UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF CALIFORNIA

VICKI STASI, SHANE WHITE, and CRYSTAL GARCIA, individually and on behalf of all others similarly situated, Plaintiffs,
v.
INMEDIATA HEALTH GROUP CORP., Defendant.

Case No.: 19cv2353 JM (LL)

ORDER GRANTING DEFENDANT’S MOTION TO DISMISS

Defendant Inmediata Health Group Corp. (“Inmediata”) moves to dismiss this putative class action brought by Plaintiffs Vicki Stasi, Shane White, and Crystal Garcia (“Plaintiffs”) under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). The motion has been briefed and the court finds it suitable for submission without oral argument in accordance with Civil Local Rule 7.1(d)(1). For the below reasons, Inmediata’s motion to dismiss under Rule 12(b)(1) is GRANTED.

I. BACKGROUND

In their Complaint, Plaintiffs allege that in January of 2019, Inmediata learned it was experiencing a large “data security incident” resulting in the exposure of “personal information” of over 1.5 million “affected individuals.” (Compl. ¶ 1.) Inmediata provides software and service solutions to healthcare providers. (Id. ¶ 11.) The affected individuals’ data was viewable online and downloadable. (Id. at ¶ 2.) “[D]ue to a webpage setting that permitted search engines to index internal webpages that Inmediata use[d] for business operations,” the affected individuals’ information “was also searchable, findable, viewable, and downloadable by anyone with access to an internet search engine[.]” (Id.) The affected individuals’ data exposed included “the types of information that federal and state law requires companies to take security measures to protect: names, addresses, [s]ocial [s]ecurity numbers, dates of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physicians.” (Id. at ¶ 3.)

By letter dated April 22, 2019, Inmediata notified Plaintiffs “of a data security incident that may have resulted in the potential disclosure of your personal and medical information.” (Id. ¶¶ 4-6; Doc. No. 1-2 at 2.) On April 24, 2019, Inmediata issued a press release regarding the incident. (Compl. ¶ 14.)
Inmediata also filed sample “notice of data security incident” letters with various state attorneys general that mirrored the language of the letters sent to Plaintiffs. (Id. ¶ 15.) The letters stated that “[i]n January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website we use for our business operations.” (Id. ¶ 16.) The letters also stated that “information potentially impacted by this incident may have included your name, address, date of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physician.” (Id. ¶ 17.) Inmediata offered to provide identity monitoring services, but only to those who had their social security numbers disclosed. (Id. ¶ 20.)

On December 9, 2019, Plaintiffs filed a putative nationwide class action containing claims for negligence, negligence per se, breach of contract, violation of California’s Confidentiality of Medical Information Act, CAL. CIV. CODE §§ 56-56.37, and the Minnesota Health Records Act, MINN. STAT. ANN. §§ 144.291-144.34. Plaintiffs bring the action on behalf of themselves and “[a]ll persons . . . . whose [p]ersonal [i]nformation was compromised as a result of the Inmediata Data Security Incident announced by Inmediata on or around April 24, 2019.” (Compl. ¶¶ 40-41.)

II. LEGAL STANDARDS

Federal Rule of Civil Procedure 12(b)(1) allows a party to move for dismissal of an action based on lack of subject-matter jurisdiction. “Dismissal for lack of subject matter jurisdiction is appropriate if the complaint, considered in its entirety, on its face fails to allege facts sufficient to establish subject matter jurisdiction.” In re Dynamic Random Access Memory Antitrust Litig., 546 F.3d 981, 984-85 (9th Cir.
2008) (citation omitted). The plaintiff bears the burden of establishing that subject matter jurisdiction exists. U.S. v. Orr Water Ditch Co., 600 F.3d 1152, 1157 (9th Cir. 2010). If the court finds that it lacks subject matter jurisdiction at any time, it must dismiss the action. Fed. R. Civ. P. 12(h)(3).

A party challenging jurisdiction under Rule 12(b)(1) may do so either on the face of the pleadings or by presenting extrinsic evidence. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000) (“Rule 12(b)(1) jurisdictional attacks can be either facial or factual”). In a facial attack, the court accepts the allegations in the complaint as true and draws all reasonable inferences in the plaintiff’s favor. Wolfe v. Strankman, 392 F.3d 358, 362 (9th Cir. 2004). In a factual attack, the court need not presume the truthfulness of the plaintiff’s allegations, and the court may look beyond the complaint without having to convert the motion into one for summary judgment. White, 227 F.3d at 1242 (citation omitted); see also Thornhill Pub. Co., Inc. v. Gen. Tel. & Elec.’s Corp., 594 F.2d 730, 733 (9th Cir. 1979) (“[N]o presumptive truthfulness attaches to plaintiff’s allegations, and the existence of disputed material facts will not preclude the trial court from evaluating for itself the merits of jurisdictional claims.”) (internal quotation marks and citation omitted).

III. DISCUSSION

The parties dispute whether Plaintiffs have Article III standing based on the potential disclosure of some of their personal and medical information on the internet. “A suit brought by a plaintiff without Article III standing is not a ‘case or controversy,’ and an Article III federal court therefore lacks subject matter jurisdiction over the suit.” Cetacean Cmty. v. Bush, 386 F.3d 1169, 1174 (9th Cir. 2004) (citation omitted).
To show standing, Plaintiffs must establish: (1) they suffered an injury in fact, i.e., an invasion of a legally protected interest which is concrete and particularized, and actual or imminent, not conjectural or hypothetical; (2) a causal connection by proving that their injury is fairly traceable to the challenged conduct; and (3) their injuries will likely be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992); Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1121-22 (9th Cir. 2010).

