UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF CALIFORNIA

JANE DOE, on behalf of herself and all others similarly situated,
Plaintiff,
v.
NORTHERN CALIFORNIA FERTILITY MEDICAL CENTER,
Defendant.

No. 22-cv-01861-DAD-JDP

ORDER DENYING DEFENDANT’S MOTION TO DISMISS PLAINTIFF’S FIRST AMENDED COMPLAINT

(Doc. No. 23)

This matter is before the court on the motion to dismiss filed by defendant Northern California Fertility Medical Center on January 1, 2023. (Doc. No. 23.) On March 22, 2023, the pending motion was taken under submission on the papers. (Doc. No. 32.) For the reasons explained below, defendant’s motion to dismiss will be denied.

BACKGROUND

On December 19, 2022, plaintiff Jane Doe filed her operative first amended complaint (“FAC”), alleging that defendant failed to safeguard her sensitive medical information from cybercriminals. (Doc. No. 16.) In her FAC, plaintiff alleges the following.

Defendant is a fertility clinic offering a full range of infertility services, including reversals of tubal ligations or vasectomies, ovulation induction, artificial insemination, in vitro fertilization (“IVF”), and IVF with egg donation and egg freezing. (Id. at ¶ 9.) As a healthcare provider, defendant creates, maintains, preserves, and stores highly sensitive information regarding its patients’ fertility treatments. (Id. at ¶¶ 11–12.)

Plaintiff is a former patient of defendant’s and paid defendant in exchange for fertility treatment. (Id. at ¶¶ 2, 81.) In order to receive this treatment, plaintiff was required to provide sensitive information to defendant and permit it to store that information in digital files. (Id. at ¶ 82.) Plaintiff believed that defendant would implement reasonable safeguards to keep her information secure. (Id. at ¶ 83.)
Had plaintiff known defendant would fail to do so, she never would have contracted with defendant, let alone paid the full market price for defendant’s services. (Id. at ¶ 84.) Concerned about the privacy of her information, plaintiff instructed defendant to delete her data and cease all contact with her in or around 2020. (Id. at ¶ 2.)

Given the type of data that defendant collected and stored, it was highly foreseeable that criminals would attempt to access defendant’s servers. (Id. at ¶ 13.) Hackers are drawn to databases containing information with high value on secondary black markets, such as intimate and health-related data. (Id. at ¶ 14.) Indeed, the healthcare industry has faced more data breaches than any other industry, and data breaches are a well-known threat in the field. (Id. at ¶¶ 16–17.)

Despite this risk, defendant failed to adequately train its employees on basic cybersecurity protocols, including: password management and encryption protocols such as multi-factor authentication; locking, encrypting, and limiting access to files containing sensitive information; implementing guidelines for maintaining and communicating sensitive data; implementing protocols on how to request and respond to requests for the transfer of sensitive information; how to securely send sensitive information through a secure file transfer system to only known recipients; and providing cybersecurity training programs. (Id. at ¶ 26.) Instead, defendant continued to use outdated and insecure computer systems that are easily hacked. (Id. at ¶ 28.)

At some time in 2022, cybercriminals accessed defendant’s servers and protected health information regarding defendant’s patients, including the patients’ names, whether the patients had received an ultrasound from defendant, and whether they had “cryopreserved tissue” (e.g., frozen eggs) stored with defendant (collectively, “the PHI”). (Id. at ¶ 21.)
Cybercriminals must view the information they access during a data breach in order to determine its value on the black market, and the cybercriminals actually viewed plaintiff’s PHI. (Id. at ¶ 22.)

Defendant claims to have discovered the data breach on July 24, 2022, though plaintiff was not notified of the breach until September 28, 2022. (Id. at ¶¶ 23–24.) She experienced extreme distress and anxiety upon learning that the information she had requested be deleted two years earlier had instead been accessed by third parties. (Id. at ¶¶ 31, 37.) Even having one’s name associated with a fertility clinic such as defendant would constitute the revelation of the most intimate of health and family planning information. (Id. at ¶ 21.) Moreover, certain fertility treatments are controversial within many religious traditions, and a patient’s reputation within their religious community could be compromised if it were discovered that the patient received treatment from a clinic such as defendant. (Id. at ¶ 36.)

