Learn About the Law
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Arturo BRUNO, individually and on behalf of all others similarly situated, Plaintiff, v. Robert DONOHOE, AS TRUSTEE OF the TEXAS MEDICAL LIABILITY TRUST, Defendant.
ORDER: (1) GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS; AND (2) DENYING MOTION TO STRIKE
Before the Court is Defendant Texas Medical Liability Trust's (“Defendant”) Motion to Dismiss Plaintiff's Amended Class Action Complaint, filed on March 7, 2024. (Dkt. # 17.) Plaintiff Arturo Bruno (“Plaintiff”) filed his response on May 20, 2024. (Dkt. # 20.) Defendant filed its reply on May 28, 2024. (Dkt. # 21.)
The Court finds this matter suitable for disposition without a hearing. After careful consideration of the filings and relevant case law, the Court, for the following reasons, GRANTS in part and DENIES in part the Motion to Dismiss and DENIES the Motion to Strike.
BACKGROUND
Plaintiff Arturo Bruno, individually and as personal representative of a putative class, brings this action against Robert Donohoe, as Trustee of the Texas Medical Liability Trust (collectively “TMLT”), claiming that TMLT failed to protect his personal information from a potential data breach. (Dkt. # 16.) TMLT is a non-profit trust organization which provides medical professional and general liability insurance to physicians, physician partnerships, providers, and healthcare facilities. (Id. at 6.)
Plaintiff alleges he and the proposed class members are “customers of medical providers that were in turn customers or potential customers of TMLT.” (Id. at 1.) Plaintiff alleges he gave his personally identifiable information and/or protected health information (collectively, “personal information”) to TMLT “customers,” who in turn provided the information to TMLT during the course of purchasing health care services from it. (Id. at 2.) The personal information, stored on TMLT servers, included names, social security numbers, drivers’ license numbers, financial account information, protected health information, EIN/Tax Identification Numbers, and dates of birth. (Id. at 1.)
On September 6, 2023, TMLT mailed Plaintiff, and other consumers, a letter to notify them that unauthorized actors gained access to and acquired files on TMLT's network. (Id. at 4.) TMLT reported that certain personal and health information maintained on their systems was potentially accessed by an unauthorized party between October 2, 2022, and October 13, 2022 (the “Data Breach”). (Id. at 7.) The information involved includes the name, Social Security number, EIN/Tax Identification number, and date of birth information of approximately 60,000 individuals. (Id. at 2, 5.) TMLT offered basic identity monitoring services for one year to the affected individuals. (Id. at 3.)
Since learning of the Data Breach, Plaintiff alleges he has spent time changing passwords on his accounts and monitoring his credit reports for unauthorized activity. (Id. at 5.) Plaintiff does not allege whether he has paid for credit monitoring report services. Plaintiff asserts, as a result of the Data Breach, he and the class members suffered actual damages including, without limitation, time and expenses related to monitoring his financial accounts for fraudulent activity, facing an increased and imminent risk of fraud and identity theft, the lost value of their personal information, and other economic and non-economic harm.
LEGAL STANDARD
I. Rule 12(b)(1)
A motion to dismiss under Rule 12(b)(1) of the Federal Rules of Civil Procedure challenges a federal court's subject matter jurisdiction. See Fed. R. Civ. P. 12(b)(1). Under Rule 12(b)(1), a claim is properly dismissed for lack of subject matter jurisdiction when a court lacks statutory or constitutional authority to adjudicate the claim. Home Builders Assoc. of Mississippi, Inc. v. City of Madison, 143 F.3d 1006, 1010 (5th Cir. 1998). Challenges to a plaintiff's standing to bring a claim may be brought under 12(b)(1). See In re Wilson, 527 B.R. 253, 255 (Bankr. N.D. Tex. 2015) (“A motion to dismiss that attacks a party's standing ‘is a jurisdictional matter.”) (quoting Broadhollow Funding LLC v. Bank of America, N.A., 390 B.R. 120, 128 (Bankr. D. Del. 2008)). “Standing goes to the ‘case or controversy’ limitation on federal court jurisdiction ․ and a plaintiff's lack of standing ‘robs the court of jurisdiction to hear the case.’ ” In re Hunt, 149 B.R. 96, 99 (Bankr. N.D. Tex. 1992) (citations omitted).
