Doe v. N. Ca Fertility Med. Ctr.

United States District Court, Eastern District of California
Jan 22, 2024
22-cv-01861-DAD-JDP (E.D. Cal. Jan. 22, 2024)

Opinion

JANE DOE, on behalf of herself and all others similarly situated, Plaintiff, v. NORTHERN CALIFORNIA FERTILITY MEDICAL CENTER, Defendant.


ORDER DENYING DEFENDANT'S MOTION TO DISMISS PLAINTIFF'S FIRST AMENDED COMPLAINT (DOC. NO. 23)

DALE A. DROZD, UNITED STATES DISTRICT JUDGE.

This matter is before the court on the motion to dismiss filed by defendant Northern California Fertility Medical Center on January 1, 2023. (Doc No. 23.) On March 22, 2023, the pending motion was taken under submission on the papers. (Doc. No. 32.) For the reasons explained below, defendant's motion to dismiss will be denied.

BACKGROUND

On December 19, 2022, plaintiff Jane Doe filed her operative first amended complaint (“FAC”), alleging that defendant failed to safeguard her sensitive medical information from cybercriminals. (Doc. No. 16.) In her FAC, plaintiff alleges the following.

Defendant is a fertility clinic offering a full range of infertility services, including reversals of tubal ligations or vasectomies, ovulation induction, artificial insemination, in vitro fertilization (“IVF”), and IVF with egg donation and egg freezing. (Id. at ¶ 9.) As a healthcare provider, defendant creates, maintains, preserves, and stores highly sensitive information regarding its patients' fertility treatments. (Id. at ¶¶ 11-12.)

Plaintiff is a former patient of defendant's and paid defendant in exchange for fertility treatment. (Id. at ¶¶ 2, 81.) In order to receive this treatment, plaintiff was required to provide sensitive information to defendant and permit it to store that information in digital files. (Id. at ¶ 82.) Plaintiff believed that defendant would implement reasonable safeguards to keep her information secure. (Id. at ¶ 83.) Had plaintiff known defendant would fail to do so, she never would have contracted with defendant, let alone paid the full market price for defendant's services. (Id. at ¶ 84.) Concerned about the privacy of her information, plaintiff instructed defendant to delete her data and cease all contact with her in or around 2020. (Id. at ¶ 2.)

Given the type of data that defendant collected and stored, it was highly foreseeable that criminals would attempt to access defendant's servers. (Id. at ¶ 13.) Hackers are drawn to databases containing information with high value on secondary black markets, such as intimate and health-related data. (Id. at ¶ 14.) Indeed, the healthcare industry has faced more data breaches than any other industry, and data breaches are a well-known threat in the field. (Id. at ¶¶ 16-17.)

Despite this risk, defendant failed to adequately train its employees on basic cybersecurity protocols, including: password management and encryption protocols such as multi-factor authentication; locking, encrypting, and limiting access to files containing sensitive information; implementing guidelines for maintaining and communicating sensitive data; implementing protocols on how to request and respond to requests for the transfer of sensitive information; how to securely send sensitive information through a secure file transfer system to only known recipients; and providing cybersecurity training programs. (Id. at ¶ 26.) Instead, defendant continued to use outdated and insecure computer systems that are easily hacked. (Id. at ¶ 28.)

At some time in 2022, cybercriminals accessed defendant's servers and protected health information regarding defendant's patients, including the patients' names, whether the patients had received an ultrasound from defendant, and whether they had “cryopreserved tissue” (e.g., frozen eggs) stored with defendant (collectively, “the PHI”). (Id. at ¶ 21.) Cybercriminals must view the information they access during a data breach in order to determine its value on the black market, and the cybercriminals actually viewed plaintiff's PHI. (Id. at ¶ 22.)

