Weinberg v. Advanced Data Processing, Inc.

ORDER

BETH BLOOM, UNITED STATES DISTRICT JUDGE

THIS CAUSE is before the Court upon Defendant’s Motion to Dismiss, (“Motion”), ECF No. [13], Plaintiffs Complaint, ECF *1362No. [1] (“Complaint”). The Court has carefully reviewed the Motion, all supporting and opposing submissions, the record, and applicable law. For the reasons set forth below, the Motion is granted in part and denied in part.

I. Introduction

Plaintiff Yehonatan Weinberg (“Plaintiff’) commenced this class action lawsuit on August 4, 2015, against Defendants Advanced Data Processing, Inc. (“ADP”) and Intermedix Corp. (“Intermedix,” together with ADP, “Defendants”),1 for failure to safeguard the sensitive personal information of Plaintiff and other emergency medical service patients (the “Class”), including their names, dates of birth, Social Security numbers, dates of medical services, health insurance information, and other protected health information (collectively, “Sensitive Information”), pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. §§ 1301, et seq., and its implementing rules.

At some point in 2012, Plaintiff was taken by ambulance to a hospital for emergency medical treatment. Compl. ¶36. In order to use the ambulance, Plaintiff was required to provide the ambulance service with his Sensitive Information. Id. ¶ 37. “Unbeknownst to Plaintiff,” the ambulance services he used, Philadelphia Fire Department Emergency Medical Services (“EMS”), engaged Defendants to handle its billing and payment-related processing services. Id. ¶38. As a result, Defendants received Plaintiffs Sensitive Information. Id. Between June 1 and October 2, 2012, “an Intermedix employee systematically accessed and viewed the Sensitive Information of hundreds (if not thousands) of emergency medical service patients [the Class] who used ambulances ([for] which Intermedix provided, among other things, billing and payment processing [ ]). This Sensitive Information was then provided to third parties who used it to file fraudulent tax returns with the Internal Revenue Service.” Id. ¶¶ 4, 21.

The records accessed and viewed by the Intermedix employee included Plaintiffs Sensitive Information. Id. ¶39. Plaintiffs Sensitive Information was “thereafter disclosed to or sold to a group of individuals who subsequently used that information to steal his identity and file a fraudulent tax return using, his name and Social Security number.” Id. ¶ 40. Plaintiff alleges that “after learning that his identity was stolen, Plaintiff Weinberg spent (and continues to spend) a substantial amount of time and resources fixing the identity theft that he experienced.” Id. ¶ 41. Plaintiff further claims that these instances of identity theft, both for him and for the Class, were caused directly by Inter-medix’s failure to protect his Sensitive Information. Id. ¶¶ 6, 44-46.

Intermedix’s alleged security failures include, but are not limited to, the following:

Failing to ensure the confidentiality and integrity of electronic protected health information created, received, maintained, and transmitted in violation of 45 C.F.R. § 164.306(a)(1);
Failing to implement technical policies and procedures for electronic information systems that maintain electronically protected health information to allow ac--eess only to those persons or software programs that have been granted access rights in violation of 45 C.F.R. § 164.312(a)(1);
Failing to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 C.F.R. § 164.308(a)(1);
Failing to identify and respond to suspected or known security incidents, and *1363failing to mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity in violation of 45 C.F.R. § 164.308(a)(6)(ii);
Failing to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information in violation of 45 C.F.R. § 164.306(a)(2);
Failing to protect against reasonably anticipated uses or disclosures of electronic protected health information that are not permitted under the privacy rules regarding individually identifiable health information in violation of 45 C.F.R. § 164.306(a)(3);
Failing to ensure compliance with the HIPAA security standard rules by their workforce in violation of 45 C.F.R. § 164.306(a)(4);
Impermissibly and improperly using and disclosing protected health information that is and remains accessible to unauthorized persons in violation of 45 C.F.R. §§ 164.502, et seq.; and
Failing to effectively train all members of their workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of their workforce to carry out their functions and to maintain security of protected health information in violation of 45 C.F.R. [§ ] 164.308(a)(5). . ■ .

Id. ¶¶ 30-31. The Complaint also alleges that Defendants failed to comply with industry standards relating to data security.2 Id. ¶¶ 32-34.