Plaintiffs, invoking federal jurisdiction, bear the burden of establishing actual or imminent injury. Lujan, 504 U.S. at 561; see also City of Los Angeles v. Lyons, 461 U.S. 95, 101 (1983) (“[T]hose who seek to invoke the jurisdiction of the federal courts must satisfy the threshold requirement imposed by Article III of the Constitution by alleging an actual case or controversy.”). Plaintiffs can meet this burden by putting forth “the manner and degree of evidence required at the successive stages of the litigation.” Lujan, 504 U.S. at 561. At the motion to dismiss stage, standing is demonstrated through allegations of “specific facts plausibly explaining” that standing requirements are met. Barnum Timber Co. v. Envtl. Prot. Agency, 633 F.3d 894, 899 (9th Cir. 2011). “That a suit may be a class action . . . . adds nothing to the question of standing.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 n.6 (2016) (internal quotation marks and citation omitted). “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O’Shea v. Littleton, 414 U.S. 488, 494 (1974) (citations omitted).

The parties’ threshold dispute is whether Plaintiffs have adequately alleged an injury in fact.
Clearly, at this juncture, the prevailing theme of Plaintiffs’ alleged concrete, particularized, and actual or imminent injury is anticipated financial loss, either through identity theft or other fraud. In their Complaint, Plaintiffs allege they suffered an injury in fact because they are “subject to continued, future risk of identity theft, fraudulent charges and other damages.” (Compl. ¶ 21.) Inmediata argues that Plaintiffs have not adequately alleged a risk of future identity theft that is imminent or certainly impending because Plaintiffs do not allege that their specific “electronic health information” was accessed or viewed by an unauthorized person, used to commit identity theft, or that there is any factual basis to assume that harm would ever occur. (Mot. 13-15.) Inmediata also points out that it has been over a year since its “errant web page setting.” (Id. at 13.) Plaintiffs respond by arguing that under Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018), cert. denied sub nom. Zappos.com, Inc. v. Stevens, 139 S. Ct. 1373 (2019), the risk of future identity theft based on the exposure of their personal information is sufficient to establish an injury in fact. (Opp. 12.)

A. Caselaw

In Krottner, a laptop was stolen from Starbucks Corporation that contained the names, addresses, and social security numbers of approximately 97,000 employees. 628 F.3d at 1140. The plaintiffs alleged they were injured based on the increased risk of future identity theft, and as a result, enrolled themselves in credit monitoring services (even though Starbucks provided those services at no cost to affected employees). Id. at 1142. One of the plaintiffs also alleged that someone attempted to open a bank account in his name, but the bank closed the account before he suffered any loss. Id.
The court found the plaintiffs sufficiently alleged an injury in fact based on “a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.” Id. at 1143. However, the court warned that “[w]ere [the plaintiffs’] allegations more conjectural or hypothetical – for example, if no laptop had been stolen, and [p]laintiffs had sued based on the risk that it would be stolen at some point in the future – we would find the threat far less credible.” Id.

After Krottner, in Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013), the Supreme Court emphasized the strictness of the standard for finding an injury in fact based on a threatened future injury. Clapper involved a constitutional challenge to a portion of the Foreign Intelligence Surveillance Act authorizing surveillance of communications with certain foreign persons. Id. at 404. Upon the law’s enactment, attorneys, human rights workers, and journalists claimed they were injured because the government would likely acquire their communications under the statute’s authority at some point in the future. Id. at 407. The petitioners also argued the risk was so substantial they were forced to take costly and burdensome measures to protect the confidentiality of their international communications. Id. The Court stressed that, in order to confer standing, threatened injuries must be “certainly impending” and not “too speculative” or merely “possible.” Id. at 409.

The Court found the threatened injury based on the potential interception of plaintiffs’ communications was not fairly traceable to the challenged statute because the injury was not certainly impending. Id. at 410.
The Court found the threatened injury to be “highly speculative” and based on a “highly attenuated chain of possibilities,” including that the government would intercept the communications of the particular petitioners under the challenged statute instead of another source of authority.[1] Id. In reaching its decision, the Court rejected the argument that the petitioners were required to assume their communications would be intercepted. Id. at 411. The Court stated, “[w]e decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors.” Id. at 414. Regarding the costly protective measures allegedly taken by the petitioners, the Court stated, “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Id. at 416; see also id. at 417 (“[T]he costs that they have incurred to avoid surveillance are simply the product of their fear of surveillance . . . . [and] such a fear is insufficient to create standing.”). The Court acknowledged, however, that “[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about,” and “[i]n some instances, we have found standing based on a “substantial risk” that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Id. at 414 n.5 (citations omitted).

