This post examines an opinion the U.S. District Court for the District of Massachusetts issued in a civil case: Padmanabhan v. Healey, 2016 WL 409673 (2016).
The District Court Judge begins by noting that “[t]his arises from allegations that defendants
intentionally accessed a protected computer database in order to obtain information
about plaintiff's patients and to accuse plaintiff falsely of Medicaid fraud.” Padmanabhan v. Healey, supra. He also
explained that
[p]ending
before the Court are defendants' motion to dismiss the complaint and
plaintiff's motion for sanctions. For the reasons that follow, defendants'
motion to dismiss will be allowed and plaintiff's motion for sanctions will be
denied.
Padmanabhan v. Healey, supra.
The judge went on to
explain why, and how, the litigation arose:
The
Court accepts as true the following allegations by plaintiff Bharanidharan
Padmanabhan (`plaintiff’ or `Padmanabhan’) for the purpose of resolving the
motion to dismiss.
Plaintiff
is a doctor and neurologist who lives and works in Massachusetts and has chosen
to represent himself pro se.
Plaintiff filed a criminal complaint against the former Director of the
Massachusetts Office of Medicaid in March, 2013 and a second criminal complaint
against defendant James Paikos (`Paikos’) in January, 2015 for aiding and
abetting Medicaid fraud. The Massachusetts Attorney General apparently declined
even to investigate those allegations.
In
September, 2015, plaintiff filed a complaint against the following defendants:
1) Maura Healey (`Healey’), the Attorney General of the Commonwealth of Massachusetts,
2) Steven Hoffman (`Hoffman’), the Deputy Chief of the Medicaid Fraud Division
at the Office of the Attorney General, 3) Chris Cecchini (`Cecchini’), an
investigator at the Office of the Attorney General, 4) Adele Audet (`Audet’),
the Assistant Director of the Drug Control Program at the Massachusetts
Department of Public Health who oversees the Prescription Monitoring Program
computer database (`the PMP database’), 5) Paikos, an investigator for the
Massachusetts Executive Office of Health and Human Services (`the Massachusetts
HHS’), 6) Loretta Kish Cooke (`Cooke’), an investigator who works alongside
Paikos at the Massachusetts HHS, 7) Jane Doe, an unidentified female agent of
the Office of the Attorney General or the Massachusetts State Police and 8)
other unidentified defendants.
The
complaint asserts that 1) defendants unlawfully accessed the protected PMP
database in April, 2015 to obtain a list of 16 patients who were treated by plaintiff
and who received Medicaid benefits, 2) Healey falsely and maliciously accused
him of violating the Social Security Act and committing Medicaid fraud, 3)
Healey improperly sought access to the unredacted medical records of the 16
patients and 4) Healey sent Cecchini and Jane Doe to his house to arrest him
and to seize his computer and medical records under the pretext of legitimate
investigative activity. Those actions allegedly violated a) the Computer Fraud and Abuse Act (“CFAA”), 18 U.S. Code § 1030 et seq., b) the
Stored Communications Act (“SCA”), 18 U.S. Code § 2701, c) the equitable Clean Hands Doctrine’ and d) unidentified statutes concerning civil conspiracy.
Padmanabhan v. Healey, supra.
The Federal Rules of Civil Procedure establish the ground rules for civil litigation in federal
courts, and Rule 3 states that “[a] civil action is commenced by filing a
complaint with the court.” So, when this judge “refers to Padmanabhan’s “filing a complaint” in the U.S. District Court in which he sits, he is explaining that,
in doing this, Padmanabhan was initiating a civil suit against the parties his
complaint names as defendants. Padmanabhan v. Healey, supra. Wikipedia outlines what
needs to be included in a civil complaint.
The same Wikipedia
entry also explains that
[a]fter
the complaint has been filed with the court, it has to be properly
served to the opposite parties, but usually petitioners are not allowed to
serve the complaint personally. The court also can issue
a summons - an official summary document which the plaintiff needs to
have served together with the complaint. The defendants have limited time to
respond, depending on the State or Federal rules. A defendant's failure to
answer a complaint can result in a default judgment in favor of the
petitioner.
For
example, in United States federal courts, any person who is at least 18
years old and not a party may serve a summons and complaint
in a civil case. The defendant must submit
an answer within 21 days after being served with the summons and
complaint, or request a waiver, according to FRCP Rule 12. After
the civil complaint has been served to the defendants,
the plaintiff must, as soon as practicable initiate a conference
between the parties to plan for the rest of the discovery process and
then the parties should submit a proposed discovery plan to the judge
within 14 days after the conference.