When a Rule 12(b)(1) motion is filed in conjunction with other Rule 12 motions, courts should consider the “jurisdictional attack before addressing any attack on the merits.” Ramming v. United States, 281 F.3d 158, 161 (5th Cir. 2001). The Court must first address subject matter jurisdiction because, without it, the case can proceed no further. Ruhrgas Ag v. Marathon Oil Co., 526 U.S. 574, 583, 119 S.Ct. 1563, 143 L.Ed.2d 760 (1999); Ramming, 281 F.3d at 161. In considering a Rule 12(b)(1) motion to dismiss for lack of subject matter jurisdiction, “a court may evaluate (1) the complaint alone, (2) the complaint supplemented by undisputed facts evidenced in the record, or (3) the complaint supplemented by undisputed facts plus the court's resolution of disputed facts.” Den Norske Stats Oljeselskap As v. HeereMac Vof, 241 F.3d 420, 424 (5th Cir. 2001) (citation omitted).
II. Rule 12(b)(6)
Federal Rule of Civil Procedure 12(b)(6) authorizes dismissal of a complaint for “failure to state a claim upon which relief can be granted.” Review is limited to the contents of the complaint and matters properly subject to judicial notice. See Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007). In analyzing a motion to dismiss for failure to state a claim, “[t]he [C]ourt accepts ‘all well-pleaded facts as true, viewing them in the light most favorable to the plaintiff.’ ” In re Katrina Canal Breaches Litig., 495 F.3d 191, 205 (5th Cir. 2007) (quoting Martin K. Eby Constr. Co. v. Dallas Area Rapid Transit, 369 F.3d 464, 467 (5th Cir. 2004)). To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must plead “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009).
III. Rule 12(f)
Federal Rule of Civil Procedure 12(f) allows the court to strike “from any pleading any insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.” Fed. R. Civ. P. 12(f). “Although motions to strike a defense are generally disfavored, a Rule 12(f) motion to dismiss a defense is proper when the defense is insufficient as a matter of law.” Kaiser Alum. & Chem. Sales, Inc. v. Avondale Shipyards, Inc., 677 F.2d 1045, 1057 (5th Cir. 1982). What constitutes an insufficient defense depends on the nature of the claim for relief and the defense in question. EEOC v. First Nat'l Bank of Jackson, 614 F.2d 1004, 1008 (5th Cir. 1980). The trial court has “ample” discretion when considering a Rule 12(f) motion. In re Beef Indus. Antitrust Litig., 600 F.2d 1148, 1168 (5th Cir. 1979).
DISCUSSION
TMLT moves to dismiss the case for lack of subject matter jurisdiction under Rule 12(b)(1) because Plaintiff lacks standing to bring this putative class action lawsuit. (Dkt. # 17-1 at 7.) TMLT argues Plaintiff has not suffered any injuries-in-fact as there are no allegations his personal information was used by cybercriminals or that he suffered any type of economic harm stemming from the data security incident. (Id.)
TMLT also moves to dismiss for failure to state a claim under Rule 12(b)(6) because Plaintiff failed to plead sufficient facts to state a claim for any of the causes of action asserted in the First Amended Class Action Complaint (the “Complaint”). (Id. at 14.) Alternatively, TMLT moves to strike the “immaterial and impertinent allegations concerning identity theft that have nothing to do with the parties or facts of this case.” (Id. at 20.)
