Curtis M. Smallwood, Appellant, vs. State of Minnesota, Department of Human Services, et al., Respondents
Annotate this Case
Download PDF
STATE OF MINNESOTA IN COURT OF APPEALS A21-0001 Curtis M. Smallwood, Appellant, vs. State of Minnesota, Department of Human Services, et al., Respondents. Filed August 23, 2021 Affirmed in part and reversed in part Ross, Judge Ramsey County District Court File No. 62-CV-19-6554 Peter J. Nickitas, Peter J. Nickitas Law Office, Minneapolis, Minnesota (for appellant) Keith Ellison, Attorney General, Drew D. Bredeson, Assistant Attorney General, St. Paul, Minnesota (for respondents) Considered and decided by Ross, Presiding Judge; Segal, Chief Judge; and Gaïtas, Judge. SYLLABUS 1. Data that is acquired by an unauthorized person’s hacking into a government account has not been “disseminated” in violation of Minnesota Statutes section 13.05, subdivision 4 (2020). 2. The state has not waived sovereign immunity for claims under the Minnesota Health Records Act, Minnesota Statutes sections 144.291–98 (2020). OPINION ROSS, Judge A hacker accessed a Minnesota Department of Human Services email account assigned to a department employee. The department informed Curtis Smallwood, who is civilly committed to the state sex-offender program as a sexually dangerous person, that his private information may have been accessed. Smallwood sued the state for damages under the Minnesota Government Data Practices Act and the Minnesota Health Records Act, contending that “disclosing” his private information caused him emotional and economic harm. The district court dismissed Smallwood’s civil complaint for failure to state a claim. We affirm in part because the state did not waive its sovereign immunity from exposure to civil liability under the Minnesota Health Records Act. But we reverse in part because Smallwood stated a data practices act claim despite the generalized nature of his allegation of damages. FACTS Curtis Smallwood has been civilly committed to the Minnesota Sex Offender Program (MSOP) as a sexually dangerous person since 2011. See In re Civil Commitment of Smallwood, No. A11-1971, 2012 WL 896439, at *1, *3 (Minn. App. March 19, 2012), review denied (Minn. June 27, 2012) (affirming Smallwood’s civil commitment); In re Civil Commitment of Smallwood, A18-0481, 2018 WL 4401920, at *1 (Minn. App. Sept. 17, 2018) (affirming refusal to grant Smallwood a provisional discharge or transfer). The Minnesota Department of Human Services (DHS) informed him that, in March 2018, a hacker accessed a DHS email account assigned to a DHS employee. The email account 2 contained no Social Security or financial information but did contain “first and last names, dates of birth, contact information, other demographic data, treatment data, legal history data, and/or information about [Smallwood] or [his] family’s interactions with [MSOP treatment partners].” Smallwood filed a civil complaint seeking damages for DHS’s alleged violations of the Minnesota Government Data Practices Act (MGDPA), Minn. Stat. §§ 13.01–99 (2020), and the Minnesota Health Records Act (HRA), Minn. Stat. §§ 144.291–98 (2020). Smallwood alleged that DHS “disclos[ed]” his private information to an unauthorized person by virtue of the hack and that DHS required him to type his medical-records number to purchase hygiene products at a kiosk in a setting that allowed others to watch him, violating both statutes. His complaint asked for a declaratory judgment determining that DHS violated the statutes, an order enjoining DHS from future unauthorized disclosures, nominal damages, special damages, emotional-distress damages, exemplary damages, mandamus relief to retrieve disclosed information, costs, a civil penalty, and attorney fees. The complaint asserted that, by “disclosing” his private information, DHS caused him “anxiety, fear of economic exploitation, fear of blackmail, and fear of financial losses from identity theft.” The district court granted DHS’s motion to dismiss the complaint for failing to state a claim for which relief can be granted. See Minn. R. Civ. P. 12.02(e). It held that Smallwood failed to state a claim under the MGDPA because he “failed to substantiate his claimed emotional damages with any kind of medical or psychological evidence” and failed to demonstrate harm to his credit score or finances. It held that Smallwood failed to 3 state a claim under the HRA because the state did not waive its sovereign immunity against suit for alleged HRA violations. Smallwood appeals. ISSUES I. Did Smallwood state a claim under the MGDPA? II. Does sovereign immunity preclude Smallwood’s HRA claim? ANALYSIS Challenging the district court’s decision to dismiss his MGDPA claim, Smallwood argues that his factual allegations of a violation and his claim for damages satisfy the notice-pleading requirements of Minnesota Rule of Civil