Colcord v. Premera Blue Cross
Filing
96
OPINION AND ORDER: Premera’s Motion to Dismiss (ECF 78) is GRANTED IN PART AND DENIED IN PART. Premera’s motion is GRANTED against Plaintiffs’ claims as follows: (1) Plaintiffs’ fraud-based claims alleging active concealment of fraud are dismissed; (2) Plaintiffs’ fraud-based claims alleging affirmative misrepresentations that are contained in Premera’s Preferred Bronze policy booklet are dismissed; (3) Plaintiffs’ contract-based claims alleging breach of express contract based on either the Preferred Bronze policy or Premera’s Code of Conduct are dismissed; (4) Plaintiffs’ contract-based claims alleging breach of an implied term in an express contract is dismissed for those Plaintiffs whose contract is governed by Washington law; and (5) the alternative claim for breach of an implied-in-fact contract asserted by Plaintiffs other than the Policyholder Plaintiffs is dismissed. Premera’s Motion to Dismiss is DENIED in all other respects. Signed on 2/9/2017 by Judge Michael H. Simon. Associated Cases: 3:15-md-02633-SI, 3:15-cv-00516-SI, 3:15-cv-00572-SI, 3:15-cv-01092-SI, 3:15-cv-01101-SI, 3:15-cv-01102-SI, 3:15-cv-01103-SI, 3:15-cv-01104-SI, 3:15-cv-01105-SI, 3:15-cv-01106-SI, 3:15-cv-01107-SI, 3:15-cv-01115-SI, 3:15-cv-01153-SI, 3:15-cv-01154-SI, 3:15-cv-01155-SI, 3:15-cv-01156-SI, 3:15-cv-01157-SI, 3:15-cv-01158-SI, 3:15-cv-01159-SI, 3:15-cv-01160-SI, 3:15-cv-01161-SI, 3:15-cv-01162-SI, 3:15-cv-01163-SI, 3:15-cv-01164-SI, 3:15-cv-01165-SI, 3:15-cv-01166-SI, 3:15-cv-01167-SI, 3:15-cv-01168-SI, 3:15-cv-01169-SI, 3:15-cv-01170-SI, 3:15-cv-01171-SI, 3:15-cv-01172-SI, 3:15-cv-01262-SI, 3:15-cv-01263-SI, 3:15-cv-01264-SI, 3:15-cv-01265-SI, 3:15-cv-01266-SI, 3:15-cv-01267-SI, 3:15-cv-01268-SI, 3:15-cv-01392-SI, 3:15-cv-01472-SI (kms)
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF OREGON
IN RE: PREMERA BLUE CROSS
CUSTOMER DATA SECURITY BREACH
LITIGATION
Case No. 3:15-md-2633-SI
OPINION AND ORDER
This Document Relates to All Actions.
Kim D. Stephens, Christopher I. Brain, Chase C. Alvord, and Jason T. Dennett, TOUSLEY BRAIN
STEPHENS PLLC, 1700 Seventh Avenue, Suite 2200, Seattle, WA 98101; Keith S. Dubanevich,
Steve D. Larson, and Yoona Park, STOLL STOLL BERNE LOKTING & SHLACHTER PC, 209 SW
Oak Street, Portland, OR 97204; Ari J. Scharg, EDELSON PC, 350 North LaSalle Street,
Suite 1300, Chicago, IL 60654; Tina Wolfson, AHDOOT AND WOLFSON PC, 1016 Palm Avenue,
West Hollywood, CA 90069; and James Pizzirusso, HAUSFELD LLP, 1700 K Street NW,
Suite 650, Washington, DC 20006. Of Attorneys for Plaintiffs.
Daniel R. Warren and David A. Carney, BAKERHOSTETLER LLP, 127 Public Square, Suite 2000,
Cleveland, OH 44114; Paul G. Karlsgodt, BAKERHOSTETLER LLP, 1801 California Street, Suite
4400, Denver, CO 80202; and Darin M. Sands, LANE POWELL PC, 601 SW Second Avenue,
Suite 2100, Portland, OR 97204. Of Attorneys for Defendant Premera Blue Cross.
Michael H. Simon, District Judge.
Plaintiffs bring this putative class action against Defendant Premera Blue Cross
(“Premera”), a healthcare benefits servicer and provider. On March 17, 2015, Premera publicly
disclosed that its computer network had been breached. Plaintiffs allege that this breach
compromised the confidential information of approximately 11 million current and former
PAGE 1 – OPINION AND ORDER
members, affiliated members, and employees of Premera. The compromised confidential
information includes names, dates of birth, Social Security Numbers, member identification
numbers, mailing addresses, telephone numbers, email addresses, medical claims information,
financial information, and other protected health information (collectively, “Sensitive
Information”). According to Plaintiffs, the breach began in May 2014 and went undetected for
nearly a year. Plaintiffs allege that after discovering the breach, Premera unreasonably delayed in
notifying all affected individuals. Based on these allegations, among others, Plaintiffs bring
various state common law claims and state statutory claims.
On August 1, 2016, the Court granted in part and denied in part Premera’s motion to
dismiss Plaintiffs’ Consolidated Class Action Allegation Complaint. In re Premera Blue Cross
Customer Data Sec. Breach Litig., --- F. Supp. 3d ---, 2016 WL 4107717 (D. Or. Aug. 1, 2016)
(“Premera I”). The Court dismissed Plaintiffs’ fraud-based claims and contract claims and gave
Plaintiffs leave to replead. On September 30, 2016, Plaintiffs filed their First Amended
Consolidated Class Action Allegation Complaint (“FAC”). Before the Court is Premera’s motion
to dismiss Plaintiffs’ FAC (“Motion”). Specifically, Premera moves to dismiss Plaintiffs’
amended fraud-based and contract claims. Premera also moves to dismiss several claims asserted
by two named Plaintiffs, arguing that those claims are preempted by the Employee Retirement
Income Security Act (“ERISA”), 29 U.S.C. § 1001 et seq. For the reasons that follow, the Court
grants in part and denies in part Premera’s Motion.
STANDARDS
A motion to dismiss for failure to state a claim may be granted only when there is no
cognizable legal theory to support the claim or when the complaint lacks sufficient factual
allegations to state a facially plausible claim for relief. Shroyer v. New Cingular Wireless Servs.,
Inc., 622 F.3d 1035, 1041 (9th Cir. 2010). In evaluating the sufficiency of a complaint’s factual
allegations, the court must accept as true all well-pleaded material facts alleged in the complaint
and construe them in the light most favorable to the non-moving party. Wilson v. Hewlett-Packard Co., 668 F.3d 1136, 1140 (9th Cir. 2012); Daniels-Hall v. Nat’l Educ. Ass’n, 629
F.3d 992, 998 (9th Cir. 2010). To be entitled to a presumption of truth, allegations in a complaint
“may not simply recite the elements of a cause of action, but must contain sufficient allegations
of underlying facts to give fair notice and to enable the opposing party to defend itself
effectively.” Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). All reasonable inferences from
the factual allegations must be drawn in favor of the plaintiff. Newcal Indus. v. Ikon Office
Solution, 513 F.3d 1038, 1043 n.2 (9th Cir. 2008). The court need not, however, credit the
plaintiff’s legal conclusions that are couched as factual allegations. Ashcroft v. Iqbal, 556
U.S. 662, 678-79 (2009).
A complaint must contain sufficient factual allegations to “plausibly suggest an
entitlement to relief, such that it is not unfair to require the opposing party to be subjected to the
expense of discovery and continued litigation.” Starr, 652 F.3d at 1216. “A claim has facial
plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable
inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007)).
BACKGROUND
In Premera I, the Court described in detail the facts alleged by Plaintiffs concerning the
events leading up to the breach, its discovery, and Premera’s response. 2016 WL 4107717,
at *2-4. In their amended pleading, Plaintiffs continue to allege a Nationwide Data Breach Class,
consisting of all persons in the United States whose Sensitive Information was maintained on
Premera’s database and compromised as a result of the breach announced by Premera on or
around March 17, 2015. Plaintiffs also allege a Nationwide Premera Policyholder and Plan
Administration Subclass, consisting of all Nationwide Data Breach Class members who paid
money to Premera before March 17, 2015 in exchange for health insurance or plan
administration (“Policyholder Plaintiffs”). In the alternative, Plaintiffs allege several statewide
common law classes, statewide statutory classes, and statewide Policyholder Plaintiffs
subclasses. Plaintiffs further alleged that all individually-named Plaintiffs are members of one or
more classes or subclasses. In their amended pleading, Plaintiffs assert the following ten claims
for relief:
First: Violation of Washington Consumer Protection Act;
Second: Violation Washington Data Breach Disclosure Law;
Third: Negligence;
Fourth: Breach of Express Contract;
Fifth: Breach of Contract Implied-in-Fact;
Sixth: Quasi-Contract/Restitution/Unjust Enrichment;
Seventh: Violation of Other State Consumer Protection Laws;
Eighth: Violation of Other State Data Breach Notification Laws;
Ninth: Violation of California Confidential Medical Information Act; and
Tenth: Misrepresentation by Omission.
DISCUSSION
A. Plaintiffs’ Fraud-Based Claims
In its Motion, Premera challenges the allegations of fraud contained in Plaintiffs’ first,
seventh, and tenth claims. Premera argues that Plaintiffs’ claims that “sound in fraud” continue
to fail to comply with the heightened pleading requirements of Rule 9(b) of the Federal Rules of
Civil Procedure and should be dismissed. Plaintiffs respond that their new allegations cure the
deficiencies identified by the Court in Premera I. Plaintiffs further respond that their state
Consumer Protection Act (“CPA”) claims allege that Premera’s conduct was both deceptive and
unfair and that the allegation of “unfair” conduct does not “sound in fraud” and thus is not
subject to Rule 9(b).
1. Affirmative Misrepresentation
“To satisfy Rule 9(b), a pleading must identify ‘the who, what, when, where, and how of
the misconduct charged,’ as well as ‘what is false or misleading about [the purportedly
fraudulent] statement, and why it is false.’” Cafasso v. Gen. Dynamics C4 Sys., Inc., 637
F.3d 1047, 1055 (9th Cir. 2011) (quoting Ebeid ex rel. United States v. Lungwitz, 616 F.3d 993,
998 (9th Cir. 2010)). In Premera I, the Court noted that Plaintiffs’ allegations were unclear about
whether Plaintiffs were alleging fraud by affirmative misrepresentation. To cure this deficiency,
the Court directed that Plaintiffs must clearly and explicitly identify each specific affirmative
misrepresentation alleged and provide all of the other information required under Rule 9(b).