[1] The full “chain of possibilities” the Court found must occur in order for the petitioners to suffer their alleged injury was described as follows:

(1) the Government will decide to target the communications of non-U.S. persons with whom they communicate; (2) in doing so, the Government will choose to invoke its authority under [the challenged statute] rather than utilizing another method of surveillance; (3) the Article III judges who serve on the Foreign Intelligence Surveillance Court will conclude that the Government’s proposed surveillance procedures satisfy [the challenged statute’s] many safeguards and are consistent with the Fourth Amendment; (4) the Government will succeed in intercepting the communications of respondents’ contacts; and (5) [the] respondents will be parties to the particular communications that the Government intercepts.

Lastly, in Zappos, 888 F.3d at 1026, the Ninth Circuit held that Krottner was not clearly irreconcilable with Clapper, and thus Krottner remained good law, because: (1) the plaintiffs’ alleged injury in Krottner did not require a “speculative multi-link chain of inferences;” (2) the Krottner laptop thief had all the information he needed to open accounts or spend money in the plaintiffs’ names; (3) Clapper’s standing analysis was “especially rigorous” because, unlike Krottner, the case implicated national security and separation of powers issues; and (4) Clapper recognized the “substantial risk” of injury standard, and in Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014), the Supreme Court “reemphasized” that an allegation of future injury may suffice if the threatened injury is certainly impending, or if there is a substantial risk the harm will occur.[2] See also Antman v. Uber Techs., Inc., No. 3:15-CV-01175-LB, 2015 WL 6123054, at *10 (N.D. Cal. Oct. 19, 2015) (“The court thinks that a credible threat of immediate identity theft based on stolen data is sufficiently different than the speculative harm articulated in Clapper.”); Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *2 (C.D. Cal.
June 15, 2015) (“While the Court [in Clapper] found no standing based on the facts before it, despite the slight difference in wording, the injury-in-fact standard remained unchanged.”).

[2] The court also noted that two other circuit courts since Clapper found that theft of

In Zappos, hackers breached the servers of an online retailer and allegedly stole the names, account numbers, passwords, e-mail addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million customers. 888 F.3d at 1023. The court found the plaintiffs sufficiently alleged an injury in fact based on the substantial risk the hackers would commit identity theft. Id. at 1029. Regarding Krottner, the court stated it was “the sensitivity of the personal information, combined with its theft, [that] led us to conclude that the plaintiffs had adequately alleged an injury in fact supporting standing.” Id. Even though the stolen information in Zappos did not include social security numbers, the court found the “sensitivity of the stolen data in this case is sufficiently similar to that in Krottner to require the same conclusion here.” Id. at 1027.
The court reasoned that: (1) the plaintiffs alleged their information could be used to commit identity theft, as well as “phishing” and “pharming,” which are ways for hackers to get even more information; (2) the stolen information allegedly included credit card numbers, and Congress has treated credit card numbers as sufficiently sensitive to warrant legislation prohibiting merchants from printing the numbers on receipts; (3) by urging affected customers to change their passwords on any other account for which they may have used the same or a similar password, Zappos acknowledged the information taken could be used to commit identity theft; (4) other plaintiffs, who were not parties to the appeal because the district court ruled they had standing, alleged that the hackers had already commandeered their accounts or identities, and that they suffered financial losses; (5) two of the plaintiffs alleged the hackers took over their e-mail accounts and sent advertisements to people in their address books; and (6) even though months passed since the breach without harm, the plaintiffs alleged it could take years for victims of the breach to experience identity theft, or to find out they were victims. Id. at 1027-28.

B. Threat of Identity Theft

Plaintiffs are correct that under Krottner and Zappos the threat of identity theft can constitute an injury in fact, even if identity theft has not yet occurred. Krottner, 628 F.3d at 1140; Zappos, 888 F.3d at 1029. However, the type of information that was allegedly exposed here, and the resulting risk of identity theft, does not rise to the level the court found sufficient in Krottner and Zappos, and is not, as Plaintiffs claim, “enough to enable any crook to steal the identities of Plaintiffs and putative class members.” (Opp. 12.) For several reasons, Krottner and Zappos are distinguishable and do not establish Plaintiffs’ injury in fact.

1. Social Security Numbers

At the outset, Krottner and Zappos are distinguishable because Plaintiffs do not allege their social security numbers were included in the information that was potentially exposed on the internet.[3] Although Plaintiffs allege that “affected individuals” had their social security numbers exposed, a careful reading of the Complaint reveals that Plaintiffs do not actually allege that their social security numbers were exposed. See Spokeo, 136 S. Ct. at 1547 n.6 (“[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.”) (internal quotation marks and citation omitted). Instead, Plaintiffs allege that the “affected individuals’ data” that was exposed included “the types of information that federal and state law requires companies to take security measures to protect,” including social security numbers. (Compl. ¶ 3 (emphasis added).) Plaintiffs also define “personal information” to include social security numbers, and allege that they received letters from Inmediata “informing [them] that [their] [p]ersonal [i]nformation may have been compromised.” (Id. ¶¶ 4-6.) Plaintiffs do not, however, attach to their Complaint copies of the actual letters they received. Rather, they attach “[t]he California sample letters,” which consist of two different letters, that “mirrored” the language of the letters they received. (Id. ¶ 15.) Only one of the two attached sample letters, however, states that social security numbers may have been compromised. Notably, the first letter states that “neither your Social Security number nor your financial information is involved in this incident.” (Doc. No. 1-2 at 2.) The second letter states that social security numbers, but not financial information, may have been involved. (Id. at 4.) The second letter also offers identity monitoring services for one year at no cost. (Id.) Here, Plaintiffs do not allege they received the second letter, or that they were offered free identity monitoring services. Instead, Plaintiffs admit the letter they received contained the language in the first letter, (see Compl. ¶ 17),[4] which specifically informed them that neither their social security numbers, nor their financial information, were exposed, (Doc. No. 1-2 at 2).[5]

[3] Neither do Plaintiffs allege the potentially exposed information included their account numbers, passwords, e-mail addresses, billing and shipping addresses, telephone numbers, full credit card numbers, or credit and debit card information, as was the case in Zappos.

