Stasi et al v. Garcia et al
Filing
24
ORDER on Defendant's 17 Motion to Dismiss Plaintiff's First Amended Complaint. Signed by Judge Jeffrey T. Miller on 11/19/2020. (sjt)
Case 3:19-cv-02353-JM-LL Document 24 Filed 11/19/20 PageID.367 Page 1 of 36
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF CALIFORNIA

VICKI STASI, SHANE WHITE, and CRYSTAL GARCIA, individually and on behalf of all others similarly situated,
Plaintiffs,
v.
INMEDIATA HEALTH GROUP CORP.,
Defendant.

Case No.: 19cv2353 JM (LL)

ORDER ON DEFENDANT’S MOTION TO DISMISS PLAINTIFFS’ FIRST AMENDED COMPLAINT

Defendant Inmediata Health Group Corp. (“Inmediata”) moves under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) to dismiss the First Amended Complaint (“FAC”) of Plaintiffs Vicki Stasi, Shane White, and Crystal Garcia. (Doc. No. 17-1.) The motion has been briefed and the court finds it suitable for submission without oral argument in accordance with Civil Local Rule 7.1(d)(1). For the below reasons, Inmediata’s motion to dismiss under Rule 12(b)(1) is DENIED, and Inmediata’s motion to dismiss under Rule 12(b)(6) is DENIED IN PART and GRANTED IN PART.

I. BACKGROUND

According to Plaintiffs’ FAC,[1] Inmediata provides billing and health record software and service solutions to healthcare providers. (FAC ¶¶ 17, 19.) In January of 2019, Inmediata first learned it was experiencing a “large data breach” resulting in the “unauthorized acquisition, access, use, or disclosure of unsecured protected health information and personal information” of 1,565,338 individuals. (¶ 2.)[2] Plaintiffs’ information was “posted on the Internet” and “searchable and findable by anyone with access to an internet search engine such as Google[.]” (¶ 7.) Plaintiffs’ information was “disclosed and released to the entire world – it was viewable online by anyone in the world, printable by anyone in the world, copiable by anyone in the world, and downloadable by anyone in the world.” (¶ 8.) The breach did not involve data thieves or hackers. (¶ 9.) Rather, the exposure was “[d]ue to a webpage setting that permitted search engines to index webpages Inmediata uses for business operations[.]” (¶ 7.)

[1] Well pled allegations of the FAC are taken as true for purposes of ruling on the motion before the court.

By letter dated April 22, 2019, Inmediata notified Plaintiffs of a “data security incident that may have resulted in the potential disclosure of [their] personal and medical information.” (¶ 24; see also Doc. Nos. 16-3, 16-4, 16-5.) Inmediata also filed sample “notice of data security incident” letters with various state attorneys general that mirrored the language of the letters sent to Plaintiffs. (¶ 26.) There were two versions of the letter – one for persons whose social security numbers were part of the breach, and another version for persons whose social security numbers were not part of the breach. (¶ 26 n.1.) Plaintiffs received the version for persons whose social security numbers were not part of the breach. (Id.) The letters stated that “[i]n January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website [Inmediata] use[s] for . . . . business operations.” (¶ 27.) The letters also stated that “information potentially impacted by this incident may have included your name, address, date of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physician.” (¶ 29.) Inmediata did not offer Plaintiffs fraud insurance or identity monitoring services. (¶ 34.)

[2] Citations to “¶” refer to the FAC.

On December 9, 2019, Plaintiffs filed a putative class action. On May 5, 2020, Plaintiffs’ initial Complaint was dismissed under Rule 12(b)(1). (Doc. No. 15.) On May 19, 2020, Plaintiffs filed their FAC, which included claims for: (1) negligence; (2) breach of contract; (3) unjust enrichment; (4) violation of the California Confidentiality of Medical Information Act; (5) violation of the California Consumer Privacy Act; (6) violation of the California Consumer Records Act; (7) violation of the Minnesota Health Records Act; and (8) invasion of privacy and violation of the California Constitution. (¶¶ 212-324.) Plaintiffs seek to certify a nationwide class consisting of “[a]ll persons . . . . whose [p]ersonal and [m]edical [i]nformation was compromised as a result of the [d]ata [b]reach announced by Inmediata on or around April 24, 2019.” (¶ 199.) Plaintiffs alternatively seek to certify statewide classes for California, Minnesota, and Florida. (¶ 200.)

II. LEGAL STANDARDS

A. Rule 12(b)(1)

Rule 12(b)(1) allows a party to move for dismissal of an action based on lack of subject matter jurisdiction. “Dismissal for lack of subject matter jurisdiction is appropriate if the complaint, considered in its entirety, on its face fails to allege facts sufficient to establish subject matter jurisdiction.” In re Dynamic Random Access Memory Antitrust Litig., 546 F.3d 981, 984-85 (9th Cir. 2008) (citation omitted). The plaintiff bears the burden of establishing subject matter jurisdiction. United States v. Orr Water Ditch Co., 600 F.3d 1152, 1157 (9th Cir. 2010). If the court finds it lacks subject matter jurisdiction at any time, it must dismiss the action. Fed. R. Civ. P. 12(h)(3). In a facial attack on the pleadings under Rule 12(b)(1), the court accepts the allegations in the complaint as true and draws all reasonable inferences in the plaintiff’s favor. Wolfe v. Strankman, 392 F.3d 358, 362 (9th Cir. 2004).

B. Rule 12(b)(6)

To survive a motion to dismiss under Rule 12(b)(6), the complaint must contain sufficient facts to state a claim for relief that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 678. The allegations must be construed in the light most favorable to plaintiff. Schueneman v. Arena Pharm., Inc., 840 F.3d 698, 704 (9th Cir. 2016). While a court must take all factual allegations in the complaint as true, it is “not bound to accept as true a legal conclusion couched as a factual allegation.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678. In resolving the motion, the court does not weigh evidence, evaluate witness credibility, or consider the likelihood that a plaintiff will prevail at trial. Twombly, 550 U.S. at 556 (“[A] well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of the facts alleged is improbable, and ‘that a recovery is very remote and unlikely[.]’”). Although the court generally cannot consider facts outside the complaint in ruling on a Rule 12(b)(6) motion to dismiss, Arpin v. Santa Clara Valley Transp. Agency, 261 F.3d 912, 925 (9th Cir. 2001), it may consider documents that are referenced in the complaint, No. 84 Employer-Teamster Joint Council Pension Trust Fund v. Am. W. Holding Corp., 320 F.3d 920, 925 n.2 (9th Cir. 2003).

III. DISCUSSION

A. Standing

“A suit brought by a plaintiff without Article III standing is not a ‘case or controversy,’ and an Article III federal court therefore lacks subject matter jurisdiction over the suit.” Cetacean Cmty. v. Bush, 386 F.3d 1169, 1174 (9th Cir. 2004) (citation omitted). Standing requires the plaintiff to have suffered an injury in fact that is fairly traceable to the challenged conduct of the defendant, and is likely to be redressed by a favorable judicial decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). An injury in fact is an invasion of a legally protected interest which is concrete and particularized, actual or imminent, and not conjectural or hypothetical. Id. at 560.

The plaintiff, as the party invoking federal jurisdiction, bears the burden of establishing the elements of Article III jurisdiction. FW/PBS, Inc. v. Dallas, 493 U.S. 215, 231 (1990). At the motion to dismiss stage, standing is demonstrated through allegations of specific facts plausibly explaining that standing requirements are met. Barnum Timber Co. v. Envtl. Prot. Agency, 633 F.3d 894, 899 (9th Cir. 2011); see also Warth v. Seldin, 422 U.S. 490, 518 (1975) (“It is the responsibility of the complainant clearly to allege facts demonstrating that he is a proper party to invoke judicial resolution of the dispute and the exercise of the court’s remedial powers.”). However, “the court is to ‘accept as true all material allegations of the complaint, and . . . . construe the complaint in favor of the complaining party.’” Levine v. Vilsack, 587 F.3d 986, 991 (9th Cir. 2009) (quoting Thomas v. Mundell, 572 F.3d 756, 760 (9th Cir. 2009)). “[G]eneral factual allegations of injury resulting from the defendant’s conduct may suffice,” and the court “presume[s] that general allegations embrace those specific facts that are necessary to support the claim.” Lujan, 504 U.S. at 561 (quotation and alteration omitted). The question of standing is “distinct from the merits” of the plaintiff’s claim. Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011); see also Warth, 422 U.S. at 500 (“[S]tanding in no way depends on the merits of the plaintiff’s contention that particular conduct is illegal[.]”).