Wikipedia also
explains that the defendant’s obligation to file an answer to the complaint
arises under Rule 7(a) of the Federal Rules of Civil Procedure and that “an
answer to a complaint” is one of the pleadings allowed in federal civil
litigation. As Wikipedia notes, “an answer is
the first pleading by a defendant, usually filed and served upon
the plaintiff within a certain strict time limit after a
civil complaint . . . has been served upon the defendant.” And
Federal Rule 12 states that a defendant “must serve an answer . . . with 21
days after being served with the summons or complaint”.
Instead of filing an
answer to the complaint, a defendant in a civil case can file a motion to dismiss the complaint and the cause(s) of action it asserts. Rule 12(b) of the Federal Rules of Civil
Procedure states that a defendant can assert any of several, listed defenses in
a motion, instead of an answer. One of them,
which is probably one of the most-often-asserted defenses, is that the
plaintiff’s complaint fails “to state a claim upon which relief can be
granted.” A defendant’s ability to assert this defense in a motion is
established by Rule 12(b)(6) of the Federal Rules of Civil Procedure.
Getting back to the
opinion, the judge began his analysis of the defendants’ Rule 12(b)(6) motion
by explaining that in order to
survive
a motion to dismiss, a complaint must contain sufficient factual matter,
accepted as true, to state a claim to relief that is plausible on its
face. Bell Atlantic Corporation v.
Twombly, 550 U.S. 544 (2007). Exhibits attached to the complaint are
properly considered `part of the pleading for all purposes.’ Federal Rules of Civil Procedure Rule 10(c). In
considering the merits of a motion to dismiss, the Court must accept all
factual allegations in the complaint as true and draw all reasonable inferences
in the plaintiff's favor. Santiago v. Puerto
Rico, 655 F.3d 61, 72 (U.S. Court of Appeals for the 1st Circuit
2011). Threadbare recitals of the legal elements, supported by mere conclusory
statements, do not suffice to state a cause of action. Ashcroft v. Iqbal, 556 U.S.662 (2009). A complaint does not state a claim for relief where the well-pled
facts fail to warrant an inference of any more than the mere possibility of
misconduct. Ashcroft v. Iqbal,
supra.
Padmanabhan v. Healey, supra.
The Judge then began
the process of applying the above standards to the allegations in the
Complaint, starting with the Computer Fraud and Abuse Act (“CFAA”). The judge explained that the CFAA
prohibits
an individual from 1) intentionally accessing a computer without authorization
or exceeding authorized access and thereby 2) obtaining information from any
federal department, federal agency or protected computer. 18 U.S. Code §1030(a)(2).
A
`protected computer’ is a computer that 1) is exclusively used by the federal
government, 2) is used by or for the federal government and the conduct
constituting the offense affects that use by or for the federal government or
3) is used in or affects interstate or foreign commerce or communication of the
United States. 18 U.S. Code § 1030(e)(2). The statute defines `exceed[ing]
authorized access’ as accessing a computer with authorization and using that
access to obtain or alter information without authorization. § 1030(e)(6).
The
CFAA provides a private right of action to any person who suffers `damage or
loss by reason of a violation’ of the CFAA. 18 U.S. Code § 1030(g). The
statute defines `damage’ as any `impairment to the integrity or availability of
data, a program, a system, or information’ and `loss’ as
`any
reasonable cost to any victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data, program, system, or
information to its condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of interruption of
service. . . .’
Padmanabhan v. Healey, supra.
The judge went on to
analyze the arguments made by both sides to this litigation:
Here,
Count 1 asserts that defendants unlawfully accessed the protected computers
hosting the PMP database 1) in violation of 105 CMR 700.012 because
the access occurred during a Medicaid fraud investigation, not a drug-related
investigation, and with insufficient cause, given that plaintiff has never
`billed the Government’ for treating Medicaid patients and 2) for the criminal
or tortious purpose of `aiding and abetting Medicare Fraud and tampering with a
witness who reported it.’ Padmanabhan proclaims that those actions
violated § 1030 and caused him financial and professional losses
comprising 1) `direct costs owing to having to respond to this violation’ such
as consulting with affected patients, seeking legal advice and initiating this
action and 2) harm to his professional reputation and ability to practice
medicine.
Defendants
move for dismissal for failure to state a claim under § 1030. They dispute
that the computers hosting the PMP database are `protected computers’ and
contend that plaintiff failed to specify which, if any, of the defendants
accessed the PMP database with the requisite intent. They argue that, even if
one or more of them did access the database, their conduct was specifically
authorized by the Office of the Attorney General and is thus expressly exempt
from § 1030 as lawfully authorized investigative activity. Defendants
further proclaim that plaintiff suffered no cognizable damage or loss under the
statute because his purported injuries were not directly related to the costs
incurred by an owner of a computer associated with repairing or restoring the
computer, a loss of access to or use of the computer, or uncovering the extent
of unauthorized access to the computer.