The Complaint states three counts — one for negligence, a second for breach of fiduciary duty, and a third for unjust enrichment. As to the negligence claim, Plaintiff asserts that Defendants “had a duty to exercise reasonable care in safeguarding and protecting” Sensitive- Information, id. ¶ 55, as well as “a duty to employ procedures to detect and prevent the improper access and misuse of the Plaintiffs and the Class’s Sensitive Information,” id. ¶ 56. Plaintiff alleges that Defendants unlawfully breached these duties. Id. ¶¶ 56-57. “But for [Defendants’] breach of its duties, Plaintiffs and the Class’s Sensitive Information would not have been compromised. Plaintiffs and the Class’s Sensitive Information was stolen and accessed as the proximate result of Intermedix failing to exercise reasonable care in safeguarding such information by adopting, implementing, and maintaining appropriate security measures.” Id. ¶59. Pursuant to the claim for breach of fiduciary duty, Defendants “owed a fiduciary duty to Plaintiff and the Class to: (1) protect their Sensitive Information; (2) timely notify them of a data breach; and (3) maintain complete and accurate records of what and where their Sensitive Information was stored and who had access to that information.” Id. ¶ 63. Defendants breached this duty to Plaintiff and the Class by failing to safeguard their Sensitive Information, which failures are articulated in more detail above and in the- Complaint. See id. ¶ 64. For counts one and two, Plaintiff alleges actual damages that proximately flow from Defendants’ breach 'of fiduciary duty, as well as “other forms of injury and/or harm including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic lósses.” Id. ¶¶ 60-61, 65-66.3 Plaintiffs third cause of *1364action for unjust’enrichment alleges that, “[U]nder principles of equity and good conscience,” Plaintiff and the Class are owed money knowingly received by Defendants for their payment processing services. Id. ¶¶ 67-72.

II. Legal Standard

A pleading in a civil action must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). Although a complaint “does not need detailed factual allegations,” it must provide' '“more - than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007); see Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (explaining that Rule 8(a)(2)’s pleading standard “demands more than -an -unadorned, the-defendant-unlawfully-harmed-me accusation”). Nor can a complaint rest on “ ‘naked assertion^]’ devoid of ‘further factual enhancement.’” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Twombly, 550 U.S. at 557, 127 S.Ct. 1955 (alteration in original)). When reviewing such a motion, ■ a court, as a general rule, must accept the plaintiffs allegations as true- and evaluate all plausible inferences derived from those facts in favor of the plaintiff. See Chaparro v. Carnival Corp., 693 F.3d 1333, 1337 (11th Cir.2012); Miccosukee Tribe of Indians of Fla. v. S. Everglades Restoration Alliance, 304 F.3d 1076, 1084 (11th Cir.2002); AXA Equitable Life Ins. Co. v. Infinity Fin. Grp., LLC, 608 F.Supp.2d 1349, 1353 (S.D.Fla.2009) (“On a motion to dismiss, the complaint is construed in the light most favorable'to the non-moving party, and all facts alleged by the non-moving party are accepted as true.”).

A court considering a Rule 12(b) motion is generally limited to the facts contained in the complaint and attached exhibits, including documents referred to in the complaint that are central to the claim. See Wilchombe v. TeeVee Toons, Inc., 555 F.3d 949, 959 (11th Cir.2009); Maxcess, Inc. v. Lucent Technologies, Inc., 433 F.3d 1337, 1340 (11th Cir.2005) (“[A] document outside the four corners of the complaint may still be considered if it is central to the plaintiffs claims and is undisputed in terms of authenticity.”) (citing Horsley v. Feldt, 304 F.3d 1125, 1135 (11th Cir.2002)).

III. Discussion

Defendants argue that Plaintiffs allegations are conclusory and, thus, insufficient. See Motion at 2. For this reason, they argue that none of Plaintiffs three counts state a claim upon which relief can be granted. See id. Plaintiff counters that Defendants’ arguments are unsupported and improperly rely on facts outside of the four corners of the complaint. See ECF No. [18] (“Plaintiffs Response”) at 2.

A. Negligence

Defendants argue that dismissal of Plaintiffs negligence claim is warranted because Plaintiff has failed to establish any direct relationship between the parties— and even explicitly conceded as much. See Motion at 5-6 (quoting Compl. ¶24) (“Plaintiff pleads that he ’did not have a direct relationship (business or otherwise) with [Defendants].”’). Plaintiff responds that Defendants owed him a duty that *1365originated from three different'' sources, outside of Defendants’ “direct relationship” test, which Plaintiff maintains has no support in the ■ law. See Pl. Resp. at 67.

