1 U.S. FDILISETDR IINC TT HCEO URT 2 EASTERN DISTRICT OF WASHINGTON Jan 23, 2024 3 SEAN F. MCAVOY, CLERK 4 5 UNITED STATES DISTRICT COURT 6 EASTERN DISTRICT OF WASHINGTON 7 8 NO. 2:23-CV-00179-SAB 9 In re 10 Whitworth University Data Breach ORDER DENYING 11 DEFENDANT’S MOTION TO 12 DISMISS 13 14 Before the Court is Defendant’s Motion to Dismiss. ECF No. 16. The 15 motion was heard without oral argument. Plaintiff Patrick Loyola is represented by 16 Kevin Laukaitis, Brian Bleichner, and Samuel Strauss. Plaintiff Rachel Wilson is 17 represented by Jason Dennett, Kaleigh Boyd and Kim Stephens. Plaintiff Danielle 18 Wyman is represented by Samuel Strauss. Defendant is represented by David Liu 19 and David Spellman. 20 On September 20, 2023, Plaintiffs collectively filed an Amended 21 Consolidated Complaint against Defendant Whitworth University. ECF No. 15. 22 Plaintiffs assert that Defendant failed to properly secure and safeguard their and 23 class members protected health information (PHI) and personally identifiable 24 information (PII) stored on Defendant’s information network. 25 Plaintiffs are bringing five claims on behalf of themselves and the class: 1) 26 negligence; 2) breach of implied contract; 3) breach of the implied covenant of 27 good faith and fair dealing; 4) unjust enrichment; and 5) violation of the 28 Washington Consumer Protection Act. Defendant now moves to dismiss Counts 1 Two (breach of implied contract); Three (breach of good faith and fair dealing); 2 and Four (unjust enrichment) for failure to state a claim upon which relief may be 3 granted. For the reasons stated below, the Court denies the motion. 4 Motion Standard 5 To survive a motion to dismiss under Rule 12(b)(6), a complaint must allege 6 “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corps. 7 v. Twombly, 550 U.S. 544, 570 (2007). A claim is plausible on its face when “the 8 plaintiff pleads factual content that allows the court to draw the reasonable 9 inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 10 556 U.S. 662, 678 (2009). The Ninth Circuit explain:
11 To be entitled to the presumption of the truth, allegations in a 12 complaint or counterclaim may not simply recite the elements of a cause of action but must contain sufficient allegations of underlying 13 facts to give fair notice and to enable the opposing party to defend 14 itself effectively. The factual allegations that are taken as true must plausibly suggest an entitlement to relief, such that it is not unfair to 15 require the opposing party to be subject to the expense of discovery 16 and continued litigation. 17 Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). 18 When evaluating a Rule 12(b)(6) motion, the court must draw all reasonable 19 inferences in favor of the non-moving party. Navarro v. Block, 250 F.3d 729, 732 20 (2001). However, the court is not required to accept conclusory allegations as true 21 or to accept any unreasonable inferences in a complaint. In re Gilead Scis. Sec. 22 Litig., 536 F.3d 1049, 1054 (9th Cir. 2008). 23 Plaintiff’s Complaint 24 In July 2022, cybercriminals gained access to Defendant’s network and 25 obtained Plaintiffs’ PHI/PII. Plaintiffs assert they provided Defendant with this 26 information as required to apply for enrollment at Whitworth University. Almost a 27 year later, Defendant sent a letter to Plaintiffs stating that their PHI/PII was 28 involved in a Data Breach. 1 Plaintiffs allege they spent time dealing with the consequences of the Data 2 Breach, which included time spent verifying the legitimacy and impact of the Data 3 Breach, time spent exploring credit monitoring and identity theft insurance options, 4 time spent self-monitoring accounts with heightened scrutiny and time spent 5 seeking legal counsel regarding their options for remedying and/or mitigating the 6 effects of the Data Breach. They assert they have increased anxiety about their loss 7 of privacy and anxiety over the impact of cybercriminals accessing, using, and 8 selling their PHI/PII. 9 Specifically, in July 2023, Plaintiff Wyman experienced fraud and identity 10 theft. Someone, not Plaintiff, called her bank to ask for an increase to her line of 11 credit. Her credit history also showed a fraudulent pending mortgage loan in 12 Florida, a loan for a 2018 Toyota Camry and attempts to open at least 7 bank 13 accounts and at least 7 credit cards. Several credit cards/loans were opened or 14 requested in Plaintiff’s name. As a result, her credit score dropped, and she spent at 15 least 15 hours dealing with the fraudulent activity. 