Doe v. US Fertility, LLC et al, No. 1:2021cv00579 - Document 79 (N.D. Ill. 2022)
Court Description: MEMORANDUM Opinion and Order written by the Honorable Gary Feinerman on 3/31/2022.Mailed notice.(jlj, )
Download PDF
<![CDATA[
Doe v. US Fertility, LLC et al Doc. 79 UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION JANE DOE, Plaintiff, vs. FERTILITY CENTERS OF ILLINOIS, S.C., and US FERTILITY, LLC, Defendants. ) ) ) ) ) ) ) ) ) ) 21 C 579 Judge Gary Feinerman MEMORANDUM OPINION AND ORDER Jane Doe brings this putative class action under the diversity jurisdiction against Fertility Centers of Illinois (“FCI”) and US Fertility, LLC (“USF”), alleging violations of Illinois law. Doc. 5. Defendants move under Civil Rules 12(b)(1) and 12(b)(6) to dismiss for lack of standing and failure to state a claim, respectively. Docs. 19, 39. The Rule 12(b)(1) motion is denied, while the Rule 12(b)(6) motion is granted in part and denied in part. Background In resolving a Rule 12(b)(6) motion, the court assumes the truth of the operative complaint’s well-pleaded factual allegations, though not its legal conclusions. See Zahn v. N. Am. Power & Gas, LLC, 815 F.3d 1082, 1087 (7th Cir. 2016). The court must also consider additional facts set forth in Doe’s briefs opposing dismissal, so long as those additional facts “are consistent with the pleadings.” Phillips v. Prudential Ins. Co. of Am., 714 F.3d 1017, 1020 (7th Cir. 2013) (internal quotation marks omitted). The facts are set forth as favorably to Doe as those materials allow. See Pierce v. Zoetis, Inc., 818 F.3d 274, 277 (7th Cir. 2016). The same principles govern the Rule 12(b)(1) motion because it presents only a facial challenge to Doe’s standing. See Prairie Rivers Network v. Dynegy Midwest Generation, LLC, 2 F.4th 1002, 1008 1 Dockets.Justia.com (7th Cir. 2021) (“For facial standing challenges, as here, we employ the familiar ‘plausibility’ requirement—the same standard used to evaluate challenges to claims under Rule 12(b)(6).”). In setting forth the facts at the pleading stage, the court does not vouch for their accuracy. See Goldberg v. United States, 881 F.3d 529, 531 (7th Cir. 2018). On or about October 24, 2011, Doe visited FCI’s office in Hinsdale, Illinois, for an initial consultation. Doc. 5 at ¶¶ 48-49. FCI required Doe to provide proof of insurance, her medical records, her Social Security number, and an identification card, and to describe any medical issues on an intake form. Id. at ¶ 49. Doe paid for the consultation but elected not to receive treatment from FCI. Id. at ¶¶ 50-51. Without Defendants’ express agreement to safeguard and protect her personal and health information, Doe would not have provided her personal and medical information to them. Id. at ¶¶ 4, 50, 69. Defendants maintain privacy policies on their websites. Id. at ¶¶ 34-36. The policies include express promises that Defendants would comply with HIPAA standards, maintain the privacy of personal information, and disclose health information only when required by law. Id. at ¶ 67. FCI’s policy states that it will “maintain the privacy of … health information … abide by the terms of this notice … [and] where required by law, notify [patrons] in the event that there has been a breach of … unsecured health information.” Id. at ¶ 36. And USF’s policy states that it “maintains protected health information in compliance with HIPAA and [its] contractual obligations to [its network of fertility centers].” Id. at ¶ 34. USF provides IT services and platforms for FCI. Doc. 5-1 at 2. In 2020, Defendants experienced a data breach involving Doe’s and other individuals’ names, Social Security numbers, patient numbers, and birth dates. Doc. 5 at ¶¶ 38-40. Defendants became aware of the data breach on September 14, 2020, and contacted Doe about it several months later. Id. at ¶ 41. 