1. Statutory Standing

Intangible injuries based on violation of a statute can be concrete. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016). “[G]eneral principles” that are “instructive” for assessing whether an intangible injury is concrete include (1) “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” and (2) whether, in Congress’ judgment, the intangible harm meets minimum Article III requirements even though it previously did not. Id. at 1549. A plaintiff cannot allege “a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III,” but “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact.” Id.

Plaintiffs argue they sufficiently pled concrete injury by pleading that Inmediata violated the California Confidentiality of Medical Information Act (“CMIA”), CAL. CIV. CODE §§ 56-56.265. (Doc. No. 22 at 10-12.) In support of this argument, Plaintiffs state that CMIA was “enacted to protect people such as Plaintiffs from precisely this sort of long-recognized violation of privacy rights in [confidential medical information].” (Id. at 10.) Plaintiffs also state that CMIA was “established to protect concrete privacy interests in medical privacy that go far beyond bare procedural requirements, and [Inmediata’s] violations of [CMIA] directly implicate Plaintiffs’ interests in those same, concrete, medical privacy rights,” (id.), and that the California legislature declared the right to privacy “fundamental,” (id. at 11, 12).[3] As discussed in greater detail below, CMIA prohibits the unauthorized “disclosure” of medical information, the negligent maintenance of medical information, and the negligent “release” of medical information.[4] CAL. CIV. CODE §§ 56.10(a), 56.101(a), 56.36(b). The statute also provides for nominal damages without having to show the plaintiff “suffered or was threatened with actual damages.” Id. § 56.36(b)(1). Plaintiffs allege that by “posting”[5] their private medical information on the internet, Inmediata violated CMIA by disclosing the information, negligently failing to preserve its confidentiality, and negligently releasing the information. (¶¶ 269-71.)

[3] Other than citing Spokeo II, Plaintiffs provide almost no support for their statutory standing argument. Plaintiffs do not, for example, discuss the CMIA or its legislative history. Notwithstanding these omissions, the court has an independent obligation to assure Plaintiffs’ Article III standing. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180 (2000).

[4] The CMIA applies to health care providers, service plans, and contractors. CAL. CIV. CODE § 56.10(a). Inmediata does not dispute that it is subject to the CMIA.

[5] Plaintiffs do not provide a definition as to what “posting” information on the internet entails. As discussed below, it is not reasonable to infer that Inmediata intentionally posted Plaintiffs’ information on the internet. Interpreting the “posting” term in the light most favorable to Plaintiffs, it means that information was made accessible to anyone with an internet connection, intentionally or not.

a. Ninth Circuit Precedent

At the outset, the alleged intangible injury resulting from “posting” or allowing access to disclosure of Plaintiffs’ medical information on the internet in violation of CMIA is, at first blush, just as concrete as the intangible injuries the Ninth Circuit has found to be concrete based on violations of other privacy-related statutes. See Campbell v. Facebook, Inc., 951 F.3d 1106, 1112 (9th Cir. 2020) (alleging Facebook scanned plaintiffs’ private messages looking for links to web pages, then allowed third parties to show that the link counted as a “like” on their websites, in violation of the Electronic Communications Privacy Act (ECPA) and the California Invasion of Privacy Act (CIPA)); In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 596 (9th Cir. 2020) (“Facebook Tracking”) (alleging Facebook tracked users’ browsing histories when they visited third-party websites, then compiled their browsing histories into profiles which were sold to advertisers in violation of federal and state statutes, including the CIPA); Patel v. Facebook, Inc., 932 F.3d 1264, 1274 (9th Cir. 2019) (alleging Facebook subjected the plaintiffs to facial recognition technology in violation of state biometric privacy statute), cert. denied, 140 S. Ct. 937 (2020); Eichenberger v. ESPN, Inc., 876 F.3d 979, 981 (9th Cir. 2017) (alleging ESPN shared plaintiff’s personally identifiable information with a third party in violation of the Video Privacy Protection Act (VPPA)); Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037, 1043 (9th Cir. 2017) (alleging plaintiff received two unsolicited text messages advertising a gym membership in violation of the Telephone Consumer Protection Act (TCPA)); Robins v. Spokeo, Inc., 867 F.3d 1108, 1117 (9th Cir. 2017) (“Spokeo II”) (alleging credit reporting agency published incorrect biographical information about the plaintiff on the internet in violation of procedural requirements of the Fair Credit Reporting Act (FCRA)). For example, it cannot reasonably be argued that the unwanted receipt of text messages advertising a gym membership, annoying as they may be, is a more serious violation of a statutorily protected privacy right than having one’s medical information accessible via the internet for an unknown period of time. Medical information is also just as private and sensitive as the links included in messages sent via Facebook, facial biometric information, and a person’s video watching history. See Campbell, 951 F.3d at 1112; Patel, 932 F.3d at 1274; Eichenberger, 876 F.3d at 981. As stated in Campbell, “[t]here is no meaningful distinction between the concrete, substantive privacy interests protected by the statutes at issue in Patel, Eichenberger, and Van Patten and the interests protected by the provisions of [the privacy statute] at issue in this case.” 951 F.3d at 1118.

Although the Ninth Circuit has found, in near uniformity, that intangible injuries based on alleged violations of privacy-related statutes are sufficiently concrete, Inmediata nonetheless urges the court to follow Bassett v. ABM Parking Servs., Inc., 883 F.3d 776 (9th Cir. 2018). In Bassett, the court held the plaintiff did not sufficiently plead a concrete injury by alleging that a parking garage displayed his unredacted credit card expiration date on his receipt, in alleged violation of the FCRA, where the information was not seen by anyone else. Id. at 783. The court reasoned, “[w]e need not answer whether a tree falling in the forest makes a sound when no one is there to hear it.” Id. Bassett is distinguishable, however, because in Bassett it was known that nobody else saw, or could have seen, the plaintiffs’ protected information. Here, Plaintiffs repeatedly allege their information “was viewed by unauthorized persons.” (¶¶ 269-271, 277.) Although the basis for Plaintiffs’ assertion that their information was actually viewed is sketchy (and, absent ultimate proof, would likely be fatal for Plaintiffs’ case in this regard), it is reasonable to infer the information could have been viewed or copied once available on the internet. (See ¶¶ 7-8.) In other words, unlike in Bassett, the tree falling in the woods question is unavoidable here. Accordingly, even prior to applying the Spokeo test, Ninth Circuit precedent strongly supported the concreteness of Plaintiffs’ alleged injury resulting from a violation of CMIA.

b. Traditional Harm

Additionally, the harm that results from “posting” medical information on the internet has a close relationship to harm that has traditionally been regarded as providing a basis for a lawsuit, especially the public disclosure of private facts. See Forsher v. Bugliosi, 26 Cal. 3d 792, 808 (1980) (recognizing public disclosure of private facts as a type of invasion of privacy claim); see also U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 763 (1989) (“[B]oth the common law and the literal understanding of privacy encompass the individual’s control of information concerning his or her person.”). The Ninth Circuit consistently recognizes that actions based on statutory privacy rights resemble privacy-related claims long available at common law. See Campbell, 951 F.3d at 1118 (“The reasons articulated by the legislatures that enacted ECPA and CIPA further indicate that the provisions at issue in this case reflect statutory modernizations of the privacy protections available at common law.”); Patel, 932 F.3d at 1271-72 (supporting standing based on state biometric data statute because “[p]rivacy rights have long been regarded ‘as providing a basis for a lawsuit in English or American courts’”); Eichenberger, 876 F.3d at 981 (VPPA violations resemble violations of the right to privacy that have “long been actionable at common law,” including invasion of privacy, and noting that “privacy torts, such as intrusion of seclusion, do not always require additional consequences to be actionable”); Van Patten, 847 F.3d at 1043 (TCPA actions resemble “[a]ctions to remedy defendants’ invasions of privacy, intrusion upon seclusion, and nuisance have long been heard by American courts, and the right of privacy is recognized by most states”); Spokeo II, 867 F.3d at 1114 (FCRA rights resemble the right to prevent the dissemination of private information and right to bring lawsuits based on the unauthorized disclosure of a person’s private information). Accordingly, Plaintiffs’ alleged harm is closely related to one traditionally protected at law.

c. Legislative Judgment

Finally, it is reasonable to infer that “posting” Plaintiffs’ medical information on the internet constitutes a breach of confidentiality that is precisely the type of harm CMIA was intended to prevent as CMIA expressly provides that actionable injury results from the negligent “release” of medical information regardless of whether the plaintiff “suffered or was threatened with actual damages.” See CAL. CIV. CODE § 56.36(b). The Ninth Circuit has repeatedly found the express abdication of the requirement for actual damages in privacy-related statutes supports standing based on violations of those statutes. See Patel, 932 F.3d at 1269; Eichenberger, 876 F.3d at 981; Van Patten, 847 F.3d at 1043.[6]

Although neither party discusses the legislative history of CMIA, the plain language of the statute demonstrates that, in the California legislature’s judgment,[7] the provisions of CMIA at issue here are substantive, not procedural. See also 1999 Cal. Legis. Serv. Ch. 526 (S.B. 19) (“The bill would . . . . create a right of action to recover damages, as specified, for any individual whose confidential information or records are negligently released and would additionally provide for specified administrative and civil penalties.”); Brown v. Mortensen, 51 Cal. 4th 1052, 1070-71 (2011) (“[CMIA] is intended to protect the confidentiality of individually identifiable medical information obtained from a patient . . . . [T]he interest protected is an interest in informational privacy[.]”) (citation and internal quotation marks omitted); Heller v. Norcal Mut. Ins. Co., 8 Cal. 4th 30, 38 (1994) (“[CMIA] was originally enacted in 1979 to provide for the confidentiality of individually identifiable medical information[.]”) (citation and internal quotation marks omitted).

