Upload: ikee-inez-gardner

Post on 04-Aug-2015


Page 1: PROOFREAD Privacy Law Assignment 3_Gardner

UNITED STATES DISTRICT COURT DURHAM COUNTY

JANE DOE, a fictitious name to protect privacy,
Plaintiff,

v.                                                  Civil No. _________

NC THERMAVIEW,
Defendant.

COMPLAINT

NOW COMES Plaintiff, by and through her undersigned counsel, asserting the following as her Complaint.

JURISDICTION, PARTIES, AND VENUE

1. Plaintiff JANE DOE, a fictitious name to protect privacy, is a resident of Durham County, North Carolina.

2. Defendant NC THERMAVIEW is a North Carolina business that provided thermal imaging mammography services to a Durham County resident.

3. Venue is in this Court pursuant to N.C. Gen. Stat. §1-82.

FACTUAL BACKGROUND

4. JANE DOE is a 60-year-old Durham resident. She purchased thermal heat imaging services from NC Thermaview, a Raleigh business managed by a licensed nurse. NC Thermaview performs thermal heat imaging mammography as an alternative to conventional mammograms and sends the resulting images to the physician each patient designates.

5. During her initial consultation, NC Thermaview’s receptionist assured JANE DOE that all information associated with her visit would be confidential. JANE DOE also read a company brochure which stated that services would be provided “in a confidential and supportive environment.” JANE DOE paid with her credit card and requested that the results be sent to her doctor, Dr. Wilhelmina Prosser. NC Thermaview sent the images to Dr. Prosser through a password-protected website and sent a copy via U.S. mail.

6. Between January 2014 and March 2014, JANE DOE’s identity was stolen. Three credit cards were opened in JANE DOE’s name amassing over $180,000 in charges. In May 2014, JANE DOE’s bank identified suspicious transactions in which someone tried to transfer funds out of her savings and money market accounts.

7. In October 2014, NC Thermaview sent JANE DOE a data security breach notice. The notice said that her credit card and other information had suffered a “possible exposure” to a hacking attack during “a period of time from January of 2014 through June of 2014.” The notice said that NC Thermaview had alerted law enforcement and hired data security experts to repair the system.

8. JANE DOE believes the data breach allowed an identity thief to access her information. She estimates that she has spent 200 hours in work to restore and protect her credit and to search for the identity thief, taking away time from her work. She is self-employed and ordinarily earns between eighteen and thirty dollars per hour. She is concerned that she has been unproductive and unable to focus. Dr. Prosser referred JANE DOE to a psychiatrist for anxiety therapy.

9. JANE DOE worries that the mammography images will become public. She is concerned about negative associations of a public photo displaying her torso, and concerned about the possibility that anyone who viewed the images might erroneously think she was ill.

COUNT 1

UNFAIR AND DECEPTIVE TRADE PRACTICES

10. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.

11. NC Thermaview advertised its services as “confidential.”

12. NC Thermaview failed to adequately encrypt the website containing JANE DOE’s thermal imaging pictures and other personally identifying medical information.

13. The misrepresentation of NC Thermaview’s services as confidential, while the company fails to meet HIPAA security standards, is a deceptive business practice.

14. NC Thermaview failed to check quarterly for authorized and unauthorized wireless access points pursuant to the PCI Security Standards Council guidelines, an industry-wide standard for all merchants that accept credit card payments.

15. The failure to meet industry-wide data security standards is an unfair business practice.

16. JANE DOE is entitled to recovery under the North Carolina Unfair and Deceptive Trade Practices Statute.

COUNT 2

NORTH CAROLINA IDENTITY THEFT ACT VIOLATION

17. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.

18. NC Thermaview disposed of JANE DOE’s personally identifying information when the company forwarded it to Dr. Prosser.

19. NC Thermaview did not comply with the NC Identity Theft Act by failing to destroy her personally identifying information after disposal.

20. JANE DOE is entitled to recovery under the North Carolina Identity Theft Act.

COUNT 3

BUSINESS INTERRUPTION

21. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.