2 Defendants offered to provide Doe with twelve months of complimentary access to credit monitoring and identity restoration services. Id. at ¶ 42. As a result of the data breach, Doe has suffered “out-of-pocket costs associated with the prevention, detection, recovery, and remediation from identity theft and fraud,” lost opportunity costs and lost wages, and emotional distress and embarrassment. Id. at ¶¶ 53-56. Doe also must “endure the risks of identity theft and fraud for years to come” and “live with the idea that her private medical affairs are now in the possession of cybercriminals, with the potential to be publicized and forever available to the public.” Id. at ¶¶ 54-55. Doe alleges that Defendants failed to properly safeguard her private information, to promptly dispose of her information, and to timely notify her of the data breach. Id. at ¶¶ 70-72. She brings claims for breach of express contract, breach of implied contract, and unjust enrichment, each in the alternative to the others. Id. at ¶¶ 64-95. She also brings claims for breach of fiduciary duty, invasion of privacy, and violation of the Illinois Consumer Fraud and Deceptive Trade Practices Act (“ICFA”). 815 ILCS 505/2 et seq. Id. at ¶¶ 96-128. Discussion I. Article III Standing Defendants contend that Doe lacks Article III standing to bring this suit. Docs. 39-40. The court must consider that jurisdictional question before reaching the merits. See Va. House of Delegates v. Bethune-Hill, 139 S. Ct. 1945, 1950 (2019). “To establish standing, a plaintiff has the burden to establish that he has (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial ruling.” Larkin v. Fin. Sys. of Green Bay, Inc., 982 F.3d 1060, 1064 (7th Cir. 2020) (internal quotation marks omitted). “To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual 3 or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016) (internal quotation marks omitted). “At the pleading stage, the standing inquiry asks whether the complaint clearly alleges facts demonstrating each element in the doctrinal test.” Larkin, 982 F.3d at 1064 (internal quotation marks and alterations omitted). Citing TransUnion LLC. v. Ramirez, 141 S. Ct. 2190 (2021), Defendants contend that Doe fails to plead injury in fact. Doc. 40 at 4-7. In TransUnion, the Supreme Court held that certain tangible and intangible harms—such as physical harm, monetary harm, and the disclosure of private information—can be concrete for purposes of standing. Id. at 2204. The Court further held that “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial,” and that a plaintiff may seek damages based on a risk of future harm only if “the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210-11. Defendants maintain that Doe’s injuries are not concrete because she alleges neither an actual injury from the data breach nor a risk of future harm sufficient to confer standing. Doc. 40 at 4. The complaint alleges that, due to the data breach, Doe has suffered, among other things, “out-of-pocket costs associated with the prevention, detection, recovery, and remediation [of] identity theft and fraud.” Doc. 5 at ¶ 56(b). As the Seventh Circuit has explained, “mitigation expenses qualify as ‘actual injuries’…when the harm is imminent,” and a data breach that has already occurred is “sufficiently immediate to justify mitigation efforts.” Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (“While mitigation expenses qualify as ‘actual injuries’ only when the harm is imminent, the data breach in Remijas [v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015),] had already occurred. This made the risk of identity 4 theft and fraudulent charges sufficiently immediate to justify mitigation efforts.”). The fact that Defendants offered Doe one year of complimentary access to credit monitoring and identity restoration services, Doc. 5 at ¶ 42, confirms the reasonableness of at least some of Doe’s out-ofpocket mitigation expenditures. See Remijas, 794 F.3d at 694 (“It is telling … that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who had shipped at their stores between January 2013 and January 2014.”). At the pleading stage, Doe has alleged enough to establish injury in fact and thus her Article III standing. II. Merits A. Express Contract Claim Doe’s express contract claim alleges that Defendants breached the parties’ contract(s) by not sufficiently disposing of and protecting her medical information, and by failing to timely notify her of the data breach. Doc. 5 at ¶¶ 64-77. “Under Illinois law, a breach of contract claim has four elements: (1) the existence of a valid and enforceable contract; (2) performance by the plaintiff; (3) a breach of contract by the