[6] In Spokeo, the Supreme Court emphasized that “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” 136 S. Ct. at 1549. The Court also emphasized, however, that the violation of a statutory right, even a procedural one, “can be sufficient in some circumstances to constitute injury in fact.” Id. In such cases, “a plaintiff . . . . need not allege any additional harm beyond the one Congress has identified.” Id.

[7] Although in Spokeo the Supreme Court examined the judgment of Congress “because Congress is well positioned to identify intangible harms that meet minimum Article III requirements,” 136 S. Ct. at 1549, the Ninth Circuit has applied this line of inquiry to state legislatures and state statutes. See Facebook Tracking, 956 F.3d at 598 (“[H]istory and statutory text demonstrate that Congress and the California legislature intended to protect these historical privacy rights[.]”); Campbell, 951 F.3d at 1116 (“[W]e are guided in determining concreteness by ‘both history and the judgment of Congress,’ or the legislature that enacted the statute.”); Patel, 932 F.3d at 1273 (“The judgment of the Illinois General Assembly . . . . is ‘instructive and important’ to our standing inquiry[.]”).

As explained in Eichenberger, “every violation” of a substantive provision of a privacy-related statute, and “every disclosure” of information protected by that provision, “presents the precise harm and infringes the same privacy interests Congress sought to protect.” 876 F.3d at 984; see also Facebook Tracking, 956 F.3d at 598 (finding that various privacy-related statutes “codify a substantive right to privacy, the violation of which gives rise to a concrete injury sufficient to confer standing”); Campbell, 951 F.3d at 1117 (“When . . . . a statutory provision identifies a substantive right that is infringed any time it is violated, a plaintiff bringing a claim under that provision ‘need not allege any further harm to have standing.’”) (citation omitted); Patel, 932 F.3d at 1274 (violation of a biometric privacy statute would “necessarily violate the plaintiffs’ substantive privacy interests”). At this early stage in the litigation, nothing in the record suggests Plaintiffs must provide additional proof of the concreteness of their injury beyond their allegations of CMIA violations.[8] Accordingly, Plaintiffs have adequately alleged standing.[9]

[8] Because injury in fact exists based on an alleged violation of CMIA, it is not necessary to address Plaintiffs’ argument that they also possess standing based on violation of the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1302d.

[9] Courts have consistently found, with little or no discussion, that concrete injuries based on violations of privacy-related statutes are also particularized, fairly traceable (to Inmediata, in this case), and likely to be redressed by a favorable decision. See, e.g., Campbell, 951 F.3d at 1116 n.7; see also Dutta v. State Farm Mut. Auto. Ins. Co., 895 F.3d 1166, 1173 (9th Cir. 2018) (injury in fact is the “first and foremost element” of standing). Here, there is no other source of the alleged injury than Inmediata, and the alleged injury to Plaintiffs could be redressed by an award of damages or other relief. Also, Inmediata’s standing argument does not rest on traceability or redressability issues. Accordingly, Plaintiffs have met their burden of adequately pleading all the elements of standing.

2. Additional Grounds

Plaintiffs also allege they suffered “a privacy injury by having their sensitive medical information disclosed, irrespective of whether or not they subsequently suffered identity fraud, or incurred any mitigation damages.” (¶ 284.) The concreteness of this injury is supported by In re Facebook, Inc., Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 784 (N.D. Cal. 2019), in which the district court found the plaintiffs’ allegation that their “sensitive information was disseminated to third parties in violation of their privacy” was sufficient, by itself, to confer standing, even where no theft or hack of the information occurred and the “sensitive information” did not include social security numbers, financial information, or medical information. The district court rejected Facebook’s argument that “a ‘bare’ privacy violation, without ‘credible risk of real-world harm’ such as identity theft or other economic consequences, cannot rise to the level of an Article III injury.” Id. at 786-87. To find otherwise, the court reasoned, would “disregard the importance of privacy in our society, not to mention the historic role of the federal judiciary in protecting it” as recognized by “countless federal laws designed to protect our privacy[.]” Id. at 786 (citing, inter alia, HIPAA).

Additionally, at least one district court has found an allegation that the plaintiff “received extensive ‘phishing’ emails and text messages [and] spent as much as an hour managing the aftermath of the data breach” was sufficient to allege injury in fact. See Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1035 (N.D. Cal. 2019) (“As consequences of this data breach continue to unfold, so too, will plaintiff’s invested time. More phishing e-mails will pile up. At this stage, the time loss alleged suffices.”). Here, Plaintiffs allege they spent time “dealing with” and “addressing” issues arising from Inmediata’s breach notification. (¶¶ 139, 163, 195.) Plaintiffs also allege they noticed an “increase in spam/phishing” e-mails, calls, or both, from “persons apparently attempting to defraud” them. (¶¶ 136, 157, 192.)

Finally, district courts have found that out-of-pocket expenses are sufficient to confer standing in data breach cases. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., Case No. 16-MD-02752-LHK, 2017 WL 3727318, at *16 (N.D. Cal. Aug. 30, 2017) (listing cases). Here, Plaintiffs allege that Ms. Garcia spent her own money “addressing issues” arising from the breach. (¶ 195.) Accordingly, these cases serve as additional support for the concreteness of Plaintiffs’ alleged injuries.[10]

B. Individual Claims

A plaintiff may suffer Article III injury and yet fail to plead a proper cause of action. Doe v. Chao, 540 U.S. 614, 624-25 (2004). Inmediata argues that Plaintiffs’ individual claims for negligence, breach of contract, unjust enrichment, violation of state privacy statutes, and the California Constitution should be dismissed under Rule 12(b)(6). For the below reasons, this argument is mostly unavailing.

1. Negligence

The elements of a negligence claim under California law are duty, breach, causation, and injury. Vasilenko v. Grace Family Church, 3 Cal. 5th 1077, 1083 (2017). Inmediata argues that Plaintiffs’ negligence claim is barred by California’s economic loss doctrine. (Doc. No. 17-1 at 19-20.) Inmediata also makes arguments with respect to Plaintiffs’ allegations of duty, causation, and damages. (Id. at 20-21.)

a. Economic Loss Doctrine

Under the economic loss doctrine, “purely economic losses are not recoverable in tort.” NuCal Foods, Inc. v. Quality Egg LLC, 918 F. Supp. 2d 1023, 1028 (E.D. Cal. 2013) (citation omitted). In the absence of personal injury, physical damage to property, a special relationship between the parties, or some other common law exception to the rule, recovery of purely economic loss for negligence is foreclosed. J’Aire Corp. v. Gregory, 24 Cal. 3d 799, 803-04 (1979). Inmediata argues that Plaintiffs’ negligence claim is barred by the economic loss doctrine because Plaintiffs do not allege personal injury or property damage. (Doc. No. 17-1 at 19-20.) In support of this argument, Inmediata cites Dugas v. Starwood Hotels & Resorts Worldwide, Inc., Case No.: 3:16-cv-00014-GPC-BLM, 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 2016), in which the district court found the economic loss doctrine barred the plaintiffs’ negligence claim because they alleged purely economic damages, i.e. “theft of their credit card information, costs associated with prevention of identity theft, and costs associated with time spent and loss of productivity.”

[10] For the same reasons as those stated in the court’s initial order granting Inmediata’s motion to dismiss, (Doc. No. 15), Plaintiffs’ arguments with respect to injury based on the future risk of identity theft are unavailing.