22. The NC Thermaview data breach caused JANE DOE to miss 200 hours of work due to inability to focus. JANE DOE is self-employed and earns between $18 and $30 per hour.

23. JANE DOE is entitled to recovery of her lost earnings.

COUNT 4

BREACH OF CONTRACT

24. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.

25. NC Thermaview and JANE DOE were parties to a contract in which NC Thermaview promised a “confidential environment.” Instead of enjoying confidentiality as promised, JANE DOE’s personally identifying information has been potentially subjected to online hackers.

26. JANE DOE is entitled to recovery for NC Thermaview’s breach of contract.

COUNT 5

BREACH OF IMPLIED COVENANT OF GOOD FAITH AND FAIR DEALING

27. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.

28. NC Thermaview breached the implied covenant of good faith and fair dealing by consciously failing to encrypt its website and failing to timely check for data security breaches.

Page 3: PROOFREAD Privacy Law Assignment 3_Gardner

29. JANE DOE is entitled to recovery for NC Thermaview’s breach of the implied covenant of good faith and fair dealing.

COUNT 6

BREACH OF FIDUCIARY DUTY

30. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.

31. NC Thermaview breached its fiduciary duty to JANE DOE by failing to ensure adequate data security of her personally identifying information.

32. JANE DOE is entitled to recovery for NC Thermaview’s breach of fiduciary duty.

WHEREFORE, Jane Doe respectfully requests trial by jury of all issues triable before a jury and judgment for compensatory and punitive damages against Defendant, and any other relief as this Court deems just and proper.

This 12th day of December, 2014.

Respectfully Submitted,

<<Signature>>
Supervising Attorney (Bar No. 12345)
Warren & Brandeis


To: Supervising Attorney
From: Ikee Gardner
Re: Jennifer Laura Entz
Date: December 12, 2014

SUMMARY

NC Thermaview is likely liable for violation of the North Carolina Unfair and Deceptive Trade Practices Act, violation of the North Carolina Identity Theft Act, business interruption, breach of contract, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty. Ms. Entz may have a claim against Dr. Prosser; however, that claim is untenable and she should sue NC Thermaview only. Ms. Entz should be evaluated by a psychiatrist to determine whether there is diagnosable emotional harm that can be integrated into her complaint. A data security expert should be hired to evaluate Thermaview’s systems and records to determine whether the data breach proximately caused Ms. Entz’s identity to be stolen. Ms. Entz should also be advised on the benefits and detriments of filing a Jane Doe lawsuit.

FACTS

Jennifer Laura Entz is a 60-year-old Durham resident and candidate for re-election to the Durham School Board. She purchased thermal heat imaging services from NC Thermaview, a Raleigh business managed by a licensed nurse. NC Thermaview performs thermal heat imaging mammography and sends the resulting images to the physician each patient designates. During her initial consultation, NC Thermaview’s receptionist assured Ms. Entz that all information associated with her visit would be confidential. Ms. Entz also read a company brochure which stated that services would be provided “in a confidential and supportive environment.” Ms. Entz paid with her credit card and requested that the results be sent to her doctor, Dr. Wilhelmina Prosser. NC Thermaview sent the images to Dr. Prosser through a password-protected website and sent a copy via U.S. mail.

Between January 2014 and March 2014, Ms. Entz’s identity was stolen. Three credit cards were opened in Ms. Entz’s name amassing over $180,000 in charges. In May 2014, Ms. Entz’s bank identified suspicious transactions in which someone tried to transfer funds out of her savings and money market accounts.

In October 2014, NC Thermaview sent Ms. Entz a data security breach notice. The notice said that her credit card and other information had suffered a “possible exposure” to a hacking attack during “a period of time from January of 2014 through June of 2014.” The notice said that NC Thermaview had alerted law enforcement and hired data security experts to repair the system.

Ms. Entz believes the data breach allowed an identity thief to access her information. She estimates that she has spent 200 hours in work to restore and protect her credit and to search for the identity thief, taking away time from her work as a freelance technology manual editor. She ordinarily earns between eighteen and thirty dollars per hour as an editor. She is concerned that she has been unproductive and unable to focus. Dr. Prosser referred Ms. Entz to a psychiatrist for anxiety therapy.