defendant; and (4) resultant injury to the plaintiff.” Hess v. Bresney, 784 F.3d 1154, 1158-59 (7th Cir. 2015) (internal quotation marks omitted). The existence of a contract requires, among other things, “definite and certain terms.” Cogswell v. CitiFinancial Mortg. Co., 624 F.3d 395, 398 (7th Cir. 2010). Doe states a viable express contract claim against FCI. The complaint alleges that Doe entered a valid and enforceable agreement in which FCI promised to safeguard, protect, and timely dispose of her personal and health information. Doc. 5 at ¶¶ 65-69. The complaint further alleges that FCI maintained a privacy policy in which it promised to maintain the privacy of Doe’s health information and timely notify her in the event of a breach. Id. at ¶ 36. Contrary to Defendants’ contention that the complaint does not allege the existence of a contract, Doc. 19 5 at 7, the agreement as described in the complaint and FCI’s privacy policy are sufficient at this stage to plead that a contract was formed. See Dolmage v. Combined Ins. Co. of Am., 2016 WL 754731, at *9 (N.D. Ill. Feb. 23, 2016) (denying a motion to dismiss an express contract claim based on a similar promise and privacy agreement). Defendants’ argument that the contracts alleged by Doe lack sufficient definiteness is unavailing. “To be enforceable, an Illinois contact need be only sufficiently definite and certain that a court may ascertain what the parties have agreed to.” Straits Fin. LLC v. Ten Sleep Cattle Co., 900 F.3d 359, 369 (7th Cir. 2018). The complaint expressly alleges that Doe’s contract with FCI required it to “adequately protect [her] Personal Information” and, in particular, to “prevent disclosure and/or unauthorized access of [her personal and medical] information through its data security measures and prompt disposal of Personal Information that is no longer needed or required.” Doc. 5 at ¶ 68. Moreover, the complaint alleges that FCI’s privacy policy states that FCI will “maintain the privacy of … health information … abide by the terms of this notice … [and] where required by law, notify [patrons] in the event that there has been a breach of … unsecured health information.” Id. at ¶ 36. Those alleged terms of the alleged contracts are sufficiently definite to enable the court to ascertain what the parties agreed to. See Dolmage, 2016 WL 754731 at *1 (denying a motion to dismiss an express contract claim based on a similar privacy policy). Likewise unavailing is Defendants’ argument that FCI could not have breached any contract with Doe because it was USF, not FCI, that suffered the security breach. Doc. 19 at 7-8. Although FCI did not experience the data breach, it cannot shield itself from liability—at least on a Rule 12(b)(6) motion—by arguing that it offloaded to another entity its responsibilities under its contracts with Doe. See Dolmage 2016 WL 754731, at *10 (in a data breach suit, rejecting 6 the defendant’s argument that it could not be liable because it was not the party that experienced the breach). Finally, Defendants argue for the first time in their reply brief that Doe fails to allege that she ever saw FCI’s privacy policy at the time of her consultation. Doc. 32 at 2. That argument is forfeited because it was raised for the first time in a reply brief. See O’Neal v. Reilly, 961 F.3d 973, 974 (7th Cir. 2020) (“[W]e have repeatedly recognized that district courts are entitled to treat an argument raised for the first time in a reply brief as waived.”); Narducci v. Moore, 572 F.3d 313, 324 (7th Cir. 2009) (“[T]he district court is entitled to find that an argument raised for the first time in a reply brief is forfeited.”). In any event, the express contract(s) alleged by the complaint rest only in part on FCI’s privacy policy. Doc. 5 at ¶ 66 (“A material part of Defendants’ promise to provide health care services to [Doe] … was to adequately protect [her] Personal Information.”). Doe does not state a viable express contract claim against USF. As Defendants correctly note, Doe does not allege that she was aware of USF at the time of her consultation with FCI. Doc. 19 at 7-8. Doe could not have entered an express agreement with an entity that she was unaware of. Doe nonetheless argues that USF is liable for breach of express contract because it “was formed through a merger of various fertility centers … , including [FCI],” which “resulted in a partnership between the entities.” Doc. 31 at 14. That argument is unpersuasive, as the complaint fails to plausibly allege facts giving rise to a reasonable inference that USF is a “partnership” in which FCI is a partner or that USF is FCI’s alter ego. See Seybold v. Tazewell Cnty., 2022 WL 68385, at *8 (C.D. Ill. Jan. 6, 2022); FW Assocs. LLC v. WM Assocs. LLC, 2019 WL 354953, at *3 (N.D. Ill. Jan. 28, 2019). 