UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF IDAHO
MILES BLACK, individually and on behalf of all others similarly situated, and Case No. 1:23-cv-00384-AKB MELISSA BLACK, individually and on behalf of all others similarly situated, MEMORANDUM DECISION AND ORDER Plaintiffs,
v.
IEC GROUP, INC., d/b/a Ameriben,
Defendant.
Pending before the Court is Defendant IEC Group, Inc., d/b/a Ameriben’s Motion to Dismiss Plaintiffs’ First Amended Class Action Complaint (Dkt. 41). The Court finds oral argument would not significantly aid its decision-making process and decides the motion on the parties’ briefing. Dist. Idaho Loc. Civ. R. 7.1(d)(1)(B); see also Fed. R. Civ. P. 78(b) (“By rule or order, the court may provide for submitting and determining motions on briefs, without oral hearings.”). For the reasons discussed below, the Court grants Ameriben’s motion to dismiss. I. BACKGROUND Plaintiff IEC Group, Inc., d/b/a Ameriben (“Ameriben”) contracts with employers to provide health insurance administration services (Dkt. 38 at ¶¶ 8, 21). Plaintiffs Miles Black and Melissa Black (“Plaintiffs”) received health insurance benefits from a plan that Ameriben administered (id. at ¶¶ 1-2, 8). In August 2023, Ameriben notified Plaintiffs that certain
MEMORANDUM DECISION AND ORDER - 1 information related to them was part of a data breach (id. at ¶¶ 11, 25-26). The breach occurred in December 2022 when an Ameriben employee emailed a spreadsheet containing “a claims report” to “one or more members” (Id. at ¶ 24; Dkt. 38-1 at 2). The spreadsheet was filtered to show only the recipient’s personal information (id.).
In July 2023, however, Ameriben discovered the spreadsheet could possibly be unfiltered to display the personal information of other members, including Plaintiffs. (Dkt. 38 at ¶ 24; Dkt. 38-1 at 2-7). On August 14, 2023, Ameriben sent a letter to Plaintiffs notifying them of the potential disclosure of their information, explaining how to protect their identity, and advising them of their right to receive one or more free credit reports from each of the major credit reporting bureaus (id. at 3). Further, Ameriben explained the personal information potentially disclosed included the Plaintiffs’ “first and last name, the employee’s first and last name (if someone other than [the Plaintiffs]), a unique tracking (‘cert’) number, provider name, claim number, date of service, and the amount billed or paid” (hereinafter, “patient information”) (id. at 2). Approximately ten days later, on August 25, 2023, Plaintiffs filed their initial complaint on
behalf of themselves and a putative class of similarly situated individuals (Dkt. 1 at ¶ 7). They alleged Ameriben failed “to properly secure and safeguard customers’ sensitive personally identifiable information,” including “their names, sensitive financial information, and protected health information” such as “customers' member[] identification numbers, healthcare provider, and health insurance information” (id.). Based on this disclosure of information, Plaintiffs alleged numerous claims for relief, including negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment/quasi contract, and violation of Florida statutory law (id. at ¶¶ 118-214).
MEMORANDUM DECISION AND ORDER - 2 Ameriben moved to dismiss Plaintiffs’ initial complaint under Rule 12(b)(1) and (b)(6) of the Federal Rules of Civil Procedure, arguing Plaintiffs lack standing and fail to state a claim for relief (Dkt. 24). The Court granted Ameriben’s motion to dismiss because (1) the nature of the information Ameriben allegedly disclosed did not give rise to a credible threat of fraud or identity
theft; (2) the context in which Ameriben’s data breach occurred makes it unlikely the Plaintiffs’ information would be stolen or misused; and (3) Plaintiffs’ mitigation costs and their fear, anxiety, and stress did not establish an injury-in-fact (Dkt. 37). The Court granted leave for Plaintiffs to file an amended complaint addressing the deficiencies identified in the Court’s order (id.). Plaintiffs filed an amended complaint (Dkt. 38). They realleged the principal claims from their initial complaint: negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment/quasi contract, declaratory and injunctive relief, and violations of the Florida Deceptive and Unfair Trade Practices Act (id. at ¶¶ 118-214). Among other changes, Plaintiffs cite public sources explaining an increase in security incidents in the medical field (id. at ¶¶ 38-39); cite public sources that patient data is valuable on the black
market (id. at ¶¶ 47-48, 51); allege Ameriben’s disclosure caused Mrs. Black to suffer anxiety and stress (id. at ¶ 91); and contend Ameriben committed negligence by “failing to use reasonable measures” in violation of Health Insurance Portability and Accountability (“HIPAA”) regulations (id. at ¶ 149). Plaintiffs argue that these amendments clarify the “sensitive nature” of the Plaintiffs’ patient information, the risks related to public knowledge of Plaintiffs’ medical treatments, and the risks of medical identity theft (Dkt. 43 at 1). Ameriben moves to dismiss Plaintiffs’ amended complaint under Rule 12(b)(1) and 12(b)(6) (Dkt. 41).