Dugas is not persuasive, however, because even though Plaintiffs allege they lost time responding to Inmediata’s breach notification, (see ¶¶ 139, 163, 195), they do not necessarily base their allegations on the “costs” of their lost time and lost productivity. Moreover, unlike in Dugas, the compromised information here includes medical information, the disclosure of which leads to damages that are not necessarily as “economic” as those resulting from the theft of credit card information and social security numbers. Indeed, Plaintiffs allege they suffered “a privacy injury by having their sensitive medical information disclosed, irrespective of whether or not they subsequently suffered identity fraud, or incurred any mitigation damages.” (¶ 284.) Plus, Plaintiffs allege they noticed an increase in spam/phishing e-mails and/or calls, (¶¶ 136, 157, 192), which is harm that is also not necessarily “economic” in nature. Accordingly, at least two district court cases, with facts more similar to the instant case than those in Dugas, found that time spent responding to a data breach is a non-economic injury, that when alleged to support a negligence claim, defeats an economic loss doctrine argument. See Solara, 2020 WL 2214152, at *4 (involving theft of medical information); Bass, 394 F. Supp. 3d at 1039 (involving the hack of non-financial personal information, the only alleged misuse of which was spam e-mails). Other than citing Dugas, Inmediata does not meaningfully address these alleged injuries in its motion to dismiss Plaintiffs’ negligence claim.11
11 In its reply, Inmediata merely states, without citing any authority, that “the loss of time does not meet the requirement that there must be bodily injury or property damage.” (Doc. No. 23 at 11.)
The applicability of the economic loss doctrine is also questionable given that Plaintiffs and Inmediata were not in privity of contract, there was no commercial activity between Plaintiffs and Inmediata that went awry, and the case does not involve a defective product or services resulting in mere “disappointed expectations.” See Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988 (2004) (“The economic loss rule requires a purchaser to recover in contract for purely economic loss due to disappointed expectations, unless he can demonstrate harm above and beyond a broken contractual promise. Quite simply, the economic loss rule prevents the law of contract and the law of tort from dissolving one into the other.”) (internal quotation marks and alteration omitted); see also Giles v. Gen. Motors Acceptance Corp., 494 F.3d 865, 880 (9th Cir. 2007) (finding the economic loss doctrine did not apply because appellants’ tort claim was not a “mere contract claim cloaked in the language of tort”); Dugas, 2016 WL 6523428, at *1 (involving dispute between parties in privity of contract).
Finally, as discussed above, the statutory protection afforded to medical information is rooted in common law duties traditionally serving as the basis for lawsuits, including the duty not to publicly disclose private facts. Therefore, to the extent the economic loss rule does apply, it is plausible a common law exception to the rule also applies. (See Doc. No. 22 at 27-28.) Accordingly, at this stage in the litigation, the economic loss doctrine does not defeat Plaintiffs’ negligence claim.
b. Duty and Breach
Inmediata argues that Plaintiffs have not alleged a common law duty because “it is not plausible to suggest Inmediata could foresee that an errant web page setting would result in identity theft or fraudulent transactions using stolen patient data.” (Doc. No. 17-1 at 20.) This is not an accurate description of Plaintiffs’ allegations. In their FAC, Plaintiffs repeatedly, and in a variety of ways, allege that Inmediata owed them a duty to safeguard their personal and medical information as consistent with medical privacy statutes and industry standards. (¶¶ 81-87, 218-226, 231.) Emphatically, the issue here is not foreseeability of harm.
District courts have found comparable allegations sufficient to survive motions to dismiss negligence claims. See Castillo v. Seagate Tech., LLC, Case No. 16-cv-01958-RS, 2016 WL 9280242, at *2 (N.D. Cal. Sept. 14, 2016) (alleging employer had duty to reasonably protect employees’ information); Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *3 (C.D. Cal. June 15, 2015) (alleging employer owed employees a duty to implement and maintain adequate security measures to safeguard their personal information); see also Facebook, 402 F. Supp. 3d at 799 (finding a duty because “Facebook had a responsibility to handle its users’ sensitive information with care”); Bass, 394 F. Supp. 3d at 1039 (alleging Facebook failed to comply with industry data-security standards).
Inmediata cites no data breach case in which the court found the plaintiffs failed to adequately allege duty. Instead, Inmediata argues that without a “special relationship,” it owed no duty to Plaintiffs to protect their information from thieves and hackers.12 (Doc. No. 17-1 at 20.) Inmediata provides no support, however, for its argument that no special relationship exists between a company that possesses people’s personal and medical information and those people. In Castillo, a case upon which Inmediata relies, the court found an employer had a duty to protect the personal information it possessed regarding not only its employees and former employees, but also their spouses and dependents. 2015 WL 3916744, at *3. In reaching this conclusion, the court applied the factors identified in Rowland v. Christian, 69 Cal. 2d 108, 113 (1968), which the district court described as:
    (1) the foreseeability of the harm to the plaintiff; (2) the degree of certainty that the plaintiff suffered injury; (3) the closeness of the connection between the defendant’s conduct and the injury suffered; (4) the moral blame attached to the defendant’s conduct; (5) the policy of preventing future harm; and (6) the extent of the burden to the defendant and consequences to the community of imposing a duty to exercise care with resulting liability for breach and the availability, cost, and prevalence of insurance for the risk involved.
Id.
12 For this reason, Inmediata’s argument concerning a common law duty appears to be aimed more towards Inmediata’s economic loss doctrine argument rather than attacking the duty element of Plaintiffs’ negligence claim.
Applied here, these factors weigh in favor of the plausibility that Inmediata owed a duty to protect Plaintiffs’ information despite the fact that Plaintiffs were not Inmediata’s customers or otherwise in privity with Inmediata. As noted above, Plaintiffs allege they lost time responding to Inmediata’s breach notification, (¶¶ 139, 163, 195), and that they noticed an increase in spam/phishing e-mails and/or calls, (¶¶ 136, 157, 192). Plaintiffs also allege that Ms. Garcia spent her own money. (¶ 195.) It is foreseeable that these alleged harms would result from posting Plaintiffs’ personal and medical information on the internet. While the chance that Plaintiffs will actually suffer identity theft is unknown13 and has likely decreased over time, it is reasonable to infer that persons whose information was compromised in such a manner would, at the very least, spend some time and/or effort to detect or prevent identity theft. It can also reasonably be said that Inmediata bears some “moral” blame for failing to protect medical information concerning persons who were likely unaware that Inmediata possessed their medical information in the first place. (See ¶ 158 (alleging Mr. White spent hours “attempting to determine how he is connected to Inmediata and how his information came into the possession of Inmediata.”).) Additionally, imposing a common law duty on companies that possess personal and medical information to safeguard that information further promotes a policy, statutorily recognized, of preventing identity theft and protecting the confidentiality of medical information. Finally, the burden of imposing a common law duty to protect medical and personal information is not likely high given that both state and federal law already require such protection, and, in the case of state law, already allows for a private right of action. In the context of this case, the burden appears especially light given Inmediata’s position that an “errant webpage setting” was the culprit. (Doc. No. 17-1 at 20.)
13 As discussed below, it is also far from reasonably certain Mr. White’s alleged identity theft was the result of this data breach.
Overall, it is reasonably foreseeable that a company that possesses medical information for thousands of people would cause those people time and effort upon learning that information had been freely accessible on the internet. See Bass, 394 F. Supp. 3d at 1039 (finding the Rowland test supported the assertion that Facebook owed its users a duty of care because, inter alia, “[t]he lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information,” including harm in the form of lost time). Accordingly, Plaintiffs plausibly allege breach of duty.
c. Causation
Inmediata further argues that Plaintiffs fail to sufficiently allege causation because they do not allege an unauthorized person actually viewed or downloaded their data, or that they experienced identity theft, fraudulent charges, or any other legally cognizable harm. (Doc. No. 17-1 at 21.) The only support Inmediata provides for this argument is a citation to Castillo, in which the plaintiff employees all suffered identity theft in the form of falsely filed tax returns. 2016 WL 9280242, at *2. The district court found that causation was not adequately pled for one of the named plaintiffs because she conceded that her information had been compromised during a previous, unrelated data breach. Id. at *4. The court stated, “[t]o create a reasonable inference the [defendant’s] data breach caused the [false tax] filing, [the plaintiff] should plead more particular facts connecting the two events, such as the temporal relationship between the breach and the false filing, or the similarities between the false filing in her name and the filings in the names of other [persons whose data was breached].” Id.
This argument is persuasive with respect to the allegation that Plaintiff White actually experienced identity theft. In addition to the injuries already discussed above, Plaintiffs allege that, approximately nine months after Inmediata first learned of the data breach, Mr. White suffered $600 in fraudulent charges on his credit card. (¶¶ 159-162.) Because he used the card to pay for healthcare, Plaintiffs allege that Mr. White “believes Inmediata was the source of his breached credit card information.” (¶ 162.) As was the case in Castillo, however, Plaintiffs acknowledge that Mr. White received a data breach notification resulting from a 2017 data breach involving Equifax. (¶ 161). Additionally, Plaintiffs acknowledge that Inmediata specifically informed them that “financial information” was “not involved.” (¶ 30.) Plaintiffs nonetheless state they “do not accept this as an accurate statement” because the letter they received in Inmediata’s letter advised them to “keep[] a close eye on your credit card activity.” (Id.) However, Inmediata’s letter, which is attached to the FAC, contains no such language and does not reference credit card information. Additionally, Plaintiffs acknowledge that Inmediata specifically informed them “[b]ased on the investigation, we have no evidence that any files were copied or saved” and “we have not discovered any evidence that any information that may be involved in this incident has been misused.” (See Doc. No. 16-4 at 2.) For these reasons, Plaintiffs cannot allege a plausible negligence claim based on Mr. White’s allegation that he actually experienced identity theft. As discussed above, however, it is plausible the lost time and increase in spam/phishing Plaintiffs allegedly suffered was caused by the alleged breach of Inmediata’s duty to protect their personal and medical information, and Inmediata does not argue otherwise.
d. Damages
i. Lost Time
As noted above, Plaintiffs allege they suffered damages in the form of lost time. Specifically, Plaintiffs allege that Ms. Stasi spent time “trying to make sure she has not and does not become further victimized because of the Data Breach,” (¶ 139), Mr. White spent time “dealing with the aftermath of the Data Breach,” (¶ 163), and Ms. Garcia spent time “addressing issues arising from the Data Breach,” (¶ 195). Plaintiffs also allege that, since early 2019 when Inmediata first became aware of the breach, they noticed an “increase in spam/phishing” e-mails, calls, or both, from “persons apparently attempting to defraud” them. (¶¶ 136, 157, 192.)
Generally, it can be inferred that theft of social security numbers, financial information, and medical information is primarily financially motivated and realized through identity theft or other forms of fraud. See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (“Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”); Bass, 394 F. Supp. 3d at 1035 (“It is not too great a leap to assume . . . . that [hackers’] goal in targeting and taking . . . . information [is] to commit further fraud and identity theft.”). Accordingly, the Ninth Circuit has held that theft of information that can be used to commit identity theft causes an injury to victims for standing purposes based on the future threat of identity theft regardless of whether the named plaintiffs actually suffered identity theft. See In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018), cert. denied sub nom. Zappos.com, Inc. v. Stevens, 139 S. Ct. 1373 (2019); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010).14
14 As this court previously found, in both Krottner and Zappos the Ninth Circuit held that misuse of the named plaintiffs’ information was not necessarily required for standing purposes, but the court nonetheless relied on allegations of actual misuse of other victims’ information to find standing. See Krottner, 628 F.3d at 1142 (noting that one of the plaintiffs alleged that someone unsuccessfully attempted to open a bank account in his name); Zappos, 888 F.3d at 1027-28 (noting that some non-parties had their accounts commandeered and suffered financial losses, and that two plaintiffs had their e-mail accounts taken over).