Procedure 8.01. Challenging the decision to dismiss his HRA claim, Smallwood argues that the state waived sovereign immunity from liability for HRA violations. The first argument succeeds, and the second one fails. I Smallwood’s claim under the MGDPA survives the state’s motion to dismiss. We review de novo a district court’s decision to dismiss for failure to state a claim under Minnesota Rule of Civil Procedure 12.02(e). Halva v. Minn. State Colls. & Univs., 953 N.W.2d 496, 500 (Minn. 2021). In doing so, we accept as true the complaint’s factual allegations and construe reasonable factual inferences in favor of the nonmoving party. Id. For the following reasons, we conclude both that Smallwood’s complaint sufficiently alleges facts that could establish a statutory violation and alleges damages sufficiently tied to the alleged violation. 4 The state accurately argues that, under one of Smallwood’s theories, the complaint fails to allege facts that could establish a violation under the MGDPA. The complaint asserts that Smallwood’s private data “were disseminated and distributed” to unauthorized persons without his consent, violating Minnesota Statutes section 13.05, subdivision 4. That subdivision indeed generally prohibits governmental entities from “disseminat[ing]” private or confidential data to others without the consent of the subject of the data. Id. But Smallwood’s allegations do not support the claim that DHS disseminated his private or confidential data. We interpret statutes de novo. State v. Pakhnyuk, 926 N.W.2d 914, 920 (Minn. 2019). And we do so based on the plain and ordinary meaning of their express terms, construing “words . . . according to their common and approved usage.” Minn. Stat. § 645.08(1) (2020). The statute does not define “disseminate,” but under its common definition the verb implies action. See The American Heritage Dictionary of the English Language 522 (5th ed. 2011) (defining “disseminate” as “to spread abroad; promulgate”). Nothing in the context of the statutory restriction on state handling of private and confidential data implies that the legislature intended to treat information stolen from a governmental entity as information disseminated by the entity. The complaint does not allege, nor does it invite any reasonable inference, that any member of DHS actively participated in the hacker’s intrusion into the DHS employee’s email account. DHS no more “disseminated” Smallwood’s information exposed during the illegal hacking intrusion than a burglary victim can be said to have distributed property stolen from her during a break-in. Smallwood’s assertion that DHS “disseminated and distributed” his data is not supported by the factual allegation that an unknown hacker accessed the employee’s 5 DHS email account, and his claim fails to the extent that it rests on section 13.05, subdivision 4. Although the district court correctly dismissed the MGDPA claim because Smallwood’s complaint failed to assert any dissemination of data, we cannot affirm the dismissal of the claim. The complaint’s allegations do not rest entirely on dissemination because they also implicate a different provision of the statute. The MGDPA does more than prohibit dissemination of private and confidential data, it also requires a governmental entity’s responsible authority to “establish appropriate security safeguards” to ensure that only appropriate persons access government data. Minn. Stat. § 13.05, subd. 5(a)(2). Smallwood’s complaint identifies this subdivision as a basis for his claim. And we reasonably infer from the complaint the allegation that DHS’s failure to institute appropriate safeguards led to the unauthorized access of Smallwood’s private or confidential data. Although DHS did not address liability under subdivision 5(a)(2) in its brief, it contended at oral argument that determining whether information safeguards are appropriate under the statute is a legal question and that the district court properly denied the claim as a matter of law. The contention rests on one doubtful basis and one erroneous basis: we would have to both infer that the district court denied the claim as a matter of law and also hold that it could rightly do so. This we cannot do. The notion that the district court implicitly denied the appropriate-safeguard claim as a matter of law is doubtful because it framed DHS’s argument for dismissal as challenging the dissemination claim specifically. The district court not only did not include 6 the alternative theory of liability in framing DHS’s argument, it also did not mention it when it dismissed the complaint. On the other hand, in the context of dismissing the entire complaint on the motion before it, the district court had to have either implicitly denied the appropriate-safeguard claim as a matter of law or failed to notice it in the complaint. This affords some reason