Bitlaw Summary and Analysis
The claims related to a system to monitor access to protected health information in which a rule is created, an audit log is compared with the rule, and a notification is provided if rule is fulfilled. The court found the claim directed to the abstract idea of detecting misuse in a computer environment based on analyzing log files, while also finding that the claims simply automated a process that was commonly performed without computers in the past. Furthermore, the court found that the claims simply related to the collection and analysis of data, which is an abstract idea. There is no inventive concept, and there are no details in the claim that describe an improvement to existing computer technology.
FAIRWARNING IP, LLC, Plaintiff-Appellant,
IATRIC SYSTEMS, INC., Defendant-Appellee.
United States Court of Appeals, Federal Circuit.
Appeal from the United States District Court for the Middle District of Florida in No. 8:14-cv-02685-SDM-MAP, Judge Steven D. Merryday.
SEAN A. PASSINO, Hauptman Ham, LLP, Alexandria, VA, argued for plaintiff-appellant. Also represented by RACHEL KAREN PILLOFF; MICHAEL S. HOOKER, JASON PAUL STEARNS, Phelps Dunbar LLP, Tampa, FL.
LISA M. TITTEMORE, Sunstein Kann Murphy & Timbers LLP, Boston, MA, argued for defendant-appellee. Also represented by BRANDON TAYLOR SCRUGGS.
Before LOURIE, PLAGER, and STOLL, Circuit Judges.
STOLL, Circuit Judge.
FairWarning IP, LLC, appeals a judgment of the United States District Court for the Middle District of Florida dismissing its suit with prejudice after holding that the asserted patent, U.S. Patent No. 8,578,500, claims patent-ineligible subject matter under 35 U.S.C. § 101. Because we agree with the district court that FairWarning's '500 patent claims patent-ineligible subject matter, we affirm.
FairWarning sued Iatric Systems, Inc. for infringing claims of the '500 patent. The '500 patent is titled "System and Method of Fraud and Misuse Detection" and discloses ways to detect fraud and misuse by identifying unusual patterns in users' access of sensitive data. The specification describes systems and methods to detect fraud by an otherwise-authorized user of a patient's protected health information ("PHI"). According to the specification, pre-existing systems were able to record audit log data concerning user access of digitally stored PHI. The claimed systems and methods record this data, analyze it against a rule, and provide a notification if the analysis detects misuse. Claim 1 recites:
1. A method of detecting improper access of a patient's protected health information (PHI) in a computer environment, the method comprising:
generating a rule for monitoring audit log data representing at least one of transactions or activities that are executed in the computer environment, which are associated with the patient's PHI, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, accesses by a specific user, that is indicative of improper access of the patient's PHI by an authorized user wherein the improper access is an indication of potential snooping or identity theft of the patient's PHI, the authorized user having a pre-defined role comprising authorized computer access to the patient's PHI;
applying the rule to the audit log data to determine if an event has occurred, the event occurring if the at least one criterion has been met;
storing, in a memory, a hit if the event has occurred; and
providing notification if the event has occurred.
'500 patent col. 16 ll. 27-46.
Before the district court, Iatric moved to dismiss the complaint, arguing the asserted patent claimed patent-ineligible subject matter under § 101. FairWarning filed an amended complaint asserting all claims of the '500 patent, and Iatric again moved to dismiss. The district court granted Iatric's motion and dismissed the case under Rule 12(b)(6) of the Federal Rules of Civil Procedure.
Following the two-step test for patent-eligibility identified in Alice Corp. v. CLS Bank International, 134 S. Ct. 2347 (2014), the court first found the claims were directed to a patent-ineligible abstract idea: "the concept of analyzing records of human activity to detect suspicious behavior." FairWarning IP, LLC v. Iatric Sys., Inc., No. 8:14-CV-2685, 2015 WL 3883958, at *2 (M.D. Fla. June 24, 2015) (quotation marks omitted). This concept, the court explained, "is a basic and well-established abstract idea." Id. Turning to step two, the court found that the claims contained nothing to "transform the abstract idea into a patentable concept." Id. at *4. The court analyzed the elements of the claim individually and as an ordered combination, but found "nothing significantly more than an instruction to apply the abstract idea . . . using some unspecified, generic computer." Id. (quoting Alice, 134 S. Ct. at 2360) (alteration in original).
FairWarning appealed. We have jurisdiction under 28 U.S.C. § 1295(a)(1).
