1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 ADRIENNE ST. AUBIN, Case No. 24-cv-00667-JST
8 Plaintiff, ORDER GRANTING IN PART AND 9 v. DENYING IN PART DEFENDANT’S MOTION TO DISMISS 10 CARBON HEALTH TECHNOLOGIES, INC., Re: ECF No. 19 11 Defendant.
12 13 Before the Court is Defendant Carbon Health Technologies, Inc.’s (“Carbon Health”) 14 motion to dismiss Plaintiff Adrienne St. Aubin’s class action complaint. ECF No. 19. The Court 15 will grant the motion in part and deny it in part. 16 I. BACKGROUND1 17 Carbon Health is a health care provider. ECF No. 1 ¶ 11. Patients can book appointments 18 to access medical care and manage their treatment or diagnosis of medical conditions through 19 Carbon Health’s website (the “Carbon Website”). Id. 20 Facebook2 offers Facebook Pixel––a segment of code––to advertisers to integrate into its 21 website. Id. ¶ 26. “The Facebook Pixel tracks the people and type of actions they take.” Id. 22 (internal quotation omitted). Carbon Health includes Facebook Pixel on the Carbon Website. Id. 23 ¶ 27. When a user accesses a website hosting Facebook Pixel, the embedded code directs the 24 user’s browser to contemporaneously send a separate message to Facebook’s servers. Id. ¶ 26. 25 1 The facts are taken from the complaint except where otherwise stated. See AE ex rel. Hernandez 26 v. Cnty. of Tulare, 666 F.3d 631, 636 (9th Cir. 2012) (“[W]e accept the factual allegations of the complaint as true and construe them in the light most favorable to the plaintiff.”). 27 2 Plaintiff refers to Meta as “Facebook” throughout her complaint. Although the entity’s legal 1 This transmission contains data that Facebook Pixel is automatically configured to capture, 2 including a web page’s Universal Resource Locator (“URL”). Id. ¶¶ 25–26. The Carbon Website 3 URL contains information about the healthcare page a patient has viewed, including a description 4 of the type of care a patient is seeking. Id. ¶ 55. When a patient books an appointment, Facebook 5 also intercepts information about the type of appointment the patient is booking along with the 6 name of the clinic where the patient will have their appointment. Id. ¶ 56. 7 When a user is logged into Facebook while accessing the Carbon Website, additional 8 cookies are transmitted to Facebook that enable Facebook to link a user to their Facebook ID and 9 corresponding Facebook profile. Id. ¶¶ 58–67. Contemporaneously, Facebook also intercepts a 10 patient’s personally identifiable information, including their Facebook ID. Id. ¶ 57. 11 Facebook processes this information, analyzes it, and assimilates it into relevant internal 12 datasets. Id. ¶ 35. Ultimately, Facebook uses the gathered data to help Carbon Health with 13 advertising to its own patients outside the Carbon Website, and to help other Facebook advertisers 14 with targeted advertising relating to the conditions patients searched for on the Carbon Website. 15 Id. ¶ 31. 16 Similarly, Google offers Google Analytics Pixel (“Google Pixel”)––a segment of code––to 17 advertisers to install on their website. Id. ¶ 37. Carbon Health chose to include Google Pixel on 18 the Carbon Website. Id. ¶ 100. Google directly receives the electronic communications of 19 website visitors entered on websites via features such as search bars. Id. ¶ 40. Carbon Health 20 shares Carbon users’ device identifiers and IP addresses with Google. Id. ¶ 46. Like Facebook, 21 Google intercepts information about: (1) the reason patients booked a medical appointment on 22 Defendant’s Carbon Website and the location for those appointments; and (2) patients’ IP 23 addresses and device identifiers that could be used to personally identify patients. Id. ¶ 68. 24 According to Plaintiff, by using Facebook Pixel and Google Analytics, Carbon Health 25 enables Facebook and Google to intercept the identities and online activity of Carbon Health’s 26 patients, including information related to the type of medical treatment patients are seeking and 27 the health concerns for which they book appointments. Id. ¶ 52. 1 schedule an appointment to obtain a COVID-19 vaccine. Id. Thereafter, she has used the website 2 to schedule additional COVID-19 vaccine appointments and to book an appointment for urgent 3 care. Id. Plaintiff has an active Facebook account which she logged into using the same web 4 browser she used to access the Carbon Website. Id. ¶ 8. Because Facebook and Google 5 intercepted information about the medical appointments Plaintiff scheduled on the Carbon 6 Website—namely, appointments to obtain COVID-19 vaccinations––she received digital 7 advertisements related to the COVID-19 vaccination. Id. ¶ 7. 8 Plaintiff alleges that Carbon Health’s actions violate: (1) the California Information 9 Privacy Act (“CIPA”), Cal. Penal Code § 630, et seq.; (2) the California Confidentiality of 10 Medical Information Act (“CMIA”), Cal. Civ. Code §§ 56.10(a), 56.36(b), 56.36(c); and (3) her 11 right against invasion of privacy under the California Constitution, Cal. Const. Art. I, § 1. 12 II. JURISDICTION 13 The Court has jurisdiction pursuant to 28 U.S.C. § 1332(d)(2)(A). 14 III. REQUEST FOR JUDICIAL NOTICE 15 The Court first addresses Carbon Health’s request for judicial notice. Carbon Health 16 requests that the Court take judicial notice of: (1) Facebook’s Terms of Service available online at: 17 https://www.facebook.com/legal/terms and (2) Google’s Privacy Policy, available online at: 18 https://policies.google.com/privacy?hl=en-US. ECF No. 19 at 8 n.1. 19 “Generally, district courts may not consider material outside the pleadings when assessing 20 the sufficiency of a complaint under Rule 12(b)(6).” Khoja v. Orexigen Therapeutics, Inc., 899 21 F.3d 988, 998 (9th Cir. 2018). Plaintiff opposes the request for judicial notice because the 22 materials are outside the scope of her complaint, and because the information on third party 23 websites is not capable of accurate and ready determination. ECF No. 25 at 8–9. 24 In support of its request, Carbon Health cites Perkins v. LinkedIn Corp., which held that 25 “[p]roper subjects of judicial notice when ruling on a motion to dismiss include . . . publically [sic] 26 accessible websites.” 