Premera argues that Plaintiffs’ allegations of fraud remain vague and lack the required
specificity. Premera also argues that the statements are not false. Further, Premera states that
Plaintiffs have not alleged that any of them even read, heard, saw or relied on any statement that
could support a fraud claim. Plaintiffs respond that they have stated the alleged affirmative
misrepresentations with sufficient specificity. Plaintiffs add that whether the alleged statements
are true is an issue of fact not appropriate for resolution in a motion to dismiss. Plaintiffs do not
directly respond to Premera’s assertion that without a specific allegation that Plaintiffs actually
read the alleged misrepresentations, Plaintiffs have not sufficiently alleged causation.
In their amended pleading, Plaintiffs allege that Premera’s policy booklets, Notice of
Privacy Practices (“Privacy Notice”), and Code of Conduct contain affirmative
misrepresentations. Although Plaintiffs did not attach to their amended pleading copies of
Premera’s policy booklets, Privacy Notice, or Code of Conduct, Plaintiffs’ amended pleading
quotes from those documents and Plaintiffs provide identifying Bates numbers and web
addresses showing precisely where these documents can be found. FAC ¶¶ 40-44. Premera has
attached to its Motion a copy of its Notice of Privacy Practices dated November 20, 2015
(ECF 78-1), the two referenced policy booklets (ECF 78-3 and 78-4), and Premera’s Code of
Conduct dated May 2015 (ECF 78-5). The Court may consider these documents in ruling on
Premera’s Motion.1
a. Causation and reliance
Premera did not expressly and sufficiently raise its argument regarding causation and
reliance in its opening brief.2 Accordingly, the court allowed Plaintiffs to respond at oral
argument, and allowed both parties to submit supplemental briefs after oral argument.
Premera’s argument essentially is that in an affirmative misrepresentation case, without
any allegation that any plaintiff read and relied upon the allegedly false or misleading statements,
a plaintiff cannot show the requisite causation.3 This argument, however, reads a reliance
requirement into the causation element in a CPA claim that the Washington Supreme Court has
not adopted.
1
As a general rule, a district court may not consider any material beyond the pleadings in
ruling on a motion under Rule 12(b)(6) of the Federal Rules of Civil Procedure. Lee v. City of
Los Angeles, 250 F.3d 668, 688-89 (9th Cir. 2001). When matters outside the pleadings are
presented to the court, a motion to dismiss generally must be converted to a motion for summary
judgment under Rule 56, with the parties being given an opportunity to present all pertinent
material. Fed. R. Civ. P. 12(d). There are, however, two exceptions to this rule. First, a court may
consider “material which is properly submitted as part of the complaint.” Lee, 250 F.3d at 688.
This includes both documents physically attached to the complaint and those on which the
complaint “necessarily relies” whose authenticity is not contested. Id. Second, the court may take
judicial notice of “matters of public record” pursuant to Rule 201(b) of the Federal Rules of
Evidence without being required to convert the Rule 12(b)(6) motion into a motion for summary
judgment under Rule 56. Lee, 250 F.3d at 688–89.
2
Premera noted only generally in its introductory section that “Plaintiffs also have not
alleged that any of them even read, heard, saw or relied on any statement that could support a
fraud claim.” ECF 78 at 7. Then, in discussing Plaintiffs’ implied-in-fact contract claim, Premera
argued that Plaintiffs failed to allege a meeting of the minds, citing and quoting the unpublished
appellate decision in Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010), for the
proposition that an implied contract claim must be dismissed “where plaintiffs could not allege
‘they read or even saw the documents’ relied on in their complaint, ‘or that they understood them
as an offer.’” ECF 78 at 24. Premera, however, did not offer any specific argument or authority
for the proposition that Plaintiffs failed to allege causation or reliance in support of their
affirmative misrepresentation claims. It was not until its reply brief that Premera expressly
articulated its argument that without an allegation that any Plaintiff saw the alleged
misrepresentations, those claims must fail. ECF 84 at 10-11.
In Indoor Billboard/Washington, Inc. v. Integra Telecom of Washington, Inc., 162
Wash. 2d 59 (2007), the Washington Supreme Court addressed what is required to prove
causation under Washington’s CPA when there has been an affirmative misrepresentation. In
that case, the court rejected the defendant’s argument that “a plaintiff must establish that the
plaintiff relied on the defendant’s unfair or deceptive act or practice to establish a causal link
with the plaintiff’s injury” and adopted the position argued by amici curiae in that case that a
plaintiff need only establish a causal link between the alleged unfair or deceptive act or practice
and the injury. Id. at 78, 83. The court further held that the causal link required is proximate
causation and that “[a] plaintiff must establish that, but for the defendant’s unfair or deceptive
practice, the plaintiff would not have suffered an injury.” Id. at 83. In addition, the court stated
that “[p]roximate cause is a factual question to be decided by the trier of fact.” Id.
Two years after the Washington Supreme Court decided Indoor Billboard, that court
addressed the issue again in a decision that may be considered somewhat confusing. In this case,
the Washington Supreme Court stated:
Depending on the deceptive practice at issue and the relationship
between the parties, the plaintiff may need to prove reliance to
establish causation, as in Indoor Billboard. Most courts have
concluded a private right of action under state consumer protection
law does not necessarily require proof of reliance, consistently
with legislative intent to ease the burden ordinarily applicable in
cases of fraud.
Panag v. Farmers Ins. Co. of Washington, 166 Wash. 2d 27, 59 n.15 (2009) (citing, among
others, Bob Cohen, Annotation, Right to Private Action under State Consumer Protection Act—
Preconditions to Action, 117 A.L.R.5th 155, § 10, at 222 (2004) (noting jurisdictions, including
Washington, where reliance is not required). Two years after deciding Panag, however, the
Washington Supreme Court clarified that Indoor Billboard “firmly rejected the principle that
reliance is necessarily an element of the plaintiff’s case.” Schnall v. AT & T Wireless Servs., Inc.,
171 Wash. 2d 260, 277 (2011); see also Thornell v. Seattle Serv. Bureau, Inc., 184 Wash. 2d
793, 802 (2015) (“In Indoor Billboard this court rejected the principle that reliance is necessarily
an element of plaintiff’s CPA claim.”).
3
At oral argument, Premera indicated that it also intended to raise this argument with
respect to Plaintiffs’ fraud by omission or half-truth claim. The Court finds that Premera did not
sufficiently raise this argument in its motion. In its reply brief, when Premera articulated its
causation theory, Premera stated: “In any event, the simple fact that no plaintiff alleges he or she
ever saw any of these statements is alone dispositive of their affirmative misrepresentation
claim.” ECF 84 at 10 (emphasis added). Moreover, even if Premera had adequately raised this
argument, it would be rejected. See Vernon v. Qwest Commc’ns Int’l, Inc., 643 F. Supp. 2d 1256,
1268 (W.D. Wash. 2009) (finding that allegations that the defendant failed to disclose a
particular fee before the plaintiffs signed up to use the defendant’s internet service were
sufficient under Washington’s CPA and noting that “Washington courts do not require a plaintiff
to allege individual reliance on Defendants’ conduct, particularly where the non-disclosure of a
material fact is alleged.” (emphasis added)).
Some cases decided in the Western District of Washington have indicated that under
Washington’s CPA, there is some level of reliance required to prove or allege causation. See,
e.g., Kelley v. Microsoft Corp., 251 F.R.D. 544, 558 (W.D. Wash. 2008) (noting that a trier-of-fact would need to determine, among other things, whether each class member saw the allegedly
misleading statement); Minnick v. Clearwire US, LLC, 683 F. Supp. 2d 1179, 1188 (W.D.
Wash. 2010) (finding allegations that alleged misrepresentations on a website were deceptive
insufficient where none of the plaintiffs alleged that they visited the website). These cases,
however, decided before Schnall, do not imply that reliance is always required.
The Court holds that under the facts presented here, reliance is not required. The
Washington CPA’s purpose is “to protect the public and foster fair and honest competition.”
Wash. Rev. Code. § 19.86.020. It is intended to “ease the burden ordinarily applicable in cases of
fraud.” Panag, 166 Wash. 2d at 59 n.15. With this purpose in mind, the Court agrees with the
discussion of causation and reliance in the context of class action certification by United States
District Judge Richard A. Jones. In a relatively recent decision, Judge Jones explained that when
there are substantially identical representations given to all plaintiffs, “the problems associated
with proving reliance may be somewhat relaxed” and is distinguished from “a situation where
each class member must prove the falsity of different representations, . . . but rather must prove
the misleading nature of a substantially identical representation.” Weidenhamer v. Expedia, Inc.,
2015 WL 7157282, at *20 (W.D. Wash. Nov. 13, 2015) (emphasis in original). Here, as
discussed below, the Court is allowing the Policyholder Plaintiffs’ affirmative misrepresentation
claim to proceed for those plaintiffs who received the Preferred Select policy booklet, Privacy
Notice, or Code of Conduct. Plaintiffs allege that the Privacy Notice was sent with the policy
booklet. Thus, the relevant Policyholder Plaintiffs received the same alleged misrepresentations.
Under such circumstances, and because Washington does not require proof of reliance
and holds that proximate causation is an issue of fact, the Court agrees with courts in other
jurisdictions that have held that such claims should not be dismissed unless “it is clear that no
reasonable person would be deceived by defendant’s conduct.” Smith v. Wells Fargo Bank, N.A.,
158 F. Supp. 3d 91, 101 (D. Conn. 2016), aff'd, 2016 WL 7323985 (2d Cir. Dec. 16, 2016); see
also Carrera v. Bayer Corp., 727 F.3d 300, 309 (3d Cir. 2013) (holding that when Florida
consumer protection law does not require actual reliance on the deceptive act, the relevant
question is whether the alleged practice was likely to deceive a consumer acting reasonably in
the same circumstances); Fitzpatrick v. Gen. Mills, Inc., 635 F.3d 1279, 1283 (11th Cir. 2011)
(holding that when reliance is not required, “a plaintiff must simply prove that an objective
reasonable person would have been deceived”); In re Gerber Probiotic Sales Practices Litig.,
2013 WL 4517994, at *9 (D.N.J. Aug. 23, 2013) (noting that “the appropriate inquiry is whether
a reasonable person would be misled by the overall advertising”).