I. Standing
“Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases’ and ‘Controversies.’ ” Murthy v. Missouri, 603 U.S. 43, 144 S.Ct. 1972, 1985, 219 L.Ed.2d 604 (2024). “A proper case or controversy exists only when at least one plaintiff ‘establishes that [he or she] has standing to sue.’ ” Id. at 1986 (quoting Raines v. Byrd, 521 U.S. 811, 818, 117 S.Ct. 2312, 138 L.Ed.2d 849 (1997)). A plaintiff establishes standing by sufficiently alleging: “(1) an ‘injury in fact’ that is ‘concrete and particularized’ and ‘actual or imminent’; (2) is fairly traceable to the defendant's actions; and (3) is likely to be redressed by a favorable decision.” Barilla v. City of Houston, 13 F.4th 427, 431 (5th Cir. 2021) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). The Court may decide whether to dismiss a claim for lack of standing based on “(1) the complaint alone; (2) the complaint supplemented by undisputed facts evidence in the record; or (3) the complaint supplemented by undisputed facts plus the court's resolution of disputed facts.” Kling v. Hebert, 60 F.4th 281, 284 (5th Cir. 2023) (quoting Ramming, 281 F.3d at 161).
To satisfy the injury-in-fact requirement, Plaintiff must allege facts that, taken as true, establish “an invasion of a legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560, 112 S.Ct. 2130. For an injury-in-fact to be “imminent,” “there must be at least a ‘substantial risk’ that the injury will occur.” Stringer v. Whitley, 942 F.3d 715, 721 (5th Cir. 2019) (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014)). “[A]llegations of possible future injury are not sufficient.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013).
Plaintiff alleges he is at an imminent risk of identity theft resulting from the Data Breach. (Dkt. # 20 at 3.) Plaintiff also alleges harm in the form of the loss of his privacy, time and expense to mitigate the harm caused by the data breach, the loss of the benefit of his bargain, and loss of value of property in his personal information. (Id.) TMLT argues Plaintiff has not suffered any injury, such as identity theft or any other already-materialized harm stemming from the TMLT data security incident. (Dkt. # 17-1 at 10, 12.) According to Defendant, a mere risk of future identity theft is not enough to establish standing in a data breach class action. (Id. at 11.) Accordingly, the Court will focus the inquiry on the first element of Article III standing: injury-in-fact.
A. Risk of Identity Theft
The first issue is whether the risk of identity theft is a concrete injury, sufficient to confer standing, in a data breach context. In TransUnion v. Ramirez, 594 U.S. 413, 141 S.Ct. 2190, 210 L.Ed.2d 568 (2021), the Supreme Court recognized that concrete harm may be intangible, particularly where it bears a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. at 425, 141 S.Ct. 2190.
The Fifth Circuit has yet to address the issue of whether risk of identity theft is sufficient to confer standing in a data breach context. However, other district courts in the circuit have addressed this issue. Defendant cites to Green v. eBay Inc., No. 2:14-cv-01688, 2015 WL 2066531 (E.D. La. May 4, 2015) and Peters v. St. Joseph Services Corp., 74 F. Supp. 3d 847 (S.D. Tex. 2015) to support its position that a mere risk of future identity theft is not enough to establish standing in a data breach class action.1 In Peters, the court found the heightened risk of future identity theft or fraud posed by a data security breach does not confer Article III standing on persons whose information may have been exposed or accessed by third parties. Id. at 853. The court reasoned Peters’ alleged future injuries were speculative and hypothetical, but certainly not imminent. Critically, Peters could not describe how she would be injured “without beginning the explanation with the word ‘if.’ ” Id. (quoting Storino v. Borough of Point Pleasant Beach, 322 F.3d 293, 298 (3d Cir. 2003)) (internal quotation marks omitted.)
In Green, the court found the alleged injuries to be too speculative to confer standing because there was no evidence that “any financial information or Social Security numbers were accessed during the Data Breach.” Green, 2015 WL 2066531, at *4.