53 F. Supp. 3d 1190, 1204 (N.D. Cal. 2014). This Court does not agree that 27 all publicly accessible websites are judicially noticeable, as it explained in Rollins v. Dignity 1 There are at least a trillion web pages on the Internet, and many of the documents within those pages are unsupported, poorly 2 supported, or even false. Of course, that does not make all of those documents inadmissible for all purposes. But they are not inherently 3 reliable, and courts should be cautious before taking judicial notice of documents simply because they were published on a website. 4 That is particularly so when a party seeks to introduce documents it created and posted on its own website, as Dignity does here. When 5 a non-governmental entity to seek judicial notice of its paper records, the request is properly rejected because such documents are 6 subject to reasonable dispute. See, e.g., Ladore v. Sony Comput. Entm’t Am., LLC, 75 F.Supp.3d 1065, 1074 (N.D. Cal. 2014) 7 (rejecting request to judicially notice corporate terms of service because moving party “cannot establish that these documents’ 8 ‘accuracy cannot reasonably be questioned.’”). That the same entity posts them on a “publicly available” website does not change that 9 essential fact and does not make them “public records” for purposes of the judicial notice rules. 10 11 Id. at 1032–33. 12 The reasoning of Rollins applies here. The documents in question are the records of a non- 13 governmental entity, and they are subject to reasonable dispute, or least some degree of discovery. 14 Carbon Health’s request for judicial notice is denied. 15 IV. LEGAL STANDARD 16 To survive a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), a 17 complaint must contain “a short and plain statement of the claim showing that the pleader is 18 entitled to relief.” Fed. R. Civ. P. 8(a)(2). Dismissal “is appropriate only where the complaint 19 lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory.” 20 Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). “[A] complaint 21 must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible 22 on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 23 550 U.S. 544, 570 (2007)). Factual allegations need not be detailed, but facts must be “enough to 24 raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555. 25 “A claim has facial plausibility when the plaintiff pleads factual content that allows the 26 court to draw the reasonable inference that the defendant is liable for the misconduct 27 alleged.” Iqbal, 556 U.S. at 678. While this standard is not “akin to a ‘probability 1 Id. (quoting Twombly, 550 U.S. at 556). In determining whether a plaintiff has met the plausibility 2 requirement, a court must “accept all factual allegations in the complaint as true and construe the 3 pleadings in the light most favorable” to the plaintiff. Knievel v. ESPN, 393 F.3d 1068, 1072 (9th 4 Cir. 2005). A plaintiff may “plead[] facts alleged upon information and belief where the facts are 5 peculiarly within the possession and control of the defendant or where the belief is based on 6 factual information that makes the inference of culpability plausible.” Soo Park v. Thompson, 851 7 F.3d 910, 928 (9th Cir. 2017) (quoting Arista Recs., LLC v. Doe 3, 603 F.3d 110, 120 (2d Cir. 8 2010)). 9 V. DISCUSSION 10 Carbon Health argues that Plaintiff fails to state a claim under (1) the CIPA; (2) the CMIA; 11 or (3) the California Constitution. ECF No. 19. 12 A. CIPA § 631(a)
13 Section 631(a) of the CIPA creates four avenues for relief:
14 (1) where a person “by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or 15 makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument”; 16 (2) where a person “willfully and without consent of all 17 parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or 18 meaning of any message, report, or communication while the same is in transit”; 19 (3) where a person “uses, or attempts to use, in any manner, 20 or for any purpose, or to communicate in any way, any information so obtained”; and 21 (4) where a person “aids, agrees with, employs, or conspires 22 with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above.” 23 24 Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 897 (N.D. Cal. 2023) (citing Cal. Penal Code 25 § 631(a) (internal numbering in original)). Plaintiff alleges that Carbon Health has violated the 26 fourth clause of Section 631(a), i.e., that “Defendant aided, agreed with, and conspired with third 27 parties, including, Facebook and Google, to track and intercept Plaintiff’s and Class Members’ 1 argues that Plaintiff fails to state a Section 631(a) claim. ECF No. 19 at 10–17. Because the 2 fourth clause of Section 631(a) depends on first establishing a violation of the first, second, or 3 third clauses, the Court starts by addressing whether Plaintiff has successfully alleged an 4 underlying violation. Mastel v. Miniclip SA, 549 F. Supp. 3d 1129, 1137 (E.D. Cal. 2021). 5 a. Subsection (a)(1) 6 Defendant argues that the first clause does not apply here because it does not apply to 7 internet communications. ECF No. 19 at 11. The Court agrees. 8 Section 631(a)’s first clause prohibits “any person who by means of any machine, 9 instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized 10 connection . . . with any telegraph or telephone wire, line, cable, or instrument, including the wire, 11 line, cable, or instrument of any internal telephonic communication system.” Cal. Penal Code 12 § 631 (emphasis added). “Thus, by its plain terms, the statute prohibits unauthorized connection 13 with transmissions related to ‘telegraph or telephone’ technologies.” Swarts v. Home Depot, Inc., 14 689 F. Supp. 3d 732, 743 (N.D. Cal. 2023). 15 This Court previously rejected the application of Section 631(a)’s first clause to internet 16 transmissions. Id.; see also Cody v. Ring LLC, No. 23-CV-00562-AMO, 2024 WL 735667, at *3 17 (N.D. Cal. Feb. 22, 2024) (finding that “[c]lause one of Section 631(a) prohibits telephonic 18 wiretapping, which does not apply to the internet . . . .”). The Court adopts its earlier holding and 19 dismisses Plaintiff’s claim under Section 631(a)’s first clause. 20 b. Subsection (a)(2) 21 In moving to dismiss Plaintiff’s claims based on the second clause of Section 631(a), 22 Carbon Health argues that Plaintiff has failed to allege that (1) the “contents” of a communication; 23 (2) were intercepted while in transit. ECF No. 19 at 12–15. 24 i. Contents of a Communication 25 Carbon Health argues that Plaintiff has not pleaded any facts supporting that she 26 “communicated” anything to the Carbon Website, and that the URL information she transmitted 27 does not constitute “contents” under the CIPA. ECF No. 19 at 12–13. Plaintiff responds that 1 communications under the CIPA.” ECF No. 25 at 10. 