United States District Court, S.D. Alabama, Southern Division
SUNIL GUPTA, M.D., LLC, d/b/a RETINA SPECIALITY INSTITUTE Plaintiff,
ALAN FRANKLIN, TRACY WILSON, and MONICA PAYTON Defendants.
MEMORANDUM OPINION AND ORDER
KATHERINE P. NELSON UNITED STATES MAGISTRATE JUDGE
21, 2017, Plaintiff Sunil Gupta, M.D. LLC d/b/a Retina
Specialty Institute (herein after “Plaintiff” or
“RSI”) filed a two count complaint against
Defendants Dr. Alan Franklin, Tracy Wilson, and Monica Payton
(herein after referred to by their last names or as
“Defendants”). (Doc. 1). According to the
Complaint, this Court has jurisdiction over this matter
pursuant to 28 U.S.C. § 1331, as Count One asserts a
claim arising under the laws of the United States. The Court
has supplemental jurisdiction over Count Two, a state law
claim, pursuant to 28 U.S.C. §1367(a). The Complaint
also states that this Court has diversity jurisdiction
pursuant to 28 U.S.C. § 1332 as the amount in
controversy exceeds $75, 000 and the parties are citizens of
the consent of the parties, the Court has designated the
undersigned Magistrate Judge to conduct all proceedings and
order the entry of judgment in this civil action, in
accordance with 28 U.S.C. § 636(c), Federal Rule of
Civil Procedure 73, and S.D. Ala. GenLR 73. (See Docs.
to Federal Rule of Civil Procedure 12(b)(6), Franklin filed a
motion to dismiss both counts. (Doc. 12). Pro se
Defendants Wilson and Payton have adopted Defendant
Franklin's motion. (Docs. 13-14). Plaintiff and
Defendants filed a timely response and reply. (Doc. 18-19).
Upon consideration, and for the reasons discussed herein, the
motions to dismiss (Docs. 12, 13, and 14) are
a Delaware limited liability corporation, formed by Sunil
Gupta, M.D. Its principal place of business is in Escambia
County, Florida. (Doc. 1 at 2). The membership of RSI is
comprised of three physicians who are Florida citizens. (Doc.
1 at 2-3). RSI also employs a number of other physicians
(ophthalmologists) specializing in the treatment of retina
disease and injury. (Id.).
Franklin, is a physician, former employee, former member,
former and manager of RSI. (Doc. 1 at 3, ¶ 12).
Defendants Wilson and Payton, both ophthalmic technicians,
were formerly employed by RSI. (Id. at ¶¶
13-14). All Defendants were employed at RSI's Mobile,
Alabama location. (Doc. 1 at 3).
February 2017, following an interview process and other
preparations, Franklin accepted employment with Mobile
Infirmary Medical Center, Diagnostic and Medical Clinic
(“DMC”). In early March 2017, Wilson and Payton
applied for employment with DMC. According to the Complaint,
before resigning from employment with RSI,
“…Franklin instructed Wilson and Payton to
download confidential RSI patient data from RSI's
practice management system on a portable hard drive provided
by Franklin.” (Doc. 1 at 4, ¶19). Per the
Wilson and Payton used an RSI computer to log into RSI's
practice management system, which required a password and/or
login credentials, and download confidential RSI patient data
and other confidential RSI data. The confidential RSI patient
information included patient names, addresses, phone numbers,
medical notes, insurance information, and appointment
schedules for tens of thousands of RSI
patients….Franklin also downloaded, with the
assistance of Payton and Wilson, retinal scans of a number of
RSI patients from RSI's network onto a portable hard
drive supplied by Franklin….On the same day that
Franklin, Wilson, and Payton downloaded the confidential RSI
patient data from RSI's practice management system, they
provided the information to DMC so DMC would have contact
information to use in communicating with patients after Dr.
Franklin moved to DMC.