Defendant claims to have discovered the data breach on July 24, 2022, though plaintiff was not notified of the breach until September 28, 2022. (Id. at ¶¶ 23-24.) She experienced extreme distress and anxiety upon learning that the information she had requested be deleted two years earlier had instead been accessed by third parties. (Id. at ¶¶ 31, 37.) Even having one's name associated with a fertility clinic such as defendant would constitute the revelation of the most intimate of health and family planning information. (Id. at ¶ 21.) Moreover, certain fertility treatments are controversial within many religious traditions, and a patient's reputation within their religious community could be compromised if it were discovered that the patient received treatment from a clinic such as defendant. (Id. at ¶ 36.)

Based on the above allegations, plaintiff asserts the following four claims against defendant in her FAC: (1) negligence; (2) invasion of privacy in violation of the California Constitution; (3) negligent storage of medical information in violation of California's Confidentiality of Medical Information Act (“CMIA”), California Civil Code §§ 56, et seq.; and (4) unlawful and unfair business practices in violation of California's Unfair Competition Law (“UCL”), California Business and Professions Code §§ 17200, et seq. (Id. at ¶¶ 51-87.)

On January 3, 2023, defendant filed its pending motion to dismiss plaintiff's FAC, arguing that plaintiff lacks Article III standing as to each of her claims; that she has failed to sufficiently allege negligence, invasion of privacy, and violation of the CMIA; and that she lacks standing to assert her UCL claim. (Doc. No. 23.) On January 17, 2023, plaintiff filed her opposition, and defendant filed its reply thereto on January 27, 2023. (Doc. Nos. 24, 26.)

LEGAL STANDARD

A. Motion to Dismiss Under Rule 12(b)(1)

Federal Rule of Civil Procedure 12(b)(1) permits a party to “challenge a federal court's jurisdiction over the subject matter of the complaint.” Nat'l Photo Grp., LLC v. Allvoices, Inc., No. 13-cv-03627-JSC, 2014 WL 280391, at *1 (N.D. Cal. Jan. 24, 2014). “A Rule 12(b)(1) jurisdictional attack may be facial or factual. In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (internal citation omitted). Here, because defendant argues that the allegations in plaintiff's FAC, even if assumed to be true, are insufficient to invoke federal jurisdiction over plaintiff's claims, defendant mounts a facial attack. (See Doc. No. 23 at 10.)

“The district court resolves a facial attack as it would a motion to dismiss under Rule 12(b)(6): Accepting the plaintiff's allegations as true and drawing all reasonable inferences in the plaintiff's favor, the court determines whether the allegations are sufficient as a legal matter to invoke the court's jurisdiction.” Leite v. Crane Co., 749 F.3d 1117, 1121 (9th Cir. 2014). However, the court need not assume the truth of legal conclusions cast in the form of factual allegations. Warren v. Fox Fam. Worldwide, Inc., 328 F.3d 1136, 1139 (9th Cir. 2003).

B. Motion to Dismiss Under Rule 12(b)(6)

The purpose of a motion to dismiss pursuant to Rule 12(b)(6) is to test the legal sufficiency of the complaint. N. Star Int'l v. Ariz. Corp. Comm'n, 720 F.2d 578, 581 (9th Cir. 1983). “Dismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990). A plaintiff is required to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).

In determining whether a complaint states a claim on which relief may be granted, the court accepts as true the allegations in the complaint and construes the allegations in the light most favorable to the plaintiff. Hishon v. King & Spalding, 467 U.S. 69, 73 (1984). However, the court need not assume the truth of legal conclusions cast in the form of factual allegations. U.S. ex rel. Chunie v. Ringrose, 788 F.2d 638, 643 n.2 (9th Cir. 1986). While Rule 8(a) does not require detailed factual allegations, “it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Iqbal, 556 U.S. at 678. A pleading is insufficient if it offers mere “labels and conclusions” or “a formulaic recitation of the elements of a cause of action.” Twombly, 550 U.S. at 555; see also Iqbal, 556 U.S. at 678 (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”). It is inappropriate to assume that the plaintiff “can prove facts that it has not alleged or that the defendants have violated the . . . laws in ways that have not been alleged.” Associated Gen. Contractors of Cal., Inc. v. Cal. State Council of Carpenters, 459 U.S. 519, 526 (1983).