MEMORANDUM DECISION AND ORDER - 3 II. LEGAL STANDARD A motion to dismiss under Rule 12(b)(1) challenges the Court’s subject matter jurisdiction. The plaintiff bears the burden of establishing that subject matter jurisdiction exists. Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994). A motion to dismiss for lack of standing
is properly brought under Rule 12(b)(1) because standing is a jurisdictional matter. Fed. R. Civ. P. 12(b)(1). A jurisdictional challenge may be facial or factual. Leite v. Crane Co., 749 F.3d 1117, 1121 (9th Cir. 2014). “A ‘facial’ attack accepts the truth of the plaintiff’s allegations but asserts that they are insufficient on their face to invoke federal jurisdiction.” Id. “A ‘factual’ attack, by contrast, contests the truth of the plaintiff’s factual allegations, usually by introducing evidence outside the pleadings.” Id. III. ANALYSIS A. Plaintiffs’ Standing Ameriben facially challenges the Plaintiffs’ standing to assert their claims. (Dkt. 41-1 at 5- 7). While Article III of the United States Constitution grants federal courts the power to redress
harms that defendants cause plaintiffs, it does not grant courts any “freewheeling power to hold defendants accountable for legal infractions.” TransUnion LLC v. Ramirez, 594 U.S. 413, 427 (2021) (citing Casillas v. Madison Ave. Assocs., Inc., 926 F.3d 329, 332 (7th Cir. 2019)). Article III limits federal courts to hearing only “cases” and “controversies.” U.S. Const. art. III, § 2. The “essential and unchanging part of the case-or-controversy requirement of Article III” underpins the doctrine of standing. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). A plaintiff’s standing is a jurisdictional question—it precedes any analysis on the merits of a case. Maya v. Centex Corp., 658 F.3d 1060, 1067-68 (9th Cir. 2011).
MEMORANDUM DECISION AND ORDER - 4 The party invoking federal jurisdiction has the burden to show standing. TransUnion, 594 U.S. at 430-31. Standing is not dispensed “in gross.” Davis v. Fed. Election Comm’n, 554 U.S. 724, 734 (2008) (citing Lewis v. Casey, 518 U.S. 343, 358 n.6 (1996)). To meet this jurisdictional requirement, a plaintiff “must demonstrate standing for each claim that they press and for each
form of relief that they seek (for example, injunctive relief and damages).” TransUnion LLC., 594 U.S. at 431. Further, a court lacks jurisdiction over a class action where no named plaintiff has standing. Frank v. Gaos, 586 U.S. 485, 492 (2019) (citing Simon v. Eastern Ky. Welfare Rights Organization, 426 U.S. 26, 40, n.20 (1976)). To satisfy Article III’s standing requirement, “a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC, 594 U.S. at 423. “To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016)
(internal quotation marks omitted). 1. Plaintiff’s Injury-in-Fact Ameriben argues Plaintiffs have no standing to bring this case because they cannot allege “any concrete injury in fact” (Dkt. 41-1 at 5). While a concrete injury may include tangible or intangible harms, it must be real and not abstract. TransUnion, 594 U.S. at 424 (internal citations omitted). In a suit for damages, a concrete harm demands more than mere risk of future harm. In re California Pizza Kitchen Data Breach Litig., 129 F.4th 667, 678 (9th Cir. 2025) (citing TransUnion, 594 U.S. at 437). A plaintiff must allege an injury-in-fact showing a “certainly
MEMORANDUM DECISION AND ORDER - 5 impending” or “substantial risk” of harm. Black v. IEC Grp., Inc., No. 1:23-CV-00384-AKB, 2024 WL 3623361, at *5-6 (D. Idaho July 30, 2024). Plaintiffs contend that under “binding Ninth Circuit precedent,” Plaintiffs have suffered a constitutionally sufficient harm (Dkt. 43 at 5-6 (citing Krottner v. Starbucks Corp., 628 F.3d 1139
(9th Cir. 2010), and In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018)). Plaintiff cites a more recent Ninth Circuit case, which itself relies on Krottner and Zappos.com, to argue these two older cases remain good law (Dkt. 43 at 5-6) (citing Greenstein v. Noblr Reciprocal Exch., No. 22- 17023, 2024 WL 3886977, at *1 (9th Cir. Aug. 21, 2024)). Relatedly, Plaintiffs cite In re Facebook, Inc. Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 784 (N.D. Cal. 2019), for the contention that unauthorized disclosure “alone satisfies the injury in fact element of standing,” (Dkt. 43 at 8). In Krottner, plaintiffs brought a putative class action against Starbucks for negligence and breach of contract after a laptop containing the names, addresses, and social security numbers of approximately 97,000 former Starbucks employees was stolen. The plaintiffs alleged they were