Based on the above allegations, plaintiff asserts the following four claims against defendant in her FAC: (1) negligence; (2) invasion of privacy in violation of the California Constitution; (3) negligent storage of medical information in violation of California’s Confidentiality of Medical Information Act (“CMIA”), California Civil Code §§ 56, et seq.; and (4) unlawful and unfair business practices in violation of California’s Unfair Competition Law (“UCL”), California Business and Professions Code §§ 17200, et seq. (Id. at ¶¶ 51–87.)

On January 3, 2023, defendant filed its pending motion to dismiss plaintiff’s FAC, arguing that plaintiff lacks Article III standing as to each of her claims; that she has failed to sufficiently allege negligence, invasion of privacy, and violation of the CMIA; and that she lacks standing to assert her UCL claim. (Doc. No. 23.)
On January 17, 2023, plaintiff filed her opposition, and defendant filed its reply thereto on January 27, 2023. (Doc. Nos. 24, 26.)

LEGAL STANDARD

A. Motion to Dismiss Under Rule 12(b)(1)

Federal Rule of Civil Procedure 12(b)(1) permits a party to “challenge a federal court’s jurisdiction over the subject matter of the complaint.” Nat’l Photo Grp., LLC v. Allvoices, Inc., No. 13-cv-03627-JSC, 2014 WL 280391, at *1 (N.D. Cal. Jan. 24, 2014). “A Rule 12(b)(1) jurisdictional attack may be facial or factual. In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (internal citation omitted). Here, because defendant argues that the allegations in plaintiff’s FAC, even if assumed to be true, are insufficient to invoke federal jurisdiction over plaintiff’s claims, defendant mounts a facial attack. (See Doc. No. 23 at 10.)

“The district court resolves a facial attack as it would a motion to dismiss under Rule 12(b)(6): Accepting the plaintiff’s allegations as true and drawing all reasonable inferences in the plaintiff’s favor, the court determines whether the allegations are sufficient as a legal matter to invoke the court’s jurisdiction.” Leite v. Crane Co., 749 F.3d 1117, 1121 (9th Cir. 2014). However, the court need not assume the truth of legal conclusions cast in the form of factual allegations. Warren v. Fox Fam. Worldwide, Inc., 328 F.3d 1136, 1139 (9th Cir. 2003).

B. Motion to Dismiss Under Rule 12(b)(6)

The purpose of a motion to dismiss pursuant to Rule 12(b)(6) is to test the legal sufficiency of the complaint. N. Star Int’l v. Ariz. Corp. Comm’n, 720 F.2d 578, 581 (9th Cir. 1983). “Dismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v.
Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1990). A plaintiff is required to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).

In determining whether a complaint states a claim on which relief may be granted, the court accepts as true the allegations in the complaint and construes the allegations in the light most favorable to the plaintiff. Hishon v. King & Spalding, 467 U.S. 69, 73 (1984). However, the court need not assume the truth of legal conclusions cast in the form of factual allegations. U.S. ex rel. Chunie v. Ringrose, 788 F.2d 638, 643 n.2 (9th Cir. 1986). While Rule 8(a) does not require detailed factual allegations, “it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Iqbal, 556 U.S. at 678. A pleading is insufficient if it offers mere “labels and conclusions” or “a formulaic recitation of the elements of a cause of action.” Twombly, 550 U.S. at 555; see also Iqbal, 556 U.S. at 678 (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”). It is inappropriate to assume that the plaintiff “can prove facts that it has not alleged or that the defendants have violated the . . . laws in ways that have not been alleged.” Associated Gen. Contractors of Cal., Inc. v. Cal. State Council of Carpenters, 459 U.S. 519, 526 (1983).