The instant case is not, however, the typical data breach case because it does not involve the theft or hack of information that courts have recognized as enabling identity theft, such as financial information or social security numbers, and there are no plausible allegations that Plaintiffs actually suffered identity theft resulting from the alleged breach. Rather, at this stage, the case involves allegations that Plaintiffs’ medical information, including diagnosis codes and treating physicians, was posted on the most publicly accessible forum in the world for an unknown period of time. In other words, the interest in the confidentiality of medical information is not, as Inmediata apparently presumes, necessarily tied to the risk of identity theft. Accordingly, although some cases have found that when information capable of being used to commit identity theft is stolen, it must also be misused in order to find injury, see, e.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 963 (S.D. Cal. 2012), the facts here are different. Although Plaintiffs do not provide great detail in describing how they expended time and effort after receiving Inmediata’s breach notification, it is reasonable to infer that upon receiving notice of the breach they responded by ensuring: (1) that their medical information was no longer accessible via the internet; (2) that their information did not reappear on the internet; and/or (3) they had not, and would not, become victims of identity theft. “Increased time spent monitoring one’s credit and other tasks associated with responding to a data breach have been found by other courts to be specific, concrete, and non-speculative.” Solara, 2020 WL 2214152, at *4 (declining to dismiss negligence claim under Rule 12(b)(6) on this ground); see also Adkins, 424 F. Supp. 3d at 692 (time lost responding to a data breach establishes a harm for standing purposes); but see Corona, 2015 WL 3916744, at *4 (finding, without discussion, that “general allegations of lost time are too speculative to constitute cognizable injury” in case involving an alleged hack, theft, and misuse of employee financial and medical information). It is also reasonable to infer that the receipt of alleged spam/phishing e-mails and/or calls cost Plaintiffs some of their time. Even though Plaintiffs do not allege that their e-mail addresses or phone numbers were included in the information that was compromised, it would nonetheless be reasonable for them to be curious about spam/phishing contacts they received after being informed of the data breach. See Bass, 394 F. Supp. 3d at 1035 (finding that time spent “sorting through a few dozen e-mails,” though de minimis, is a sufficient injury for standing purposes because “[as] consequences of [the alleged] data breach continue to unfold, so too, will plaintiff’s invested time”). Accordingly, at this early stage in litigation, Plaintiffs allege plausible damages in the form of lost time, and Inmediata has not met its burden of showing otherwise.
ii. Lost Money
Plaintiffs also allege that Ms. Garcia “spent her own money . . . . addressing issues arising from the Data Breach.” (¶ 195.) Plaintiffs do not specify what Ms. Garcia spent her money on, or what “issues” she “addressed.” As pointed out by Inmediata, Plaintiffs do not allege they actually purchased credit monitoring services. (See Doc. No. 17-1 at 17.) Construing this allegation in the light most favorable to Plaintiffs, however, it is reasonable to infer at this stage in litigation that Ms. Garcia spent her money on some form of identity theft protection. (See ¶¶ 193-94 (alleging she placed credit freezes on her credit reports in order to detect potential identity theft and fraudulent activity, and now engages in monthly monitoring of her credit and her bank accounts); see also Doc. No. 22 at 25 (“Plaintiffs engaged credit monitoring services as a result of the . . . . risk of future identity theft.”).)
In data breach cases involving negligence claims, district courts have found it sufficient to allege out-of-pocket expenses in purchasing identity theft protection services to show damages. See Castillo, 2016 WL 9280242, at *4 (“Those who have incurred such out-of-pocket expenses [such as purchasing identity protection services] have pleaded cognizable injuries[.]”); Corona, 2015 WL 3916744, at *4 (finding the same by analogizing costs associated with identity theft protection to those resulting from exposure to toxic chemicals); see also Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 1233 (D. Nev. 2020) (“[T]angible, out-of-pocket expenses are required in order for lost time spent monitoring credit to be cognizable as damages.”); Adkins v. Facebook, Inc., 424 F. Supp. 3d 686, 695 (N.D. Cal. 2019) (denying class certification because the plaintiff “never paid any money as a result of this data breach” and “never purchased any credit monitoring service”); Yahoo, 2017 WL 3727318, at *16 (money spent to monitor credit and prevent future identity theft is sufficient injury for standing purposes).
These cases may be distinguishable because they involve far more serious data breaches than what Plaintiffs allege here. See Castillo, 2016 WL 9280242, at *2 (defendant employer released all of its employees’ tax information in response to a phishing scam, after which the plaintiff employees all suffered identity theft in the form of fraudulently filed tax returns); Corona, 2015 WL 3916744, at *4 (hackers stole, and traded on the internet, social security numbers, financial information, medical information, home and e-mail addresses, and visa and passport numbers). However, in arguing that Plaintiffs failed to state a claim for negligence under Rule 12(b)(6), Inmediata does not argue these cases are distinguishable. In fact, Inmediata does not specifically address the allegation that Ms. Garcia spent her own money.
Instead, Inmediata argues, as it did in its standing argument, under California law Plaintiffs’ allegation that they took steps to protect against possible future risk of identity theft is insufficient.15 (Doc. No. 17-1 at 21.) The only support Inmediata provides for this argument is a citation to Corona, 2015 WL 3916744. In Corona, however, the district court did not find that the plaintiffs failed to adequately allege injury, either for standing or Rule 12(b)(6) purposes. To the contrary, with respect to the Corona plaintiffs’ negligence claim, the court found they adequately alleged a cognizable injury “by way of costs relating to credit monitoring, identity theft protection, and penalties.” 2015 WL 3916744, at *5. Accordingly, Plaintiffs sufficiently allege that Ms. Garcia suffered damages in the form of lost money.
15 Inmediata’s reference to its argument against Plaintiffs’ standing in support of its argument against Plaintiffs’ negligence claims is not particularly helpful given that Plaintiffs bear the burden of showing standing while Inmediata bears the burden of showing that Plaintiffs failed to state their claim for negligence under Rule 12(b)(6).
e. Negligence Per Se
In their FAC, Plaintiffs allege they are entitled to an evidentiary presumption of negligence per se based on violations of various statutes, including CMIA. (¶ 229.) Under California law, Inmediata’s failure to exercise due care is presumed if Plaintiffs sufficiently allege that: (1) Inmediata violated a statute or regulation; (2) the violation was the proximate cause of Plaintiffs’ injury; (3) the injury resulted from an occurrence, the nature of which the statute or regulation was designed to prevent; and (4) the person suffering the injury was one of the class of persons for whose protection the statute or regulation was adopted. CAL. EVID. CODE § 669. District courts have relied on allegations of negligence per se to deny Rule 12(b)(6) motions to dismiss. See, e.g., Harris v. Burlington N. Santa Fe R.R., No. 17-cv-2433-BAS-JLB, 2013 WL 12122668, at *2 (C.D. Cal. July 12, 2013). The negligence per se doctrine does not, however, obviate the need for Plaintiffs to show a viable and independent duty. See Nikoopour v. Ocwen Loan Servicing, LLC, Case No.: 17cv2015-MMA (WVG), 2018 WL 1035210, at *7 (S.D. Cal. Feb. 23, 2018) (citations omitted).
As discussed below, Plaintiffs plead a plausible violation of CMIA, which provides for nominal damages even if Plaintiff did not suffer actual damages. See CAL. CIV. CODE § 56.36(b)(1). Also, it is reasonable, at this stage in the litigation, that Plaintiffs’ alleged injuries resulting from the “posting” of their medical information on the internet are the injuries the statute was intended to prevent, and that Plaintiffs, as persons who initially provided the confidential medical information that Inmediata possessed, are within the class of persons for whose protection the statute was adopted. Accordingly, to the extent the instant negligence claim is distinguishable from those in data breach cases involving a theft or hack of social security numbers or financial information, this distinction is counter-buttressed by this case involving confidential medical information protected by statute. Accordingly, the negligence per se doctrine supports the plausibility of Plaintiffs’ negligence claim.
2. Breach of Contract
a. Third Party Beneficiaries
Plaintiffs allege, based on information and belief, that they are intended third party beneficiaries of contracts between Inmediata and its customers that require Inmediata to take appropriate steps to safeguard Plaintiffs’ information. (¶¶ 248-49.) Inmediata argues these allegations are conclusory and not supported by any facts, such as specific contract language or the identity of the parties to the contracts. (Doc. No. 17-1 at 24-25.)
The standard to achieve third party beneficiary status is a high one. See Goonewardene v. ADP, LLC, 6 Cal. 5th 817, 821 (2019) (a motivating purpose of the contracting parties must be to provide a benefit to the third party); see also Cummings v. Cenergy Int’l Servs., LLC, 271 F. Supp. 3d 1182, 1188 (E.D. Cal. 2017) (“It is well settled . . . . that enforcement of a contract by persons who are only incidentally or remotely benefitted by it is not permitted.”). Moreover, the alleged contractual terms, if they exist, likely refer to Inmediata’s pre-existing statutory duties to safeguard the medical information in its possession. See In re Anthem, Inc. Data Breach Litig., Case No. 15-MD-02617-LHK, 2016 WL 3029783, at *20 (N.D. Cal. May 27, 2016) (“A breach of contract claim based solely upon a pre-existing legal obligation to comply with HIPAA can not survive dismissal.”). Additionally, district courts in data breach cases have dismissed breach of contract claims for failure to identify the specific language in the contract that was breached. See, e.g., Hassan v. Facebook, Inc., Case No. 19-cv-01003-JST, 2019 WL 3302721, at *3 (N.D. Cal. July 23, 2019).
Based on the above, Plaintiffs’ breach of contract claim is tenuous at best. At this stage in the litigation, however, Plaintiffs plausibly allege they are third party beneficiaries, and Plaintiffs’ allegations are sufficiently factual to give fair notice and to enable Inmediata to defend itself effectively. See Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). Although Plaintiffs do not provide specific contract terms, Plaintiffs allege the substance of the relevant terms. See McKell v. Washington Mut., Inc., 142 Cal. App. 4th 1457, 1489 (2006); see also Summit Estate, Inc. v. Cigna Healthcare of California, Inc., Case No. 17-CV-03871-LHK, 2017 WL 4517111, at *4 (N.D. Cal. Oct. 10, 2017). Moreover, without discovery, it is not clear what more Plaintiffs could plead, or what more Inmediata would need to be able to defend against Plaintiffs’ claims that they are third party beneficiaries of Inmediata’s contracts. In the early stages of litigation, plaintiffs may base their allegations, even jurisdictional ones, on information and belief when the allegations include facts that are primarily within the defendant’s knowledge. Carolina Cas. Ins. Co. v. Team Equip., Inc., 741 F.3d 1082, 1087 (9th Cir. 2014); see also Park v. Thompson, 851 F.3d 910, 928 (9th Cir. 2017) (Iqbal/Twombly plausibility standard does not prevent a plaintiff from pleading facts alleged upon information and belief). Accordingly, Plaintiffs’ allegations that contracts exist that contain terms protecting their information are sufficient to allege a breach of contract claim based on a third party beneficiary theory.
b. Damages
Inmediata argues that Plaintiffs have not adequately pled damages because they do not plead (1) they were victims of identity theft, except for the “wildly speculative” allegations of Mr. White regarding unknown charges to his credit card, or (2) they paid for credit monitoring services. (Doc. No. 17-1 at 22.) As Inmediata points out, some district courts have found that fear of future identity theft is too speculative to support damages in a breach of contract claim. See Svenson v. Google Inc., 65 F. Supp. 3d 717, 724-25 (N.D. Cal. 2014); Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 918 (N.D. Cal. 2009), aff’d, 380 F. App’x 689 (9th Cir. 2010). Additionally, the standard for damages under California contract law may be higher than that for negligence claims. See Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 1010, 1015 (9th Cir. 2000) (plaintiffs must show appreciable and actual damage that is not nominal, speculative, or based on fear of future harm). Also, as discussed above, Inmediata is correct that Mr. White’s allegations regarding the fraudulent charges on his credit card are unreasonably speculative.
However, the cases dismissing breach of contract claims for lack of plausible damages did not involve medical information that was allegedly posted on the internet. Moreover, Inmediata does not argue that breach of contract claims have substantively different standards for damages than negligence claims. Also, Inmediata is incorrect that Plaintiffs fail to allege they paid for credit monitoring services. Rather, as discussed above, Plaintiffs allege that Ms. Garcia “spent her own money . . . . addressing issues arising from the Data Breach,” (¶ 195), and this is sufficient to infer that she spent the money on some form of identity theft protection.
Additionally, other district courts have found, or at least suggested, that an alleged invasion of privacy is per se sufficient to show damages in a breach of contract claim. See Facebook, 402 F. Supp. 3d at 802 (“[U]nder California law even those plaintiffs [who did not suffer measurable compensatory damages] may recover nominal damages.”); Solara, 2020 WL 2214152, at *5 (“The dissemination of one’s personal information can satisfy the damages element of a breach of contract claim.”); In re Google Assistant Privacy Litig., 457 F. Supp. 3d 797, 834 (N.D. Cal. 2020) (“[T]he detriment Plaintiffs say they suffered was an invasion of their privacy. Plaintiffs are entitled to seek compensatory damages or perhaps nominal damages for such harm.”); see also Facebook Tracking, 956 F.3d 589, 598 (9th Cir. 2020) (finding that plaintiffs had standing to bring claims for breach of contract by adequately alleging “privacy harms”). Accordingly, Plaintiffs sufficiently plead damages in their breach of contract claim.
3. Unjust Enrichment