Defendant also relies upon Logan v. Marker Group, Inc., No. 4:22-CV-00174, 2024 WL 3489208 (S.D. Tex. July 18, 2024), a more recent case, wherein the court found plaintiff did not have standing. In Logan, the court found the plaintiffs lacked standing because “conclusory statements alleging actual incidents of identity theft are insufficient to establish an injury in fact because such injuries require a showing that ‘the information accessed was actually misused or that there has even been an attempt to use it.’ ” Id. at *5. Moreover, even if the alleged occurrences could constitute a sufficient injury-in-fact, the court reasoned the plaintiffs would still fail to meet the causation and redressability elements of the standing test. Id.
However, other Circuit Courts have begun to rely on specific factors in determining whether an injury is imminent versus hypothetical, specifically in the data breach context. See Clemens v. ExecuPharm Inc., 48 F.4th 146, 153 (3d Cir. 2022); Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 375 (1st Cir. 2023). The framework is best articulated in McMorris v. Carlos Lopez & Assocs., 995 F.3d 295 (2d Cir. 2021). First, the Court assesses whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data. Id. at 301. Where a malicious third party has intentionally targeted a defendant's system and has stolen a plaintiff's data stored on that system, courts are more willing to find a likelihood of future identity theft or fraud sufficient to confer standing. Id.
Second, courts look to whether the data was misused. Id. at 301–02 (holding that misuse cuts towards standing); Remijas v. Neiman Marcus Grp., 794 F.3d 688, 692-94 (7th Cir. 2015) (finding standing where plaintiff alleged that personal data had “already been stolen” and that 9,200 people had “incurred fraudulent charges”). However, courts have also recognized this is not a necessary component to establish standing. Id. at 693 (“[C]ustomers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur”); see also Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276, 288 (2d Cir. 2023) (observing misuse of data is not a necessary component of establishing standing).
Finally, courts look to whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft. McMorris, 995 F.3d at 302. For instance, disclosure of social security numbers, birth dates, and names is more likely to create a risk of identity theft or fraud. Id. (citing Attias v. CareFirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017)). By contrast, the disclosure of financial information alone, without corresponding personal information, is insufficient. See In re SuperValu, Inc., 870 F.3d 763, 770–71 (8th Cir. 2017); Tsao v. Captiva MVP Rest. Partners, 986 F.3d 1332, 1343 (11th Cir. 2021). This is because financial information alone generally cannot be used to commit identity theft or fraud. In re SuperValu, Inc., 870 F.3d at 770–71.
Applying this framework, the Third Circuit held that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness if he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. Clemens, 48 F.4th at 155–56.
The Third Circuit had previously reached the opposite conclusion in Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011), a case predating TransUnion, because the allegations in that case involved an unknown hacker who potentially accessed, but may not have read, copied, or understood, sensitive information. Id. at 41–42. In Reilly, there was no evidence to suggest that the data could ever be misused. Id. at 43. The allegations in Clemens differed, however, because it was a known hacker group that accessed Clemens's sensitive information and published such data on the Dark Web, “a platform that facilitates criminal activity worldwide.” Clemens, 48 F.4th at 156. The court found the hackers had acted intentionally and already misused the data by encrypting it and posting it on the dark web after holding it for ransom. Id. at 156–57. Additionally, the type of data at issue could easily be used to perpetrate identity theft, as it included Social Security numbers, dates of birth, and full names of employees. Id. The court also emphasized the fact that the lead plaintiff had alleged additional currently felt harms—emotional distress and related therapy costs and time and money involved in mitigating the fallout of the data breach. Id. at 156.
