WO

IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF ARIZONA

Angela T Travis, et al.,
Plaintiffs,
v.
Assured Imaging LLC,
Defendant.

No. CV-20-00390-TUC-JCH

ORDER

Defendant Assured Imaging, LLC (“Defendant” or “Assured”) moves to dismiss Plaintiffs’ Amended Class Action Complaint. (Assured Imaging, LLC’s Mot. to Dismiss, Doc. 12.) The motion is fully briefed. (Pls’ Resp. and Opp’n to Def.’s Mot. to Dismiss, Doc. 13; Assured Imaging, LLC’s Reply Br. in Supp. of Mot. to Dismiss, Doc. 14.) For the reasons set forth below, the Court will grant Assured’s motion to dismiss without prejudice.

I. BACKGROUND

a. Factual Background

This case arises from a ransomware[1] attack. (Doc. 9 at ¶ 9.) On or about May 15, 2020, a cyberattack launched from an Assured employee’s email inbox allowed malignant software to infect Assured’s computer networks. (Doc. 9 at ¶ 36.) From May 15 to May 17, 2020, Assured was unaware that its system was compromised and the cyberthieves exfiltrated patient and other data from Assured’s system. Id. at ¶ 37. On May 19, 2020, Defendant realized that its computer system was compromised when the nonparty actors launched a targeted ransomware attack. Id. at ¶ 38. The ransomware attack disrupted Assured’s computer network, leaving patient data stored on its network encrypted and inaccessible for multiple days. Id. at ¶¶ 41, 42.

[1] Plaintiffs allege that a ransomware attack is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. (First Am. Class Action Comp., Doc. 9 at 8, ¶ 34.) They allege ransomware attacks are often the final piece of a multiphase coordinated cyber-attack contending that “[o]nce cyberthieves have plundered the target’s systems using [malicious software], the cybercriminals unleash their ransomware virus, locking down the target’s systems for a ransom.” Id. at ¶ 35.

In August of 2020, Assured notified potentially affected persons and governmental agencies of the ransomware attack through a Notice of Data Incident or a Notice of Data Breach. Id. at ¶ 44; Docs 9-1 through 9-4. The Notice of Data Incident states in part:

What Happened? On May 19, 2020, Assured learned that its electronic medical records system had become encrypted due to “ransomware” deployed by an unknown actor. Because the impacted systems contained patient information, Assured worked quickly to (1) restore access to the patient information so it could continue to care for patients without disruption and (2) investigate what happened and whether this incident resulted in any unauthorized access to, or theft of, patient information by the unknown actor.

Assured conducted an extensive investigation, with the assistance of third-party computer forensic specialists to determine the nature and scope of the incident. On July 1, 2020, the investigation confirmed Assured systems were accessible by an unknown actor between May 15, 2020 and May 17, 2020, and certain, limited data was exfiltrated from our systems. The investigation was unable to determine the full extent of information that was accessed by the unknown actor. In an abundance of caution, Assured performed a comprehensive review of all information stored in our systems at the time of the incident to identify the individuals whose information may have been accessible to the unknown actor. We then worked to determine the identities and contact information for potentially impacted individuals.

What information Was Involved. The following types of patient information were present in the electronic medical records system and therefore potentially accessed and acquired by the unknown actor during this incident: full name, address, date of birth, patient ID, facility, treating clinician, medical history, service performed, and assessment of the service performed, including any recommendations on future testing. We are unaware that any of the information was misused by the unknown actor and Assured is providing this notice in an abundance of caution.

(Doc. 9 at ¶ 44.)

Plaintiffs Angela T. Travis (“Travis”), Kerri G. Peters (“Peters”), Geraldine Pineda (“Pineda”) and Rebecca Dawn Kelly-Hartnett (“Kelly-Hartnett”) all received medical services from Assured. Id. at ¶¶ 48, 58, 63, 68. Each alleges providing Assured with personal identifying information such as their name, address, phone number, email address, medical history, demographic information, and insurance information in the course of receiving services from Assured. See Id. at ¶¶ 49-51 (allegations regarding Travis), ¶¶ 59-61 (allegations regarding Peters), ¶¶ 64-66 (allegations regarding Pineda), and ¶¶ 69-71 (allegations regarding Kelly-Hartnett).