ANALYSIS

A. Standing

To have standing, a plaintiff “must satisfy the threshhold [sic] requirement imposed by Article III of the Constitution by alleging an actual case or controversy.” City of Los Angeles v. Lyons, 461 U.S. 95, 101 (1983). “In a class action, standing is satisfied if at least one named plaintiff meets the requirements.” Bates v. United Parcel Serv., Inc., 511 F.3d 974, 985 (9th Cir. 2007). “[S]tanding requires that (1) the plaintiff suffered an injury in fact, i.e., one that is sufficiently ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical,' (2) the injury is ‘fairly traceable' to the challenged conduct, and (3) the injury is ‘likely' to be ‘redressed by a favorable decision.'” Id. (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). “[P]laintiffs must demonstrate standing for each claim . . . .” TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021).

In moving to dismiss plaintiff's complaint, defendant argues that plaintiff has failed to allege a concrete injury and thus lacks standing. (Doc. No. 23 at 11-16.) Defendant argues that a data breach revealing both a patient's name and the fact that the patient received medical services is not sufficient to establish a concrete harm absent further facts. (Id. at 14.) Moreover, defendant argues that plaintiff has failed to allege a credible risk of harm that could support a concrete injury. (Id. at 14-16.)

In her opposition to the pending motion, plaintiff argues that “an injury to common law rights” is sufficient for Article III standing and that she therefore has standing to assert her negligence claim. (Doc. No. 24 at 11-15.) Separately, plaintiff argues that she has suffered an intangible but concrete privacy injury conferring standing upon her for purposes of all of her claims. (Id. at 15-17.)

Because the court concludes that plaintiff's privacy injury confers standing as to each of her claims, the court need not and therefore does not consider plaintiff's separate argument that she has standing with respect to her common law negligence claim.

“[A]n intangible injury may be concrete if it . . . ‘has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,' like common law torts or certain constitutional violations.” Phillips v. U.S. Customs & Border Prot., 74 F.4th 986, 991 (9th Cir. 2023) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016)). These “traditionally recognized” harms “include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion, 594 U.S. at 425. Courts “do not require an exact duplicate” of such harms in order to find a concrete injury in fact under Article III. Id. at 433.

The court concludes that “[t]he harm at issue here-the release of highly personal information . . . is the same harm that forms the basis for the tort of intrusion upon seclusion.” Nayab v. Cap. One Bank (USA), N.A., 942 F.3d 480, 491-92 (9th Cir. 2019). Intrusion upon seclusion “consists solely of an intentional interference with [someone's] interest in solitude or seclusion, either as to [their] person or as to [their] private affairs or concerns, of a kind that would be highly offensive to a reasonable [person].” Id. at 491 (quoting Restatement (Second) of Torts § 652B cmt. a (1977)). The Ninth Circuit's decision in Nayab is particularly instructive here. In that case, the court held that when “a third party obtains the consumer's credit report in violation of 15 U.S.C. § 1681b(f)-that is, for a purpose not authorized by statute-the consumer is harmed because he or she is deprived of the right to keep private the sensitive information about his or her person.” Id. at 492. “This harm is highly offensive and is not trivial because a credit report can contain highly personal information.” Id. In this case, an unauthorized third party obtained plaintiff's medical information, including whether or not she had, for example, frozen her eggs. Plaintiff was thereby harmed because she was deprived of the right to keep private information that is certainly at least as sensitive as a credit report. Cf. Doe v. Beard, 63 F.Supp.3d 1159, 1170 (C.D. Cal. 2014) (holding that disclosure of medical records can be a more “egregious violation of social norms” than disclosure of other “highly personal information” such as Social Security numbers); In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1143 (C.D. Cal. 2021) (holding that “a data breach involv[ing] medical information . . . is more likely to constitute an ‘egregious breach of the social norms' that is ‘highly offensive'”) (citing Doe, 63 F.Supp.3d at 1170).

