
    John DOE ONE; John Doe Two; John Doe Three, on Behalf of Themselves and All Similarly Situated Individuals; Plaintiffs, v. CAREMARK, L.L.C.; Fiserv, Inc., Fiserv Solutions, LLC; and Defendants Does 1-10, Defendants.
    John Doe, Individually and on Behalf of All Others Similarly Situated, Plaintiff, v. Caremark, LLC, Defendant.
    Case No. 2:18-cv-238 Case No. 2:18-cv-488
    United States District Court, S.D. Ohio, Eastern Division.
    Signed December 21, 2018
    Terry L. Kilgore, Brooklyn, OH, Alan M. Mansfield, Pro Hac Vice, San Diego, CA, Benjamin R. Powell, Pro Hac Vice, Gerald S. Flanagan, Pro Hac Vice, Los Angeles, CA, Edith Marie Kallas, Pro Hac Vice, Whatley Kallas, LLP, Joe R. Whatley, Jr., Pro Hac Vice, New York, NY, Henry C. Quillen, Pro Hac Vice, Whatley Kalls, LLP, Portsmouth, NH, for Plaintiffs.
    Robert G Cohen, Kegler Brown Hill & Ritter-2, Columbus, OH, Donald M. Houser, Pro Hac Vice, Kristine M Brown, Pro Hac Vice, Matthew L.J.D. Dowell, Pro Hac Vice, Alston & Bird, Atlanta, GA, James B Hadden, Geoffrey J Moul, Murray Murphy Moul Basil LLP, Columbus, OH, David M Kroeger, Pro Hac Vice, John H Mathias, Jr., Pro Hac Vice, Jory M. Hoffman, Pro Hac Vice, Megan B. Poetzel, Pro Hac Vice, Jenner & Block LLP, Chicago, IL, for Defendants.
    OPINION AND ORDER
   EDMUND A. SARGUS, JR., CHIEF UNITED STATES DISTRICT JUDGE

In Civil Case No. 2:18-cv-238 ("Case A"), Defendant Caremark, L.L.C. ("Caremark") has filed a motion to dismiss (Caremark MTD, Case A , ECF No. 43), as have Defendants Fiserv, Inc., and Fiserv Solutions, LLC (collectively, "Fiserv") (Fiserve MTD, Case A, ECF No. 44), to which Plaintiffs have filed an opposing brief (Pl. Mem. Opp., Case A, ECF No. 46). Caremark has filed a reply (Caremark Reply, Case A, ECF No. 48), as has Fiserv (Fiserv Reply, Case A, ECF No. 47).

In Civil Case No. 2:18-cv-488 ("Case B"), Defendant Caremark has filed a motion to dismiss (Caremark MTD, Case B, ECF No. 18), and Plaintiff has filed an opposing brief (Pl. Mem. Opp., Case B, ECF No. 30), to which Caremark has filed a reply (Caremark Reply, Case B, ECF No. 34).

For the reasons set forth below, the Court GRANT IN PART AND DENIES IN PART Defendants' Motions to Dismiss.

I.

The basic facts in these related cases are not contested. Plaintiffs are members of a proposed class of approximately 6,000 individuals in Ohio taking HIV-related medications for treatment and prevention of medical conditions related to being HIV-positive. They are clients of the Ohio HIV Drug Assistance Program ("OHDAP"). The OHDAP website states:

The Ohio Department of Health (ODH) administers the Ohio HIV Drug Assistance Program (OHDAP), providing medications to fight HIV and to treat HIV-related conditions. This program must be the payer of last resort. For eligible participants, HIV-related medications are provided free of charge. The medications are obtained through a specialty mail-order pharmacy to ensure confidentiality and to ensure all geographic areas of Ohio have equal access to this service. Verification of monthly income, updated enrollment applications and a physician's report are required at the beginning of each enrollment period.

See http://ohiv.org/care/medication-pavment-assistance/ (last accessed 11/14/2018 ).

The following facts are taken from the Amended Complaint in Case No. 2:18-cv-238, ("Complaint A"):

Caremark, a foreign limited liability company with its principal place of business in either Rhode Island or Illinois, entered into an agreement with the State of Ohio to operate as the pharmacy benefits manager for the OHDAP program. Caremark contracted with Fiserv to mail information to Plaintiffs and approximately 6,000 other patients throughout Ohio in the proposed class. (Complaint A, ECF No. 38, ¶¶ 5-8.)

