
    [19 NYS3d 850]
    Denise R. Abdale et al., on Behalf of Themselves and All Others Similarly Situated, Plaintiffs, v North Shore-Long Island Jewish Health System, Inc., et al., Defendants.
    Supreme Court, Queens County,
    August 14, 2015
    
      APPEARANCES OF COUNSEL
    
      Law Offices of Bonita Zelman, Lake Success, for plaintiffs.
    
      Ropes & Gray, LLP, New York City (Jason Brown and Joseph G. Cleemann of counsel), for defendants.
   OPINION OF THE COURT

Robert J. McDonald, J.

Plaintiffs commenced the within action on behalf of themselves and others similarly situated on February 5, 2013 to recover damages for, among other things, defendants’ “failure to adequately protect the confidential personal and medical information of their current and former patients, conduct that ultimately resulted in identity and medical identity data breaches.” Plaintiffs are 13 patients, or relatives of patients, who allegedly received medical services at medical facilities owned or operated by defendants North Shore-Long Island Jewish Health System, Inc. (Health System), North Shore-Long Island Jewish Medical Care, PLLC (Medical Care), North Shore-LIJ Network, Inc. (Network) and North Shore University Hospital (NSUH). Plaintiffs allege that defendants Health System, Medical Care and NSUH each operate under the corporate umbrella of defendant Network; and that defendants Network, Health System and Medical Care owns, operates, manages, maintains and secures defendant NSUH. The complaint refers to all four defendants collectively as North-Shore LIJ.

Plaintiffs allege that at the time they received medical treatment they provided personal information to the defendants, and that on or before fall 2010 and continuing at least through 2012, medical record face sheets and unencrypted computer network data were stolen from defendants North-Shore LIJ. It is also alleged that patients’ physical (hard copy) hospital face sheets were unsecured and were stolen from inside the premises of the defendants’ facilities, including NSUH. These face sheets consist of cover sheets containing information about each patient, including their full name, their spouse’s full name if married, date of birth, address, telephone number, medical record number, Social Security number, insurance information, and current medical information and history. Plaintiffs allege that the stolen data contains private, personal information, including but not limited to protected health information as defined by HIPAA, Social Security numbers, medical information and other information of hundreds of patients. Plaintiffs allege that as a result of the defendants’ failure to implement and follow basic security procedures, their personal information is now in the hands of thieves, and that they face a substantial increased risk of identity theft. Each of the 13 plaintiffs allege that they have experienced repeated instances of identity theft since said data breach and that as a consequence of said breach, plaintiffs, as well as current and former patients, have had to spend and will continue to spend significant time and money in the future to protect themselves. In addition, plaintiff Peterman alleges that as a result of the data breach her credit rating was substantially damaged; plaintiff Vetere alleges that as a result of the data breach her income tax refund for 2010 was fraudulently claimed and sent to a third party; and plaintiff Akins alleges that identity thieves fraudulently filed state and federal income tax returns for 2011, causing him substantial financial losses.

The complaint alleges that Health System through its Patients’ Bill of Rights, and website, advised patients that it, and each of its owned and sponsored article 28 not-for-profit corporations are required by law to follow HIPAA regulations and protect the privacy of health information that may reveal a patient’s identity. The complaint further alleges that patients were also advised that they have a right to be notified of any breaches of “Unsecured Protected Health” information as soon as possible, but in any event no later than 60 days following the discovery of the breaches.

Plaintiffs allege that on January 26, 2012, Clincy M. Robinson was arrested and charged with identity theft in the first degree (one count) and criminal possession of computer related materials (two counts), scheme to defraud in the first degree (two counts) and unlawful possession of personal information in the third degree (one count). Mr. Robinson was charged with being in possession of 25 face sheets from NSUH, data that is maintained on the computer network of NSUH, and being in possession of computer data consisting of personal identifying information for over 900 individuals, without authorization, and it is alleged that he pleaded guilty to these charges and was sentenced on December 13, 2012 in the District Court of Nassau County.