ANALYSIS

A. Standing

To have standing, a plaintiff “must satisfy the threshhold [sic] requirement imposed by Article III of the Constitution by alleging an actual case or controversy.” City of Los Angeles v. Lyons, 461 U.S. 95, 101 (1983).
“In a class action, standing is satisfied if at least one named plaintiff meets the requirements.” Bates v. United Parcel Serv., Inc., 511 F.3d 974, 985 (9th Cir. 2007). “[S]tanding requires that (1) the plaintiff suffered an injury in fact, i.e., one that is sufficiently ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical,’ (2) the injury is ‘fairly traceable’ to the challenged conduct, and (3) the injury is ‘likely’ to be ‘redressed by a favorable decision.’” Id. (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). “[P]laintiffs must demonstrate standing for each claim . . . .” TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021).

In moving to dismiss plaintiff’s complaint, defendant argues that plaintiff has failed to allege a concrete injury and thus lacks standing. (Doc. No. 23 at 11–16.) Defendant argues that a data breach revealing both a patient’s name and the fact that the patient received medical services is not sufficient to establish a concrete harm absent further facts. (Id. at 14.) Moreover, defendant argues that plaintiff has failed to allege a credible risk of harm that could support a concrete injury. (Id. at 14–16.)

In her opposition to the pending motion, plaintiff argues that “an injury to common law rights” is sufficient for Article III standing and that she therefore has standing to assert her negligence claim. (Doc. No. 24 at 11–15.) Separately, plaintiff argues that she has suffered an intangible but concrete privacy injury conferring standing upon her for purposes of all of her claims. (Id. at 15–17.)[1]

“[A]n intangible injury may be concrete if it . . . ‘has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,’ like common law torts or certain constitutional violations.” Phillips v. U.S. Customs & Border Prot., 74 F.4th 986, 991 (9th Cir.
2023) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016)). These “traditionally recognized” harms “include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion, 594 U.S. at 425. Courts “do not require an exact duplicate” of such harms in order to find a concrete injury in fact under Article III. Id. at 433.

The court concludes that “[t]he harm at issue here—the release of highly personal information . . . is the same harm that forms the basis for the tort of intrusion upon seclusion.” Nayab v. Cap. One Bank (USA), N.A., 942 F.3d 480, 491–92 (9th Cir. 2019). Intrusion upon seclusion “consists solely of an intentional[2] interference with [someone’s] interest in solitude or seclusion, either as to [their] person or as to [their] private affairs or concerns, of a kind that would be highly offensive to a reasonable [person].” Id. at 491 (quoting Restatement (Second) of Torts § 652B cmt. a (1977)). The Ninth Circuit’s decision in Nayab is particularly instructive here. In that case, the court held that when “a third party obtains the consumer’s credit report in violation of 15 U.S.C. § 1681b(f)—that is, for a purpose not authorized by statute—the consumer is harmed because he or she is deprived of the right to keep private the sensitive information about his or her person.” Id. at 492. “This harm is highly offensive and is not trivial because a credit report can contain highly personal information.” Id. In this case, an unauthorized third party obtained plaintiff’s medical information, including whether or not she had, for example, frozen her eggs. Plaintiff was thereby harmed because she was deprived of the right to keep private information that is certainly at least as sensitive as a credit report. Cf. Doe v. Beard, 63 F. Supp. 3d 1159, 1170 (C.D. Cal. 2014) (holding that disclosure of medical records can be a more “egregious violation of social norms” than disclosure of other “highly personal information” such as Social Security numbers); In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1143 (C.D. Cal. 2021) (holding that “a data breach involv[ing] medical information . . . is more likely to constitute an ‘egregious breach of the social norms’ that is ‘highly offensive’”) (citing Doe, 63 F. Supp. 3d at 1170).[3]

[1] Because the court concludes that plaintiff’s privacy injury confers standing as to each of her claims, the court need not and therefore does not consider plaintiff’s separate argument that she has standing with respect to her common law negligence claim.

