Monday, June 13, 2016

The Doctor, the Lawsuit and “Exceeding Authorized Access”

This post examines an opinion the U.S. District Court for the District of Massachusetts issued in a civil case:  Padmanabhan v. Healey, 2016 WL 409673 (2016). 
The District Court Judge begins by noting that “[t]his arises from allegations that defendants intentionally accessed a protected computer database in order to obtain information about plaintiff's patients and to accuse plaintiff falsely of Medicaid fraud.” Padmanabhan v. Healey, supra. He also explained that
[p]ending before the Court are defendants' motion to dismiss the complaint and plaintiff's motion for sanctions. For the reasons that follow, defendants' motion to dismiss will be allowed and plaintiff's motion for sanctions will be denied.
Padmanabhan v. Healey, supra.
The judge went on to explain why, and how, the litigation arose:
The Court accepts as true the following allegations by plaintiff Bharanidharan Padmanabhan (`plaintiff’ or `Padmanabhan’) for the purpose of resolving the motion to dismiss.

Plaintiff is a doctor and neurologist who lives and works in Massachusetts and has chosen to represent himself pro se. Plaintiff filed a criminal complaint against the former Director of the Massachusetts Office of Medicaid in March, 2013 and a second criminal complaint against defendant James Paikos (`Paikos’) in January, 2015 for aiding and abetting Medicaid fraud. The Massachusetts Attorney General apparently declined even to investigate those allegations.

In September, 2015, plaintiff filed a complaint against the following defendants: 1) Maura Healey (`Healey’), the Attorney General of the Commonwealth of Massachusetts, 2) Steven Hoffman (`Hoffman’), the Deputy Chief of the Medicaid Fraud Division at the Office of the Attorney General, 3) Chris Cecchini (`Cecchini’), an investigator at the Office of the Attorney General, 4) Adele Audet (`Audet’), the Assistant Director of the Drug Control Program at the Massachusetts Department of Public Health who oversees the Prescription Monitoring Program computer database (`the PMP database’), 5) Paikos, an investigator for the Massachusetts Executive Office of Health and Human Services (`the Massachusetts HHS’), 6) Loretta Kish Cooke (`Cooke’), an investigator who works alongside Paikos at the Massachusetts HHS, 7) Jane Doe, an unidentified female agent of the Office of the Attorney General or the Massachusetts State Police and 8) other unidentified defendants.

The complaint asserts that 1) defendants unlawfully accessed the protected PMP database in April, 2015 to obtain a list of 16 patients who were treated by plaintiff and who received Medicaid benefits, 2) Healey falsely and maliciously accused him of violating the Social Security Act and committing Medicaid fraud, 3) Healey improperly sought access to the unredacted medical records of the 16 patients and 4) Healey sent Cecchini and Jane Doe to his house to arrest him and to seize his computer and medical records under the pretext of legitimate investigative activity. Those actions allegedly violated a) the Computer Fraud and Abuse Act (“CFAA”), 18 U.S. Code § 1030 et seq., b) the Stored Communications Act (“SCA”), 18 U.S. Code § 2701, c) the equitable Clean Hands Doctrine’ and d) unidentified statutes concerning civil conspiracy.
Padmanabhan v. Healey, supra.  
The Federal Rules of Civil Procedure establish the ground rules for civil litigation in federal courts, and Rule 3 states that “[a] civil action is commenced by filing a complaint with the court.” So, when this judge “refers to Padmanabhan’s “filing a complaint” in the U.S. District Court in which he sits, he is explaining that, in doing this, Padmanabhan was initiating a civil suit against the parties his complaint names as defendants.  Padmanabhan v. Healey, supra.  Wikipedia outlines what needs to be included in a civil complaint. 
The same Wikipedia entry also explains that
[a]fter the complaint has been filed with the court, it has to be properly served to the opposite parties, but usually petitioners are not allowed to serve the complaint personally. The court also can issue a summons - an official summary document which the plaintiff needs to have served together with the complaint. The defendants have limited time to respond, depending on the State or Federal rules. A defendant's failure to answer a complaint can result in a default judgment in favor of the petitioner.

