases. There is already binding authority in this jurisdiction on the issue of standing, so the supplemental authority adds little to the analysis. UnityPoint has also filed its own notice of supplemental authority. Dkt. 54. The court will accept UnityPoint's supplemental authority, but it too adds little to the analysis. That case is about standing to sue for violations of the Fair Credit Reporting Act. It did not involve a data breach or any other allegations analogous to this case.


         The court draws the following facts from plaintiffs' amended complaint. Dkt. 22.

         Plaintiffs are customers of UnityPoint. Yvonne Fox and Grant Nesheim live and use UnityPoint services in Wisconsin, Danielle Duckley lives and uses UnityPoint services in Illinois, and Shelly Kitsis lives and uses UnityPoint services in Iowa.

         As part of its health care and insurance business, UnityPoint stores the personal information of its patients and customers. This information includes patient names, Social Security numbers, payment information, phone numbers, and email addresses. UnityPoint also keeps patient health care information, such as lab results, treatment notes, and diagnoses. Its privacy policy promises to use security procedures to protect personal information from misuse or unauthorized disclosure. The policy says that UnityPoint will store personal information “in a secure database behind an electronic firewall.” Dkt. 22, ¶ 156. In the event of a data breach, UnityPoint says it will notify customers “without unreasonable delay but in no case later than 60 days after we discover the breach.” Id. A copy of the privacy policy was given to all UnityPoint customers.

         A. First data breach

         Around November 1, 2017, hackers gained access to UnityPoint employee email accounts and stole the personal health information of more than 16,000 UnityPoint patients. The hackers were “motivated to steal” and “specifically targeted” health information and other sensitive information like Social Security numbers. Id., ¶ 24. UnityPoint discovered the data breach between February 7 and February 15, 2018, but it did not notify the public until two months later, when it sent a letter to those affected by the breach. The letter stated:

[UnityPoint] discovered your protected health information was contained in an impacted email account, including your name and one or more of the following: date of birth, medical record number, treatment information, surgical diagnosis, lab results, medication(s), provider(s), date(s) of service and/or insurance information . . . The information did not include your Social Security number.

Id., ¶¶ 20-21.

         UnityPoint knew that this letter was not accurate. On the same day that it sent the letter, it disclosed to the Wisconsin Department of Agriculture, Trade and Consumer Protection that the breach actually did include Social Security numbers.

         Fox and Nesheim each received a copy of the letter. Fox called UnityPoint to get more information about what specific health information had been stolen. She spoke to two representatives, but neither was able to give her further information about the breach. Both representatives told her to “take precautions to protect [her] information.” Id., ¶¶ 55, 58. Fox asked if UnityPoint would pay for any “precautions,” and UnityPoint said that it would not. After these conversations, Fox subscribed to an online credit monitoring service so that she could be notified of any future identity theft. Id., ¶ 63.

         B. Second data breach

         On May 31, 2018, UnityPoint discovered that hackers had again accessed its employees' email accounts. This time, hackers stole the private information of about 1.4 million patients. Once again, UnityPoint waited two months before it disclosed the breach to the public. On July 30, it sent a letter to affected class members:

[Stolen information] included your name and one or more of the following information: address, date of birth, Social Security number, driver's license number, medical record number, medical information, treatment information, surgical information, diagnosis, lab results, medication(s), provider(s), date(s) of service and/or insurance information

Id., ¶ 33.

         The letter advised recipients to protect themselves against identity theft by monitoring their health information. UnityPoint also offered a complimentary, one-year membership with Experian, which provides identity-theft prevention services. All four plaintiffs received a copy of this letter.

         C. Incidents following the data breaches

         Since the data breaches, plaintiffs have been victims of attempted identity theft and fraud as well as scam phone calls and emails.

         In 2018, Fox noticed an increase in autodialed phone calls and spam emails. From April 13 to July 7, she received about 63 autodialed calls to her landline. Several of these calls came from a number identified as “BC Health Clinics,” and involved a medical scam. Id., ¶ 52. (Plaintiffs do not provide any further detail about the medical scam.) Fox did not receive any scam medical calls before the data breaches.

         Nesheim also received more autodialed calls after the data breaches. These calls were so frequent that Nesheim bought a second phone to use for work. In May or June 2018, Nesheim discovered a suspicious charge on his credit card. He canceled his card and asked his bank to issue a new one. Later, in early July, Nesheim was notified that someone had used his private health information to open a new credit card at a different bank. Nesheim is currently working with that bank to ensure that it did not keep open an account in his name. Had Nesheim known about the data breaches as soon as they occurred, he would have “made a timely and informed decision to take action to mitigate the injury.” Id., ¶ 73.

         Duckley also received more spam emails and autodialed phone calls after the data breaches. After the second data breach, Duckley became locked out of her pre-existing Experian account due to repeated, unauthorized log-in attempts. When Duckley called Experian to change her password and regain access to the account, Experian told her that the UnityPoint data breach “had undoubtedly been the cause” of the repeated log in attempts. Id., ¶ 76. Had Duckley known about the second data breach as soon as it occurred, she would have “made a more timely and informed decision to take action to mitigate the injury.” Id., ¶ 79.

         Finally, Kitsis, like the other plaintiffs, received more spam emails and autodialed phone calls after the data breaches. Also, her health information is “extraordinarily sensitive,” and the stress caused by the data breach is taking a “significant emotional and physical toll.” Id., ¶ 84.

         The threat of identity theft is exacerbated by what hackers refer to as “fullz packages.” Id., ¶ 66. A fullz package is a dossier that compiles information about a victim from a variety of legal and illegal sources. Hackers can take information obtained in one data breach and cross-reference it against information obtained in other hacks and data breaches. So, for example, if a hacker obtains a victim's Social Security number and health information from UnityPoint, the hacker can combine it with the same victim's Social Security number and phone number from a different data breach. This allows the hacker to compile a full record of information about the individual, which the hacker then sells to others as a package.
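The cross-referencing the complaint describes is, mechanically, a record-linkage job: each dump exposes only part of a person's data, and a shared identifier (here the Social Security number) lets an attacker join them. The following is an added illustration, not part of the court's opinion or of any party's filing. It uses two constructed dumps with fictitious people, a "health provider" dump and a "retailer" dump, normalizes the identifiers so that differently formatted SSNs and phone numbers still match, and reports, for each linked dossier, which fields the link added that neither dump exposed on its own.

```python
# Added example (not part of the court's opinion): how two breach dumps that
# each expose only part of a person's data are linked into a "fullz" dossier.
# All records below are constructed for illustration; the names, SSNs,
# phone numbers and email addresses are fictitious.
import re
from typing import Optional

# Constructed "health provider" dump: sensitive fields, inconsistently formatted.
HEALTH_DUMP = [
    {"name": "Jane Q. Sample", "dob": "1970-04-02", "ssn": "123-45-6789",
     "mrn": "MRN0001", "diagnosis": "hypertension"},
    {"name": "ROBERT ROE", "dob": "1985-11-30", "ssn": "987654321",
     "mrn": "MRN0002", "diagnosis": "type 2 diabetes"},
    {"name": "Pat Lee", "dob": "1992-01-15", "ssn": "",
     "mrn": "MRN0003", "diagnosis": "asthma"},
]

# Constructed "retailer" dump: contact and payment fields, no medical data.
RETAIL_DUMP = [
    {"name": "jane sample", "ssn": "123 45 6789", "phone": "(608) 555-0100",
     "email": "jane@example.test", "card_last4": "4242"},
    {"name": "Robert Roe", "ssn": "987-65-4321", "phone": "608.555.0199",
     "email": "rroe@example.test", "card_last4": "1111"},
    {"name": "Chris Doe", "ssn": "111-22-3333", "phone": "6085550123",
     "email": "cdoe@example.test", "card_last4": "9999"},
]


def norm_ssn(value: str) -> Optional[str]:
    """Reduce an SSN to nine digits; anything else is unusable as a join key."""
    digits = re.sub(r"\D", "", value or "")
    return digits if len(digits) == 9 else None


def norm_phone(value: str) -> Optional[str]:
    """Keep the last ten digits of a phone number so formatting differences collapse."""
    digits = re.sub(r"\D", "", value or "")
    return digits[-10:] if len(digits) >= 10 else None


def link_dumps(dump_a, dump_b, source_a, source_b):
    """Join two dumps on normalized SSN and return one dossier per SSN that
    appears in both. Each field records which dump(s) exposed it, so the new
    exposure created by the link is visible rather than hidden in the merge."""
    by_ssn = {}
    for source, dump in ((source_a, dump_a), (source_b, dump_b)):
        for rec in dump:
            key = norm_ssn(rec.get("ssn", ""))
            if key is None:  # no usable join key: this record cannot be linked
                continue
            dossier = by_ssn.setdefault(key, {"ssn": key, "fields": {}, "sources": set()})
            dossier["sources"].add(source)
            for field, raw in rec.items():
                if field == "ssn" or raw in ("", None):
                    continue
                value = norm_phone(raw) if field == "phone" else raw
                entry = dossier["fields"].setdefault(field, {"value": value, "sources": set()})
                entry["sources"].add(source)
    # Only SSNs present in both dumps produce a "fullz"; singletons stay partial.
    return {k: d for k, d in by_ssn.items() if len(d["sources"]) == 2}


def exposure_gain(dossier, source):
    """Fields a holder of `source` alone would NOT have had: the payoff of the link."""
    return sorted(f for f, e in dossier["fields"].items() if source not in e["sources"])


def build_fullz():
    return link_dumps(HEALTH_DUMP, RETAIL_DUMP, "health", "retail")


if __name__ == "__main__":
    for ssn, d in build_fullz().items():
        print(ssn, sorted(d["fields"]),
              "gained over retail:", exposure_gain(d, "retail"),
              "gained over health:", exposure_gain(d, "health"))
```

Two of the three constructed people link (the third health record has no SSN, and the third retail record has no counterpart), and for each linked dossier the health dump contributes the diagnosis, date of birth and medical record number while the retail dump contributes phone, email and card digits. The point for a defender is the same one the complaint makes: the value of a breached field is set not only by what it reveals alone but by what it lets an attacker join to.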

         The court will discuss additional facts as they become relevant to the analysis.


         UnityPoint moves to dismiss plaintiffs' complaint for lack of standing and for failure to state a claim. On all aspects of UnityPoint's motion, the court accepts plaintiffs' well-pleaded factual allegations as true and draws all reasonable inferences from those facts in plaintiffs' favor. Lee v. City of Chicago, 330 F.3d 456, 459, 468 (7th Cir. 2003). In deciding the jurisdictional issue of standing, the court may consider supporting evidence adduced by the parties. Id. at 468. But the court may not consider any evidence from outside the pleadings in deciding the motion to dismiss under Rule 12(b)(6) for failure to state a claim. Id. at 459. The question under Rule 12(b)(6) is “simply whether the complaint includes factual allegations that state a plausible claim for relief.” BBL, Inc. v. City of Angola, 809 F.3d 317, 325 (7th Cir. 2015).

         A. Standing

         Plaintiffs bear the burden to establish standing to sue in federal court. Lee, 330 F.3d at 468. Standing requires (1) an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision. See Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016). UnityPoint contends that plaintiffs cannot establish the first two elements.

         1. Injury in fact

         “To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, 136 S.Ct. at 1548 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (internal quotation marks omitted)). “Allegations of possible future injury are not sufficient.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013) (emphasis in original; internal quotations omitted). An injury must be “certainly impending” to constitute an injury in fact. Id.

         Plaintiffs have alleged several injuries: lost time due to increased spam calls and emails, time spent dealing with fraud attempts, the threat of future identity theft, and money spent mitigating that threat. Any of these allegations would be sufficient to establish standing; even an “identifiable trifle” can constitute an injury in fact. Craftwood II, Inc. v. Generac Power Sys., Inc., 920 F.3d 479, 481 (7th Cir. 2019) (holding that the time lost reading a junk fax before discarding it is a concrete injury) (quoting United States v. SCRAP, 412 U.S. 669, 689 n.14 (1973)). And the Court of Appeals for the Seventh Circuit has repeatedly held that injuries like plaintiffs' injuries are sufficient to establish standing in data breach cases.

         For example, in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), and Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), hackers stole customer credit-card data from the defendant business. Some customers experienced fraudulent charges on their cards. Their banks reversed the charges, but even with no monetary loss, the customers suffered an injury in the time spent resolving the fraudulent charges. Lewert, 819 F.3d at 967. The other customers, who did not experience fraudulent charges, still faced the impending risk of future identity theft. Id. at 966. After the data breach, the risk of fraud was more than speculative. “[P]laintiffs ‘should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such injury will occur.'” Lewert, 819 F.3d at 966 (quoting Remijas, 794 F.3d at 693). The risk of future harm was also evident from the statements of the defendants, who both encouraged their customers to protect themselves from future fraudulent activity. See Lewert, 819 F.3d at 967 (defendant acknowledged the risk of fraud in a press release, when it “encouraged consumers to monitor their credit reports”); Remijas, 794 F.3d at 694 (“It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who had shopped at their stores between January 2013 and January 2014”).

         UnityPoint argues that under Remijas and Lewert, the threat of identity theft is not an injury in fact unless plaintiffs allege that hackers “specifically targeted” personal information and that “a certain percentage of that information [was] used to commit fraud.” Dkt. 28, at 21. But Remijas and Lewert did not create a special test for data breach cases. The ultimate question is the same as in any case in which a plaintiff alleges a threat of future injury: whether there is an “objectively reasonable likelihood” that an injury will occur. Remijas, 794 F.3d at 693 (quoting Clapper, 568 U.S. at 410). And in this case, plaintiffs have alleged facts sufficient to establish an objectively reasonable likelihood of future identity theft. Personal information, including Social Security numbers, was stolen in the data breaches. The breaches were serious enough that UnityPoint offered identity-theft protection services to the affected customers. And plaintiffs say that thieves used the information to target Fox for a medical scam, open a new credit card in Nesheim's name, and attempt to gain access to Duckley's Experian account. Even if plaintiffs had not already lost time resolving fraud attempts and answering spam calls, the looming threat of fraud would qualify as an injury in fact.

         2. Fairly traceable

         UnityPoint says that hackers may have obtained plaintiffs' information from other sources, and that plaintiffs cannot show that any of their alleged injuries were caused by the UnityPoint data breaches. In the context of standing, the complaint need only allege that “but for” some act or omission of the defendant, the injury would not have occurred. See, e.g., Lac du Flambeau Band of Lake Superior Chippewa Indians v. Norton, 422 F.3d 490, 501 (7th Cir. 2005). If a defendant puts forth evidence that challenges standing as a factual matter, then the burden shifts to the plaintiff to “come forward with competent proof that standing exists.” Laurens v. Volvo Cars of N. Am., LLC, 868 F.3d 622, 626 (7th Cir. 2017) (quoting Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 444 (7th Cir. 2009)) (internal alterations omitted).

         UnityPoint says that it has put forth unrebutted evidence that challenges plaintiffs' allegations of causation: a declaration from UnityPoint's privacy officer that says that no email addresses, passwords, credit card numbers, or “account login information” were stolen in the data breach, Dkt. 29, ¶¶ 5-6, and screenshots of Fox's personal website that show that her email address and phone number are publicly available, Dkt. 11. This evidence casts doubt on the traceability of some of plaintiffs' allegations, namely the increases in spam calls and emails (particularly those received by Fox, who published her contact information) and the fraudulent charge on Nesheim's credit card (because credit card numbers were not included in the breach). But UnityPoint has not rebutted plaintiffs' allegations that hackers also stole patient names, addresses, Social Security numbers, dates of birth, and medical records. Plaintiffs have plausibly alleged injuries that can be linked to this information. Nesheim says that someone attempted to open a credit card in his name using his personal health information, Dkt. 22, ¶ 71, and Duckley says that someone used information from the data breach to try to log in to her Experian account, [1] id., ¶ 76. Plaintiffs also allege that the information exposed in the first data breach was serious enough that UnityPoint encouraged Fox to “take precautions to protect [her] information.” Id., ¶¶ 55, 58.

         Furthermore, UnityPoint's evidence does not challenge plaintiffs' allegations that hackers cross-referenced the data from the breaches and combined it with data from other sources to create “fullz packages.” Id., ¶¶ 66-67. UnityPoint argues that the court is not required to accept these allegations as true in a motion under Rule 12(b)(1). But when a defendant does not submit evidence that contradicts a specific allegation, the court accepts that allegation as true, even if the defendant has made factual challenges to other allegations in the complaint. See Laurens, 868 F.3d at 626. These allegations plausibly explain why, for example, Fox started getting phone calls related to medical scams after ...