Plaintiffs also allege that on June 1, 2012, Dennis Messias was arrested and charged with identity theft in the first degree (four counts), grand larceny in the third degree, and scheme to defraud in the first degree, in connection with the theft and unauthorized use of patients’ personal information from the premises of NSUH.

Plaintiffs allege that the defendants were aware of these thefts and security breaches and that they failed to notify their patients within 60 days of the breach; that defendants failed to notify the Secretary of the U.S. Department of Health and Human Services of said security breaches in the year in which they discovered said breaches; and that defendants failed to maintain a written log of security breaches since 2007, on an annual basis.

The complaint alleges 11 causes of action for (1) negligence per se based upon violations of General Business Law § 899-aa; (2) negligence per se based on violations of Public Health Law § 18; (3) negligence per se based upon violations of General Business Law § 399-dd (4); (4) negligence per se based on violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104-191, 110 US Stat 1936); (5) negligence per se based on violations of the Health Information Technology for Economic and Clinical Health Act (HITECH) (42 USC §§ 17921-17953, as added by Pub L 111-5, division A, tit XIII, § 13001 et seq., 123 US Stat 226); (6) violations of General Business Law § 349; (7) breach of contract; (8) breach of fiduciary duty; (9) negligence; (10) breach of the implied covenant of good faith and fair dealing; and (11) misrepresentation.

Defendants, prior to serving an answer, filed a notice of removal on March 8, 2013, which removed this action to the United States District Court for the Eastern District of New York (District Court), asserting that a federal jurisdiction question existed and that removal was appropriate under the Class Action Fairness Act of 2005 (CAFA). On April 16, 2013, the defendants filed a motion in District Court to dismiss the complaint and on June 10, 2013 plaintiffs filed a motion to remand the matter to this court. The District Court, in an order dated June 14, 2014, denied the plaintiffs’ motion to remand with leave to renew within 30 days after the conclusion of expedited discovery pertaining to CAFA exceptions, and reserved judgment on the defendants’ motion to dismiss (Abdale v North Shore-Long Is. Jewish Health Sys., Inc., 2014 WL 2945741, 2014 US Dist LEXIS 88881 [ED NY, June 30, 2014, No. 13-CV-1238 (JS)(WDW)]). The parties were unable to formulate a joint discovery plan as directed by the court, and the matter was assigned to a magistrate. A status conference was held on October 2, 2014, at which time the magistrate made certain rulings pertaining to discovery. However, no discovery was had and defendants conceded that the matter should be remanded to this court, as the 268 individuals they sent letters to regarding the subject data breach were all New York State citizens. On November 13, 2014, the District Court remanded the matter back to this court, without any limit as to the size of the class.

Defendants, in this pre-answer motion seek to dismiss the complaint on the grounds of failure to state a cause of action, pursuant to CPLR 3211 (a) (7).

It is well settled that “[o]n a motion to dismiss pursuant to CPLR 3211 (a) (7) for failure to state a cause of action, the complaint must be construed liberally, the factual allegations deemed to be true, and the nonmoving party must be given the benefit of all favorable inferences” (Dolphin Holdings, Ltd. v Gander & White Shipping, Inc., 122 AD3d 901, 901-902 [2d Dept 2014]; Leon v Martinez, 84 NY2d 83, 87 [1994]; see AG Capital Funding Partners, L.P. v State St. Bank & Trust Co., 5 NY3d 582, 591 [2005]; Goshen v Mutual Life Ins. Co. of N.Y., 98 NY2d 314, 326 [2002]; Nasca v Sgro, 130 AD3d 588 [2d Dept 2015]). The court is limited to “an examination of the pleadings to determine whether they state a cause of action,” and the “plaintiff may not be penalized for failure to make an evidentiary showing in support of a complaint that states a claim on its face” (Miglino v Bally Total Fitness of Greater N.Y., Inc., 20 NY3d 342, 351 [2013]). “The test of the sufficiency of a pleading is ‘whether it gives sufficient notice of the transactions, occurrences, or series of transactions or occurrences intended to be proved and whether the requisite elements of any cause of action known to our law can be discerned from its averments’ ” (V. Groppa Pools, Inc. v Massello, 106 AD3d 722, 723 [2d Dept 2013] [internal quotation marks omitted], quoting Pace v Perk, 81 AD2d 444, 449 [2d Dept 1981]; see also Dolphin Holdings, Ltd. v Gander & White Shipping, Inc., 122 AD3d at 901-902).

