UNITED STATES DISTRICT COURT USDC BDNY SOUTHERN DISTRICT OF NEW YORK DOCUMENT ELECTRONICALLY FILED ADELINE PATTISON, DOMINIQUE DOC #: DURSO, JEAN CHARTER, LIANE DATE FILED: 06/25/2025 TUOMALA, MICHELLE GRENON, ———— TERESA HALE, ZESHAAN AHMED and MYSCHELLE TAYLOR, on behalf of themselves and all others similarly situated, 23-cv-11305 (NSR) Plaintifis, OPINION & ORDER -against- TELADOC HEALTH, INC., Defendant.
NELSON S. ROMAN, United States District Judge: Plaintiffs Adeline Pattison, Dominique Durso, Jean Charter, Liane Tuomala, Michelle Grenon, Teresa Hale, Zeshaan Ahmed, and Myschelle Taylor on behalf of themselves and all others similarly situated (“Plaintiffs”), initiated this action on December 29, 2023 (ECF No. 1), alleging violations of the Electronic Communications Privacy Act 18 U.S.C. § 2511(1) (“ECPA”), as well as numerous New York, Florida and California state law claims against Teladoc Health (“Teladoc” or “Defendant”). Presently before the Court is the Defendant’s Motion to Dismiss Plaintiffs’ claims pursuant to Federal Rule of Civil Procedure 12(b)(6). For the following reasons, Defendant’s Motion to Dismiss is DENIED IN PART and GRANTED IN PART. BACKGROUND The following facts are derived from the Amended Complaint and are taken as true and construed in the light most favorable to the Plaintiffs at this stage.
Plaintiffs Adeline Pattison, Dominique Durso, Jean Charter, Liane Tuomala, Michelle Grenon, Teresa Hale, Zeshaan Ahmed, and Myschelle Taylor bring forth the present action on behalf of themselves and those similarly situated against Teladoc. (Am. Compl. ¶ 4.) Teladoc is a telehealth company that connects users to doctors, therapists, specialists and dietitians through
the Teladoc platform. (Id. ¶ 45.) Defendant owns and operates the website https://my.teladoc.com/. (Id. ¶ 5.) Plaintiffs make use of the Teladoc platform to obtain a variety of medical services. (Id.) In using the Teladoc platform, Plaintiffs provide Teladoc protected health information (“PHI”) and personally-identifiable-information (“PII”). (Id. ¶ 75.) At minimum, Plaintiffs provide Teladoc the following information: “[their] names and dates of birth; email addresses, residential addresses, and phone numbers; gender and age; health conditions; health insurance information; medical diagnoses and treatment information; and prescriptions and medication information.” (Id.) Defendant allegedly installed the Facebook Tracking Pixel (“Pixel”) and Conversion
Application Programming Interface (“Conversions API”) on its Website. (Id. ¶¶ 6, 12.) The Pixel and Conversions API facilitate the dissemination of Plaintiffs’ PHI and PII entered on the Teladoc platform to third-parties like Facebook, regardless of whether the individual has a Facebook profile. (Id. ¶¶ 16, 20, 23.) Plaintiffs did not anticipate that Teladoc would disclose their PHI and PII via information submitted to the Teladoc platform and did not consent to such disclosures of their information. (Id. ¶ 25.) By way of example, many Plaintiffs who have made use of the Teladoc platform to receive medical services and have, as necessary, uploaded PHI and PII to the Teladoc website and thereafter have seen advertisements on Facebook specifically tailored to their medical conditions. (Id. ¶¶ 213, 221, 228, 235, 242, 250, 257, 265.) Plaintiffs allege that Defendant utilized the Pixel and Conversions API with the knowledge that Plaintiffs’ PHI and PII would be transmitted to Facebook. (Id. ¶¶ 16, 90, 317.) Plaintiffs allege that Teladoc made use of such tracking technology to improve its advertising and bolster its revenues. (Id. ¶ 68.) As a result of
