Smahaj v Retrieval-Masters Creditors Bur., Inc.
2020 NY Slip Op 20222 [69 Misc 3d 597]
September 4, 2020
Ecker, J.
Supreme Court, Westchester County
Published by New York State Law Reporting Bureau pursuant to Judiciary Law § 431.
As corrected through Wednesday, November 18, 2020


[*1]
Michelle Smahaj, Individually and on Behalf of All Others Similarly Situated, Plaintiff,
v
Retrieval-Masters Creditors Bureau, Inc., Doing Business as American Medical Collections Agency, et al., Defendants.

APPEARANCES OF COUNSEL

Lewis Brisbois Bisgaard & Smith LLP (Jeffrey Spiegel of counsel) for CBLPath, Inc., defendant.

Blau Leonard Law Group LLC (Steven Bennett Blau and Shelly A. Leonard of counsel) and Kleinman LLC (Abraham Kleinman of counsel) for plaintiff.

{**69 Misc 3d at 598} OPINION OF THE COURT
Lawrence H. Ecker, J.

In accordance with CPLR 2219 (a), the decision herein is made upon considering all papers filed in the New York State Courts Electronic Filing System (NYSCEF) relative to the motion of codefendant CBLPath, Inc. (mot seq No. 2), made pursuant to CPLR 3211 (a) (3) and (7), for an order dismissing the complaint of plaintiff Michelle Smahaj, individually and on behalf of all others similarly situated, as asserted against CBLPath. {**69 Misc 3d at 599}

This is a class action suit stemming from a data breach of a debt collection agency. Plaintiff is an individual residing in Garnerville, NY. Defendant Retrieval-Masters Creditors Bureau, Inc., doing business as American Medical Collections Agency (AMCA), is a debt collection [*2] corporation who contracts with laboratories, hospitals, and medical providers to collect unpaid debts from consumers. Codefendant CBLPath is a provider of subspecialized anatomic pathology and molecular diagnostic laboratory services with a laboratory facility in the Village of Rye Brook. CBLPath retained AMCA to provide collection services.

During some unspecified period of time, plaintiff and class members received medical services from CBLPath and failed to pay an invoice for the services. CBLPath provided AMCA with personal information of plaintiff and certain class members, including their names, dates of birth, Social Security numbers, and other information so that AMCA could collect on their debt.

From August 2018 to March 2019, a data breach allegedly occurred at AMCA. The nonparty unidentified hackers accessed AMCA's database. Plaintiff alleges that the hackers attempted to "place a batch of 200,000 payment card numbers for sale on a popular Darknet Market." Plaintiff claims that due to the data breach, it is likely that her and other class members' private information "will or has been disclosed already on the Darknet," though there is "uncertainty as to the nature and extent" of the information that was compromised. Plaintiff claims that the hack was "directly caused by the omissions and commissions of AMCA" and that CBLPath became aware of the breach on or about May 10, 2019,[FN1] but allegedly did not inform plaintiff of the data breach until July 15, 2019.

Plaintiff commenced this action in August 2019, asserting causes of action for negligence, negligence per se, breaches of implied and express contract, and several violations of the General Business Law. In the complaint, plaintiff defines the class as: "[a]ll individuals in the State of New York whose personal information was provided to AMCA by CBLPATH and was compromised as a result of the AMCA data breach." In support of her claims, plaintiff alleges that she and the class suffered three principal categories of damages: (1) an increased risk of suffering from identity theft and fraud; (2) time, money, {**69 Misc 3d at 600} and other resources spent to mitigate against risks, both now and in the future, by cancelling credit cards, ability to open new bank accounts, reversing fraudulently imposed charges, and incurring high interest rates due to the inevitable decline in credit score when plaintiff and class members reasonably do not pay for items and services they did not purchase; and (3) the diminution of the value and/or loss of the benefits or products and services purchased directly or indirectly from defendants.[FN2]

AMCA is bankrupt and has not appeared in this action. In October 2019, CBLPath filed a pre-answer motion for, among other things, an extension of time to answer or otherwise move with respect to the complaint. This court granted the motion by decision and order in December 2019. Shortly thereafter, CBLPath made this motion to dismiss the complaint against it pursuant to CPLR 3211 (a) (3) and (7), contending that plaintiff lacks standing and that she failed to state a viable claim for all causes of action asserted in the complaint.

