
    Miguel A. CRUZ, Plaintiff, v. The UNITED STATES of America, Defendant.
    Civ. No. 08-1905(PG).
    United States District Court, D. Puerto Rico.
    Feb. 4, 2010.
    
      Maria H. Sandoval, Maria H. Sandoval Law Office, San Juan, PR, for Plaintiff.
    Hector Ramirez-Carbo, United States Attorneys Office, District of Puerto Rico, San Juan, PR, for Defendant.
   OPINION AND ORDER

JUAN M. PEREZ-GIMENEZ, District Judge.

Plaintiff Miguel A. Cruz brings suit against the United States of America under the Federal Tort Claims Act (“FTCA”), 28 U.S.C. §§ 1346(b), 2671-2680. Before the Court are Defendant’s Motion to Dismiss (Docket No. 12) pursuant to Feb.R.Civ.P. 12(b)(6) for failure to state a claim upon which relief can be granted, as well as Plaintiffs Opposition (Docket No. 14) and Defendant’s Response thereto (Docket No. 20). For the reasons set forth below, the Court GRANTS Defendant’s Motion to Dismiss.

I. Factual Background

The Court draws the following facts from Plaintiffs Complaint (Docket No. 1) and takes them as true for purposes of resolving Defendant’s Motion to Dismiss.

Plaintiff worked as an electrical engineer at the Veterans Medical Center (“VAMC”) in San Juan, Puerto Rico, from 2003 to 2006. The VAMC is a hospital that provides health services to veterans administered and funded by the Department of Veterans Affairs of the United States federal government. Plaintiff was injured in 1992 at Fort Hamilton, New York, while participating in Army Reserve duties. As a result, he suffered physical and psychiatric injuries that have had long term consequences to his health. He was treated by a psychiatrist employed at the VAMC for several years, visiting him approximately five times each year in 2003 and 2004. In 2005, Plaintiff began to suspect that his medical records were being read by unauthorized personnel and stopped seeing his psychiatrist as often as his condition required; his visits dropped to about twice a year in 2005 and 2006.

In June 2005, Plaintiff complained to the Department of Veteran Affairs and asked the VAMC to investigate his claim to determine if his medical records were being accessed illegally. On May 15, 2007, Plaintiff was informed by the VAMC’s privacy officer that the investigation had been completed and that the hospital had taken “corrective actions” without stating specifically what corrective actions had been taken or who specifically had accessed Plaintiffs medical files without proper authorization. (Compl. ¶ 26-28.) On June 27, 2007, Plaintiff filed an FTCA claim for damage or injury on a Standard Form 95 (“SF-95”) naming the VAMC in Puerto Rico as the appropriate federal agency. On August 14, 2008, he filed the instant suit in federal district court.

In his Complaint, Plaintiff states that “at least ten persons or more accessed plaintiffs medical records without legal authorization and for no legitimate reason or purpose.” (Compl. ¶20.) These persons read Plaintiffs medical records “although it was not related to their jobs or their assigned work or duties.” (Compl. ¶ 22.) They were able to do this “only because the VAMC was negligent” and because “[t]he VAMC in Puerto Rico took no precautions and had not installed ... adequate security measures to prevent employees, agents or third parties from seeing and reading medical records of VAMC employees and patients.” (Compl. ¶ 23.)

Plaintiff alleges that he was injured because the decrease in visits to his psychiatrist were detrimental to his health and well-being. He also states that he was required to resign from his position at the VAMC because of the hospital’s tortious conduct. Finally, he claims that his right to privacy was seriously violated. As a result of these injuries, Plaintiff pleads claims for relief based on: (1) violations of his rights to privacy, dignity, family, and honor under the Puerto Rico Constitution, specifically Article II §§ 1 and 8, and case law; (2) negligence under Article 1802 and 1803 of the Puerto Rico Civil Code; and (3) negligent infliction of emotional distress under the same provisions of Puerto Rico law. Plaintiff requests a declaratory judgment holding that the Defendant’s acts violated and continue to violate his constitutional rights and constituted negligent infliction of emotional distress. He also requests compensatory damages in excess of $75,000.00, plus attorneys fees.