Each named Plaintiff received a Notice of Data Breach similar to the above-mentioned Notice of Data Incident. See Doc. 9-1 at pp. 2-3 (notice sent to Travis); Doc. 9-2 at pp. 2-4 (notice sent to Peters); Doc. 9-3 at p. 2 (notice sent to Pineda); Doc. 9-4 at pp. 2-5 (notice sent to Kelly-Hartnett). The Notice of Data Breach sent to each named Plaintiff states that their personal information was “potentially accessed by the unknown actor.” The words “and acquired” contained in the Notice of Data Incident are not contained in the Notice of Data Breach. See Doc. 9-1 at p. 2 (Travis notice); Doc. 9-2 at p. 2 (Peters notice); Doc. 9-3 at p. 2 (Pineda notice); and Doc. 9-4 at p. 2 (Kelly-Hartnett notice).

Travis is a resident of Washington state. Id. at ¶ 1. She alleges “see[ing] a dramatic increase in targeted spam phone calls after the ransomware attack.” Id. ¶ 53. She alleges suffering severe emotional distress, anxiety, and stress and claims she sought medical help from a mental health counselor to deal with the anxiety and stress. Id. at ¶ 55. She claims to have “spent hours and hours checking her credit monitoring services” and alleges being forced to expend time “fending off” targeted phishing calls. Id. at ¶¶ 56, 57.

Kelly-Hartnett is also a resident of Washington state. Id. at ¶ 4. Like Travis, she endorses experiencing an increase in targeted spam phone calls after the ransomware attack. (Doc. 9 at ¶ 73.) She alleges suffering severe emotional distress, anxiety, and stress and claims she was forced to increase her medication in an effort to manage her anxiety and stress. Id. at ¶ 75. She also alleges spending time “fending off” targeted phishing calls. Id. at ¶ 76.

Peters and Pineda are residents of the State of New Mexico. Id. at ¶¶ 2-3. Neither claims to have suffered severe emotional distress or anxiety after receiving notice of the ransomware attack. Neither Peters nor Pineda endorses receiving an increased number of spam phone calls after the ransomware attack.

Plaintiffs’ First Amended Class Action Complaint alleges claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of two state laws. Id. at pp. 37, 39, 41, 45, 48, 51, 53. Plaintiffs seek to represent a class of all persons whose personal information was compromised in the ransomware attack and two subclasses of persons (one of Washington state residents and one of New Mexico state residents) whose personal information was compromised. Id. at ¶ 145. Plaintiffs claim damages as a result of:

(1) “being placed at an imminent, immediate, and continuing increased risk of harm from fraud and identity theft” (Id. at ¶ 133);

(2) “fac[ing] substantial risk of out-of-pocket fraud losses such as loans [being] opened in their names, medical services billed in their names, tax return fraud, utility bills opened in their names, credit card fraud, and similar identity theft” (Id. at ¶ 134);

(3) “fac[ing] substantial risk of being targeted for future phishing, data intrusion, and other illegal schemes based on their Private Information as potential fraudsters could use that information to target such schemes more effectively to Plaintiffs and Class Members” (Id. at ¶ 135);

(4) “may[be] also incurring out-of-pocket costs for protective measures such as credit monitoring fees, credit report fees, credit freeze fees, and similar costs directly or indirectly related to the Ransomware Attack” (Id. at ¶ 136);

(5) “suffer[ing] a loss of value of their Private Information when it was acquired by cyber[]thieves in the Ransomware Attack” (Id. at ¶ 137); and

(6) “overpa[ying] for a service that was intended to be accompanied by adequate data security but was not.” (Doc. 9 at ¶ 138).

b. Procedural Background

On September 11, 2020, three plaintiffs filed suit. (Class Action Comp. Doc. 1.) On October 30, 2020, Assured filed a motion to dismiss. (Assured Imaging, LLC’s Mot. to Dismiss Doc. 8.) Instead of responding to Assured’s motion to dismiss, the three initial plaintiffs and one new plaintiff filed the First Amended Class Action Complaint.[2] (Doc. 9.) Thereafter, Assured filed the instant (second) motion to dismiss.

[2] An amended complaint supersedes a previously filed complaint. Ferdik v. Bonzelet, 963 F.2d 1258, 1262 (9th Cir. 1992); Hal Roach Studios v. Richard Feiner & Co., 896 F.2d 1542, 1546 (9th Cir. 1990). After amendment, a court treats the previous complaint as nonexistent. Ferdik, 963 F.2d at 1262. Assured’s initial motion to dismiss addressed the initial Class Action Complaint. (Doc. 8.) As such, Defendant’s initial motion to dismiss will be denied as moot.