[4] Paragraph 17 of the Complaint states in full: “[t]he notice further explained that ‘information potentially impacted by this incident may have included your name, address, date of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physician.’” (Compl. ¶ 17.)

[5] In their Complaint, Plaintiffs include multiple factual allegations regarding the potential harm resulting from the theft of social security numbers. (Compl. ¶¶ 29-36.) Also, in their opposition to the instant motion, Plaintiffs allege “their” social security numbers were exposed. (See Opp. 12 (“Plaintiffs allege [in the third paragraph of their Complaint] that Inmediata exposed their [p]ersonal [i]nformation . . . . which included [s]ocial [s]ecurity numbers[.]”) It is therefore unclear whether Plaintiffs’ Complaint was artfully worded to suggest, without specifically alleging, that Plaintiffs’ social security numbers were exposed, or whether Plaintiffs meant to allege that their social security numbers were exposed, but nonetheless failed to do so. Regardless, Plaintiffs’ Complaint simply does not include an allegation that Plaintiffs’ individual social security numbers were exposed. The court will not presume the omission of a potentially important and easily made factual allegation was inadvertent, nor will it presume that reading the Complaint to include an

Furthermore, the Complaint indicates that Plaintiffs’ knowledge about the specific information that was exposed is based primarily, if not entirely, on the information contained in Inmediata’s letter informing them of the “data security incident.” (Compl. ¶¶ 4-6, 15-20.) Although Inmediata’s letter acknowledges that “some of its member patients’ electronic patient health information was publicly available online,” the letter does not specify the information that was exposed. (Doc. No. 1-2 at 2.) The letter merely states that the “potentially impacted” information “may” have included names, addresses, dates of birth, gender, and medical claims information. (Id.) The only specificity the letter provides regarding the information that was exposed is that social security numbers and financial information were not involved. (Id.)

Finally, Plaintiffs do not actually allege that their names, addresses, dates of birth, gender, and medical claims information were exposed.
Plaintiffs merely state, as they did with respect to their social security numbers, that “affected individuals” had their “data” exposed, which included the “types” of information companies are required by law to protect, such as names, addresses, dates of birth, gender, and medical claims information. (Compl. ¶ 3.) Even if Plaintiffs had alleged their individual names, addresses, dates of birth, gender, and medical claims information were exposed, Plaintiffs do not allege, and cite no caselaw supporting, this information is of the type “needed to open accounts or spend money in the plaintiffs’ names.”[6] See Zappos, 888 F.3d at 1026; see also Ables v. Brooks Bros. Grp., Case No. CV 17-4309-DMG (Ex), 2018 WL 8806667, at *5 (C.D. Cal. June 7, 2018) (“Assuming, without deciding, that a third party intends to commit identity theft using [the plaintiff’s] compromised [personal information], [the plaintiff] still has not made allegations that give rise to the reasonable inference that the stolen [personal information] is sufficient to actually commit identity theft.”). The laptop thief in Krottner stole unencrypted names, addresses, and social security numbers, 628 F.3d at 1140, and the Zappos hackers obtained names, account numbers, passwords, e-mail addresses, billing and shipping addresses, telephone numbers, full credit card numbers, and unspecified credit and debit card information, 888 F.3d at 1023. Plaintiffs’ current allegations are simply too general, opaque, and untethered to Plaintiffs’ particular circumstances to properly analyze whether the Krottner/Zappos standard has been met. Without alleging that their social security numbers were stolen, or in the alternative, information tantamount to their account numbers, passwords, billing addresses, phone numbers, and credit and debit card information was hacked, Plaintiffs cannot rely on Krottner or Zappos to establish an injury in fact based on the future threat of identity theft. District courts examining whether data breaches that did not involve these specific types of information have found a lack of standing. See In re Uber Techs., Inc., Data Sec. Breach Litig., CV 18-2970 PSG (GJSx), 2019 WL 6522843, at *4 (C.D. Cal. Aug. 19, 2019) (“Plaintiff fails to explain how gaining access to one’s basic contact information and driver’s license number creates a credible threat of fraud or identity theft.”); Jackson v. Loews Hotels, Inc., Case No. ED CV 18-827-DMG (JCx), 2019 WL 6721637, at *3 (C.D. Cal. July 24, 2019) (theft of name, e-mail address, phone number, and mailing address, but not social security number, account number, or account password, does not suggest that hackers obtained any information that would allow them to assume the plaintiff’s identity or access any of her accounts); Brett v. Brooks Bros. Grp., Case No. CV 17-4309-DMG (Ex), 2018 WL 8806668, at *3 (C.D. Cal. Sept. 6, 2018) (hackers’ theft of names, credit and debit card numbers (along with card expiration dates and verification codes), and possibly the store zip codes where the plaintiffs made purchases, as well as the times of purchase, “does not rise to the level of sensitivity of the information in Krottner and Zappos”); Dugas v. Starwood Hotels & Resorts Worldwide, Inc., Case No.: 3:16-cv-00014-GPC-BLM, 2016 WL 6523428, at *5 (S.D. Cal. Nov. 3, 2016) (theft of names, addresses, billing information, and credit card numbers, was insufficient for standing under Krottner because it did not include social security numbers, usernames, passwords, or e-mails); Antman, 2015 WL 6123054, at *11 (“[The plaintiff’s] allegations are not sufficient because his complaint alleges only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”); see also Antman v. Uber Techs., Inc., Case No. 15-cv-01175-LB, 2018 WL 2151231, at *10 (N.D. Cal. May 10, 2018) (Antman II) (theft of Uber drivers’ names and driver’s license numbers, combined with bank account and routing numbers, “does not change the court’s conclusion that the disclosed information does not plausibly amount to a credible threat of identity theft that risks real, immediate injury”). Accordingly, Plaintiffs’ failure to allege that the exposed information included their social security numbers, or similarly sensitive financial or account information as identified in Zappos, leaves Plaintiffs short of what is required by Krottner and Zappos.[7]