Inmediata argues, and Plaintiffs concede, that they have not pled a plausible claim for unjust enrichment under California law. (See Doc. Nos. 17-1 at 24-25; 22 at 30 n.2.) Accordingly, Plaintiffs fail to state a plausible claim for unjust enrichment under California law. Plaintiffs nonetheless argue that Inmediata does not challenge their unjust enrichment claims under Florida and Minnesota law. (Doc. No. 22 at 30.) In their FAC, however, Plaintiffs do not list their purported claims for unjust enrichment under Florida or Minnesota law as separate claims, and Plaintiffs make only passing reference to Florida and Minnesota law. (See ¶¶ 226-27.) To the extent that Plaintiffs actually and sufficiently allege unjust enrichment under Florida and Minnesota law, those claims survive because they are not challenged.
4. California Confidentiality of Medical Information Act

Inmediata argues that Plaintiffs fail to state a plausible violation of CMIA, CAL. CIV. CODE §§ 56-56.265, because they do not allege facts suggesting that an unauthorized person “actually viewed” their confidential information. (Doc. No. 17-1 at 26.) As noted above, Plaintiffs allege that by posting their medical information on the internet, Inmediata violated multiple provisions of CMIA, including the first sentence of section 56.10(a) (prohibiting “disclosure”), the first sentence of section 56.101(a) (establishing a duty to “preserve confidentiality”), and section 56.36(b) (allowing a private right of action for “negligent release”).16 (¶¶ 269-71, 277.) As a result, Plaintiffs seek actual and nominal damages. (¶ 281.)
a. Section 56.10(a)