Further, in the context of analyzing class certification, the Central District of California,
applying Washington law (as well as the law of three other relevant states), reached the same
conclusion, holding that for CPA claims “materiality and reliance on alleged misrepresentations
can be proven by reference to a reasonable consumer.” Todd v. Tempur-Sealy Int’l, Inc., 2016
WL 5746364, at *8 (N.D. Cal. Sept. 30, 2016). Here, the Court declines to find that no
reasonable person would be deceived by Premera’s alleged conduct and representations. Thus,
the court declines to dismiss Plaintiffs’ affirmative misrepresentation claims for failing to allege
causation, at least at the motion to dismiss stage of the proceedings.
b. Premera’s policy booklets
Plaintiffs allege that Premera’s policy booklets are sent to its members. FAC ¶ 181.
Plaintiffs further allege that these booklets contain affirmative misrepresentations. Specifically,
Plaintiffs assert that Premera’s “Preferred Select” policy booklet states: “We protect your privacy
by making sure your information stays confidential. We have a company confidentiality policy
and we require all employees to sign it.” FAC ¶ 43 and n.1; see also ECF 78-3 at 59. The
statement that Premera protects policyholders’ privacy and makes sure information stays
confidential is a sufficiently specific representation. Plaintiffs allege that this statement is false
because Premera did not protect its policyholders’ privacy and did not “make sure” that their
information stays confidential. See FAC ¶¶ 75-77, 137-141, 144. Plaintiffs also allege that
Premera knew this statement was false at the time it made the statement because Premera knew
of its inadequate data security measures. These allegations are sufficient under Rule 9(b) to
allege a fraudulent misrepresentation for Policyholder Plaintiffs who were sent this booklet.
Premera’s argument that it did, in fact, reasonably protect the privacy of their policyholders’
Sensitive Information presents a question that is inappropriate to resolve at this stage of the
litigation.
Plaintiffs also allege that the “Preferred Bronze” policy contains a misrepresentation.
FAC ¶ 43 and n.2. This policy states: “To safeguard your privacy, we take care to ensure that
your information remains confidential by having a company confidentiality policy and by
requiring all employees to sign it.” FAC ¶ 43; see also ECF 78-4 at 52. Plaintiffs argue that this
statement is a promise to take care to ensure that the policyholders’ information stays
confidential and it is false because Premera did not take adequate care to protect data security.
Plaintiffs’ argument, however, overlooks the second half of the sentence. Premera promised that
it would ensure confidentiality “by having a company confidentiality policy and by requiring
employees to sign it.” FAC ¶ 43 (emphasis added). Thus, the Preferred Bronze policy contains a
promise to have a company confidentiality policy and to have employees sign that policy.
Plaintiffs do not allege that Premera did not have such a policy or did not require that its
employees sign the policy. Thus, Plaintiffs’ allegations are insufficient to allege fraud by
misrepresentation based on the Preferred Bronze policy booklet.
c. Privacy Notice
Plaintiffs allege that Premera’s Privacy Notice also was provided to its members.
FAC ¶ 181. Plaintiffs allege in Paragraph 40 that the Privacy Notice contained
misrepresentations, including:
Premera is “committed to maintaining the confidentiality of your medical and
financial information”;
Under federal law, Premera “must take measures to protect the privacy of your
personal information” and “[i]n addition, other state and federal privacy laws may
provide additional privacy protection”;
Premera “protect[s] your personal information in a variety of ways,” including
“authoriz[ing] access to your personal information . . . only to the extent necessary to
conduct our business of serving you”;
Premera “take[s] steps to secure our buildings and electronic systems from
unauthorized access”;
Premera “train[s] our employees on our written confidentiality policy and procedures
and employees are subject to discipline if they violate them”;
Premera “will protect the privacy of your information even if you no longer maintain
coverage through us”; and
Premera is required by law to protect the privacy of Sensitive Information, provide
the Privacy Notice to members, and notify members following a breach of Sensitive
Information.
Plaintiffs allege that these statements are false or misleading because Premera was not
committed to protecting Plaintiffs’ Sensitive Information, did not take the appropriate measures
required under federal and state law, did not protect Plaintiffs’ Sensitive Information, did not
properly train its employees, and did not provide adequate notice of the breach. See FAC ¶¶ 75-77, 137-141, 144. Some of these alleged representations are more appropriate for Plaintiffs’
claim of fraud by omission or half-truth (e.g., that Premera represented that under federal law it
was required to protect Plaintiffs’ Sensitive Information while knowing that it was not
adequately complying with those federal laws). Others, however, are representations that, if
false, as Plaintiffs allege, are sufficient to allege a claim of affirmative misrepresentations (e.g.,
that Premera does not limit access to Sensitive Information, train and discipline its employees on
data security, or protect privacy of Sensitive Information after a person no longer has coverage
with Premera). Accordingly, for Plaintiffs who were provided Premera’s Privacy Notice,
Plaintiffs adequately have alleged a claim of affirmative misrepresentation.
d. Code of Conduct
Plaintiffs allege that Premera’s Code of Conduct is found on its website and available to
Premera’s members. FAC ¶ 44 and n.3. Plaintiffs allege this Code of Conduct contains
misrepresentations, including that: (1) Premera is “committed to complying with federal and
state privacy laws”; (2) Premera uses “privacy principles to guide our actions,” including that
customers “should enjoy the full array of privacy protections”; (3) Premera uses, “where
appropriate,” technical and physical security safeguards; (4) Premera is “committed to ensuring
the security of our facilities and electronic systems to prevent unauthorized access”; and
(5) Premera is “expected to be aware of and follow established corporate policies, processes and
procedures” to protect its buildings and computer systems in compliance with the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”).
To prevail on a CPA claim under Washington law, a plaintiff must establish each of the
following elements: “(1) unfair or deceptive act or practice; (2) occurring in trade or commerce;
(3) public interest impact; (4) injury to plaintiff in his or her business or property; [and]
(5) causation.” Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash. 2d 778,
785-93 (Wash. 1986). The first two elements “may be established by a showing that (1) an act or
practice which has a capacity to deceive a substantial portion of the public (2) has occurred in the
conduct of any trade or commerce.” Id. at 785-86. “Whether an alleged act is unfair or deceptive
presents a question of law.” Walker v. Quality Loan Serv. Corp., 176 Wash. App. 294, 318
(2013), as modified (Aug. 26, 2013). “‘Implicit in the definition of ‘deceptive’ under the CPA is
the understanding that the practice misleads or misrepresents something of material
importance.’” Id. (quoting Holiday Resort Cmty. Ass’n v. Echo Lake Assocs., LLC, 134 Wash.
App. 210, 226 (2006)).
Premera argues that its statements in the Code of Conduct are not deceptive both because
they are mere “puffery” or expressions of corporate optimism and because they are not false.
Premera cites to securities fraud cases in which courts have found statements in a code of
conduct or code of ethics not to be material because they are merely expressions of corporate
optimism. To show that an act or statement is “unfair or deceptive” under Washington’s CPA,
however, “[a] plaintiff need not show that the act in question was intended to deceive, but that
the alleged act had the capacity to deceive a substantial portion of the public.” Hangman Ridge,
105 Wash.2d at 785 (emphasis in original) (quotation marks omitted). Thus, the relevant inquiry
is different than in traditional fraud cases—although materiality is an “implicit” element, the
critical factor is whether the alleged statements contained in the Code of Conduct had the
capacity to deceive a substantial portion of the public.
In looking at the statements contained in the Code of Conduct, the Court agrees with
Premera that these are not guarantees and that they are closer to being aspirational statements. Cf.
Lorona v. Arizona Summit Law Sch., LLC, 151 F. Supp. 3d 978, 995 (D. Ariz. 2015) (finding
statement that a for-profit school “believes” lawyers should enter the workplace with sufficient
preparation was aspirational); Nathanson v. Polycom, Inc., 87 F. Supp. 3d 966, 976 (N.D. Cal.
2015) (finding statements in a Code of Business Ethics that company funds must be used for
company purposes, not personal gain, and that employees must ensure that the company receives
good value for its expenditures were “‘inherently aspirational’ and hence immaterial”); Cement
& Concrete Workers Dist. Council Pension, 964 F. Supp. 2d 1128, 1138-39 (N.D. Cal. 2013)
(finding statements in a code of ethics immaterial because they are merely vague statements of
corporate optimism).
In an unpublished opinion, the Washington Court of Appeals recently applied the concept
of “puffery” in the context of a CPA claim. Babb v. Regal Marine Indus., Inc., 179 Wash. App.
1036, 2014 WL 690154, review granted, cause remanded on other grounds, 180 Wash. 2d 1021,
329 P.3d 67 (2014). The court explained that “[g]eneral, subjective, unverifiable claims about a
product or service are ‘mere puffery’ that cannot give rise to false advertising or, in this context,
an unfair or deceptive act.” 2014 WL 690154, at *3. The court found that statements that a
company stands behind its product, strives for exceptional customer services, and prides itself on
being family owned were mere puffery and not actionable. Id. In another case, however, the
Washington Court of Appeals found that statements included in marketing materials that the
company’s goal is to provide homes of the highest quality and workmanship and that home
maintenance would be deferred because of the high quality and workmanship were actionable
under the CPA. Carlile v. Harbour Homes, Inc., 147 Wash. App. 193, 212 (2008) (failing to
discuss the concept of “puffery” in a CPA claim).
The Court finds the statements in Premera’s Code of Conduct to be more similar to those
in Carlile than in Babb. For purposes of a Washington CPA claim, the Code of Conduct
statements have the capacity to deceive if, as Plaintiffs allege, Premera did not provide adequate
data security. A reasonable person, reading these statements, would believe that Premera
provides reasonable and adequate data security. Moreover, whether a company that will be
receiving a person’s most highly sensitive personal information will keep that information secure
is an issue of material importance. Thus, Plaintiffs adequately allege a claim under
Washington’s CPA for alleged deceptive statements in Premera’s Code of Conduct.
2. Active Concealment
As the Court explained in Premera I, active concealment is a species of fraud that
requires more than allegations of an affirmative misrepresentation or “failing to own up to the
truth.” Premera I, 2016 WL 4107717, at *7. The Court granted Plaintiffs leave to replead this
claim, if they could “clearly and explicitly allege what Premera did that constitutes active
concealment, beyond merely making an affirmative misrepresentation or omitting to disclose
material information.” Id.
Plaintiffs argue that they have cured this deficiency by alleging that Premera continued to
provide services and enroll new members despite knowing that it had failed in its obligations to
protect data security. Essentially, Plaintiffs allege that by continuing to do business after learning
about its data security vulnerabilities and breach, Premera actively concealed this information.