[6] Some district courts have found that theft of detailed personal information collected by Facebook, which does not include social security numbers or credit card information, can nonetheless “g[i]ve hackers the means to commit further fraud or identity theft.” See, e.g., Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1034 (N.D. Cal. 2019) (alleging theft of plaintiff’s name, e-mail address, telephone number, date of birth, locations, work and education history, hometown, relationship status, and photographs). Although, in Bass, the plaintiff “personally” alleged this information was stolen, and that he received extensive “phishing” e-mails and text messages since the theft. Id. (“Between the hacking and the phishing, plaintiff . . . . has plausibly shown risk of further fraud and identity theft.”); see also Adkins v. Facebook, Inc., No. C 18-05982-WHA, 2019 WL 7212315, at *1 (N.D. Cal. Nov. 26, 2019); In re Facebook, Inc., Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 786 (N.D. Cal. 2019). Additionally, one district court found, without citing Krottner, that theft of the plaintiffs’ personal information, including social security numbers and medical information, did not constitute an injury in fact even where the plaintiffs alleged that various unsuccessful attempts to steal their identity occurred. See
19 7 Because Plaintiffs do not allege in their Complaint that their social security numbers were 20 included in the exposed information, the court need not resolve the parties’ dispute as to 21 whether the court can consider a declaration from Inmediata stating that social security numbers were not included in the exposed information. (See Doc. No. 6-2.) Accordingly, 22 because the court’s decision here does not depend, even in part, on Inmediata’s declaration, 23 Plaintiffs’ evidentiary objection to the declaration, (Doc. No. 11-1), is OVERRULED as moot at this point. The court’s decision also does not turn, even in part, on Inmediata’s 24 factual attack on the pleadings, which would only add to Plaintiffs’ burden of proof. See 25 Savage v. Glendale Union High Sch., 343 F.3d 1036, 1039-40 n.2 (9th Cir. 2003) (“Once the moving party has converted the motion to dismiss into a factual motion by presenting 26 affidavits or other evidence properly brought before the court, the party opposing the 27 motion must furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction.”); Foster v. Essex Prop. Tr., Inc., Case No. 5:14- 28 1 2. Theft 2 The instant case is also distinguishable from Krottner and Zappos because Plaintiffs 3 do not allege their information was stolen or hacked. Plaintiffs’ allegation that their 4 information was temporarily accessible via the internet, but not necessarily copied or even 5 viewed by a potential identity thief, implicates the warning in Krottner that if a plaintiff 6 were to allege that no information was actually stolen, but nonetheless sued “based on the 7 risk that it would be stolen at some point in the future,” the court would find the threat “far 8 less credible.” 628 F.3d at 1143. 
As the Zappos court explained, it was “the sensitivity of 9 the personal information, combined with its theft, [that] led us to conclude [in Krottner] 10 that the plaintiffs had adequately alleged an injury in fact supporting standing.” 888 F.3d 11 at 1027 (emphasis added). 12 District courts have also recognized the importance of the element of theft in data 13 breach cases to support an injury in fact based on a future risk of identity theft. In Whitaker 14 v. Health Net of California, Inc., No. CIV S-11-0910 KJM-DAD, 2012 WL 174961, at *1 15 (E.D. Cal. Jan. 20, 2012), which was decided before Zappos, computer server drives 16 containing the plaintiffs’ “personal and medical information” were “lost.” In finding that 17 Krottner did not control, the court rejected the plaintiffs’ argument that loss was equivalent 18 to theft. Id. at *2. The court found the plaintiffs did not have standing because they did 19 not explain how the loss of their information actually harmed them or threatened to harm 20 them, or that third parties accessed their information. Id. In Khan v. Children’s Nat’l 21 Health Sys., 188 F. Supp. 3d 524, 532 (D. Md. 2016), the court surveyed cases and 22 concluded that, in the data breach context, plaintiffs adequately allege an injury in fact 23
for not responding to a facial attack by attaching affidavits or other evidence to their opposition brief). Even under the more favorable facial attack standard, Plaintiffs have not met their burden. Also, based on the absence of a material dispute regarding social security numbers, as well as the multiple grounds for the court’s decision, the jurisdictional issue here is not, at this stage, so intertwined with the substantive claims to warrant jurisdictional