While the tort of intrusion upon seclusion requires intentional interference, “the focus of this inquiry [regarding standing] is on the type of harm, not intent.” Rendon v. Cherry Creek Mortg., LLC, No. 22-cv-01194-DMS-MSB, 2022 WL 17824003, at *4 (C.D. Cal. Dec. 20, 2022) (rejecting the defendant's “argument that, without intent, Plaintiff's harm is not similar to intrusion upon seclusion”) (citing TransUnion, 594 U.S. at 424-25).

Defendant briefly argues that no “sensitive medical information was breached.” (Doc. No. 23 at 9.) Defendant provides no authority suggesting that information regarding whether a person has received an ultrasound or has chosen to freeze their eggs is somehow not “sensitive medical information.” To the contrary, these would seem to be some of the most sensitive categories of information, medical or otherwise.

Defendant argues that plaintiff has failed to allege a privacy injury conferring standing because her allegations that her PHI was actually viewed are conclusory. (Doc. No. 23 at 13-14.) But plaintiff alleges that hackers must view the information they access in order to determine its value on the black market, that it would be pointless to steal the PHI but then refrain from viewing it, and that the cybercriminals did actually view plaintiff's PHI. (Doc. No. 16 at ¶ 22.) The allegations of plaintiff's complaint are sufficient in this regard. Cf. In re Ambry, 567 F.Supp.3d at 1148-49 (concluding in denying a motion to dismiss under Rule 12(b)(6) that plaintiffs' allegations were sufficient to allege that their information was actually viewed where the plaintiffs alleged that the “hackers who committed the Data Breach obtained Plaintiffs' and Class Members' personal medical information, viewed it, and now have it available to them to sell to others [sic] bad actors or otherwise misuse”).

In arguing that plaintiff lacks standing because she failed to allege her PHI was actually viewed, defendant relies on a decision, Fernandez v. Leidos, Inc., 127 F.Supp.3d 1078 (E.D. Cal. 2015), issued before the Supreme Court's decisions in Spokeo and TransUnion. Consequently, the district court in Fernandez found that the plaintiff lacked standing without considering whether the plaintiff's alleged injury bore a close relationship to a traditionally recognized harm. In any event, Fernandez is inapposite. In that case, the plaintiff had alleged that physical “data tapes” were being transported by the defendant when a thief stole those physical tapes from the defendant's vehicle. Fernandez, 127 F.Supp.3d at 1082. The court credited the defendant's argument that the plaintiff had alleged “no facts plausibly suggesting that the thief . . . recognized the [data] tapes for what they were, found a tape reader, acquired the proper software, deciphered the encrypted portions of the information, learned to read the information correctly, and then accessed Plaintiff's personal information.” Id. at 1087; see also id. (“Plaintiff has not shown there is a substantial risk that his PII/PHI will be imminently misused ‘in light of the attenuated chain of inferences necessary to find harm here.'”) (citing Clapper v. Amnesty Int'l USA, 568 U.S. 398, 415 n.5 (2013)). Here, by contrast, plaintiff has alleged in the complaint that cybercriminals accessed defendant's digital records and stole the PHI directly; there is no suggestion that the cybercriminals incidentally acquired the PHI in the process of stealing a separately valuable physical item.

Because plaintiff's injury is similar to the harm forming the basis of an intrusion upon seclusion, defendant's motion to dismiss plaintiff's complaint for lack of Article III standing will be denied.

Because the injuries underlying each of plaintiff's claims (i.e., negligence, invasion of privacy, violation of the CMIA, and violation of the UCL) are all similar and are all “the same harm that forms the basis for the tort of intrusion upon seclusion,” plaintiff has standing with respect to each of her claims. Nayab, 942 F.3d at 492.

B. Merits

1. Negligence

The elements of negligence are duty, breach, causation, and injury. Vasilenko v. Grace Fam. Church, 3 Cal. 5th 1077, 1083 (2017).