But that is nothing more than an allegation that Premera failed or omitted to disclose material
information of which it was aware. Plaintiffs do not allege any active concealment or any act that
Premera engaged in to make it more difficult for Plaintiffs to discover the alleged data security
problems or the nature of the alleged misrepresentations. This is insufficient to allege a claim for
active concealment. Plaintiffs’ claims of active concealment are dismissed.
3. Fraud by Omission
In Premera I, the Court held that in Plaintiffs’ claims of fraud by omission Plaintiffs
adequately had alleged materiality, reliance, the duty to speak, and the duty to avoid making a
material omission. Premera I, 2016 WL 4107717, at *7. The Court found, however, that
Plaintiffs had not alleged a clear articulation of precisely what should have been disclosed to
Plaintiffs in order to prevent the statements that Premera did make from being misleading, i.e. a
half-truth. Id. at 8. To cure this deficiency in their amended pleading, Plaintiffs add
Paragraph 256, which alleges that Premera should have disclosed that it did not implement
industry standard access controls, did not fix known vulnerabilities in its electronic security
protocols, failed to protect against reasonably anticipated threats, and otherwise did not comport
with its assurances regarding protecting information.
Premera argues that Plaintiffs’ new allegations do not cure the deficiency identified by
the Court and are unreasonably vague. The Court disagrees. Plaintiffs’ allegations are sufficient
to articulate what Plaintiffs allege should have been disclosed to prevent Premera’s statements
from being misleading. Premera also argues that its delay in notifying Plaintiffs was reasonable
and necessary to prevent greater harm. Weighing the potential benefits and harm of earlier
disclosure, however, raises an issue that is inappropriate to resolve in a motion to dismiss under
Rule 12(b)(6).
4. Unfair Conduct
Plaintiffs argue that because they have added the allegation that Premera’s conduct that
allegedly violated Washington and other states’ CPA laws was “unfair,” these allegations are not
subject to Rule 9(b). Plaintiffs cite to two cases involving alleged violations of the prohibition
against unfair or deceptive acts or practices affecting commerce contained in section 5 of the
Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45. In In re LabMD, 2016
WL 4128215 (F.T.C. July 29, 2016), the Federal Trade Commission (“FTC”) held that LabMD’s
data security practices constituted an unfair act or practice within the meaning of the FTC Act.
The FTC found that LabMD had failed to use proper detection or monitoring on its computer
system, “provided essentially no data security training to its employees,” and never deleted
customer data. Id. at *1. The FTC then concluded that these practices satisfied the requirements
of 15 U.S.C. § 45(n) that a practice is “unfair” if it causes or is likely to cause substantial injury
to consumers that is not reasonably avoidable by the consumer and the injury is not outweighed
by countervailing benefits to consumers or competition. Id. at *7, 15-23.
In F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), the Third Circuit
analyzed the authority of the FTC and the meaning of “unfair” under the FTC Act and held that a
company’s alleged failure to maintain reasonable and appropriate data security measures could
constitute an unfair act under the FTC Act. Id. at 244-49. In analyzing unfairness, the Third
Circuit stated:
We recognize this analysis of unfairness encompasses some facts
relevant to the FTC’s deceptive practices claim. But facts relevant
to unfairness and deception claims frequently overlap. See, e.g.,
Am. Fin. Servs. Ass’n v. FTC, 767 F.2d 957, 980 n.27 (D.C.
Cir. 1985) (“the FTC has determined that . . . making
unsubstantiated advertising claims may be both an unfair and a
deceptive practice.”); Orkin Exterminating Co. v. FTC, 849 F.2d
1354, 1367 (11th Cir. 1988) (“[A] practice may be both deceptive
and unfair . . . .”). We cannot completely disentangle the two
theories here.
Id. at 245 (alterations in original) (footnote omitted, observing that the FTC and its employees
have sometimes “described deception as a subset of unfairness”).
Plaintiffs argue that because Washington’s CPA directs that courts should be guided by
federal decisions interpreting similar federal laws regarding unfair trade and competition, this
Court should follow courts analyzing the FTC Act and find that the alleged “unfair” conduct is
separate from the alleged “deceptive” conduct and is thus not subject to Rule 9(b). Premera does
not respond to this specific argument and case law, but instead argues generally that Plaintiffs’
allegations “sound in fraud” and Plaintiffs cannot amend their complaint in briefing.
The FTC Act cases relied on by Plaintiffs do not offer guidance about whether the
allegations of “unfair” conduct sound in fraud such that they are subject to Rule 9(b). Those
cases do not even mention Rule 9(b). Instead, they address the question of whether certain
conduct may be considered “unfair” under 15 U.S.C. § 45(n). As the Court discussed in
Premera I, in considering the applicability of Rule 9(b), a court must look to the alleged conduct
underlying the claim—if it is fraudulent conduct, then Rule 9(b) applies. See Premera I, 2016
WL 4107717, at *5 (discussing Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1103 (9th Cir.
2003)). Here, the underlying conduct that Plaintiffs allege is “unfair” is the alleged
misrepresentations, concealment, half-truths, and omissions. This is alleged fraudulent conduct
and the nature of the conduct does not change because Plaintiffs label the same conduct as both
“deceptive” and “unfair.”
The third case cited by Plaintiffs, McGraw Co. v. Aegis Gen. Ins. Agency, 2016
WL 3745063 (N.D. Cal. July 13, 2016), is instructive on this point. The plaintiffs in McGraw
alleged that the defendants had disparaged the plaintiffs in the market place (i.e., trade libel), took
proprietary information from their computers, and “poached” their employees. Id. at *1. The
court held that “[t]he latter two claims do not involve any factual averment of fraud; neither the
information-stealing nor the employee-poaching charges involve factual allegations of
misrepresentation, concealment, or other deception.” Id. at *3. Thus, the court concluded that
Rule 9(b) did not apply to those claims. Id. Here, to the contrary, the “unfair” conduct alleged by
Plaintiffs involves only factual allegations of acts of deception—misrepresentation, concealment,
and omissions. Thus, Rule 9(b) applies to Plaintiffs’ CPA claims that Premera engaged in unfair
conduct. As discussed above, the Court dismisses Plaintiffs’ claims that Premera engaged in the
unfair act of active concealment. The Court does not, however, dismiss Plaintiffs’ claims that
Premera engaged in the unfair acts of affirmative misrepresentation and fraud by omission and
concludes that, except as expressly noted above, Plaintiffs have satisfied the requirements of
Rule 9(b).
5. Conclusion
Plaintiffs sufficiently allege a claim for fraud by omission and claims based on alleged
misrepresentations in statements made in Premera’s Preferred Select policy booklet, Privacy
Notice, and Code of Conduct. Plaintiffs, however, do not sufficiently allege an active
concealment claim or claims based on affirmative misrepresentations contained in statements
made in Premera’s Preferred Bronze policy booklet. Those claims are dismissed.
B. Plaintiffs’ Contract-Based Claims
1. Breach of Express Terms in the Express Contract
In Premera I, the Court agreed with Premera that Plaintiffs had not identified any express
provision in the parties’ health benefit contracts that contains any promise relating to data
security and that Plaintiffs’ references to Premera’s Privacy Notice and Code of Conduct give
rise to the question of whether those documents are part of the parties’ health benefits contract.
2016 WL 4107717, at *9. In response, Plaintiffs added more specific allegations relating to the
policy booklets, Privacy Notice, and Code of Conduct.
a. Policy booklets
The FAC identifies the specific provisions contained in the policy booklets that Plaintiffs
contend were breached. FAC ¶ 43. For the reasons discussed in addressing Plaintiffs’ claims of
affirmative misrepresentation based on the policy booklets, the Court concludes that Plaintiffs
adequately allege a breach of express contract for the Policyholder Plaintiffs who were sent the
Preferred Select policy, but not those who were sent only the Preferred Bronze policy.
b. Privacy Notice
Plaintiffs also allege that Premera made promises in its Privacy Notice that were part of
the health benefits contract and were materially breached. Plaintiffs allege that “Premera sends
its Notice of Privacy Policy and its policy booklets to all members of the Nationwide Premera
Policyholder and Plan Administration Subclass, forming an express contract.” FAC ¶ 181.
Premera argues that because Plaintiffs do not specifically allege that the Privacy Notice was
attached to the policy booklet, Plaintiffs’ allegations are insufficient to support a claim that the
Privacy Notice was sent along with the policy booklet. The Court disagrees. It is a reasonable
inference from Plaintiffs’ allegations in Paragraph 181 that the two documents were sent
together.
Premera also argues that even if the Privacy Notice was sent with the policy booklets, the
policy booklets contain clauses that preclude interpreting any contract among the parties as
including the Privacy Notice. The Preferred Select policy has an integration clause, titled “Entire
Contract,” which states that the contract includes the policy booklet, summary of costs,
application, and “[a]ll attachments and endorsements included now or issued later.” ECF 78-3
at 57. The Preferred Bronze policy does not have this specific clause. Instead, it states that
Premera agrees to “the terms and conditions appearing on this and the following pages, including
any endorsements, amendments, and addenda to this contract which are signed and issued by
Premera Blue Cross.” ECF 78-4 at 2.
The Court is persuaded by the reasoning stated by United States District Judge Ruben
Castillo in the Northern District of Illinois in addressing similar arguments from the defendant
insurance company moving to dismiss a breach of contract claim involving similar policy
provisions and deciding whether a notice of privacy was included in the policy. Judge Castillo
explained:
The matter is complicated, however, because the policy also
expressly incorporates by reference certain extraneous documents.
Specifically, it defines “policy” as “this policy with any attached
application(s), and any riders and endorsements.” The policy’s
table of contents specifies that “[a] copy of the application and any
riders and endorsements follow page 17.” As the documents have
been submitted to the Court, there are several documents following
page 17, including the Privacy Pledge. Based on the manner in
which the Privacy Pledge was given to her, Plaintiff argues that
this document qualifies as an endorsement. Defendant responds
that the Privacy Pledge could not possibly constitute an
endorsement under the plain meaning of that term.
“[A]n endorsement has been defined as being merely an
amendment to an insurance policy; a rider.” Alshwaiyat v. Amer.
Serv. Ins. Co., 986 N.E.2d 182, 191 (Ill. App. Ct. 2013) (internal
quotation marks and citation omitted). A “rider,” in turn, is defined
as “[a]n attachment to some document, such as ... an insurance
policy, that amends or supplements the document.” BLACK’S
LAW DICTIONARY (10th ed. 2014). The Court disagrees with
Defendant that the Privacy Pledge could not possibly satisfy these
definitions. Plaintiff alleges that the Privacy Pledge accompanied
the policy that was mailed to her, and this document can be read to
supplement the policy by providing additional benefits to insureds
regarding the handling of their personal information. The policy
does require that endorsements be approved by Defendant’s
president or one of its vice-presidents, but the Privacy Pledge states
that it was authored by Defendant’s “Chairman, President and
Chief Executive Officer.”