“A court is, of course, permitted to consider evidentiary material ... in support of a motion to dismiss pursuant to CPLR 3211 (a) (7)” (Sokol v Leader, 74 AD3d 1180, 1181 [2d Dept 2010]), and, if it does so,

“the criterion then becomes whether the proponent of the pleading has a cause of action, not whether he has stated one (id. at 1181-1182, quoting Guggenheimer v Ginzburg, 43 NY2d 268, 275 [1977]). Yet, affidavits submitted by a defendant will almost never warrant dismissal under CPLR 3211 unless they establish conclusively that [the plaintiff] has no cause of action” (Dolphin Holdings, Ltd. v Gander & White Shipping, Inc., 122 AD3d at 902 [internal quotation marks omitted]; see Bokhour v GTI Retail Holdings, Inc., 94 AD3d 682 [2d Dept 2012]).
“Indeed, a motion to dismiss pursuant to CPLR 3211 (a) (7) must be denied unless it has been shown that a material fact as claimed by the pleader to be one is not a fact at all and unless it can be said that no significant dispute exists regarding it” (Bokhour v GTI Retail Holdings, Inc., 94 AD3d at 683 [internal quotation marks omitted]; see Sokol v Leader, 74 AD3d at 1182; see also Nasca v Sgro).

Defendants assert that defendant Health System is a not-for-profit corporation that indirectly owns or sponsors a large number of separate not-for-profit health care providers, including 16 acute care hospitals; that defendant Medical Care and defendant Network are affiliated with defendant Health System but do not provide any patient services; and that defendant NSUH is 1 of said 16 hospitals and is the only defendant that provides direct patient services. It is asserted that the complaint fails to allege any facts with respect to defendants Health System, Medical Care and Network; that plaintiffs do not allege that records were stolen from these entities or that they were a patient of these entities. It is further asserted that the complaint fails to contain any specific factual allegations with respect to these three defendants and that plaintiffs seek to rely upon bald assertions that each of these defendants operate under the same “corporate umbrella” and each “owns, operates, maintains and secures” defendant NSUH. As regards defendant Network, it is asserted that the complaint appears to state in conclusory fashion that employees of that entity were responsible for the theft of certain personal information.

Defendants assert that the complaint fails to satisfy New York’s pleading standards in that the allegations are conclusory; that the complaint fails to assert facts to support any claim against defendants Health System, Medical Care and Network; that the complaint fails to allege cognizable injuries; that the claims of negligence and negligence per se are barred by the economic loss doctrine; that each of the negligence per se claims fail to allege the elements of the alleged statutory violation on which the claim is based; that the claim fails to allege the elements of misrepresentation, whether framed as a common-law violation or an alleged deceptive practice under General Business Law § 349; that the complaint fails to allege the elements of breach of contract and breach of the implied covenant of good faith and fair dealing; and that the complaint fails to allege the core elements necessary to support a claim of breach of fiduciary duty.

CPLR 3013 requires that “[statements in a pleading shall be sufficiently particular to give the court and the parties notice of the transactions, occurrences, or series of transactions or occurrences, intended to be proved and the material elements of each cause of action or defense.”

The first cause of action for negligence per se is based upon General Business Law § 899-aa. Said statute provides that any person or business which conducts business in New York State and owns or licenses computerized data which includes certain private information is required to disclose any breach of the security of the system to any resident of New York State “whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.” The statute sets forth the time frame and method of giving such notice. Reviewing said statute in a light most favorable to the plaintiffs, it is clear that there is no private right of action expressly authorized pursuant to the statute. Rather, said statute expressly provides at subdivision (6) that the Attorney General may bring an action for a violation of said statute, and further provides that in such an action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to said article.