For example, in United States federal courts, any person who is at least 18 years old and not a party may serve a summons and complaint in a civil case. The defendant must submit an answer within 21 days after being served with the summons and complaint, or request a waiver, according to FRCP Rule 12.  After the civil complaint has been served to the defendants, the plaintiff must, as soon as practicable initiate a conference between the parties to plan for the rest of the discovery process and then the parties should submit a proposed discovery plan to the judge within 14 days after the conference.
Wikipedia also explains that the defendant’s obligation to file an answer to the complaint arises under Rule 7(a) of the Federal Rules of Civil Procedure and that “an answer to a complaint” is one of the pleadings allowed in federal civil litigation.  As Wikipedia notes, “an answer is the first pleading by a defendant, usually filed and served upon the plaintiff within a certain strict time limit after a civil complaint . . . has been served upon the defendant.” And Federal Rule 12 states that a defendant “must serve an answer . . . with 21 days after being served with the summons or complaint”.
Instead of filing an answer to the complaint, a defendant in a civil case can file a motion to dismiss the complaint and the cause(s) of action it asserts.  Rule 12(b) of the Federal Rules of Civil Procedure states that a defendant can assert any of several, listed defenses in a motion, instead of an answer.  One of them, which is probably one of the most-often-asserted defenses, is that the plaintiff’s complaint fails “to state a claim upon which relief can be granted.” A defendant’s ability to assert this defense in a motion is established by Rule 12(b)(6) of the Federal Rules of Civil Procedure.
Getting back to the opinion, the judge began his analysis of the defendants’ Rule 12(b)(6) motion by explaining that in order to
survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face. Bell Atlantic Corporation v. Twombly, 550 U.S. 544 (2007). Exhibits attached to the complaint are properly considered `part of the pleading for all purposes.’ Federal Rules of Civil Procedure Rule 10(c).  In considering the merits of a motion to dismiss, the Court must accept all factual allegations in the complaint as true and draw all reasonable inferences in the plaintiff's favor. Santiago v. Puerto Rico, 655 F.3d 61, 72 (U.S. Court of Appeals for the 1st Circuit 2011). Threadbare recitals of the legal elements, supported by mere conclusory statements, do not suffice to state a cause of action.  Ashcroft v. Iqbal, 556 U.S.662 (2009). A complaint does not state a claim for relief where the well-pled facts fail to warrant an inference of any more than the mere possibility of misconduct.  Ashcroft v. Iqbal, supra.
Padmanabhan v. Healey, supra. 
The Judge then began the process of applying the above standards to the allegations in the Complaint, starting with the Computer Fraud and Abuse Act (“CFAA”).  The judge explained that the CFAA
prohibits an individual from 1) intentionally accessing a computer without authorization or exceeding authorized access and thereby 2) obtaining information from any federal department, federal agency or protected computer. 18 U.S. Code §1030(a)(2).

A `protected computer’ is a computer that 1) is exclusively used by the federal government, 2) is used by or for the federal government and the conduct constituting the offense affects that use by or for the federal government or 3) is used in or affects interstate or foreign commerce or communication of the United States. 18 U.S. Code § 1030(e)(2). The statute defines `exceed[ing] authorized access’ as accessing a computer with authorization and using that access to obtain or alter information without authorization. § 1030(e)(6).

The CFAA provides a private right of action to any person who suffers `damage or loss by reason of a violation’ of the CFAA. 18 U.S. Code § 1030(g). The statute defines `damage’ as any `impairment to the integrity or availability of data, a program, a system, or information’ and `loss’ as

`any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. . . .’
Padmanabhan v. Healey, supra. 
The judge went on to analyze the arguments made by both sides to this litigation:
Here, Count 1 asserts that defendants unlawfully accessed the protected computers hosting the PMP database 1) in violation of 105 CMR 700.012  because the access occurred during a Medicaid fraud investigation, not a drug-related investigation, and with insufficient cause, given that plaintiff has never `billed the Government’ for treating Medicaid patients and 2) for the criminal or tortious purpose of `aiding and abetting Medicare Fraud and tampering with a witness who reported it.’ Padmanabhan proclaims that those actions violated § 1030 and caused him financial and professional losses comprising 1) `direct costs owing to having to respond to this violation’ such as consulting with affected patients, seeking legal advice and initiating this action and 2) harm to his professional reputation and ability to practice medicine.

Defendants move for dismissal for failure to state a claim under § 1030. They dispute that the computers hosting the PMP database are `protected computers’ and contend that plaintiff failed to specify which, if any, of the defendants accessed the PMP database with the requisite intent. They argue that, even if one or more of them did access the database, their conduct was specifically authorized by the Office of the Attorney General and is thus expressly exempt from § 1030 as lawfully authorized investigative activity. Defendants further proclaim that plaintiff suffered no cognizable damage or loss under the statute because his purported injuries were not directly related to the costs incurred by an owner of a computer associated with repairing or restoring the computer, a loss of access to or use of the computer, or uncovering the extent of unauthorized access to the computer.