16 Analysis 17 A. Breach of Implied Contract 18 1. Plaintiffs’ Allegations 19 In their Consolidated Complaint, Plaintiffs allege that through its course of 20 conduct, Defendant, Plaintiffs and Class Members entered into implied contracts 21 for Defendant to implement data security adequate to safeguard and protect the 22 privacy of Plaintiffs’ and Class Members’ PHI/PII. In doing so, Defendant required 23 Plaintiffs and Class Members to provide and entrust their PHI/PII to obtain 24 Defendant’s services. Plaintiffs and Class Members accepted Defendant’s offers 25 and provided their PHI/PII to Defendant. A meeting of the minds occurred when 26 Plaintiffs and Class Members agreed to and did provide their PHI/PII to Defendant 27 in exchange for, amongst other things, the protection of their PHI/PII. 28 // 1 2. Analysis 2 Under Washington law, there are three essential elements to establish a 3 breach of contract: 1) the parties entered into an enforceable contract; 2) Defendant 4 breached the contract as claimed by Plaintiffs; and 3) Plaintiffs were damaged 5 because of Defendant’s breach. Nw. Indep. Forest Mfrs v. Dep’t of Labor & Indus., 6 78 Wash.App. 707, 712 (1995). 7 Plaintiffs have alleged sufficient facts to plead a cause of action for breach 8 of implied contract. Plaintiffs alleged the parties had an implicit agreement that 9 Defendant would safeguard Plaintiffs PHI/PII data, Defendant breached the 10 agreement, and Plaintiffs were damaged. 11 B. Breach of Implied Covenant of Good Faith and Fair Dealing 12 1. Plaintiffs’ Allegations 13 Plaintiffs allege that Defendant breached the implied covenant of good faith 14 and fair dealing by failing to maintain adequate computer systems and data 15 security practices to safeguard PHI/PII, failing to timely and accurately disclose 16 the Data Breach to Plaintiffs and Class Members, and continued acceptance of 17 PHI/PII and storage of other personal information after Defendant knew, or should 18 have known, of the security vulnerabilities of the systems that were exploited in 19 the Data Breach. 20 Plaintiffs allege Defendant acted in bad faith and/or with malicious motive 21 in denying Plaintiffs and Class Members the full benefit of their bargains as 22 originally intended by the parties, thereby causing them injury in an amount to be 23 determined at trial. 24 2. Analysis 25 Washington law requires parties to perform in good faith the obligations 26 imposed by their agreement. Rekhter v. State, Dep’t of Soc. And Health Servs,, 180 27 Wash.2d 102, 112 (2004). The duty arises only in connection with the terms agreed 28 to by the parties, including those terms where one party has discretionary authority 1 to determine a future contract term. Id. at 113. 2 Plaintiffs have sufficiently plead a cause of action for breach of the implied 3 duty of good faith. 4 C. Unjust Enrichment 5 1. Plaintiffs’ Allegations 6 In their Consolidated Complaint, Plaintiffs allege the following: 7 Defendant benefited by unduly taking advantage of Plaintiffs and Class 8 members.
Free access — add to your briefcase to read the full text and ask questions with AI
1 U.S. FDILISETDR IINC TT HCEO URT 2 EASTERN DISTRICT OF WASHINGTON Jan 23, 2024 3 SEAN F. MCAVOY, CLERK 4 5 UNITED STATES DISTRICT COURT 6 EASTERN DISTRICT OF WASHINGTON 7 8 NO. 2:23-CV-00179-SAB 9 In re 10 Whitworth University Data Breach ORDER DENYING 11 DEFENDANT’S MOTION TO 12 DISMISS 13 14 Before the Court is Defendant’s Motion to Dismiss. ECF No. 16. The 15 motion was heard without oral argument. Plaintiff Patrick Loyola is represented by 16 Kevin Laukaitis, Brian Bleichner, and Samuel Strauss. Plaintiff Rachel Wilson is 17 represented by Jason Dennett, Kaleigh Boyd and Kim Stephens. Plaintiff Danielle 18 Wyman is represented by Samuel Strauss. Defendant is represented by David Liu 19 and David Spellman. 20 On September 20, 2023, Plaintiffs collectively filed an Amended 21 Consolidated Complaint against Defendant Whitworth University. ECF No. 15. 22 Plaintiffs assert that Defendant failed to properly secure and safeguard their and 23 class members protected health information (PHI) and personally identifiable 24 information (PII) stored on Defendant’s information network. 25 Plaintiffs are bringing five claims on behalf of themselves and the class: 1) 26 negligence; 2) breach of implied contract; 3) breach of the implied covenant of 27 good faith and fair dealing; 4) unjust enrichment; and 5) violation of the 28 Washington Consumer Protection Act. Defendant now moves to dismiss Counts 1 Two (breach of implied contract); Three (breach of good faith and fair dealing); 2 and Four (unjust enrichment) for failure to state a claim upon which relief may be 3 granted. For the reasons stated below, the Court denies the motion. 4 Motion Standard 5 To survive a motion to dismiss under Rule 12(b)(6), a complaint must allege 6 “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corps. 7 v. Twombly, 550 U.S. 544, 570 (2007). A claim is plausible on its face when “the 8 plaintiff pleads factual content that allows the court to draw the reasonable 9 inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 10 556 U.S. 662, 678 (2009). The Ninth Circuit explain:
11 To be entitled to the presumption of the truth, allegations in a 12 complaint or counterclaim may not simply recite the elements of a cause of action but must contain sufficient allegations of underlying 13 facts to give fair notice and to enable the opposing party to defend 14 itself effectively. The factual allegations that are taken as true must plausibly suggest an entitlement to relief, such that it is not unfair to 15 require the opposing party to be subject to the expense of discovery 16 and continued litigation. 17 Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). 18 When evaluating a Rule 12(b)(6) motion, the court must draw all reasonable 19 inferences in favor of the non-moving party. Navarro v. Block, 250 F.3d 729, 732 20 (2001). However, the court is not required to accept conclusory allegations as true 21 or to accept any unreasonable inferences in a complaint. In re Gilead Scis. Sec. 22 Litig., 536 F.3d 1049, 1054 (9th Cir. 2008). 23 Plaintiff’s Complaint 24 In July 2022, cybercriminals gained access to Defendant’s network and 25 obtained Plaintiffs’ PHI/PII. Plaintiffs assert they provided Defendant with this 26 information as required to apply for enrollment at Whitworth University. Almost a 27 year later, Defendant sent a letter to Plaintiffs stating that their PHI/PII was 28 involved in a Data Breach. 1 Plaintiffs allege they spent time dealing with the consequences of the Data 2 Breach, which included time spent verifying the legitimacy and impact of the Data 3 Breach, time spent exploring credit monitoring and identity theft insurance options, 4 time spent self-monitoring accounts with heightened scrutiny and time spent 5 seeking legal counsel regarding their options for remedying and/or mitigating the 6 effects of the Data Breach. They assert they have increased anxiety about their loss 7 of privacy and anxiety over the impact of cybercriminals accessing, using, and 8 selling their PHI/PII. 9 Specifically, in July 2023, Plaintiff Wyman experienced fraud and identity 10 theft. Someone, not Plaintiff, called her bank to ask for an increase to her line of 11 credit. Her credit history also showed a fraudulent pending mortgage loan in 12 Florida, a loan for a 2018 Toyota Camry and attempts to open at least 7 bank 13 accounts and at least 7 credit cards. Several credit cards/loans were opened or 14 requested in Plaintiff’s name. As a result, her credit score dropped, and she spent at 15 least 15 hours dealing with the fraudulent activity. 16 Analysis 17 A. Breach of Implied Contract 18 1. Plaintiffs’ Allegations 19 In their Consolidated Complaint, Plaintiffs allege that through its course of 20 conduct, Defendant, Plaintiffs and Class Members entered into implied contracts 21 for Defendant to implement data security adequate to safeguard and protect the 22 privacy of Plaintiffs’ and Class Members’ PHI/PII. In doing so, Defendant required 23 Plaintiffs and Class Members to provide and entrust their PHI/PII to obtain 24 Defendant’s services. Plaintiffs and Class Members accepted Defendant’s offers 25 and provided their PHI/PII to Defendant. A meeting of the minds occurred when 26 Plaintiffs and Class Members agreed to and did provide their PHI/PII to Defendant 27 in exchange for, amongst other things, the protection of their PHI/PII. 28 // 1 2. Analysis 2 Under Washington law, there are three essential elements to establish a 3 breach of contract: 1) the parties entered into an enforceable contract; 2) Defendant 4 breached the contract as claimed by Plaintiffs; and 3) Plaintiffs were damaged 5 because of Defendant’s breach. Nw. Indep. Forest Mfrs v. Dep’t of Labor & Indus., 6 78 Wash.App. 707, 712 (1995). 7 Plaintiffs have alleged sufficient facts to plead a cause of action for breach 8 of implied contract. Plaintiffs alleged the parties had an implicit agreement that 9 Defendant would safeguard Plaintiffs PHI/PII data, Defendant breached the 10 agreement, and Plaintiffs were damaged. 