Defendant’s use of the Pixel and Conversions API, Plaintiffs allege the following injuries: loss of the benefit of the bargain, increased infiltrations into their privacy through spam and targeted advertising they did not ask for, loss of privacy, loss of confidentiality, embarrassment, emotional distress, and humiliation and loss of enjoyment of life (Id. ¶ 338.) Based on the foregoing, Plaintiffs bring claims alleging violations of the ECPA, as well as numerous New York, Florida and California state law claims. PROCEDURAL HISTORY On December 29, 2023, Plaintiffs commenced this action against Defendant in their Complaint. (ECF No. 1.) Thereafter, on July 2, 2024 Plaintiffs filed their Amended Complaint, which is now the operative complaint (the “Amended Complaint” or “Am. Compl.”) On October 15, 2024, Defendant filed a motion to dismiss and its memorandum of law in support (the “Motion” or “Mot.”, ECF Nos. 29 and 30.) Plaintiffs filed an opposition to the Motion (the “Opposition” or “Opp.”, ECF No. 32.) The Defendant also filed a reply in further support of the Motion (the “Reply”, ECF No. 31.) LEGAL STANDARD
A. Motion to Dismiss Under Federal Rule of Civil Procedure 12(b)(6), dismissal is proper unless the complaint “contain[s] sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). When there are well-pled factual allegations in the complaint, “a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief.” Id. at 679. While the Court must take all material factual allegations as true and draw reasonable inferences in the non-moving party’s favor, the Court is “not bound to accept as true a legal conclusion couched as a factual allegation,” or to credit “mere conclusory
statements” or “[t]hreadbare recitals of the elements of a cause of action.” Id. at 678 (quoting Twombly, 550 U.S. at 555). The Second Circuit “deem[s] a complaint to include any written instrument attached to it as an exhibit or any statements or documents incorporated in it by reference . . . and documents that plaintiffs either possessed or knew about and upon which they relied in bringing the suit.” Rotham v. Gregor, 220 F.3d 81, 88 (2d Cir. 2000) (internal citations omitted). The critical inquiry is whether the plaintiff has pled sufficient facts to nudge the claims “across the line from conceivable to plausible.” Twombly, 550 U.S. at 570. A motion to dismiss will be denied where the allegations “allow[] the court to draw the reasonable inference that the Defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. DISCUSSION
Plaintiffs bring claims pursuant to Electronic Communications Privacy Act 18 U.S.C. § 2511(1) (“ECPA”) and numerous New York, Florida and California state law claims. The Court addresses them in turn. A. Electronic Communications Privacy Act Pursuant to the ECPA, where a plaintiff is bringing forth an ECPA claim and the Defendant consents to the interception at issue, the Plaintiff “must make sufficient allegations that ‘support an inference that the offender intercepted the communication for the purpose of a tortious or criminal act that is independent from the intentional act of recording.’” Gay v. Garnet Health, 2024 WL 4203263, at *2 (S.D.N.Y. Sept. 16, 2024) (quoting Caro v. Weintraub, 618 F.3d 94, 100 (2d Cir. 2010)). The facts in the instant case parallel the circumstances before the Court in Garnet Health. In Garnet Health, Garnet Health used the Pixel and Conversion API to intercept and then
transmit the Garnet Health plaintiffs’ PHI and PII entered into the Garnet Health platform by Plaintiffs to Facebook and other third parties, in violation of 42 U.S.C. § 1320d-6 (“HIPAA”) to increase its profit margins. Garnet Health, 2024 WL 4203263 at *3. The Court concluded that the Garnet Health plaintiffs “sufficiently allege[d] an independent action secondary to the interception; Plaintiff[s] state that Defendant used and accessed Plaintiffs’ and Class Members’ data to ‘send identifiers and the content of communications with Defendant simultaneously to . . . Facebook, Google, and others.’” Id. The Court found that such conduct “evidence[d] an intent on Garnet [Health]’s part to commit tortious or unlawful conduct at the time of interception [of plaintiffs’ PHI and PII] as required to state an ECPA claim.” Id. at *4. On this basis, the Court declined to dismiss the Garnet Health plaintiffs’ ECPA claims.
