Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Savidge v. Pharm-Save, Inc.

United States District Court, W.D. Kentucky, Louisville Division

December 1, 2017




         This matter is before the Court on several pending motions. First, Defendants Pharm-Save Inc. and Neil Medical Group, Inc. filed a motion to dismiss, [DN 5.] Plaintiffs Andrea Savidge and Beth Lynch responded, [DN 13], and Defendants replied, [DN 15.] For the reasons discussed in detail below, Defendants' motion to dismiss is GRANTED IN PART AND DENIED IN PART. Second, Plaintiffs filed a motion to remand this action back to Kentucky state court, [DN 11.] Defendants responded, [DN 14], and Plaintiffs replied, [DN 16.] However, because the parties no longer dispute that this Court has jurisdiction to hear this case, the motion to remand is DENIED AS MOOT.

         Third, Plaintiffs filed a motion for leave to file a first amended class action complaint, [DN 17.] Defendants responded, [DN 19], and Plaintiffs replied, [DN 22.] For the reasons discussed below, that motion is GRANTED.

         Finally, Plaintiffs filed a motion to stay the ruling on Defendants' motion to dismiss until after Plaintiffs have had an opportunity to conduct limited discovery, [DN 18.] Defendants responded, [DN 20] and Plaintiffs replied, [DN 21.] Defendants then moved to file a sur-reply, [DN 23], to which Plaintiffs responded, [DN 24], and Defendants replied, [DN 25.] The Court will GRANT Defendants' motion to file a sur-reply and, though it agrees with Plaintiffs that limited discovery is warranted, will DENY Plaintiffs' motion to stay. Rather, the Court will DENY WITHOUT PREJUDICE Defendants' 12(b)(2) motion at this time pending further limited discovery.


         Plaintiffs Andrea Savidge and Beth Lynch were employees of Defendant Pharm-Save Inc. (“Pharm-Save”) from 2013 to 2015 and 2013 to 2014, respectively. [DN 1-1 at 4 (Complaint).] On March 3, 2016, after the each of the Plaintiffs' employment with Pharm-Save had ended, a data breach occurred through which “an outside individual or group obtained copies of the W-2 forms which [Pharm-Save] sent to [its employees] and the IRS which would have included [employees'] social security number[s], address[es] and [their] 2015 salary information.” [DN 1-1 at 21, 24 (Letters from Pharm-Save to Plaintiffs).] In letters dated March 26, 2016, Pharm-Save notified all affected employees, including Savidge and Lynch, of the incident. [DN 1-1 at 21-23, 24-26.] Therein, Pharm-Save explained the security breach and told employees that “[i]t is possible that the criminal(s) may have filed or may try to file fraudulent tax refunds in the names of our employees.” [Id. at 21, 24.] Also in the letters, Pharm-Save offered employees “a complimentary two-year membership of Experian's ProtectMyID Alert. This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.” [Id.] The letters also contained instructions on how to activate the ProtectMyID service. [Id.]

         In a letter dated March 29, 2016, the IRS notified Savidge that it had received a federal income tax return for the 2015 tax year with her name and social security number. [Id. at 28.] However, the IRS stated that, [t]o protect [Savidge] from identity theft, we need to verify your identity before we process your return.” [Id.] Additionally, the IRS wrote “[w]e won't process this . . . tax return until we hear from you.” [Id.] Indeed, that tax return was fraudulent. [Id. at 9.]

         On March 2, 2017, Plaintiffs brought suit against Pharm-Save Inc. (d/b/a Neil Medical Group) and Neil Medical Group, Inc. in Kentucky state court, alleging several causes of action related to the theft of their personally identifiable information (“PII”). Defendants removed the action to this Court on March 27, 2017, [DN 1 (Notice of Removal)], and simultaneously filed the instant motion to dismiss, [DN 5.]