arising from increased risk of identity theft only by showing “(1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.” Even in Krottner and Zappos, which held that misuse of information is not necessarily required for standing, there was still some indication of actual misuse that is absent from the instant case. See Krottner, 628 F.3d at 1142 (noting that one of the plaintiffs alleged that someone attempted to open a bank account in his name); Zappos, 888 F.3d at 1027-28 (noting that some non-parties had their accounts commandeered and suffered financial losses, and that two plaintiffs had their e-mail accounts taken over).

Additionally, although Inmediata’s letter acknowledges that “some of its member patients’ electronic patient health information was publicly available online,” the letter also states that Inmediata had “no evidence that any files were copied or saved,” and that Inmediata had “not discovered any evidence that any information that may be involved in this incident has been misused.” (Doc. No. 1-2 at 2.)
Plaintiffs cite no case in which a court has found the temporary accessibility of personal information on the internet, or anywhere else, without any evidence that it was taken or viewed by a bad actor, constitutes a sufficient injury in fact. As was the case in Clapper, finding harm here requires finding the substantial risk or impending certainty of an attenuated chain of events, i.e. that during the unspecified period when the information of over 1.5 million individuals was viewable on the internet, a bad actor with the capability of using or selling the information for identity theft purposes, discovered the particular Plaintiffs’ information and took it so it could be used, at some point over a year later, to commit identity theft.

In the relatively few data breach cases that did not involve a confirmed theft or breach by hackers, courts have found that without a theft or hack, the exposure of personal information does not constitute an injury in fact. In re Facebook, 402 F. Supp. 3d at 784, for example, found plaintiffs inadequately alleged an injury in fact when Facebook made sensitive user information available to countless companies and individuals without preventing them from selling or otherwise misusing the information. The court stated, “this is not a case involving, say, hackers, and it is not a case about the theft of, say, social security or credit card numbers. Although the risk of identity theft is admittedly greater than if Facebook had not made the plaintiffs’ personal information available, the risk is too speculative to confer standing.” Id.; see also Rechnitz v. Transamerica Life Ins. Co., LACV 17-03970-VAP (AFMx), 2018 WL 6164267, at *5 (C.D. Cal.
July 18, 2018) (“Plaintiffs’ allegations [that an unauthorized beneficiary was added to their life insurance policy] do not give rise to the reasonable inference that their information has been stolen or in any way accessed by third parties.”); Foster, 2015 WL 7566811, at *3 (“Since [p]laintiffs have not shown, contrary to [d]efendants’ evidence, that any of their information was actually stolen, their theory of potential future harm is implausible.”).8

3. Medical Information

The instant case is also distinguishable from Krottner and Zappos because it involves medical information. Accordingly, in their Complaint, Plaintiffs bring claims for violation of the California Confidentiality of Medical Information Act (CMIA), CAL. CIV. CODE §§ 56-56.37, and the Minnesota Health Records Act (MHRA), MINN. STAT. ANN. §§ 144.29-144.34, both of which protect the confidentiality of medical information. A violation of a statute, even a procedural violation, can constitute a sufficiently concrete injury to establish an injury in fact. Spokeo, 136 S. Ct. at 1549. On multiple occasions, the Ninth Circuit has addressed whether an alleged statutory violation constitutes an injury in fact in cases involving privacy rights. See Patel v. Facebook, Inc., 932 F.3d 1264, 1273-74 (9th Cir. 2019) (plaintiff sufficiently alleged an injury in fact by alleging that
8 Plaintiffs’ supplemental citation to In re Facebook, Inc. Internet Tracking Litig., No. 17-17486, 2020 WL 1807978, *1 (9th Cir. Apr. 9, 2020) is unpersuasive because that case involved Facebook’s use of programs to track users’ web browsing, not whether the plaintiffs’ information was exposed to outside identity thieves. Additionally, the plaintiffs’ standing argument was based on statutory violations, not the risk of identity theft. Id. at

Facebook’s facial recognition technology violated an Illinois statute prohibiting the use of biometric identifiers), cert. denied, 140 S. Ct. 937 (2020); Bassett v. ABM Parking Servs., Inc., 883 F.3d 776, 782-83 (9th Cir. 2018) (plaintiff did not sufficiently allege a concrete injury by alleging that a parking garage displayed his unredacted credit card expiration date on his receipt in violation of the Fair Credit Reporting Act (FCRA) where the information was not seen by anyone else); Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037, 1041-43 (9th Cir. 2017) (plaintiff suffered an injury in fact when he received unauthorized text messages from a gym in alleged violation of the Telephone Consumer Protection Act); Robins v. Spokeo, Inc., 867 F.3d 1108, 1118 (9th Cir. 2017) (Spokeo II) (plaintiff established concrete injury by alleging that a website allowing users to obtain data on other people published incorrect information about him in violation of the FCRA).