Defendant moves to dismiss plaintiff's negligence claim solely on the ground that “the crucial elements of damages is lacking in the FAC as detailed above [in defendant's argument section regarding standing]. Without concrete damages, Plaintiff not only lacks standing to sue, but she cannot establish a necessary element for negligence.” (Doc. No. 23 at 16.) In her opposition to the pending motion, plaintiff argues that she has alleged a privacy injury supporting recovery in tort because her PHI was exposed in the data breach. (Doc. No. 24 at 18.)

For similar reasons to those noted above, the court concludes that plaintiff has sufficiently alleged a privacy injury arising from the negligent disclosure of her PHI. See, e.g., In re Ambry, 567 F.Supp.3d at 1142 (denying the defendants' motion to dismiss the plaintiffs' negligence claim because the plaintiffs “have alleged a privacy injury stemming from the unauthorized sharing of their private medical information”). Accordingly, defendant's motion to dismiss plaintiff's negligence claim will be denied.

2. Invasion of Privacy under the California Constitution

To state a claim for invasion of privacy under the California Constitution, a plaintiff must allege that “(1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is ‘so serious . . . as to constitute an egregious breach of the social norms' such that the breach is ‘highly offensive.'” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020) (quoting Hernandez v. Hillsides, Inc., 47 Cal.4th 272, 286 (2009)).

In its pending motion, defendant argues that plaintiff's invasion of privacy claim must be dismissed because: (1) Plaintiff has failed to allege publicity or widespread dissemination of her PHI; (2) negligence cannot support a claim for invasion of privacy; and (3) plaintiff has “failed to set forth a concrete remedy for damages.” (Doc. No. 23 at 16-18.)

For similar reasons to those discussed above, the court finds defendant's third argument to be unpersuasive and concludes that plaintiff has sufficiently alleged damages as to her invasion of privacy claim.

First, defendant argues that the common law tort of invasion of privacy requires “publicity in the sense of communication to the public in general or to a large number of persons as distinguished from one individual or a few.” (Doc. No. 23 at 17) (quoting Del Llano v. Vivint Solar Inc., No. 17-cv-01429-AJB-MDD, 2018 WL 656094, at *5 (S.D. Cal. Feb. 1, 2018)). In her opposition brief, plaintiff clarifies that her invasion of privacy claim is asserted under the California Constitution, not the common law. (Doc. No. 24 at 19 n.4.) Because “[t]he constitutional variety . . . does not require a wide dissemination of private information,” the court rejects defendant's argument to the contrary. Ignat v. Yum! Brands, Inc., 214 Cal.App.4th 808, 820 (2013).

In her FAC, plaintiff asserts a claim for “Invasion of Privacy” without specifying whether the claim is brought under the California Constitution or the common law. (Doc. No. 16 at 10.) However, immediately under that heading in the FAC, plaintiff lists the elements for such a claim under the California Constitution. (See id. at ¶ 59) (citing In re Facebook, 956 F.3d at 601).

Second, defendant argues that plaintiff has only alleged that defendant was negligent in its handling of plaintiff's PHI, and that a defendant's negligence regarding data security does not constitute an “egregious breach of social norms” as required for an invasion of privacy claim. (Doc. No. 23 at 17) (citing, e.g., In re iPhone Application Litig., 844 F.Supp.2d 1040, 1063 (N.D. Cal. 2012) (“Even negligent conduct that leads to theft of highly personal information, including social security numbers, does not . . . constitute a violation of Plaintiffs' right to privacy”)). In her opposition, plaintiff argues that negligence can qualify as egregious conduct if it leads to the disclosure of medical information. (Doc. No. 24 at 20.)