II. DEFENDANT’S MOTION

Defendant argues Plaintiffs have failed to adequately allege an injury in fact for Article III standing purposes. (Doc. 12 at pp. 9-14.) Assured contends Plaintiffs’ claims are “replete with allegations about potential injuries that they or any other putative class member might have suffered.” Id. at p. 10. It argues a claimed risk of future identity fraud resulting from the ransomware attack is insufficient to establish standing. Id. at pp. 11-12. It asserts Plaintiffs’ claimed mitigation and emotional distress injuries are also insufficient to establish Article III standing. Id. at pp. 13-14. Defendant also argues Plaintiffs have failed to state a claim under Rule 12(b)(6) pleading standards. Id. at pp. 15-24.

III. LEGAL STANDARDS

a. Fed. R. Civ. P. 12(b)(1)

A Rule 12(b)(1) jurisdictional attack can be either facial or factual. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000). “A ‘facial’ attack asserts that the complaint’s allegations are themselves insufficient to invoke jurisdiction, while a ‘factual’ attack asserts that the complaint’s allegations, though adequate on their face to invoke jurisdiction, are untrue.” Courthouse News Serv. v. Planet, 750 F.3d 776, 780 n.3 (9th Cir. 2014) (citing Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1035 (9th Cir. 2004)). Assured launches a facial attack. As such, the Court takes the allegations in the First Amended Class Action Complaint as true and construes them in the light most favorable to Plaintiffs. Warren v. Fox Family Worldwide, Inc., 328 F.3d 1136, 1139 (9th Cir. 2003) (citing Zimmerman v. City of Oakland, 255 F.3d 734, 737 (9th Cir. 2001)).

b. Article III Standing

To establish standing in federal court, a plaintiff must plead sufficient facts to show the following elements:

First, the plaintiff must have suffered an ‘injury in fact’—an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical[.] Second, there must be a causal connection between the injury and the conduct complained of—the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court. Third, it must be ‘likely,’ as opposed to merely ‘speculative,’ that the injury will be redressed by a favorable decision.

Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (internal quotations and citations omitted). “Where, as here, a case is at the pleading stage, the plaintiff must ‘clearly … allege facts demonstrating’ each element.” Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016), as revised (May 24, 2016) (quoting Warth v. Seldin, 422 U.S. 490, 518, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975)). The plaintiff bears the burden to establish that the facts alleged, if proved, would confer standing on them. Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014) (citing Clapper v. Amnesty International USA, 568 U.S. 398, 410, 133 S.Ct. 1138, 1148, 185 L.Ed.2d 264 (2013)). “That a suit may be a class action … adds nothing to the question of standing, for even named plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.’” Spokeo, Inc., 136 S.Ct. at 1547 n.6 (quoting Simon v. Eastern Ky. Welfare Rights Organization, 426 U.S. 26, 40 n.20, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976) (quoting Warth, 422 U.S. at 502, 95 S.Ct. 2197)).

Here, Defendant argues only that Plaintiffs do not satisfy the injury in fact element of Article III standing.

IV. INJURY-IN-FACT ANALYSIS

Plaintiffs’ injury in fact allegations can be separated into five categories: (1) an increased risk of identity theft as a result of the ransomware attack; (2) time and money spent on increased credit monitoring post ransomware attack; (3) a loss of value in their private information; (4) overpayment for Assured’s services; and (5) emotional distress and anxiety suffered after learning of the ransomware attack. The Court discusses each category below.

a. Increased Risk of Identity Theft

Plaintiffs allege they are at risk of an imminent and impending injury arising from the risk of fraud and identity theft as a direct result of the ransomware attack. They allege facing a future substantial risk of “out-of-pocket fraud losses” such as becoming obligated on a loan in their name, medical services billed in their names, tax return fraud, utility bills opened in their names, credit card fraud, and the like. They allege facing a substantial risk of being targeted for future phishing, data intrusion, and other illegal schemes contending “potential fraudsters” could use their personal information to target their schemes more effectively to them and putative class members. (Doc. 9 at ¶¶ 133-135.)

“In order to prove an injury-in-fact in a data breach case, a plaintiff must show the harm has already occurred, there is a ‘substantial risk that the harm will occur,’ or that the threatened injury is ‘certainly impending.’” Dearing v. Magellan Health Inc., No. 2:20-CV-00747-PHX-SPL, 2020 WL 7041059, *2 (D. Ariz. Sept. 3, 2020) (slip copy) (quoting In re Zappos.com, Inc., 888 F.3d 1020, 1023 (9th Cir. 2018) (citing Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010)). “There must be a ‘credible threat of real and immediate harm stemming from the theft of [data].’” Id. (quoting Krottner, 628 F.3d at 1143). The two leading cases in this circuit on Article III injury in fact in data breach cases are In re Zappos.com and Krottner. In both cases, the United States Court of Appeals for the Ninth Circuit found the plaintiffs adequately alleged the injury in fact element of Article III standing.