While the lack of the theft of Plaintiffs’ social security numbers, credit card information, passwords, e-mail addresses, etc. cuts against the imminence of identity theft, the alleged exposure of Plaintiffs’ private medical information potentially supports the actuality and concreteness of an injury based on statutory law. Again, however, Plaintiffs do not argue or allege that their standing is based on a statutory violation.
To be sure, Plaintiffs allege that Inmediata breached multiple statutes and bring claims for violations of CMIA and MHRA, as well as negligence per se. (See Compl. ¶¶ 27 (alleging violations of federal regulations), 65-76 (alleging negligence per se based on CMIA and MHRA, as well as several federal statutes), 84-110 (alleging violations of CMIA and MHRA).) But, as discussed above and emphasized below, Plaintiffs’ theory of injury is risk of financial fraud, not of mere exposure of protected medical information in violation of statutory law. Moreover, Plaintiffs do not discuss the legislative history or intent regarding the various statutes they cite, which is a necessary step in determining whether standing exists based on the violation of a statute. See Spokeo, 136 S. Ct. at 1549 (“In determining whether an intangible harm constitutes injury in fact, both history and the judgment of Congress play important roles.”); Spokeo II, 867 F.3d at 1113 (“In evaluating . . . . harm, we . . . . ask: (1) whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete interests (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests”). Plaintiffs also do not discuss whether the alleged violations of CMIA and MHRA are substantive or procedural, which is also a relevant consideration. See Spokeo II, 867 F.3d at 1113; see also Bassett, 883 F.3d at 782-83. Although Inmediata concedes that CMIA provides a private cause of action, (Mot. 26), “Congress cannot erase Article III’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.” See Spokeo, 136 S. Ct. at 1549; Spokeo II, 867 F.3d at 1113.
Notably, nothing in Plaintiffs’ papers suggests their alleged injury is based on anything other than the increased risk of future harm due to financial fraud (including identity theft) as defined by Krottner and Zappos. For example, rather than alleging injury based on the exposure of their private medical information per se,9 they cite studies supporting the value of a “medical identity” and the cost of “medical identity theft.” (Compl. ¶¶ 35-36.) However, Plaintiffs cite no case, and the court is aware of none, involving the theft or hack of medical information that did not include social security numbers and/or financial information. See, e.g., Beck v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017) (theft and loss of medical information, including social security numbers, was insufficient to confer standing under Clapper based on the required chain of assumptions, including that thieves would successfully select the personal information belonging to the named plaintiffs, as opposed to one of the thousands of other affected persons); Khan, 188 F. Supp. 3d at 527. Plaintiffs do not explain what injurious acts, if any, an identity thief could commit with medical information that does not include the patient’s social security
9 Although Plaintiffs argue “[t]he disclosure of information to unauthorized persons, as proscribed by the state laws at issue and as confirmed by Inmediata, alone disposes of Inmediata’s contentions,” (Opp. 8), this argument is not used to support Plaintiffs’ standing, but rather to defend against Inmediata’s challenge under Rule 12(b)(6) to

number. Additionally, in a series of district court cases brought by prisoners based on the theft of a laptop of a correctional healthcare worker that allegedly contained the prisoners’ medical information, courts have uniformly found that the prisoners lacked standing because it was unknown, as it is unknown here, whether any of the prisoners’ sensitive information was ever “compromised.” See, e.g., Cassells v. McNeal, No. 2:15-cv-0313 KJM AC P, 2017 WL 1272482, at *6 (E.D. Cal. Jan. 27, 2017). Accordingly, Plaintiffs have not met, or even attempted to meet, their burden to establish standing based on the exposure of their “medical claim information including dates of service, diagnosis codes, procedure codes and treating physicians.” (Compl. ¶ 3.)

4. Other Factors

Finally, Zappos is distinguishable because it relied on several facts not present here, including that hackers commandeered some non-parties’ accounts and caused financial losses, hackers used one of the plaintiff’s e-mail accounts to send advertisements, and the plaintiffs alleged their stolen information could be used to conduct “phishing” and “pharming.” 888 F.3d at 1027-28. Although some of the reasoning upon which the court in Zappos relied could arguably apply to the instant case, Plaintiffs do not argue that it does. First, the court reasoned that the Zappos company “effectively acknowledged” that the plaintiffs were at risk of identity theft “by urging affected customers to change their passwords.” Id. at 1027.
Here, in contrast, Plaintiffs minimize the import of Inmediata’s letter urging them to “follow the recommendations included with this letter to protect your personal information,” such as reviewing account statements and placing fraud alerts on their credit reports. (Doc. No. 1-2 at 2-3.) Rather than consistently alleging that this constitutes an admission by Inmediata concerning the risk of identity theft, Plaintiffs concede that “all of these steps [recommended by Inmediata] are mandated generalities used by virtually every company when publishing alerts about data security breaches.” (See Compl. ¶ 20.) While Inmediata’s motive for notifying Plaintiffs of the potential exposure of their information is not contained in the record, its letter is consistent with California law regarding notice obligations in the event of a data breach. See CAL. CIV. CODE § 1798.82(d)(1). As recognized by the district court in Brett, interpreting Inmediata’s letter as an admission of imminent identity theft is problematic because “such an interpretation would require courts to conclude that a data breach’s mere occurrence establishes imminent risk of future harm, which is contrary to controlling Article III precedent, and it would perversely incentivize companies to provide vague or misleading disclaimers to customers affected by a data breach in an attempt to avoid litigation.” See 2018 WL 8806668, at *5.