In Galaria v. Nationwide Mutual Insurance Co., 663 Fed.Appx. 384 (6th Cir. 2016), the Sixth Circuit also found that plaintiffs had standing in a case arising out of the theft of their personal information from the defendant's computer network. Id. at 385–86. The court held that the plaintiffs’ allegations that “the theft of their personal data places them at a continuing, increasing risk of fraud and identity theft” were sufficient for standing at the pleading stage of the litigation. Id. at 388. The Sixth Circuit reasoned that speculation about the possibility of future injury was unnecessary when the data had already been stolen and was in the possession of criminals. Id.
Ultimately, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or at least actual access to personal data. See Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340 (11th Cir. 2021).
The Court finds the factual allegations in this case are sufficient to establish an injury in fact at this early stage. Plaintiff has alleged that his personal information was exposed as a result of a targeted attempt by a third party to access the data set. In particular, he alleges, based on TMLT's own report, that certain personal and health information maintained on its systems was potentially accessed by “an unauthorized party.” (Dkt. # 16 at 6.) However, Plaintiff further alleges that the Data Breach involved more than mere “potential access.” Indeed, TMLT's Notice Letter confirmed that unauthorized actors gained access to and “acquired files” on TMLT's network. (Id. at 4.) Plaintiff alleges, upon information and belief,2 the personal information contained in the files accessed by the unauthorized third parties “was not encrypted or inadequately encrypted, as the threat actors were able to acquire and steal Plaintiff's and Class Members’ [personal information].” (Id. at 9.) Thus, Plaintiff has alleged actual acquisition of sensitive personal information by an unauthorized hacker.
Unlike in McMorris, the breach here was not an inadvertent, intra-company disclosure; it can reasonably be inferred that it was targeted hack. See Remijas, 794 F.3d 688, 693 (7th Cir. 2015) (“Why else would hackers break into a store's database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”) Therefore, this factor weighs in favor of a finding of an injury in fact.
Turning to the second factor, there are no allegations that Plaintiff or any other class member's personal information was published on the dark web or to the public, or that any affected member has indeed suffered misuse of their personal information. There are no allegations that the unauthorized third party has even attempted to use the allegedly “stolen” personal information. While Plaintiff need not wait until he suffers identity theft to allege an injury in fact, allegations of a heightened risk of misuse of personal information are still necessary. See McMorris, 995 F.3d at 300 (“Indeed, requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court's recognition that ‘[a]n allegation of future injury may suffice’ to establish Article III standing ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’ ”) (quoting Susan B. Anthony List, 573 U.S. at 158, 134 S.Ct. 2334). Therefore, this factor weighs against a finding of an injury in fact.
Finally, the Court recognizes that the unauthorized disclosure of Plaintiff's social security numbers, birth dates, and names is information particularly susceptible to misuse through identity theft. See Bohnak, 79 F.4th at 289 (“This is exactly the kind of information that gives rise to a high risk of identity theft.”). Therefore, this factor weighs in favor of an increased risk of identity theft.
After considering the factors, the Court concludes Plaintiff has alleged sufficient facts to allow the Court to draw a reasonable inference that there is a substantial risk the identity theft harm will occur to satisfy the injury in fact requirement. Plaintiff need not allege actual misuse of the personal information to establish an injury.
B. Mitigation Expenses
The Court next turns to Plaintiff's allegations that he has been injured through expenses incurred to mitigate the harm cause by the data breach. TMLT argues that where the harm of identity theft failed to materialize, Plaintiff cannot use mitigation efforts to create Article III standing where it does not already exist. (Dkt. # 17-21 at 12.)
Under Article III, parties “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 568 U.S. at 416, 133 S.Ct. 1138; see also Logan, 2024 WL 3489208 at *6. However, the First Circuit joined other circuits in concluding that “time spent responding to a data breach can constitute a concrete injury sufficient to confer standing, at least when that time would otherwise have been put to profitable use.” Id. at 377. The court noted, “[b]ecause this alleged injury was a response to a substantial and imminent risk of harm, this is not a case where the plaintiffs seek to ‘manufacture standing by incurring costs in anticipation of non-imminent harm.’ ” Id. (quoting Clapper, 568 U.S. at 422, 133 S.Ct. 1138).