Garnet Health counsels the same result here. Plaintiffs sufficiently allege that at the time of interception, Defendant had the “purpose [] to commit an act [separate from the interception itself] that is punishable as a crime under 42 U.S.C. § 1320d-6: knowingly disclose [PHI and PII] without authorization for marketing purposes.” Garnet Health, 2024 WL 4203263 at *4. Such allegations are enough to invoke the criminal-tortious exemption to the one-party consent rule of the ECPA, and, as a result, allow Plaintiffs to bring forth an ECPA claim. See also Kane v. Univ. of Rochester, No. 23-CV-6027-FPG, 2024 WL 1178340 (W.D.N.Y. Mar. 19, 2024) (denying motion to dismiss plaintiffs’ ECPA claim against University of Rochester where the University of Rochester used the Facebook Tracking Pixel and Conversions Application Program to transmit plaintiffs’ PHI and PII to third-parties such as Facebook without consent as part of enhancing its marketing efforts in violation of HIPAA); Cooper v. Mount Sinai Health Sys., Inc., No. 23 CIV. 9485 (PAE), 2024 WL 3586357 (S.D.N.Y. July 30, 2024) (denying motion to dismiss plaintiffs’ ECPA claim where defendant hospital, by way of the Facebook Pixel, intercepted and then
disseminated plaintiffs’ PHI and PII to Facebook in violation of HIPAA); Kurowski v. Rush Sys. for Health, No. 22 CIV. 5380, 2023 WL 8544084, *3 (N.D. Ill. Dec. 11, 2023) (denying motion to dismiss plaintiffs’ ECPA claim where plaintiffs alleged that defendant knowingly transmitted metadata for the purpose of financial gain and that such allegations were “sufficient to invoke the HIPAA [criminal or tortious] exception-to-the-party exception” for a Wiretap Claim); Mekhail v. N. Mem'l Health Care, 726 F. Supp. 3d 916 (D. Minn. 2024) (denying motion to dismiss plaintiffs’ ECPA claim where defendant transmitted plaintiffs’ PHI and PII to third parties through use of the Facebook Pixel in violation of HIPAA). Sustaining Plaintiffs’ ECPA claim is consistent with binding precedent such as Caro. In Caro, the Second Circuit held that in order to successfully state an ECPA claim, the plaintiff
must plead that “the offender must have as her objective a tortious or criminal result.” Caro v. Weintraub, 618 F.3d 94 at 100. Such is the case here, where, at the time of intercepting Plaintiffs’ PHI and PII, Defendant intended to secondarily disseminate Plaintiffs’ PHI and PII to third parties – in other words, intending, at the moment of interception, to commit a separate act, a criminal act in violation of HIPAA. 42 U.S.C. § 1320d-6. Plaintiffs are not pleading that the mere act of interception is the criminal or tortious act; rather, Plaintiffs are pleading that the criminal or tortious act is the independent, secondary act of disseminating through the Pixel and Conversions API Plaintiffs’ PHI and PII to third parties such as Facebook and Google. (Am. Compl. ¶ 320.) Caro therefore does not require dismissal of Plaintiffs’ ECPA claim. Consequently, the Court denies Defendant’s motion to dismiss Plaintiffs’ ECPA claim. B. Negligence In order to bring a claim for negligence, a plaintiff must, of course, allege negligent
conduct. Silivanch v. Celebrity Cruises, Inc., 171 F. Supp. 2d 241 (S.D.N.Y. 2001). Here, beyond stating that Defendant’s “wrongful actions and/or inactions . . . constituted (and continues to constitute) negligence at common law,” Plaintiffs do not identify with enough specificity the purportedly negligent conduct Defendant took. Plaintiffs do indeed offer copious amounts of intentional conduct, but the Court, even construing the Amended Complaint in the light most favorable to Plaintiffs, cannot discern allegations of negligent conduct, and therefore dismisses the claim without prejudice. C. Breach of Implied Contract “A contract may be implied in fact where inferences may be drawn from the facts and circumstances of the case and the intention of the parties as indicated by their conduct.” Matter