12. OhDAP was initially established in 1990 under the Ryan White HIV/AIDS Treatment Extension Act, 42 U.S.C. §§ 300ff, et seq. This federal legislation has been renewed four times - 1996, 2000, 2006 and 2009 - and is now called the Ryan White Program within Ohio and nationwide.
13. There are three main components within OhDAP. One component is for direct drug provision for eligible uninsured individuals (i.e., individuals with HIV who are not eligible for Medicaid due to income level or citizenship status). Another component is used to provide premium assistance to eligible individuals (i.e. , ACA, Medicare Part D, private health insurance or the employee copayment or coinsurance portion of employer-based insurance). The last component assists insured individuals with their co-pays for their life-saving HIV-related medications.
14. To participate in OhDAP, an individual must submit an application and certify that he or she is HIV-positive, stating the year of the individual's first positive HIV test. The applicant must also attach "medical verification documents," which "are required to establish that an individual is HIV+ and, thus, eligible for our services." Therefore, for purposes of OhDAP, an individual's HIV-positive status necessarily means that the individual has had an HIV test performed on him or her, the result of that HIV test was positive, and provided Personal Health Information ("PHI") to a third party reflecting those results.
15. In February 2017, ODH issued a request for proposals for the purchase of pharmacy benefit management services for OhDAP. The first criterion for evaluating services to be provided under the contract was "Pharmacy Services," the first of which was the development of a pharmacy distribution network. CVS, which submitted a proposal to promote, market and sell its services to ODH, proposed to create this network through its own retail and mail-order pharmacies, through which it has provided medications under contracts with OhDAP since 2000. In the cover letter for its bid, CVS stated, "All of the information contained in this proposal references the capabilities of, and services available from Caremark, L.L.C. ('CVS Caremark')." CVS also stated that it is a health care provider: after stating that it was using the terms "CVS Health" and "CVS Caremark" interchangeably, CVS stated, "As a Fortune 10 company, CVS Health is the largest pharmacy health care provider in the United States with integrated offerings across the entire spectrum of pharmacy care." In another part of its bid, CVS also stated, "We understand that offering open access to pharmacy services and honoring consumer preferences (retail, mail delivery, or personal consultation with a CVS pharmacist) sets us apart from other health care providers." CVS also repeatedly described its delivery of healthcare services under the heading "Pharmacy Distribution Network." For example, CVS stated, "Our therapy-specific CareTeam outreach, provided by expert specialty pharmacy clinicians with up-to-date knowledge of evidence based protocols, helps improve member adherence by educating them on taking medications correctly, reviewing proper medication storage and handling, and troubleshooting medication side effects.... Additionally, our national nursing model delivers specialty nursing services, education, and drug administration to our members who receive infusion and injection medications ...."
16. CVS's bid, which was made in connection with the marketing, promotion, offering for sale and sale of such services, also represented that it understood state and federal laws concerning the privacy of personal information and thus the extent to which it maintains and protects the privacy, confidentiality and integrity of personal information collected from or about consumers: "We are in compliance with federal and state laws and regulations that are applicable to the services to be provided by CVS Health under the Contract."
17. In March 2017, ODH awarded an exclusive contract to CVS, effective July 2017. Through this contract and others, CVS is responsible not only for managing OhDAP's pharmacy benefits, but also providing medications to OhDAP participants.
18. Beginning in approximately late July or early August 2017, Defendants mailed a letter containing membership cards and information marketing and promoting the CVS program and how persons would access their HIV-related prescriptions. This letter was mailed to an estimated 6,000 participants in OhDAP, regardless of whether they were active pharmacy customers of CVS, and thus marketed and promoted the use not only of CVS's pharmacy benefit management services, but also of its health care delivery services. The letter advised OhDAP participants that they could obtain their HIV medications in one of two ways, both provided exclusively by CVS-affiliated entities: from one of CVS's 320 retail pharmacies in Ohio (as well as 59 pharmacies located in Target stores), or through CVS's specialty mail-order pharmacy. Such services were thus offered from CVS as a singular health care entity, since otherwise Caremark LLC would have been prohibited by law from sharing the PHI it possessed and was provided to it by the ODH with these other CVS entities.
19. Even though the information contained in this letter contained the PHI of each individual, specifically information relating to their HIV-positive status, the envelopes containing these mailings had two clear glassine windows. One, in the upper left, contained the logo of "CVS/caremark," the words "Ohio Department of Health," and an address for ODH. A second window contained the recipient's name and address, with the designation "PM 6402 HIV" directly above the person's name. This reference to the recipient's HIV status was plainly visible through the glassine window. The designation "HIV" in the program identification number was not required by ODH, but rather was created by CVS. The envelope referred in big red letters to "new prescription benefits," thereby revealing that the mailing from CVS involved health-related information, including information about prescription medications. The envelope also stated that it was sent from St. Louis, Missouri, with Postal Permit No. 1977. Fiserv is the owner of this permit. Defendants clearly made no advance effort to test or review the disclosure of such information prior to disseminating the mailing, since had they done so they would have seen that the identification number with "HIV" next to it was prominently visible through the envelope....
20. The Defendants' combined use of a glassine windowed envelope, their design of the letter containing the HIV status of the individual recipient in identification code that was not required by law, and placing that code directly above the consumers' name and address such that no matter what size glassine envelope that was used this PHI could be seen through the envelope window, instead of using a different code, an opaque envelope or a letter that was properly spaced not to publicly reveal such information through the envelope window and an identification reference with the term "HIV," resulted in the actual disclosure of recipients' HIV status to the United States Postal Service, which was not privileged to receive this information under Ohio law or federal law, and potential disclosure to numerous individuals, including their families, friends, roommates, landlords, neighbors, and complete strangers. A reasonable person seeing this envelope with the letter in it, or even seeing a mock-up of the letter with the code directly above the name, or creating the identification code in the first place, would conclude that the recipient was HIV-positive. That conclusion would be correct in every instance, as this mailing was sent only to HIV-positive individuals, apparently from ODH.
21. The use of envelopes with transparent glassine windows contravenes the standard practice of ODH, which is to send all mailings relating to HIV-related issues in opaque, nonwindowed envelopes. Thus, Defendants must not have cleared the form of this mailing, or they did so with the knowledge of that Department in contravention of such practices.
22. Defendants must have known, or either knew or reasonably should have known, that this mailing was disseminated in violation of both federal and state laws. While CVS refers in connection with its privacy practices to different entities as "CVS Health" as a collective health care entity, without defining precisely what entity they are referring to, CVS has publicly represented it has systems in place to protect the privacy of sensitive health information. For example, in its Vendor Code of Conduct entitled "Conducting Business With CVS Health" (which would apply to its relationship with Fiserv), CVS claims on page 3 "It is critical that CVS Health and our vendors/suppliers, who also access, use and store this information, handle it only as needed and in accordance with our Privacy and Information Security Policies and Procedures as required under our agreement with our vendors/suppliers, including our Information Privacy and Security Requirements and Business Associate Agreements. It is critical that our vendors/suppliers have in place reasonable and appropriate administrative, technical and physical safeguards to protect this information from improper or unauthorized access or use." In addition, CVS requires in this same Code of Conduct that its vendors and suppliers are expected "to abide by applicable laws and regulations, including applicable Federal health care program requirements, in the states and countries in which they conduct business" - in this case, the Ohio state laws here at issue. In addition, as noted above CVS requires all vendors to comply with CVS' Data Privacy and Security Requirement Agreements, its information Privacy and Security Requirements, and its Privacy and Information Security Policies. This Code of Conduct was executed by Neal Baker as the Chief Privacy Officer of "CVS Health" - the same person who responded to Plaintiffs' request for a response as to this particular privacy breach as set forth herein. Yet under no set of agreements, Codes, business associate agreements, policies or procedures would it be permissible to disclose for public viewing the HIV status of a particular person, in violation of Ohio law.