Because Plaintiff pled both a substantial and imminent risk of identity theft as well as the costs and time spent monitoring the effects of the data breach, these allegations qualify as a concrete injury. Given that the Court has found Plaintiff alleged an injury sufficient to confer standing to pursue damages, the Court need not address Plaintiff's other theories of standing, such as Plaintiff's loss of privacy or value in his personal information.
At the pleading stage, the Court is required to “accept as true [p]laintiffs’ allegations about the nature of the breach and the data stolen, and construe the complaints in [p]laintiffs’ favor.” In sum, because Plaintiff has sufficiently alleged a concrete and imminent injury, he has pled an injury in fact. Moreover, Plaintiff has pled, and TMLT does not challenge, that TMLT caused his injury, and his injuries would be redressed through money damages. Therefore, the Court concludes that Plaintiff has Article III standing to pursue his claims. The Court DENIES Defendant's motion to dismiss for lack of standing.
II. Failure to State a Claim
Plaintiff asserts the following causes of action against Defendant: (1) negligence; (2) negligence per se,3 (3) third party beneficiary, and (4) unjust enrichment. The Parties agree to the application of Texas law in determining whether Plaintiff states claims upon which relief can be granted. (Dkt. # 20 at 13.)
A. Negligence Claims
To support a claim for negligence, a plaintiff must establish (1) a legal duty owed by defendant to plaintiff; (2) a breach of that duty, and (3) damages proximately caused by the breach. Lee Lewis Constr., Inc. v. Harrison, 70 S.W.3d 778,782 (Tex. 2001).
TMLT argues that Plaintiff has not included any factual information in the Complaint that shows that he suffered any damages as a result of the TMLT data security incident. (Dkt. # 17-1 at 15.) For instance, Plaintiff does not allege that there is any ongoing, present harm, such as a fraudulent bank account or non-reimbursed fraudulent charges, resulting from the alleged negligence. (Id.) Nor does Plaintiff allege any specific economic damage. (Id.) He has, therefore, failed to state a cause of action for negligence.
Plaintiff contends that aside from the risk of future identity theft, he has pled additional injuries in the form of time and money spent trying to mitigate the consequences of the data breach—with respect to which damages are unquestionably capable of reasonable proof. Thus, the compromised personal information and lost time and resources mitigating the effects of the data breach constitute a cognizable injury.
The Court finds Plaintiff has sufficiently pleaded damages to state a claim for negligence. Therefore, TMLT's motion to dismiss for failure to state a claim upon which relief can be granted as to the negligence claim is DENIED.
B. Contract Claims
“[A] third party beneficiary will not be recognized unless the intent to make him or her so is clearly written or evidenced in the contract.” Maddox v. Vantage Energy, LLC, 361 S.W.3d 752, 757 (Tex. App.—Fort Worth 2012, pet. denied). Third parties can recover on a contract “only if the parties intended to secure some benefit to that third party, and only if the contracting parties entered into the contract directly and primarily for the third party's benefit.” Dorsett Bros. Concrete Supply, Inc. v. Safeco Title Ins. Co., 880 S.W.2d 417, 421 (Tex. App.—Houston [14th Dist.] 1993, writ denied). A parties’ intention is gleaned from the words of their contract, and not from what they allegedly meant. Alvarado v. Lexington Ins. Co., 389 S.W.3d 544, 552 (Tex. App.—Houston [1st Dist.] 2012, no pet.).
Texas courts presume that “a party contracts only for its own benefit and have therefore maintained a presumption against third-party beneficiary agreements.” Maddox, 361 S.W.3d at 757. “All doubts must be resolved against conferring third-party beneficiary status.” Tawes v. Barnes, 340 S.W.3d 419, 425 (Tex. 2011); see also First Union Nat'l Bank v. Richmont Capital Partners I, L.P., 168 S.W.3d 917, 929 (Tex. App.—Dallas 2005, no pet.) (“If there is any reasonable doubt as to the intent of the contracting parties to confer a direct benefit on the third party, then the third-party beneficiary claim must fail.”).