2 “[W]hen users enter URL addresses into their web browser using the ‘http’ web address 3 format, or click on hyperlinks, they are actually telling their web browsers [] which resources to 4 request and where to find them.” In re Zynga Privacy Litig., 750 F.3d 1098, 1101 (9th Cir. 2014). 5 In determining whether URLs constitute “contents” under the CIPA, courts have distinguished 6 between URLs that contain basic identification and address information, and those that contain a 7 search term or similar information communicated by the user. In re Facebook, Inc. Internet 8 Tracking Litig. (“Facebook Tracking”), 956 F.3d 589, 605 (9th Cir. 2020) (full-string, detailed 9 URLs can divulge a user’s personal interests, queries, and habits on third-party websites).3 10 Descriptive URLs that reveal specific information about a user’s queries reflect the “contents” of a 11 communication. See In re Google RTB Consumer Priv. Litig., 606 F.Supp.3d 935, 949 (N.D. Cal. 12 June 13, 2022) (finding under the Electronic Communications Privacy Act (ECPA), that “referrer 13 URL that caused navigation to the current page”; “details about the publisher object of the site or 14 app”; and “details about the content within the site or app” all constituted “content”); Brown v. 15 Google LLC, 685 F. Supp. 3d 909, 936 (N.D. Cal. 2023) (“full-string detailed URL[s]” containing 16 “users’ actions on a website, and their search queries” can constitute content). The complaint’s 17 allegation that Carbon Health transmitted descriptive URLs suffices to allege a violation of the 18 CIPA.4 See, e.g., ECF No. 1 ¶ 55 (“This information includes the description of the type of care 19 patient is seeking, which is included in the URL.”) 20 In re Zynga Priv. Litig., 750 F.3d 1098, and Brodsky v. Apple Inc., 445 F. Supp. 3d 110 21 (N.D. Cal. 2020), cited by Carbon Health, are not the contrary. First, the Zynga court observed 22 that “[u]nder some circumstances, a user’s request to a search engine for specific information 23 could constitute a communication such that divulging a URL containing that search term to a third 24
25 3 The Ninth Circuit’s holding that a descriptive URL was the “contents” of a “communication” was decided in regards to a a claim for an invasion of privacy under the California Constitution. 26 956 F.3d at 601. The Court nonetheless finds instructive the distinction made there between descriptive URLs and merely record or informational URLs. 27 4 Carbon Health argues that “Plaintiff’s examples of hypothetical searches on Carbon Health’s 1 party could amount to disclosure of the contents of a communication.” In re Zynga Priv. Litig., 2 750 F.3d at 1108–09 (emphasis added). However, in Zynga, ultimately the “information at 3 issue . . . include[d] only basic identification and address information, not a search term or similar 4 communication made by the user, and therefore [did] not constitute the contents of a 5 communication.” Id. Similarly, in Brodsky, the court found that Apple’s interception of 6 plaintiffs’ usernames and passwords was only record information that did not constitute the 7 contents of a communication. 445 F. Supp. 3d at 127. Neither Zynga nor Brodsky assist Carbon 8 Health. 9 Defendant’s attempt to distinguish In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 10 795 (N.D. Cal. 2022) also fails. Defendant contends that In re Meta Pixel is easily distinguishable 11 because there is a difference between Facebook Pixel being present “inside patient portals,” as it 12 was in that case, versus on the appointment page, as alleged here. ECF No. 26 at 9. The Court 13 finds this to be a distinction without a difference. Ultimately, the question for the Court is whether 14 Plaintiff has alleged that the URLs transmitted to Facebook and Google through their respective 15 embedded Pixel codes contains a search term or similar communication made by the user. In re 16 Zynga Priv. Litig., 750 F.3d at 1108–09; see also In re Meta Pixel Healthcare Litig., 647 F. Supp. 17 3d at 795–796. The Court finds that Plaintiff has done so. 18 Here, Plaintiff provides examples of how her searches and appointment bookings create 19 descriptive URLs. “For example, if a patient searches for ‘pap smear,’ they will be taken to the 20 [Carbon] Website page with the URL: carbonhealth.com/get-care/pap-smear.” ECF No. 1 ¶ 55. 21 When a patient books an appointment for cold and flu symptoms, the URL contains: “(1) the 22 ‘appointment-reason’ ‘cold-flu-symptoms’”; and the location of the appointment–– 23 ”location=alameda-ca.” Id. ¶ 56. These are the URLs that are collected by Facebook and Google, 24 id. ¶¶ 56, 68, and they contain communication content. Because Plaintiff has sufficiently pleaded 25 that the URLs transmitted to Facebook and Google include a patient’s symptoms or the reason for 26 her medical appointment, she sufficiently alleges the contents of a communication. See In re Meta 27 Pixel Healthcare Litig., 647 F. Supp. 3d at 795–796 (finding that descriptive URLs such as 1 disorders/ulcerative-colitis” with a “path” and “query string” are contents of a communication.) 2 ii. In Transit 3 Next, Carbon Health argues that Plaintiff fails to allege with specificity that the alleged 4 interception occurred while the communications were in transit. ECF No. 19 at 14–15. Plaintiff 5 responds with two arguments. First, Plaintiff argues that “even if Plaintiff’s communications were 6 not intercepted ‘in transit’ . . . her communications were ‘sent from, or received at, a place within 7 this state.’” ECF No. 25 at 12. Second, she contends that she has alleged detailed facts showing 8 that communications were intercepted in transit. Id. at 13. Clause two of Section 631(a) has three 9 requirements “(1) the absence of consent; (2) the party exception; and (3) the ‘while . . . in transit’ 10 requirement.” Valenzuela v. Keurig Green Mountain, Inc., 674 F. Supp. 3d 751, 756 (N.D. Cal. 11 2023). 