(Compl. A, ECF No. 38, ¶¶ 12-22.)

Additionally, the Amended Complaint in Case No. 2:18-cv-488 ("Complaint B") alleges that:

17. The state of Ohio, where Plaintiff resides and where Caremark has substantial operations, provides a right of privacy that encompasses unconsented medical information disclosures. "[I]t is for the patient-not some medical practitioner, lawyer, or court-to determine what the patient's interests are with regard to personal confidential medical information." Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 408, 715 N.E.2d 518, 528 (Ohio 1999) ; see also Hageman v. Southwest Gen. Health Ctr., 119 Ohio St.3d 185, 188-89, 893 N.E.2d 153, 156 (Ohio 2008) (applying the rule of Biddle to disclosures made by parties other than physicians or hospitals).
18. Ohio also has enacted protections specifically for HIV patients (and those at risk) in order to encourage testing and treatment. See Rev. Code 3701.243(A) ("no person or agency of state or local government that acquires the information while providing any health care service or while in the employ of a health care facility or health care provider shall disclose or compel another to disclose any of the following ... (3) The identity of any individual diagnosed as having AIDS or an AIDS-related condition."); see also Rev. Code 3701.244(B) ("A person or an agency of state or local government that knowingly violates ... division (A) of section 3701.243... may be found liable in a civil action; the action may be brought by any individual injured by the violation.")

(Compl. B, ECF No. 15, ¶¶ 17-18.)

Defendants assert that Plaintiffs' claims in both cases must be dismissed for several reasons, including an assertion that Plaintiffs in both cases have not alleged sufficiently that there was an actual disclosure of Plaintiffs' personal medical information related to their HIV status, because they do not name specific individuals who actually saw the information. (Case A: Caremark MTD, ECF No. 43, p.1; Fiserv MTD, ECF No. 44, p. 1); Case B, Caremark MTD, ECF No. 18, p. 4.) Plaintiffs in both cases have alleged that, at a minimum, this protected information was actually disclosed to Fiserv employees who participated in preparing envelopes for mailing, which included the mailing of health information and pharmacy cards, and to U.S. Postal Service employees who delivered the letters, and others, inasmuch as these letters clearly stated "Personal and confidential - please open right away" and "Your new prescription benefits have arrived" directly above a code that said "HIV" above the recipient's name, and the sender was also clearly designated as "CVS/caremark," in large, bold letters, situated above "Ohio Department of Health" and its address.

II.

Federal Rule of Civil Procedure 12(b)(6) authorizes dismissal of a complaint for "failure to state a claim upon which relief can be granted." To survive a motion to dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6), a complaint must contain sufficient factual matter, accepted as true, to "state a claim for relief that is plausible on its face." Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ;

Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (clarifying the plausibility standard articulated in Twombly ). "A claim has facial plausibility when the plaintiff pleas factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. The factual allegations of a pleading "must be enough to raise a right to relief above the speculative level...." Twombly, 550 U.S. at 555, 127 S.Ct. 1955. "All of the well-pleaded allegations of the complaint must be treated as true, though we need not accept Plaintiff's legal conclusions or draw unwarranted factual inferences." Thomas v. Publishers Clearing House, Inc., 29 F.App'x 319, 322 (6th Cir. 2002). The Court "need not, however, accept conclusory allegations or conclusions of law dressed up as facts." Erie Cnty., Ohio v. Morton Salt, Inc., 702 F.3d 860, 867 (6th Cir. 2012).

In ruling on a motion to dismiss, the court may consider written instruments that are exhibits to a pleading, as those are considered part of the pleading for all purposes. Campbell v. Nationstar Mortg., 611 Fed. App'x 288, 291-92 (6th Cir. 2015) (citing Fed.R.Civ.P. 10(c) ). A court may also consider "documents incorporated into the complaint by reference, and matters of which a court may take judicial notice." Id. (citing Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007) ). At the motion to dismiss stage, the court is not concerned with a challenge to a plaintiff's factual allegations. Golden v. City of Columbus, 404 F.3d 950, 958-59 (6th Cir. 2005). Rather, the court looks to whether the complaint states a claim upon which relief can be granted. Id.

III.

In Complaint A, Plaintiffs bring five claims: Count 1, unauthorized, unprivileged disclosure to a third-party of nonpublic medical information (" Biddle claim"); Count 2, violation of Ohio Rev. Code § 3701.243 ; Count 3, breach of confidentiality (pled in the alternative to Count 1); Count 4, breach of fiduciary duty (pled in the alternative to Count 1); and Count 5, negligence (pled in the alternative to Count 1). (Compl. A, ECF No. 38.) Plaintiffs also seek declaratory judgment. (Id. , ¶ 30.)

In Complaint B, Plaintiffs bring ten claims: Count 1, willful violation of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. §§ 1681 - 1681x ; Count 2, negligent violation of FCRA; Count 3, violation of Ohio Rev. Code § 3701.243 ; Count 4, violation of Ohio Insurance Information and Privacy Protection Act, Ohio Rev. Code § 3904.01, et seq. ; Count 5, negligence; Count 6, negligence per se ; Count 7, breach of contract; Count 8, invasion of privacy; Count 9, intentional infliction of emotional distress; [Count 10 (unjust enrichment - dismissal consented to by Plaintiffs) ]; and Count 11, declaratory judgment. The Complaint also describes a claim for relief under Biddle .