Plaintiff alleges “TMLT entered into written contracts with its customers from which it obtained the PII/PHI of Plaintiff and Class Members,” and that “TMLT and its customers intended that Plaintiff and Class Members benefit from their contracts.” (Dkt. # 16 at 22.) Plaintiff points to two specific provisions regarding data security and alleges TMLT and its customers intended for those provisions to benefit him and other class members. Those provisions include an agreement not to use, or further disclose, “Protected Health Information” and to use appropriate safeguards and prevent use or disclosure of such information. (Id. at 23.)
Defendant argues that rather than identifying specific contracts to support this assertion, Plaintiff cites to provisions from the HITECH Act and HIPAA Omnibus Rule – not from any specific contract between TMLT and its customers. Plaintiff responds that the allegations are quoted directly from the “Business Associate Agreement Between TMLT and Policyholders” (the “BAA”) that TMLT enters with each of its policyholders. (Dkt. # 20 at 17–18.) Thus, Plaintiff sufficiently establishes the existence of the contract.
Nonetheless, the Court finds Plaintiff and other class members were not intended third-party beneficiaries of the BAA's security provisions. Plaintiff does not allege that the contract was directly and primarily entered for the third party's benefit. Instead, the primary purpose of the contracts is for TMLT to provide medical malpractice insurance to physicians, physician partnerships, providers, and healthcare facilities. (Id. at 23.) While Plaintiff or class members may have incidentally benefited from the contract, this is not sufficient to confer third-party beneficiary status.
Therefore, the Court finds Plaintiff fails to state a claim under a third-party beneficiary theory. TMLT's motion to dismiss for failure to state a claim upon which relief can be granted as to the third-party beneficiary claim is GRANTED.
Because Plaintiff and other Class Members are not parties to a contract with TMLT, Plaintiff asserts a cause of action for unjust enrichment. (Dkt. # 16 at 25.) “Unjust enrichment ‘characterizes the result of a failure to make restitution of benefits either wrongfully or passively received under circumstances that give rise to an implied or quasi-contractual obligation to repay.’ ” N. Cypress Med. Ctr. Operating Co. v. Cigna Healthcare, 781 F.3d 182, 204 (5th Cir. 2015) (quoting Foley v. Daniel, 346 S.W.3d 687, 690 (Tex. App.—El Paso 2009)). It “applies ‘the principles of restitution to disputes where there is no actual contract.’ ” Bernard v. Bank of Am., N.A., No. 04-12-00088-CV, 2013 WL 441749, at *3 (Tex. App.—San Antonio Feb. 6, 2013, no pet.) (quoting Mowbray v. Avery, 76 S.W.3d 663, 679 (Tex. App.—Corpus Christi–Edinburg 2002, pet. denied)). Accordingly, courts have held unjust enrichment is unavailable when a valid, express contract governing the subject matter of the dispute exists. Eun Bok Lee v. Ho Chang Lee, 411 S.W.3d 95, 112 (Tex. App.—Houston [1st Dist.] 2013); City of The Colony v. N. Texas Mun. Water Dist., 272 S.W.3d 699, 731 (Tex. App.—Fort Worth 2008). Though unjust enrichment applies restitution principles to disputes where there is no contract, “the party must have some connection with the wrongdoing in order for a plaintiff to recover.” Casstevens v. Smith, 269 S.W.3d 222, 230 (Tex. App.—Texarkana 2008).