A negligence claim requires a plaintiff to show that (1) defendant owes plaintiff a duty, (2) defendant breached the duty, (3) defendant’s breach injured plaintiff, and “(4) [plaintiffs] damage [was] caused by the injury to the plaintiff as a result of the defendant’s breach of duty.” Resnick v. AvMed, Inc., 693 F.3d 1317, 1325 (11th Cir.2012) (quoting Delgado v. Laundromax, Inc., 65 So.3d 1087, 1089 (Fla. 3d DCA 2011)). Here, Defendants only dispute' the first element of the negligence claim — the duty owed by them to Plaintiff. “Duty for purposes óf á negligence claim encompasses concepts of foreseeability and may arise from: (1) legislative enactments or administration regulations; (2) judicial interpretations of such enactments and regulations;' (3) other judicial precedent; and (4) a duty arising from the general facts of-the case.” Zinn v. United States, 835 F.Supp.2d 1280, 1311 (S.D.Fla.2011) (citing Clay Elec. Coop., Inc. v. Johnson, 873 So.2d 1182, 1185 (Fla.2003)). The third category, judicial precedent, dictates that a defendant may assume a duty “whenever one undertakes to provide a service to others, whether one does so gratuitously or by contract, the individual who undertakes to provide the service thereby .assumes a duty to act carefully and to not put others at undue risk of harm,” Zinn, 835 F.Supp.2d at 1312 (citing Clay Electric Coop., Inc. v. Johnson, 873 So.2d 1182, 1186 (Fla.2003)). This casé láw principle is known as the “undertaker’s doctrine.” See id. The fourth category encompasses “that class of cases in which the duty arises because of a foreseeable zone of risk arising from the acts of the defendant.” McCain v. Florida Power Corp., 593 So.2d 500, 503 n. 2 (Fla.1992); see Lamm v. State Street Bank and Trust, 749 F.3d 938, 947 (11th Cir.2014) (citations omitted) (“Florida recognizes that a legal duty arises whenever a human endeavor creates a generalized and foreseeable risk of harming others.”). Plaintiffs argue that Defendants’ duty in this instance arose from three independent sources’: ’ (1) HIPAA; (2) the undertaker’s doctrine; and (3) the foreseeable zone of risk created by Defendants. See Pl. Resp. at 6-7.

1. HIPAA

HIPAA provides no private right of action — a fact which Plaintiff does not contest. See Pl. Resp. at 7-8; Jenkins v. Grant Thornton LLP, 2014 WL 860547, at *7 (S.D.Fla. March 5, 2014) (citing Sneed v. Pan American Hosp., 370 Fed.Appx. 47, 50 (11th Cir.2010) (“We decline to hold that HIPAA creates a private cause of action.”)); see also Bradley v. Pfizer, Inc., 440 Fed.Appx. 805, 809 (11th Cir.2011) (relying on Fifth Circuit decision in holding for first time that “there is no private right of action for a violation of HIPAA’s confidentiality provisions”). Yet, Plaintiff still maintains that he has stated a claim for negligence based upon alleged HIPAA violations.

“Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute that does not provide for a private right of action.” Stevens v. Danek Medical, Inc., 1999 WL 33217282, at *5-6 (S.D.Fla.1999) (citing Jupiter Inlet Corp. v. Brocard, 546 So.2d 1, 2-3 (Fla. 4th DCA 1998) (“OSHA [Occupational Safety and Health Act] does not provide the basis for a private right of action— [Thus,] “violation of OSHA does not constitute per se negligence);' see Zarrella v. Pacific Life Ins. Co., 755 F.Supp.2d 1218, 1228-29 (S.D.Fla. Nov. 10, 2010) (“Plaintiffs cannot use negligence per se to create a private *1366cause of action for alleged violations of [Fla. Stat.] § 626.9541(l)(a)l, and (b)4 because the legislature has not demonstrated an intent to create a private cause of action under these sections.”); cf. Smith v. Triad of Alabama, LLC, 2015 WL 5793318, at *12 (M.D.Ala. Sept. 29, 2015) (“In light of Defendant’s failure to provide precedent binding on this court holding that HIPAA cannot serve as the basis of a negligence per se claim, coupled with the Allen decision, which indicates Alabama court’s willingness to allow statutes that do not otherwise provide private causes of action to serve as the basis for a negligence per se claim, Plaintiffs’ negligence per se claim is not due to be dismissed on the basis that it is not cognizable as a matter of law,”). The Plaintiffs claim of negligence based upon a violation of HI-PAA fails.