Defendant argues that “an endorsement must be properly attached
to the policy so as to indicate that it and the policy are parts of the
same contract and must be construed together.” But again, Plaintiff
alleges that the Privacy Pledge was sent to her along with the
policy documents, and the Court must accept this allegation as
true. The policy itself states that the documents following page 17
are considered part of the policy, which would appear to include
the Privacy Pledge. Based on Plaintiff’s allegations and the
language of the policy, her claim that the policy incorporated the
Privacy Pledge is not implausible.
Defendant could have avoided any ambiguity by clearly labeling
the documents sent with the policy that were intended to be
incorporated by reference, but it did not do so. Or Defendant could
have drafted an integration clause that did not reference outside
documents, in which case Plaintiff would have been precluded
from relying on outside documents to assert a breach of contract
claim. But that is not how the policy was drafted, and any
ambiguities must be construed against Defendant. Therefore, the
Court rejects Defendant’s argument that the contract documents
foreclose Plaintiff’s claim as a matter of law.
Dolmage v. Combined Ins. Co. of Am., 2016 WL 754731, at *4-6 (N.D. Ill. Feb. 23, 2016)
(emphasis in original) (citations and footnotes omitted).
The Court holds that Plaintiffs have sufficiently alleged that Premera’s Privacy Notice
was expressly attached to and incorporated in the health benefits contracts. Further, for the same
reasons the Court found the representations in the Privacy Notice are sufficiently specific for a
misrepresentation claim, they are also sufficient for a breach of contract claim.
c. Code of Conduct
Regarding the Code of Conduct, as Plaintiffs quote in their FAC, the policy booklets
connect the assurances relating to the protection of policyholders’ Sensitive Information to a
“company confidentiality policy.” Plaintiffs allege that the Code of Conduct “appears to include
the ‘company confidentiality policy’ referenced in the policy booklets.” FAC ¶ 44. Premera
argues that: (1) the mere reference to this policy is insufficient to incorporate clearly and
unequivocally the terms of a company confidentiality policy for Premera employees into the
contract between Premera and its policyholders; (2) the policy is not clearly identified and
Plaintiffs are guessing that the Code of Conduct contains the policy; and (3) even if the Code of
Conduct were incorporated, it does not contain any enforceable promises.
Under Washington law, “‘[i]f the parties to a contract clearly and unequivocally
incorporate by reference into their contract some other document, that document becomes part of
their contract.’” Cedar River Water & Sewer Dist. v. King Cty., 178 Wash. 2d 763, 785 (2013),
as modified (Jan. 22, 2014) (alteration in original) (quoting Satomi Owners Ass’n v. Satomi, LLC,
167 Wash. 2d 781, 801 (2009)). “It must also be clear that the parties to the agreement had
knowledge of and assented to the incorporated terms.” Swinerton Builders Nw., Inc. v. Kitsap
Cty., 168 Wash. App. 1002 (2012) (quotation marks omitted).
Addressing Premera’s first argument, the Preferred Select policy states: “We protect your
privacy by making sure your information stays confidential. We have a company confidentiality
policy and we require all employees to sign it.” FAC ¶ 43. The Court concludes this is an
enforceable promise to protect data security. It is not, however, an incorporation by reference to
the company confidentiality policy. It contains a factual statement that a policy exists. It does not
link any promise made to policyholders or obligation of Premera to the existence or terms of that
confidentiality policy.
The Preferred Bronze policy, on the other hand, states: “To safeguard your privacy, we
take care to ensure that your information remains confidential by having a company
confidentiality policy and by requiring all employees to sign it.” Id. As discussed above, the
Court holds that this is not an enforceable promise to protect data security in and of itself. It
does, however, incorporate by reference the confidentiality policy. The reason the Preferred
Bronze policy, unlike the Preferred Select policy, incorporates the company confidentiality
policy by reference is because Premera is promising to protect the privacy of policyholders’
information by having a company confidentiality policy. Thus, the logical reading of this clause
is that it is the terms of the confidentiality policy that will protect policyholders’ private
information and that the parties intended those terms to be incorporated by reference. See Brown
v. Poston, 44 Wash. 2d 717, 719 (1954) (finding that where subcontractor contracted to perform
plastering work on building “as per plans and specifications,” those documents were thereby
incorporated by reference into the contract); W. Washington Corp. of Seventh-Day Adventists v.
Ferrellgas, Inc., 102 Wash. App. 488, 494 (2000) (finding that where a contract provides that
work will be performed in accordance with other documents, those other documents are clearly
and unequivocally incorporated by reference); Santos v. Sinclair, 76 Wash. App. 320, 325 (1994)
(finding that where legal description of a property was vague, but the property was identified as
“‘Tract(s) 3 of short plat No. 702’ the parties intended to use the more exact legal description of
Tract 3 contained in Short Plat 702” and thus that legal description was incorporated by
reference).
The fact that policyholders are not parties to the confidentiality policy does not prohibit
its incorporation by reference. In fact, “[i]ncorporation by reference allows the parties to
‘incorporate contractual terms by reference to a separate . . . agreement to which they are not
parties, and including a separate document which is unsigned.’” W. Washington Corp. of
Seventh-Day Adventists v. Ferrellgas, Inc., 102 Wash. App. 488, 494 (2000) (quoting 11
WILLISTON ON CONTRACTS § 30:25, at 233–34 (4th ed. 1999)).
Regarding Premera’s second argument, the Court agrees that Plaintiffs’ allegation that the
Code of Conduct “appears” to contain the confidentiality clause incorporated into the Preferred
Bronze policy indicates some doubt by Plaintiffs. Dismissal for inarticulate pleading, however, is
not appropriate. Plaintiffs’ allegations sufficiently place Premera on notice of what document
Plaintiffs are claiming is the confidentiality policy and how it has been breached. Premera’s
argument that the Code of Conduct might not actually contain the referenced confidentiality
policy is more appropriate to consider at summary judgment or trial.
Premera’s final argument, that the Code of Conduct does not contain any enforceable
promises, is well taken. As discussed above, the representations in the Code of Conduct are not
guarantees but are expressions of corporate optimism. Although these statements are sufficiently
alleged to be “deceptive” under Washington’s CPA, they are not enforceable promises sufficient
to support Plaintiffs’ express contract claim.
2. Breach of Implied Terms in the Express Contract
The FAC clarifies that, in the alternative to their claim for breach of express terms in the
express contract, the Policyholder Plaintiffs allege that there was an implied term in their express
contract. FAC ¶ 183. Specifically, the Policyholder Plaintiffs allege that the express contracts
included “implied terms requiring Premera to implement data security adequate to safeguard and
protect the confidentiality of their Sensitive Information, including in accordance with HIPAA
regulations, federal, state and local laws, and industry standards.” Id.
Under Washington law, a court may imply an obligation into a contract when five
requirements are met:
(1) the implication must arise from the language used or it must be
indispensable to effectuate the intention of the parties; (2) it must
appear from the language used that it was so clearly within the
contemplation of the parties that they deemed it unnecessary to
express it; (3) implied covenants can only be justified on the
grounds of legal necessity; (4) a promise can be implied only
where it can be rightfully assumed that it would have been made if
attention had been called to it; (5) there can be no implied covenant
where the subject is completely covered by the contract.
Brown v. Safeway Stores, 94 Wash. 2d 359, 370 (1980); see also Condon v. Condon, 177
Wash. 2d 150, 163 (2013) (“Courts will also not imply obligations into contracts, absent legal
necessity typically resulting from inadequate consideration.”). Legal necessity means “that a
court will find an implied obligation only to save an otherwise invalid contract. Typically this
means a contract otherwise lacking in consideration.” Oliver v. Flow Int’l Corp., 137 Wash.
App. 655, 663 (2006) (rejecting the reasoning of an out-of-state case implying a contractual term
where there is adequate consideration because “in Washington . . . our courts do not imply an
obligation in the absence of legal necessity” and noting that “[t]ypically, a term is implied in
order to supply consideration, without which there would not be a valid contract”).
At oral argument, the Court asked how to reconcile the fact that Washington courts imply
the duty of good faith and fair dealing into every contract, which is not a “legal necessity,” with
the fact that one of the Brown requirements is that a term will not be implied absent legal
necessity. The parties discussed this issue in their supplemental briefing. Neither the parties, nor
the Court, however, has located any analysis performed by the Washington courts of this
apparent tension. What is apparent, however, is that for decades Washington courts have implied
the duty of good faith and fair dealing into every contract. See, e.g., Miller v. Othello Packers,
Inc., 67 Wash. 2d 842, 844 (1966). Thus, in 1980 when the Washington Supreme Court in Brown
enunciated the factors required to imply a term into a contract, taken from a 1975 Washington
Court of Appeals case quoting a California case, the Washington Supreme Court knew about its
longstanding acceptance of the implied duty of good faith and fair dealing.
Moreover, the Washington Supreme Court has explained that “the duty of good faith does
not extend to obligate a party to accept a material change in the terms of its contract. Nor does it
‘inject substantive terms into the parties’ contract.’ Rather, it requires only that the parties
perform in good faith the obligations imposed by their agreement. Thus, the duty arises only in
connection with terms agreed to by the parties.” Badgett v. Sec. State Bank, 116 Wash. 2d 563,
569 (1991) (citations omitted). The reconciliation of these two doctrines may be that the
Washington Supreme Court simply has adopted the widely accepted implied duty of good faith
and fair dealing into every contract, but requires that the five Brown factors be met before
implying any other term into a contract governed by Washington law.
Here, Premera argues that the Policyholder Plaintiffs do not allege legal necessity
because the health benefits contracts are valid and implying a data security obligation is not
required to prevent the contracts from being invalid. Premera also argues that implying a term
into the parties’ contract that requires data security is impermissible because it is essentially
allowing a private right of action to enforce HIPAA requirements, which is expressly prohibited
under that statute.