II. Rule 12(b)(6) Standard of Review

“The general rules of pleading require a short and plain statement of the claim showing that the pleader is entitled to relief.... This short and plain statement need only give the defendant fair notice of what the ... claim is and the grounds upon which it rests.” Gargano v. Liberty Intern. Underwriters, Inc., 572 F.3d 45, 48 (1st Cir.2009) (internal citations and quotation marks omitted).

Motions to dismiss brought under Federal Rule of Civil Procedure 12(b)(1) and 12(b)(6) are subject to the same standard of review. See Negron-Gaztambide v. Hernandez-Torres, 35 F.3d 25, 27 (1st Cir.1994). When ruling on a motion to dismiss for failure to state a claim, a district court “must accept as true the well-pleaded factual allegations of the complaint, draw all reasonable inferences therefrom in the plaintiffs favor, and determine whether the complaint, so read, limns facts sufficient to justify recovery on any cognizable theory.” Rivera v. Centro Medico de Turabo, Inc., 575 F.3d 10, 15 (1st Cir.2009) (citing LaChapelle v. Berkshire Life Ins. Co., 142 F.3d 507, 508 (1st Cir.1998)). Courts “may augment the facts in the complaint by reference to (i) documents annexed to the complaint or fairly incorporated into it, and (ii) matters susceptible to judicial notice.” Gagliardi v. Sullivan, 513 F.3d 301, 306 (1st Cir.2008) (internal citations and quotation marks omitted).

“Yet [the Court] need not accept as true legal conclusions from the complaint or naked assertions devoid of further factual enhancement.” Maldonado v. Fontanes, 568 F.3d 263, 266 (1st Cir.2009) (citing Ashcroft v. Iqbal, — U.S. -, 129 S.Ct. 1937, 1960, 173 L.Ed.2d 868 (2009)). Although a complaint attacked by a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6) “does not need detailed factual allegations, ... a plaintiffs obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) (internal citations and quotation marks omitted).

Moreover, “even under the liberal pleading standard of Federal Rule of Civil Procedure 8, the Supreme Court has ... held that to survive a motion to dismiss, a complaint must allege a plausible entitlement to relief.” Rodriguez-Ortiz v. Margo Caribe, Inc., 490 F.3d 92, 95 (1st Cir.2007) (citing Twombly, 550 U.S. 544, 127 S.Ct. 1955 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 129 S.Ct. at 1949 (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955). That is, “[f]actual allegations must be enough to raise a right to relief above the speculative level ... on the assumption that all the allegations in the complaint are true (even if doubtful in fact)....” Twombly, 550 U.S. at 555, 127 S.Ct. 1955 (internal citations and quotation marks omitted). “Determining whether a complaint states a plausible claim for relief will ... be a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal, 129 S.Ct. at 1950.

III. Discussion

In its Motion to Dismiss, Defendant submits that Plaintiff fails to plead a viable cause of action under the FTCA. Defendant argues that the United States is not liable to Plaintiff for the negligent acts or omissions of its employees acting outside the scope of their employment. In his Opposition, Plaintiff responds that the Complaint points the finger not at “snooping employees” but at “the negligence of [the VAMC s] administrators and its systems programmers who designed, implemented and maintained inadequate computer systems and computer safeguards.” (Opp. Mot. Dismiss ¶ 17.) He blames VAMC officials for not installing adequate ‘security measures “to prevent the foreseeable harm” and for employing “a computer system containing medical records which it knew were [sic] susceptible to breach by nosy employees.” (Id. at ¶ 18.)