(Doc. 1 at 4-5, ¶¶ 20-21). The Complaint alleges
that there were RSI policies prohibiting such access and use,
and that the Defendants knew about these policies. (Doc. 1 at
5, ¶¶ 22-23).
alleges that Defendants' conduct amounts to violations of
the Computer Fraud and Abuse Act, codified at 18 U.S.C.
§ 1030 (Count One) and the Alabama Digital Crime Act,
codified at Ala. Code §13A-8-112 (Count Two).
considering a Rule 12(b)(6) motion to dismiss, the Court must
accept as true the allegations set forth in the complaint
drawing all reasonable inferences in the light most favorable
to the plaintiff. Bell Atl. Corp. v. Twombly, 550
U.S. 544, 555-56 (2007). Even so, a complaint offering mere
“labels and conclusions” or “a formulaic
recitation of the elements of a cause of action” is
insufficient. Ashcroft v. Iqbal, 556 U.S 662, 678
(2009) (quoting Twombly, 550 U.S. at 555);
accord Fin. Sec. Assurance. Inc. v. Stephens, Inc.,
500 F.3d 1276, 1282-83 (11th Cir. 2007). Further, the
complaint must “contain sufficient factual matter,
accepted as true, ‘to state a claim to relief that is
plausible on its face.” ‘ Iqbal, 556
U.S. at 678 (citing Twombly, 550 U.S. at 570). Put
another way, a plaintiff must plead “factual content
that allows the court to draw the reasonable inference that
the defendant is liable for the misconduct alleged.”
Id. This so-called “plausibility
standard” is not akin to a probability requirement;
rather, the plaintiff must allege sufficient facts such that
it is reasonable to expect that discovery will lead to
evidence supporting the claim. Id.
Computer Fraud and Abuse Act (Count One)
One alleges that all Defendants have violated the Computer
Fraud and Abuse Act (“CFAA”), 18 U.S.C.
§§ 1030 et seq., as follows:
28. Defendants intentionally accessed and downloaded
confidential RSI patient information from RSI's practice
management system using RSI computers without authorization.
29. Defendants acted in concert with DMC to use the
information for an improper purpose and in violation of RSI
policies and procedures and applicable state and federal
laws, including HIPAA
30. RSI's computer network and practice management system
that were wrongfully accessed by Defendants are used in
31. Defendants' unlawful actions have caused RSI to
suffer loss and damages, including without limitation costs
of responding to Defendants' conduct, conducting a damage
assessment, and other costs. RSI's losses resulting from
Defendants' conduct exceed $5, 000.00.
(Doc. 1, Complaint at 6). The Complaint also contains
allegations that the Defendants were aware of RSI's
policies prohibiting RSI employees from downloading patient
information for personal use or for use by anyone other than
a RSI employee. (Doc. 1 at 5, ¶22-23). The policy
prohibited RSI employees from downloading patient information
without express approval from practice management.
CFAA defines seven categories of conduct that can give rise
to civil or criminal liability. Those seven categories of
conduct are contained within § 1030(a)(1)-(7).
Construing the allegations liberally, as detailed in its
Complaint and response brief it appears Plaintiff is
asserting that Defendants accessed a protected computer in
excess of their authority to do so, with resulting damage
and/or loss. (Docs. 1 and 18 at 4-5). Thus, the Court assumes
Plaintiff is alleging that Defendants violated subsections
(a)(2)(C), (a)(4), (a)(5) and/or (a)(6) of 18 U.S.C. §
1030, which provide in relevant part that civil liability may
be imposed upon whoever:
(2) intentionally accesses a computer without authorization
or exceeds authorized access, and thereby obtains- …
(C) information from any protected computer
(4) knowingly and with intent to defraud, accesses a
protected computer without authorization, or exceeds
authorized access, and by means of such conduct furthers the
intended fraud and obtains anything of value, unless the
object of the fraud and the thing obtained consists only of
the use of the ...