In Krottner, someone stole a laptop from Starbucks containing the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees. 628 F.3d at 1140. Plaintiffs alleged being placed at an increased risk of future identity theft as a result of the laptop theft. The court of appeals held the plaintiffs had “alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data” reasoning:

[w]ere Plaintiffs-Appellants’ allegations more conjectural or hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future—we would find the threat far less credible. On these facts however, Plaintiffs-Appellants have sufficiently alleged an injury-in-fact for purposes of Article III standing.

628 F.3d at 1143.

In re Zappos.com, Inc., arose out of a 2012 hacking that breached the servers of online retailer Zappos.com. 888 F.3d at 1023. The hackers allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers. Id. The district court dismissed some of the plaintiffs’ claims for lack of Article III standing. Id. The plaintiffs appealed contending that they had standing based on, inter alia, the fact that the data breach put them at risk of identity theft. Id. Relying upon Krottner the court of appeals held:

Plaintiffs allege that the type of information accessed in the Zappos breach can be used to commit identity theft…Plaintiffs also allege that their credit card numbers were within the information taken in the breach…

Indeed, the plaintiffs who alleged that the hackers had already commandeered their accounts or identities using information taken from Zappos specifically alleged that they suffered financial losses because of the Zappos data breach (which is why the district court held they had standing). Although those plaintiffs’ claims are not at issue in this appeal, their alleged harm undermines Zappos’s assertion that the data stolen in the breach cannot be used for fraud or identity theft. In addition, two plaintiffs whose claims are at issue in this appeal say that the hackers took over their AOL accounts and sent advertisements to people in their address books. Though not a financial harm, these alleged attacks further support Plaintiffs’ contention that the hacker accessed information that could be used to help commit identity theft. We thus conclude that Plaintiffs have sufficiently alleged an injury in fact under Krottner.

888 F.3d at 1027-28 (footnote omitted).

In its motion, Defendant sets out case law demonstrating that since Krottner and In re Zappos.com district courts have more closely examined the nature of the data breach and the type of information at issue in determining whether an injury in fact for Article III standing purposes is adequately alleged in data breach cases. See Doc. 12 at pp. 12-13 (citing Dearing, 2020 WL 7041059, at *2-3; In re Uber Tech., Inc. Data Sec. Breach Litig., No. CV 18-2970 PSG (GJSx), 2019 WL 6522843, *4 (C.D. Cal. Aug. 19, 2019) (slip copy); Jackson v. Loews Hotels, Inc., No. ED CV 18-827-DMG (JCX), 2019 WL 6721637, at *3 (C.D. Cal. Jul. 24, 2019) (slip copy); Ables v. Brooks Bros. Grp., Inc., No. CV 17-4309-DMG (EX), 2018 WL 8806667, at *5 (C.D. Cal. Jun. 7, 2018), am. compl. dismissed sub nom. Brett v. Brooks Bros. Grp., Inc., No. 17-4309-DMG (EX), 2018 WL 8806668, at *3-4 (N.D. Cal. Sept. 6, 2018); and Antman v. Uber Tech., Inc., No. 15-CV-01175-LB, 2018 WL 2151231, at *11 (N.D. Cal. May 10, 2018)) and Doc. 14 at p. 7 (same). See also, Rahman v. Marriott International, Inc., No. SA CV 20-00654-DOC-KES, 2021 WL 346421, at *2 (C.D. Cal. Jan. 12, 2021) (“‘The sensitivity of the personal information, combined with its theft’ are prerequisites to finding that plaintiffs ‘adequately alleged an injury in fact.’”) (citation omitted.) This Court will do the same.

i. The Ransomware Attack

The Notice of Data Breach advised each Plaintiff that their personal information was present in Assured’s electronic medical records system and “therefore potentially accessed by the unknown actor[…]” See Doc. 9-1 at p. 2 (Travis notice); Doc. 9-2 at p. 2 (Peters notice); Doc. 9-3 at p. 2 (Pineda notice); Doc. 9-4 at p. 2 (Kelly-Hartnett notice). The notice further states, “[w]e are unaware that any of this information was misused by the unknown actor and Assured is providing this notice in an abundance of caution.” Id. The personal information at issue here is the patient’s full name, address, date of birth, patient ID, facility, treating clinician, medical history, service performed, and assessment of service performed. See Id.