Defendant’s Response raises the discretionary function exception to the FTCA, which the First Circuit Court of Appeals has explained wrests subject matter jurisdiction away from the Court. If the discretionary exception applies, the jurisdiction-granting provision of 28 U.S.C. § 1346(b) does not, such that “the [government] is completely immune from suit, and the claim must be dismissed for lack of subject matter jurisdiction.” Santoni v. Potter, 369 F.3d 594, 602 (1st Cir.2004) (citing Kelly v. United States, 924 F.2d 355, 360 (1st Cir.1991)); see also Bolduc v. United States, 402 F.3d 50, 60 (1st Cir.2005). Therefore, even though Defendant’s dispositive motion is brought under Fed.R.Civ.P. 12(b)(6), we must first address whether the discretionary function applies, since subject matter jurisdiction challenges are not waivable and can be raised at any time. “Whether the complaint states a cause of action on which relief could be granted is a question of law [which] must be decided after and not before the court has assumed jurisdiction over the controversy.” Bell v. Hood, 327 U.S. 678, 682, 66 S.Ct. 773, 90 L.Ed. 939 (1946). “After all, if the court lacks subject matter jurisdiction, assessment of the merits becomes a matter of purely academic interest.” Deniz v. Municipality of Guaynabo, 285 F.3d 142, 150 (1st Cir.2002).

1. Discretionary Function Exception

The FTCA provides a limited waiver of the federal government’s sovereign immunity for claims of “injury or loss of property ... caused by the negligent or wrongful act or omission of any employee of the Government ... under circumstances where the United States, if a private person, would be liable to the claimant in accordance with the law of the place where the act or omission occurred.” See 28 U.S.C. § 1346(b)(1). “[F]or liability to arise under the FTCA, a plaintiffs cause of action must be comparable to a cause of action against a private citizen recognized in the jurisdiction where the tort occurred, and his allegations, taken as true, must satisfy the necessary elements of that comparable state cause of action.” Abreu v. United States, 468 F.3d 20, 23 (1st Cir.2006) (internal citations and quotation marks omitted).

However, the waiver effected by the FTCA is closely circumscribed by the terms of the statute and is subject to several statutory exceptions. Even where the government conduct would create state tort liability in a suit against a private party, the FTCA does not waive sovereign immunity if the challenged governmental action involved the exercise of discretion. See id. This provision, known as the discretionary function exception, provides that sovereign immunity is not waived for claims “based upon the exercise or performance or the failure to exercise or perform a discretionary function or duty on the part of a federal agency or an employee of the Government, whether or not the discretion involved be abused.” 28 U.S.C. § 2680(a).

In determining whether the discretionary function applies and bars Plaintiffs suit for lack of subject matter jurisdiction, we employ the following analytic framework. “A court first must identify the conduct that is alleged to have caused the harm, then determine whether that conduct can fairly be described as discretionary, and if so, decide whether the exercise or non-exercise of the granted discretion is actually or potentially influenced by policy considerations.” Fothergill v. United States, 566 F.3d 248, 252 (1st Cir.2009) (citing Bolduc, 402 F.3d at 60; Shansky v. United States, 164 F.3d 688, 691-92 (1st Cir.1999)).

A. Is the Government’s Conduct Discretionary?

Conduct is considered discretionary when it involves an element of judgment or choice for the acting employee. See Abreu, 468 F.3d at 25. This meaning of discretionary, however, “excludes actions prescribed by federal statute, regulation, or policy.” Bolduc, 402 F.3d at 60 (citing Berkovitz v. U.S., 486 U.S. 531, 536, 108 S.Ct. 1954, 100 L.Ed.2d 531 (1988)). “The discretionary function exception does not shield the conduct of an employee who violates a mandatory regulation ... In that situation, the employee’s action cannot be deemed in furtherance of the policies of the statute that the regulation implements ... Nor does his conduct reflect a permissible exercise of the discretion that Congress delegated.” Abreu, 468 F.3d at 27 (emphasis in original). If a government employee violates a mandatory regulation, “there will be no shelter from liability because there is no room for choice and the action will be contrary to policy.” United States v. Gaubert, 499 U.S. 315, 324, 111 S.Ct. 1267, 113 L.Ed.2d 335 (1991). If the Court concludes that the conduct is not discretionary, “the analysis ends and the discretionary function proviso drops out of the case.” Bolduc, 402 F.3d at 60 (citing Kelly, 924 F.2d at 360).