I. Lack of Standing
[*3]

CBLPath primarily relies on dismissal under CPLR 3211 (a) (3) inasmuch as it claims that plaintiff did not sufficiently allege an injury-in-fact. " 'On a defendant's motion to dismiss the complaint based upon the plaintiff's alleged lack of standing, the burden is on the moving defendant to establish, prima facie, the plaintiff's lack of standing' " (Gobindram v Ruskin Moscou Faltischek, P.C., 175 AD3d 586, 591 [2d Dept 2019], quoting BAC Home Loans Servicing, LP v Rychik, 161 AD3d 924, 925 [2d Dept 2018]; see CPLR 3211 [a] [3]). "[T]he motion will be defeated if the plaintiff's submissions raise a question of fact as to its standing" (Gobindram v Ruskin Moscou Faltischek, P.C., 175 AD3d at 591).

As the parties point out, Manning v Pioneer Sav. Bank (56 Misc 3d 790 [Sup Ct, Rensselaer County 2016]) appears to be the only reported case in New York State addressing standing in the context of a data breach. There, the named plaintiff commenced a class action suit alleging, inter alia, negligence and breach of implied and express contract after a bank-owned laptop containing customer information (including names, Social Security numbers, addresses, and account numbers) was stolen from a bank employee's vehicle (see id. at 791). Ultimately, {**69 Misc 3d at 601} the court in Manning dismissed the complaint for lack of standing, finding that plaintiff's claimed injuries were speculative since they were based on future risks of identity theft and, thus, did not constitute an injury-in-fact (see id. at 797).

Plaintiff in this case, however, directs this court's attention to federal and out-of-state cases involving data breach victims who were found to have standing despite not having suffered actual monetary damages or were the victims of identity theft. For example, in Sackin v TransPerfect Global, Inc. (278 F Supp 3d 739 [SD NY 2017]), an employee of defendant TransPerfect disclosed plaintiffs' personal information to unidentified cybercriminals in response to a "phishing" email received on or about January 17, 2017 (id. at 744). About one month later, the plaintiffs in Sackin filed a complaint alleging four categories of injury as a consequence of the data breach: "(1) an imminent risk of future identity theft; (2) lost time and money expended to mitigate the threat of identity theft; (3) diminished value of personal information; and (4) . . . loss of privacy" (id. at 745). In finding that plaintiffs' first two alleged categories constitute injuries-in-fact, the court in Sackin considered the circumstances of the disclosure, which created "a risk of identity theft sufficiently acute so as to fall comfortably into the category of 'certainly impending' " (id. at 746). In so doing, it distinguished cases where "courts found standing to be lacking when a plaintiff's [information] was on a stolen computer, and the plaintiffs did not allege or could not show that obtaining their [information] was the motivation for the theft" (id. at 747).

Notwithstanding the Sackin decision, the court notes that a temporal component may factor into determining whether a threatened harm is sufficient for standing within the Second Circuit. For example, in Fero v Excellus Health Plan, Inc. (236 F Supp 3d 735 [WD NY 2017]), hackers breached the computer network in December 2013 for a health care provider and accessed certain personal and financial information (see id. at 744). About two years later, the initial complaint was filed, and the action was consolidated with some plaintiffs alleging that their information had been misused, while other plaintiffs did not allege any misuse (the non-misuse plaintiffs) (see id. at 744-745). The Fero court held that the non-misuse plaintiffs lacked standing because the alleged harm of increased identity fraud, without more, was too speculative given that three years had passed without any suspicious activity, which undercut assertions {**69 Misc 3d at 602} of [*4] "certainly impending" harm (id. at 753).[FN3] Moreover, the court in Fero found that with respect to those non-misuse plaintiffs, there was a lack of standing based on: (1) the alleged mitigation efforts against future identity fraud because such harm was not imminent; and (2) the alleged diminution in value of their personal information because the complaint lacked "factual allegations to support the proposition that their personal information was made less valuable to them as a result of the breach, or that the data breach negatively impacted the value of their data such that [p]laintiffs could not use or sell it" (id. at 755).