to support the inference. But even if we infer from the district court’s dismissal of the complaint entirely that it implicitly rejected the appropriate-safeguard claim as a matter of law, we reject DHS’s position that the district court could do so appropriately. This is because whether DHS’s safeguards were “appropriate” in this case is not subject to dismissal for failure to state a claim. The statute neither defines “appropriate” nor presents any specific elements of what qualifies as an appropriate safeguard or what would fail as an inappropriate one. This is not surprising given the nature of the adjective. “Appropriate” is akin to “reasonable,” being a nearly synonymous, relative term with meaning only in the context of its case-by-case circumstances. The legislature frequently demonstrates that it treats both terms as situational. See, e.g., Minn. Stat. §§ 13.37, subd. 1(b) (defining “[t]rade secret information” in part as data subject to efforts “that are reasonable under the circumstances to maintain [their] secrecy”); 62D.17, subd. 3(b) (authorizing certain proceedings “as the commissioner of health may deem appropriate under the circumstances”); 84.631(b)(4) (authorizing commissioner of natural resources to impose easement restrictions that are “necessary and appropriate under the circumstances”); 176.1351, subd. 5(c) (directing commissioner of labor and industry to conduct proceedings “in a manner the commissioner deems appropriate under the circumstances”); 260C.201, subd. 1(e) (directing district court 7 to impose child-protection conditions it “determines [to be] appropriate under the circumstances”); 325K.20 (declaring that recipient of a digital signature assumes the risk of forgery “if reliance on the digital signature is not reasonable under the circumstances”); 609.324, subd. 3 (authorizing district court to waive mandatory community-service penalty for prostitution crimes if the service “is not feasible or appropriate under the circumstances of the case”); 626.8475 (2020) (requiring police officer to intercede when another officer is using force exceeding that “which is objectively reasonable under the circumstances”). Likewise courts customarily treat the terms as dependent on the circumstances and determined as a matter of fact, not as a matter of law. See, e.g., King’s Cove Marina, LLC v. Lambert Com. Constr. LLC, 958 N.W.2d 310, 321 (Minn. 2021) (“Reasonableness is a question of fact for the district court to resolve as the fact-finder.” (quotation omitted)); Kolstad v. Fairway Foods, Inc., 457 N.W.2d 728, 735–36 (Minn. App. 1990) (“Thus, it is incumbent upon the fact-finder to examine carefully . . . the appropriateness of hours spent and the hourly rate requested.”); W. Nat’l. Ins. Co. v. Thompson, 797 N.W.2d 201, 208 (Minn. 2011) (“[W]e conclude that whether a request for an examination under oath and the refusal of such a request are reasonable are questions of fact. . . .”); Costilla v. State, 571 N.W.2d 587, 596 (Minn. App. 1997), review denied (Minn. Jan. 28, 1998) (observing that “a question of fact exists as to the . . . appropriateness of the state’s actions”); Nicollet Restoration, Inc. v. City of St. Paul, 533 N.W.2d 845, 848 (Minn. 1995) (“Ordinarily, the reasonableness of reliance is a fact question for the jury.”). Given the plain meaning of the term and the manner in which the legislature and courts commonly apply it, we hold that the question of whether the state has established “appropriate” safeguards to prevent 8 unauthorized access to private data under the MGDPA, section 13.05, subdivision 5(a)(2), is not an issue that can be resolved without determining the facts that bear on the claim. We offer no opinion about whether, in some cases, the circumstances might present a clear picture demonstrating that the evidence could not, as a matter of law, support a factual finding of inappropriateness. But at most, the question of appropriateness might then remain a matter for summary judgment on developed, undisputed facts. The facts of the claim in this case are not developed at the early stage of the rule 12 dismissal. Under rule 12 we answer only whether the complaint states a claim for legal relief. And we hold that Smallwood’s complaint alleges facts that could establish a statutory violation under section 13.05, subdivision 5(a). We turn to whether Smallwood’s complaint sufficiently asserted a claim for damages. The district court concluded that it did not. It reached this conclusion two months before, and therefore without the insight provided by, the supreme court’s decision in Halva, 953 N.W.2d at 498. We think Halva controls and requires reversal. A person who “suffers any damage” resulting from a responsible authority’s or government entity’s violating “any provision” of the MGDPA is entitled to damages. Minn. Stat. § 13.08, subd. 1 (2020). Among other