[2] While the tort of intrusion upon seclusion requires intentional interference, “the focus of this inquiry [regarding standing] is on the type of harm, not intent.” Rendon v. Cherry Creek Mortg., LLC, No. 22-cv-01194-DMS-MSB, 2022 WL 17824003, at *4 (C.D. Cal. Dec. 20, 2022) (rejecting the defendant’s “argument that, without intent, Plaintiff’s harm is not similar to intrusion upon seclusion”) (citing TransUnion, 594 U.S. at 424–25).

Defendant argues that plaintiff has failed to allege a privacy injury conferring standing because her allegations that her PHI was actually viewed are conclusory. (Doc. No. 23 at 13–14.) But plaintiff alleges that hackers must view the information they access in order to determine its value on the black market, that it would be pointless to steal the PHI but then refrain from viewing it, and that the cybercriminals did actually view plaintiff’s PHI. (Doc. No. 16 at ¶ 22.) The allegations of plaintiff’s complaint are sufficient in this regard. Cf. In re Ambry, 567 F. Supp.
3d at 1148–49 (concluding in denying a motion to dismiss under Rule 12(b)(6) that plaintiffs’ allegations were sufficient to allege that their information was actually viewed where the plaintiffs alleged that the “hackers who committed the Data Breach obtained Plaintiffs’ and Class Members’ personal medical information, viewed it, and now have it available to them to sell to others [sic] bad actors or otherwise misuse”).

In arguing that plaintiff lacks standing because she failed to allege her PHI was actually viewed, defendant relies on a decision, Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078 (E.D. Cal. 2015), issued before the Supreme Court’s decisions in Spokeo and TransUnion. Consequently, the district court in Fernandez found that the plaintiff lacked standing without considering whether the plaintiff’s alleged injury bore a close relationship to a traditionally recognized harm. In any event, Fernandez is inapposite. In that case, the plaintiff had alleged that physical “data tapes” were being transported by the defendant when a thief stole those physical tapes from the defendant’s vehicle. Fernandez, 127 F. Supp. 3d at 1082. The court credited the defendant’s argument that the plaintiff had alleged “no facts plausibly suggesting that the thief . . . recognized the [data] tapes for what they were, found a tape reader, acquired the proper software, deciphered the encrypted portions of the information, learned to read the information correctly, and then accessed Plaintiff’s personal information.” Id. at 1087; see also id. (“Plaintiff has not shown there is a substantial risk that his PII/PHI will be imminently misused ‘in light of the attenuated chain of inferences necessary to find harm here.’”) (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 415 n.5 (2013)). Here, by contrast, plaintiff has alleged in the complaint that cybercriminals accessed defendant’s digital records and stole the PHI directly; there is no suggestion that the cybercriminals incidentally acquired the PHI in the process of stealing a separately valuable physical item.

[3] Defendant briefly argues that no “sensitive medical information was breached.” (Doc. No. 23 at 9.) Defendant provides no authority suggesting that information regarding whether a person has received an ultrasound or has chosen to freeze their eggs is somehow not “sensitive medical information.” To the contrary, these would seem to be some of the most sensitive categories of information, medical or otherwise.

Because plaintiff’s injury is similar to the harm forming the basis of an intrusion upon seclusion, defendant’s motion to dismiss plaintiff’s complaint for lack of Article III standing will be denied.[4]

[4] Because the injuries underlying each of plaintiff’s claims (i.e., negligence, invasion of privacy, violation of the CMIA, and violation of the UCL) are all similar and are all “the same harm that forms the basis for the tort of intrusion upon seclusion,” plaintiff has standing with respect to each of her claims. Nayab, 942 F.3d at 492.

B. Merits

1. Negligence

The elements of negligence are duty, breach, causation, and injury. Vasilenko v. Grace Fam. Church, 3 Cal. 5th 1077, 1083 (2017).

Defendant moves to dismiss plaintiff’s negligence claim solely on the ground that “the crucial elements of damages is lacking in the FAC as detailed above [in defendant’s argument section regarding standing]. Without concrete damages, Plaintiff not only lacks standing to sue, but she cannot establish a necessary element for negligence.” (Doc. No. 23 at 16.) In her opposition to the pending motion, plaintiff argues that she has alleged a privacy injury supporting recovery in tort because her PHI was exposed in the data breach. (Doc. No. 24 at 18.)