Plaintiffs respond that the legal necessity requirement is met under Washington law
because HIPAA and other data breach and privacy laws require Premera to protect Plaintiffs’
Sensitive Information. Plaintiffs note that any contract that disavowed such an obligation likely
would be invalid as violating these laws. Assuming without deciding that Plaintiffs’ argument is
correct, Plaintiffs offer no authority for the proposition that if a contract could not expressly
disclaim a particular obligation, a contract that does not expressly include that same obligation
would be invalid. Nor do Plaintiffs provide authority for the proposition that if a clause
disclaiming data security were included in a health insurance contract, a court necessarily would
invalidate the entire contract, as opposed to invalidating only the improper (and unenforceable)
disclaimer. The Court declines to so hold in the context of determining legal necessity for an
implied term. Thus, for those contracts governed by Washington law, the Court declines to imply
a term into the parties’ contracts that would require adequate data security measures be taken.
Plaintiffs, however, also cite to an Oregon case that follows the RESTATEMENT (SECOND)
OF CONTRACTS § 204 [4] to imply a term into a contract without requiring legal necessity.
Harrisburg Educ. Ass’n v. Harrisburg Sch. Dist. No. 7, 186 Or. App. 335 (2003). In Harrisburg,
the court implied a term into the contract, even though the contract would not have otherwise
been invalid. Id. at 347 (“Because it is consistent with the ‘courageous common sense’ principle
articulated in the analogous contractual disputes, and because it best serves the parties’ bargain
and their expectations, this is an appropriate circumstance in which to follow section 204 of the
Restatement.”). Premera does not persuasively respond to the law in Oregon that governs implied
contractual terms or to the law in any state other than Washington.
The Court agrees with Plaintiffs that under the circumstances of this case, it is apparent
that the parties intended that Plaintiffs or their health care providers would give Plaintiffs’
Sensitive Information to Premera and that Premera would take reasonable and adequate steps to
protect the confidentiality of that information. Thus, under Oregon law, this is an appropriate
circumstance in which to follow Section 204 and imply Plaintiffs’ proposed omitted essential
term into the parties’ contract. [5] The Court also notes that although Premera argues that nowhere
did it indicate that it would follow state law or industry standards, that argument is contradicted
by the documents submitted by Premera. For example, the Privacy Notice and Code of Conduct
both expressly reference state law protecting confidential information, and the Code of Conduct
also notes that Premera is expected to be aware of and follow established corporate policies and
procedures to protect confidential information.
[4] The RESTATEMENT (SECOND) OF CONTRACTS § 204 provides: “When the parties to a
bargain sufficiently defined to be a contract have not agreed with respect to a term which is
essential to a determination of their rights and duties, a term which is reasonable in the
circumstances is supplied by the court.”
Premera’s final argument is that implying a data security term into the parties’ contract
would frustrate the purpose of Congress in not allowing a private right of action under HIPAA.
The fact that there is no private right of action under HIPAA, however, does not preclude causes
of action under state law, even if such a cause of action requires as an element that HIPAA was
violated. In Webb v. Smart Document Solutions, LLC, the Ninth Circuit noted that for
jurisdictional purposes a “‘complaint alleging a violation of a federal statute as an element of a
state cause of action, when Congress has determined that there should be no private, federal
cause of action for the violation, does not state a claim arising under the Constitution, laws, or
treaties of the United States.’” 499 F.3d 1078, 1084 (9th Cir. 2007) (quoting Merrell Dow
Pharm. v. Thompson, 478 U.S. 804, 817 (1986)). The court in that case, however, also concluded
that when jurisdiction is not contingent on 28 U.S.C. § 1331 (federal question jurisdiction), the
fact that there is no private right of action under HIPAA does not foreclose a state law claim,
even if that claim requires as an element allegations that HIPAA was violated. Id. (“This
jurisdictional concern is not present here. Had [the defendant] removed this case to federal court
on the basis of federal question jurisdiction under § 1331, the lack of a private right of action to
enforce HIPAA may have foreclosed Plaintiffs’ [state law] claim. However, [the defendant]
invoked diversity jurisdiction pursuant to 28 U.S.C. § 1332(d) to justify the removal.”
(alterations added)). Thus, the Ninth Circuit analyzed whether the plaintiffs’ allegations showed
a violation of HIPAA regulations to determine whether the plaintiffs had stated a claim for relief
under state law. Id. at 1084-88 (noting that “[h]aving satisfied ourselves that we have
jurisdiction, therefore, in accordance with California substantive law, we must analyze the
federal regulations that will decide whether Plaintiffs have stated a claim for relief”). Here, like
in Webb, Plaintiffs do not invoke jurisdiction under § 1331, but instead assert diversity
jurisdiction under 28 U.S.C. § 1332(d) and the Class Action Fairness Act of 2005. Accordingly,
HIPAA’s lack of a private right of action does not foreclose Plaintiffs’ state law breach of
contract claim.
[5] The Court does not reach the issue of whether implying this term is allowable under any
other state’s law because the parties only discussed the state law in Oregon and Washington.
Premera also cites to Astra USA, Inc. v. Santa Clara County, 563 U.S. 110 (2011), and
Grochowski v. Phoenix Constr., 318 F.3d 80 (2d Cir. 2003), to support its argument that a
plaintiff may not label a breach of contract claim what is really a claim for breach of a federal
statute that does not allow a private right of action. These cases are distinguishable.
Astra USA involved form contracts between the government and pharmaceutical
companies that contained no negotiable terms, merely incorporated statutory obligations, and
were the means by which pharmaceutical companies could opt into a federal statutory
program. 563 U.S. at 117-18. The Supreme Court rejected a breach of contract claim where
health providers attempted to enforce as third-party beneficiaries the price-ceiling terms of the
form contracts that incorporated the statute’s obligations. Id. at 118. The Supreme Court
explained:
The County’s argument overlooks that the PPAs simply
incorporate statutory obligations and record the manufacturers’
agreement to abide by them. The form agreements, composed by
HHS, contain no negotiable terms. Like the Medicaid Drug Rebate
Program agreements, the 340B Program agreements serve as the
means by which drug manufacturers opt into the statutory scheme.
A third-party suit to enforce an HHS-drug manufacturer
agreement, therefore, is in essence a suit to enforce the statute
itself. The absence of a private right to enforce the statutory ceiling
price obligations would be rendered meaningless if 340B entities
could overcome that obstacle by suing to enforce the contract’s
ceiling price obligations instead. The statutory and contractual
obligations, in short, are one and the same.
Id. (citation omitted). Similarly, in Grochowski, the Second Circuit held that when a government
contract confirms a statutory obligation, “a third-party private contract action [to enforce that
obligation] would be inconsistent with . . . the legislative scheme . . . to the same extent as would
a cause of action directly under the statute” and “the plaintiffs’ efforts to bring their claims as
state common-law claims are clearly an impermissible ‘end run’ around the [federal
statute].” 318 F.3d at 86.
Here, however, the policy booklets are not government contracts that merely confirm a
statutory obligation or opt-in to a federal statutory scheme. Plaintiffs ask the Court to imply a
term that Premera has agreed to provide reasonable and adequate data security, including data
security that complies with HIPAA as well as with state and local laws and industry standards.
This goes beyond merely confirming Premera’s obligations under HIPAA and thus the fact that
HIPAA does not provide a private right of action does not preclude the Court from implying this
proposed term. See In re: Cmty. Health Sys., Inc., 2016 WL 4732630, at *23 (N.D. Ala. Sept. 12,
2016) (evaluating breach of contract claims for breaching contractual promises reasonably to
protect data and allowing such claims to proceed); Dolmage, 2016 WL 754731, at *9 (same); In
re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 1010-11 (N.D. Cal. 2016) (“Anthem I”)
(rejecting the argument that under the relevant statute exclusive enforcement lies with the
government and finding the plaintiffs could pursue breach of contract claims as third-party
beneficiaries because the contract terms established that the defendant “could be held to privacy
standards above and beyond the standards required under federal law”); accord In re Anthem,
Inc. Data Breach Litig., 2016 WL 3029783, at *20 (N.D. Cal. May 27, 2016) (“Anthem II”) (“A
breach of contract claim based solely upon a pre-existing legal obligation to comply with HIPAA
cannot survive dismissal.” (emphasis in original)); Wiebe v. NDEX West, LLC, 2010 WL
2035992, *3 (C.D. Cal. May 17, 2010) (noting that “plaintiffs must . . . do something more to
allege a breach of contract claim than merely point to allegations of a statutory violation”).
3. Breach of Implied-in-Fact Contract
Plaintiffs also allege in the alternative to their express contract claim that by “providing
their Sensitive Information, and upon Defendant’s acceptance of such information, [the parties]
entered into implied-in-fact contracts for the provision of data security, separate and apart from
any express contracts.” FAC ¶ 198. Plaintiffs further allege that the implied contracts “obligated
Defendant to take reasonable steps to secure and safeguard Class members’ Sensitive
Information,” that “[t]he terms of these implied contracts are further described in the federal
laws, state law, local laws, and industry standards,” and that Premera assented to these terms
through its Privacy Notice, Code of Conduct, and other public statements. FAC ¶ 199.
As the Court explained in Premera I, Washington law recognizes contracts that are
implied in fact. Such contracts are an agreement between parties “arrived at from their acts and
conduct viewed in the light of surrounding circumstances, . . . . it grows out of the intentions of
the parties to the transaction, and there must be a meeting of the minds.” Milone & Tucci, Inc. v.
Bona Fide Builders, Inc., 49 Wash. 2d 363, 367-68 (1956) (emphasis in original) (quotation
marks omitted). An implied-in-fact contract still requires an offer, acceptance within the terms of
the offer and communicated to the offeror, mutual intention to contract, and a meeting of the
minds. Id.
Premera argues that Plaintiffs continue to fail adequately to allege that there was a
meeting of the minds with respect to the alleged implied contract. Specifically, Premera asserts
that because this claim is alleged on behalf of every plaintiff in the putative class, it includes
persons whose Sensitive Information came into Premera’s possession without any relationship
between the parties, such as persons who obtained medical treatment in Washington state who
had a health benefits provider other than Premera and may not have known that Premera was
given their Sensitive Information. At least for such persons, Premera argues, Plaintiffs fail to
allege the formation of an implied-in-fact contract.
Plaintiffs respond that they have alleged that all Plaintiffs “gave” their sensitive
information to Premera and thus Premera did not just “come into possession” of the information.
Although Plaintiffs allege in a conclusory fashion that all of them provided their Sensitive
Information to Premera, Plaintiffs do not allege facts that plausibly suggest that Plaintiffs other
than the Policyholder Plaintiffs gave information to Premera, as opposed to merely obtaining
medical treatment in the state of Washington, giving their Sensitive Information to the
Washington provider, who then may have sent that information to Premera for processing. There
are no allegations of (1) an offer by Premera to accept Sensitive Information from those
Plaintiffs, (2) a mutual intention to agree with those Plaintiffs regarding data security, or (3) any
meeting of the minds between Premera and those plaintiffs regarding data security. Thus, there
are insufficient allegations for any Plaintiffs or putative class members who are not Policyholder
Plaintiffs to demonstrate the formation of an implied-in-fact contract relating to data security.