[1] Here, plaintiff has failed to establish that she and the class members have suffered injuries or that the alleged injuries are imminent (see Silver v Pataki, 96 NY2d 532, 538 [2001]; Society of Plastics Indus. v County of Suffolk, 77 NY2d 761, 772-773 [1991]; Warth v Seldin, 422 US 490, 503-504 [1975]). In contrast to Manning, the data breach at issue creates an inference of malicious intent to steal private information, supporting an increased risk of identity theft (compare Sackin v TransPerfect Global, Inc., 278 F Supp 3d at 746). However, a lengthy passage of time without any suspicious activity weighs against finding an injury-in-fact. Nearly one year elapsed from when the subject data breach occurred and more than one year has now passed since when this action was commenced. The complaint asserts that

"[p]laintiff and class members have sustained further pecuniary injury and have been compelled to expend time, money[,] and other resources to cancelling credit cards, opening new bank accounts, reversing fraudulently imposed charges, and higher interest rates due to the inevitable decline in credit score when [they] reasonably do not pay for items and services they did not purchase" (complaint ¶ 27 [emphasis added]).

Fraudulently imposed charges are indicia of fraudulent activity weighing in favor of finding an injury-in-fact (cf. Fero v Excellus Health Plan, Inc., 236 F Supp 3d at 753). But plaintiff does not specifically allege any fraudulent charges and this allegation appears to hinge on "time, money and other resources" expended to avoid or address future harm. For example, the alleged "higher interest rates" appear to be presented as a future {**69 Misc 3d at 603} harm resulting "when [p]laintiff and class members reasonably do not pay for items and services they did not purchase" (complaint ¶ 27 [emphasis added]). As such, the complaint fails to allege any actual suspicious activity that directly harmed plaintiff. Now, almost two years have elapsed since the data breach began and there is still no evidentiary proof of actual harm that plaintiff has suffered. Fero is thus persuasive as to the temporal factor of the injury-in-fact requirement. The alleged increased risk of identity theft is speculative and based on conjecture so as to not constitute an injury-in-fact. Therefore, the court likewise finds plaintiff's alleged injuries are insufficient to confer standing (see Fero v Excellus Health Plan, Inc., 236 F Supp 3d at 754-755; Manning v Pioneer Sav. Bank, 56 Misc 3d at 797).

This case is one step removed from Sackin and Fero in that the data breach is not alleged to have occurred on (or emanated from) CBLPath's network, data systems, or any other system within its control. Plaintiff's conclusory allegation that CBLPath "retained, supervised, controlled, directed[,] and authorized all actions of AMCA, which resulted in [p]laintiff['s] and class members' personal information being compromised" (complaint ¶ 24), is unsupported by any specific details related to control over AMCA's systems or data security. Such a sweeping generalization is undercut by the complaint's averment that "AMCA is one of the nations' largest [*5] debt collectors" (id. at 9). It does not follow that CBLPath—which is not alleged to have an agency relationship with AMCA nor any stake in the debt collection industry—would control "all actions" related to the data security of one of America's biggest debt collectors. Without more, plaintiff fails to demonstrate that CBLPath had control over AMCA's hacked systems (see generally Rejer v Professional Referee Org., 2020 NY Slip Op 30507[U], *4 [Sup Ct, NY County 2020]).