2. Undertaker’s Doctrine

“The undertaker’s doctrine imposes a duty of care not only on the parties to a contract but also to any third parties that perform services under the contract.” Hogan v. Provident Life & Acc. Ins. Co., 665 F.Supp.2d 1273, 1285 (M.D.Fla.2009) (holding that, pursuant to the undertaker’s doctrine, “[t]he duty of care owed by [defendant] Unum to Hogan is plausibly established by Hogan’s allegation that Unum’s employees “adjusted, reviewed, evaluated, handled, approved, and/or denied Hogan’s disability insurance bené-fits.”); see also Clay Elec. Co-op., Inc., 873 So.2d at 1186, This implied legal obligation or duty to act with reasonable care exists “to the end that the person or property of others may not be injured.” Ramjeawan v. Bank of America Corp., 2010 WL 1645097, at *3 (S.D.Fla. Apr. 21, 2010) (emphasis added) (citing Union Park Memorial Chapel v. Hutt, 670 So.2d 64, 67 (Fla.1996)); see Assouman v. Bank of America Corp., 2008 WL 2262031, at *3 (M.D.Fla. May 30, 2008) (denying defendant’s motion where, “taking all the allegations in a light most favorable, to plaintiff, the Court finds that it is foreseeable” that defendant “may have undertaken a duty”).

Here,-Plaintiff alleges that Defendants voluntarily agreed to provide EMS with medical billing and payment processing services, through which Defendants knowingly received Plaintiffs (as well as the Class’s) Sensitive Information. Compl. ¶¶ 38, 55. Defendants, therefore, “assume[d] a duty to act carefully and to not put [those patients] at an undue risk of harm” by, for example, neglecting to implement data security policies and procedures. Id. ¶¶3235, These allegations are sufficient to state a claim for negligence pursuant to the undertaker’s doctrine.

In their Motion, Defendants rely on cases with no-duty findings predicated upon factual circumstances that are conspicuously absent in the instant, action. See, e.g., Willingham v. Glob. Payments, Inc., 2013 WL 440702, at *18 (N.D.Ga. Feb. 5, 2013) (finding no duty because plaintiffs, non-Georgia residents, alleged negligence claim predicated on Georgia’s Data Breach Notification statute, which created a duty with respect to Georgia residents only); Hammond v. The Bank of N.Y. Mellon Corp., 2010 WL 2643307, at *9 (S.D.N.Y. June 25, 2010) (holding no duty in case with defendant bank because, “generally, banks owe no duty of care to their non-customers”). Defendants fail to present any other bases for dismissal of Plaintiffs negligence claim for the Court’s analysis. Thus, Defendants’ one-note attack must fail. Because the Court concludes that Plaintiff has sufficiently alleged a duty pursuant to the undertaker’s doctrine, the Court refrains from analyzing Plaintiffs final argument for imposition of a duty arising under the “foreseeable zone of risk” standard. See, e.g., Virgilio v. *1367Ryland Group, Inc., 680 F.3d 1329, 1339-40 (11th Cir.2012).

B. Breach of Fiduciary Duty

The elements of a claim for breach of fiduciary duty are: (1) the existence of a fiduciary relationship; (2) breach of a duty owed by the fiduciary; and (3) proximate cause. Combe v. Flocar Inv. Grp. Corp., 977 F.Supp.2d 1301, 1307 (S.D.Fla.2013) (citation omitted). Fiduciary relationships must be either expressly or impliedly created. See Greenberg v. Miami Children’s Hosp. Research Inst., Inc., 264 F.Supp.2d 1064, 1071 (S.D.Fla.2003) (citing Capital Bank v. MVB, Inc., 644 So.2d 515, 518 (Fla. 3d DCA 1994)); see also Bldg. Educ. Corp. v. Ocean Bank, 982 So.2d 37, 41 (Fla. 3d DCA 2008) (quoting Doe v. Evans, 814 So.2d 370, 374 (Fla.2002) (“While a contractual relationship between the parties is not' required to form- a fiduciary relationship, a party must be ‘under a duty to act for or to give advice for the benefit of another upon matters within the scope of that relation.’ ”). ' ■

“A fiduciary relationship which is implied in law is based on the specific factual circumstances surrounding 'the transaction and the relationship of the par-' ties.” First Nat’l Bank & Trust Co. of Treasurer Coast v. Pack, 789 So.2d 411, 415 (Fla. 4th DCA 2001) (citations omitted). “To establish a fiduciary' relationship, a party must allege some‘degree !of dependency on one side and some degree of undertaking on the other side to advise, counsel, and protect the weaker party.” Jaffe v. Bank of Am., N.A., 667 F.Supp.2d 1299, 1319 (S.D.Fla.2009). Generally, “in ah arms-length transaction, however, there is no duty imposed on either party to act for the benefit or protection of the other party, or to disclose facts that the other party could, by its own diligence have discovered.” Id. (citing Watkins v. NCNB Nat’l Bank, N.A., 622 So.2d 1063, 1065 (Fla. 3d DCA 1993)).