We review motions to dismiss under the law of the regional circuit. OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1362 (Fed. Cir.), cert. denied, 136 S. Ct. 701 (2015). The Eleventh Circuit reviews the dismissal of a complaint under Rule 12(b)(6) de novo, "[a]ccepting all of the well-pleaded allegations in the complaint as true and drawing all reasonable inferences in favor of the plaintiff." Montgomery Cty. Comm'n v. Fed. Hous. Fin. Agency, 776 F.3d 1247, 1254 (11th Cir. 2015).
Section 101 defines patent-eligible subject matter as "any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof." 35 U.S.C. § 101. The Supreme Court has "long held that this provision contains an important implicit exception: Laws of nature, natural phenomena, and abstract ideas are not patentable." Ass'n for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107, 2116 (2013) (internal brackets omitted) (quoting Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1293 (2012)).
To determine patent eligibility, "the Supreme Court set forth a two-step analytical framework to identify patents that, in essence, claim nothing more than abstract ideas." BASCOM Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341, 1347 (Fed. Cir. 2016) (citing Mayo, 132 S. Ct. at 1296-97). The inquiry's first step requires a court to "determine whether the claims at issue are directed to a patent-ineligible concept." Alice, 134 S. Ct. at 2355. If they are, the court must then, under the second step, "examine the elements of the claim to determine whether it contains an `inventive concept' sufficient to `transform' the claimed abstract idea into a patent-eligible application." Id. at 2357 (quoting Mayo, 132 S. Ct. at 1294, 1298). This inventive concept must do more than simply recite "well-understood, routine, conventional activity." Mayo, 132 S. Ct. at 1298.
We find that, under step one, the claims of the '500 patent are directed to an abstract idea. As the `CLAUDIA BURKE500 patent specification explains, the invention "relates to a system and method of detecting fraud and/or misuse in a computer environment based on analyzing data such as in log files, or other similar records, including user identifier data." '500 patent col. 1 ll. 15-18. The district court found that "the '500 patent is directed to or drawn to the concept of analyzing records of human activity to detect suspicious behavior." FairWarning, 2015 WL 3883958, at *2 (quotation marks omitted). We agree. The patented method, as illustrated by claim 1 quoted above, collects information regarding accesses of a patient's personal health information, analyzes the information according to one of several rules (i.e., related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific user) to determine if the activity indicates improper access, and provides notification if it determines that improper access has occurred.
We have explained that the "realm of abstract ideas" includes "collecting information, including when limited to particular content." Elec. Power Grp., LLC v. Alstrom S.A., No. 15-1778, 2016 WL 4073318, at *3 (Fed. Cir. Aug. 1, 2016) (collecting cases). We have also "treated analyzing information by steps people go through in their minds, or by mathematical algorithms, without more, as essentially mental processes within the abstract-idea category." Id. And we have found that "merely presenting the results of abstract processes of collecting and analyzing information, without more (such as identifying a particular tool for presentation), is abstract as an ancillary part of such collection and analysis." Id. Here, the claims are directed to a combination of these abstract-idea categories. Specifically, the claims here are directed to collecting and analyzing information to detect misuse and notifying a user when misuse is detected. See id.
While the claims here recite using one of a few possible rules to analyze the audit log data, this does not make them eligible under our decision in McRO, Inc. v. Bandai Namco Games America Inc., No. 15-1080, 2016 WL 4896481 (Fed. Cir. Sept. 13, 2016), which also involved claims reciting rules. In McRO we held that, in analyzing step one, "the claims are considered in their entirety to ascertain whether their character as a whole is directed to excluded subject matter." Id. at *6 (quoting Internet Patents Corp. v. Active Network, Inc., 790 F.3d 1343, 1346 (Fed. Cir. 2015)). Of course, claims cannot be directed to "laws of nature, natural phenomena, and abstract ideas," but must instead "claim patent-eligible applications of those concepts." Alice, 134 S. Ct. at 2355 (citing Mayo, 132 S. Ct. at 1296-97). Indeed, even though a claim can be abstracted to the point that it reflects a patent-ineligible concept—for, "[a]t some level, `all inventions . . . embody, use, reflect, rest upon, or apply laws of nature, natural phenomena, or abstract ideas,'" id. at 2354 (quoting Mayo, 132 S. Ct. at 1293)—that claim may nevertheless be patent eligible if the claim language is directed to a patent-eligible application of that concept. See Rapid Litig. Mgmt. Ltd. v. CellzDirect, Inc., 827 F.3d 1042, 1050 (Fed. Cir. 2016).