Relying on Dearing v. Magellan Health, Inc., Defendant urges the Court to find that Plaintiffs have not sufficiently alleged injury in fact. (Doc. 12 at p. 12.) In that case, the defendant Magellan Health, Inc. discovered that one of its employees fell for a phishing scheme that allowed third party access to her email account. 2020 WL 7041059, at *1. After receiving notice of the data breach from the defendant, the plaintiff sued claiming that the data breach caused her, inter alia, “imminent and impending injury arising from the increased risk of fraud and identity theft.” Id. at *1, 2.

The district court held there was no evidence the information was even stolen pointing out that the notice sent to the affected parties stated that the phisher may have seen emails in the employee’s account. Id. at *3. The potentially viewed emails contained information such as names, social security numbers, health plan ID numbers, health plan names, healthcare providers, and drug names. Id. District Judge Stephen P. Logan found the plaintiff “fail[ed] to show her injury is ‘certainly impending’ or that there is a ‘substantial risk that harm will occur[]’” concluding that “her alleged risk is entirely speculative.” Id.

In opposition, Plaintiffs focus on the fact that Assured admits to suffering a data breach through a ransomware attack and insist they “need not suffer data misuse or identity theft before [they have] an injury for standing purposes, but the data must be actually stolen and taken in a ‘manner that suggests it will be misused.’” (Doc. 13 at 4.) Plaintiffs highlight language in Dearing that the data must be taken in a “manner that suggests it will be misused,” and insist the ransomware attack Assured suffered is such a manner. As explained below, the Court disagrees with Plaintiffs.

As mentioned above, the language of the Notice of Data Breach sent to each Plaintiff does not state that Plaintiffs’ personal information was stolen. See, e.g., Doc. 9-1 at p. 2 (“We determined the following types of information relating to you were present in the electronic medical records system and therefore potentially accessed…”). Based upon the Notice of Data Breach—and similar to Dearing— “there is no evidence the [Plaintiffs’] information was even stolen.”[3] See Dearing, 2020 WL 7041059, at *3.

[3] The HIPPA website notice attached to the First Amended Class Action Complaint states that the personal information that was contained in the database that was breached was “potentially accessed and acquired.” (Rezolut – HIPPA Website Notice, Doc. 9-6 at p. 2.) This is the notice Plaintiffs appear to quote in their First Amended Class Action Complaint. (Doc. 9 at ¶ 44.) However, Plaintiffs’ notices do not include the “and acquired” phrase that is contained in the HIPPA website notice. That some putative class members may have suffered theft of their personal information does not confer an injury in fact upon the named Plaintiffs. See Spokeo, Inc., 136 S.Ct. at 1547 n.6 (even named plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong’) (citations and quotations omitted).

Plaintiffs also rely on In re Zappos.com where the court of appeals determined the plaintiffs sufficiently alleged injury in fact. But there, unlike in this case, the court found injury in fact because the plaintiffs alleged that “the hacker took over their AOL accounts and sent advertisements to people in their address book.” 888 F.3d at 1027-28. Plaintiffs here have not alleged their personal information was used to take over their email accounts or identities. Plaintiffs also rely upon Krottner. (Doc. 13 at 5.) In that case, however, it was undisputed that the unencrypted data was stolen when the laptop was stolen. 628 F.3d at 1143. Again, the Notice of Data Breach here speaks in terms of Plaintiffs’ personal information having been potentially accessed.

i. The Type of Personal Information Involved

The type of personal information at issue here is an Assured patient’s full name, address, date of birth, patient ID, facility, treating clinician, medical history, service performed, and assessment of service performed. See, e.g., Doc. 9-1 at p. 2 (identifying personal information). Defendant argues that the type of personal information potentially accessed through the ransomware attack does not rise to the level that is required for this Court to find a certainly impending injury in fact for Article III standing. As explained below, the Court agrees.

Defendant relies on In re Uber Tech., Inc. Data Sec. Breach Litig. There, a plaintiff seeking to represent a putative class sued after Uber users’ personally identifiable information was breached. 2019 WL 6522843, at *1. The breach occurred when two hackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials that they obtained to discover an archive of Uber’s rider and driver information. Id. The compromised data included the names, email addresses, and mobile phone numbers of 50 million riders and 7 million drivers and included “some 600,000 U.S. driver’s license numbers.” Id. In determining the plaintiff failed to adequately allege injury in fact, the district court held the plaintiff “fails to explain how gaining access to one’s basic contact information and driver’s license number creates a credible threat of fraud or identity theft.” Id. at *4 (citing Antman v. Uber Techs., Inc., (Antman I), No. 3:15-cv-01175-LB, 2015 WL 6123054, at *10-11 (N.D. Cal. Oct. 19, 2015) (similarly concluding that an allegation that a theft of names and driver’s licenses, without more, is insufficient to establish a credible threat of immediate harm)) (emphasis in original). The court determined the plaintiff’s allegations of an increased risk of fraud and identity theft were insufficient to establish a credible risk of immediate harm for Article III standing purposes. Id. at *5.