11 B. Breach of Implied Covenant of Good Faith and Fair Dealing 12 1. Plaintiffs’ Allegations 13 Plaintiffs allege that Defendant breached the implied covenant of good faith 14 and fair dealing by failing to maintain adequate computer systems and data 15 security practices to safeguard PHI/PII, failing to timely and accurately disclose 16 the Data Breach to Plaintiffs and Class Members, and continued acceptance of 17 PHI/PII and storage of other personal information after Defendant knew, or should 18 have known, of the security vulnerabilities of the systems that were exploited in 19 the Data Breach. 20 Plaintiffs allege Defendant acted in bad faith and/or with malicious motive 21 in denying Plaintiffs and Class Members the full benefit of their bargains as 22 originally intended by the parties, thereby causing them injury in an amount to be 23 determined at trial. 24 2. Analysis 25 Washington law requires parties to perform in good faith the obligations 26 imposed by their agreement. Rekhter v. State, Dep’t of Soc. And Health Servs,, 180 27 Wash.2d 102, 112 (2004). The duty arises only in connection with the terms agreed 28 to by the parties, including those terms where one party has discretionary authority 1 to determine a future contract term. Id. at 113. 2 Plaintiffs have sufficiently plead a cause of action for breach of the implied 3 duty of good faith. 4 C. Unjust Enrichment 5 1. Plaintiffs’ Allegations 6 In their Consolidated Complaint, Plaintiffs allege the following: 7 Defendant benefited by unduly taking advantage of Plaintiffs and Class 8 members. Specifically, Defendant, before and at the time Plaintiffs and Class 9 Members entrusted their PHI/PII to Defendant to enroll in or apply to one of 10 Defendant’s programs, caused Plaintiffs and Class Members to reasonably believe 11 that Defendant would keep such PHI/PII secure. 12 Defendant was aware, or should have been aware, that reasonable students 13 would have wanted their PHI/PII kept secure and would not have contracted with 14 Defendant, directly or indirectly, had they known that Defendant’s information 15 systems were sub-standard for that purpose. Defendant was also aware that if the 16 substandard condition of and vulnerabilities in its information systems were 17 disclosed, it would negatively affect Plaintiffs’ and Class Members’ decisions to 18 seek services therefrom. 19 Defendant failed to disclose facts about its substandard information systems, 20 defects, and vulnerabilities before Plaintiffs and Class Members decided to 21 purchase, engage in commerce, and seek services or information. Instead, 22 Defendant suppressed and concealed such information. By concealing and 23 suppressing that information, Defendant denied Plaintiffs and Class Members the 24 ability to make a rational and informed purchasing and health care decision and 25 took undue advantage of Plaintiffs and Class Members. 26 Defendant was unjustly enriched at the expense of Plaintiffs and Class 27 Members, as Defendant received profits, benefits, and compensation, in part, at the 28 expense of Plaintiffs and Class Members; however, Plaintiffs and Class Members 1|| did not receive the benefit of their bargain because they paid for products that did not satisfy the purposes for which they bought/sought them. Since Defendant’s 3|| profits, benefits, and other compensation were obtained improperly, Defendant is not legally or equitably entitled to retain any of the benefits, compensation, or 5|| profits realized from these transactions. 2. Analysis Under Washington law, “[u]njust enrichment is a method of recover for the value of the benefit retained absent any contractual relationship because notions of fairness and justice require it,” Young v. Young, 164 Wash.2d 477, 484 (2008). 10 A party claiming unjust enrichment must prove three elements: (1) the defendant received a benefit; (2) the received benefit was at the plaintiff's expense; and (3) the circumstances made it unjust for the defendant to retain the benefit without payment. Jd. 14 Plaintiffs have sufficiently plead a cause of action for unjust enrichment. 15 Accordingly, IT IS HEREBY ORDERED: 16 1. Defendant’s Motion to Dismiss, ECF No. 16, is DENIED. 17 IT IS SO ORDERED. The District Court Executive is hereby directed to 18|| file this Order and provide copies to counsel. 19 DATED this 23rd day of January 2024. 20 21 22 Sucker Ecc Yoar byt Sec 25 Stanley A. Bastian 26 Chief United States District Judge 27 28 ORDER DENYING DEFENDANT?’S MOTION TO DISMISS ~ 6