Ms. Entz worries that the mammography images will become public. She believes that if the images became public it could compromise her re-election to the Durham School Board. She is concerned about negative associations of a public photo displaying her torso, and concerned about the possibility that anyone who viewed the images might erroneously think she was ill.


DISCUSSION

I. Pseudonymous Pleading and Venue Considerations.

It may be beneficial for Ms. Entz to litigate under a pseudonym, such as “Jane Doe.” Ms. Entz has expressed her concern that the thermal images may reach the public, and may not wish for a potential lawsuit against NC Thermaview to be associated with her name. Public association with a lawsuit may negatively affect her chances for re-election. Voters in the School Board election may think that she is combative (due to being involved in litigation), unhealthy (due to having mammography imaging) or unable to fulfill her School Board responsibilities (due to her anxiety and inability to focus). Alternatively, the lawsuit may benefit her public image. Voters may think she is determined (due to her attempts to track down the identity thief) and relatable (mammograms are common experiences for women). The lawsuit may present an opportunity for her to demonstrate character traits towards which voters are sympathetic. Ms. Entz should carefully consider the advantages and disadvantages of a Jane Doe lawsuit. North Carolina county courts do not require a motion to file pseudonymously.1

Filing the case in Durham County may provide Ms. Entz with a jury more sympathetic to her case: she is a Durham resident, whereas the defendant is located in Wake County. A jury in Durham County may look favorably on a local plaintiff. On the other hand, if specifics are known about the judge(s) in Wake County which may weigh in Ms. Entz’s favor, then we should file in Wake County.

II. Negligence Claims Against NC Thermaview

NC Thermaview is likely liable for negligence in failing to comply with HIPAA, and for negligence in failing to timely discover the data breach. Negligence occurs when a defendant owes the plaintiff a duty, breaches that duty, and the plaintiff’s injury is proximately caused by the breach.2 A "duty" is defined as a legal obligation requiring a person to conform to a certain standard of conduct.3 Here, NC Thermaview owed Ms. Entz a duty to conform to applicable security standards and a duty to routinely check for data breaches. However, with the exception of the 200 hours of work lost, Ms. Entz’s existing financial harm does not have a clear nexus to the data breach. Further investigation is needed, for example bringing in an expert to assess Thermaview’s records, in order to establish whether the data breach proximately caused the identity theft. There are also problems establishing harm. A formal diagnosis by Ms. Entz’s psychiatrist will determine whether or not there is any emotional harm. A psychiatric diagnosis can also determine whether the identity theft proximately caused the emotional harm.

1 North Carolina appears to accept pseudonymous plaintiffs implicitly. See Doe v. Duke University, 455 S.E.2d 470 (N.C. Ct. App. 1995); ACT-UP Triangle (AIDS Coalition to Unleash Power Triangle) v. Comm’n for Health, 472 S.E.2d 605 (N.C. Ct. App. 1996); Doe v. Jenkins, 547 S.E.2d 124 (N.C. Ct. App. 2001). The 4th Circuit uses a balancing test with the following factors: whether the plaintiff simply wants to avoid criticism or wants to preserve “privacy of a sensitive and highly personal nature,” whether being identified puts the plaintiff or third parties at risk of physical or mental harm, the plaintiff’s age, whether the action is against a governmental or private party, and the risk of unfairness to the defendant from allowing an action from an anonymous plaintiff. James v. Jacobson, 6 F.3d 233, 238 (4th Cir. 1993).
2 22 Strong’s North Carolina Index 4th Negligence § 8 (2014).
3 Whisnant v. Carolina Farm Credit, 693 S.E.2d 149 (N.C. Ct. App. 2010).


A. NC Thermaview Negligently Failed to Implement HIPAA and HITECH Act Data Security Standards

Compliance with HIPAA has been recognized as evidence of a duty owed in North Carolina.4 For example, in Acosta v. Byrum, a plaintiff alleged that her psychiatrist allowed a third party to see her medical records. The court ruled that HIPAA “provid[es] evidence of the duty of care owed.”5 Here, NC Thermaview owes Ms. Entz the duty to comply with HIPAA standards.