Similarly, in Ables v. Brooks Bros. Grp., Inc., also relied upon by Defendant, clothing retailer Brooks Brothers suffered the installation of malware in its point-of-sale systems affecting at least 223 of its locations. 2018 WL 8806667 at *1. As a result, an unauthorized party collected the credit and debit card account numbers, expiration dates, and verification codes, as well as full names, of Brooks Brothers customers for approximately 11-months. 2018 WL 8806667 at *1. In finding that the plaintiff failed to establish standing based on an injury in fact theory stemming from a risk of future identity theft or fraudulent activity resulting from the data breach, the district court relied on the fact that the compromised information did not include addresses or social security numbers.[4] Id. at *5.

[4] The court also determined that “cancellation of the compromised debit and credit card accounts extinguished any concrete risk of future identity theft…[.]” Ables, 2018 WL 8806667, at *4.

The district court in Ables also held that the first amended complaint failed to explain how “the wrongdoers’ possession of [the plaintiff’s] first and last name expose[d] him” to a substantial risk of future identity theft. Id. Finally, the court determined that even assuming that a third party “intends to commit identity theft using [the plaintiff’s] compromised PII, [he] still has not made allegations that give rise to the reasonable inference that the stolen PII is sufficient to actually commit identity theft.” Id. (emphasis in Ables). In reaching its decision, Ables distinguished a number of district court cases relied upon by the plaintiff in that case. See Id. at *6 (distinguishing In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1206 (N.D. Cal. 2014) (personal information included “names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses”); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 954 (S.D. Cal. 2014), order corrected, No. 11MD2258 AJB (MDD), 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014) (personal information included “names, mailing addresses, email addresses, birth dates, credit and debit card information (card numbers, expiration dates, and security codes), and login credentials”); Doe 1 v. AOL LLC, 719 F.Supp.2d 1102, 1105 (N.D. Cal. 2010) (personal information included “names, social security numbers, addresses, telephone numbers, credit card numbers, user names, passwords, and financial/bank account information”).

Defendant also points to Jackson v. Loews Hotels, Inc., wherein the court determined the plaintiff failed to sufficiently allege a certainly impending future harm reasoning:

19 […] Plaintiff has once again failed to demonstrate that her name, phone 20 number, email address (but not her email password), and mailing address are sensitive enough pieces of information to give rise to a certainly impending 21 risk of future identity theft or fraud. Her claim that she has received mass 22 mailing materials does not help her because receiving spam or mass mail does not constitute an injury. See, e.g., Peters v. St. Joseph Servs. Corp., 74 23 F. Supp. 3d 847, 857 (S.D. Tex. 2015) (no injury despite plaintiff receiving 24 “target[ed]” physical, electronic, and telephonic “solicitations”); Cherny v. Emigrant Bank, 604 F. Supp. 2d 605, 609 (S.D.N.Y. 2009) (“The receipt of 25 spam by itself, however, does not constitute a sufficient injury entitling 26 [plaintiff] to compensable relief.”).
27 2019 WL 6721637, at *4. 28 Here, the personal information potentially accessed was Plaintiffs’ full name, 1 address, date of birth, patient ID, facility, treating clinician, medical history, service 2 performed, and assessment of service performed. In light of the case law set forth above, 3 the Court is unconvinced that Plaintiffs are at risk of a certainly impending identity theft 4 or fraud injury because their full name, address, date of birth (along with the other 5 identified information) was potentially accessed in the ransomware attack. 6 The Court is not persuaded by the cases relied upon by Plaintiffs. For instance, 7 Plaintiffs rely upon In re Adobe Sys., Inc. Privacy Litig., pointing out that case is similar to 8 the instant case on the grounds that “the hackers stole the customer data.” (Doc. 13 at 4.) 9 While that was true in In re Adobe, as explained above, that is not the case here based on 10 the Notice of Data Breach that each Plaintiff received. See, e.g., Doc. 9-1 at p. 2 (“We 11 determined the following types of information relating to you were present in the electronic 12 medical records system and therefore potentially accessed…”). Furthermore, the data in In 13 re Adobe Sys., Inc. Privacy Litig. included “names, login IDs, passwords, credit and debit 14 card numbers, expiration dates, and mailing and e-mail addresses.” 66 F.Supp.3d at 1206. The potentially accessed data here does not include social security numbers, debit or credit 15 card numbers, expiration dates, attendant security codes or email addresses and passwords. 16 Plaintiffs also rely upon Claridge v. RockYou, Inc., 785 F.Supp.2d 855, 861 (N.D. 17 Cal. 2011). 
There, the defendant RockYou, Inc., a publisher and developer of online services and applications for use with social networking sites such as Facebook and MySpace, suffered a cyberattack in which a hacker accessed its database and copied the email and social networking login credentials of approximately 32 million registered RockYou users. Id. at 859. The district court denied the defendant’s request to dismiss the complaint for lack of jurisdiction reasoning, “[n]ot only is there a paucity of controlling authority regarding the legal sufficiency of plaintiff's damages theory, but the court also takes note that the context in which plaintiff's theory arises—i.e., the unauthorized disclosure of personal information via the Internet—is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.” Id. Ten years have passed since Claridge and “the unauthorized disclosure of personal information via the Internet” can no longer be characterized as “relatively new.” The Court is not persuaded by Claridge.