of Boice, 640 N.Y.S.2d 681, 683 (1996). However, “[a] contract may not be implied in fact from the conduct of the parties where it appears that they intended to be bound only by a formal written agreement.” Valentino v. Davis, 270 A.D.2d 635, 703 N.Y.S.2d 609, 612 (2000) (internal quotation marks omitted). Here, based on the allegations of the Complaint, the parties evidenced an intent to be bound by “formal written agreement,” namely the expressed policies, including Defendant’s privacy policy, Teladoc required Plaintiffs to assent to prior to receiving medical care. (Am. Compl. ¶¶ 116, 121.) Accordingly, while Plaintiffs may well be able to plead a breach of contract claim, Plaintiff’s implied contract claim cannot be sustained where it is clear that Plaintiffs intended to be bound by the express written agreements. Therefore, the Court dismisses without prejudice Plaintiff’s breach of implied contract claim. D. Breach of Confidence To plead a breach of confidence claim, a plaintiff must allege “(i) the defendant assumed
a duty of confidentiality, (ii) the defendant intentionally, knowingly, or negligently breached that duty, and (iii) the plaintiff was damaged as a result of that breach.” In re Canon U.S.A. Data Breach Litig., 2022 WL 22248656, *11 (E.D.N.Y. Mar. 15, 2022). Here, Plaintiffs have successfully stated a breach of confidence claim against Defendant. Defendant assumed a duty of confidentiality by way of being a medical services provider dealing with Plaintiffs’ PHI and PII (Am. Compl. ¶¶ 4, 209, 215, 223), thus imposing HIPAA obligations on Teladoc through 42 U.S.C. § 1320d-6 (prong 1); Defendant breached that duty by way of improperly disclosing Plaintiffs’ information to third parties (Am Compl. ¶¶ 5-9, 13, 16, 29) (prong 2); and, finally, Plaintiffs were damaged as a result of that breach, specifically “loss of the benefit of the bargain, increased infiltrations into their privacy through spam and targeted
advertising they did not ask for, loss of privacy, loss of confidentiality, embarrassment, emotional distress, and humiliation and loss of enjoyment of life.” (Id. ¶ 338.) Defendant attempts to argue that “Plaintiffs [] elide the distinction between a technology platform like Teladoc on one hand, and an actual doctor or a hospital on the other hand.” (Opp. p. 16.) The Court rejects such binary thinking; Teladoc is not just any technology platform but is a healthcare corporation serving as the cornerstone of the physician-patient relationship that Plaintiffs established through Teladoc. (Am. Compl. ¶ 45.) More precisely, “Teladoc is a multinational telemedicine and virtual healthcare corporation provid[ing] primary services such as telehealth, medical opinions, artificial intelligence and analytics, telehealth devices and licensable platform services, as well as on-demand remote medical care.” (Id.) Defendant, in other words, functions as a healthcare provider such as a hospital, which courts have already concluded can be subject to a tort claim of breach of confidentiality. In re
Unite Here Data Sec. Incident Litig., 740 F. Supp. 3d 364 (S.D.N.Y. 2024), motion to certify appeal denied, 2024 WL 4307975 (S.D.N.Y. Sept. 26, 2024) (noting the scope of the physician- patient relationship); see also Garnet Health, 2024 WL 4203263 (allowing claim for breach of confidentiality to be brought against hospital). It would be contrary to the purposes undergirding the breach of confidence tort to allow Defendant to function as effectively as a healthcare provider, reap the benefits of providing such services to its consumers (who are, in actuality, its patients), only to circumvent the obligations of confidentiality that any healthcare provider in the United States is subject to. See Wallace v. Health Quest Sys., Inc., No. 20 CIV. 545 (VB), 2021 WL 1109727, at *12 (S.D.N.Y. Mar. 23, 2021) (noting that the duty of confidence “has been extended beyond the physician-patient context to healthcare corporations because the ‘cloak of