7 B. Implied Contract Claim Doe’s claim for breach of implied contract, stated in the alternative to her express contract claim, alleges that when she provided and Defendants received her personal information, she entered into an implied contract with them under which they “were obligated to take reasonable steps to secure and safeguard the Personal Information entrusted to them,” including complying with HIPAA and FTC guidelines, promptly disposing of her personal information, and timely notifying her of any data breach. Doc. 5 at ¶¶ 78-86. Under Illinois law, an implied-in-fact contract arises from a “promissory expression which may be inferred from the facts and circumstances and the expressions [on] the part of the promisor which show an intention to be bound.” Estate of Jesmer v. Rohlev, 609 N.E.2d 816, 820 (Ill. App. 1993) (internal quotation marks omitted). Such a contract is “a true contract, containing all necessary elements of a binding agreement; it differs from other contracts only in that it has not been committed to writing or stated orally in express terms, but rather is inferred from the conduct of the parties in the milieu in which they dealt.” A.E.I. Music Network, Inc. v. Bus. Computers, Inc., 290 F.3d 952, 956 (7th Cir. 2002) (internal quotation marks omitted); see also Al’s Serv. Ctr. v. BP Prods. N. Am., Inc., 599 F.3d 720, 726 (7th Cir. 2010) (“That is the significance of ‘in fact’: the circumstances allow an inference that the parties had a deal (a ‘meeting of the minds’) even though there was no statement to that effect.”). Doe states a viable implied contract claim against FCI. The complaint alleges that FCI required Doe to disclose her personal and “extremely sensitive medical” information before it provided consultation services to her. Doc. 5 at ¶ 79. Defendants argue that “there are no allegations in the Complaint showing a meeting of the minds regarding how FCI would protect against a data breach suffered by another company providing IT services to it.” Doc. 32 at 4. However, as the Appellate Court of Illinois explained in analogous circumstances, “[i]t can be 8 implied from the parties’ relationship that [the defendant] would take some steps to ensure that plaintiffs’ sensitive information would be shielded in some manner to prevent unauthorized disclosure of that information.” Lozada v. Advocate Health & Hosps. Corp., 2018 IL App (1st) 180320-U, ¶ 27 (Ill. App. Dec. 24, 2018). Defendants also argue that because USF experienced the data breach, “FCI could not have breached any purported implied contract with Plaintiff.” Doc. 19 at 8. That argument fails for the reasons set forth above. See Dolmage, 2016 WL 754731, at *10. Doe does not have a viable implied contract claim against USF. As Defendants correctly observe, Doe was unaware of USF’s existence during her consultation with FCI and thus could not have reach any implied understanding with USF. Doc. 19 at 8. As with the express contract claim, Doe retorts that USF nonetheless can be held liable for breach of implied contract due to its alleged relationship with FCI. Doc. 31 at 16. That argument fails for the reasons set forth above. See Seybold, 2022 WL 68385, at *8; FW Assocs., 2019 WL 354953, at *3. C. Unjust Enrichment Claim In the alternative to her express and implied contract claims, Doe alleges that Defendants were unjustly enriched in that she conferred a monetary benefit on them in the form of payment for health care services, part of those services included protecting her private information, Defendants failed to protect her information, and it therefore would be unjust for Defendants to retain the benefit of the payment. Doc. 5 at ¶¶ 87-95. “To [prove] a claim for unjust enrichment under Illinois