The Court agrees with defendants that the patient consulting costs, legal fees and professional injuries claimed by plaintiff do not qualify as losses under the statute. Although the First Circuit Court of Appeals has held that the CFAA does not restrict `loss’ under the statute to purely physical damage, EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584 (U.S. Court of Appeals for the 1st Circuit 2001), nothing in the statute suggests that the alleged loss or costs can be for matters unrelated to the computer, Shirokov v. Dunlap, Grubb & Weaver, PLLC, 2012 WL 1065578 (U.S. District Court for the District of Massachusetts Mar. 27, 2012). Plaintiff does not claim, for example, that defendants' alleged actions 1) affected or impaired his ability to use the computers hosting the PMP database, 2) required him to engage in computer investigation or repair or 3) forced him to incur costs due to an inoperative computer system. See Shirokov v. Dunlap, Grubb & Weaver, supra. Nor do his legal fees constitute loss under the statute because they are not directly attributable to the alleged access to the PMP database. See Shirokov v. Dunlap, Grubb & Weaver, supra.

Accordingly, the complaint does not assert a qualifying loss within the meaning of § 1030 of the CFAA. The Court will allow defendants' motion to dismiss Count 1 for failure to state a claim.
Padmanabhan v. Healey, supra. 
The judge then took up Padmanabhan’s claim under the Stored Communications Act (“SCA”), explaining that the SCA
prohibits an individual from 1) intentionally accessing a facility that provides an electronic communication service without authorization or exceeding an authorization to access that facility and thereby 2) obtaining, altering or preventing authorized access to an electronic communication while it is in electronic storage in such a system. 18 U.S. Code § 2701(a) The SCA defines `electronic communication’ by reference to 18 U.S. Code § § 2510 which, in turn, defines it as
`any transfer of signs, signals, writings, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce. . . .’
§ 18 U.S. Code § 2711(1) (referring to §2510(12)). The term `electronic storage’ means
`any temporary, intermediate storage of . . . [an] electronic communication incidental to the electronic transmission thereof; and [ ] any storage of such communication by an electronic communication service for purposes of backup protection of such communication[.]’
18 U.S. Code1711(1) (referring to § 2510(17)).
Padmanabhan v. Healey, supra. 
The judge also noted that the Stored Communications Act
provides a private right of action to any `person aggrieved’ by conduct that violates the SCA and that was performed with a knowing or intentional state of mind. 18 U.S. Code §2707(a). An `aggrieved person’ is a person who was a party to an intercepted electronic communication or against whom the interception was directed. 18 U.S. Code § 2711(1) (referring to § 2510(11)).  

In our case, plaintiff alleges in Count 2 that defendants unlawfully accessed the computer system which hosts the PMP database without authorization or, alternatively, in excess of any authorization, and thereby accessed patient information stored in the database. Plaintiff reiterates that defendants lacked or exceeded any authorization because 1) their access was in violation of 105 CMR 700.012 and 2) they acted pursuant to a criminal or tortious purpose.

Defendants respond that plaintiff fails to state a claim under the SCA because 1) the patient information in the PMP database is not `electronic information in electronic storage’ and is therefore unprotected by the statute and 2) he is not a “person aggrieved” because he has no ownership, privacy or confidentiality right in that information.

The Court agrees with defendants that plaintiff fails to allege that the purportedly accessed information is protected by the SCA. That is because plaintiff neither claims that the patient information is an electronic communication within the meaning of § 2510(20 nor asserts that the PMP database is stored at a facility that provides an electronic communication service.

Accordingly, the complaint does not state a claim under § 2701 of the SCA and defendants' motion to dismiss Count 2 will be allowed.
Padmanabhan v. Healey, supra. 
After addressing several other, related issues, the District Court Judge held that
[f]or the foregoing reasons, defendants' motion to dismiss (Docket No. 23) is ALLOWED and plaintiff's motion for sanctions (Docket No. 35) is DENIED.

Furthermore, the Court forewarns plaintiff, once again, that he will be subject to the imposition of sanctions himself if he continues to make gratuitous, inflammatory and groundless charges against defendants and their counsel.
Padmanabhan v. Healey, supra (emphasis in the original). 

No comments: