
    Kamyra Walker et al. on Behalf of Themselves and a Class v. Boston Medical Center Corp. et al.
    Suffolk, Business Litigation Session-
    SUCV20151733BLS1
    Memorandum Dated November 20, 2015
   Leibensperger, Edward P., J.

By letters dated April 23, 2014, or earlier, defendant, Boston Medical Center Corp. (“BMC”), notified plaintiffs and others similarly situated that their patient records from office visits with physicians “were inadvertently made accessible to the public through an independent medical record transcription service’s online site.” The letters noted that the medical records “could potentially be accessed by non-authorized individuals” although BMC had “no reason to believe that this led to the misuse of any patient information.” BMC could not say “how long the information was publicly accessible through the site.”

Plaintiffs commenced this action on June 10, 2015. In their complaint, plaintiffs seek an injunction against further disclosure of their records and damages for the unauthorized exposure of their medical information to the public. They sue BMC, the medical record transcription servicer, MDF Transcription, LLC (“MDF”), and MDF’s manager and owner, Richard J. Fagan. BMC and Fagan now move to dismiss the complaint.

Plaintiffs do not know, at this stage, whether any unauthorized person actually gained access to their medical records. They allege, however, that “what goes on the internet, stays on the internet.” They are fearful that their private information has been or will be disclosed to the public, a risk acknowledged by BMC’s notice to them. They seek the opportunity to take discovery to learn the details regarding the length of time of the data breach, whether their records have been accessed and what steps have been taken to remedy the inadvertent disclosure. Their complaint contains seven counts: Count I, Invasion of Privacy under G.L.c. 214, §1B; Count II, Breach of Confidentiality; Count III, Breach of Fiduciary Duty; Count IV, Negligence; CountV, Negligent Supervision; Count VI, Breach of Implied Contract; and Count VII, Breach of Contract against MDF and Fagan. Plaintiffs claim that the breach by BMC and Fagan caused them injury. They seek an award of damages for that injury. In their breach of contract counts, plaintiffs also seek damages in the amount of a refund of amounts paid to BMC for medical services as a remedy for BMC’s alleged breach.

BMC moves to dismiss pursuant to Mass.R.Civ.P. 12(b)(1) and 12(b)(6). The sum and substance ofBMC’s motion is that the complaint fails to allege any specific injury. In short, without an allegation that their medical records have actually been accessed by an unauthorized person or that their personal information is being utilized by an unauthorized person, plaintiffs lack standing and fail to state a claim.

With respect to BMC’s standing argument, I note the recent decision of the Supreme Judicial Court in Pugsley v. Police Department of Boston, 472 Mass. 367 (2015). There, the Court affirmed a dismissal for lack of standing upon a motion for summary judgment, not a motion to dismiss. Id. at 370. In doing so it articulated that an alleged injury must not be speculative, remote or indirect, but the Court also acknowledged that “real and immediate” risk of injury may be enough for standing. Id. at 371. Where, as here, plaintiffs allege facts that, if true, suggest a real risk of harm from the data breach at BMC, I conclude that the standing question should await a more full record and be decided upon a motion for summary judgment.

With respect to a motion under Mass.R.Civ.P. 12(b)(6), it is required that the complaint set forth “factual ‘allegations plausibly suggesting (not merely consistent with)’ an entitlement to relief ...” Iannacchino v. Ford Motor Co., 451 Mass. 623, 636 (2008), quoting Bell At.l Corp. v. Twombly, 550 U.S. 544, 557 (2007). The court must, however, accept as true the allegations of the complaint and draw every reasonable inference in favor of the plaintiff. Curtis v. Herb Chambers 1-95, Inc., 458 Mass. 674, 676 (2011).

Applying that standard, plaintiffs’ complaint adequately states a cognizable claim for relief. Support for that conclusion starts with drawing a reasonable inference from BMC’s own letter informing plaintiffs of the data breach. From that letter it may be inferred that plaintiffs’ medical records were available to the public on the internet for some period of time and that there is a serious risk of disclosure. It is reasonable to infer the next step—that plaintiffs’ records either were accessed or likely to be accessed by an unauthorized person. Plaintiffs are entitled to discovery to determine what access, if any, has occurred, among other things.

Plaintiffs general allegation of injury from the data breach, inferring, as I do, that there likely was or will be access to plaintiffs’ confidential medical information by unauthorized persons, is sufficient. For example, a claim for an invasion of privacy involving disclosure of confidential medical records may give rise to damages for mental distress, harm to interest in privacy and special or economic harm. Restatement (Second) of Torts §652H (1977). Depending on the identity of a person who accessed the records, there could be financial damages. At the pleading stage, before discovery has determined whether plaintiffs’ records were accessed, more specificity regarding the kind of injury suffered by plaintiffs is not required.

For the reasons stated above, BMC’s motion to dismiss is DENIED. Fagan’s motion to dismiss is also DENIED. 
      
       The letters are referenced in the complaint but not attached. In opposition to defendants’ motion to dismiss, a copy of a letter was submitted by an affidavit of plaintiffs’ counsel. BMC does not dispute the authenticity of the letter.
     
      
       According to the complaint, MDF was involuntarily dissolved in 2013. No responsive pleading has been served by MDF. Fagan appeared pro se by virtue of a letter to the court asking for dismissal. No cognizable grounds for dismissal were stated. Thus, Fagan’s motion to dismiss is DENIED.
     
      
       Ih support of its motion, BMC submits the affidavit of its Chief Compliance Officer (“CCO”). Among other things, the CCO avers that “[t]here is no indication that any unauthorized third party gained access to Plaintiffs’ medical records.” Under the well established standards for ruling on a motion to dismiss, the court disregards the affidavit. Such factual statements are subject to discovery.
     
      
       BMC cites a number of federal cases addressing motions to dismiss for lack of standing in data breach cases. See, e.g., In re Horizon Healthcare Services, Inc. Data Breach Litigation, 2015 WL 1472483 D.N.J. (2015). The Massachusetts standard for recognizing standing appears to be more liberal, allowing standing when there is risk of harm. How “real and immediate” the risk of harm is should be evaluated when the facts surrounding the data breach, including the quantity and nature of access to the records, are presented after discovery. See also, Tabata v. Charleston Area Medical Center, 233 W.Va. 512, 517 (Supreme Ct. of Apps., W.Va. 2014) (standing recognized for claims about data breach even though there was no evidence of unauthorized access).
     