For similar reasons to those noted above, the court concludes that plaintiff has sufficiently alleged a privacy injury arising from the negligent disclosure of her PHI. See, e.g., In re Ambry, 567 F. Supp. 3d at 1142 (denying the defendants’ motion to dismiss the plaintiffs’ negligence claim because the plaintiffs “have alleged a privacy injury stemming from the unauthorized sharing of their private medical information”). Accordingly, defendant’s motion to dismiss plaintiff’s negligence claim will be denied.

2. Invasion of Privacy under the California Constitution

To state a claim for invasion of privacy under the California Constitution, a plaintiff must allege that “(1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is ‘so serious . . .
as to constitute an egregious breach of the social norms’ such that the breach is ‘highly offensive.’” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020) (quoting Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 286 (2009)).

In its pending motion, defendant argues that plaintiff’s invasion of privacy claim must be dismissed because: (1) Plaintiff has failed to allege publicity or widespread dissemination of her PHI; (2) negligence cannot support a claim for invasion of privacy; and (3) plaintiff has “failed to set forth a concrete remedy for damages.”[5] (Doc. No. 23 at 16–18.)

[5] For similar reasons to those discussed above, the court finds defendant’s third argument to be unpersuasive and concludes that plaintiff has sufficiently alleged damages as to her invasion of privacy claim.

First, defendant argues that the common law tort of invasion of privacy requires “publicity in the sense of communication to the public in general or to a large number of persons as distinguished from one individual or a few.” (Doc. No. 23 at 17) (quoting Del Llano v. Vivint Solar Inc., No. 17-cv-01429-AJB-MDD, 2018 WL 656094, at *5 (S.D. Cal. Feb. 1, 2018)). In her opposition brief, plaintiff clarifies that her invasion of privacy claim is asserted under the California Constitution, not the common law.[6] (Doc. No. 24 at 19 n.4.) Because “[t]he constitutional variety . . . does not require a wide dissemination of private information,” the court rejects defendant’s argument to the contrary. Ignat v. Yum! Brands, Inc., 214 Cal. App. 4th 808, 820 (2013).

[6] In her FAC, plaintiff asserts a claim for “Invasion of Privacy” without specifying whether the claim is brought under the California Constitution or the common law. (Doc. No. 16 at 10.) However, immediately under that heading in the FAC, plaintiff lists the elements for such a claim under the California Constitution. (See id. at ¶ 59) (citing In re Facebook, 956 F.3d at 601).

Second, defendant argues that plaintiff has only alleged that defendant was negligent in its handling of plaintiff’s PHI, and that a defendant’s negligence regarding data security does not constitute an “egregious breach of social norms” as required for an invasion of privacy claim. (Doc. No. 23 at 17) (citing, e.g., In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (“Even negligent conduct that leads to theft of highly personal information, including social security numbers, does not . . . constitute a violation of Plaintiffs’ right to privacy”)). In her opposition, plaintiff argues that negligence can qualify as egregious conduct if it leads to the disclosure of medical information. (Doc. No. 24 at 20.)