confidentiality wraps around more than the health care professionals who renders . . . services”). Therefore, the Court finds that it is proper to sustain Plaintiffs’ breach of confidentiality claim against Defendant and denies Defendant’s motion to dismiss said claim. E. Constructive Bailment In order to state a claim for a constructive bailment, the plaintiff must “relinquish his exclusive control, dominion and possession over the property.” Mada Int'l Auto Auction, Inc. v. Bridgeside Inc., No. 07 CIV. 286 (BMC), 2008 WL 2414799 (E.D.N.Y. June 13, 2008), aff'd sub nom. Elyse v. Bridgeside Inc., 367 F. App'x 266 (2d Cir. 2010). While it is true that Plaintiffs shared PHI and PII with Teladoc, it cannot be argued that Plaintiffs gave Teladoc exclusive control over such information; Plaintiffs, of course, still retain control over their PHI and PII. Therefore, Plaintiffs have failed to state a constructive bailment claim, and the Court dismisses said claim without prejudice.
F. Unjust Enrichment Plaintiffs, in their Opposition brief, withdrew their claim for unjust enrichment. (Opp. p. 14 n. 6.) Therefore, the Court dismisses without prejudice Plaintiffs’ unjust enrichment claim. G. New York Deceptive Trade Practices Act To state a claim under § 349, “a plaintiff must allege that a defendant engaged in consumer-oriented conduct that was materially misleading and that the plaintiff suffered an injury as a result.” Miguel Frias, Jessica Avilez and Roy Campbell, individually & on behalf of all others similarly situated, Plaintiffs, v. Mars Wrigley Confectionery US LLC, Defendant., No. 23 CIV. 4422 (AT), 2024 WL 3988667, *2 (S.D.N.Y. Aug. 28, 2024). A consumer for § 349 is one “‘who purchase[s] goods and services for personal, family or household use.’” Exxonmobil
Inter-Am., Inc. v. Advanced Info. Eng'g Servs., Inc., 328 F. Supp. 2d 443, 449 (S.D.N.Y. 2004). Plaintiffs are able to meet such a burden here. Plaintiffs allege that Defendant has violated its express policies, namely its privacy policy. (Am. Compl. ¶¶ 119, 123, 133, 271, 283, 327, 380.) Teladoc did not “inform [Teladoc] patients of its actions in transmitting information from Defendant’s [platform] to Facebook [and other websites]” and “[g]iven the discrepancy between the policies explicitly articulated by the Defendant and the actual conduct regarding Plaintiffs’ PHI and PII, at this stage in the case, Plaintiffs have sufficiently alleged the conduct was materially misleading.” Garnet Health, 2024 WL 4203263 at *7. Plaintiffs likewise can establish injury. Per Miguel Frias, Plaintiffs can establish injury if they plead they did not receive the full value of their purchase. Miguel Frias, 2024 WL 3988667 at *4. This can be done by stating that plaintiff would not have purchased the product or been willing to pay as much had they known the true facts. Id. Durso specifically pleads that “she
never would have provided her Private Information to Teladoc or purchased Teladoc’s services had she known or been told that Teladoc shared confidential and sensitive Private Information with Facebook.” (Am. Compl. ¶ 396.) The Amended Complaint, therefore, Plaintiffs clearly avers that Plaintiffs would not have purchased the product or service had they known the true facts. This is enough for the purposes of pleading injury at the motion to dismiss stage. See Pichardo v. Only What You Need, Inc., No. 20-CV-493 (VEC), 2020 WL 6323775 (S.D.N.Y. Oct. 27, 2020) (holding that plaintiff sufficiently pled injury where they asserted that had they known the true facts they would not have purchased the product). Therefore, Plaintiffs sufficiently alleged that the Defendant materially misrepresented its services offered and that, as a result, they suffered injury, which is enough to survive Defendant’s motion to dismiss. The Court thus