things, Smallwood’s complaint alleges that the security breach and access to his information resulted in his having emotional distress. The district court rejected this claim of damages for two reasons. It first concluded that Smallwood “has failed to substantiate his claimed emotional damages with any kind of medical or psychological evidence.” And it concluded second that he “has not shown that the damages he is alleging are fairly traceable” to the data breach. The problem with the 9 first conclusion is that it applies a summary-judgment standard of evidentiary support rather than a rule 12 standard of notice pleading. The problem with the second conclusion is that it imposes a duty to express a more direct causal relationship between the violations and the alleged harm than rule 12 requires. The supreme court’s analysis in Halva informs our reasoning, as it held sufficient a complaint with a damages claim no more robust or precise than Smallwood’s. The complaint in Halva, like the complaint here, was “sparse with details and [did] not contain a direct causal statement explaining how those violations caused [the plaintiff] harm.” 953 N.W.2d at 503. But also like the complaint here, the Halva complaint “sufficiently identified the facts that gave rise to [the plaintiff’s] claim” because it “list[ed] a number of facts that could support a finding of a Data Practices Act violation.” Id. Although the Halva complaint’s claim for damages asserted only that the plaintiff is “entitled to an award of any actual damages plus exemplary damages for each . . . violation of the Data Practices Act,” id. at 502 (alterations omitted), the court held that the “complaint provide[d] the factual nexus for [the] alleged damages” and was therefore “sufficient under our normal pleading standard,” id. at 503. Smallwood’s complaint describes his purported emotional distress in vague and conclusory terms, but the Halva court reminded us that, “[u]nder our law, the pleading of broad general statements that may be conclusory is permitted.” Id. (quoting Barton v. Moore, 558 N.W.2d 746, 749 (Minn. 1997)). Because Smallwood identified an MGDPA violation and alleged resulting damages sufficient to put DHS on notice of his legal claim, the claim in part survives DHS’s motion to dismiss for failure to state a claim. 10 The claim survives only in part because not all of Smallwood’s alleged damages are plausible. His claim of economic harm from identity theft and exploitation is altogether speculative under the most generous reading of his complaint. The email hack exposed his personal medical information, his name, his date of birth, and his contact information. His treatment information is not economic and exposes him to no economic harm. And his name, date of birth, and residence are already a matter of public record. See In re Civil Commitment of Smallwood, 2012 WL 896439. His claimed economic harm hangs on his alleged concern about identity theft, but none of his allegations indicate that DHS’s alleged failure to appropriately safeguard his private data either has resulted in his identity theft or could actually do so. In sum, Smallwood’s complaint adequately put DHS on notice of his claim that DHS violated the MGDPA’s duty to appropriately secure his private and confidential data, which resulted in a breach that caused emotional damages. We do not suggest that the allegations are a model of precision or that the complaint appears to map a clear course of success on the merits. We say only that the complaint passes the minimum notice-pleading requirements to overcome a rule 12 motion to dismiss. II Smallwood contends that he sufficiently stated a claim under the HRA and that sovereign immunity does not prevent an HRA claim. We resolve the appeal as to this claim based on sovereign immunity alone. Sovereign immunity is a judicial creation generally shielding the state from civil liability in all claims except those to which the state has consented to suit. Nieting v. 11 Blondell, 235 N.W.2d 597, 600, 603 (Minn. 1975). In 1975, the supreme court essentially consented to tort claims against the state, abolishing sovereign-immunity protection as applied to those claims. Id. at 603. The Nieting court did not address the state’s legislatively expressed sovereign immunity against statutorily created liability, codified in 1941 and remaining unchanged today: “The state is not bound by the passage of a law unless named therein, or unless the words of the act are so plain, clear, and unmistakable as to leave no doubt as to the intention of the legislature.” Minn. Stat. § 645.27 (2020). This provision is not itself the source of immunity; it instead “provides a framework for interpreting whether a separate statutory provision waives sovereign immunity.” Nichols v. State, 858 N.W.2d 773, 776 (Minn. 2015) (emphasis omitted). The HRA nowhere names the state