In the absence of an express private right of action, plaintiffs can seek civil relief in a plenary action based on a violation of the statute “only if a legislative intent to create such a right of action is fairly implied in the statutory provisions and their legislative history” (Carrier v Salvation Army, 88 NY2d 298, 302 [1996] [internal quotation marks and citations omitted]). This determination is predicated on three factors: “(1) whether the plaintiff is one of the class for whose particular benefit the statute was enacted; (2) whether recognition of a private right of action would promote the legislative purpose; and (3) whether creation of such a right would be consistent with the legislative scheme” (Sheehy v Big Flats Community Day, 73 NY2d 629, 633 [1989]). The Court of Appeals has repeatedly recognized the third as the most important because

“the Legislature has both the right and the authority to select the methods to be used in effectuating its goals, as well as to choose the goals themselves. Thus, regardless of its consistency with the basic legislative goal, a private right of action should not be judicially sanctioned if it is incompatible with the enforcement mechanism chosen by the Legislature or with some other aspect of the over-all statutory scheme” (id. at 634-635 [citation omitted]; see Uhr v East Greenbush Cent. School Dist., 94 NY2d 32 [1999]).

The Court of Appeals, has declined to recognize a private right of action in instances where “[t]he Legislature specifically considered and expressly provided for enforcement mechanisms” in the statute itself (see Mark G. v Sabol, 93 NY2d 710, 720 [1999]; see also Cruz v TD Bank, N.A., 22 NY3d 61, 70-71 [2013]).

Although plaintiffs arguably fall within the first two factors, permitting a private right of action for a violation of General Business Law § 899-aa would not be consistent with legislative scheme. The enforcement of the statutory provisions has been expressly entrusted to the Attorney General. In addition, the legislature, in subdivision (6) (b) stated that “the remedies provided by this section shall be in addition to any other lawful remedy available” and in subdivision (9) stated that “[t]he provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.” This language, thus, militates against any implied private right of action. In view of the fact that no private right of action exists with respect to General Business Law § 899-aa, that branch of the defendants’ motion which seeks to dismiss the plaintiffs’ first cause of action, is granted.

Plaintiffs second cause of action for negligence per se is based upon Public Health Law § 18. Public Health Law § 18 is designed to ensure, as a general rule, that patients have access to their own medical records (see Davidson v State of New York, 3 AD3d 623, 625 [3d Dept 2004]). To the extent that plaintiffs allege that the defendants disclosed their personal and health information to third parties by permitting the theft of the information contained in their database without plaintiffs’ consent, this claim fails to state a cause of action. Plaintiffs do not allege that the defendants were participants in the theft of the subject data. Therefore, the theft of the subject data cannot constitute a disclosure of said information. Furthermore, plaintiffs have not established that a private right of action exists with respect to the claimed disclosure of the patients’ medical records. Notably, subdivision (12) of this statute provides that “[n]o health care provider shall be subjected to civil liability arising solely from granting or providing access to any patient information in accordance with this section.” Therefore, that branch of defendants’ motion which seeks to dismiss the second cause of action is granted.

The third cause of action for negligence per se is based upon General Business Law § 399-dd (4) (sic). Plaintiffs’ third cause of action is actually based upon General Business Law § 399-ddd (4) which institutes safeguards necessary to thwart unauthorized access to Social Security numbers. As the enforcement of the provisions of this statute has been entrusted to the Attorney General (see General Business Law § 399-ddd [7]), no private right of action exists with respect to a violation of General Business Law § 399-ddd (4). Therefore, that branch of the defendants’ motion which seeks to dismiss the third cause of action is granted.

Plaintiffs’ fourth cause of action for negligence per se is based upon HIPAA. As HIPAA and its regulations do not create a private right of action (see Romanello v Intesa Sanpaolo S.p.A., 97 AD3d 449, 455 [1st Dept 2012]; Jurado v Kalache, 29 Misc 3d 1005, 1009 [Sup Ct, Westchester County 2010]; Webb v Smart Document Solutions, LLC, 499 F3d 1078 [9th Cir 2007]; Acara v Banks, 470 F3d 569, 571 [5th Cir 2006]; Cassidy v Nicolo, 2005 WL 3334523, 2005 US Dist LEXIS 34160 [WD NY, Dec. 7, 2005, No. 03-CV-6603-CJS]), that branch of the defendants’ motion which seeks to dismiss the fourth cause of action is granted.

Plaintiffs’ fifth cause of action for negligence per se is based upon title XIII, § 13402, of the American Recovery and Reinvestment Act — Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH, enacted on February 17, 2009, provides for privacy and security of patient health information, and modifies HIPAA by adding new requirements concerning privacy and security for health information. Section 13402, cited in plaintiffs’ complaint, is found in 42 USC § 17932. Although the failure to notify patients of the breach of their protected health information may result in the imposition of penalties by the United States Department of Health and Human Services, neither HITECH nor its governing regulations create a private right of action. Therefore, that branch of the defendants’ motion which seeks to dismiss the fifth cause of action is granted.

The sixth cause of action for a violation of General Business Law § 349 alleges that the defendants “maintained a privacy policy guaranteeing that plaintiffs’ protected health information would not be released to any unauthorized third parties without plaintiffs’ consent,” and that by “failing to safeguard plaintiffs’ protected health information and permitting unauthorized third parties, employees, agents, and/or servants access to plaintiffs’ protected health information for illicit and unlawful purposes, in contravention of its privacy policy and other statutory duties detailed above, defendants engaged in a deceptive and unlawful practice.”

General Business Law § 349 (a) provides that “[deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful.” A private right of action to recover damages for violations of General Business Law § 349 (h) has been provided to “any person who has been injured by reason of any violation of” the statute. Under General Business Law § 349 (h), a prima facie case requires a showing that the defendant engaged in a consumer-oriented act or practice that was “deceptive or misleading in a material way and that [the] plaintiff has been injured by reason thereof” (Goshen v Mutual Life Ins. Co. of N.Y., 98 NY2d 314, 324 [2002], quoting Oswego Laborers’ Local 214 Pension Fund v Marine Midland Bank, 85 NY2d 20, 25 [1995]). Here, despite the broad language contained in the complaint, the statements allegedly made by defendants in the privacy policy and online notices do not constitute an unlimited guaranty that patient information could not be stolen or that computerized data could not be hacked. Defendants’ alleged failure to safeguard plaintiffs’ protected health information and identifying information from theft did not mislead the plaintiffs in any material way and does not constitute a deceptive practice within the meaning of the statute (see Jones v Bank of Am. N.A., 97 AD3d 639 [2d Dept 2012]; see also Ladino v Bank of Am., 52 AD3d 571, 574 [2d Dept 2008]). Therefore, that branch of the defendants’ motion which seeks to dismiss the sixth cause of action for a violation of General Business Law § 349 is granted.

The seventh cause of action is for breach of contract. The essential elements of a cause of action to recover damages for breach of contract are the existence of a contract, the plaintiff’s performance pursuant to the contract, the defendant’s breach of its contractual obligations, and damages resulting from the breach (see El-Nahal v FA Mgt., Inc., 126 AD3d 667, 668 [2d Dept 2015]; Dee v Rakower, 112 AD3d 204, 208-209 [2d Dept 2013]). In addition, a complaint must “plead the provisions of the contract upon which the cause of action is based” (Bello v New England Fin., 3 Misc 3d 1109[A], 2004 NY Slip Op 50520 [U], *6 [Sup Ct, Nassau County 2004], citing Rattenni v Cerreta, 285 AD2d 636 [2d Dept 2001]; see also Matter of Sud v Sud, 211 AD2d 423, 424 [1st Dept 1995]).

Here, plaintiffs allege that they were patients at NSUH, Long Island Jewish Medical Center and other medical facilities, owned or operated by the defendant Health System; that the plaintiffs provided personal information to the defendants; that defendants were contractually obligated to the plaintiffs to protect their private health and personal information; and that defendants breached their contractual obligations by

“permitting or inadequately protecting against the theft of the Face Sheets containing private health and personal information, and by not acting reasonably to notify and protect plaintiffs and the Class immediately after learning of the thefts and then maliciously failing to notify plaintiffs and the Class in order to knowingly further their own economic interests.”

It is alleged that the plaintiffs suffered mentally, physically, financially and emotionally and seek to recover damages, including attorney’s fees.

Plaintiffs’ allegations are insufficient to state a claim against the defendants for breach of contract. Plaintiffs fail to allege that they each had a contractual relationship with each of the named defendants, and fail to allege any specific provision in an agreement that the defendants allegedly breached. To the extent that plaintiffs are relying on a privacy statement, either provided to them at the time they received medical services or posted on a website, plaintiffs do not allege that said privacy statement contained any obligation or promise regarding the theft of personal information by third parties. Therefore, that branch of the defendants’ motion which seeks to dismiss the seventh cause of action for breach of contract is granted.

The eighth cause of action is for breach of fiduciary duty. “The elements of a cause of action to recover damages for breach of fiduciary duty are (1) the existence of a fiduciary relationship, (2) misconduct by the defendant, and (3) damages directly caused by the defendant’s misconduct” (Varveris v Zacharakos, 110 AD3d 1059, 1059 [2d Dept 2013], quoting Rut v Young Adult Inst., Inc., 74 AD3d 776, 777 [2d Dept 2010]; see Faith Assembly v Titledge of N.Y. Abstract, LLC, 106 AD3d 47, 61 [2d Dept 2013]; Armentano v Paraco Gas Corp., 90 AD3d 683, 684 [2d Dept 2011]). A cause of action sounding in breach of fiduciary duty must be pleaded with the particularity required by CPLR 3016 (b).

Here, plaintiffs’ allegations for breach of fiduciary duty are made collectively against all defendants. Under CPLR 3016 (b), a claim for breach of fiduciary must be pleaded with particularity, and the circumstances constituting the alleged wrong must be stated in detail (see Palmetto Partners, L.P. v AJW Qualified Partners, LLC, 83 AD3d 804, 808 [2d Dept 2011]; Chiu v Man Choi Chiu, 71 AD3d 621, 623 [2d Dept 2010]). Plaintiffs’ group pleading falls far short of this mark. Therefore, that branch of defendants’ motion which seeks to dismiss the eighth cause of action for breach of fiduciary duty is granted.

The ninth cause of action is for negligence. “To establish a prima facie case of negligence, a plaintiff must establish the existence of a duty owed by a defendant to the plaintiff, a breach of that duty, and that such breach was a proximate cause of injury to the plaintiff” (Alvino v Lin, 300 AD2d 421, 421 [2d Dept 2002]). Here, plaintiffs allege they gave personal information to the treating facilities in order to receive medical treatment; that these facilities informed the plaintiffs that their personal information would not be disclosed to third parties without their consent; and that an employee or employees of defendants stole their personal information and sold it to third parties who used said information to open fraudulent credit card accounts, make fraudulent purchases, and fraudulently obtain income tax returns. Plaintiffs allege that they sustained emotional distress, mental anguish, and financial damages as a result of said identity theft. Under these circumstances, the court finds that the ninth cause of action sufficiently states a claim for negligence against defendants Health System and NSUH (see Daly v Metropolitan Life Ins. Co., 4 Misc 3d 887 [Sup Ct, NY County 2004]).

With respect to defendants Network and Medical Care, plaintiffs do not allege that they gave any personal or medical information to these entities, and do not specifically allege that these defendants maintained any patient data or were responsible for safeguarding patient data. Plaintiffs’ counsel’s present assertion that defendants Medical Care, Network, and NSUH are all alter egos of Health System, or that they are wholly owned corporate subsidiaries of Health System, is not alleged in the complaint. Therefore, as the complaint does not sufficiently allege any duty owed to the plaintiffs by Medical Care and Network, that branch of the motion which seeks to dismiss the ninth cause of action for negligence is granted as to defendants Network and Medical Care and is denied as to defendants NSUH and Health System.