Plaintiff's reliance on Remijas v Neiman Marcus Group, LLC (794 F3d 688 [7th Cir 2015]) to suggest that the data breach is "fairly traceable" to CBLPath's conduct is misplaced because that case is distinguishable. In Remijas, defendant argued that plaintiffs "cannot show that their injuries are traceable to the data incursion at the company rather than to one of several other large-scale breaches that took place around the same time" (id. at 696). The court nonetheless held that plaintiffs' injuries were "fairly traceable" to the data breach at Neiman Marcus and analogized the facts to a 1948 quail hunt case: Summers v Tice (33 Cal 2d 80, 87-88, 199 P2d 1, 5 [Cal 1948]), {**69 Misc 3d at 604} wherein the Summers' plaintiff was shot, but did not know which defendant shot him. Ultimately, the Summers court held that plaintiff properly pleaded joint liability and the burden shifted to defendants to show who was responsible (see Remijas v Neiman Marcus Group, LLC, 794 F3d at 696 [discussing Summers v Tice (33 Cal 2d at 87-88, 199 P2d at 5)]).

Here, in contrast, plaintiff did not allege a breach of CBLPath's network or data systems. When applied to the present matter, these cases suggest an increased probability of identity theft resulting from the nature of the data breach, but a decreased probability of identity theft after a one-to-two year period without suspicious activity, and more importantly, a diminished relationship between the alleged injuries and the challenged conduct of CBLPath. Therefore, this court finds that the complaint alleges speculative harm that does not constitute an injury-in-fact that is fairly traceable to CBLPath's conduct.

Plaintiff, however, attempts to raise a question of fact alleging, for the first time in her memorandum of law in opposition, that "following the [d]ata [b]reach, [her] Private Information, including her Social Security number, has been found available for sale on the 'dark web,' and that she knows of no other source of such information besides the [d]ata [b]reach at issue here" (NYSCEF Doc No. 33, mem of law in opp at 9). Generally, even an "attorney's affirmation that is not based upon personal knowledge is of no probative [value]" (Warrington v Ryder Truck Rental, Inc., 35 AD3d 455, 456 [2d Dept 2006]). Here, plaintiff's allegation is asserted in a memorandum of law, is unsworn to in an affidavit or verified pleading, and, therefore, is not in admissible form. Plaintiff's allegation in this regard was improper and is thus rejected (see Countrywide Home Loans, Inc. v Vittorio, 178 AD3d 1017, 1018-1019 [2d Dept 2019]). Therefore, based on the allegations set forth in the complaint, plaintiff fails to allege an injury-in-fact, and lacks standing.

II. Failure to State a Cause of Action

Even assuming that plaintiff established standing, the court must dismiss the complaint based upon a failure to state a cause of action.

"On a motion to dismiss pursuant to CPLR 3211 (a) (7), the complaint is to be afforded a liberal construction, the facts alleged are presumed to be true, the plaintiff is afforded the benefit of every favorable {**69 Misc 3d at 605} inference, and the court is to determine only whether the facts as alleged fit within any cognizable legal theory" (Rodriguez v Daily News, L.P., 142 AD3d 1062, 1063 [2d Dept 2016], lv denied 28 NY3d 913 [2017]).

"Such [*6] a motion should be granted only where, even viewing the allegations as true, the plaintiff still cannot establish a cause of action" (Hartman v Morganstern, 28 AD3d 423, 424 [2d Dept 2006]).

a. Negligence

Turning first to plaintiff's first cause of action, to establish a prima facie case of negligence, a plaintiff must demonstrate the existence of a duty owed by defendant to plaintiff, a breach of that duty, and resulting injury which was proximately caused by the breach (see Solomon v City of New York, 66 NY2d 1026, 1027 [1985]; Conneally v Diocese of Rockville Ctr., 116 AD3d 905, 906 [2d Dept 2014]; Rubin v Staten Is. Univ. Hosp., 39 AD3d 618, 618 [2d Dept 2007]).