as the intended defendant, so we must decide whether its words are so plain, clear, and unmistakable that the legislature undoubtedly intended to expose the state to civil liability. And whether the statute waives sovereign immunity is a question of law that we review de novo. Id. at 775. Our de novo review of the HRA under this framework leads us to conclude that the legislature did not intend to waive sovereign immunity to allow state liability for HRA claims. Under the operative liability provision of the HRA, “a person” who “negligently . . . releases a health record in violation of sections 144.291 to 144.297” is liable to the patient for compensatory damages resulting from the unauthorized release. Minn. Stat. § 144.298, subd. 2(1) (2020). Smallwood would have us conclude that DHS as a state entity is a “person” under the statute, but that construction is certainly not intuitive. He offers no other statute as an example of the legislature intending the term “person” to 12 include the state or a governmental unit within the state. The plaintiff in Nichols offered a similarly creative argument about a different statute. The supreme court examined Minnesota Statutes, sections 181.64 and .65 (2020), a law restricting false statements inducing employment. Nichols, 858 N.W.2d at 774. That statute broadly defined potentially liable parties, including “[a]ny person, partnership, company, corporation, association, or organization of any kind.” Id. at 776. The supreme court reasoned that, although the phrase “organization of any kind” “could encompass the State, it could just as easily refer only to business or other nongovernmental entities.” Id. at 777 (emphasis in original). The Nichols court rejected the notion that “organization” included the state or state entities, observing that “[t]he Legislature has applied the brakes to th[is] kind of analysis . . . by requiring a waiver of sovereign immunity to be plain, clear, and unmistakable.” Id. It would be a much more difficult leap for us to hold that the legislature intended to include the state when it said “a person” than it would have been for the Nichols court to conclude that the legislature wanted to include a state entity as an “organization of any kind.” Smallwood ushers us on a circuitous journey hoping to arrive at state civil liability under the HRA. Leaving the plainly worded directive that a “person” can be liable under the act, Smallwood takes us to another provision of the chapter, observing that “a provider, or a person who receives health records from a provider, may not release a patient’s health records” unless authorized by the patient or by law. Minn. Stat. § 144.293, subd. 2. He emphasizes that “provider” refers to “any person who furnishes health care services . . . under chapter . . . 151 . . . [or] a health care facility licensed under [chapter 144] or chapter 13 144A.” Minn. Stat. § 144.291, subd. 2(i). He then observes that while chapter 144 does not define health care facility, chapter 144A defines health care facility to include “a hospital . . . licensed under sections 144.50 to 144.58.” Minn. Stat. § 144A.70, subd. 4 (2020). He then highlights that section 144.50 defines “hospital” to include “any institution, place, building, or agency, in which any accommodation is maintained, furnished, or offered for five or more persons for . . . the institutional care of human beings.” Minn. Stat. § 144.50, subd. 2 (2020). And any government unit, department, or agency must obtain a license to operate a hospital. Id., subd. 1 (2020). The sex-offender program provides institutional care to civilly committed client-patients, and it therefore qualifies as a “hospital” under section 144.50. Because DHS is a government department operating the sex-offender program, DHS must obtain licensure under chapter 144. Because it must be so licensed, he concludes, it must be a person subject to liability, indicating the legislature’s intent to waive sovereign immunity for HRA claims. We do not disagree with the conclusion that DHS operates a qualifying healthcare facility licensed under chapter 144 and that it may not release health records without authorization. But the meandering venture linking a liable “provider” under section 144.293, a “health care facility” under section 144.291, a “hospital” under section 144.50, an “institution” providing institutional care under section 144.50, and a government “department” requiring licensure under section 144.50, is too dizzyingly attenuated for us to say that it plainly, clearly, and unmistakably expresses the legislature’s intent—beyond doubt—to waive sovereign immunity. We know that, by comparison, the legislature knows how to strike a simple course from violation to state liability in unmistakable terms: the 14 MGDPA directly declares, “The state is deemed to have waived any immunity to a cause of action