Defendant is correct that district courts in the Ninth Circuit have held that “[l]osing personal data through insufficient security doesn’t rise to the level of an egregious breach of social norms underlying the protection of sensitive data like social security numbers.” Razuki v. Caliber Home Loans, Inc., No. 17-cv-01718-LAB-WVG, 2018 WL 2761818, at *2 (S.D. Cal. June 8, 2018); see also In re iPhone Application Litig., 844 F. Supp. 2d at 1063 (holding that “[e]ven negligent conduct that leads to theft of highly personal information, including social security numbers,” does not constitute actionable conduct under the California Constitution); Schmitt v. SN Servicing Corp., No. 21-cv-03355-WHO, 2021 WL 3493754, at *7 (N.D. Cal. Aug. 9, 2021) (“Plaintiffs contend that the criminal nature of the data breach and the information that was exposed or stolen in the data breach demonstrates that [the defendant] committed a serious violation of their privacy rights. Courts faced with similar data breach scenarios have found such allegations insufficient.”). However, it has been recognized that district courts have also “refused to dismiss invasion of privacy claims at the motion to dismiss stage where, as here, a data breach involved medical information, because the disclosure of such information is more likely to constitute an ‘egregious breach of the social norms’ that is ‘highly offensive.’” In re Ambry, 567 F. Supp. 3d at 1143; see also Doe, 63 F. Supp. 3d at 1170 (denying the defendant’s motion to dismiss the plaintiff’s invasion of privacy claim because “even negligent disclosure of HIV-positive status can be an egregious violation of social norms”); Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 926 (S.D. Cal. 2020) (denying the defendant’s motion to dismiss the plaintiffs’ invasion of privacy claim because the plaintiffs alleged that the defendant negligently disclosed their medical information); cf. Guy v. Convergent Outsourcing Inc., No. 22-cv-01558-MJP, 2023 WL 4637318, at *11 (W.D. Wash. July 20, 2023) (granting the defendant’s motion to dismiss the plaintiffs’ invasion of privacy claim because “[w]hile the PII contains sensitive information including financial information and Social Security numbers, it does not include medical information”). Because the data breach which is the subject of this action concerns disclosure of plaintiff’s sensitive medical information, such as whether she had received an ultrasound or chosen to freeze her eggs, the court concludes plaintiff has sufficiently alleged that defendant’s negligent data security practices constitute an egregious breach of social norms.

Accordingly, defendant’s motion to dismiss plaintiff’s invasion of privacy claim will be denied.

3. CMIA

Plaintiff asserts her CMIA claim under California Civil Code § 56.101(a), which states, in pertinent part, that any health care provider “who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under” subsections (b) and (c) of California Civil Code § 56.36.

Defendant again argues that plaintiff has failed to allege that anyone “actually viewed” her PHI, as is required for a claim under § 56.101(a). (Doc. No. 23 at 18) (quoting Sutter Health v. Superior Ct., 227 Cal. App. 4th 1546, 1550 (2014) (“We conclude that the plaintiffs have failed to state a cause of action under the [CMIA] because they do not allege that the stolen medical information was actually viewed by an unauthorized person.”)). In her opposition, plaintiff argues that the decision in Sutter Health, as well as the other decision cited by defendant, Regents of University of California v. Superior Court, 220 Cal. App. 4th 549 (2013), are both distinguishable from the present case. (Doc. No. 24 at 22.)

The court agrees with plaintiff.
In Sutter Health, the state appellate court stated, “the main pleading problem for the plaintiffs in this case and in Regents is the same: there is no allegation that the medical information was viewed by an unauthorized person.” 227 Cal. App. 4th at 1555. By contrast, here, plaintiff expressly alleges that her PHI was viewed. (Doc. No. 16 at ¶ 22.) Furthermore, unlike Regents and Sutter Health, which both involved the theft of a physical item containing PHI, here, plaintiff alleges that cybercriminals accessed the digital files directly. See Regents, 220 Cal. App. 4th at 554 (explaining that “an encrypted external hard drive containing some of [certain patients’] personally identifiable medical information had been stolen as part of a home invasion robbery”); Sutter Health, 227 Cal. App. 4th at 1550 (“In this case, a thief stole a health care provider’s computer containing the medical records of about four million patients.”) As previously noted, plaintiff alleges in the complaint that the hackers must view the information they access in order to determine its value on the black market, that it would be pointless to steal the PHI but then refrain from viewing it, and that the cybercriminals did actually view plaintiff’s PHI. Therefore, for the same reasons as discussed above in the standing analysis, the court concludes that plaintiff has adequately alleged that her PHI was actually viewed.

