Jackson v. Health Center Partners of Southern California

• Court: District Court, S.D. California
• Decided: August 7, 2024
• Docket: 3:24-cv-00106
• Status: Unknown

Opinion

1 2 3 4 5 6 7 UNITED STATES DISTRICT COURT 8 SOUTHERN DISTRICT OF CALIFORNIA 9 10 JAMES JACKSON, Case No.: 24-cv-00106-BEN (DDL)

11 Plaintiff, ORDER DENYING MOTION TO 12 v. DISMISS FOR LACK OF JURISDICTION AND MOTION TO 13 HEALTH CENTER PARTNERS OF DISMISS FOR FAILURE TO STATE SOUTHERN CALIFORNIA, et al, 14 A CLAIM Defendants. 15 [Dkt. 2, 8] 16 17 Now before the Court is the Motion to Dismiss for Lack of Jurisdiction brought by 18 Defendant Netgain Technology, LLC (“Netgain”), and the Motion to Dismiss for Failure 19 to State a Claim brought by Defendant Council of Community Clinics (“CCC”) doing 20 business as Health Centers Partners of Southern California.1 (Dkt. #8). The motions are 21 denied. 22 I. BACKGROUND 23 Plaintiff brings this putative class action alleging state law violations of 24 California’s Confidentiality of Medical Information Act and California’s Customer 25 Records Act relating to a data breach involving Plaintiff’s and potential class members’ 26

27 1 See Defendant’s Request for Judicial Notice (“RJN”) (fictitious business name 28 1 medical and personal information. The operative complaint is the Second Amended 2 Complaint (“SAC”) which was filed on August 22, 2023 in the Superior Court of the 3 State of California for the County of San Diego, Case No. 37-2021-00038892-CU-BT- 4 CTL, prior to the case being removed to this Court. See Dkt. 1-4 (Jan. 16, 2024). 5 A. Statement of Facts2 6 In the Second Amended Complaint filed before the Superior Court, Plaintiff 7 alleges that he is a San Diego County, California resident and a patient of a San Diego 8 County, California based healthcare clinic. As a patient, Plaintiff provided his personal 9 information, including his name, address, date of birth, social security number, phone 10 number and email address to a health care entity named Council of Community Clinics 11 and doing business as Health Centers Partners of Southern California. Plaintiff alleges 12 that CCC maintains an online computer program to allow patients to securely access and 13 review their health information, as well as to update their personal information. Plaintiff 14 alleges that CCC contracted with Netgain to store and protect the private medical 15 information of his own and other CCC patients. 16 Plaintiff alleges that between October 22, 2020 and December 3, 2020, CCC and 17 Netgain were negligent and failed to properly maintain, preserve, and store the 18 confidential, medical, and personal identifying information of Plaintiff by allowing an 19 unauthorized unknown person to gain access and actually view his information. Plaintiff 20 maintains that he has the right to expect that the confidentiality of his medical 21 information in possession of CCC and Netgain be reasonably preserved and protected 22 from unauthorized viewing, exfiltration, theft, and/or disclosures. Plaintiff alleges CCC’s 23 and Netgain’s negligence in caring for the medical information constitutes a violation of 24 three state statutes. 25

26 2 The majority of the facts are taken from the Second Amended Complaint and for 27 purposes of ruling on the instant motion to dismiss, the Court assumes the truth of the allegations pled and liberally construes allegations in favor of the non-moving party. 28 1 As set out in the SAC, Netgain was an IT provider for CCC. Netgain notified CCC 2 that there had been a data breach and that plaintiff’s information may have been exposed 3 to unauthorized access by a criminal hacker. Netgain’s notice to CCC, and CCC’s notice 4 to Plaintiff, said that an attacker had launched a ransomware attack around October to 5 December 2020, and that Netgain had paid the ransom. Defendants maintain that 6 Plaintiff’s medical information was never disclosed to, or actually viewed by, the 7 criminal hackers because the ransom amount was paid in exchange for non-exposure of 8 the medical data. Plaintiff alleges, nevertheless, that during the time period of the attack, 9 his medical information was accessible by the data attackers. 10 B. State Law Causes of Action 11 Plaintiff’s Second Amended Complaint alleges three California state law causes of 12 action (“COA”) against CCC for violations of: (1) the Confidentiality of Medical 13 Information Act, California Civil Code §§ 56, et seq. (“CMIA”); (2) the Customer 14 Records Act, California Civil Code § 1798.82 (“CRA”); and (3) the California Unfair 15 Competition Laws, California Business and Professions Code §§ 17200, et seq. (“UCL”). 