In sum, the Court finds that Plaintiffs have not sufficiently alleged that their personal information was stolen in the ransomware attack. And, even if their personal information was stolen, they have not shown that the personal information at issue is sufficiently sensitive to give rise to an imminent or certainly impending injury in fact for Article III standing purposes in data breach cases.

b. Time and Money Spent Monitoring Credit

Plaintiffs allege they “may also” incur out-of-pocket costs for protective measures such as credit monitoring fees, credit report fees, credit freeze fees, and similar costs “directly or indirectly” related to the ransomware attack. (Doc. 9 at ¶ 136.) A plaintiff cannot “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 568 U.S.
at 416, 133 S.Ct. at 1151 (citing Pennsylvania v. New Jersey, 426 U.S. 660, 664, 96 S.Ct. 2333, 49 L.Ed.2d 124 (1976) (per curiam); National Family Planning & Reproductive Health Assn., Inc., 468 F.3d 826, 831 (D.C. Cir. 2006)). The focus is not upon the reasonableness of the fears but upon the imminence of the future harm and whether it is certainly impending, or the risk of harm is substantial. 568 U.S. at 416, 133 S.Ct. at 1151. Without imminent harm, mitigation expenses do not meet the injury in fact requirement of standing. 568 U.S. at 416, 133 S.Ct. at 1151. See also, Rahman, 2021 WL 346421, at *2 (“As the Supreme Court has said, ‘mitigation costs … rise and fall together’ with claims based on the risk of future harm.” (quoting Clapper, 568 U.S. at 402)); Dearing, 2020 WL 7041059, at *3 (“…[W]hen a risk of future harm is speculative, a plaintiff cannot ‘manufacture standing by choosing to make expenditures based on hypothetical harm that is not certainly impending.’” (quoting Clapper, 568 U.S. at 401)).

As explained above, the Court determines Plaintiffs have failed to sufficiently allege they are at an imminent risk of future harm as a result of the ransomware attack. Accordingly, Plaintiffs’ claimed injury from incurring mitigation costs is insufficient as a matter of law to establish Article III standing.

c. Decreased Value in Personal Information

Plaintiffs allege “suffer[ing] a loss of value” of their personal information “when it was acquired by cyber[]thieves in the [r]ansomware [a]ttack.” (Doc. 9 at ¶ 137.) They claim that medical information is “especially valuable to thieves” alleging that “the asking price for medical data” is “$50 and up.” (Id. at ¶ 128.)
Plaintiffs have not alleged any facts explaining how their personal information became less valuable as a result of the ransomware attack or that they attempted to sell their personal information and could not because of the ransomware attack.