The claims in McRO were not directed to an abstract idea, but instead were directed to "a specific asserted improvement in computer animation, i.e., the automatic use of rules of a particular type." McRO, 2016 WL 4896481, at *8. We explained that "the claimed improvement [was] allowing computers to produce `accurate and realistic lip synchronization and facial expressions in animated characters' that previously could only be produced by human animators." Id. at *8 (quoting U.S. Patent No. 6,307,576 col. 2 ll. 49-50). The claimed rules in McRO transformed a traditionally subjective process performed by human artists into a mathematically automated process executed on computers. Id. at *8-9. Indeed, Defendants conceded that prior animating processes were "driven by subjective determinations rather than specific, limited mathematical rules," such as the mathematical rules articulated in McRO's claimed method. Id. at *8. Thus, the traditional process and newly claimed method stood in contrast: while both produced a similar result, i.e., realistic animations of facial movements accompanying speech, the two practices produced those results in fundamentally different ways.
As such, we explained that "it [was] the incorporation of the claimed rules, not the use of the computer, that `improved [the] existing technological process' by allowing the automation of further tasks." Id. (alteration in original) (quoting Alice, 134 S. Ct. at 2358). "This [was] unlike Flook, Bilski, and Alice, where the claimed computer-automated process and the prior method were carried out in the same way." Id. (citing Parker v. Flook, 437 U.S. 584, 585-86 (1978); Bilski v. Kappos, 561 U.S. 593, 611 (2010); Alice, 134 S. Ct. at 2356).
The claims here are more like those in Alice than McRO. FairWarning's claims merely implement an old practice in a new environment. See Alice, 134 S. Ct. at 2356. The claimed rules ask whether accesses of PHI, as reflected in audit log data, are 1) "by a specific user," 2) "during a pre-determined time interval," or 3) "in excess of a specific volume." '500 patent col. 16 ll. 34-36. These are the same questions (though perhaps phrased with different words) that humans in analogous situations detecting fraud have asked for decades, if not centuries. Although FairWarning's claims require the use of a computer, it is this incorporation of a computer, not the claimed rule, that purportedly "improve[s] [the] existing technological process" by allowing the automation of further tasks. Alice, 134 S. Ct. at 2358.
Moreover, the claims here are not like those we found patent eligible in Enfish. In that case, we explained that the claims were "specifically directed to a self-referential table for a computer database." Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1337 (Fed. Cir. 2016). The claims were thus "directed to a specific improvement to the way computers operate," rather than an abstract idea implemented on a computer. Id. at 1336. The claims here, in contrast, are not directed to an improvement in the way computers operate, nor does FairWarning contend as much. While the claimed system and method certainly purport to accelerate the process of analyzing audit log data, the speed increase comes from the capabilities of a general-purpose computer, rather than the patented method itself. See Bancorp Servs., L.L.C. v. Sun Life Assurance Co. of Can. (U.S.), 687 F.3d 1266, 1278 (Fed. Cir. 2012) ("[T]he fact that the required calculations could be performed more efficiently via a computer does not materially alter the patent eligibility of the claimed subject matter."). Thus here, as in Electric Power, "the focus of the claims is not on . . . an improvement in computers as tools, but on certain independently abstract ideas that use computers as tools." Elec. Power, 2016 WL 4073318, at *4.
Because we find these claims are directed to an abstract idea at step one of the patent-eligibility inquiry, we turn to step two.
After "scrutiniz[ing] the claim elements more microscopically" under step two, id., we find nothing sufficient "to `transform the nature of the claim' into a patent-eligible application," Alice, 134 S. Ct. at 2355 (quoting Mayo, 132 S. Ct. at 1297). As the district court correctly explained, the claims generally require "(1) generating a rule `related to' the number of accesses, the timing of accesses, and the specific users in order to review `transactions or activities that are executed in a computer environment'; (2) applying the rule; (3) storing the result; and (4) announcing the result." FairWarning, 2015 WL 3883958, at *3 (quoting '500 patent col. 16 ll. 31-32, 34). The claim limitations, analyzed alone and in combination, fail to add "something more" to "transform" the claimed abstract idea of collecting and analyzing information to detect misuse into "a patent-eligible application." See Alice, 134 S. Ct. at 2354, 2357.