Second, the Zappos court reasoned that stolen credit card information was as sensitive as social security numbers because “Congress has treated credit card numbers as sufficiently sensitive to warrant legislation prohibiting merchants from printing such numbers on receipts – specifically to reduce the risk of identity theft.” 888 F.3d at 1027. As previously discussed, Plaintiffs cite both state and federal statutes protecting the confidentiality of medical records.
They do not argue, however, that these statutes support their standing, or that the statutes were enacted to reduce the risk of identity theft. Accordingly, the reasoning in Zappos does not control the outcome of the instant standing challenge.

C. Time and Money

Two of the three named Plaintiffs also allege they suffered an injury in fact based on the time and money they spent protecting themselves from future identity theft. (Compl. ¶¶ 4, 6.) Ms. Stasi alleges she now engages in regular monitoring of her credit reports, credit cards, and bank accounts, and that she has spent twenty hours “attempting to determine how she is connected to Inmediata, how her information came into the possession of Inmediata, and trying to make sure she . . . . does not become victimized because of the Inmediata Data Security Incident.” (Id. ¶ 4.) Ms. Garcia alleges she “placed credit freezes on her credit reports with the three major U.S. consumer credit reporting agencies in order to detect potential identity theft and fraudulent activity,” and “now engages in monthly monitoring of her credit and her bank accounts.” (Id. ¶ 6.) Additionally, Ms. Garcia alleges she has “spent her own money and numerous hours addressing issues arising from the Inmediata Data Security Incident.”10 (Id.)

Citing Krottner and Zappos, Plaintiffs argue “[i]t is well established that mitigation expenses constitute an injury-in-fact when the risk of identity theft is real and imminent.” (Opp. 14.) As discussed above, however, under Krottner and Zappos, the risk of identity theft here is not imminent. In the cases cited by Plaintiffs, i.e. those finding that the time and money associated with protection against identity theft support standing, the courts all found the threat of identity theft to be imminent. See Bass, 394 F. Supp. 3d at 1035 (“Plaintiff . . . .
has established standing through the dual harms of increased risk of future harm and loss of time.”); In re Anthem, Inc. Data Breach Litig., Case No. 15-MD-02617-LHK, 2016 WL 3029783, at *26 (N.D. Cal. May 27, 2016) (denying motion to dismiss under Rule 12(b)(6) because time and money expended for credit monitoring in response to the “imminent” threat of identity theft constitutes recoverable damages); In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1217 (N.D. Cal. 2014) (“[I]n order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent.”).11

10 Mr. White, in contrast, merely alleges he spent two hours “attempting to determine how he is connected to Inmediata and how his information came into the possession of Inmediata.” (Compl. ¶ 5.) Plaintiffs cite no authority suggesting that time expended towards such an endeavor constitutes an injury in fact.

11 Plaintiffs also cite a case from the Seventh Circuit that did not directly address standing, but dealt with whether the plaintiffs had suffered damages under a Rule 12(b)(6) motion to dismiss. See Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (“To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if

Plaintiffs cite no case in which the expenditure of time or money to prevent future identity theft was sufficient in and of itself to support standing without a finding that the threat of identity theft was imminent. Courts addressing the issue have come to the opposite conclusion.
See Antman II, 2018 WL 2151231, at *10 (“Given this holding [that the threat of identity theft was not imminent] the mitigation expenses do not qualify as injury because the risk of identity theft must be real before mitigation can establish injury in fact.”); Antman, 2015 WL 6123054, at *11 (“[M]itigation expenses do not qualify as injury; the risk of identity theft must first be real and imminent, and not speculative, before mitigation costs establish injury in fact.”). Accordingly, for standing purposes, the risk of future identity theft, and the related mitigation costs, are injuries that rise and fall together. As the Supreme Court noted in Clapper, Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” 568 U.S. at 416.

IV. CONCLUSION

For the foregoing reasons, Inmediata’s Motion to Dismiss is GRANTED under Rule 12(b)(1) for lack of standing. The court declines to decide whether Plaintiffs’ claims must also be dismissed under Rule 12(b)(6). Plaintiffs’ request for leave to amend, (Opp. 26 29.17), is GRANTED. See Fed. R. Civ. P. 15(a) (leave to amend “should be freely granted when justice so requires”); Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) (“[T]he underlying purpose of Rule 15 . . . . [is] to facilitate decision on the merits, rather than on the pleadings or technicalities.”) (internal quotation marks omitted); Moss v. U.S. Secret Serv., 572 F.3d 962, 972 (9th Cir. 2009) (requests for leave should be granted with “extreme liberality”). Plaintiffs shall file their first amended complaint, should they choose to file one, within 14 days of the filing of this order. Inmediata’s response to the operative complaint is due within 21 days after the expiration of the Plaintiffs’ deadline to file their first amended complaint. See Fed. R. Civ. P.
15(a)(3).

IT IS SO ORDERED.

DATED: May 5, 2020

JEFFREY T. MILLER
United States District Judge