The Court must now analyze Plaintiffs specific allegations of governmental wrongdoing in light of the applicable statutory and regulatory scheme governing the privacy of veterans’ medical records. In particular, we must identify a specific mandatory directive that Defendants had a clear duty under federal law to perform. If the specific mandatory directive nevertheless involves an element of judgment or choice, then application of the discretionary function exception will turn on whether the officials were actually or potentially influenced by policy considerations.

Federal administrative regulations detail the Department of Veterans Affairs’ duties in maintaining records in its custody. 38 C.F.R. § 1.576 provides in pertinent part:

(a) The Department of Veterans Affairs will safeguard an individual against an invasion of personal privacy. Except as otherwise provided by law or regulations its officials and employees will:
(4) Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is correct and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information.

(emphasis ours). These regulations appear to constrain the way in which the VAMC maintains and safeguards its patients’ private medical records. The operative language for purposes of resolving this motion is found in the mandatory “will” that describes the duty of the Department as a whole — which “will safeguard an individual against an invasion of personal privacy” — and the duty of its officials and employees — who “will ... collect, maintain, use, or disseminate ... [patient records] ... in a manner that assures that such action is for a necessary and lawful purpose, ... and that adequate safeguards are provided to prevent misuse of such information.” We must resolve whether this seemingly mandatory language is specific enough in its textual interpretation and practical application to prescribe a specific course of conduct for VAMC officials and employees to follow with respect to Plaintiffs allegations of governmental wrongdoing: the designing, implementing, and maintaining of computer systems that do not adequately safeguard private medical records.

We conclude that the above-referenced regulation, while seemingly mandatory in its plain language, does not specifically prescribe a course of conduct for the VAMC’s operation or implementation of its computer systems and other non-electronic means of safeguarding private medical records. The regulation is contained in subheading Part 1., “General Provisions,’ ” and section 1.576, “General policies, conditions of disclosure, accounting of certain disclosures, and definitions.” The descriptive term “general” reveals the overview nature of this general policy directive, allowing substantial room for judgment or choice for VAMC officials to carry it out. The regulation only specifically prohibits the disclosure of private records by employees to persons not entitled to receive them in the form of criminal penalties for wilful disclosure. See 38 C.F.R. § 1.576(e)(1). “Although words like ‘will’ and ‘must’ are generally of mandatory effect, they may have other meanings and may be used, as here, in merely a directory sense.” Kelly, 924 F.2d at 360 (holding the discretionary function exception applied where mandatory regulatory language afforded discretion in both its textual interpretation and practical application).

We engage in this meticulous textual analysis because we indulge every reasonable inference in Plaintiffs favor at the motion to dismiss stage, even though Plaintiff never raised or pointed to any federal law, including this regulation, that constrained the VAMC’s discretion in safeguarding the privacy of its patients’ medical records. Under prior First Circuit case law, we simply find that the above-quoted regulatory language is not specific enough for us to conclude that the VAMC has violated a mandatory regulation and has thus engaged in non-discretionary conduct. As the First Circuit stated in Shansky v. United States:

[T]his passage does not specifically prescribe that any particular safety measure be employed at any particular place or in any particular facility. To the contrary, it suggests that the [government officials] will have to make discretionary judgments about how to apply concretely the aspirational goal embedded in the statement ... Statements made at this level of generality do not satisfy Gaubert’s and Berkovitz’s specific prescription requirement. Were the law otherwise, the discretionary function exception would be a dead letter.

164 F.3d at 691. The fact that the regulation mandates that VAMC employees maintain and use private medical records “in a manner that assures” that such action is for a necessary and lawful purpose, and, that adequate safeguards are provided to prevent the misuse of such information, does not tell us: “in what manner, or, how?”