FairWarning argues claims 12-13 and 14-17 separately, but none of these claims add limitations that impart patent eligibility. Claim 12 reads as follows:
12. A system for detecting improper access of a patient's protected health information (PHI) in a health-care system computer environment, the system comprising:
a user interface for selection of at least one criterion related to accesses in excess of a specific volume, accesses during a predetermined time interval, accesses by a specific user, representing at least one of transactions or activities associated with the patient's PHI that is indicative of improper access of the patient's PHI within the health-care system computer environment by an authorized user wherein the improper access is an indication of potential snooping or identity theft of the patient's PHI, the authorized user having a pre-defined role comprising authorized computer access to the patient's PHI, and for selection of a schedule for application of a rule for monitoring audit log data representing at least one of the transactions or the activities;
a microprocessor in communication with the user interface and having access to the audit log data representing the transactions or the activities of the patient's PHI, the microprocessor generating the rule based at least in part on the at least one criterion selected and applying the rule to the audit log data according to the schedule selected in order to determine if an event has occurred,
wherein the event occurs if the at least one criterion has been met,
wherein the microprocessor stores a hit if the event has occurred, and
wherein the microprocessor provides notification if the event has occurred.
'500 patent col. 17 l. 24 — col. 18 l. 2. Claim 12 and its dependent claim 13 are system claims that add the requirement that the system include a "user interface" for selection of a rule, as well as a microprocessor that analyzes audit log data under various rules. But, under our precedent, the features of claims 12 and 13 do not recite that "something more" required to make these claims patent eligible. As we have explained, the use of generic computer elements like a microprocessor or user interface do not alone transform an otherwise abstract idea into patent-eligible subject matter. See DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1256 (Fed. Cir. 2014).
Claim 14 is a system claim, but it recites limitations that FairWarning admits are "analogous to that recited in [method] claim 1" and argues that they are patentable for the same reasons as claim 1. Appellant Br. 41. Claims 15-17 depend from claim 14 and, like claim 14, add nothing more than similar nominal recitations of basic computer hardware, such as "a non-transitory computer-readable medium with computer-executable instructions" and a microprocessor. See '500 patent col. 18 ll. 37-50. "While it is not always true that related system claims are patent-ineligible because similar method claims are, when they exist in the same patent and are shown to contain insignificant meaningful limitations, the conclusion of ineligibility is inescapable." Accenture Glob. Servs., GmbH v. Guidewire Software, Inc., 728 F.3d 1336, 1344 (Fed. Cir. 2013). The claims here are decidedly not the exception to that rule. The limitations added in FairWarning's system claims merely graft generic computer components onto otherwise-ineligible method claims. As such, these claims are patent ineligible along with claim 1 and its dependents.
Nonetheless, FairWarning argues that all of the claims, without exception, solve technical problems unique to the computer environment and thus should be patent eligible under DDR Holdings. Appellant Br. 44-48 (citing DDR Holdings, 773 F.3d at 1257). FairWarning explains that, at the time of the '500 patent's filing, audit log data of patient health information "tended to have different file formats" and that this information was stored in different applications and data stores. Reply Br. 9 (citing '500 patent col. 1 ll. 26-31). FairWarning contends that its system allowed for the compilation and combination of these disparate information sources and that the patented method "made it possible to generate a full picture of a user's activity, identity, frequency of activity, and the like in a computer environment." Id. at 10. The mere combination of data sources, however, does not make the claims patent eligible. As we have explained, "merely selecting information, by content or source, for collection, analysis, and [announcement] does nothing significant to differentiate a process from ordinary mental processes, whose implicit exclusion from § 101 undergirds the information-based category of abstract ideas." Elec. Power, 2016 WL 4073318, at *4. Furthermore, to the extent that FairWarning suggests that its claimed invention recites a technological advance relating to accessing and combining disparate information sources, its claims do not recite any such improvement. Rather, the claimed invention is directed to the broad concept of monitoring audit log data. The claims here do not propose a solution or overcome a problem "specifically arising in the realm of computer [technology]." DDR Holdings, 773 F.3d at 1257. At most, the claims require that these processes be executed on a generic computer. But, "after Alice, there can remain no doubt: recitation of generic computer limitations does not make an otherwise ineligible claim patent-eligible." Id. at 1256 (citing Alice, 134 S. Ct. at 2358). Thus, while the patent may in fact require that the claimed data relate to "transactions or activities that are executed in the computer environment," Reply Br. 10, limiting the claims to the computer field does not alone transform them into a patent-eligible application. See Alice, 134 S. Ct. at 2358.