vigilant in checking their financial accounts or were otherwise anxious of being a victim of fraud. 628 F.3d at 1140-41. In addressing the plaintiffs’ allegations, the Ninth Circuit noted the only alleged “present” injury was that one plaintiff alleged anxiety and stress; the plaintiffs’ “remaining allegations concern[ed] their increased risk of future identity theft.” Id. at 1142. Regarding this risk of future harm, the Ninth Circuit ruled that “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.” Id. at 1143 (quoting Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007)). Accordingly, the
MEMORANDUM DECISION AND ORDER - 6 Ninth Circuit ruled that “because the plaintiffs had alleged an act that increased their risk of future harm, they had alleged an injury-in-fact sufficient to confer standing.” Id. at 639. Subsequently, the Ninth Circuit in Zappos.com, Inc. addressed standing in an analogous context. In Zappos.com, hackers targeted the servers of Zappos, a retailer, and stole the personal
information of more than 24 million Zappos customers, including their “names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.” 888 F.3d at 1023. Concluding Krottner remained good law, the Ninth Circuit in Zappos.com noted that “the sensitivity of the personal information, combined with its theft, led [it] to conclude that the plaintiffs had adequately alleged an injury in fact in standing” in Krottner. Zappos.com, 888 F.3d at 1027 (emphasis added). In other words, the Court in Zappos.com considered both the nature of the sensitive information and the context in which it was disclosed, i.e, by theft. Relying on Krottner, the Ninth Circuit concluded in Zappos.com that the plaintiffs had alleged the theft of the type of information, including their credit card information, which could be used to commit identity theft. Id. As a result, the plaintiffs had alleged
an injury-in-fact. Id. Following Krottner and Zappos.com, the Supreme Court addressed the requisite showing of an injury-in-fact for establishing standing in TransUnion. In that case, a class of 8,185 individuals sued TransUnion, claiming it “failed to use reasonable procedures to ensure the accuracy of their credit files.” Id. at 417. The Court explained that in determining “the concrete- harm requirement” for standing, “courts should assess whether the alleged injury to the plaintiff has a ‘close relationship’ to harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” Id. at 424. Considering whether those class members whose credit files were
MEMORANDUM DECISION AND ORDER - 7 not provided to third parties had standing, the TransUnion Court concluded they did not. Id. at 437. It ruled that those “plaintiffs did not demonstrate that the risk of future harm materialized,” i.e., they did not establish TransUnion had ever provided inaccurate information to third parties. Id. Further, the Court ruled the risk of future harm of dissemination to third parties was too
speculative to support Article III standing for their damage claims. Id. at 438. More recently, the Ninth Circuit addressed a putative class action following a targeted cyberattack in Greenstein, 2024 WL 3886977, at *1. The Greenstein plaintiffs alleged negligence and violations of federal and state consumer protection laws after anonymous intruders were able to access their driver’s license numbers during a cyberattack. Id. Plaintiffs argued that their “actual injury” stemmed “from having [their personal information] exposed” during the attack. Id. at *2. The court explained that, under Krottner, plaintiffs “whose personal information has been stolen but not misused” can establish injury only if they “face[ ] a credible threat of harm, and that harm is both real and immediate, not conjectural or hypothetical.” Id. at *1 (citing Krottner, 628 F.3d at 1143). The court concluded Plaintiffs could not rely on the “future risk of identity theft” to
establish an actual or imminent injury because, unlike the plaintiffs in Krottner and Zappos.com, they did not allege their driver license numbers were among those stolen by the attackers. Id. The court affirmed the lower court’s dismissal of plaintiffs’ complaint because their allegations presented the kind of “far less credible” allegations of imminent injury than Krottner envisioned. Id. Notwithstanding the impact of the Supreme Court’s decision in TransUnion, Plaintiffs submit an unjustifiably broad reading of Krottner, Zappos.com, Greenstein, and related lower court cases by arguing that theft of personal information is a sufficient condition to show injury in