NC Thermaview is a ‘business associate’ under HIPAA. Under the HITECH Act, business associates are required to comply with the same Security Rule requirements as HIPAA covered entities.6 HIPAA defines a ‘covered entity’ to include a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA rules, such as a claim for payment.7 Assuming Dr. Prosser transmits as well as receives electronic health information, Dr. Prosser is a covered entity. HIPAA defines a ‘business associate’ as a person who “other than in the capacity of a member of the workforce of such covered entity…performs, or assists in the performance of: [a] function or activity involving the use or disclosure of individually identifiable health information.”8 NC Thermaview “assists” in the “performance” of thermal imaging services and “discloses” the individually identifiable images to Dr. Prosser. NC Thermaview thus qualifies as a business associate.

As a business associate, NC Thermaview has a duty to “encrypt electronic protected health information whenever deemed appropriate.”9 Under HHS guidance, encryption renders data at rest unusable, unreadable, and indecipherable if it is consistent with NIST Special Publication 800-111; data in motion must be protected consistent with NIST’s transport guidance, for example TLS.10 Two points bear on how we plead this. First, the HIPAA encryption specifications are “addressable” rather than “required,” so NC Thermaview may argue that it assessed encryption and documented an equivalent alternative; we should demand its risk analysis and any such documentation in discovery. Second, a password on a website is an access control, not encryption: it does not protect the stored images if the server itself is compromised, and it says nothing about whether the images were encrypted in transit. We should establish what, if anything, NC Thermaview actually encrypted. On the facts as reported, the failure to encrypt the website is a breach of NC Thermaview’s duty under HIPAA. As reviewed above, causation and harm cannot be established under the present facts.

B. Negligence: NC Thermaview’s Failure to Timely Discover the Breach.

NC Thermaview’s statement that it “only recently discovered” the data breach indicates a breach of its duty to follow industry standards. Under the HITECH Act, a breach is treated as “discovered” on the date when the business associate “reasonably should have known” of the breach.11 Thermaview failed to comply with industry standards governing when it reasonably should have known that hackers had breached its system.12 PCI DSS, the industry standard for the payment card industry, applies to all entities that store, process or transmit cardholder data, including merchants and service providers.13 “Cardholder data” is defined as account numbers, cardholder names, expiration dates, and service codes. In addition to requirements to encrypt cardholder data14 and to maintain secure systems,15 PCI DSS requires testing for the presence of wireless access points and identifying all authorized and unauthorized wireless access points “on a quarterly basis.”16 Thermaview processed Ms. Entz’s cardholder data when it accepted her credit card payment. On a quarterly cycle, a data breach that began in January should have been caught by the end of March, and one that began in June by the end of September. Thermaview therefore reasonably should have known of the breach no later than September, the close of the third quarter.17 Thermaview breached its duty to comply with industry standards by failing to complete quarterly detection of wireless access points. One caveat: the quarterly wireless scan is aimed at rogue access points, so it would have revealed this intrusion only if the attacker came in through one. PCI DSS also requires daily review of audit logs (Requirement 10) and intrusion-detection monitoring (Requirement 11.4), which bear more directly on when Thermaview should have noticed an attacker in its systems; we should ask whether either was in place. As reviewed above, causation and harm cannot be established under the present facts.

4 Acosta v. Byrum, 638 S.E.2d 246, 249-253 (N.C. Ct. App. 2006).
5 Id. at 253.
6 The HITECH Act states that “[s]ections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.” Health Information Technology for Economic and Clinical Health Act (HITECH Act), § 13401(a), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf (last visited Dec. 11, 2014).
7 45 C.F.R. § 160.103. We should find out whether Dr. Prosser does transmit health information electronically. In Ms. Entz’s case, Dr. Prosser is receiving electronic information but we do not know if she transmits information electronically. Regardless, most doctors’ offices send patient data electronically for billing/administrative purposes. By doing business with any doctor’s office that transmits electronic information, NC Thermaview is a business associate.
8 45 C.F.R. § 160.103.
9 Health Information Technology for Economic and Clinical Health Act (HITECH Act) § 13401(a), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf (last visited Dec. 11, 2014); 45 C.F.R. § 164.312(a)(2)(iv); 45 C.F.R. § 164.312(e)(2)(ii).
10 U.S. Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html (last visited Nov. 12, 2014).
11 Health Information Technology for Economic and Clinical Health Act (HITECH Act) § 13402(c), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf (last visited Dec. 11, 2014);