Under California law, in order to plead a violation of section 56.10(a), which mandates that health care providers and contractors shall not “disclose” medical information, the plaintiff must plead an “affirmative communicative act” by the defendant, which does not occur if the information is stolen. Sutter Health v. Superior Court, 227 Cal. App. 4th 1546, 1556 (2014); see also Regents of Univ. of Cal. v. Superior Court, 220 Cal. App. 4th 549, 564 (2013) (“disclose” under CMIA means an “affirmative act of communication”). Plaintiffs allege that Inmediata employees “posted” their information on the internet, and that “posting” is an affirmative communicative act. (¶¶ 269-71.)

Here, it is reasonable to infer that some affirmative act by Inmediata caused the “errant webpage setting” that allegedly made Plaintiffs’ information accessible via the internet. However, while intentionally posting something on the internet is inherently communicative, Plaintiffs do not allege that Inmediata intentionally17 posted their information, or that whatever affirmative act might have caused their information to become accessible via the internet was done with the intent to communicate that information. Based on the meaning of “disclose” as defined in Sutter and Regents, Plaintiffs have not pled a plausible violation of section 56.10(a) of CMIA.

16 Plaintiffs also allege that Inmediata violated: (1) sections 56.101(b)(1) related to its electronic health record system; (2) section 56.26(a) by using their information in a manner not reasonably necessary in connection with the administration or maintenance of payment for health care services program; (3) section 56.10(d) by intentionally using their information for a purpose not necessary to provide health care services; and (4) section 56.10(e) by disclosing their information to persons or entities not engaged in providing direct health care services. (¶¶ 273-276, 278-79.) Inmediata does not argue that Plaintiffs have failed to state a claim with respect to these provisions.

17 Although Plaintiffs allege that Inmediata “intentionally shared, sold, used for marketing, or otherwise used” their information “for a purpose not necessary to provide health care services,” (¶ 278), this is merely a recitation of the elements of section 56.10(d) of the CMIA. The same is true where Plaintiffs use the word “intent” to allege fraud. (See ¶ 304.)
b. Sections 56.101(a) and 56.36(b)

The first sentence of section 56.101(a) in CMIA provides that every health care provider and contractor “who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”18 CAL. CIV. CODE § 55.101(a). The second sentence provides that any health care provider or contractor “who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” Section 56.36(b) provides, in turn, that nominal and actual damages are available when information is “negligently released.”19 § 56.36(b). In Regents, the court held that in order to plead a violation of sections 56.101(a) and 56.36(b), the plaintiff does not need to plead an affirmative communicative act. 220 Cal. App. 4th at 553-54; see also Corona, 2015 WL 3916744, at *7; Sutter, 227 Cal. App. 4th 1554 (assuming the same). The court also held, however, that plaintiffs must plead that “negligence result[ed] in unauthorized or wrongful access to the information,” i.e. that the information was “improperly viewed or otherwise accessed.”20 Id. at 554. Similarly, in Sutter, the court held that “[n]o breach of confidentiality takes place until an unauthorized person views the medical information.” 227 Cal. App. 4th at 1557. The Sutter court stated, “[t]hat the records have changed possession even in an unauthorized manner does not mean they have been exposed to the view of an unauthorized person.” Id. at 1558.

18 Unlike other provisions of the CMIA, however, this provision does not state that damages are available for violations. See Lu v. Hawaiian Gardens Casino, Inc., 50 Cal. 4th 592, 596 (2010) (“A violation of a state statute does not necessarily give rise to a private cause of action.”). As recognized in Regents, to allow claims based on violation of this provision alone would allow persons other than the patient to bring suit. Regents, 220 Cal. App. 4th at 563.

19 On its face, the statute is unclear as to whether, in order to recover actual or nominal damages for, say, “negligent maintenance” of information, the plaintiff must also show that the information was “negligently released.” In Regents, however, the court clarified that in order to sufficiently plead actual or nominal damages under CMIA, it is insufficient for the plaintiff to plead, under the second sentence of section 56.101(a), that the defendant negligently created, maintained, preserved, stored, abandoned, destroyed, or disposed of medical information. 220 Cal. App. 4th at 554. Rather, the plaintiff must also plead that their information was negligently “released” under section 56.36(b). Id.
Here, Regents and Sutter do not preclude Plaintiffs’ remaining CMIA claims because the Plaintiffs repeatedly allege their information “was viewed by unauthorized persons.”21 (¶¶ 269-271, 277.) The lack of allegations that the plaintiffs’ information was actually viewed was crucial to the courts’ decisions in Regents and Sutter. See Sutter, 227 Cal. App. 4th at 1555 (“[T]he main pleading problem for the plaintiffs in this case and in Regents is the same: there is no allegation that the medical information was viewed by an unauthorized person.”). Additionally, in both Regents and Sutter, the stolen data was password protected and/or encrypted. See Sutter, 227 Cal. App. 4th at 1555. The same cannot be said for information that is posted and accessible on the internet.22 Given the relatively clear holdings in Regents and Sutter, Plaintiffs’ allegation that their information was actually viewed could be read, of course, as a threadbare and conclusory recital of an essential element to their CMIA claim. When read in the light most favorable to Plaintiffs, however, the allegation that their information was actually viewed is at least somewhat factual.

Additionally, one court in this district recently found it sufficient for plaintiffs to plead that they received a letter stating their medical information was exposed in a data breach, and the only evidence that it had actually been viewed was an increase in medical-related spam e-mails and phone calls. See Solara, 2020 WL 2214152, at *7. The court found these allegations sufficient to infer the plaintiffs’ medical information was viewed by an unauthorized party, even though the plaintiffs did not specifically allege that it was. Id. As an alternative to their allegation that their information was actually viewed, Plaintiffs repeatedly assert that they reasonably believe, and it should be inferred or rebuttably presumed, that their information was actually viewed. (See, e.g., ¶¶ 46-48.) Given that Plaintiffs allege that Inmediata posted their information on the internet, making it searchable, findable, viewable, printable, copiable, and downloadable by anyone in the world with an internet connection, (¶¶ 7-8), it can be reasonably inferred that someone viewed it. Ultimately, it may be that Plaintiffs’ allegation that their information was actually viewed while it was accessible on the internet will prove to be unsubstantiated. At this early stage in the litigation, however, Plaintiffs allege a plausible claim based on violations of sections 56.101(a) and 56.36(b) of CMIA, and Inmediata has not met its burden of showing otherwise.

20 The court found that pleading negligent maintenance and loss of possession based on the theft of the data is insufficient to state a claim under sections 56.101 and 56.36(b). Regents, 220 Cal. App. 4th at 569-70.

21 Strangely, Inmediata argues that “Plaintiffs do not even allege an unauthorized person actually viewed or downloaded their data.” (Doc. No. 17-1 at 21.)

22 In cases where the plaintiffs allege their information was stolen and actually misused, district courts have declined to dismiss CMIA claims under Rule 12(b)(6). See In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F. Supp. 3d 1189, 1202 (D. Or. 2016) (hack); Corona, 2015 WL 3916744 (hack), at *7; Falkenberg v. Alere Home Monitoring, Inc., Case No. 13-cv-00341-JST, 2015 WL 800378, at *4 (N.D. Cal. Feb. 23, 2015) (theft of a password protected laptop). Here, only one of the Plaintiffs alleges actual identity theft, and it is a weak allegation at that. This weakness is counter-balanced, however, because the Plaintiffs’ information was allegedly accessible on the most public forum in the world, and not just to the thief or thieves. And again, Inmediata does not argue to any convincing degree that cases involving theft or hacking are distinguishable. Additionally, when suing for nominal damages under CMIA, plaintiffs do not have to prove they “suffered or [were] threatened with actual damages.” CAL. CIV. CODE § 56.36(b)(1).
5. California Consumer Privacy Act

Inmediata argues that Plaintiffs fail to state a claim for violation of the California Consumer Privacy Act of 2018 (CCPA), CAL. CIV. CODE §§ 1798.150(a), because (1) Plaintiffs merely allege that it should be inferred or rebuttably presumed that their information was accessed by an unauthorized individual, which is insufficient to allege theft of or “unauthorized access” to their personal information, and (2) Plaintiffs allege violation of the CCPA based on the exposure of both their personal and medical information, but the CCPA does not apply to medical information governed by CMIA. (Doc. No. 17-1 at 27.)