After closely examining the claims of the '500 patent in search of "something more" to transform the underlying abstract idea into a patent-eligible application, we conclude that there is nothing claimed in the patent—either by considering the claim limitations individually or as an ordered combination—that makes its claims patent eligible.
FairWarning further alleges that the district court improperly granted Iatric's motion under Rule 12(b)(6). We disagree. "We have repeatedly recognized that in many cases it is possible and proper to determine patent eligibility under 35 U.S.C. § 101 on a Rule 12(b)(6) motion." Genetic Techs. Ltd. v. Merial L.L.C., 818 F.3d 1369, 1373-74 (Fed. Cir. 2016) (citing OIP Techs., 788 F.3d at 1362; Content Extraction & Transmission LLC v. Wells Fargo Bank, Nat'l Ass'n, 776 F.3d 1343, 1351 (Fed. Cir. 2014); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355 (Fed. Cir. 2014)). We have also acknowledged, however, that plausible factual allegations may preclude dismissing a case under § 101 where, for example, "nothing on th[e] record . . . refutes those allegations as a matter of law or justifies dismissal under Rule 12(b)(6)." BASCOM, 827 F.3d at 1352.
FairWarning argues that the district court wrongly found facts outside of the pleadings and construed disputed facts in a light unfavorable to FairWarning. It argues that the court erred in finding, on a motion to dismiss, that the '500 patent is not necessarily rooted in computer technology. It points to the ability of its system and method to collect and analyze disparate data sources in real time. And it claims that the court, drawing all reasonable inferences in its favor, could not resolve this issue on a motion to dismiss. We disagree. As we explained above, the practices of collecting, analyzing, and displaying data, with nothing more, are practices "whose implicit exclusion from § 101 undergirds the information-based category of abstract ideas." Elec. Power, 2016 WL 4073318, at *4. The district court correctly dismissed FairWarning's purportedly factual claims as insufficient to impart patent eligibility.
FairWarning also contends that the court erred by finding that "the human mind can perform each step" because there is no support in the complaint or the patent for this finding. Appellant Br. 30-34. It argues that the large number of calculations required in its patents precludes a pen and paper test. Id. at 32. First of all, we do not rely on the pen and paper test to reach our holding of patent eligibility in this case. At the same time, we note that, in viewing the facts in FairWarning's favor, the inability for the human mind to perform each claim step does not alone confer patentability. As we have explained, "the fact that the required calculations could be performed more efficiently via a computer does not materially alter the patent eligibility of the claimed subject matter." Bancorp Servs., 687 F.3d at 1278.
FairWarning further argues that the district court incorrectly found that its patents preempt the field of HIPAA regulation compliance. FairWarning contends that, while HIPAA regulations require certain privacy protections for PHI, they do not mandate a particular set of specific response measures. But even assuming that the '500 patent does not preempt the field, its lack of preemption does not save these claims. As this court explained in Ariosa, "[w]hile preemption may signal patent ineligible subject matter, the absence of complete preemption does not demonstrate patent eligibility." Ariosa, 788 F.3d at 1379; see also OIP Techs., 788 F.3d at 1362-63. So too here. That the '500 patent's claims might not preempt the entire field of HIPAA compliance "do[es] not make them any less abstract." OIP Techs., 788 F.3d at 1363.
Finally, FairWarning argues that "there is an identified claim construction issue" that precludes dismissal under Rule 12(b)(6). Appellant Br. 19. FairWarning appears to argue that, under a correct construction, the district court would have understood the term audit log data to "exist in the computer environment after at least one of [the] transactions or activities . . . are executed in the computer environment by an authorized user." Id. at 30 (emphases omitted). The implication of this construction, FairWarning argues, would be that "the '500 patent is necessarily rooted in computer technology." Id. But this is the same argument we dismissed above, cloaked as claim construction. Simply requiring computer implementation of an otherwise abstract-idea process, as Fair-Warning would require of the claim, does not make the claims patent eligible. Regardless of the resolution of this construction issue, the '500 patent claims patent-ineligible subject matter.
We have considered FairWarning's remaining arguments and find them unpersuasive. For the forgoing reasons, we affirm the district court's determination that the claims of the '500 patent recite patent-ineligible subject matter under § 101 and its dismissal of FairWarning's infringement suit.