Other courts that have examined this theory of injury have declined to find that it constitutes an injury in fact for Article III standing purposes. This Court agrees. See, e.g., In re Zappos.com, Inc., 108 F.Supp.3d at 954 rev’d on other grounds by In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (rejecting plaintiffs’ claim that the Zappos security breach deprived them of the “substantial value” of their personal information reasoning that even assuming the plaintiffs’ data has value on the black market, they did not allege any facts explaining how their personal information became less valuable as a result of the breach or that they attempted to sell their information and were rebuffed because of a lower price-point attributable to the security breach). See also, Dearing, 2020 WL 7041059, at *4 (rejecting claim that alleged diminution in value of personal information constitutes a sufficient injury in fact to confer standing).

d. Overpayment for Services

Plaintiffs allege “overpa[ying] for a service that was intended to be accompanied by adequate data security but was not.” (Doc. 9 at ¶ 138.) They do not explain how the ransomware attack impacted the value of the services they received from Assured. Nor do they allege facts establishing that the price they paid for the medical services they received incorporated an amount that they understood to be allocated towards the cost of protecting their personal information.

Other courts that have examined this theory of injury have declined to find that it constitutes an injury in fact for Article III standing purposes and this Court agrees.
See, e.g., In re Zappos.com, Inc., 108 F.Supp.3d at 962 n.5, rev'd on other grounds by In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (finding plaintiffs' theory of standing failed in part because they did not “allege facts showing how the price they paid for such goods incorporated some particular sum that was understood by both parties to be allocated towards the protection of customer data”); Jackson v. Loews Hotels, Inc., 2019 WL 6721637, at *2 (finding that while the second amended complaint asserts that a portion of the price that the plaintiff paid to reserve a room went to data security, the plaintiff does not allege how the room price incorporated that amount or what gave rise to the defendant's understanding that the room reservation price included funds for data security) (quotation omitted).

e. Emotional Distress and Anxiety

Plaintiffs Travis and Kelly-Hartnett5 contend the emotional distress, anxiety and “lack of privacy” they allegedly suffered as a result of the ransomware attack constitutes sufficient injury-in-fact to confer standing. (Doc. 13 at pp. 6-7.) They rely on Shqeirat v. U.S. Airways Group, Inc., 515 F.Supp.2d 984, 998 (D. Minn. 2007). Id. at p. 6. The Court finds Shqeirat distinguishable.

As pointed out by Defendant, Shqeirat did not address Article III standing. Rather, that case involved individuals of Middle Eastern descent who were ordered to deboard a plane and subsequently arrested. They sued alleging they were arrested in violation of their constitutional rights. 515 F.Supp.2d at 988-90. One plaintiff further alleged that his social security number, contained in a police report, was publicly posted on the internet in violation of a Minnesota state law and this event caused him to suffer fear and anxiety that he may fall victim to identity fraud. Id. at 991.
The district court held that plaintiff’s allegations were sufficient to state a claim for damages under the Minnesota state law at issue. Id. at 998.

This Court is not persuaded by Shqeirat and finds it distinguishable.
5 Plaintiffs Peters and Pineda do not allege they suffered emotional distress or anxiety as a result of the ransomware attack.

V. CONCLUSION

The Court finds Plaintiffs lack Article III standing to sue because they have not satisfied the injury in fact requirement. As such, the Court need not consider Defendant’s other arguments for dismissal based on Rule 12(b)(6) pleading standards.

The Court will grant Defendant’s Motion to Dismiss without prejudice with leave to amend. Although the Court finds Plaintiffs do not have standing as currently pleaded, the Court will permit amendment.

In permitting amendment, the Court points out that time passing without harm actually occurring further undermines the claim that the threat of harm is immediate, impending, or otherwise substantial. See In re Zappos.com, 108 F.Supp.3d at 958 (“Indeed, putting aside the legal standard for imminence, a layperson with a commonsense notion of ‘imminent’ would find this lapse of time, without any identity theft, to undermine the notion that identity theft would happen in the near future.”) (citation omitted). In this same vein, Plaintiffs’ allegations that “there may be a substantial lag [—] measured in years [—] between when harm occurs versus when it is discovered,” that “stolen data may be held for up to a year or more before being used to commit identity theft,” and that they “are at an increased risk of fraud and identity theft for many years into the future[]” tend to relegate their claim that they are at an “imminent [and] immediate” risk of future injury into the realm of speculation. (Doc. 9 at ¶¶ 125, 127, 133.) In re Zappos.com, 108 F.Supp.3d at 959.

For the foregoing reasons,

IT IS HEREBY ORDERED GRANTING Assured Imaging, LLC’s Motion to Dismiss (Doc. 12), DISMISSING WITHOUT PREJUDICE the First Amended Class Action Complaint (Doc.
9), and DENYING AS MOOT Assured Imaging, LLC’s Motion to Dismiss (Doc. 8). Plaintiffs may file a second amended complaint in accordance with the applicable Federal Rules of Civil Procedure.

Dated this 10th day of May, 2021.
Honorable John C. Hinderaker
United States District Judge