Plaintiffs’ claim of such an implied-in-fact contract for Plaintiffs other than the Policyholder
Plaintiffs is therefore dismissed.
To the extent Premera intends to assert this argument against Policyholder Plaintiffs,
however, the Court rejects Premera’s position. For those Plaintiffs, there are sufficient
allegations to support an alternative claim of a contract implied-in-fact. The policy booklets,
Code of Conduct, and Privacy Notice all demonstrate Premera’s commitment and intent to take
reasonable and adequate steps to safeguard the Sensitive Information of its policyholders.
Because the contractual relationship between Premera and the Policyholder Plaintiffs necessarily
requires those Plaintiffs (and their doctors) to provide their Sensitive Information to Premera,
Plaintiffs’ allegations that they did so with an understanding and the intent that Premera would
adequately protect that data is a plausible inference.
Premera also argues that this implied-in-fact contract is barred by the preexisting duty
rule. Premera contends that the only specific law cited by Plaintiffs in the FAC is HIPAA, and
thus that is the only law Plaintiffs sufficiently allege with which Premera must comply. Premera
then concludes that because it is already obligated to comply with HIPAA under federal law,
there could be no consideration for the promise to comply with federal law.
Premera is correct that Washington law recognizes the preexisting duty rule and that “the
performance of an act which one party is legally bound to render to the other party is not legal
consideration.” Stephen Haskell Law Offices, PLCC v. Westport Ins. Corp., 2011 WL 1303376,
at *3 (E.D. Wash. Apr. 5, 2011). Premera’s argument, however, overlooks Plaintiffs’ allegations
that include promises other than compliance with HIPAA, such as promises that Premera will
restrict access to Plaintiffs’ Sensitive Information and will train and discipline employees.
Plaintiffs specifically reference in their implied-in-fact contract claim all of Premera’s alleged
promises, including those contained in its Privacy Notice, which include more than just the
protections provided by HIPAA. Thus, Premera’s argument is rejected. See Dolmage, 2016 WL
754731, at *9 (rejecting argument that preexisting duty required dismissal of claim for breach of
contract based on a privacy notice where that notice “contains other provisions unrelated to
Defendant’s compliance with federal law,” including promises to restrict access to confidential
information and to ensure third parties will protect confidential information); see also
RESTATEMENT (SECOND) OF CONTRACTS, § 73, Cmt. b (“The requirement of consideration is
satisfied . . . if the consideration includes a performance in addition to or materially different
from the performance of a legal duty.”).
4. Conclusion
The Policyholder Plaintiffs have sufficiently alleged claims for breach of express contract
for alleged breach of Premera’s obligations contained in the Preferred Select policy and Privacy
Notice. Plaintiffs have not sufficiently alleged claims for breach of express contract for promises
or obligations contained in the Preferred Bronze policy or Code of Conduct. Under Oregon law,
Plaintiffs adequately allege breach of an implied term in their express contract, but this claim is
not adequately alleged under the common law of contract in Washington. In addition, the
Policyholder Plaintiffs sufficiently allege an alternative claim for breach of an implied-in-fact
contract, but the non-Policyholder Plaintiffs have not.
C. ERISA Preemption
Under ERISA § 502(a), a civil enforcement action may be brought: (1) by a participant or
beneficiary . . . (B) to recover benefits due to him under the terms of his plan, to enforce his
rights under the terms of the plan, or to clarify his rights to future benefits under the terms of the
plan. 29 U.S.C. § 1132(a). The Supreme Court has explained that “any state-law cause of action
that duplicates, supplements, or supplants the ERISA civil enforcement remedy conflicts with the
clear congressional intent to make the ERISA remedy exclusive and is therefore preempted.”
Aetna Health Inc. v. Davila, 542 U.S. 200, 207-08 (2004). Complete preemption applies when:
(1) an individual, at some point in time, could have brought the claim under ERISA
§ 502(a)(1)(B); and (2) there is no other independent legal duty that is implicated by a
defendant’s actions. Id. at 211. There is, however, a presumption against federal preemption of
state laws, and the Supreme Court has “made clear that this presumption plays an important role
in ERISA cases.” Gobeille v. Liberty Mut. Ins. Co., 136 S. Ct. 936, 954 (2016) (“In framing
preemption doctrine, the Court does not ‘assum[e] lightly that Congress has derogated state
regulation, but instead . . . addresse[s] claims of pre-emption with the starting presumption that
Congress does not intend to supplant state law[.]” (alterations in original) (citations omitted));
see also Anthem II, 2016 WL 3029783, at *45 (noting that the presumption against preemption
applies “with equal force to cases involving ERISA preemption”).
In their FAC, Plaintiffs identify specific provisions in the policy booklets and in other
documents that Plaintiffs allege were incorporated into the health benefits contract that Plaintiffs
allege were breached by Premera. Thus, argues Premera, Plaintiffs Forseter and Kalowitz[6] are
seeking to enforce rights they assert are due to them under their ERISA plan—specifically, data
security rights. Premera further argues that these claims are completely preempted because they
could have been brought under Section 502(a)(1)(B) of ERISA.
Plaintiffs respond that: (1) Premera waived this argument by not raising it in the previous
motion to dismiss; (2) data protection is not a “benefit” as that term is used in ERISA and thus
Plaintiffs could not bring a claim under Section 502(a); and (3) even if data protection is an
ERISA benefit, complete preemption is not applicable because Plaintiffs allege that Premera’s
duty to protect Plaintiffs’ Sensitive Information arises independently from the ERISA plan
documents.
[Footnote 6] Premera makes this argument only with respect to these two plaintiffs to “simplify the
issues before the Court on this motion,” but Premera anticipates that the Court’s analysis “will
have ramifications for the majority of the other policyholder plaintiffs, who likewise allege they
participate in employer-sponsored health plans.” ECF 78 at 29.
1. Waiver
The Court rejects Plaintiffs’ argument that Premera waived its right to raise a challenge
based on ERISA preemption. Plaintiffs did not identify the express contractual provisions it
contends were breached until the FAC, in which Plaintiffs for the first time relied on
representations made in the policy booklets. Plaintiffs’ original class action complaint did not
reference or quote the policy booklets. Thus, Premera did not waive its ERISA challenge by
failing to raise that argument previously against Plaintiffs’ original complaint.
2. Whether Plaintiffs could have brought a claim under Section 502(a)
Plaintiffs urge the Court to follow the opinion of Anthem II in finding that data security is
not a “benefit” as that term is used in ERISA and that all potential claims under
Section 502(a)(1)(B) necessarily involve a “benefit.” The Court finds Anthem II persuasive in its
discussion of why data security is not a “benefit” under ERISA. Anthem II, 2016 WL 3029783,
at *47 (observing that several of ERISA’s “statutory subsections suggest that benefits must
concern payments for healthcare-related services”).
The Court disagrees, however, that all three types of claims under Section 502(a)(1)(B)
must involve a “benefit.” Section 502(a)(1)(B) provides for three types of claims: (1) to recover
benefits due under the plan; (2) to enforce rights under the terms of the plan; or (3) to clarify
rights to future benefits under the terms of the plan. 29 U.S.C. § 1132(a)(1)(B). As the Supreme
Court has noted, “[t]his provision is relatively straightforward.” Davila, 542 U.S. at 210. The
first and third types of claims involve benefits under the ERISA plan. The second type of claim,
however, more broadly allows a participant or beneficiary to enforce his or her rights under the
plan, without reference to “benefits.” If Congress intended the second type of claim to only
involve the enforcement of benefits, it could easily have stated as much, like it did with the first
and third types of claims. The fact that Congress did not include the term “benefits” in the
second type of claim is presumed intentional under the doctrine of expressio unius est exclusio
alterius. See Russello v. United States, 464 U.S. 16, 23 (1983) (“Where Congress includes
particular language in one section of a statute but omits it in another section of the same Act, it is
generally presumed that Congress acts intentionally and purposely in the disparate inclusion or
exclusion.” (quotation marks omitted)); United States v. Vance Crooked Arm, 788 F.3d 1065,
1075 (9th Cir. 2015) (applying the “longstanding canon” of expressio unius est exclusio alterius
to presume that the exclusion of certain words in one part of a statute was intentional).
Additionally, if the second type of claim is interpreted as solely involving “benefits”
under the plan, then it overlaps with either the first type of claim (looking backward, for benefits
improperly withheld) or the third type of claim (looking forward, to ascertain rights to future
benefits). Thus, there would be no need for the enumerated second type of claim. Interpreting the
statute in this manner violates the surplusage canon of statutory construction, which requires a
court to “avoid a reading [of a statute] that renders some words altogether redundant.” Antonin
Scalia and Bryan A. Garner, READING LAW: THE INTERPRETATION OF LEGAL TEXTS 176 (1st
ed. 2012), citing inter alia, Lowe v. S.E.C., 472 U.S. 181, 208 n. 53 (1985) (Stevens, J.) (“[W]e
must give effect to every word that Congress used in the statute.”); Reiter v. Sonotone Corp., 442
U.S. 330, 339 (1979) (Burger, C.J.) (“In construing a statute we are obliged to give effect, if
possible, to every word Congress used.”).
The Court’s interpretation that the second type of claim does not solely involve rights to
“benefits” is also supported by the Supreme Court’s description of the types of claims under
Section 502(a)(1)(B). The Supreme Court noted that “[i]f a participant or beneficiary believes
that benefits promised to him under the terms of the plan are not provided, he can bring suit
seeking provision of those benefits. A participant or beneficiary can also bring suit generically to
‘enforce his rights’ under the plan, or to clarify any of his rights to future benefits.” Davila, 542
U.S. at 210 (emphasis added). The Supreme Court thus identified the second type of claim as one
that can be brought “generically” and is in addition to a claim for withheld benefits.
The Court in Anthem II found differently—that the second type of claim, to enforce rights
under the terms of the plan, means “enforcing rights to retain benefits” under the plan. Anthem
II, 2016 WL 3029783, at *47. Thus, the court in Anthem II concluded that “all three parts of
ERISA § 502(a) refer to benefits” and that “ERISA complete preemption applies where ERISA
benefits are at issue, and does not apply when ERISA benefits are not at issue.” Id.