MEMORANDUM DECISION AND ORDER - 8 fact (Dkt. 43 at 6, 8). These cases support a narrower rule: to allege a concrete injury from disclosure of personal information, a plaintiff must show the nature of the information disclosed, the context of the disclosure, and other alleged injuries associated with the disclosure demonstrate an imminent and substantial injury. Greenstein, 2024 WL 3886977, at *1 (explaining “the
sensitivity of the personal information, combined with its theft,” can establish an injury when it creates “a substantial risk that . . . hackers will commit identity fraud or identity theft” in the future) (citing Zappos.com, 888 F.3d at 1027, 1029). For the following reasons, the Court finds that Plaintiffs have not met this burden. a. Nature of Information Disclosed Whether a plaintiff establishes future harm is likely, and thus a concrete injury, turns on the type of personal information compromised. Greenstein v. Noblr Reciprocal Exchange, 585 F. Supp. 3d 1220, 1227 (N.D. Cal. 2022). “[I]n data breach cases, courts must examine the nature of the specific information at issue to determine whether privacy interests were implicated at all. Otherwise, every data breach . . . would confer standing, regardless of whether private information
is exposed.” I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034, 1050 (N.D. Cal. 2022) Here, Plaintiffs’ amended complaint refers to the value of patient information on the black market, but they do not explain how the specific information at issue here—Plaintiffs’ member identification numbers, health provider, and health insurance information—is conducive to medical identity theft (Dkt. 38 at 3, 6). Plaintiffs cite public sources that allude to crimes using confidential information, such as social security numbers (id. at ¶ 51) (explaining “personally identifiable information and Social Security numbers are worth more than 10x on the black market”), but Plaintiffs do not support their assertions regarding the patient information at issue in
MEMORANDUM DECISION AND ORDER - 9 their case. Instead, Plaintiffs submit broad assertions that the patient information at issue here can reveal personal and private information about Plaintiffs’ treatments and diagnoses, that disclosure is highly offensive to a reasonable person, and patient information is conducive to committing medical identity theft (id.). Plaintiffs’ allegations are, in general, reformulations of their initial allegations.1 The Court finds these arguments unpersuasive for similar reasons the Court stated in
its dismissal of Plaintiffs’ initial complaint (Dkt. 37 at 8-10). While a social security number, date of birth, or passwords pose an inherent risk of fraud, a patient’s name, references to a patient being insured, review time, and total amount billed do not raise the same sensitivity concerns. See, e.g., Patterson v. Med. Rev. Inst. of Am., LLC, No. 22- CV-00413-MMC, 2022 WL 2267673, at *2 (holding “name, date, reference to plaintiff being insured/patient, review time, and total amount to be billed” not sufficiently sensitive). To the extent Plaintiff draws comparisons between the instant case and cases where a court found a sufficient injury, those cases involved information distinct from the instant case. See, e.g., Krottner, 628 F.3d at 1140-41 (addressing theft of names, addresses, and social security numbers); Zappos.com, 888
F.3d at 1023 (addressing theft of billing information, credit card numbers, and account passwords). Plaintiffs repeat their assertions that their patient information “is the type of information that can be used to commit medical identity theft” (Dkt. 43 at 5, 12-15). As the Court previously explained, disclosure of certain health-related information may raise privacy concerns, but “this
1 Additionally, Plaintiffs’ amended complaint suggests Ameriben violated Title II of HIPAA by failing to keep their information confidential (Dkt. 38 at ¶¶ 59, 149). HIPAA, however, contains no private cause of action or a means to confer standing without a concrete injury. Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1081 (9th Cir. 2007).