12 For her first argument, Plaintiff reads Section 631(a) in the disjunctive, arguing that it 13 imposes liability for eavesdropping on a communication “while [it] is in transit or passing over 14 any wire, line, or cable, or is being sent from, or received at any place within this state.” ECF No. 15 25 at 12 (quoting Cal. Penal Code § 631(a) (emphasis added by Plaintiff). Plaintiff misreads the 16 statute. With regard to the third requirement of the second clause, “‘[w]hile’ is the key word,” 17 Valenzuela v. Keurig Green Mountain, Inc., 674 F. Supp. 3d 751, 758 (N.D. Cal. 2023), and it 18 applies to all of the sentence that follows. “‘[W]hile’ implies [that] the interception must occur 19 contemporaneous[ly] with the sending or receipt of the message.” Id. at 759. Plaintiff cannot 20 avoid the simultaneity requirement merely because she sends or receives a message in California. 21 Id. 22 Thus, the only remaining question is whether Plaintiff has plausibly alleged interception. 23 The Court finds that she had. 24 At the motion to dismiss stage, a plaintiff is not required to allege how and when their 25 communications are captured. In re Vizio, Inc. Consumer Priv. Litig., 238 F. Supp. 3d 1204, 1228 26 (C.D. Cal. 2017). “A pleading standard to the contrary would require the CIPA plaintiff to engage 27 in a one-sided guessing game because the relevant information about data capture typically resides 1 CIPA plaintiff ‘must provide fair notice to [d]efendant’ of how and when she ‘believe[s]’ the 2 defendant or the conspiring third party intercepts her communications.” D’Angelo v. Penny OpCo, 3 LLC, No. 23-CV-0981-BAS-DDL, 2023 WL 7006793, at *8 (S.D. Cal. Oct. 24, 2023). 4 Under this standard, and with respect to Facebook Pixel, Plaintiff’s allegations are more 5 than “threadbare recitals of a cause of action’s elements, supported by mere conclusory 6 statements.” Iqbal, 556 U.S. at 663. She alleges that: 7 When a user accesses a website hosting the Facebook Pixel, Facebook’s software script surreptitiously directs the user’s browser 8 to contemporaneously send a separate message to Facebook’s servers. This second, secret transmission contains the original GET 9 request sent to the host website, along with additional data that the Facebook Pixel is configured to collect. This transmission is 10 initiated by Facebook code and concurrent with the communications with the host website. At relevant times, two sets of code are thus 11 automatically run as part of the browser’s attempt to load and read Defendant’s [Carbon] Website—Defendant’s own code, and 12 Facebook’s embedded code. 13 ECF No. 1 ¶ 26.
14 Facebook’s embedded code, written in JavaScript, sends secret instructions back to the individual’s browser, without alerting the 15 individual that this is happening. Facebook causes the browser to secretly duplicate the communication with Carbon Health, 16 transmitting it to Facebook’s servers, alongside additional information that transcribes the communication’s content and the 17 individual’s identity. 18 ECF No. 1 ¶ 34. 19 Carbon Health’s cited authority does not say otherwise. See Smith v. Facebook, Inc., 262 20 F. Supp. 3d 943, 951, aff’d, 745 F. App’x 8 (9th Cir. 2018); Barbour v. John Muir Health, No. 21 C22- 01693, 2023 WL 2618967, at *5 (Cal. Super. Ct. 2023) (“Barbour I”), and Order Sustaining 22 Defendant’s Demurrer on the First Amended Complaint, Isaac v. Northbay Healthcare Corp., No. 23 FCS059353 (Cal. Super. Ct. Solano Cnty. June 7, 2024) (“Isaac Dismissal Order”). 24 First, the Smith court held that “embedding third-party code cannot confer personal 25 jurisdiction over a website operator in the forum where the third party resides” because “[b]esides 26 triggering a second GET request in the user’s browser, the Healthcare Defendants play no part in 27 the exchange of data between Facebook and [p]laintiffs.” Smith, 262 F. Supp. 3d at 952 (N.D. 1 requirement that the transmission should be contemporaneous; instead, it discussed the 2 transmissions in the context of personal jurisdiction. 3 Second, both Barbour and Isaac stand for the proposition that the key to the interception analysis 4 is whether the plaintiff alleges that transmission was simultaneous. See ECF No. 25-1 at 7 5 (Minute Entry Adopting Tentative Ruling, Barbour v. John Muir Health, No. C22-01693 (Cal. 6 Super. Ct. Contra Costa Cnty. May 18, 2023) (“Barbour II” clarifying Barbour I) (“the key to the 7 Court’s prior analysis was not the multiplicity of electronic messages involved, but their 8 sequentiality or non-simultaneity”); see also Isaac Dismissal Order (finding that plaintiff failed to 9 allege simultaneous transmission). But here, Plaintiff does allege simultaneity. ECF No. 1 ¶ 26 10 (stating “[t]his transmission is initiated by Facebook code and concurrent with the 11 communications with the host website” (emphasis added)). Plaintiff has therefore alleged 12 sufficient facts to defeat a motion to dismiss with respect to Facebook Pixel. 13 With respect to Google Pixel, however, Plaintiff alleges that “Defendant’s integration of 14 the Google Analytics Pixel similarly allows Google to intercept information,” but does not allege 15 how such interception occurs. ECF No. 1 ¶¶ 40, 68. Conclusory allegations that “do not indicate 16 when the interception occurs” fail to support a claim under § 631(a). Swarts, 689 F. Supp. 3d at 17 746 (N.D. Cal. 2023) (emphasis in original). 18 Carbon Health’s motion to dismiss Plaintiff’s Section 631(a) claim based on the second 19 clause is therefore granted with respect to Google Pixel and denied with respect to Facebook Pixel. 20 c. Subsection (a)(3) 21 A violation under the third clause of § 631(a) is contingent upon a finding of a violation of 22 the first or second clause of Section 631(a). Mastel, 549 F. Supp. 3d at 1137 (E.D. Cal. 2021). 23 Defendant argues that because Plaintiff failed to make a showing under the first or second 24 clause, Plaintiff’s claim under the third clause also fails. ECF No. 19 at 15–16. 25 Because the Court dismissed Plaintiff’s claim under the first clause and dismissed 26 Plaintiff’s claim under the second clause in part, the Court finds that only Plaintiff’s clause two 27 claim with respect to Facebook Pixel can survive under clause three of Section 631(a). d. Subsection (a)(4) 1 A party may be held vicariously liable under the fourth clause of Section 631 where it 2 “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, 3 or cause to be done any of the acts or things” prohibited in the first three clauses. Mastel, 549 F. 4 Supp. 3d at 1137; see also Cal. Penal Code § 631(a). As with clause three, because the Court 5 dismissed Plaintiff’s claim under the first clause, and dismissed Plaintiff’s claim under the second 6 clause in part, the Court analyzes only whether Plaintiff has sufficiently stated a claim with respect 7 to Facebook Pixel. 