Defendant is correct that district courts in the Ninth Circuit have held that “[l]osing personal data through insufficient security doesn't rise to the level of an egregious breach of social norms underlying the protection of sensitive data like social security numbers.” Razuki v. Caliber Home Loans, Inc., No. 17-cv-01718-LAB-WVG, 2018 WL 2761818, at *2 (S.D. Cal. June 8, 2018); see also In re iPhone Application Litig., 844 F.Supp.2d at 1063 (holding that “[e]ven negligent conduct that leads to theft of highly personal information, including social security numbers,” does not constitute actionable conduct under the California Constitution); Schmitt v. SN Servicing Corp., No. 21-cv-03355-WHO, 2021 WL 3493754, at *7 (N.D. Cal. Aug. 9, 2021) (“Plaintiffs contend that the criminal nature of the data breach and the information that was exposed or stolen in the data breach demonstrates that [the defendant] committed a serious violation of their privacy rights. Courts faced with similar data breach scenarios have found such allegations insufficient.”). However, it has been recognized that district courts have also “refused to dismiss invasion of privacy claims at the motion to dismiss stage where, as here, a data breach involved medical information, because the disclosure of such information is more likely to constitute an ‘egregious breach of the social norms' that is ‘highly offensive.'” In re Ambry, 567 F.Supp.3d at 1143; see also Doe, 63 F.Supp.3d at 1170 (denying the defendant's motion to dismiss the plaintiff's invasion of privacy claim because “even negligent disclosure of HIV-positive status can be an egregious violation of social norms”); Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 926 (S.D. Cal. 2020) (denying the defendant's motion to dismiss the plaintiffs' invasion of privacy claim because the plaintiffs alleged that the defendant negligently disclosed their medical information); cf. Guy v. Convergent Outsourcing Inc., No. 22-cv-01558-MJP, 2023 WL 4637318, at *11 (W.D. Wash. July 20, 2023) (granting the defendant's motion to dismiss the plaintiffs' invasion of privacy claim because “[w]hile the PII contains sensitive information including financial information and Social Security numbers, it does not include medical information”). Because the data breach which is the subject of this action concerns disclosure of plaintiff's sensitive medical information, such as whether she had received an ultrasound or chosen to freeze her eggs, the court concludes plaintiff has sufficiently alleged that defendant's negligent data security practices constitute an egregious breach of social norms.

Accordingly, defendant's motion to dismiss plaintiff's invasion of privacy claim will be denied.

3. CMIA

Plaintiff asserts her CMIA claim under California Civil Code § 56.101(a), which states, in pertinent part, that any health care provider “who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under” subsections (b) and (c) of California Civil Code § 56.36.

Defendant again argues that plaintiff has failed to allege that anyone “actually viewed” her PHI, as is required for a claim under § 56.101(a). (Doc. No. 23 at 18) (quoting Sutter Health v. Superior Ct., 227 Cal.App.4th 1546, 1550 (2014) (“We conclude that the plaintiffs have failed to state a cause of action under the [CMIA] because they do not allege that the stolen medical information was actually viewed by an unauthorized person.”)). In her opposition, plaintiff argues that the decision in Sutter Health, as well as the other decision cited by defendant, Regents of University of California v. Superior Court, 220 Cal.App.4th 549 (2013), are both distinguishable from the present case. (Doc. No. 24 at 22.)

The court agrees with plaintiff. In Sutter Health, the state appellate court stated, “the main pleading problem for the plaintiffs in this case and in Regents is the same: there is no allegation that the medical information was viewed by an unauthorized person.” 227 Cal.App.4th at 1555. By contrast, here, plaintiff expressly alleges that her PHI was viewed. (Doc. No. 16 at ¶ 22.) Furthermore, unlike Regents and Sutter Health, which both involved the theft of a physical item containing PHI, here, plaintiff alleges that cybercriminals accessed the digital files directly. See Regents, 220 Cal.App.4th at 554 (explaining that “an encrypted external hard drive containing some of [certain patients'] personally identifiable medical information had been stolen as part of a home invasion robbery”); Sutter Health, 227 Cal.App.4th at 1550 (“In this case, a thief stole a health care provider's computer containing the medical records of about four million patients.”) As previously noted, plaintiff alleges in the complaint that the hackers must view the information they access in order to determine its value on the black market, that it would be pointless to steal the PHI but then refrain from viewing it, and that the cybercriminals did actually view plaintiff's PHI. Therefore, for the same reasons as discussed above in the standing analysis, the court concludes that plaintiff has adequately alleged that her PHI was actually viewed.