MEMORANDUM DECISION AND ORDER - 10 information is not the type of information hackers generally rely on to steal identity or to access financial resources.” Black, 2024 WL 3623361, at *4 (citing Greenstein, 585 F. Supp. 3d at 1227). This Court also rejected Plaintiffs’ suggestion that any disclosure of health information is so offensive that it can establish standing for a privacy claim.2 Black, 2024 WL 3623361, at *4 (citing
Zynga, 600 F. Supp. 3d at 1049). Plaintiffs’ reliance on Tsao v. Capitva MVP Rest. Partners, LLC, 986 F.3d 1332, 1343 (11th Cir. 2021) and Attias v. Carefirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017), does not warrant a different analysis (Dkt. 43 at 9). The court in Tsao explained the plaintiff had “not met his burden” to show there was a substantial risk of harm, or certainly impending harm, because, among other reasons, it was unlikely that the credit card numbers stolen in the breach “raise[d] a substantial risk of identity theft.” 986 F.3d at 1343. Conversely, the court in Attias found plaintiffs had met their burden to show standing because hackers had stolen their “names, birthdates, email addresses, social security numbers, and credit card information” from the defendant’s computer systems, “plac[ing] plaintiffs at a high risk of financial fraud.” 865 F.3d at 623, 628. Neither case
suggests a less rigorous analysis applies to medical-related information. The information Ameriben allegedly disclosed is not sufficiently sensitive to give hackers the means to commit fraud or identity theft. Accordingly, the Court finds Plaintiffs have not alleged a sufficient injury-in-fact.
2 Plaintiff cites St. Aubin v. Carbon Health Techs., Inc., No. 24-CV-00667-JST, 2024 WL 4369675 (N.D. Cal. Oct. 1, 2024) for the proposition that unauthorized disclosure of medical information is highly offensive. That case did not address the standing of any plaintiff, including the plaintiff’s alleged injury.
MEMORANDUM DECISION AND ORDER - 11 b. Context of Disclosure The context of an alleged disclosure shapes the plaintiff’s risk of injury. See Greenstein, 2024 WL 3886977, at *1. A “highly attenuated chain of possibilities” does not support an allegation that harm is substantial or imminent. Clapper v. Amnesty Int’l, 568 U.S. 398, 410 (2013).
Where a plaintiff makes unsubstantiated claims as to how an independent actor may misuse information, that speculation does not show a substantial risk of harm. Id. at 414 n.5; see also Beck v. McDonald, 848 F.3d 262, 273-74 (4th Cir. 2017) (finding plaintiffs’ failure to allege “the data thief intentionally targeted the personal information” rendered risk of future identity theft too speculative); Dearing v. Magellan Health Inc., No. CV-20-00747-PHX-SPL, 2020 WL 7041059, at *2-3 (D. Ariz. Sept. 3, 2020) (ruling risk not substantial or certainly impending where plaintiffs’ information was not “deliberately targeted” or “even stolen”). In other words, where a plaintiff alleges their information was among items targeted and stolen by a bad actor, the future risk of identity theft is high. Greenstein, 2024 WL 3886977, at *1; see also Dearing, 2020 WL 7041059, at *2 (explaining that to find risk of fraud and identity theft,
“the data must be actually stolen and taken in a manner that suggests it will be misused”) (internal quotation marks omitted). Courts routinely find allegations “too speculative” where cases do not involve “hackers” or “theft of” sensitive information. See, e.g., In re Facebook, Inc., 402 F. Supp. 3d at 784 (“Regarding the risk of identity theft, this is not a case involving, say, hackers, and it is not a case about the theft of, say, social security or credit card numbers.”); Stasi v. Inmediata Health Grp. Corp., No. 19CV2353 JM (LL), 2020 WL 2126317, at *6 (S.D. Cal. May 5, 2020) (“The instant case is also distinguishable from Krottner and Zappos.com because Plaintiffs do not allege their information was stolen or hacked.”).
MEMORANDUM DECISION AND ORDER - 12 Plaintiffs cite In re Adobe Systems, Inc. Privacy Litigation¸66 F. Supp. 3d 1197 (N.D. Cal. 2014) and In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F. Supp. 2d 942 (S.D. Cal. 2014), for the premise that actual misuse of patient information is not required (Dkt. 43 at 8). The Adobe court addressed “hackers” gaining access to the defendant's servers;
hackers stealing “names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates”; and independent researchers discovering stolen information online. 66 F. Supp. 3d at 1214-15. The court in Sony addressed a similar “criminal intrusion” where hackers stole names, addresses, birth dates, and credit card information. 996 F. Supp. 2d at 953-55. While neither the Adobe nor Sony courts asked plaintiffs to show they were “literally certain” that harms would occur, both found harm was “certainly impending” because an incident involved an intrusion by hackers, who stole sensitive data. Adobe, 66 F. Supp. 3d at 1215 (citing Clapper, 133 S. Ct. at 1150 n.5). Here, Plaintiffs’ alleged harm has not changed despite the amended complaint adding details regarding the general risks associated with sharing medical data. Ameriben’s post-
disclosure notice, which Plaintiffs cite, states Ameriben had “no reason to believe that someone has or will misuse your healthcare data” (Dkt. 38-1 at 2). Plaintiffs assert that the patient information is valuable on the black market (Dkt. 38 at 12-15), but they do not allege how the information will be used for nefarious purposes. They do not explain to whom the patient information was disclosed, why it is likely subject to misuse, or why individuals are likely to share Plaintiffs’ medical diagnoses with the public.