         A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). In order to survive a motion to dismiss under Rule 12(b)(6), a party must “plead enough ‘factual matter' to raise a ‘plausible' inference of wrongdoing.” 16630 Southfield Ltd. P'ship v. Flagstar Bank, F.S.B., 727 F.3d 502, 504 (6th Cir. 2013) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). A claim becomes plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007)). When considering a Rule 12(b)(6) motion to dismiss, the court must presume all of the factual allegations in the complaint are true and draw all reasonable inferences in favor of the non-moving party. Total Benefits Planning Agency, Inc. v. Anthem Blue Cross & Blue Shield, 552 F.3d 430, 434 (6th Cir. 2008) (citing Great Lakes Steel v. Deggendorf, 716 F.2d 1101, 1105 (6th Cir. 1983)). “The court need not, however, accept unwarranted factual inferences.” Id. (citing Morgan v. Church's Fried Chicken, 829 F.2d 10, 12 (6th Cir. 1987)). Should the well-pleaded facts support no “more than the mere possibility of misconduct, ” then dismissal is warranted. Iqbal, 556 U.S at 679. The Court may grant a motion to dismiss “only if, after drawing all reasonable inferences from the allegations in the complaint in favor of the plaintiff, the complaint still fails to allege a plausible theory of relief.” Garceau v. City of Flint, 572 F. App'x. 369, 371 (6th Cir. 2014) (citing Iqbal, 556 U.S. at 677-79).


         Defendants seek dismissal of Plaintiffs' claims of negligence, negligence per se, invasion of privacy, breach of implied contract, and intentional and negligent infliction of emotional distress. [DN 5 at 12-28; see DN 1-1.] Defendants make three primary arguments in their motion regarding why dismissal is proper. First, Defendants argue that Neil Medical Group, Inc. is not an appropriately named Defendant because it “was not in operation at the time of the alleged conduct.” [DN 5-1 at 4.] Second, Defendants argue that Plaintiffs lack Article III standing to bring their claims in this Court. [Id. at 6.] Third, Defendants argue that Plaintiffs fail to state a claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6). [Id. at 12.] However, Defendants have withdrawn their standing argument, [DN 12 (Notice of Withdrawal)], [1] and therefore only Defendants' first and third arguments for dismissal remain for the Court to address.

         A. Whether Plaintiffs' Claims State a Claim Upon Which Relief Can Be Granted

         The Court will first address whether the claims made in Plaintiffs' Complaint are cognizable under Rule 12(b)(6). These include negligence, negligence per se, invasion of privacy, breach of implied contract, intentional infliction of emotional distress, and negligent infliction of emotional distress. [See DN 1-1.]

         1. Negligence

         The parties agree that Kentucky law governs this action. [See DN 5 at 13; DN 13 at 3- 12.] Under Kentucky law, “[a] common law negligence claim requires proof of (1) a duty owed by the defendant to the plaintiff, (2) breach of that duty, (3) injury to the plaintiff, and (4) legal causation between the defendant's breach and the plaintiff's injury.” Wright v. House of Imports, Inc., 381 S.W.3d 209, 213 (Ky. 2012) (citing Pathways, Inc. v. Hammons, 113 S.W.3d 85, 88-89 (Ky. 2003)). “The standard of care applicable to a common-law negligence action is that of ordinary care-that is, ‘such care as a reasonably prudent person would exercise under the circumstances.'” Id. (quoting Slusher v. Brown, 323 S.W.2d 870, 872 (Ky. 1959)).

         a. Duty and Breach

         With regard to the first two elements of common law negligence, Defendants argue that Plaintiffs have failed to plausibly allege that Defendants breached a duty they owed to Plaintiffs. Specifically, Defendants argue that Plaintiffs “allege, without any support, that [Defendants'] security measures must have been inadequate.” [DN 5-1.] In their complaint, Plaintiffs assert that “the Defendants' duty to the Plaintiffs and other class members included, inter alia, establishing processes and procedures to protect the personal and sensitive information from wrongful disclosure and training employees who had access to that information as to those processes and procedures.” [DN 1-1 at 10.] Plaintiffs further assert that, because Plaintiffs' information was ultimately disclosed, “the Defendants clearly breached those duties.” [Id. at 11.]

         True, Plaintiffs' allegations are scant. However, at the motion to dismiss stage, the Court is required to construe the allegations in the light most favorable to Plaintiffs “and reasonable inferences must be made in favor of the non-moving party.” Total Benefits Planning Agency, 552 F.3d at 434. See also Keenan v. Marker, 23 Fed.Appx. 405, 406 (6th Cir. 2001) (“In determining whether a complaint fails to state a claim, the court must construe the complaint in a light most favorable to the plaintiff, accept all the factual allegations as true, and determine whether the plaintiff undoubtedly can prove no set of facts . . . that would entitle him to relief.”) Here, the Court can draw the reasonable inference that, because Plaintiffs' information was released to unauthorized individuals, Defendants breached their duties to safeguard that information. Whether Plaintiffs can prove such a breach is matter reserved for summary judgment or trial. However, at this early stage, it is enough that Plaintiffs have plausibly alleged a breach of Defendants' duties.