III. Violation of NC Unfair & Deceptive Trade Practices Act/ “Little FTC Act”

NC Thermaview’s failure to complete quarterly wireless access point inspections and failure to encrypt the website are likely violations of the North Carolina Unfair and Deceptive Trade Practices Act. Under North Carolina law, unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are unlawful.18 In Johnson v. Phoenix Mutual Life Ins. Co., the plaintiff and defendant entered into a contract to negotiate a mortgage loan. The defendant’s representative mistakenly misstated the financial consequences of substituting one commercial leaseholder for another.19 The court ruled that the defendant’s actions were neither unfair nor deceptive.20 The defendant was cooperative at all times and never “exerted itself in any manner which would have contributed to the problem” of getting tenants.21 The defendant did not act deceptively but “undertook to keep the partnership accurately and clearly informed of the state of affairs.”22

The instant case can be distinguished from Johnson. NC Thermaview was not cooperative with Ms. Entz. Thermaview waited too long to check its systems for a breach, in noncompliance with industry standards. Thermaview did not keep Ms. Entz clearly informed. Ms. Entz received notice of the breach in the fourth quarter of the year, when according to the data breach notice the breach began in January. Quarterly wireless access point inspections would have revealed a January breach in March, and would have revealed a June breach in September. A court would likely rule that NC Thermaview is in violation of the UDTPA.

12 PCI standards are established by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. PCI Security Standards Council, About The PCI Security Standards Council, https://www.pcisecuritystandards.org/organization_info/ (last visited Dec. 12, 2014).
13 PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.0, at 7 (2013), https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf.
14 Id. at 44.
15 Id. at 49.
16 Id. at 89.
17 Id. at 7-8.
18 N.C. Gen. Stat. § 75-1.1(a) (2014).
19 Johnson v. Phoenix Mutual Life Ins. Co., 266 S.E.2d 610, 616-18 (N.C. 1980).
20 Id. at 623.
21 Id. at 622.
22 Id. at 622-623.


In Pearce v. American Defender Life Ins. Co., the plaintiff’s late husband bought a life insurance policy which he believed would cover him.23 After his death, the insurance company refused to pay part of the policy.24 His wife sued.25 The court ruled that a defendant’s actions are unfair and deceptive if they have the “capacity…to deceive,” judged from the standpoint of the average consumer, and if the plaintiff suffered actual injury as a proximate result.26 NC Thermaview’s actions are unfair and deceptive under the definition in American Defender. The average consumer would assume that the marketing statement “confidential and supportive” in the NC Thermaview brochure meant that their personal information was safe from hackers. The data breach proximately caused Ms. Entz to lose 200 hours of work.

A court will award treble damages for violations of the UDTPA.27 Presently, lacking evidence that the data breach proximately caused her identity theft or proximately caused a diagnosable emotional disorder, Ms. Entz is likely entitled to treble her lost work revenue. If evidence of proximate cause becomes available, or a further medical diagnosis becomes available, Ms. Entz would be entitled to treble the amount a jury assigns to all three harms.