16 II. LEGAL STANDARD & DISCUSSION 17 Under Federal Rule of Civil Procedure 12(b)(2) a complaint against a defendant 18 may be dismissed for lack of personal jurisdiction. When a party seeks dismissal under 19 Rule 12(b)(2) for lack of personal jurisdiction, the plaintiff bears the burden of 20 demonstrating that the exercise of personal jurisdiction is proper. Menken v. Emm, 503 21 F.3d 1050, 1056 (9th Cir. 2007). When a motion to dismiss for lack of personal 22 jurisdiction is based on the briefs rather than an evidentiary hearing, “the plaintiff need 23 only make a prima facie showing of jurisdictional facts.” Sher v. Johnson, 911 F.2d 24 1357, 1361 (9th Cir. 1990). While “uncontroverted allegations in the complaint must be 25 taken as true,” the plaintiff cannot “simply rest on the bare allegations of its complaint.” 26 Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 800 (9th Cir. 2004) (quoting 27 Amba Mktg. Sys., Inc. v. Jobar Int'l, Inc., 551 F.2d 784, 787 (9th Cir. 1977)). The court 28 “may not assume the truth of allegations in a pleading which are contradicted by 1 affidavit, but factual conflicts between dueling affidavits must be resolved in the 2 plaintiff's favor.” Ayla, LLC v. Alya Skin Pty. Ltd., 11 F.4th 972, 978 (9th Cir. 2021) 3 (internal quotation marks and citations omitted). “[B]are bones assertions of minimum 4 contacts with the forum or legal conclusions unsupported by specific factual allegations 5 will not satisfy a plaintiff's pleading burden.” Swartz v. KPMG LLP, 476 F.3d 756, 766 6 (9th Cir. 2007) (internal quotation marks omitted). Nor will “random,” “fortuitous,” or 7 “attenuated” contacts establish specific personal jurisdiction. Burger King Corp. v. 8 Rudzewicz, 471 U.S. 462, 475 (1985). 9 Under Federal Rule of Civil Procedure 12(b)(6), a complaint may be dismissed 10 when a plaintiff’s allegations fail to set forth a plausible set of facts which would entitle 11 the complainant to relief. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007); Ashcroft 12 v. Iqbal, 556 U.S. 662, 679 (2009) (holding that a claim must be facially plausible to 13 survive a motion to dismiss). To state a plausible claim for relief, the pleadings must 14 raise the right to relief beyond the speculative level; a plaintiff must provide “more than 15 labels and conclusions, and a formulaic recitation of the elements of a cause of action will 16 not do.” Twombly, 550 U.S. at 555 (citation omitted). At the same time Rule 8(a)(2) 17 requires no more than “a short and plain statement of the claim showing that the pleader 18 is entitled to relief.” Moreover, Rule 8(d)(1) specifies that in general, “[e]ach allegation 19 must be simple, concise, and direct.” 20 III. NETGAIN’S MOTION TO DISMISS FOR LACK OF JURISDICTION 21 Netgain moves to dismiss arguing the Court lacks general and specific personal 22 jurisdiction over Netgain. Netgain argues that it is not at home in California. Rather, it is 23 a Delaware limited liability company, headquartered in Minnesota, a claim Plaintiff does 24 not contest. Additionally, Netgain argues that it has not engaged in the type of 25 continuous and systematic activity in California necessary to establish general 26 jurisdiction, which Plaintiff does contest. Alternatively, Netgain argues that it did not 27 purposefully direct any intentional activity at California and Plaintiff’s claims do not 28 arise out of any contacts between Netgain and Plaintiff in California, which Plaintiff also 1 contests. 2 As part of its opposition, Plaintiff requests judicial notice be taken of several 3 internet website page screenshots. Dkt. 19-1. These screenshots come from Netgain’s 4 own website and to the extent they acknowledge that Netgain maintains an office in San 5 Diego County and describes its clients to include healthcare provider Health Center 6 Partners of Southern California (CCC’s d/b/a name) (generally Exhibits 1-22, 23-24), 7 Plaintiff’s request for judicial notice is granted. 8 Netgain has been sued before in this Court for claims arising out of the data 9 breach. Each time this Court has decided to not exercise jurisdiction over Netgain. See 10 Lee v. Netgain Technology, LLC, Case No 21cv1144-LL (MSB) (S.D. Cal. April 1, 11 2022); Clark v. Netgain Technology, LLC, Case No. 21cv1432-LL (MSB). However, in 12 those cases, the plaintiffs were citizens and residents of South Carolina and patients of 13 healthcare clinics operating in South Carolina. The plaintiffs articulated various state 14 common law claims and South Carolina statutory claims for relief. Why the plaintiffs in 15 Lee and Clark selected the Southern District of California for their lawsuits, is not 16 evident. 