By Plaintiffs own admissions, Plaintiff did not depend upon either Defendant nor did either Defendant undertake to counsel, act for, or protect Plaintiff in any capacity. Compl. ¶24 (Plaintiff “did not have a direct relationship (business or otherwise) with Intermedix.”). Because he cannot plead facts to establish any direct relationship, let alone a fiduciary one, Plaintiff appears to improperly base his claim on the conclusory allegation that “[a]s guardians .of Plaintiffs’ ... Sensitive Information, Defendant owed a fiduciary duty to Plaintiff and the Class.” Id. ¶ 63. But .the mere receipt of confidential information is insufficient by itself to transform an arm’s-length transaction into a fiduciary relationship. See Winter Park Condo. Ltd. P’ship v. Wachovia Bank, N.A., 2009 WL 290992, at *l (M.D.Fla. Feb. 6, 2009) (citing Barnett Bank of Marion Cty., N.A. v. Shirey, 655 So.2d 1156 (Fla. 5th DCA 1995)) (Florida law “does not stand for the proposition attributed to it by the Plaintiff ... that the bank’s réceipt of confidential information gave rise to a fiduciary obligation.”). See, e.g., Silver v. Countrywide Home Loans, Inc., 760 F.Supp.2d 1330, 1338 (S.D.Fla.2011), aff'd, 483 Fed.Appx. 568 (11th Cir.2012) (holding that “the mere communication of confidential information between the borrower and the bank is not enough to establish a fiduciary obligation.”); see also Dolmage v. Combined Insurance Company of America, 2015 WL 292947, at *6 (N.D.Ill. Jan. 21, 2015) (plaintiff’s allegations, that she and the class members placed their trust in defendant with regard to the handling, maintenance, and disposition of their confidential personal information, were insufficient to establish that defendant owed them a fiduciary duty to secure and protect their information). Accordingly, Plaintiffs claim for breach of fiduciary duty must be dismissed.

*1368C. Unjust Enrichment

Defendants argue that Plaintiffs allegations demonstrate that any subject transaction was too tenuous to support a direct conferral of benefit, as required by a valid claim for unjust enrichment. Plaintiff responds that direct-contact between the parties is unnecessary to confer a direct benefit on a defendant for purposes of an unjust enrichment claim. The -Court agrees. ;

Unjust enrichment is an equitable doctrine that “has to do with wealth being in one person’s hands when it should' be in another person’s.” Jovine v. Abbott Labs., Inc., 795 F.Supp.2d 1331, 1341 (S.D.Fla.2011) (quoting Guyana Tel. & Tel Co. v. Melbourne Int’l Commc’ns, Ltd., 329 F.3d 1241, 1245 n. 3 (11th Cir.2003)). In Florida, “[t]o establish a cause of action for unjust emichment/restitution, a Plaintiff must show, that ‘1) the plaintiff has conferred a benefit on the defendant; 2) the defendant has knowledge of the benefit; 3) the defendant has accepted or retained the benefit conferred; and 4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it.’ ” Resnick, 693 F.3d at 1328 (quoting Della Ratta v. Della Ratta, 927 So.2d 1055, 1059 (Fla.Dist.Ct.App.2006)).

The Court finds Resnick instructive. 693 F.3d at 1328. There, plaintiffs alleged as follows:

[T]hat they conferred a monetary benefit on defendant in the form of monthly premiums, that [defendant] AvMed “appreciates or has knowledge of such benefit,” that defendant uses the premiums to “pay for the administrative costs of data management and security,” and that defendant “should not be permitted to retain the money belonging to Plaintiffs ... because [AvMed] failed to implement the data management and security measures that are mandated by industry standards.” Plaintiffs also allege that AvMed either failed to implement or inadequately implemented policies to secure sensitive, inforrpation, as can be seen from the data breach.