MEMORANDUM DECISION AND ORDER - 13 Neither the nature of the information Ameriben disclosed, nor the context in which Ameriben disclosed it, establishes that Plaintiffs are subject to an imminent risk of harm that is not conjectural or hypothetical. Accordingly, Plaintiffs have failed to allege injury-in-fact for standing. c. Other Alleged Injuries
“Only when the risk of future harm is not speculative can the cost of mitigation efforts form a basis for standing.” Greenstein, 2024 WL 3886977, at *3. A plaintiff cannot manufacture standing based on a hypothetical future harm. Clapper, 568 U.S. at 416 (ruling plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending”); Antman v. Uber Technologies, Inc., No. 3:15-CV- 01175-LB, 2015 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) (ruling “mitigation expenses do not qualify as injury; the risk of identity theft must first be real and imminent, and not speculative, before mitigation costs establish injury in fact”). Plaintiffs contend they have spent, and will continue to spend, “considerable time and money to mitigate the risk of identity theft by monitoring bank statements, other financial
accounts, and changing passwords” (Dkt. 43 at 9-10) (citing Dkt. 38 at ¶¶ 88, 91, 100, 103). Plaintiffs attempt to distinguish their instant case from Clapper by asserting that Plaintiffs’ costs were not incurred to “manufacture standing” but “were reasonably incurred to mitigate or avoid the substantial risk of harm” (id. at 10). Mitigation costs and emotional distress may only qualify as concrete injuries when they are “based on a risk of harm that is either ‘certainly impending’ or ‘substantial.’” Zynga, 600 F. Supp. 3d at 1052 (citing Clapper, 568 U.S. at 422). The Court in Clapper explained that plaintiffs may reasonably incur costs to mitigate or avoid harm, but a claim for injury falls short when a
MEMORANDUM DECISION AND ORDER - 14 plaintiff fails to establish a substantial risk that the harm will occur. 568 U.S. at 414 n.5. Thus, a theory for injury based on mitigation will fail where the theory relies on a faulty claim that harm is certainly impending or substantial. Zynga, 600 F. Supp. 3d at 1052 (explaining “no Article III standing exists if a plaintiff's theory of injury rests on an ‘attenuated chain of inferences necessary
to find harm’”) (internal citations omitted). Here, Plaintiffs allege they made efforts to mitigate their risk of identity theft by engaging in certain conduct. Plaintiffs’ amended complaint largely repeats their contentions regarding their emotional distress and time spent to ameliorate the alleged disclosure (Dkt. 38 at ¶ 18). The Court already considered and rejected these arguments as a basis to assert standing (Dkt. 37 at 11-12). Plaintiffs’ amended complaint does not establish a risk that harm will occur, so claims regarding mitigation costs are insufficient to establish standing because they were not reasonably incurred to mitigate or avoid substantial risk of harm. Accordingly, Plaintiffs’ other alleged injuries fail to establish standing here. IV. CONCLUSION
For the foregoing reasons, the Court concludes that Plaintiffs lack standing to bring their claims for damages and injunctive and declaratory relief. Accordingly, the Court grants Ameriben’s motion to dismiss (Dkt. 41). Because the Court previously granted Plaintiffs leave to amend, the Court finds dismissal with prejudice is appropriate. Allen v. City of Beverly Hills, 911 F.2d 367, 373 (9th Cir. 1990). The Court shall issue a separate judgment dismissing the case in its entirety.
MEMORANDUM DECISION AND ORDER - 15 V. ORDER IT IS ORDERED that: 1. Defendant’s Motion to Dismiss Plaintiffs’ First Amended Class Action Complaint (Dkt. 41) is GRANTED. Plaintiffs’ Complaint is dismissed with prejudice, and the case is DISMISSED IN ITS ENTIRETY.
SE DATED: August 21, 2025 44 y ey } OnankeS Prabfor hk Ze Amanda K. Brailsford RiCT U.S. District Court Judge
MEMORANDUM DECISION AND ORDER - 16