[2] In this matter, plaintiff ostensibly failed to pay for medical services provided by CBLPath, requiring CBLPath to enter into an agreement with AMCA for collection of the unpaid monies. Being in the business of providing medical services, CBLPath had no duty to protect plaintiff from third parties harming her by unforeseeable hacks into AMCA's system, which CBLPath had no control over (see Malik v Ultraline Med. Testing, P.C., 177 AD3d 515, 515-516 [1st Dept 2019]). Hence, plaintiff's claim for negligence is untenable.

Nonetheless, plaintiff argues that a common-law duty exists and that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104-191, 110 US Stat 1936) establishes a duty of care on the part of CBLPath. However, none of the cases cited by plaintiff suggest that one has a common-law duty to protect another from the potential breach of a third party's data network—here, being AMCA's network.[FN4] Moreover, the cases cited by plaintiff purportedly creating a common-law duty underscore the foreseeability of harm, such as prior notice to data breaches, lax security measures, disabled security features, etc. (see In re Arby's Rest. Group, Inc., Litig., 2018 WL 2128441, *5, 2018 US Dist LEXIS 131140, *23 [ND Ga, Mar. 5, 2018, No. 1:17-cv-0514-AT] ["Under Georgia {**69 Misc 3d at 606} law . . . , allegations that a company knew of a foreseeable risk to its data security systems are sufficient to establish the existence of a plausible legal duty and survive a motion to dismiss"]). In contrast, here, plaintiff did not assert that AMCA was aware of any specific risks to its data security system, let alone that CBLPath was aware of such risks to AMCA's network.

Plaintiff concedes that HIPAA does not provide a private right of action but instead relies on out-of-state cases to argue that "HIPAA may be used to establish an appropriate standard for the protection of health care information" and that "HIPAA [does] not preempt negligence claims based on alleged HIPAA violations" (NYSCEF Doc No. 33, mem of law in opp at 23-24).[FN5] Plaintiff, however, does not dispute CBLPath's averment that it properly disclosed protected health information to AMCA, its "business associate," as that term is defined by HIPAA regulations (45 CFR 160.103, 164.502 [a] [1] [i]; [e]), after obtaining satisfactory security assurances from AMCA. Indeed, the complaint avers the following: "AMCA states that it is [*7] 'compliant with all Federal and State Laws and are members of ACA International. We provide our services adhering to the ethical guidelines expected from a National Accounts Receivable Management firm' " (complaint ¶ 10). Critically, HIPAA does not require covered entities, such as CBLPath, "to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract"; "[n]or is the covered entity responsible or liable for the actions of its business associates" (Is a covered entity liable for, or required to monitor, the actions of its business associates?, Health Information Privacy, US Department of Health and Human Services, available at https://www.hhs.gov/hipaa/for-professionals/faq/236/covered-entity-liable-for-action/index.html [Dec. 19, 2002], cached at http://www.nycourts.gov/reporter/webdocs/236-Is-a-covered-entity-liable-for-the-actions-of-business-associates.pdf). In view of the foregoing, plaintiff failed to establish that CBLPath owed a duty to protect her data that had been appropriately transferred to, and was stored by, a third party. Accordingly, the complaint fails to state a cause of action for negligence as against CBLPath (see Fox v Marshall, 88 AD3d {**69 Misc 3d at 607} 131, 135-140 [2d Dept 2011]; Engelhart v County of Orange, 16 AD3d 369, 371 [2d Dept 2005], lv denied 5 NY3d 704 [2005]; compare Abdale v North Shore-Long Is. Jewish Health Sys., Inc., 49 Misc 3d 1027, 1041 [Sup Ct, Queens County 2015]).

b. Breach of Contract

"The elements of a cause of action to recover damages for breach of contract are the existence of a contract, the plaintiff's performance under the contract, the defendant's breach, and resulting damages" (Detringo v South Is. Family Med., LLC, 158 AD3d 609, 609-610 [2d Dept 2018]). "Generally, a party alleging a breach of contract must demonstrate the existence of a contract reflecting the terms and conditions of their purported agreement. Moreover, the plaintiff's allegations must identify the provisions of the contract that were breached" (Canzona v Atanasio, 118 AD3d 837, 839 [2d Dept 2014] [internal quotation marks, citations and ellipses omitted]).