Resnick, 693 F.3d at 1328 (quoting complaint). The Eleventh Circuit found that these allegations were sufficient to survive a motion to dismiss. See id.

Similarly, under the instant facts, Plaintiff alleges that he paid EMS for his ambulance .trip and, as a result of the direct relationship between EMS and Defendants, a portion of his payment was transferred to Defendants. Compl. ¶38; Plaintiff, further alleges that a portion of Defendants’ share of this • payment was supposed to be, but was not, “used ... to pay for the administrative costs of data management and security.” Id. ¶ 70. The only fact differentiating this case, from Resmck is the fact that Plaintiff paid Defendants through EMS, an intermediary. But, the “direct benefit” element of an unjust enrichment claim may be satisfied where a benefit is conferred through an intermediary. In other words, a direct benefit can derive from a transaction with no direct contact. See, e.g., Williams v. Wells Fargo Bank, N.A., 2011 WL 4901346, at *5 (S.D.Fla. Oct. 14, 2011) (unjust enrichment claim survived even though the at-issue benefit did not pass directly between the parties and, instead, passed through a third party); Ulbrich v. GMAC Mortg., LLC, 2012 WL 3516499, at *2 (S.D.Fla. Aug. 15, 2012) (allegations that third-party Balboa charged plaintiff inflated premiums and. “skimmed the excess for themselves” was sufficient to show that plaintiff, by paying the allegedly excessive premiums, conferred a direct benefit on third-party); Carriuolo v. Gen. Motors LLC, 72 F.Supp.3d 1323, 1326 (S.D.Fla.2014) (“Plaintiffs have alleged that they have conferred the required di*1369rect benefit upon Defendant. It is of no matter that the benefit passed through independent dealerships.”); see also Aceto Corp. v. TherapeuticsMD, Inc., 953 F.Supp.2d 1269, 1288-89 (S.D.Fla.2013) (“It would not serve the principles of justice and equity to preclude an unjust enrichment claim merely because-the ‘benefit’ passed through an intermediary before being conferred on a defendant.”).

Plaintiff alleges, that he made a' one-time payment to EMS for its services and, as part and parcel to those services, reasonably expected that his Sensitive Information would remain confidential and protected. Compl. ¶¶ 68-70. ÉMS, in turn, decided to hire and pay Defendants to perform the portion of those services relating to billing and payment processing, which, as alleged, also involved the transmittal of Sensitive Information belonging to Plaintiff and the Class. Id. ¶ 38. Thus, Plaintiff’s single payment directly benefited both EMS and Defendants — even if Defendants received it by way of EMS. See, e.g., Romano v. Motorola, Inc., 2007 WL 4199781, at *2 (S.D.Fla. Nov. 26, 2007) (denying motion to dismiss unjust enrichment claim against cell phone manufacturer, even though plaintiff directly paid a non-defendant retailer, because “[djefeh-dant erroneously equates direct contact with direct benefit ”). The fact that EMS functioned as a payment intermediary has no legal significance for Plaintiffs unjust enrichment claim. Because the remaindér of Plaintiffs unjust enrichment claim stands unchallenged, Defendants’ Motion is denied on this count.

IV. Conclusion

Accordingly, it is ORDERED AND ADJUDGED that Defendant’s Motion to Dismiss, ECF No. [13], is GRANTED IN PART AND DENIED IN PART as follows:

1. Defendants’ Motion is DENIED as to Plaintiffs claim for negligence;
2. Defendants’ Motion is GRANTED as to Plaintiffs claim for breach of fiduciary duty;
3. Defendants’ Motion is DENIED as to Plaintiffs claim for unjust enrichment;
4. Defendants are directed to file an Answer to the Complaint no later than December 4, 2015.

DONE AND ORDERED in Miami, Florida, this 16th day of November, 2015.

. Plaintiff cites to a report published by the National Institute of Standards and Technology detailing standards for healthcare-related service providers to come into compliance with HIPAA’s Security Rule. Id. ¶¶ 32-33. He alleges that this report illustrates Defendants’ failure to "comply with even basic industry standards.” Id. ¶ 34.

. Specifically, Plaintiff alleges damages "including, but not limited to,- expenses and/or time spent on credit monitoring and identity *1364theft insurance; time spent scrutinizing bank statements, credit card statements, and credit reports; expenses and/or time spent initiating fraud alerts; decreased credit scores and ratings; and increased risk of future harm,.., Further, Plaintiff and the Class have suffered ,,and- will continue to suffer other forms of injury and/or harm including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses.” Id.