law, ‘a plaintiff must [show:] [1] that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and [2] that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.’” Banco Panamericano, Inc. v. City of Peoria, 880 F.3d 329, 333 (7th Cir. 2018) (quoting HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989)). Where “an unjust enrichment claim rests 9 on the same improper conduct [underlying] another claim, then the unjust enrichment claim will be tied to this related claim—and, of course, unjust enrichment will stand or fall with the related claim.” Platt v. Brown, 872 F.3d 848, 853 (7th Cir. 2017) (internal quotation marks omitted); see also Cleary v. Philip Morris Inc., 656 F.3d 511, 517 (7th Cir. 2011) (“Unjust enrichment is a common-law theory of recovery or restitution that arises when the defendant is retaining a benefit to the plaintiff’s detriment, and this retention is unjust. What makes the retention of the benefit unjust is often due to some improper conduct by the defendant. And usually this improper conduct will form the basis of another claim against the defendant in tort, contract, or statute.”). Doe pleads her unjust enrichment claim in the alternative to her express and implied contract claims, so the claim rests on the same allegedly improper conduct underlying the contract claims. Indeed, Doe herself acknowledges that “[u]njust enrichment is not a separate cause of action that, standing alone, will justify an action for recovery.” Doc. 31 at 17. Accordingly, given that Doe’s contract claims survive against FCI but not against USF, Doe’s unjust enrichment claim likewise survives against FCI but not against USF. See Lozada, 2018 IL App (1st) 180320-U, at ¶¶ 34-37 (in a data breach suit, allowing an unjust enrichment claim to proceed where the contract claim survived dismissal). D. Fiduciary Duty Claim Plaintiff next claims that Defendants breached their fiduciary duty to her by failing to safeguard her private information. Doc. 5 at ¶¶ 96-101. “To recover for a breach of fiduciary duty, Illinois law require[s] the plaintiff[] to establish the existence of a fiduciary duty, a breach of that duty, and damages proximately caused by the breach.” Alonso v. Weiss, 932 F.3d 995, 1001 (7th Cir. 2019). Defendants contend that Doe’s claim fails at the threshold because she does not allege facts sufficient to infer that they owed her a fiduciary duty. Doc. 19 at 10-11. 10 Doe responds that a fiduciary duty arose from her and FCI’s physician-patient relationship. Doc. 31 at 18-19. Under Illinois law, “[a] physician-patient relationship is established where the physician takes some affirmative action to participate in the care, evaluation, diagnosis or treatment of a specific patient. The central inquiry is whether the physician has been asked to provide a specific service for the benefit of a specific patient.” Mackey v. Sarroca, 35 N.E.3d 631, 638 (Ill. App. 2015) (internal citations omitted). The relationship is one “in which the patient knowingly seeks the physician’s assistance and the physician knowingly accepts the person as a patient.” Reynolds v. Decatur Mem’l Hosp., 660 N.E.2d 235, 239 (Ill. App. 1996). True enough, the complaint alleges that, “[a]fter her initial consultations, [Doe] elected to not become a patient of Defendants and received no treatment from them.” Doc. 5 at ¶ 51. That said, the complaint also alleges that Doe received an “initial consultation” from FCI and that she paid FCI “for her consultation.” Id. at ¶¶ 49-50. Without knowing what transpired during the initial consultation, the court cannot hold on the pleadings that Doe did not have a physician-patient relationship with FCI during the consultation. Also, as with the contract claims, FCI cannot escape liability on Doe’s fiduciary duty claim because it offloaded to USF its alleged fiduciary duty to protect Doe’s personal information from a data breach. Accordingly, Doe’s fiduciary duty claim against FCI survives. Doe admits that she did not have a physician-patient relationship with USF, but, as with her contract claims, she argues that USF can be held liable on a partnership or alter ego theory. Doc. 31 at 19. That argument fails for the reasons stated above. E. Invasion of Privacy Claim Doe alleges that Defendants breached her