In reaching the conclusion that the second type of claim necessarily involved ERISA
benefits, the court in Anthem II relied on the Fifth Circuit’s opinion in Arana v. Ochsner Health
Plan, 338 F.3d 433 (5th Cir. 2003) (en banc). Arana involved a declaratory judgment suit in
which the plaintiff sought a declaration that his medical insurance provider, who had paid the
plaintiff’s medical claims, was required under Louisiana law to release its lien and subrogation
claims against the personal injury settlement the plaintiff had received. Id. at 435-36. The
plaintiff had filed suit in state court, and the defendant insurance company removed the case to
federal court, basing jurisdiction on the argument that ERISA completely preempted the state
law claims. Id. at 436. The district court agreed that ERISA preempted the state law claims and
resolved the claims on the merits. Id. A panel of the Fifth Circuit held that the plaintiff’s claim
was not completely preempted by ERISA. Id. The panel held that the suit was not seeking to
recover benefits under the plan because the plan had already paid out the benefits and was not
seeking to enforce a right under the terms of the plan because the plaintiff was seeking a
declaration that certain plan terms violated Louisiana law and were invalid. Id. The Fifth Circuit
accepted review en banc to consider the jurisdictional issue.
The Fifth Circuit found that the plaintiff’s first claim
can fairly be characterized either as a claim “to recover benefits
due to him under the terms of his plan” or as a claim “to enforce
his rights under the terms of the plan.” As it stands, Arana’s
benefits are under something of a cloud, for OHP is asserting a
right to be reimbursed for the benefits it has paid for his account. It
could be said, then, that although the benefits have already been
paid, Arana has not fully “recovered” them because he has not
obtained the benefits free and clear of OHP’s claims. Alternatively,
one could say that Arana seeks to enforce his rights under the
terms of the plan, for he seeks to determine his entitlement to
retain the benefits based on the terms of the plan
Id. at 438. The court in Anthem II relied on the last sentence to conclude that, as used in ERISA,
a suit to enforce rights under the terms of the plan means seeking to enforce rights to retain
benefits under the plan. Anthem II, 2016 WL 3029783, at *47.
The interpretation of “to enforce his rights under the terms of the plan” as meaning “to
enforce his rights to retain benefits under the plan” adds words that Congress did not include. It
is also not required by the en banc opinion in Arana. The fact that a claim could be considered
both to recover benefits under the plan and to enforce rights under the plan (such as in Arana)
does not mean that a claim to enforce rights under the plan must always be to retain benefits
under the plan.
The Court declines to follow the conclusion in Anthem II that all three types of claims
under Section 502(a) require ERISA benefits to be at issue. Accordingly, the fact that data
security protection is not a “benefit” under ERISA is not determinative of whether complete
ERISA preemption applies in this case.
Plaintiffs’ reliance on Wickens v. Blue Cross of California, Inc., 2015 WL 4255129 (S.D.
Cal. July 14, 2015), is misplaced. Unlike Plaintiffs here, the plaintiff in Wickens did not identify
any express or implied term in his ERISA plan that allegedly had been breached, and the court in
Wickens relied heavily on that fact. The court explained:
Plaintiff asserts an express and implied breach of contract claim.
Although the breach of an express contract cause of action
references the health insurance plan provided by Defendants, it
does not provide any provisions of the contract that was breached.
A careful look at Plaintiff’s claim reveals that it does not relate to
benefits under the plan and does not require an interpretation of the
contract for purposes of benefits.
***
As to enforcing his rights under the plan, Plaintiff does not allege
any express provisions of the plan that were breached.
Id. at *3.
Here, Plaintiffs allege that the express terms of their health benefit plans (including the
allegedly incorporated documents) require Premera to provide reasonable and adequate data
security measures and that those terms have been materially breached. Plaintiffs cite to the
specific provisions they allege have been breached. Premera argues that those provisions are not
promises to provide adequate data security. Thus, the Court must interpret those provisions in the
health benefits contracts to determine whether they include data security promises, the contours
of any promises, and whether the promises were breached. As alleged in this case, Plaintiffs’
claims seek to enforce their alleged rights under their ERISA plan, and interpretation of the plan
is required. Accordingly, at least some of the claims asserted in this case could have been
brought under Section 502(a).
3. Independent Duty
Plaintiffs also argue that Premera had a duty independent from its ERISA plan reasonably
and adequately to protect Plaintiffs’ data privacy, and thus the second part of the Davila test is
not met in this case. This argument is well taken. Plaintiffs have alleged that Premera was
obligated to protect Plaintiffs’ Sensitive Information under HIPAA, various state laws, and
industry standards. Here, the court’s discussion in Wickens is instructive:
“No independent legal duty exists where interpretation of the terms
of the ERISA-regulated benefits plan forms an essential part of the
claim and where the defendant’s liability exists only due to its
administration of the ERISA-regulated plan.” Nielson v. Unum Life
Ins. Co. of Amer., 58 F. Supp. 3d 1152, 1162 (W.D. Wash. 2014)
(quoting Davila, 542 U.S. at 213); Marin Gen. Hosp., 581 F.3d
at 950 (“Since the state-law claims asserted in this case are in no
way based on an obligation under an ERISA plan, and since they
would exist whether or not an ERISA plan existed, they are based
on ‘other independent legal dut[ies]’ within the meaning of
Davila.”).
***
Plaintiff’s breach of contract claim is not based on the
interpretation of the plan for benefits but based on an independent
duty of an entity to protect the personal information of individuals
if such information is required to be provided to the entity
Wickens, 2015 WL 4255129, at *3.
Plaintiffs’ allegations include that Premera, irrespective of the ERISA plan, was obligated
to protect Plaintiffs’ Sensitive Information. This distinguishes Plaintiffs’ claims from those at
issue in Davila because there the potential state law liability “exist[ed] only because of
petitioners’ administration of ERISA-regulated benefit plans” and thus any potential state law
liability “derives entirely from the particular rights and obligations established by the benefit
plans.” Davila, 542 U.S. at 213-14 (emphasis added). Plaintiffs here allege that Premera was
required to protect Plaintiffs’ Sensitive Information under state law, HIPAA, and industry
standards, regardless of what is contained in the health insurance contracts. Plaintiffs’ allegations
are sufficient to show that their claims are not solely and entirely dependent on the ERISA plan.
Id.; see also Nutrishare, Inc. v. Connecticut Gen. Life Ins. Co., 2014 WL 1028351, at *7 (E.D.
Cal. Mar. 14, 2014) (“However, the UCL and fraud claims both involve violations of duties
completely independent of ERISA. CIGNA has alleged that Nutrishare fraudulently
misrepresented the rates for its services. This would be an actionable claim and a violation of a
legal duty regardless of whether an ERISA plan was involved.”).
The Supreme Court instructs that “[i]n order to evaluate whether the normal presumption
against pre-emption has been overcome in a particular [ERISA] case,” a court “must go beyond
the unhelpful text [of ERISA] . . . and look instead to the objectives of the ERISA statute as a
guide to the scope of the state law that Congress understood would [or would not] survive.” De
Buono v. NYSA-ILA Med. and Clinical Servs. Fund, 520 U.S. 806, 813-14 (1997). In a similar
context, involving a claim of invasion of privacy, the Ninth Circuit followed this instruction and
held: “Though there is clearly some relationship between the conduct alleged [invasion of
privacy] and the administration of the plan, it is not enough of a relationship to warrant
preemption. We are certain that the objective of Congress in crafting Section 1144(a) was not to
provide ERISA administrators with blanket immunity from garden variety torts which only
peripherally impact daily plan administration.” Dishman v. Unum Life Ins. Co. of Am., 269 F.3d
974, 984 (9th Cir. 2001); see also Duran v. Cisco Sys., Inc., 2008 WL 4793486, at *4 (C.D. Cal.
Oct. 27, 2008) (finding that claims for negligence and breach of fiduciary duty are not preempted
by ERISA because “[f]inding preemption would immunize defendant from liability for alleged
behavior—negligently allowing a third party to access plaintiff’s personal information—that is
only peripherally related to the administration of the plan” and concluding that “[t]his is not a
result envisioned by Congress”).
The Court similarly finds that although there is some relationship between data security
and the administration of Plaintiffs’ ERISA plans, it is not enough to overcome the presumption
against preemption of state law. Moreover, Plaintiffs have sufficiently alleged an independent
legal duty separate from the ERISA plan that has been implicated by Premera’s alleged actions.
Thus, complete preemption under ERISA does not apply.
At oral argument, Premera cited the Supreme Court’s decision in Ingersoll-Rand Co. v.
McClendon, 498 U.S. 133 (1990), as supporting ERISA preemption in this case. Ingersoll-Rand,
however, is distinguishable. In that case, the Supreme Court explained that preemption would
apply because:
We are not dealing here with a generally applicable statute that
makes no reference to, or indeed functions irrespective of, the
existence of an ERISA plan. . . . Here, the existence of a pension
plan is a critical factor in establishing liability under the State’s
wrongful discharge law. As a result, this cause of action relates not
merely to pension benefits, but to the essence of the pension plan
itself.
Id. at 139-40 (emphasis in original). As discussed above, however, the state statutory and
common law claims here are generally applicable, and they function irrespective of the existence
of an ERISA plan. Further, the state law causes of action alleged by Plaintiffs do not relate to the
“essence of the [ERISA] plan itself.” Accordingly, Ingersoll-Rand does not support Premera’s
argument that complete preemption under ERISA applies in this case.
CONCLUSION
Premera’s Motion to Dismiss (ECF 78) is GRANTED IN PART AND DENIED IN
PART. Premera’s motion is GRANTED against Plaintiffs’ claims as follows: (1) Plaintiffs’
fraud-based claims alleging active concealment of fraud are dismissed; (2) Plaintiffs’ fraud-based
claims alleging affirmative misrepresentations that are contained in Premera’s Preferred
Bronze policy booklet are dismissed; (3) Plaintiffs’ contract-based claims alleging breach of
express contract based on either the Preferred Bronze policy or Premera’s Code of Conduct are
dismissed; (4) Plaintiffs’ contract-based claims alleging breach of an implied term in an express
contract is dismissed for those Plaintiffs whose contract is governed by Washington law; and
(5) the alternative claim for breach of an implied-in-fact contract asserted by Plaintiffs other than
the Policyholder Plaintiffs is dismissed. Premera’s Motion to Dismiss is DENIED in all other
respects.
IT IS SO ORDERED.
DATED this 9th day of February, 2017.
/s/ Michael H. Simon
Michael H. Simon
United States District Judge