17 In going through the legal analysis for testing specific jurisdiction such as 18 purposeful direction and availment, Lee concluded that “[b]y operating an office in San 19 Diego, Netgain has purposefully availed itself of the privilege of doing business in 20 California.” Lee, Order at 9. The problem in Lee (and Clark which relied on Lee) was, 21 inter alia, that there was no evidence that data breach notices were sent to a person in 22 California, that California residents were uniquely harmed, or that Netgain had reason to 23 believe that the South Carolina healthcare providers patients were in California. Id. at 7- 24 11. 25 In the present case, Plaintiff actually provides the Netgain data breach notice he 26 did receive in California. Moreover, California residents were uniquely harmed because 27 their breached health care records were created as a result of receiving healthcare in 28 California, and finally Netgain obviously knew that it provided its data security work to 1 at least one California healthcare provider, i.e., CCC. On every significant metric, the 2 alleged facts that were lacking for the exercise of specific jurisdiction over Netgain in Lee 3 and Clark, are present in this case. 4 Here the Court has specific jurisdiction over Netgain. “Specific jurisdiction, as its 5 name suggests, allows a state court to adjudicate specific claims against a defendant.” 6 Mallory v. Norfolk S. Ry. Co., 600 U.S. 122, 164–65 (2023). “When a defendant 7 ‘purposefully avails itself of the privilege of conducting activities within the forum State, 8 that State’s courts may adjudicate claims that arise out of or relate to the defendant’s 9 contacts’ with the forum.” Id. (citations omitted) (cleaned up). Netgain has purposely 10 availed and directed efforts at CCC and its California resident patients in this district. 11 Netgain’s contacts with this district cannot be characterized as “random, isolated, or 12 fortuitous.” E.g., Keeton v. Hustler Mag., Inc., 465 U.S. 770, 774 (1984). 13 Plaintiff’s claims for violating California laws protecting personal medical 14 information and computer data “arise out of” its IT data security services provided to 15 CCC for protecting CCC’s patients records. Bristol-Myers Squibb Co. v. Superior Ct., 16 137 S. Ct. 1773, 1780 (2017); Learjet, Inc. v. Oneok, Inc., 715 F.3d 716, 742 (9th Cir. 17 2013) (“[A] lawsuit arises out of a defendant's contacts with the forum state if a direct 18 nexus exists between those contacts and the cause of action.” (quoting Fireman's Fund 19 Ins. Co. v. Nat'l Bank of Coops., 103 F.3d 888, 894 (9th Cir. 1996))). Here, the 20 “relationship among the defendant, the forum, and the litigation—is close enough to 21 support specific jurisdiction.” Ford Motor Co. v. Montana Eighth Jud Dist. Ct., 592 22 U.S. 351, 371 (2021). 23 Exercising jurisdiction over Netgain in this district also comports with notions of 24 fair play and substantial justice such that the exercise of jurisdiction is reasonable. 25 “Once it has been decided that a defendant purposefully established minimum contacts 26 with a forum, ‘he must present a compelling case that the presence of some other 27 considerations would render jurisdiction unreasonable’ in order to defeat personal 28 jurisdiction.” Dole Food Co. v. Watts, 303 F.3d 1104, 1114 (9th Cir. 2002) (citing 1 Burger King Corp. v. Rudzewicz, 471 U.S. 462, 477 (1985)). Dole set out seven factors 2 that may be considered. Considering all of the Dole factors, Netgain has not made a 3 compelling case to overcome the strong presumption of reasonableness of the assertion of 4 personal jurisdiction. v Dole Food Co., 303 F.3d at 1117 (“A number of our cases 5 emphasize the heavy burden on both domestic and foreign defendants in proving a 6 ‘compelling case’ of unreasonableness to defeat jurisdiction.”). Therefore, Netgain’s 7 motion to dismiss for lack of jurisdiction is denied. 8 In the alternative, Netgain asks that this case be transferred to the United States 9 District Court for the District of Minnesota, where another case was brought concerning 10 Netgain’s data breach and ransomware demand. See Netgain Reply, Dkt. 15 at 12-13. 11 The Minnesota action did include, among others, a California plaintiff asserting 12 California state law claims. However, the case settled and is now closed. See In re: 13 Netgain Technology, LLC, Consumer Data Breach Litigation, Case No. 21cv1210 14 (SRN/LIB), Dkt. 103, Joint Notice of Settlement (Dist. Minn. May 14, 2024). Moreover, 15 the Minnesota court did not have the opportunity to address the substance of the 16 California law claims before the case ended. Therefore, little conservation of judicial 17 resources would result from transferring this case at this point to the District of 18 Minnesota. 