8 Carbon Health argues that Plaintiff’s claims must be dismissed because she fails to allege 9 that Carbon Health had any intent to aid or abet a violation of the CIPA, and because Plaintiff 10 consented to the collection of her health information. ECF No. 19 at 16–17. 11 i. Intent to Aid 12 Carbon Health argues that Plaintiff’s clause four claim is deficient because she fails to 13 allege that “Carbon Health had the requisite intent to have aided and abetted any such violation.” 14 ECF No. 19 at 16. Plaintiff responds that Carbon Health improperly inserts a “criminal intent 15 standard to this civil case.” ECF No. 25 at 15. She argues that the use of the word “aid” in clause 16 four simply means that a defendant enables another’s wrongdoing. Id. at 16. 17 The plain text of the statute imposes liability on any person “who aids, agrees with, 18 employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done 19 any of the acts or things mentioned” in clauses one through three. Cal. Penal Code § 631(a). The 20 statute as worded does not include an intent standard. 21 Some courts have adopted the common law civil tort definition of aiding and abetting in 22 construing section 631 claims. Rodriguez v. Ford Motor Co., No. 23-cv-00598-RBM-JLB, 2024 23 WL 1223485, at *15 (S.D. Cal. Mar. 21, 2024); see also Esparza v. UAG Escondido A1 Inc., No. 24 23-cv-0102-DMS(KSC), 2024 WL 559241, at *6 (S.D. Cal. Feb. 12, 2024). Under the common 25 law civil tort definition, a person may be held liable for aiding and abetting if they: 26 (a) know[] the other’s conduct constitute[s] a breach of duty and 27 give[] substantial assistance or encouragement to the other to so act; 1 (b) give[] substantial assistance to the other in accomplishing a tortious result and the person’s own conduct, separately considered, 2 constitutes a breach of duty to the third person.
3 Esparza, 2024 WL 559241, at *6. 4 Other courts have taken a different approach. In Cousin v. Sharp Healthcare, for example, 5 defendants contended—as Defendant does here—that “aids” should be construed to impose the 6 intent requirement for a finding of “aiding and abetting.” 681 F. Supp. 3d 1117 (S.D. Cal. 2023) 7 (“Cousin I”). The Cousin I court rejected that argument, as follows: 8 Defendant’s contention that “aids” means “aiding and abetting” 9 ignores the “agrees with, employs, or conspires with” language of the clause. Defendant provides no case law requiring the Court to 10 analyze “aids, agrees with, employs, or conspires with” as solely “aiding and abetting.” 11 12 Id. at 1130. The Court finds the approach in Cousin more persuasive because it more closely 13 follows the language of the statute. Accordingly, the Court examines whether Plaintiff here has 14 sufficiently alleged that Defendant aided, agreed with, employed, or conspired with Facebook. 15 Plaintiff alleges as follows in that regard: 16 • Carbon Health chose to include Facebook Pixel on its [Carbon] Website. 17 ECF No. 1 ¶ 27. 18 • The Facebook Pixel code enables Facebook to help Carbon Health with 19 advertising to its own patients outside the [Carbon] Website, but also includes 20 individual patients among groups targeted by other Facebook advertisers relating to 21 the conditions about which patients communicated on Defendant’s Carbon 22 Website. Id. ¶ 31. 23 • By installing and enabling Facebook Pixel, Carbon Health assisted 24 Facebook with intercepting the identities and online activity of patients, including 25 information related to the type of medical treatment patients were seeking and for 26 which they booked appointments. Id. ¶ 52. 27 • Carbon Health assisted these interceptions without Plaintiff St. Aubin’s 1 These allegations are sufficient to show that Carbon Health aided, agreed with, employed, 2 or conspired with Facebook. Carbon Health’s motion to dismiss on that ground is denied. 3 ii. Consent 4 Next, Carbon Health argues that Carbon Website users “consented to those entities’ data 5 tracking and collection practices pursuant to their terms and policies when they signed up for their 6 accounts.” ECF No. 19 at 16. Because the Court has declined to take judicial notice of the 7 documents on which this argument depends, the Court rejects the argument. 8 Even if the Court were to consider the proffered documents, however, it would probably 9 not rule in Defendant’s favor. User consent must be actual––that is, “the disclosures must 10 ‘explicitly notify’ users of the conduct at issue.” Calhoun v. Google, LLC, No. 22-16993, 2024 11 WL 3869446, at *5 (9th Cir. Aug. 20, 2024) (internal citations omitted). “Consent is only 12 effective if the person alleging harm consented ‘to the particular conduct, or to substantially the 13 same conduct’ and if the alleged tortfeasor did not exceed the scope of that consent.” Id. (quoting 14 Tsao v. Desert Palace, Inc., 698 F.3d 1128, 1149 (9th Cir. 2012)). Defendant bears the burden of 15 establishing that Plaintiff consented to the transmissions. Id. The governing standard is what a 16 “reasonable user” of a service would understand they were consenting to, not what a technical 17 expert would. Id. at *7. 18 As another court in this district has already found, “Meta’s policies do not . . . specifically 19 indicate that Meta may acquire health data obtained from Facebook users’ interactions with their 20 medical providers’ websites. Its generalized notice is not sufficient to establish consent.” In re 21 Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 793. Carbon Health contends that In re Meta 22 Pixel is easily distinguishable because there is a difference between Facebook Pixel being present 23 “inside patient portals,” versus, as alleged here, on the appointment page, ECF No. 26 at 14, but 24 the distinction is irrelevant. Thus, if the issue were properly presented, the Court would be likely 25 to follow In re Meta Pixel. 26 Carbon Health’s motion to dismiss Plaintiff’s Section 631(a) claim is denied with respect 27 to Plaintiff’s Facebook Pixel claims but granted with respect to Plaintiff’s Google Pixel claims. 1 B. CMIA 2 The CMIA provides that “[a] provider of health care . . . shall not disclose medical 3 information regarding a patient . . . or an enrollee or subscriber . . . without first obtaining an 4 authorization . . . “ Cal. Civ. Code § 56.10(a). The CMIA also creates a private right of action for 5 violations of the Act. Id. § 56.36(b). 