Plaintiffs, in their tenth cause of action, allege that even if there was no express contractual obligation, defendants owed them a duty of good faith and fair dealing in protecting their personal information from theft. That branch of the defendants’ motion which seeks to dismiss the tenth cause of action for breach of the duty of good faith and fair dealing is granted, as such a claim may not be used as a substitute for a nonviable claim of breach of contract (see StarVest Partners II, L.P v Emportal, Inc., 101 AD3d 610 [1st Dept 2012]; Sheth v New York Life Ins. Co., 273 AD2d 72, 73 [1st Dept 2000]).

In the eleventh cause of action for misrepresentation, plaintiffs allege that the defendants

“knowingly, recklessly or negligently failed to timely disclose the material facts to plaintiffs and the Class that their private financial identity, health [ ] identity and personal information had been stolen, and actively acted to suppress the plaintiffs and the Class from learning of the information thefts, thereby prevented and hindered plaintiffs from taking steps to protect themselves from identity theft or other harm.”

Plaintiffs allege that defendants’ “misrepresentation by allowing the theft of the Face Sheets and unencrypted computer database and then by not acting reasonably to notify the Class immediately was deliberate, intentional and wanton.” Plaintiffs allege that they suffered mentally, physically, financially and emotionally.

“The elements of a cause of action sounding in fraud are a material misrepresentation of an existing fact, made with knowledge of the falsity, an intent to induce reliance thereon, justifiable reliance upon the misrepresentation, and damages” (High Tides, LLC v DeMichele, 88 AD3d 954, 957 [2d Dept 2011], quoting Introna v Huntington Learning Ctrs., Inc., 78 AD3d 896, 898 [2d Dept 2010]; see also Cremosa Food Co., LLC v Amelia, 130 AD3d 559 [2d Dept 2015]). CPLR 3016 (b) requires that the circumstances of the fraud must be “stated in detail,” including specific dates and items (see Moore v Liberty Power Corp., LLC, 72 AD3d 660, 661 [2d Dept 2010]). A cause of action to recover damages for fraudulent concealment requires, in addition to allegations of scienter, reliance, and damages, an allegation that the defendant had a duty to disclose material information and that it failed to do so (see High Tides, LLC v DeMichele, 88 AD3d at 957; Manti’s Transp., Inc. v C.T. Lines, Inc., 68 AD3d 937, 940 [2d Dept 2009]; Barrett v Freifeld, 64 AD3d 736, 738 [2d Dept 2009]).

Here, plaintiffs make their fraud allegations collectively as to all defendants. Such group pleading is impermissible. A fraud claim asserted against multiple defendants must include specific and separate allegations for each defendant (see Ramos v Ramirez, 31 AD3d 294, 295 [1st Dept 2006]; see also Aetna Cas. & Sur. Co. v Merchants Mut. Ins. Co., 84 AD2d 736, 736 [1st Dept 1981]; Shareholder Representative Servs. LLC v Sandoz Inc., 46 Misc 3d 1228[A], 2015 NY Slip Op 50326[U] [Sup Ct, NY County 2015]; CIFG Assur. N. Am., Inc. v Bank of Am., N.A., 41 Misc 3d 1203[A], 2013 NY Slip Op 51565[U] [Sup Ct, NY County 2013]; Excel Realty Advisors, L.P. v SCP Capital, Inc., 2010 NY Slip Op 33447[U] [Sup Ct, Nassau County 2010]). Therefore, defendants’ motion to dismiss the eleventh cause of action is granted.

In view of the foregoing, defendants’ motion is granted to the extent that the first, second, third, fourth, fifth, sixth, seventh, eighth, tenth and eleventh causes of action are dismissed in their entirety as to all defendants. That branch of the defendants’ motion which seeks to dismiss the ninth cause of action for negligence is granted as to defendants Network and Medical Care, and is denied as to defendants NSUH and Health System.  