common law privacy rights by allowing the data breach to occur. Doc. 5 at ¶¶ 102-115. In her opposition brief, Doe clarifies that her 11 privacy claim rests on the theory that she suffered “public disclosure of private facts.” Doc. 31 at 20. To state an invasion of privacy claim for the public disclosure of private facts, a plaintiff must allege facts sufficient to show that “private facts were made public and that the matter made public would be highly offensive to a reasonable person.” Karraker v. Rent-A-Ctr., Inc., 411 F.3d 831, 838 (7th Cir. 2005). Defendants correctly contend that the complaint does not allege a public disclosure of Doe’s information. Doc. 32 at 9. Public disclosure “means ‘communicating the matter to the public at large or to so many persons that the matter must be regarded as one of general knowledge.’” Wynne, 741 N.E.2d at 677 (2000) (internal citations omitted). Public disclosure also can mean “disclosure to a limited number of people if those people have a special relationship with the plaintiff that makes the disclosure as devastating as disclosure to the public at large.” Karraker, 411 F.3d at 838. Although the complaint alleges that Doe’s private medical information was “stolen by a third party and [is] now available to disclosure to others without authorization,” Doc. 5 at ¶ 112, it does not allege disclosure to the public at large or to a limited number of people with a special relationship to her. Accordingly, Doe’s invasion of privacy claim is dismissed. F. ICFA Claim Finally, Doe alleges that Defendants violated the ICFA through conduct that qualifies as “unfair” under the statute. Doc 5 at ¶¶ 116-128. Defendants seek dismissal on the sole ground that Doe has not alleged actual damages, meaning economic or pecuniary harm. Doc. 19 at 12-13; see 815 ILCS 505/10a(a) (providing that a person “who suffers actual damage as a result of a violation of” the ICFA may recover). In Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018), the Seventh Circuit held in a data breach case that the plaintiff’s alleged “monthly $17 out of pocket” payment for a credit-monitoring service she purchased as a result of 12 the data breach “is a form of ‘actual damage’” under the ICFA. Id. at 829. Here, Doe alleges that she suffered “out-of-pocket costs associated with the prevention, detection, recovery, and remediation from identity theft and fraud.” Doc. 5 at ¶ 126. Under Dieffenbach, that suffices to allege actual damages. In their initial brief, Defendants asked the court to strike Doe’s request for punitive damages under the ICFA. Doc. 19 at 13. Doe responded with argument and authority, Doc. 31 at 23-24, and Defendants’ reply brief dropped the matter, thereby forfeiting the point. See Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs., Inc., 536 F.3d 663, 668 n.3 (7th Cir. 2008) (“We have made it clear that a litigant who fails to press a point by supporting it with pertinent authority, … forfeits the point.”) (internal quotation marks omitted). Conclusion Defendants’ motions to dismiss are granted in part and denied in part. Doe has Article III standing to pursue her claims. Doe’s claims against USF are dismissed, except for her ICFA claim. Doe’s invasion of privacy claim against FCI is dismissed as well. The dismissal of those claims is without prejudice, and Doe has until April 21, 2022 to file a second amended complaint. See Runnion ex rel. Runnion v. Girl Scouts of Greater Chi. & Nw. Ind., 786 F.3d 510, 519 (7th Cir. 2015) (“Ordinarily, … a plaintiff whose original complaint has been dismissed under Rule 12(b)(6) should be given at least one opportunity to try to amend her complaint before the entire action is dismissed.”). If Doe does not file a second amended complaint, the dismissal will convert automatically to a dismissal with prejudice, and Defendants shall answer the surviving portions of the amended complaint by May 4, 2022. If Doe files a second amended complaint, Defendants shall file a responsive pleading by May 11, 2022, though Defendants 13 should not again move to dismiss the claims that survived dismissal on grounds rejected in this opinion. March 31, 2022 ___________________________________ United States District Judge 14
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