Accordingly, defendant's motion to dismiss plaintiff's CMIA claim will be denied.

Defendant also argues once again in a single sentence that “[p]laintiff has failed to allege any concrete damages based on any alleged violation of the CMIA.” (Doc. No. 23 at 19.) However, the CMIA “provides for nominal damages without having to show the plaintiff ‘suffered or was threatened with actual damages.'” Stasi, 501 F.Supp.3d at 908 (quoting Cal. Civ. Code § 56.36(b)(1)).

4. UCL Claim

“To have standing to assert a [UCL] claim, the plaintiff must ‘(1) establish a loss or deprivation of money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that that economic injury was the result of, i.e., caused by, the unfair business practice or false advertising that is the gravamen of the claim.'” In re Turner, 859 F.3d 1145, 1151 (9th Cir. 2017) (quoting Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 322 (2011)).

Plaintiff argues that she has suffered a loss or deprivation of money or property conferring standing as to her UCL claim because she did not receive the benefit of her bargain with defendant, since she would not have paid as much as she did for her medical services had she known that defendant would be so allegedly careless with her PHI. (Doc. No. 24 at 22-23.) Defendant argues that “such a monetary loss is adequately-pleaded [sic] where a contract explicitly promises data security in exchange for payment,” and that plaintiff has not alleged any such explicit promise of data security. (Doc. No. 23 at 20) (citing Moore v. Centrelake Med. Grp., Inc., 83 Cal.App. 5th 515, 520 (2022)). In fact, defendant argues in its reply brief that plaintiff has not alleged the existence of any contract between herself and defendant. (Doc. No. 26 at 6.)

The court concludes that plaintiff has standing to assert her UCL claim. Defendant cites no authority suggesting that a contract must expressly promise data security in exchange for payment in order for a plaintiff to have standing in a data breach UCL action. Nor has the court found any. To the contrary, the court's decision in Moore, cited by defendant, suggests the opposite:

We also disagree with [the defendant's] contention that appellants' benefit-of-the-bargain theory fails because data security was at most ‘incidental' to appellants' bargain for medical services. To the contrary, appellants alleged that data security was sufficiently material to them that had they known the truth of the matter, they would not have entered into contracts for medical services with [the defendant], or would not have accepted [the defendant's] pricing terms. Such materiality is to be expected in light of the sensitive and confidential nature of the information appellants entrusted to [the defendant], including medical diagnoses and services performed . . . . Few prospective patients would entrust such information-and pay full market prices-to a medical provider known to be careless with it.
Moore, 83 Cal.App. 5th at 528-29. Similarly, here, plaintiff alleges that data security regarding her medical information was sufficiently important to her that, had she known defendant would use such poor security practices, she would not have paid for fertility treatment from defendant. (Doc. No. 16 at 13.) Plaintiff has thereby alleged that she was denied the benefit of her bargain. See also In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 466, 492 (D. Md. 2020) (holding that the plaintiffs had standing for their California UCL claim because “it is enough to allege that there was an explicit or implicit contract for data security, that plaintiffs placed value on that data security, and that Defendants failed to meet their representations about data security”) (citing In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F.Supp.3d 1113 (N.D. Cal. 2018); In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953 (N.D. Cal. 2016)); cf. In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 988 (S.D. Cal. 2014) (“As a result, because Plaintiffs have alleged that Sony omitted material information regarding the security of Sony Online Services, and that this information should have been disclosed to consumers at the time consumers purchased their Consoles, the Court finds Plaintiffs have sufficiently alleged a loss of money or property ‘as a result' of Sony's alleged unfair business practices.”).

Accordingly, defendant's motion to dismiss plaintiff's UCL claim will also be denied.

CONCLUSION

For the reasons explained above,

1. Defendant Northern California Fertility Medical Center's motion to dismiss (Doc. No. 23) is denied; and

2. Defendant Northern California Fertility Medical Center shall file an answer responding to the claims asserted in plaintiff's first amended complaint no later than twenty-one (21) days after the date of entry of this order.

IT IS SO ORDERED.