The
Court agrees with defendants that the patient consulting costs, legal fees and
professional injuries claimed by plaintiff do not qualify as losses under the
statute. Although the First Circuit Court of Appeals has held that the CFAA
does not restrict `loss’ under the statute to purely physical damage, EF Cultural Travel BV v. Explorica,
Inc., 274 F.3d 577, 584 (U.S. Court
of Appeals for the 1st Circuit 2001), nothing in the statute
suggests that the alleged loss or costs can be for matters unrelated to the
computer, Shirokov v. Dunlap,
Grubb & Weaver, PLLC, 2012 WL 1065578 (U.S. District Court for the
District of Massachusetts Mar. 27, 2012). Plaintiff does not claim, for
example, that defendants' alleged actions 1) affected or impaired his ability
to use the computers hosting the PMP database, 2) required him to engage in
computer investigation or repair or 3) forced him to incur costs due to an
inoperative computer system. See Shirokov
v. Dunlap, Grubb & Weaver,
supra. Nor do his legal fees constitute loss under the statute because they
are not directly attributable to the alleged access to the PMP database. See Shirokov v. Dunlap, Grubb & Weaver, supra.
Accordingly,
the complaint does not assert a qualifying loss within the meaning of § 1030 of
the CFAA. The Court will allow defendants' motion to dismiss Count 1 for
failure to state a claim.
Padmanabhan v. Healey, supra.
The judge then took
up Padmanabhan’s claim under the Stored Communications Act (“SCA”), explaining
that the SCA
prohibits an
individual from 1) intentionally accessing a facility that provides an
electronic communication service without authorization or exceeding an
authorization to access that facility and thereby 2) obtaining, altering or
preventing authorized access to an electronic communication while it is in
electronic storage in such a system. 18 U.S. Code § 2701(a) The SCA defines
`electronic communication’ by reference to 18 U.S. Code § § 2510 which, in
turn, defines it as
`any transfer of
signs, signals, writings, images, sounds, data, or intelligence of any nature
transmitted in whole or in part by a wire, radio, electromagnetic,
photoelectronic or photooptical system that affects interstate or foreign
commerce. . . .’
§ 18 U.S. Code § 2711(1) (referring to §2510(12)). The term `electronic storage’ means
`any temporary,
intermediate storage of . . . [an] electronic communication incidental to the
electronic transmission thereof; and [ ] any storage of such communication by
an electronic communication service for purposes of backup protection of such
communication[.]’
18 U.S. Code1711(1) (referring to § 2510(17)).
Padmanabhan v. Healey, supra.
The judge also noted that the Stored
Communications Act
provides a private
right of action to any `person aggrieved’ by conduct that violates the SCA and
that was performed with a knowing or intentional state of mind. 18 U.S. Code §2707(a). An `aggrieved person’ is a person who was a party to an intercepted
electronic communication or against whom the interception was directed. 18 U.S.
Code § 2711(1) (referring to § 2510(11)).
In our case,
plaintiff alleges in Count 2 that defendants unlawfully accessed the computer
system which hosts the PMP database without authorization or, alternatively, in
excess of any authorization, and thereby accessed patient information stored in
the database. Plaintiff reiterates that defendants lacked or exceeded any
authorization because 1) their access was in violation of 105 CMR 700.012 and
2) they acted pursuant to a criminal or tortious purpose.
Defendants respond
that plaintiff fails to state a claim under the SCA because 1) the patient
information in the PMP database is not `electronic information in electronic
storage’ and is therefore unprotected by the statute and 2) he is not a “person
aggrieved” because he has no ownership, privacy or confidentiality right in
that information.
The Court agrees
with defendants that plaintiff fails to allege that the purportedly accessed
information is protected by the SCA. That is because plaintiff neither claims
that the patient information is an electronic communication within the meaning of
§ 2510(20 nor asserts that the
PMP database is stored at a facility that provides an electronic communication
service.
Accordingly, the
complaint does not state a claim under § 2701 of the SCA and defendants' motion
to dismiss Count 2 will be allowed.
Padmanabhan v. Healey, supra.
After addressing several other, related
issues, the District Court Judge held that
[f]or the foregoing
reasons, defendants' motion to dismiss (Docket No. 23) is ALLOWED and
plaintiff's motion for sanctions (Docket No. 35) is DENIED.
Furthermore, the
Court forewarns plaintiff, once again, that he will be subject to the
imposition of sanctions himself if he continues to make gratuitous,
inflammatory and groundless charges against defendants and their counsel.
Padmanabhan v. Healey, supra (emphasis in the original).
No comments:
Post a Comment