A. The Biddle Claim

In construing questions of state law, this Court must apply state law in accordance with the controlling decisions of the highest court of the state. Erie R.R. Co. v. Tompkins, 304 U.S. 64, 58 S.Ct. 817, 82 L.Ed. 1188 (1938). If the state's highest court has not addressed the issue, the Court must attempt to ascertain how that court would rule if it were faced with the issue. The Court may use the decisional law of the state's lower courts, other Federal Courts construing state law, restatements of law, law review commentaries, and other jurisdictions of the "majority" rule in making this determination. Yoder v. Ingersoll-Rand Co., 31 F.Supp.2d 565, 570 (N.D. Ohio 1997), citing Grantham & Mann v. American Safety Prods., 831 F.2d 596, 608 (6th Cir. 1987).

In Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 400, 715 N.E.2d 518 (1999), the Supreme Court of Ohio recognized that an independent tort exists for unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital learned within a physician-patient relationship. In doing so, the Supreme Court of Ohio quoted a long-standing decision from the Supreme Court of Washington:

If the facts set forth in the complaint entitle appellant to relief, it is wholly immaterial by what name the action is called. Neither is it necessary to pursue at length the inquiry of whether a cause of action lies in favor of a patient against a physician for wrongfully divulging confidential communications. For purposes of what we shall say it will be assumed that, for so palpable a wrong, the law provides a remedy. Smith v. Driscoll (1917), 94 Wash. 441, 442, 162 P. 572.
Since then, courts in Ohio and elsewhere have faced common metamorphic disturbances in attempting to provide a legal identity for an actionable breach of patient confidentiality.

Id. at 400.

In creating the tort, the Supreme Court of Ohio considered that, "[i]n their efforts to devise a civil remedy 'for so palpable a wrong,' many of these courts have endeavored to fit a breach of confidence into a number of traditional or accepted legal theories. In much the same way as trying to fit a round peg into a square hole." Biddle, 86 Ohio St.3d at 400, 715 N.E.2d 518. The Biddle Court noted that courts have used theories of "invasion of privacy, defamation, implied breach of contract, intentional and negligent infliction of emotional distress, implied private statutory cause of action, breach of trust, detrimental reliance, negligence, and medical malpractice." Id. The Biddle Court then cited to numerous courts that have adopted the breach of confidence tort as an independent tort in their respective jurisdictions. Broadly, the Biddle Court stated:

We hold that in the absence of prior authorization, a physician or hospital is privileged to disclose otherwise confidential medical information in those special situations where disclosure is made in accordance with a statutory mandate or common-law duty, or where disclosure is necessary to protect or further a countervailing interest which outweighs the patient's interest in confidentiality.

Id., at 402.

In a later case, the Supreme Court of Ohio discussed the "basic policy of confidentiality" described in Biddle, and stated "[a]fter surveying cases in Ohio and beyond, we recognized [in Biddle ] that the breach of patient confidentiality is a palpable wrong." Hageman v. Southwest Gen. Health Ctr., 119 Ohio St.3d 185, 188, 893 N.E.2d 153 (2008). "If the right to confidentiality is to mean anything, an individual must be able to direct the disclosure of his or her private information." Id., at p. 189, 893 N.E.2d 153.

Notwithstanding that the specific causes of action recognized in Biddle apply imperfectly to the facts in this case, we conclude that the rationale for our decision there applies here. Biddle stressed the importance of upholding an individual's right to medical confidentiality beyond just the facts of that case. "[I]t is for the patient - not some medical practitioner, lawyer, or court - to determine what the patient's interests are with regard to personal, confidential medical information." Biddle, 86 Ohio St.3d at 408, 715 N.E.2d 518. As the Supreme Court of California has observed in discussing the related concept of a right to privacy, such a right "is not so much one of total secrecy as it is of the right to define one's circle of intimacy - to choose who shall see beneath the quotidian mask." Hill v. Nat'l Collegiate Athletic Assn. (1994), 7 Cal.4th 1, 25, 26 Cal.Rptr.2d 834, 865 P.2d 633 [additional citations omitted].

Id., at 188-89, 893 N.E.2d 153.

Defendants offer three primary arguments to attempt to defeat Plaintiffs' Biddle claim: 1) Defendants are not a hospital or physician, and Biddle is limited in application to hospitals and physicians; 2) there is no evidence of actual disclosure to a third party; and 3) the "alphanumeric code" ending in HIV is "not medical information." (Caremark MTD, Case A, ECF No. 43, p. 1; Case B, ECF No. 18, p. 1.) Defendants' second and third arguments are also asserted against Plaintiffs' claim under Ohio Rev. Code § 3701.243. For the following reasons, the Court is not persuaded.

1. Biddle is not limited in application to a hospital or physician

Defendants' first argument falls short. The Ohio Supreme Court has held that it did not limit the application of a Biddle claim to the physician-hospital scenario. For example, in the Hageman case, supra, the Ohio Supreme Court held that "[a]n attorney may be liable to an opposing party for the unauthorized disclosure of that party's medical information that was obtained through litigation." Hageman, 119 Ohio St.3d 185, 188, 893 N.E.2d 153, 154 (2008) (syllabus). As Plaintiffs correctly assert, "[i]n several other cases, Ohio courts have held or assumed that a defendant other than a physician or hospital could be liable under Biddle, including a pharmacist." DelleCurti v. Walgreen Co., 2016-Ohio-4741, 70 N.E.3d 111, 115 (Ohio Ct. App., 11th Dist.) (pharmacist). (Pl. Mem. Opp., Case A, ECF No. 46, p. 7.)

2. Actual disclosure to a third party.

Defendants' second argument also falls short. Defendants assert that all of the claims, including the Biddle claim and the Ohio Rev. Code § 3701.243 claim, fail because Plaintiffs have not alleged "actual disclosure" of their confidential "HIV-positive status." (See Fiserve MTD, Case A, ECF No. 44, p. 6.) The dictionary defines "disclose" as "to make known or reveal to another or to the public." https://www.merriam-webster.com/dictionary/disclose (last visited 11/26/2018 ). At the outset, Plaintiffs assert that, inasmuch as they did not know Caremark had their information (the purpose of the mailing was to announce Caremark's participation in the OHDAP program) it is axiomatic that Plaintiffs did not, and could not have consented to Caremark's disclosure of their nonpublic medical information. (Pl. Mem. Opp., Case B, ECF No. 30, p. 8.) Thus, Plaintiffs assert that any disclosure of their confidential medical information is not an authorized disclosure. The Ohio Supreme Court made it clear that for purposes of the breach of medical confidentiality tort, the focus is on the patient's wishes, as "it is for the patient - not some medical practitioner, lawyer, or court - to determine what the patient's interests are with regard to personal, confidential medical information." Biddle, 86 Ohio St.3d at 408, 715 N.E.2d 518.

Defendants cite to Yoder v. Ingersoll-Rand Co., 31 F.Supp.2d 565, 570 (N.D. Ohio 1997), for the proposition that Plaintiffs must plead an "actual disclosure," asserting that the court "concluded that plaintiff's HIV/AIDS status was not 'actually communicated' to persons who passed along a form including that information, but did not read it." (Fiserv MTD, Case A, ECF No. 44, p. 7.) However, the Yoder decision, decided before the Ohio Supreme Court's decision in Biddle, is distinguishable for several reasons. In Yoder, the court determined that a breach of privacy tort could not be proven under the "publicity" theory of the tort of invasion of privacy under Ohio law, because the disclosure in that case could not be proven to have been made intentionally. The Court relied on key facts developed in the record on summary judgment: "nothing on the outside of the envelope received in the Aro mail room indicated that it contained a confidential medical record," and "the disclosure would not have occurred without Plaintiff's mother's intervening act of opening and reading the medical records without authorization from the Defendant." Yoder, 31 F.Supp.2d at 570-71. This differs from the posture of the case at bar, where the complaints allege that the exterior of the envelope clearly states "Personal and confidential - please open right away" and "Your new prescription benefits have arrived" directly above a code that says "HIV" above the recipient's name.

The state court cases upon which Defendants rely are also distinguishable. Defendants contend that, in Ackerman v. Medical College of Ohio Hosp., 113 Ohio App.3d 422, 426, 680 N.E.2d 1309, 1312, (Ohio Ct. App., 10th Dist, 1996), "the Ohio Court of Appeals held that a plaintiff could only recover under R.C. § 3701.243 if the covered information was, in fact, disclosed (or revealed) to a third person." (Caremark MTD, Case A, ECF No. 43, p. 5; Case B, ECF No. 18, p. 4.) In that case, the Ohio Court of Appeals declined to overturn the Court of Claim's credibility determinations, and held that a state agency such as the Medical College of Ohio (MCO) "is liable only for a knowing violation of R.C. 3701.243(A) and an agency such as MCO may act only through its employees." Id., at p. 426, 680 N.E.2d 1309. Regarding the issue of whether defendant's employee had made the alleged unauthorized disclosure of the decedent's HIV-positive condition, the trial court had found the evidence to be in equipoise, and therefore, that Plaintiff had failed to carry her burden of proof. The trial court made its decision after weighing the evidence and making credibility determinations - not on a motion to dismiss; and the issue was not "actual" disclosure, but whether there was any disclosure at all. Ackerman, 113 Ohio App.3d at 426, 680 N.E.2d 1309 ("appellant had failed to present sufficient evidence that an employee of MCO disclosed Jeff's HIV positive diagnosis").

Defendants also cite Ohio v. Gonzalez, 154 Ohio App.3d 9, 2003-Ohio-4421, 796 N.E.2d 12, 21 (1st Dist.), asserting that disclosure occurs when a person "hears and comprehends the information." (Caremark MTD, Case A, ECF No. 43, p. 5; Case B, ECF No. 18, p. 4) (emphasis supplied ). However, Gonzalez involved a criminal statute, Ohio Rev. Code § 2903.11(B)(1), which makes it a felonious assault for a person to engage in sexual conduct with another without affirmatively disclosing his or her HIV-positive status. In discussing the definition of "disclose," the Ohio Court of Appeals stated:

A person of common intelligence would know that to "disclose" is to reveal or make known - and that the statute requires a person who has knowledge that he is HIV-positive to tell his sexual partner that he (or she) is HIV-positive before engaging in sexual conduct with that partner.

Id. In that case, the HIV-positive individual faced criminal liability for failing to affirmatively inform his sexual partner of his medical condition. This is the polar opposite of the intention of the Biddle decision, which protects the privacy of an individual's confidential medical information, and the statutory provisions of Ohio Rev. Code § 3701.243, which protect an individual from disclosure of his or her confidential medical information concerning an HIV/AIDS condition. However, in each instance, the Ohio Court of Appeals made clear that the word "disclose" is given its ordinary meaning in the particular context.

Defendants also rely on Scott v. Ohio Dept. of Rehabilitation & Correction , 999 N.E.2d 231, 240 (Ohio Ct. App. (10th Dist.) 2013), where the Ohio Court of Appeals found that, in considering a matter of first impression, "under the circumstances outlined in the facts" on summary judgment, "supervised inmate access to trash containing unshredded medical documents does not constitute 'disclosure' for purposes of the tort of unauthorized disclosure of medical information as defined by Biddle ." The Court of Appeals noted that, "[w]ithout precluding that an inadvertent disclosure might, under different facts, fulfill the elements of Biddle, the present case does not."

In the case sub judice, Plaintiffs' claims sufficiently allege that Defendants made known Plaintiffs' confidential medical information regarding their HIV/AIDS condition without consent or proper authorization.

3. The "alphanumeric code" ending in HIV

Finally, the assertion that the "alphanumeric code" ending in "HIV" is not medical information is not well-taken. Plaintiffs allege that the only purpose for the mailing by Fiserv was to provide for Plaintiffs' medical needs under the contract that Caremark received to enable OHDAP to provide for Plaintiffs' HIV needs. At no point did Plaintiffs agree that any contractor could reveal the purposes of the mailing. (Compl. A, ECF No. 38, ¶¶ 46-47.) Plaintiffs assert that any reasonable person would quickly determine that this envelope was addressed to a person receiving medical assistance for an HIV condition. (Id. , ¶ 20.)

4. Conclusion Biddle claim

Accepting as true Plaintiffs' factual allegations, they have stated a Biddle breach of medical confidentiality claim that is plausible on its face. Because a Biddle claim is properly presented, the Court will address only Count I and II of Complaint A. Counts 3, 4, and 5, pled in the alternative to a Biddle claim in Complaint A (Case No. 2:18-cv-238, ECF No. 38) are dismissed. For Complaint B (Case No. 2:18-cv-488, ECF No. 15), inasmuch as a Biddle claim is intended to encompass other common law causes of action brought in an attempt to remedy the unpermitted disclosure of private medical information, Plaintiffs common law claims 5, 6, 7, 8, and 9 are dismissed.

B. Ohio Revised Code Section 3701.243

Plaintiffs also bring a claim under Ohio Rev. Code § 3701.243 (Compl. A, ECF No. 38, Claim II, ¶¶ 42-49; Compl. B, ECF No. 15, Claim III, ¶¶ 65-71.) Section 3701.243 of the Ohio Revised Code is titled "Disclosing of HIV test results or diagnosis." It states, in pertinent part:

(A) Except as provided in this section or section 3701.248 of the Revised Code, no person or agency of state or local government that acquires the information while providing any health care service or while in the employ of a health care facility or health care provider shall disclose or compel another to disclose any of the following:
(1) The identity of any individual on whom an HIV test is performed;
(2) The results of an HIV test in a form that identifies the individual tested;
(3) The identity of any individual diagnosed as having AIDS or an AIDS-related condition.
....
(D) The results of an HIV test or the identity of an individual on whom an HIV test is performed or who is diagnosed as having AIDS or an AIDS-related condition may be disclosed to a federal, state, or local government agency, or the official representative of such an agency, for purposes of the medicaid program, the medicare program, or any other public assistance program.
(E) Any disclosure pursuant to this section shall be in writing and accompanied by a written statement that includes the following or substantially similar language: "This information has been disclosed to you from confidential records protected from disclosure by state law. You shall make no further disclosure of this information without the specific, written, and informed release of the individual to whom it pertains, or as otherwise permitted by state law. A general authorization for the release of medical or other information is not sufficient for the purpose of the release of HIV test results or diagnoses.["]

Ohio Rev. Code § 3701.243(A) 1-3, (D),(E).

Defendant Fiserv moves to dismiss this statutory claim by arguing for a strained reading of the statute, asserting that:

[t]aken together, these provisions indicate that the Ohio statute prohibits unauthorized third-party disclosure that a person has "AIDS" or an "AIDS-related condition," but does not prohibit disclosure that a person is HIV positive or, as Plaintiffs allege, a person's "HIV status." Instead, in the specific context of "HIV," the Ohio statute prohibits only the unauthorized third-party disclosure of "[t]he identity of any individual on whom an HIV test is performed" or "[t]he results of an HIV test in a form that identifies the individual tested." The portion of alphanumeric code "PM 6402 HIV" does neither.

(Fiserve MTD, Case A, ECF No. 44, p. 13.) Similarly, in Case B, Defendant Caremark parses the AIDS/HIV line too thin in this assertion:

"Plaintiff does not allege that the mailing disclosed the identity of anyone diagnosed with AIDS. Nor does Plaintiff allege that the mailing disclosed the identity of anyone as having an "AIDS-related condition," which is narrowly defined by statute to only include "symptoms of illness related to HIV infection, including AIDS-related complex, that are confirmed by a positive HIV test" R.C. § 3701.24(A)(3). There are no allegations in the Complaint at all regarding any "symptoms." Indeed, the provision of the statute that Plaintiff alleges Caremark violated is also inapplicable because the alphanumeric code does not actually reveal the "identity" of anyone. In short, Plaintiff has not alleged the disclosure of any information protected by R.C. § 3701.24(A)(3).

(Caremark MTD, Case B, ECF No. 18, p. 18.)

Plaintiffs assert that Defendants' argument that "Plaintiff has not alleged the disclosure of any information protected by R.C. § 3701.24(A)(3)" ignores other subsections in Ohio Rev. Code § 3701.24(A). Section 3701.24 is titled "Report as to contagious or infectious diseases AIDS and HIV," and it provides the following:

(A) As used in this section and sections 3701.241 to 3701.249 of the Revised Code :
(1) "AIDS" means the illness designated as acquired immunodeficiency Syndrome.
(2) "HIV" means the human immunodeficiency virus identified as the causative agent of AIDS.
(3) "AIDS-related condition" means symptoms of illness related to HIV infection, including AIDS-related complex, that are confirmed by a positive HIV test.
(4) "HIV test" means any test for the antibody or antigen to HIV that has been approved by the director of health under division (B) of section 3701.241 of the Revised Code.

Plaintiffs contend that revealing an individual's HIV infection discloses an AIDS-related condition. (Pl. Mem. Op, Case B, ECF No. 30, p. 19.) In any event, Plaintiffs have alleged that they were participants in OHDAP based on their need for HIV-related medications, and "[accordingly, Caremark unlawfully disclosed Plaintiff's AIDS-related condition, namely his HIV infection, in violation of the statute." (Pl. Mem. Op., Case B, ECF No. 30, p. 19.)

Defendant Caremark claims that it "helps provide health care 'benefits,' not health care 'services,' and therefore falls outside the scope of R.C. § 3701.243." (Caremark MTD, Case A, ECF No. 43, p. 13.) However, Plaintiffs allege that "[t]he disclosed information was obtained while running a state-run program, and providing a health care service, namely Caremark's provision of pharmacy benefits management and pharmacy services to OhDAP and obtaining a contract for the sale of such services from ODH." (Compl., Case A, ECF No. 38, ¶ 53.) Plaintiffs allege that Caremark's bid, submitted to the Ohio Department of Health, "refers to Caremark as a 'health care provider'... and lists the 'pharmacy services' it will provide, including 'personal consultation with a CVS pharmacist.' " (Id., ¶ 15; Pl. Mem. Op., Case A, ECF No. 46, p. 13.) The Court finds that Plaintiffs have sufficiently pleaded a violation of the Ohio Rev. Code § 3701.243.