IV. Violation of North Carolina Identity Theft Act.

NC Thermaview may be liable for violation of the North Carolina Identity Theft Act, because the business failed to delete or destroy the images after sending them to Dr. Prosser. Under the Act, any business that does business in NC or maintains or possesses personal information of an NC resident is required to “take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.”28 These “reasonable measures” must include the implementation of policies to erase electronic media containing personal information so that it can no longer be read or reconstructed.29

Mailing the images to Dr. Prosser may be a form of “disposal.” Since Thermaview is run by a nurse (as opposed to a physician), she could not expect to do any further medical procedures, diagnoses, or treatments after obtaining the thermal imaging scans. After obtaining the scans, she turns them over to Dr. Prosser without expecting to use them any more. This counts as “disposal” because the nurses who run NC Thermaview do not intend to use the information further after it is sent to the patient’s doctor of choice; the information is “dispos[ed] of” by sending it to Dr. Prosser. NC Thermaview is liable for violation of the NC Identity Theft Act by failing to destroy the information. Under N.C. Gen. Stat. § 75-64(f), Ms. Entz is entitled to treble damages and attorney’s fees for the violation.30

V. Business Interruption

Ms. Entz will likely be able to recover damages for business interruption. Under Young v. Stewart, a plaintiff is entitled to recover for lost profits when business earnings are due to her personal efforts (as opposed to hired employees), when the defendant tortiously causes the reduction in the plaintiff’s earning capacity, and when there is sufficient evidence of the plaintiff’s past earnings.31 Here, Ms. Entz lost at least $3,600 and at most $6,000 (calculated using the range of $18 to $30 per hour charged, times 200 hours spent restoring her credit and looking for the identity thief). Like the plaintiff in Young v. Stewart, whose earnings and commissions were drastically reduced when the defendant caused her chronic back pain by crashing into her vehicle, Ms. Entz’s earning ability has been drastically reduced since the NC Thermaview data breach caused her loss of ability to focus.32 Ms. Entz is likely entitled to recover damages in the amount of the profits she reasonably would have made, were she not distracted from her work. She should see a psychiatrist to determine whether she has a diagnosable inability to focus or clinical anxiety disorder caused by the data breach. A medical diagnosis, if available, will bolster her business interruption claim. She should also prepare evidence of her past earnings, such as a list of accounts receivable or invoices.

23 Id. at 176.
24 Id. at 177.
25 Id.
26 Id. at 180.
27 N.C. Gen. Stat. § 75-16 (2014).
28 N.C. Gen. Stat. § 75-64(a) (2014).
29 N.C. Gen. Stat. § 75-64(b) (2014).
30 N.C. Gen. Stat. § 75-64(f) (2014).

VI. Negligent Infliction of Emotional Distress

A claim for negligent infliction of emotional distress (“NIED”) is likely to succeed in the event that Ms. Entz has a diagnosable emotional or mental disorder (such as PTSD, chronic anxiety, or depression) caused by the data breach. Under North Carolina law, to state an NIED claim, the plaintiff must show that the defendant’s conduct was negligent, that the defendant’s conduct would foreseeably cause severe emotional distress to the plaintiff, and that the defendant’s actions did in fact cause severe emotional distress.33 Proximate cause of severe distress is required.34 Severe emotional distress is defined as “any emotional or mental disorder…which may be generally recognized and diagnosed by professionals trained to do so.”35 In Reilly v. Ceridian, plaintiffs sued a payroll processing firm for emotional distress after a security breach of their personal information. The court ruled that emotional distress could not exist if there was no change in the status quo and no human health concern at stake. The facts of the instant case can be distinguished from Reilly v. Ceridian. Here, the status quo has changed. Ms. Entz has lost over $180,000 and her income as a freelance editor has been compromised. Her inability to focus represents a health concern. A medical diagnosis, if available, would further support the argument that a weighty health concern is at stake.

VII. Breach of Contract

NC Thermaview is liable for breach of contract. Breach of contract occurs when there is existence of a valid contract and breach of the terms of that contract.36 A valid contract is formed when there is assent, mutuality, and definite terms including consideration.37 Here, Ms. Entz and NC Thermaview formed a contract when she paid for the services with her credit card. Her credit card payment was the acceptance of NC Thermaview’s offer of thermal imaging in a “confidential” environment. Ms. Entz assented to the offer by paying. The amount she paid for the thermal imaging was Ms. Entz’s consideration. Breach of contract occurred because Ms. Entz’s treatment was not confidential. Ms. Entz justifiably relied on the premise that her information would be kept confidential.