declines to dismiss Plaintiffs’ New York Deceptive Trade Practices Act. H. Florida Security of Communications Act Defendant’s argument for dismissal of Plaintiffs’ FSCA claim rests on Defendant’s contention that the Amended Complaint does not sufficiently allege that Defendant intercepted the “contents” of Plaintiffs’ communications. (Opp. p. 11.) The Court disagrees. Courts have construed the FSCA’s definition of “contents” to mean the “‘[the] substance, purport, or meaning’ – of the communication itself.” Goldstein v. Costco Wholesale Corp., 559 F. Supp. 3d 1318, 1321 (S.D. Fla. 2021). Notably, courts have held that “‘some queried URLs qualify as content,’ reasoning that a URL may convey ‘substantive information’ about web browsing activity, instead of mere ‘dialing, routing, addressing, or signaling information.’” In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262 (3d Cir. 2016). To be sure, Defendant is correct that it is clear that the FSCA does not cover “the mere tracking of [a] Plaintiff’s movements on [a] Defendant’s website.” Goldstein, 559 F. Supp. 3d
1318 at 1321. But Plaintiffs are not alleging the interception of such information; rather, they are alleging that information such as their medical conditions were intercepted by Defendant and relayed to Facebook, such that Plaintiffs started to see ads related to their medical conditions. (Am Compl. ¶¶ 208, 213.) With such information intercepted, Plaintiffs are clearly pleading that Defendant intercepted the “substance, purport, or meaning” of the communication itself – in this case, the substance being Plaintiffs’ medical information. Goldstein, 559 F. Supp. 3d 1318 at 1321. Therefore, because the Court must find that Plaintiffs have sufficiently alleged that the contents of their communication have been intercepted by Defendant, Plaintiffs have plausibly alleged a FSCA claim and declines to dismiss said claim. I. California Invasion of Privacy Act
“The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.” Cline v. Reetz-Laiolo, 329 F. Supp. 3d 1000, 1051 (N.D. Cal. 2018) (internal citation omitted). Thus, because the Court has found that Plaintiffs have plausibly stated an ECPA claim, the Court must find that Plaintiffs’ have likewise stated a CIPA claim and denies Defendant’s motion to dismiss said claim. J. California Confidentiality of Medical Information Act CMIA “prohibits the unauthorized disclosure of medical information and the negligent maintenance or preservation of medical information.” Cousin v. Sharp Healthcare, 702 F. Supp. 3d 967, 974 (S.D. Cal. 2023). As discussed previously, the Court has already found that Plaintiffs have sufficiently alleged that Defendant disclosed Plaintiffs’ medical information in contravention of HIPAA. It follows, then, that the unauthorized disclosure of Plaintiffs’ medical information giving way to a HIPAA violation also gives way to a CMIA violation. As a result, the Court must find that Defendant’s alleged unauthorized transmission of Plaintiffs’ PHI and PII
to third parties like Meta states a plausible claim for a CMIA violation and denies Defendant’s motion to dismiss Plaintiffs’ CMIA claim. See Cousin, 702 F. Supp. 3d 967 (holding that Plaintiffs sufficiently alleged CMIA claim where Defendant used third-party tracking tool that disseminated Plaintiffs’ medical information to Facebook). K. California Unfair Competition Law To bring forth a UCL claim, a plaintiff must show “either an (1) ‘unlawful, unfair or fraudulent business act or practice,’ or (2) ‘unfair, deceptive, untrue or misleading advertising.’” Lippett v. Raymond James Fin. Servs., 340 F.3d 1033, 1043 (9th Cir. 2003) (citing Cal. Bus. & Prof. Code § 17200). Furthermore, a plaintiff must show they “suffered an injury in fact” and “lost money or property” as a result of such conduct. Kemp v. Wells Fargo Bank, N.A., No. 17-