Accordingly, defendant’s motion to dismiss plaintiff’s CMIA claim will be denied.[7]

[7] Defendant also argues once again in a single sentence that “[p]laintiff has failed to allege any concrete damages based on any alleged violation of the CMIA.” (Doc. No. 23 at 19.) However, the CMIA “provides for nominal damages without having to show the plaintiff ‘suffered or was threatened with actual damages.’” Stasi, 501 F. Supp. 3d at 908 (quoting Cal. Civ. Code § 56.36(b)(1)).

4. UCL Claim

“To have standing to assert a [UCL] claim, the plaintiff must ‘(1) establish a loss or deprivation of money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that that economic injury was the result of, i.e., caused by, the unfair business practice or false advertising that is the gravamen of the claim.’” In re Turner, 859 F.3d 1145, 1151 (9th Cir. 2017) (quoting Kwikset Corp. v. Superior Ct., 51 Cal. 4th 310, 322 (2011)).

Plaintiff argues that she has suffered a loss or deprivation of money or property conferring standing as to her UCL claim because she did not receive the benefit of her bargain with defendant, since she would not have paid as much as she did for her medical services had she known that defendant would be so allegedly careless with her PHI. (Doc. No. 24 at 22–23.) Defendant argues that “such a monetary loss is adequately-pleaded [sic] where a contract explicitly promises data security in exchange for payment,” and that plaintiff has not alleged any such explicit promise of data security. (Doc. No. 23 at 20) (citing Moore v. Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 520 (2022)). In fact, defendant argues in its reply brief that plaintiff has not alleged the existence of any contract between herself and defendant. (Doc. No. 26 at 6.)

The court concludes that plaintiff has standing to assert her UCL claim. Defendant cites no authority suggesting that a contract must expressly promise data security in exchange for payment in order for a plaintiff to have standing in a data breach UCL action. Nor has the court found any. To the contrary, the court’s decision in Moore, cited by defendant, suggests the opposite:

We also disagree with [the defendant’s] contention that appellants’ benefit-of-the-bargain theory fails because data security was at most ‘incidental’ to appellants’ bargain for medical services. To the contrary, appellants alleged that data security was sufficiently material to them that had they known the truth of the matter, they would not have entered into contracts for medical services with [the defendant], or would not have accepted [the defendant’s] pricing terms. Such materiality is to be expected in light of the sensitive and confidential nature of the information appellants entrusted to [the defendant], including medical diagnoses and services performed . . . . Few prospective patients would entrust such information—and pay full market prices—to a medical provider known to be careless with it.

Moore, 83 Cal. App. 5th at 528–29. Similarly, here, plaintiff alleges that data security regarding her medical information was sufficiently important to her that, had she known defendant would use such poor security practices, she would not have paid for fertility treatment from defendant. (Doc. No. 16 at 13.) Plaintiff has thereby alleged that she was denied the benefit of her bargain. See also In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 466, 492 (D. Md. 2020) (holding that the plaintiffs had standing for their California UCL claim because “it is enough to allege that there was an explicit or implicit contract for data security, that plaintiffs placed value on that data security, and that Defendants failed to meet their representations about data security”) (citing In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113 (N.D. Cal. 2018); In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal. 2016)); cf. In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 988 (S.D. Cal.
2014) (“As a result, because Plaintiffs have alleged that Sony omitted material information regarding the security of Sony Online Services, and that this information should have been disclosed to consumers at the time consumers purchased their Consoles, the Court finds Plaintiffs have sufficiently alleged a loss of money or property ‘as a result’ of Sony’s alleged unfair business practices.”).

Accordingly, defendant’s motion to dismiss plaintiff's UCL claim will also be denied.

CONCLUSION

For the reasons explained above,

1. Defendant Northern California Fertility Medical Center’s motion to dismiss (Doc. No. 23) is denied; and

2. Defendant Northern California Fertility Medical Center shall file an answer responding to the claims asserted in plaintiff's first amended complaint no later than twenty-one (21) days after the date of entry of this order.

IT IS SO ORDERED.

Dated: January 22, 2024

DALE A. DROZD
UNITED STATES DISTRICT JUDGE