[3] Here, it is undisputed that plaintiff's alleged harm stems from a data breach on AMCA's network. Plaintiff, however, fails to identify which provision of the purported contract required CBLPath to safeguard plaintiff's information on AMCA's network. Plaintiff simply recites various passages from CBLPath's privacy notice, which she claims constitutes a part of the contract, but nothing in the privacy notice suggests that CBLPath would safeguard plaintiff's information on AMCA's network. As such, plaintiff failed to plead the material terms of the alleged contract by which CBLPath supposedly agreed to safeguard plaintiff's information on a third party's network (see Canzona v Atanasio, 118 AD3d at 839). Plaintiff's allegations of an alleged contract are, therefore, insufficient to plead a breach of contract cause of action against CBLPath (see id.).

c. Breach of Implied Contract

"An implied-in-fact contract requires the same elements as an express contract including, consideration, mutual assent, legal capacity, and legal subject matter" (Canon U.S.A., Inc. v Stereo Advantage, Inc., 2019 NY Slip Op 32394[U], *2 [Sup Ct, NY County 2019], citing Maas v Cornell Univ., 94 NY2d 87, 93-94 [1999]). "Like an express contract, an implied-in-fact contract requires a showing that there was a meeting of the minds" (Canon U.S.A., Inc. v Stereo [*8] Advantage, Inc., 2019 NY Slip Op 32394[U], *3). "A contract implied in fact may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the presumed intention of the parties as indicated by their conduct" {**69 Misc 3d at 608} (Jemzura v Jemzura, 36 NY2d 496, 503-504 [1975] [internal quotation marks and citations omitted]).

Here, plaintiff contends that CBLPath required her to provide sensitive personal information in exchange for specialized pathological and diagnostic services, and her reliance on those services evinced an implicit promise by CBLPath to act reasonably to keep plaintiff's information safe. However, the complaint is devoid of any facts supporting an inference that CBLPath implicitly promised to keep plaintiff's information safe when it was stored on a third-party business associate's network (cf. Hammond v Bank of N.Y. Mellon Corp., 2010 WL 2643307, *10-11, 2010 US Dist LEXIS 71996, *37-38 [SD NY, June 25, 2010, No. 08 Civ 6060(RMB)(RLE)] [finding lack of any evidence of defendant's assent]). Hence, the complaint fails to state a cause of action to recover damages under a theory of implied contract as asserted against CBLPath (see id.).

d. Violations of the New York State General Business Law and Negligence Per Se

As to plaintiff's fourth and fifth causes of action, plaintiff alleges that CBLPath violated General Business Law §§ 349, 899-aa, and 899-bb, and section 5 of the Federal Trade Commission Act (FTC Act) (15 USC § 45), with the latter forming the basis for plaintiff's negligence per se claim. First, apart from General Business Law § 349, none of the cited laws provide a private right of action (see Abdale v North Shore-Long Is. Jewish Health Sys., Inc., 49 Misc 3d at 1036-1038 [finding that General Business Law § 899-aa does not create a private right of action]). Thus, plaintiff's claims under General Business Law §§ 899-aa and 899-bb must be dismissed.

Plaintiff's negligence per se claim based on an alleged violation of the FTC Act must also be dismissed because "[i]f mere proof of a violation . . . were to establish negligence per se, plaintiff would effectively be afforded a private right of action that [the statute] does not recognize" (Lugo v St. Nicholas Assoc., 2 Misc 3d 212, 218 [Sup Ct, NY County 2003], mod 18 AD3d 341 [2005] [analyzing the Americans with Disabilities Act of 1990 (42 USC § 12101 et seq.)]; see generally Moore v New York Cotton Exchange, 270 US 593, 602-603 [1926]).