CV-01259-MEJ, 2017 WL 4805567, at *15 (N.D. Cal. Oct. 25, 2017). Courts have recognized as a cognizable form of injury under the UCL benefit of the bargain losses. In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783 (N.D. Cal. May 27, 2016). Additionally, courts have recognized diminution of the value of private data by way of improper disclosure to third parties as a recognizable form of economic harm sufficient to serve as the basis for a UCL claim. Brown v. Google LLC, No. 20-CV-03664-LHK, 2021 WL 6064009, at *15 (N.D. Cal. Dec. 22, 2021). Plaintiffs have sufficiently alleged an unlawful and fraudulent business practice, specifically Defendant’s disclosure of PHI and PII to third parties in violation of HIPAA (Am. Compl. ¶ 320) (prong 1); and Plaintiffs suffered economic injury the form of benefit of the bargain losses (Plaintiffs bargained for medical services that safeguarded their PHI and PII and instead were provided medical services that unlawfully disseminated their PHI and PII) and diminution of the value of their private data due to Defendant’s improper disclosure of Plaintiffs’
private data such as PHI and PII to third-parties (prong 2). Therefore, the Court finds that Plaintiffs have plausibly alleged a UCL claim and denies Defendant’s motion to dismiss said claim. L. California Consumers Legal Remedies Act In order to state a CLRA claim, a plaintiff must “show that: (1) the defendant’s conduct was deceptive; and (2) that the deception caused ?defendant? to be harmed.” Spann v. J.C. Penney Corp., 307 F.R.D. 508 (C.D. Cal. 2015), modified, 314 F.R.D. 312 (C.D. Cal. 2016). Benefit of the bargain damages are a cognizable form of harm under the CLRA. Nguyen v. Nissan N. Am., Inc., 932 F.3d 811 (9th Cir. 2019). The Court must find that Plaintiffs have successfully stated a CLRA claim. As discussed
supra, Plaintiffs have alleged that Defendant has engaged in deceptive practices (advertising a privacy policy that was in accordance with federal regulation like HIPAA, only to violate HIPAA through unauthorized disclosure of PHI and PII to third parties) (prong 1); and Plaintiffs have been harmed, namely in the form of benefits of the bargain damages for reasons stated supra (prong 2). Accordingly, the Court finds that the Amended Complaint’s allegations sufficiently allege a CLRA claim, and the Court denies Defendant’s motion to dismiss said claim. CONCLUSION For the foregoing reasons, the Court GRANTS in part and DENIES in part Defendant’s motion to dismiss. The motion to dismiss is GRANTED without prejudice as to Count 2, Count 3, Count 5 and Count 6, and DENIED as to Count 1, Count 4, Count 7, Count 8, Count 9, Count 10, Count 11 and Count 12. Plaintiffs are granted leave to file a Second Amended Complaint by July 30, 2025. Plaintiffs are advised that the Second Amended Complaint will replace, not supplement, the
Amended Complaint, and so any claims that they wish to pursue must be included in, or attached to, the Second Amended Complaint. Should Plaintiffs file a Second Amended Complaint, Defendant is directed to answer or otherwise respond by August 20, 2025. If Plaintiffs fail to file a Second Amended Complaint within the time allowed, those claims that were dismissed without prejudice shall be deemed dismissed with prejudice. If no Second Amended Complaint is timely filed, Defendant is directed to answer or otherwise respond by August 20, 2025 and the parties are directed to complete and file a Case Management Plan and Scheduling Order by September 10, 2025. The Clerk of Court is respectfully directed to terminate the motion at ECF No. 29.
Dated: June 25, 2025 SO ORDERED: White Plains, New York ________________________________ NELSON S. ROMÁN United States District Judge