         b. Injury

         With regard to the third element of common law negligence, Defendants argue that Plaintiffs have failed to plead any cognizable injury. [DN 5-1 at 16-19.] In detail, Defendants argue that Plaintiffs have pointed only to speculative damages and the risk of future harm, which are insufficient. Indeed, Plaintiffs spend much of their complaint alleging that the cybercriminals who obtained their information may misuse that information in the future. For instance, Plaintiffs allege that the cybercriminals “may continue to exploit the data . . . or sell the data in the so-called ‘dark markets.'” [DN 1-1 at 9.] Next, Plaintiffs allege that the cybercriminals now have the ability “to commit a broad range of fraud . . . including but not limited to” “ obtaining employment, ” “obtaining a loan, ” “applying for credit cards or spending money, ” “obtaining medical care, ” “stealing Social Security and other governmental benefits, ” or “applying for a driver's license, birth certificate, or other public document.” [Id.] In addition, Plaintiffs allege that, “if a Plaintiff's Social Security number is used to create a false identification for someone who commits a crime, that individual may become entangled in the criminal justice system, impairing his or her ability to gain employment or obtain a loan.” [Id. (emphasis added)] Finally, Plaintiffs assert that, “for the rest of their lives . . . [they] will bear a heightened risk of all manners of identity theft.” [Id.]

         The Court agrees that Plaintiffs' allegations about heightened risks and the possibility of future harm are insufficient. Kentucky law is clear that “[a] cause of action does not exist until the conduct causes injury that produces loss or damage.” Capital Holding Corp. v. Bailey, 873 S.W.2d 187, 192 (Ky. 1994) (emphasis added). Accordingly, “Kentucky law . . . prohibits the possibility of future harm from constituting an element of damages if that possibility is considered outside the realm of damages for mental anguish.” Gill v. Burress, 382 S.W.3d 57, 64 (Ky. Ct. App. 2012). Indeed, this Court has previously held that “an increased threat of an injury that may never materialize cannot satisfy the injury requirement” for damages under Kentucky law. Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892, at *6 (W.D. Ky. July 12, 2012) (Russell, J.). Similarly, federal courts deciding data breach cases have held that a risk of future harm is insufficient to plead cognizable injury. See Krottner v. Starbucks Corp., 406 Fed.Appx. 129, 131 (9th Cir. 2010) (“The alleged injuries here stem from the danger of future harm. Even Shamasa, the only plaintiff who claims his personal information has been misused, alleges no loss related to the attempt to open a bank account in his name.”). Therefore, Plaintiffs' allegations regarding future harm they may suffer are insufficient.

         Nor does it appear that the mere filing of a fraudulent tax return in Plaintiff Savidge's name, by itself, caused her cognizable injury. Rather, the IRS, apparently skeptical of the authenticity of the return, notified Savidge that it had been filed and stated that it would not process it until she verified that it was genuine. [DN 1-1 at 28-29.] See Whalen v. Michaels Stores, Inc., 689 Fed.Appx. 89, 90 (2d Cir. 2017) (“Whalen asserts . . . she has lost time and money resolving the attempted fraudulent charges and monitoring her credit. Whalen does not allege a particularized and concrete injury suffered from the attempted fraudulent purchases, however; she never was either asked to pay, nor did pay, any fraudulent charge.”); Krottner, 406 F. App'x at 131 (“[Plaintiff] alleges no loss related to the attempt to open a bank account in his name.”); Holmes, 2012 WL 2873892, at *8 (“The Beneficial Letter is the only evidence that might show a threat of identity theft. Still, Plaintiffs concede this attempt to secure an automobile loan was unsuccessful and did not result in any actual injury.”). Contrast In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *14 (N.D. Cal. Aug. 30, 2017) (“Dugas alleges that a fraudulent tax return was filed under his Social Security number and that he was not able to timely file his own taxes as a result. Because Dugas could not file his own tax return, Dugas was unable to timely file a financial aid application for his daughters. This resulted in Dugas needing to pay an additional $9, 000 in tuition expenses that he would not otherwise have had to pay.” (internal citations omitted)).