31 Young v. Stewart, 101 N.C. App. 312, 316-17 (1991).
32 Id. at 312-313.
33 22 Strong’s North Carolina Index 4th Negligence § 43 (2014).
34 Johnson v. Ruark Obstetrics and Gynecology Assocs., P.A., 327 N.C. 283, 304 (1990).
35 Id.
36 6 Strong’s North Carolina Index 4th Contracts § 87 (2014).
37 6 Strong’s North Carolina Index 4th Contracts § 3 (2014).


VIII. Breach of Implied Covenant of Good Faith & Fair Dealing

NC Thermaview likely breached the implied covenant of good faith and fair dealing by failing to comply with

HIPAA security standards and PCI quarterly monitoring standards. When Ms. Entz paid for the imaging services

with her credit card, she entered into an enforceable contract with NC Thermaview. NC Thermaview offered

thermal imaging sent to her doctor, with a confidential and supportive environment. Ms. Entz accepted by payment

with consideration equal to the cost of the services. Any party who enters an enforceable contract is “required to act

in good faith and to make reasonable efforts to perform his obligations under the agreement.” 38 A breach of this

implied covenant occurs when there is a breach of an express term of the contract, prompted by the defendant’s

conscious and deliberate act.39 In Resnick v. Avmed, plaintiffs became victims of identity theft when Avmed laptops

were stolen. The court ruled that there was no breach of the covenant of good faith and fair dealing because Avmed

did not commit a conscious and deliberate act causing the identity theft.40 Here, NC Thermaview breached an

express term of the agreement by failing to provide a “confidential” environment. The failure to provide

confidentiality did not occur through NC Thermaview’s mistake, but through the deliberate decision to rely on password protection alone for the website, rather than encrypting the data it held, and to forgo the quarterly monitoring for unauthorized wireless access points that PCI standards require. NC Thermaview’s failure to encrypt the data on the website, and its failure to comply with PCI standards for between four and ten months, demonstrate two deliberate acts which compromised the privacy of Ms. Entz’s personal data.

IX. Breach of Fiduciary Duty

Breach of fiduciary duty occurs when a defendant fails to "act in good faith and with due regard to

plaintiff's interests.”41 For example, in White v. Consolidated Planning, an insurance company hired the plaintiff’s

son, who misappropriated funds from his parents’ account. The court ruled that the insurance company violated

fiduciary duty by breaching trust and allowing the parents to rely on false representations.42 Here, NC Thermaview

also did not act with due regard to Ms. Entz’s best interest. The company allowed her to rely on the representation

that its services were confidential. NC Thermaview failed to encrypt the data held on the website where her images were stored and failed to check regularly for unauthorized wireless access points.

X. Negligence Claims Against Dr. Prosser

Dr. Prosser may be liable for negligence due to failure to set up a HIPAA-compliant contractual business

associate relationship with NC Thermaview. As discussed in Section I, assuming Prosser transmits as well as

receives electronic health information, Prosser is a covered entity under 45 CFR 160.103. NC Thermaview is then a

business associate under 45 CFR 160.103. A covered entity can only allow a business associate to “create, receive,

maintain, or transmit protected health information on its behalf,” if the covered entity “obtains satisfactory assurance

38 6 Strong’s North Carolina Index 4th Contracts § 56 (2014).
39 Resnick v. AvMed, Inc., 693 F.3d 1317, 1329 (11th Cir. 2012).
40 Id. at 1329-30.
41 White v. Consolidated Planning, Inc., 166 N.C. App. 283, 293 (2004) (quoting Vail v. Vail, 233 N.C. 109, 114 (1951)).
42 Id. at 294.


that the business associate will appropriately safeguard the information.”43 Prosser may be obligated to set up a

contract with business associates requiring them to use appropriate data security standards. Thermaview’s failure to

implement appropriate data security practices may be attributable to the doctor for negligence.