We also agree with Defendant that the VAMC’s decision of how to supervise misbehaving employees is a discretionary act clearly within the discretionary function exception. The First Circuit “has recognized, in the context of supervision, that in the absence of a statutory or regulatory regime that sets out particulars as to how an agency must fulfill its mandate, the development and management of a supervisory model is a matter of agency discretion.” Bolduc, 402 F.3d at 61; see also Attallah v. United States, 955 F.2d 776, 784-85 (1st Cir.1992) (“[H]ow, and to what extent the [agency] supervises its employees certainly involves a degree of discretion and policy considerations of the kind that Congress sought to protect through the discretionary function exception.”)

B. Is the Discretion Influenced by Policy Considerations?

Having determined that the challenged conduct is discretionary, we must next consider whether the exercise of that discretion is actually or potentially influenced by policy considerations. See Bolduc, 402 F.3d at 60 (“Only if the conduct is both discretionary and policy-driven will [the FTCA] strip the court of subject matter jurisdiction.”) (citing Muniz-Rivera v. U.S., 326 F.3d 8, 15 (1st Cir.2003); Attallah, 955 F.2d at 783). We must be cognizant that the discretionary function exception “marks the boundary between Congress’ willingness to impose tort liability upon the United States and its desire to protect certain governmental activities from exposure to suit by private individuals.” United States v. Varig Airlines, 467 U.S. 797, 808, 104 S.Ct. 2755, 81 L.Ed.2d 660 (1984). In enacting the exception, Congress intended to “prevent judicial ‘second-guessing’ of legislative and administrative decisions grounded in social, economic, and political policy through the medium of an action in tort.” Id. at 814, 104 S.Ct. 2755.

Decisions are thought to be influenced by policy considerations “if they involve an unrestrained balancing of incommensurable values, including a differential allocation of resources among various political objectives.” Bolduc, 402 F.3d at 60 (citing Shansky, 164 F.3d at 695). The law presumes that the exercise of official discretion implicates policy judgments and, in order to prevail, Plaintiff must demonstrate that the VAMC’s decision to adopt a computer system prone to breach by nosy employees was not susceptible to policy analysis. See Shansky, 164 F.3d at 692. In this case, the decision to maintain a computer system with strong security measures to prevent unauthorized access does implicate policy judgments about how the VAMC is to allocate resources among various objectives (e.g. safeguarding privacy v. reducing operational costs). For example, whether to purchase the most protective and expensive security software or a more vulnerable but cost-efficient one requires the agency to make a policy choice about its budgetary priorities. In his Complaint, Plaintiff nowhere shows that implementing a secure computer system and an effective supervisory model that disciplines employee misconduct is not susceptible to policy analysis. How an agency decides to make the most effective use of its resources is certainly influenced by policy considerations of the kind Congress intended to shield from liability under the FTCA.

Even if the VAMC had acted negligently in choosing a security system and supervisory model that failed to protect its patients’ private medical records and that was and remains prone to breach by snooping employees, this is a policy-driven choice for which the agency may not be held liable. Whether the agency abused its discretion or not is of no consequence if the discretionary function exception applies. See 28 U.S.C. § 2680(a)(excepting claims based on the exercise of discretion “whether or not the discretion involved be abused.”) To hold otherwise would allow plaintiffs to regulate federal agencies through the medium of a tort suit demanding that the agency act in a particular way among varying alternatives properly within its scope of delegated powers. The VAMC cannot be held liable for adopting or failing to adopt security measures that mischievous employees find ways of exploiting, especially in the absence of a specific directive under federal law requiring that any be in place.

IY. Conclusion

While we lament the intrusive and unbecoming conduct of the VAMC employees who felt compelled to invade Plaintiffs privacy, if his allegations are truthful indeed, we must deny his claims under the FTCA for the foregoing reasons. The Court GRANTS Defendant’s Motion to Dismiss. Plaintiffs claims under the FTCA are hereby DISMISSED WITH PREJUDICE.

IT IS SO ORDERED.  