Next, General Business Law § 349 (a) provides that "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful" (see Keshin v Montauk Homes, LLC, 162 AD3d 758, 760 [2d Dept 2018], lv denied 32 NY3d 910 {**69 Misc 3d at 609} [2018]); and section 349 (h) provides a private right of action to "any person who has been injured by reason of any violation of this section." A prima facie case under General Business Law § 349 (h) requires "a showing that the defendant engaged in a consumer-oriented act or practice that was 'deceptive or misleading in a material way and that [the] plaintiff has been injured by reason thereof' " (Abdale v North Shore-Long Is. Jewish Health Sys., Inc., 49 Misc 3d at 1039, quoting Goshen v Mutual Life Ins. Co. of N.Y., 98 NY2d 314, 324 [2002]).

In this regard, plaintiff argues that the complaint sufficiently alleges the elements of a cause of action predicated on General Business Law § 349 (a) and (h), referring to a litany of alleged failures, misrepresentations, and omissions by CBLPath. Plaintiff further contends that CBLPath violated section 349 by neglecting to disclose its inadequate cybersecurity practices and misrepresented its efforts to safeguard plaintiff's personal information.

[*9]

The data breach was of AMCA's network, not CBLPath, and plaintiff does not allege that CBLPath exercised control over AMCA's network or data security. Nothing set forth in the complaint or in CBLPath's privacy notice can be considered a statement relative to an obligation of CBLPath to secure data on AMCA's network. In fact, CBLPath's privacy notice discloses that it may share a patient's personal information with "other entities . . . known as 'business associates' "—which "are required to maintain the privacy and security" of that information. Indeed, the privacy notice reflects that CBLPath itself will maintain the privacy and security of that information after it has been shared and is in the custody of its business associate. "[T]he statements allegedly made by [CBLPath] in the privacy policy . . . do not constitute an unlimited guaranty that patient information could not be stolen [from a business associate] or that computerized data could not be hacked" on the network of a business associate (Abdale v North Shore-Long Is. Jewish Health Sys., Inc., 49 Misc 3d at 1039). CBLPath's alleged failure to safeguard information on AMCA's networks did not mislead plaintiff in any material way and does not constitute a deceptive practice within the meaning of General Business Law § 349 (see id.). Therefore, plaintiff fails to state a cause of action under that statute as asserted against CBLPath. Based on the foregoing, CBLPath's motion to dismiss is granted.

The court has considered the additional contentions of the parties not specifically addressed herein. To the extent any {**69 Misc 3d at 610} relief requested by the parties was not addressed, it is hereby denied. Accordingly, it is hereby: ordered that the motion of codefendant CBLPath, Inc. (mot seq No. 2), made pursuant to CPLR 3211 (a) (3) and (7), for an order dismissing the complaint of plaintiff Michelle Smahaj, individually and on behalf of all others similarly situated, as asserted against CBLPath, Inc., is granted in its entirety; and it is further ordered that the complaint of plaintiff Michelle Smahaj, individually and on behalf of all others similarly situated, is dismissed as against codefendant CBLPath, Inc.



Footnotes


Footnote 1: Specifically, the complaint, filed on August 10, 2019, alleges that CBLPath "became aware of [the data breach] approximately three months ago" (NYSCEF Doc No. 1, complaint ¶ 18).

Footnote 2: Plaintiff asserts that other class members have not been notified of the loss of their data.

Footnote 3: Oral argument was heard in that case on September 8, 2016 (see Fero v Excellus Health Plan, Inc., 236 F Supp 3d 735, 745 [WD NY 2017]).

Footnote 4: CBLPath agrees with the basic principle that an entity storing a plaintiff's confidential information has a duty to exercise reasonable care to safeguard it.

Footnote 5: In so doing, plaintiff relies on Acosta v Byrum (180 NC App 562, 638 SE2d 246 [2006]) and Sheldon v Kettering Health Network (40 NE3d 661, 2015-Ohio-3268 [2d Dist 2015]).