C. Declaratory Relief

In both Complaints, Plaintiffs seek declaratory relief. Declaratory relief is governed by 28 U.S.C. § 2201, which provides in pertinent part:

(a) In a case of actual controversy within its jurisdiction... any court of the United States, upon the filing of an appropriate pleading, may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought. Any such declaration shall have the force and effect of a final judgment or decree and shall be reviewable as such.

28 U.S.C. 2201(a).

Complaint A states that "(a) relief is necessary to inform the parties of their rights and obligations under the laws at issue herein; (b) damages may not adequately compensate them for the injuries suffered, nor may other claims permit such relief; (c) the relief sought herein in terms of correcting such practices and precluding further use of glassine envelopes may not be fully accomplished by awarding damages; and (d) if the conduct complained of is not corrected, harm may continue to result to members of the general public." (Compl., Case A, ECF No. 38, ¶ 30.) Likewise, Complaint B seeks declaratory judgment under 28 U.S.C. § 2201 in order "(1) that the rights of the Plaintiff and the Classes may be determined with certainty for purposes of resolving this action; and (2) so that the Parties will have an understanding of Defendant's obligations in the future given its continuing legal obligations and ongoing relationships with Plaintiff and Class Members." (Compl., Case B , ECF No. 15, ¶ 107.) Specifically, Plaintiffs seeks "a judicial determination of whether Defendant has performed, and [is] performing, the medical privacy practices and obligations necessary to protect and safeguard Plaintiff's and Class members' PH and PHI from further unauthorized access, use, disclosure, or insecure disposal." (Id., ¶ 106.)

Defendants maintain that this claim should be dismissed "because declaratory judgments are 'prospective in nature.' " CMR D.N. Corp. v. City of Phila., 703 F.3d 612, 628 (3d Cir. 2013). "In the context of a declaratory judgment action, allegations of past injury alone are not sufficient to confer standing. The plaintiff must allege and/or 'demonstrate actual present harm or a significant possibility of future harm.' " (Caremark MTD, Case B, ECF No. 18, p. 24) (citing Fieger v. Ferry, 471 F.3d 637, 643 (6th Cir. 2006), quoting Peoples Rights Org., Inc. v. City of Columbus, 152 F.3d 522, 527 (6th Cir. 1998) ).

The Sixth Circuit has explained that a declaratory judgment generally is sought before a completed injury-in-fact has occurred. Nat'l Rifle Assoc. of America v. Magaw, 132 F.3d 272, 279 (6th Cir. 1997) ; Pic-A-State Pa. Inc. v. Reno , 76 F.3d 1294, 1298 (3d Cir.), cert. denied, 517 U.S. 1246, 116 S.Ct. 2504, 135 L.Ed.2d 194 (1996). When seeking declaratory or injunctive relief, the plaintiff must demonstrate actual present harm or a significant possibility of future harm to justify pre-enforcement relief. Magaw, 132 F.3d at 279 ; Bras v. California Pub. Utilities Comm'n, 59 F.3d 869, 873 (9th Cir.1995), cert. denied, 516 U.S. 1084, 116 S.Ct. 800, 133 L.Ed.2d 748 (1996).

Plaintiffs assert that "[t]he Parties have an ongoing dispute about whether Caremark is maintaining proper medical privacy protocols under state and federal law and its contract with the state of Ohio, thereby entitling them to plead a claim and seek declaratory relief." (Pl. Mem. Op., Case B, ECF No. 30, p. 28.) "Plaintiff's claim thus requests precisely the type of relief that the Declaratory Judgment Act is supposed to provide: a declaration that will prevent future harm from ongoing and future violations before the harm occurs." (Id., citing In re Adobe Sys., Inc. Privacy Litig. , 66 F.Supp.3d 1197, 1222 (N.D. Cal. 2014) ).

The Court concludes that Plaintiffs' allegations satisfy the statutory jurisdictional requirements for obtaining declaratory relief. Defendants are therefore not entitled to dismissal of Plaintiffs' claim for declaratory relief.

IV.

Complaint B alleges several additional claims that are not alleged in Complaint A: Count 1 (willful violation of the Fair Credit Reporting Act ("FCRA"), in violation of 15 U.S.C. §§ 1681 - 1681x ), Count 2 (negligent violation of the FCRA), Count 4 (violation of Ohio Insurance Information and Privacy Protection Act, Ohio Rev. Code § 3904.01, et seq. ) and Count 11 (declaratory relief under 28 U.S.C. § 2201 ).

A. Fair Credit Reporting Act

Plaintiffs allege that "[o]ne of the fundamental purposes of the FCRA is to protect consumers' privacy. 15 U.S.C. § 1681(a). Protecting consumers' privacy involves adopting reasonable procedures to keep sensitive information confidential. 15 U.S.C. § 1681(b)." (Compl. B, ECF No. 15, ¶ 45.) Plaintiffs further allege that "Plaintiff's and Class Members' PII [personally identifiable information] and PHI [protected health information] constitute consumer reports under FCRA, because the information bears on, among other things, their credit worthiness, credit capacity, character, general reputation, personal characteristics, physical and mental conditions, and mode of living, and is used or collected, in whole or in part, for the purpose of establishing Plaintiff's and other Class Members' eligibility for insurance to be used primarily for personal, family, or household purposes, and establishing rates for same." (Id., ¶ 49.) Ultimately, Plaintiffs seek to link his claim to FCRA's provision that "[u]nder FCRA, a 'person that receives medication information shall not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. 15 U.S.C. § 1681(g)(4), 1681(g)(3)(A)." (Id. , ¶ 54.)