19 IV. CCC’S MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM 20 A. The Confidentiality of Medical Information Act (CMIA) 21 CCC first argues that Plaintiff has not adequately alleged a cause of action under 22 the CMIA. A California Court of Appeal has said that a successful CMIA claim requires 23 “pleading, and ultimately proving, that the confidential nature of the plaintiff’s medical 24 information was breached as a result of the health care provider’s negligence.” Regents 25 of the University of California v. Sup. Ct., 220 Cal. App. 4th 549, 570 (2013). Under the 26 CMIA, “more than a mere allegation of loss of possession by the health care provider is 27 necessary to state a cause of action for negligent maintenance or storage of confidential 28 medical information.” Id. (citation omitted). Under that state law, “a breach of 1 confidentiality under the CMIA requires a showing that an unauthorized party viewed the 2 confidential information.” Vigil v. Muir Med. Grp. IPA, Inc., 84 Cal. App. 5th 197, 213 3 (2022), review denied (Jan. 25, 2023); see also, Sutter Health v. Sup. Ct., 227 Cal. App. 4 4th 1546, 1550 (2014) (“plaintiffs have failed to state a cause of action under [CMIA] 5 because they do not allege that the stolen medical information was actually viewed by an 6 unauthorized person.”). A California appellate court recently held that similar allegations 7 were sufficient to state a cause of action under the CMIA. See J.M. v Illuminate 8 Education, 2024 WL 3530281 *4 (Cal. App. July 25, 2024). 9 At trial, Plaintiff may have a difficult time proving in these circumstances that his 10 protected medical information was actually viewed by the ransomware hackers, evidence 11 that is required to prevail on a CMIA cause of action. But Plaintiff does allege that his 12 medical information was “actually viewed by at least one ‘unauthorized third party’” in 13 violation of CIMA. SAC ¶71. In the context of a criminal ransomware attack on a 14 medical records database, this allegation along with the other allegations satisfies Rule 8 15 and states a plausible claim for relief. 16 B. The Customer Records Act (CRA) 17 The CRA requires businesses to disclose a breach of security following discovery 18 or notification of the breach in the security of covered data. See Cal. Civ. Code § 19 1798.82(a). No specific timeframe for disclosure is mandated. However, the CRA 20 requires that the disclosure notice must “be made in the most expedient time possible and 21 without unreasonable delay.” In his SAC, Plaintiff alleges that CCC took 139 days to 22 begin disclosing the data breach to Plaintiff and others which, allegedly, is an 23 unreasonable delay. SAC ¶81. 24 Some courts have found that five-month delays and nine-month delays in 25 providing notice of a data breach sufficiently alleged an “unreasonable delay” under the 26 CRA. E.g. In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. 27 Supp. 3d 1284, 1300 (S.D. Cal. 2020) (Huff, J.) (five month delay); In re Arthur J. 28 Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 589-90 (N.D. Ill. 2022) (nine month 1 delay); J.M. v Illuminate Education, 2024 WL 3530281 *5-6 (Cal. App. July 25, 2024) 2 (five month delay). In contrast, an alleged ten-day delay was not a sufficient allegation 3 of unreasonable delay. In re Sony Gaming Networks & Customer Data Sec. Breach 4 Litig., 996 F. Supp. 2d 942, 1010 (S.D. Cal. 2014). And at least one court has suggested 5 that whether a particular delay qualifies as an “unreasonable under” the CRA is normally 6 a question for trial rather than for a motion to dismiss. Id. 7 After the briefing was complete in this case, a court in a similar case alleging a 8 violation of the CRA denied a motion to dismiss. The court set for trial the CRA claim of 9 a one-month delay where the plaintiff also alleged he was incrementally harmed 10 separately from the data breach. Mohsen v. Veridian Credit Union, No. C23-2048-LTS- 11 KEM, 2024 WL 2080177, at *11 (N.D. Iowa May 9, 2024) (“I find that Mohsen has 12 sufficiently pleaded a claim for violation of the CCRA. While the complaint alleges a 13 significantly shorter delay than in Solara and Arthur J. Gallagher, Mohsen has alleged 14 that the one-month delay incrementally harmed him separately from the data breach. 15 Specifically, Mohsen alleges that the delay prevented him from securing identity theft 16 protection or requesting a credit freeze which could have mitigated the damage caused by 17 the data breach. While the one-month period between the data breach and the 18 notification of customers may be found to be reasonable at a later stage, this argument 19 will benefit from a more developed factual record. Count VII will not be dismissed.”) 