Although Prosser likely represents a more monetarily viable target for suit than NC Thermaview due to

insurance, Ms. Entz probably should only sue NC Thermaview. The claim against Dr. Prosser is not strong. Since

NC Thermaview only sent the images to Dr. Prosser once, Prosser will argue that a one-time interaction does not

constitute a business associate relationship and does not necessitate a contract under HIPAA. The type of covered

entity – business associate relationship likely intended by the statute is a long-term relationship, such as that

between a doctor’s office and a payroll firm, or between a hospital and an administrative staffing company. The

claims against NC Thermaview are significantly stronger than any claims against Prosser. Dr. Prosser may be a key

witness or supply a key deposition as to Ms. Entz’s emotional state, in the event that Ms. Entz has a diagnosable

emotional condition resulting from the data breach. Ms. Entz should consider whether a possible larger payout on a

less tenable claim outweighs Dr. Prosser’s value as a witness to her anxious and agitated state in a suit against

Thermaview.

XI. Claims Presently Unlikely to Succeed

No defamation has occurred under the present facts. If the thermal images ever actually appear on the Internet paired with false information, such as a statement that Ms. Entz is sickly, the individual posting the photos would likely be liable for defamation.44 Ms. Entz could use a reputation defender service (such as Reputation.com) to search the Internet regularly for any photos of her torso.45 If the photos are posted, a reputation defender would minimize the damage to Ms. Entz’s public image by identifying the photos quickly and attempting to remove them from search engines.

A fraud claim will likely fail because there is no evidence that NC Thermaview intended for its customers’ data to be stolen or intended to deceive customers.46 Thermaview’s promissory misrepresentation of a “confidential” environment does not constitute fraud, because there is no evidence that Thermaview intended to cause harm.47 An intentional infliction of emotional distress claim will fail because there is no evidence that Thermaview intended to cause her any anxiety and, as of yet, no medical diagnosis of Ms. Entz’s anxiety.48 North Carolina recognizes neither the Public Disclosure of Private Facts tort nor the False Light in the Public Eye tort.49

43 45 C.F.R. § 164.502(e)(1)(i) (the quoted “satisfactory assurance” requirement; 45 C.F.R. § 160.103 supplies the definitions of covered entity and business associate).
44 Defamation occurs when a falsehood is published as a statement of fact and proximately causes injury. Tyson v. L'Eggs Products, Inc., 84 N.C. App. 1 (1987).
45 Reputation.com helps individuals and businesses control their online personae. “About Us,” http://www.reputation.com (last visited Dec. 11, 2014).
46 Fraud occurs when there is a false representation or concealment of a material fact, reasonably calculated to deceive, made with intent to deceive, which does in fact deceive, resulting in damage to the injured party. Ragsdale v. Kennedy, 286 N.C. 130, 130 (1974).
47 Pierce v. American Fidelity Fire Ins. Co., 240 N.C. 567, 567 (1954).
48 Intentional Infliction of Emotional Distress occurs when an actor who by extreme and outrageous conduct intentionally or recklessly causes severe emotional harm to another is subject to liability for that emotional harm, and if the emotional harm causes bodily harm, also for the bodily harm. Dickens v. Puryear, 302 N.C. 437, 447 (1980).
49 See Hall v. Post, 355 S.E.2d 819 (N.C. Ct. App. 1987). Public Disclosure of Private Facts occurs when one who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that a) would be highly offensive to a reasonable person and b) is not of


XII. Conclusion

Ms. Entz should wait to file suit (while still staying within the statute of limitations) until she receives a

psychiatric evaluation and until a data security expert can investigate a potential nexus between the data breach and

Ms. Entz’s identity theft. Presently, she is likely able to recover on six claims, two of which offer treble damages.

However, she will be unable to allege negligence without proof of proximate cause. She will be unable to allege

NIED without a medical diagnosis of emotional distress. A psychiatric evaluation and the opinion of a data security

expert may provide Ms. Entz with more claims to raise in litigation and strengthen the claims on which she is

already likely to prevail.

This work complies with the UNC Honor Code.

legitimate concern to the public. RESTATEMENT (SECOND) OF TORTS § 652D (1977). False Light in the Public Eye occurs when one who gives publicity to a matter concerning another places the other before the public in a false light, and is subject to liability to the other for invasion of privacy if a) the false light in which the other was placed would be highly offensive to a reasonable person, and b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed. RESTATEMENT (SECOND) OF TORTS § 652E (1977).