Plaintiff alleges that he “conferred a monetary benefit upon TMLT in the form of monies paid for healthcare services or other services” as well as the benefit in the form of the “receipt of the Plaintiff's and Class Members’ PII/PHI.” (Dkt. # 16 at 25.) Plaintiff further alleges that TMLT accepted the benefits conferred and as a result of “TMLT's conduct, Plaintiff and Class Members suffered actual damages in an amount equal to the difference in value between their payments made with reasonable data privacy and security practices and procedures that [they] paid for, and those payments without reasonable data privacy and security practices and procedures that they received.” (Id.)
Defendant argues Plaintiff has not conferred any benefit upon TMLT that would be unjust for TMLT to retain, considering TMLT provided medical malpractice insurance in exchange for monetary compensation. (Dkt. # 17-1 at 20.) As TMLT did not unjustly retain any benefits and Plaintiff did not confer any additional benefits upon TMLT, Plaintiff's unjust enrichment claim should be dismissed. (Id.) The Court agrees.
The primary purpose of the contract between TMLT and its customers is to provide medical insurance, not necessarily to secure reasonable data privacy and security practices and procedures for Plaintiff and class members’ personal information. TMLT provided that insurance coverage, and therefore did not unjustly retain Plaintiff's monetary compensation. The receipt of the Plaintiff's and class members’ personal information was not a benefit conferred on TMLT for purposes of the bargain to provide medical insurance.
Therefore, the Court finds Plaintiff fails to state a claim for unjust enrichment. TMLT's motion to dismiss for failure to state a claim upon which relief can be granted as to the unjust enrichment claim is GRANTED.
III. Motion to Strike
Defendant argues that if the Court does not dismiss the Complaint, it should strike the immaterial and impertinent allegations concerning identity theft that have nothing to do with the parties or facts of this case. (Dkt. # 17-1 at 20.) Defendant claims Plaintiff added extraneous and generalized material concerning the actions of identity thieves and statistics about cybercrime. (Id.)
The court disagrees. Most of these allegations relate to Plaintiff's argument that TMLT was on notice of the potential harm of a data breach, an argument that is not unfairly prejudicial to TMLT under the circumstances. (See Dkt. # 16 at 13.) The court sees no reason to strike these allegations. Therefore, TMLT's motion to strike is DENIED.
CONCLUSION
For the reasons stated above, the Court GRANTS IN PART and DENIES IN PART Defendant TMLT's Motion to Dismiss (Dkt. # 17) and DENIES the Motion to Strike. Plaintiff's claims for negligence per se, third-party beneficiary, and unjust enrichment are hereby DISMISSED WITHOUT PREJUDICE.
IT IS SO ORDERED.
FOOTNOTES
1. The Court acknowledges that these cases predate TransUnion LLC v. Ramirez, 594 U.S. 413, 141 S.Ct. 2190, 210 L.Ed.2d 568 (2021) and may not conform to the standards of imminent risk.
2. “The Twombly plausibility standard does not prevent a plaintiff from pleading facts alleged upon information and belief where the facts are peculiarly within the possession and control of the defendant or where the belief is based on factual information that makes the inference of culpability plausible.” Innova Hosp. San Antonio, Ltd. P'ship v. Blue Cross & Blue Shield of Ga., Inc., 892 F.3d 719, 730 (5th Cir. 2018).
3. Plaintiff concedes dismissal of his negligence per se count because HIPAA and the Federal Trade Commission Act do not provide a private right of action, as required under Texas law. (Dkt. # 20 at 16.)
David Alan Ezra, Senior United States District Judge
Thank you for your feedback!
As the largest network of trusted legal brands, we help firms build authority across the platforms consumers and AI systems rely on most. Our network helps attorneys strengthen visibility, credibility, and preference where legal decisions begin.
Docket No: No. 1:23-cv-01183-DAE
Decided: October 25, 2024
Court: United States District Court, W.D. Texas, Austin Division.
Search our directory by legal issue
Enter information in one or both fields (Required)
Harness the power of our directory with your own profile. Select the button below to sign up.
Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Search our directory by legal issue
Enter information in one or both fields (Required)