         The Court also does not find persuasive Plaintiffs' argument, made in response to Defendants' motion to dismiss, that they can plead a cognizable injury due to the diminished value of their PII itself. “Plaintiffs here posit that their PII (with which Defendants were entrusted as Plaintiffs' employer) constitutes property, ” and argue that they are “entitled to recover for any injury to their PII that they have sustained because of Defendants' unauthorized disclosure.” [DN 13 at 8.] In detail, Plaintiffs argue that “[a]n intrusion (or encroachment) which is an unreasonable interference with the property owner's possessory use of his/her property is sufficient evidence of an actual injury (or damage to the property) to award actual damages.” [DN 13 at 8 (quoting Smith v. Carbide & Chemicals Corp., 226 S.W.3d 52, 57 (Ky. 2007)).] Further, Plaintiffs contend that their PII has been damaged “by losing the sales value of that information.” [Id. at 10 (quoting In re Facebook Privacy Litig., 572 Fed.Appx. 496 (9th Cir. 2014)).] However, Plaintiffs do not adequately allege how the value of their PII has been diminished, nor that they would have attempted to sell their PII in the future. See Khan v. Children's Nat'l Health Sys., 188 F.Supp.3d 524, 533-34 (D. Md. 2016) (“Khan alleges that the value of her personally identifiable information has been diminished by the data breach. She does not, however, explain how the hackers' possession of that information has diminished its value, nor does she assert that she would ever actually sell her own personal information . . . the data breach has not deprived her of the use of her personal information.”); Fernandez v. Leidos, Inc., 127 F.Supp.3d 1078, 1088 (E.D. Cal. 2015) (“Where the plaintiff has not alleged that he ‘attempted to sell his PII [;] that he would to do so in the future[;] or that he was foreclosed from entering into a ... transaction relating to his PII[ ] as a result of [the defendant's] conduct, ' the plaintiff has ‘not alleged facts sufficient to show [an] injury[ ] in [ ]fact based on the purported diminution in value of his PII.'”). Accordingly, Plaintiffs have failed to adequately plead injury to their PII itself as a property interest.

         Next, Plaintiffs allege in their response to Defendants' motion to dismiss that “the mental distress that Plaintiffs suffered and continue to suffer because of the increased likelihood of identity theft is an injury that is compensable.” [DN 13 at 10.] Indeed, Kentucky law allows recovery in tort “of damages for mental anguish.” Gill, 382 S.W.3d at 64. However, nowhere in Plaintiffs' complaint did they allege that they suffer and will continue to suffer from emotional distress related to their fear of identity theft. [See DN 1-1.] The most Plaintiffs allege, for purposes of their intentional and negligent infliction of emotional distress claims, is that Defendants' conduct “did indeed cause severe emotional distress.” [Id. at 17.] However, as the Court discusses in detail below, this mere recitation of the element of an intentional and negligent infliction of emotional distress claim, without more, is insufficient. Because Plaintiffs did not adequately plead mental anguish damages in their complaint, this, also, does not qualify as a cognizable injury.

         However, Plaintiffs also allege that they have incurred “additional expense[s] associated with mitigating the risk of identity theft.” [DN 1-1 at 11.] Further, they allege that they “have suffered and will continued to suffer” such injuries as

(a) out-of-pocket costs associated with addressing false tax returns filed with the IRS and state tax agencies; . . . (c) out-of-pocket costs associated with procuring identity protection and restoration services; . . . and (c) lost productivity and enjoyment as a result of time spent monitoring, addressing and correcting future consequences of the breach.

[Id. at 12.] In recent years, a growing number of Courts have recognized that the purchase of credit monitoring services and the costs expended to deal with fraudulent activity following the theft of PII, when spent with the knowledge that stolen information has already been misused, can constitute cognizable injuries.[2]See Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012) (“The Complaint specifically alleges that both Curry and Moore suffered financial injury; monetary loss is cognizable under Florida law for damages in contract, quasi-contract, negligence, and breach of fiduciary duty . . . Plaintiffs have therefore alleged a cognizable injury under Florida law.”) (internal citations omitted); Anderson v. Hannaford Bros. Co., 659 F.3d 151, 166 (1st Cir. 2011) (“Knowing her personal data had been breached and misused, and knowing the thieves were sophisticated and had rung up thousands of unauthorized charges, plaintiff Valburn had a reasonable basis for purchasing identity theft insurance to avoid further damage.”); Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 14, 2016) (“Only some of the plaintiffs have actually incurred out-of-pocket expenses so far . . . Those who have incurred such out-of-pocket expenses have pleaded cognizable injuries, whereas those who claim only that they may incur ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.