6 Carbon Health argues that Plaintiff’s CMIA claim should be dismissed because she fails to 7 plead (1) disclosure of her medical information; and (2) that any third party improperly viewed the 8 medical information. 9 1. Medical Information 10 The CMIA defines “medical information” as “any individually identifiable information, in 11 electronic or physical form . . . regarding a patient’s medical history, mental health application 12 information, mental or physical condition, or treatment.” Cal. Civ. Code § 56.05(j). 13 “[M]edical information cannot mean just any patient-related information held by a health 14 care provider but must be ‘individually identifiable information’ and [] include ‘a patient’s 15 medical history, mental or physical condition, or treatment.’ This definition does not encompass 16 demographic or numeric information that does not reveal medical history, diagnosis, or care.” 17 Eisenhower Med. Ctr. v. Superior Ct., 226 Cal. App. 4th 430, 435 (Cal. Ct. App. 2014). The “fact 18 that he or she was a patient is not in itself medical information.” Id. at 436. 19 In Wilson v. Rater8, LLC, the plaintiff alleged that defendants “disclosed [p]laintiff’s 20 name, cellular telephone number, ‘treating physician names, medical treatment appointment 21 information, and medical treatment discharge dates and times’ to [defendant].” No. 20-CV-1515- 22 DMS-LL, 2021 WL 4865930, at *5 (S.D. Cal. Oct. 18, 2021). The Wilson court held that “[w]hile 23 some of this information is ‘individually identifiable,’ none of it constitutes ‘medical information’ 24 within the meaning of the statute.” Id. 25 Carbon Health moves to dismiss Plaintiff’s CMIA claim because she fails to allege the 26 disclosure of any medical information. ECF No. 19 at 19–22. Carbon Health also argues that the 27 complaint contains only hypothetical scenarios regarding the disclosure of medical information. 1 Plaintiff alleges that the URLs transmitted to Facebook and Google include: (1) the reason 2 patients booked a medical appointment and the location for those appointments; and (2) patients’ 3 identifiable information including their device IDs, IP addresses, or Facebook IDs that could be 4 used to personally identify patients. Id. ¶¶ 55–72. This constitutes a person’s “mental or physical 5 condition” or a course of treatment falling under the CMIA’s definition of “medical information.” 6 Barbour, 2023 WL 2618967, at *7 (finding that plaintiff’s allegations explaining searches for 7 doctors, doctors’ specialties, and doctor’s appointments—that reveal plaintiffs’ medical 8 conditions, treatments, and medical history adequately pleaded that the information in question 9 was “medical information”; discussing that “it takes little deduction to ascertain that a person who 10 searched for a cardiologist may have a heart condition and may seek treatment for their perceived 11 symptoms.”) 12 As stated above, Carbon Health’s contention that Plaintiff failed to allege that the tracking 13 technologies “were present inside any patient portal on the Carbon Health website” is irrelevant. 14 ECF No. 19 at 18. Regardless of whether the technologies were inside a patient portal, or whether 15 they were on the appointment page, the question is whether the transmission of a URL containing 16 the nature of the appointment constitutes medical information. The Court finds that it does. 17 Nienaber v. Overlake Hosp. Med. Ctr., No. 2:23-CV-01159-TL, 2024 WL 2133709, at *3 (W.D. 18 Wash. May 13, 2024) (“The collection and transmission of information from unauthenticated web 19 pages (i.e., pages that do not require a user to log in to access the website) may be actionable as 20 well if the information disclosed demonstrates that the plaintiff’s interactions plausibly relate to 21 the provision of healthcare, or if the information connects a particular user to a particular 22 healthcare provider (i.e., patient status).”). 23 Defendant’s authorities are inapposite because they do not involve information that 24 revealed the nature of a patient’s treatment. For example, in B.K. v. Eisenhower Med. Ctr., 25 plaintiffs failed to allege with any specificity what medical information was allegedly disclosed. 26 No. 23-cv-2092-JGB-KKX, 2024 WL 878100, at *4 (C.D. Cal. Feb. 29, 2024), on reconsideration 27 in part, No. 23-cv-2092 JGB (DTBX), 2024 WL 2037404 (C.D. Cal. Apr. 11, 2024). Similarly in 1 statement that defendants disclosed “plaintiff’s name, cellular telephone number, treating 2 physician names, medical treatment appointment information, and medical treatment discharge 3 dates and times.” 2021 WL 4865930, at *5. The Wilson plaintiff did not allege with any 4 specificity any facts about the “medical treatment appointment information” other than 5 “[p]laintiff’s contact information and appointment date.” Id. 6 The Court therefore finds that Plaintiff has adequately alleged the disclosure of information 7 “reveal[ing] medical history, diagnosis, or care” within the meaning of the CMIA. 8 2. Viewing By Unauthorized Third Party 9 Defendant argues that Plaintiff’s CMIA claim fails because “she does not allege that the 10 information was actually viewed by an unauthorized person—as she must to assert a CMIA 11 claim.” ECF No. 19 at 19 (emphasis omitted). Plaintiff responds that “[m]ultiple courts have held 12 that a health care provider’s disclosure of PHI to third-party online advertisers is sufficient to 13 plausibly plead viewing under the CMIA where the complaint includes allegations like the ones 14 Plaintiff has made.” ECF No. 25 at 23. 15 The Court agrees with Plaintiff. In Doe v. Regents of Univ. of California, defendant UC 16 Regents made the same argument Defendant makes here: “that even if plaintiff has alleged that the 17 information was transferred to Meta, she has not sufficiently alleged that it was viewed by an 18 authorized party.” 672 F. Supp. 3d 813, 819 (N.D. Cal. 2023) (emphasis in original). The court 19 rejected this argument, finding that plaintiff’s allegation that “Meta acted upon the information 20 transmitted to it by tailoring advertisements to her based on her medical condition” was “sufficient 21 to raise a plausible claim that her medical information was inappropriately accessed.” Id. 22 Similarly, in Cousin v. Sharp Healthcare (“Cousin II”), Defendant argued that plaintiffs failed to 23 allege their information was “viewed” and therefore did not state a claim. 702 F. Supp. 3d 967, 24 975 (S.D. Cal. 2023). The court rejected this argument:
25 Whether Meta, as an entity and not a human being, can “view” information for CMIA purposes is a question the Court cannot resolve 26 at this stage. Similarly, whether the alleged use by Meta of the information, through perhaps algorithms, amounts to viewing or 27 accessing under CMIA is a question the Court cannot answer on that Plaintiffs’ information was “viewed or otherwise accessed” as 1 contemplated by CMIA. 2 Id. The court accordingly denied defendant’s motion to dismiss plaintiff’s CIMA claim on that 3 basis. 4 In support of its motion, Defendant cites Barbour v. John Muir Health, an unpublished 5 California superior court case. 2023 WL 2618967 (Cal. Super. Jan. 05, 2023). In Barbour, the 6 court determined that there was no CMIA violation because Facebook may have been able to 7 collect, analyze and use the data at issue “through the use of computers without any human 8 actually laying eyes on it.” Id., at *7. The Court finds Barbour unpersuasive. First, its reasoning 9 that “the information may be collected, analyzed, and used by a third party . . . without any human 10 actually laying eyes on it,” id.—in other words, that it was possible no human viewed the 11 information—violates the stricture that a complaint’s allegations are to be construed in favor of the 12 plaintiff. Knievel, 393 F.3d at 1072; see also Barbour, 2023 WL 2618967, at *1 (“On demurrer 13 the complaint must be liberally construed with a view to substantial justice between the parties.” 14 (citation omitted)). Second, Barbour’s holding is unsupported by authority. The case it cites, 15 Sutter Health v. Superior Court 227 Cal.App.4th 1546 (2014), does not address the question of 16 whether the “viewing” of information by software designed for that purpose satisfies the 17 requirements of the CMIA. 18 Carbon Health also argues that “Plaintiff’s conclusion requires making the unsupported 19 (and improbable) inference that online advertisements for COVID-19 vaccination could only 20 result from booking a vaccination appointment on Carbon Health’s website.” ECF No. 19 at 20. 21 The Court does not find the inference improbable. To the contrary, Plaintiff’s allegation is at least 22 as probable as Carbon Health’s postulated unlikely coincidence. See, e.g., United States v. Mayes, 23 524 F.2d 803, 807 (9th Cir. 1975) (finding it “too great a coincidence” that the tracks of three 24 persons, including the defendant, joined together near a cache of marijuana). Moreover, 25 “[p]lausibility pleading does not require a plaintiff to foreclose every other avenue by which she 26 could have been harmed[,] . . . [s]he simply must plead facts that raise more than a sheer 27 possibility that the defendant has acted unlawfully.” Doe v. Regents of Univ. of Cal., 672 F. Supp. 1 Plaintiff alleges that the business models for Facebook and Google use the information 2 gathered from the Carbon Website for targeted advertising (including for Carbon Health). ECF 3 No. 1 ¶¶ 23–26, 31, 43–45. She further alleges that after collecting and intercepting the 4 information, Facebook process it, analyzes it, and assimilates it into relevant datasets. Id. ¶ 35. 5 Similarly, Google uses the data to personalize content ads on Google and partners’ sites. Id. ¶ 42. 6 Finally, she alleges that after scheduling an appointment for her COVID-19 vaccine, Plaintiff 7 received advertisements relating to COVID-19 vaccination. Id. ¶ 7. These allegations are 8 sufficient. 9 Carbon Health’s motion to dismiss is denied with respect to Plaintiff’s CMIA claim. 10 C. California Invasion of Privacy Claim 11 To maintain a constitutional invasion of privacy claim, a plaintiff must allege: (1) a 12 specific, protected privacy interest; (2) a reasonable expectation of privacy; and (3) a “sufficiently 13 serious” invasion of the privacy interest such that it “constitute[s] an egregious breach of the social 14 norms underlying the privacy right.” Hill v. Nat’l Collegiate Athletic Ass’n, 7 Cal. 4th 1, 35–37 15 (Cal. 1994). Carbon Health argues that Plaintiff fails to plausibly allege any of these elements. 16 ECF No. 19 at 21–23. 17 1. Protected Privacy Interest 18 “Legally recognized privacy interests are generally of two classes: (1) interests in 19 precluding the dissemination or misuse of sensitive and confidential information (‘informational 20 privacy’); and (2) interests in making intimate personal decisions or conducting personal activities 21 without observation, intrusion, or interference (‘autonomy privacy’).” Hill, 7 Cal.4th at 35. “It is 22 well-settled under California law that, although not absolute, people have a privacy interest in their 23 ‘medical history and information.’” Ojeda v. Kaiser Permanente Int’l., Inc., 2022 WL 18228249, 24 at *6 (C.D. Cal. Nov. 29, 2022). “Medical patients’ privacy interests . . . may include descriptions 25 of symptoms, family history, diagnoses, test results, and other intimate details concerning 26 treatment.” Grafilo v. Wolfsohn, 33 Cal. App. 5th 1024, 1034 (Cal. Ct. App. 2019) (internal 27 quotation marks and citations omitted). Because Plaintiff plausibly alleges Carbon Health’s 1 described, she sufficiently pleads a protected privacy interest. 2 2. Reasonable Expectation of Privacy 3 “The extent of [a privacy] interest is not independent of the circumstances.” Hill, 7 Cal. 4 4th at 36 (internal citation omitted). “Even when a legally cognizable privacy interest is present, 5 other factors may affect a person’s reasonable expectation of privacy.” Id. Defendant argues that 6 “Plaintiff provides little support, facts, or further contentions as to why [her] expectation of 7 privacy is reasonable,” especially when there is “no reasonable expectation of privacy in many 8 standard internet transmissions.” ECF No. 19 at 21–22. 9 The Court finds inapt Defendant’s attempts to characterize communications with Carbon 10 Health’s website as “standard internet transmissions” and Plaintiff’s personal health information 11 as “general information.” ECF No. 19 at 22. Plaintiffs have “an objectively reasonable 12 expectation that their communications with their medical providers [are] confidential based on the 13 laws and regulations protecting the confidentiality of medical information.” In re Meta Pixel 14 Healthcare Litig., 647 F. Supp. 3d at 800. As Plaintiff alleges, “[p]atients can book appointments 15 with Carbon Health medical providers to access medical care and manage their treatment or 16 diagnosis of medical conditions through” the Carbon Website. ECF No. 1 ¶ 11. These include 17 “patient communications concerning reasons for the appointments they are booking.” Id. ¶ 51. 