On the other hand, Defendants assert that "the FCRA simply does not apply to Caremark. Congress enacted FCRA because the 'banking system is dependent upon fair and accurate credit reporting' and 'unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.' " 15 U.S.C. § 1681(a)(1). (Caremark MTD, Case B, ECF No. 18, p. 21.) Defendants' argument is well-taken.

The FCRA's statutory scheme is set forth in 15 U.S.C. § 1681, titled "Congressional findings and statement of purpose":

(a) Accuracy and fairness of credit reporting The Congress makes the following findings:
(1) The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.
(2) An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.
(3) Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.
(4) There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy.
(b) Reasonable procedures
It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.

The key consideration is the definition of "consumer" for the purposes of the FCRA. In 15 U.S.C. § 1692(a)(3), the term "consumer" is defined as "any natural person obligated or allegedly obligated to pay any debt." Defendants posit that Plaintiff "does not allege that the communication at issue was used to determine his eligibility in anything. He was an OHDAP member, and the letter merely announced how he could receive certain OHDAP benefits." (Caremark MTD, Case B, ECF No. 18, p. 22.) In addition, Defendants assert that there is no allegation that Caremark is a consumer reporting agency, or that the communication was a consumer report. A consumer report is a communication "bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living." 15 U.S.C. § 1681a(d)(l). Defendants' arguments are well-taken, and Count 1 (willful violation of FCRA) and Count 2 (negligent violation of FCRA) fail to state a claim upon which relief can be granted.

B. Ohio Insurance Information and Privacy Protection Act

In Count 4, Plaintiffs asserts that Defendants violated the Ohio Insurance Information and Privacy Protection Act (the "Act"), Ohio Rev. Code § 3904.01, et seq. Section 3904.13 of the Act states that "[n]o insurance institution, agent, or insurance support organization shall disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction...." These entities are defined as follows:

(K) "Insurance institution" means any corporation, association, partnership, fraternal benefit society, or other person engaged in the business of life, health, or disability insurance, including health insuring corporations. "Insurance institution" does not include agents or insurance support organizations.
(L)
(1) "Insurance support organization" means any person that regularly engages, in whole or in part, in the practice of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including both of the following:
(a) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction;
(b) The collection of personal information from insurance institutions, agents, or other insurance support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity
(2) Notwithstanding division (L)(l) of this section, agents, government institutions, insurance institutions, medical care institutions, and medical professionals are not "insurance support organizations" for purposes of sections 3904.01 to 3904.22 of the Revised Code.

Defendants argue that the "Complaint does not allege that Defendant is an 'insurance institution, agent, or insurance support organization' for purposes of the Act." (Caremark MTD, Case B, ECF No. 34, p. 20.) This Court, however, disagrees.

While it is true that the Complaint does not specifically use the label of institution, agent, or insurance support organization' for purposes of the Act, it "provide[s] notice to the defendant of the nature of the plaintiffs claims." Gross v. Nationwide Credit, Inc., 1:10-CV-00738, 2011 WL 379167, at *3 (S.D. Ohio Feb. 2, 2011) (citing as example Erickson v. Pardus, 551 U.S. 89, 93, 127 S.Ct. 2197, 167 L.Ed.2d 1081 (2007) ); see also Twombly , 550 U.S. at 555, 127 S.Ct. 1955 (plaintiff's statement must "give the defendant fair notice of what the ... claim is and the grounds upon which it rests."). Paragraphs 77 and 78 of Count 4 describe the "HIV-medication information" as "personal information" and allege that it was collected "in connection with an insurance transaction in violation of Ohio Rev. Code § 3904.13." Plaintiffs maintain that Caremark was acting on behalf of the Ohio Department of Health's AIDS Drug Assistance Program, which is administered just like health insurance, including via application and the payment of benefits for health services and prescriptions. Plaintiffs posit:

As stated on the OhDAP's website, Caremark was administering "[t]his program [which] is the payer of last resort" indicating that it was the final insurance transaction for covered medications when participants primary insurer's could not or did not pay [https://www.odh.ohio.gov/odhprograms/hastpac/hivcare/Ohio% 20ADAP/Ohio% 20ADAP.aspx ] Moreover, the very same program has a component entitled "HIV Health Insurance Premium Payment Program" and the same, extensive application for these programs clearly indicates it is providing insurance services. [https://www.odh.ohio.gov/media/ODH/ASSETS/Files/hst/hcs/2018RWADAppV4.pdf?la=en]. Accordingly, Caremark is both an "insurance institution" when acting as an agent of the state of Ohio in administering these programs and as an "insurance support organization" when it collects data from participants and furnishes that information to the state for the administration of its programs. Ohio Rev. Code § 3904.01(K), (L).

(Pl. Mem. Op., Case B, ECF No. 30, p. 21-22.)

Taking Plaintiffs allegations as true, and making reasonable inferences in their favor, they state a plausible claim for violation of the Ohio Insurance Information and Privacy Protection Act.

V.

For the reasons stated above, Defendants' Motions to Dismiss in Case No. 2:18-cv-238 are GRANTED IN PART AND DENIED IN PART (ECF Nos. 43, 44) and Defendants' Motion to Dismiss in Case No. 2:18-CV-488 is GRANTED IN PART AND DENIED IN PART (ECF No, 18).

IT IS SO ORDERED. 
      
      Plaintiffs consented to dismissal of Claim 10 (Pl. Mem. Op., Case B, ECF No. 30, p. 6).
     
      
      In his memorandum in opposition to Caremark's motion to dismiss, Plaintiff requests leave to amend his Complaint should the Court require him to plead "a stand-alone 'Biddle ' claim beyond what he has already done in the Complaint." (Pl. Mem. Opp., Case B, ECF No. 30, p. 9, fn 2.). Rather than requiring Plaintiff to file an amended complaint, the Court will consider Plaintiff's Biddle claim, presented in paragraph 17. (Compl. B, ECF No. 15, ¶ 17.)
     