brought under this chapter.” Minn. Stat. § 13.08, subd. 1. Smallwood cites no case, and we are certain none exists, supporting the idea that we can discover a plain and clear waiver using only a series of inferences from statute to statute. Similarly unconvincing are Smallwood’s three other arguments against sovereign-immunity waiver. We briefly address each. We reject Smallwood’s contention that state liability derives from Minnesota Statutes, section 144.51 (2020). Any party licensed under section 144.50 must prove its ability to comply with provisions set forth in sections 144.50 to 144.56. Id. Once again by extension, Smallwood implies that, because DHS is a healthcare-provider licensee under section 144.51, it is liable for wrongful information disclosure. But sections 144.50 to 144.56 cover obtaining and maintaining hospital licenses and other hospital-administration protocol. See Minn. Stat. §§ 144.50–56 (Minn. 2020). HRA’s information-disclosure penalties are in section 144.293 and 144.298, not in sections 144.50 to 144.56. The argument fails. We also reject his argument that the legislature abrogated sovereign immunity by allowing for vicarious liability. The HRA prohibits “[a] provider, or a person who receives health records from a provider” from releasing health records without authorization. Minn. Stat. § 144.293, subd. 1. That section 144.293 includes “provider” and that the definition of “provider” includes a healthcare facility, Minn. Stat. § 144.291, subd. 2(i), might suggest that the HRA allows for vicarious liability by prohibiting conduct by healthcare facilities rather than solely prohibiting conduct by specific persons. The HRA’s provision 15 for a private cause of action, however, states, “A person who does any of the following [including releasing health records without authorization] is liable.” Minn. Stat. § 144.298, subd. 2 (emphasis added). A statute allows a civil cause of action only if it expressly creates one or clearly implies the intent to do so. Becker v. Mayo Found., 737 N.W.2d 200, 207 (Minn. 2007). And section 298, subdivision 2 narrowly imposes liability to the specific actor engaging in the wrongful conduct. Although the subheading for section 144.298, subdivision 2 is “Liability of provider or other person,” (emphasis added), our analysis is unchanged. “The headnotes printed in boldface type before sections and subdivisions in editions of Minnesota Statutes are mere catchwords to indicate the contents of the section or subdivision and are not part of the statute.” Minn. Stat. § 645.49 (2020). And finally we reject Smallwood’s related contention based on caselaw. He asserts that Expose v. Thad Wilderson & Associates, P.A. establishes vicarious liability under the HRA. 863 N.W.2d 95, 104–05 (Minn. App. 2015), aff’d (Minn. Nov. 3, 2016). It does not. We did not discuss vicarious liability in Expose. We held merely that, because the appellant had not consented to a disclosure, the district court improperly concluded that the respondent was entitled to judgment as a matter of law on appellant’s vicarious-liability allegation. Id. Smallwood’s contention that vicarious liability is available under Larson v. Northwest Mutual Life Ins. Co. fails for the same reason. 855 N.W.2d 293, 301–02 (Minn. 2014). Although the court said that “under the plain meaning of the [HRA], liability arises only when a person or entity actually discloses a health record” (emphasis added), this was dicta and not binding. Id. at 302; Brink v. Smith Cos. Const., Inc., 703 N.W.2d 871, 876 (Minn. App. 2005), review denied (Minn. Dec. 21, 2005). The “only question before [the 16 court] [was] whether [respondent was] liable for failing to release the cardiologist’s letters and CAT scan angiogram report.” Larson, 855 N.W.2d at 302. The court did not assess vicarious liability and affirmed summary judgment because the appellant based his theory on liability for failure to disclose medical records, not on unauthorized disclosure. Id. We observe that determining the types of damages to which Smallwood would be entitled if he should prove his claims is premature. We generally review a damages award for an abuse of discretion. See, e.g., Dunn v. Nat’l Beverage Corp., 745 N.W.2d 549, 555 (Minn. 2008). Because the district court dismissed Smallwood’s complaint entirely, it did not consider his request for different types of damages. Nor do we. DECISION Smallwood alleged facts and damages that could establish a violation of the Minnesota Government Data Practices Act. The district court therefore erroneously dismissed his data-practices claim. The state did not waive its sovereign immunity for claims under Minnesota Health Records Act. The district court therefore correctly dismissed Smallwood’s health-records claim. Affirmed in part and reversed in part. 17
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