18 Thus, these are communications that Plaintiff can reasonably expect will remain confidential 19 regardless of Defendant’s label. See Dietrick v. Securitas Sec. Servs. USA, Inc., 50 F. Supp. 3d 20 1265, 1276 (N.D. Cal. 2014) (recalling Abraham Lincoln’s aphorism that “calling a tail a leg 21 doesn’t make it one” (citation omitted)). 22 Smith v. Facebook, Inc., cited by Carbon Health, is inapposite. In Smith, at issue was 23 Facebook’s tracking visits to websites that publish general and publicly available information 24 about medical conditions, such as http://www.cancer.net/. 262 F. Supp. 3d at 947–948. The Smith 25 court found that the web pages at issue “contain[ed] general health information that is accessible 26 to the public at large. . . . Nothing about the URLs, or the content of the pages located at those 27 URLs, relates ‘to the past, present, or future physical or mental health or condition of an 1 to appointments the Plaintiff made, and the transmitted URLs contain information regarding the 2 specific symptoms, physical condition, or course of treatment of an individual. ECF No. 1 ¶¶ 56, 3 68. The pleadings here are sufficient to support a reasonable expectation of privacy. 4 3. Highly Offensive 5 “Actionable invasions of privacy must be sufficiently serious in their nature, scope, and 6 actual or potential impact to constitute an egregious breach of the social norms underlying the 7 privacy right.” Hill, 7 Cal. 4th at 37. When determining whether an invasion is “highly 8 offensive,” courts consider “the degree and setting of the intrusion,” as well as “the intruder’s 9 motives and objectives.” Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 287 (Cal. 2009). Given 10 the factually intensive nature of the inquiry, “[c]ourts are generally hesitant to decide claims of 11 this nature at the pleading stage.” In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 799. 12 Only if the allegations “show no reasonable expectation of privacy or an insubstantial impact on 13 privacy interests” can the “question of [a serious or highly offensive] invasion [] be adjudicated as 14 a matter of law.” Hill, 7 Cal. 4th at 40. 15 Plaintiff contends that there are two reasons why the disclosure here is “highly offensive.” 16 First, she alleges that Carbon Health “states in its Privacy Policy that it ‘will not use Protected 17 Health Information for any purpose that is not defined in [its] HIPAA Privacy Practices, including 18 advertising or marketing purposes, without [patients’] consent.” ECF No. 1 ¶ 71; see also ECF 19 No. 25 at 29. But, notwithstanding this pledge, Plaintiff alleges that Carbon Health fails to obtain 20 its patients’ authorization for the disclosure of medical information to Facebook and Google, 21 among others, for marketing purposes. Id. ¶¶ 112, 119–120. This court joins a colleague court in 22 finding that a defendant’s representations that sensitive information would not be disclosed is 23 relevant to whether the disclosure was highly offensive. See Rodriguez v. Google LLC, 2021 WL 24 2026726, at *8 (N.D. Cal. May 21, 2021). 25 Second, Plaintiff contends that the disclosure here is highly offensive because it involves 26 Plaintiff’s medical information. This Court agrees with other courts that “have refused to dismiss 27 invasion of privacy claims at the motion to dismiss stage where, as here, a data breach involved 1 “egregious breach of the social norms” that is “highly offensive.” In re Ambry Genetics Data 2 Breach Litig., 567 F. Supp. 3d 1130, 1143 (C.D. Cal. 2021) (quoting Stasi v. Inmediata Health 3 Grp. Corp., 501 F. Supp. 3d 898, 926 (S.D. Cal. 2020); see also Doe v. Beard, 63 F. Supp. 3d 4 1159, 1170 (C.D. Cal. 2014) (denying motion to dismiss where plaintiff’s HIV-positive status was 5 disclosed). 6 Defendant argues that where the disclosed medical information consists solely of a 7 COVID-19 vaccination appointment, disclosure cannot be highly offensive, citing Ojeda v. Kaiser 8 Permanente Int’l, Inc., No. EDCV 22-1057-MWF (GJS), 2022 WL 18228249, at *7 (C.D. Cal. 9 Nov. 29, 2022). Ojeda does not foreclose Plaintiff’s claim. First, Plaintiff alleges disclosure of 10 more than just a COVID-19 vaccination appointment. See ECF No. 1 ¶ 70 (“Plaintiff used 11 Defendant’s Website to book COVID-19 vaccine appointments and an urgent care appointment.”). 12 Second, Ojeda did not decide that disclosure of a COVID-19 appointment could never be highly 13 offensive, only that plaintiff in that case had failed to allege “any of the circumstances around the 14 disclosure” and that the court could not determine whether plaintiff had alleged “an egregious 15 breach of social norms” “without these details.” 2022 WL 18228249, at *7 (emphasis added). 16 Here, plaintiff alleges that Defendant implemented a system that surreptitiously allowed third 17 parties, including Facebook and Google, to track, record, and intercept Plaintiff’s and other online 18 patients’ confidential communications, personally identifiable information, and PHI, and use that 19 information for marketing and other purposes. ECF No. 1 ¶¶ 72, 112. At this stage of the 20 litigation, that is sufficient to allege that Defendant’s conduct was highly offensive. The Court 21 therefore denies Defendant’s motion on this basis. 22 CONCLUSION 23 The Court grants Carbon Health’s motion to dismiss with respect to clause one of Section 24 631(a). The Court grants Carbon Health’s motion to dismiss with respect to clauses two, three and 25 four of Section 631(a) with respect to Plaintiff’s allegations regarding Google Pixel and denies the 26 motion with respect to Plaintiff’s allegations regarding Facebook Pixel. The Court denies Carbon 27 Health’s motion to dismiss under the CMIA and the California Constitution. 1 of this order amended solely to cure the deficiencies identified by this order. If no timely amended 2 || complaint is filed, the case will proceed only as to the claims that were not dismissed. 3 IT IS SO ORDERED.
4 Dated: October 1, 2024 ° JON S. TIGAR 6 nited States District Judge 7 8 9 10 11 12
© 15 16
= 17
Z 18 19 20 21 22 23 24 25 26 27 28