20 (citations omitted). In addition to mere delay, “[t]o allege a ‘cognizable injury’ arising 21 from Defendant’s alleged failure to timely notify Plaintiffs of the Data Breach, Plaintiffs 22 must allege ‘incremental harm suffered as a result of the alleged delay in notification,’ as 23 opposed to harm from the Data Breach itself.” In re Solara Med. Supplies, LLC 24 Customer Data Sec. Breach Litig., 613 F. Supp. 3d at 1300 (S.D. Cal. 2020). 25 Defendant argues that Plaintiff’s CRA claim fails because he does not allege any 26 damages caused by the purported delay. But Plaintiff does allege damages were incurred. 27 Specifically, Plaintiff alleges the delay prevented him from taking steps to protect his 28 personal information. SAC ¶ 82. Plaintiff alleges the delay prevented him from taking 1 steps in the most expedient time possible to mitigate the fallout from his personal 2 information being stolen “such as purchasing dark web monitoring or an identity theft 3 protection service.” Id. As in Mohsen, whether Plaintiff is ultimately able to prove his 4 damages at trial must be left for another day. Today, Plaintiff’s allegation of harm is 5 sufficient, along with the allegation of unreasonable delay, to state a plausible state law 6 cause of action under the CRA and the claim satisfies Rule 8. 7 Defendant makes another argument for dismissing the CRA cause of action 8 claiming CCC is not subject to the CRA because it is a health care provider. CCC 9 argues, “the CCRA expressly excludes entities, such as health care providers and 10 contractors who are subject to the CMIA. See Cal. Civ. Code 1798.81.5(e)(1).” And 11 CCC argues that the CRA does not apply to covered entities under HIPAA, citing Cal. 12 Civ. Code 1798.81.5(e)(3). But Plaintiff does not allege violations of 1798.81. Plaintiff 13 alleges violations of 1798.82. Section 1798.82 admits no exceptions for health care 14 providers or entities covered by HIPPA. In fact, 1798.82(e) suggests by its presence that 15 entities covered by HIPPA are included by setting out an alternative method of giving 16 notice of a breach and by stating that covered entities are not exempted.3 There is no 17 basis to dismiss Plaintiff’s cause of action on this ground.. 18 C. The Unfair Competition Laws (UCL) 19 CCC argues that Plaintiff’s allegations of a violation of the UCL are deficient. 20 However, it does not take much to make out a plausible claim that a defendant violated 21 the California UCL when it is also plausibly alleged that another California law was 22 violated by the same defendant. A plaintiff ultimately must prove that a business act was 23

24 3 Cal. Civ. Code 1798.82(e) states, “A covered entity under the federal Health Insurance 25 Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied 26 completely with Section 13402(f) of the federal Health Information Technology for 27 Economic and Clinical Health Act (Public Law 111-5).1 However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this 28 1 ||somehow “unlawful” for a UCL claim. A business act or practice is “unlawful” under the 2 ||UCL if it, in turn, violates a rule contained in some other state or federal statute. Rose v. 3 || Bank of America, N. A., 57 Cal. 4th 390, 396 (2013) (“By proscribing ‘any unlawful’ 4 || business practice, Business and Professions Code ‘section 17200 “borrows” violations of 5 || other laws and treats them as unlawful practices’ that the UCL makes independently 6 || actionable.”). Thus, the requirements for alleging a UCL claim are easily met. 7 “The unlawful prong of the UCL prohibits anything that can properly be called a 8 business practice and that at the same time is forbidden by law. Generally, violation of 9 ||almost any law may serve as a basis for a UCL claim.” Jn re Solara Med. Supplies, LLC 10 || Customer Data Sec. Breach Litig., 613 F. Supp. 3d at 1303 (S.D. Cal. 2020) (‘Plaintiffs 11 |} argue that they have alleged that Solara has unlawfully violated ‘the CMIA, the 12 || California Consumer Records Act, and several state laws.’ ... Defendant’s arguments are 13 better suited for a motion for summary judgment when the record is more fully 14 developed. As a result, the Court denies Defendant’s motion to dismiss Plaintiffs’ 15 || unlawful UCL claim at this time.”). Here, Plaintiff's SAC and its UCL claim relies on 16 || violations of the CMIA and CRA. This is sufficient to plausibly allege a UCL cause of 17 |} action under California law and Rule 8. 18 V. CONCLUSION 19 For the above reasons Netgain’s motion to dismiss for lack of jurisdiction and 20 ||CCC’s motion to dismiss for failure to state a claim are denied. 21 IT IS SO ORDERED. ° 92 Dated: August 7, 2024 73 Hot ér T. Benitez United States District Judge 24 25 26 27 28