As discussed above, Plaintiffs do not merely allege that it should be inferred or rebuttably presumed that their information was accessed by an unauthorized individual. Plaintiffs repeatedly allege that their information “was viewed by unauthorized persons.” (See, e.g., ¶¶ 269-271, 277.) Moreover, Inmediata does not point to any authority requiring Plaintiffs to plead theft or unauthorized access in order to plead a plausible violation of the CCPA. The CCPA provides a private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” Id. § 1798.150(a). Plaintiffs argue, and Inmediata does not dispute, that the facts alleged in the FAC that Plaintiffs’ personal and medical information were accessible via the internet, constitutes a “disclosure” under the CCPA. (Doc. No. 22 at 22-23.) Further, although Inmediata is correct that the CCPA does not apply to medical information governed by CMIA, § 1798.145(c)(1)(A), Inmediata does not address the non-medical information that it admits was accessible on the internet. Accordingly, at this early stage in the litigation, Plaintiffs allege a plausible claim based on violation of the CCPA, and Inmediata has not met its burden of showing otherwise.
6. California Consumer Records Act

Plaintiffs allege that by taking 81 days to inform them of the data breach, Inmediata acted with unreasonable delay in violation of the California Customer Records Act (CCRA), CAL. CIV. CODE § 1798.82(a). (¶ 297.) Inmediata argues that Plaintiffs allege no facts demonstrating unreasonable delay in notifying them of the alleged breach, and therefore, Plaintiffs fail to state a CCRA violation. (Doc. No. 17-1 at 28.) Inmediata further argues that Plaintiffs did not allege harm or subsequent incremental harm from the delay. (Id.)

The CCRA provides that “[a] person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California . . . . whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person . . . . in the most expedient time possible and without unreasonable delay[.]” CAL. CIV. CODE § 1798.82(a).

Inmediata cites no authority to support its argument that 81 days is reasonable delay. Additionally, the only authority Inmediata cites to support its argument that Plaintiffs are required to allege harm or incremental harm from the delay is Yahoo, 2017 WL 3727318, at *41. In Yahoo, however, the court found the plaintiffs adequately alleged incremental harm by alleging that, if they had been notified earlier, they could have taken steps to mitigate the “fallout” from their information being stolen. Id. Similarly, Plaintiffs allege that because of the delay they were “prevented from taking appropriate protective measures, such as securing identity theft protection or requesting a credit freeze.” (¶ 301.) Plaintiffs also allege these measures could have prevented some of their damages because their information would have been less valuable to identity thieves. (Id.) Although only one Plaintiff, Mr. White, allegedly experienced “fallout” in the form of identity theft, Inmediata does not specifically address Plaintiffs’ allegations regarding their incremental harm. Instead, Inmediata argues, inaccurately, that “Plaintiffs here have not alleged harm or subsequent ‘incremental harm’ from delay.” (Doc. No. 17-1 at 28.) Accordingly, at this early stage in the litigation, Plaintiffs allege a plausible claim based on violations of the CCRA, and Inmediata has not met its burden of showing otherwise.
7. Minnesota Health Records Act

Plaintiffs allege that Inmediata violated the Minnesota Health Records Act (MHRA), MINN. STAT. ANN. §§ 144.29-144.34, by releasing their health records without first obtaining consent or authorization, and by negligently or intentionally releasing their health records. (¶¶ 312-13.) Inmediata argues these allegations are conclusory and not supported by factual allegations. (Doc. No. 17-1 at 28-29.) Inmediata also argues this claim should be dismissed because “Plaintiffs did not and cannot allege facts suggesting that any unauthorized person actually searched for, found, viewed, or downloaded the data at issue.” (Id. at 29.) As discussed above, however, Plaintiffs allege that Inmediata posted their medical information on the internet for an unknown period of time. Additionally, Plaintiffs repeatedly allege that their information was viewed. Inmediata also provides no support for its argument that by posting medical information on the internet, where it was allegedly viewed, is insufficient to plead a plausible claim under the MHRA. Accordingly, at this early stage in the litigation, Plaintiffs allege a plausible claim based on violations of the MHRA, and Inmediata has not met its burden of showing otherwise.
8. Article I, Section 1 of the California Constitution

Finally, Inmediata argues that Plaintiffs’ claim under the California Constitution it was not Inmediata.23 (Doc. No. 17-1 at 29-30.) The California Constitution provides that “[a]ll people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” CAL. CONST. art. I, § 1. The parties do not dispute that to support a claim under this provision, Plaintiffs must show: “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” Hill v. Nat’l Collegiate Athletic Assn., 7 Cal. 4th 1, 39-40 (1994). The parties also do not dispute that Plaintiffs have a legally protected privacy interest in their medical information. See also Heldt v. Guardian Life Ins. Co. of Am., Case No. 16-cv-885-BAS-NLS, 2019 WL 651503, at *4 (S.D. Cal. Feb. 15, 2019) (recognizing a legally protected privacy interest in medical information held by an insurer).

23 Although Plaintiffs allege both invasion of privacy and violation of the California Constitution, (¶ 319), Inmediata does not move to dismiss Plaintiffs’ invasion of privacy claim.
Whether Plaintiffs had a reasonable expectation of privacy, and whether Inmediata’s conduct constitutes a serious invasion of privacy, are mixed questions of law and fact. See Hill, 7 Cal. 4th at 40; see also Facebook Tracking, 956 F.3d at 606 (“The ultimate question of whether Facebook’s tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.”). At this stage in the litigation, it is reasonable to infer that Plaintiffs reasonably expected Inmediata would not post their medical information on the internet, negligently or otherwise, and that doing so constitutes a serious invasion of privacy. Although some courts have dismissed privacy claims based on the state constitution given the “high bar” for such claims, see Low, 900 F. Supp. 2d at 1025 (listing cases), these cases do not involve medical information that was “posted” on the internet, see Hill, 7 Cal. 4th at 35 (“Legally recognized privacy interests [include] interests in precluding the dissemination or misuse of sensitive and confidential information.”); Strawn v. Morris, Polich & Purdy, LLP, 30 Cal. App. 5th 1087, 1100 (2019) (finding the seriousness of the alleged invasion of privacy based on disclosure of plaintiffs’ tax returns presented a question of fact that could not be resolved on demurrer). Moreover, Inmediata provides no support for its argument that negligently posting medical information on the internet does not constitute a serious invasion of privacy, and only those who hack or steal information can be held liable. See Doe v. Beard, 63 F. Supp. 3d 1159, 1170 (C.D. Cal. 2014) (negligent disclosure of plaintiff’s medical information was sufficient to sustain a breach of privacy claim under the state constitution); but see Razuki v. Caliber Home Loans, Inc., Case No. 17cv1718-LAB (WVG), 2018 WL 2761818, at *2 (S.D. Cal. June 8, 2018) (suggesting the conduct must be intentional). Accordingly, at this early stage in litigation, Plaintiffs allege a plausible violation of the state constitution’s privacy provision, and Inmediata has not met its burden of showing otherwise.
IV. CONCLUSION

For the foregoing reasons, Inmediata’s Motion to Dismiss under Rule 12(b)(1) for lack of standing is DENIED. Inmediata’s Motion to Dismiss under Rule 12(b)(6) is DENIED IN PART and GRANTED IN PART. Inmediata’s Motion to Dismiss Plaintiffs’ claims for negligence, breach of contract, violation of sections 56.101(a) and 56.36(b) of CMIA, as well as violations of the CCPA, CCRA, MHRA, and the California Constitution, is DENIED. Inmediata’s Motion to Dismiss Plaintiffs’ claims for unjust enrichment and violation of section 56.10(a) of CMIA is GRANTED. In their opposition to the instant motion, Plaintiffs do not request leave to amend. Inmediata’s answer to the operative complaint is due within 21 days of this court’s order.

IT IS SO ORDERED.

DATED: November 19, 2020

JEFFREY T. MILLER
United States District Judge