Opinion
23-cv-00598-WHO
08-22-2023
JANE DOE, Plaintiff, v. REGENTS OF THE UNIVERSITY OF CALIFORNIA, Defendant.
ORDER DENYING MOTION TO DISMISS
Re: Dkt. No. 34
William H. Orrick United States District Judge
Defendant, doing business as UCSF Medical Center (“UCSF”), moves to dismiss the express breach of contract claim from plaintiff's Amended Complaint (“AC”). I dismissed the breach of contract claim with leave to amend in my May 2023 Order because plaintiff Jane Doe had not adequately alleged that she had received or otherwise sufficiently assented to UCSF's Health Notice of Privacy Practices Act or Website Privacy Statement to state a breach of express contact claim. May 2023 Order at 9-10. She has now, and UCSF's motion is DENIED.
The procedural and factual background of this action was discussed in my May 8, 2023 Order Granting in Part and Denying in Part defendant's prior motion to dismiss. May 2023 Order, Dkt. No. 18. Plaintiff's claims for invasion of privacy and violation of specific provisions of California's Confidentiality of Medical Information Act were not dismissed and remain. Id. at 59.
Pursuant to Civil Local Rule 7-1(b), I find this matter appropriate for resolution on the papers and the August 30, 2023 hearing is VACATED.
In the AC, plaintiff alleges three sources for her breach of express contract claim: Terms and Conditions for UCSF MyChart (“MyChart Terms and Conditions”), AC ¶¶ 25-31; (2) UCSF website Terms of Use, which incorporate by reference the Privacy Policy Statement, AC ¶¶ 33-40; and (3) UCSF Notice of Privacy Practices, which UCSF provides to each patient. AC ¶¶ 41-47. UCSF argues that plaintiff has failed to adequately allege: (1) the source of the contractual duties; (2) the consideration and mutual assent for the identified contractual duties; (3) that the contractual duties promise anything beyond what UCSF is required to do under other laws; and (4) damages available as a matter of contract law. Each of UCSF's challenges fail.
Plaintiff has clearly alleged the bases for the contractual duties she alleges UCSF has breached, as well as how those contractual provisions were communicated to plaintiff. See AC ¶¶ 25-47; 154-164. In particular, she points to the disclosure on the MyChart login page, that “BY USING UCSF MYCHART OR BY CLICKING ‘I ACCEPT' BELOW, YOU SIGNIFY YOUR AGREEMENT TO THESE TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, you are not able to use the UCSF MyChart.” AC ¶ 29. Those terms and conditions promise to “afford the same degree of confidentiality to medical information stored on UCSF MyChart as is given to health information stored by UCSF Health in any other medium.” Id. ¶ 30 (emphasis in original). She then identifies additional sources of those promises, including the “Terms of Use” and “Website Privacy Statement” that plaintiff alleges are hyperlinked on UCSF's website as well as in emails UCSF sent to plaintiff and others. Id. ¶ 33. Finally, she alleges that each UCSF patient is provided a separate copy of the “Notice of Privacy Practice.” Id. ¶ 41.
These added allegations bring this case within the lines of authority I distinguished in the May 2023 Order at 9 (discussing In re Solara Medical Supplies, LLC Customer Data Security Breach Litigation, 613 F.Supp.3d 1284 (S.D. Cal. May 7, 2020) and In re Yahoo! Inc. Customer Data Security Breach Litigation, No. 16-MD-02752-LHK, 2017 WL 3727318, at *44 (N.D. Cal. Aug. 30, 2017).
UCSF does not discuss the contents of these documents or challenge whether the documents identified contain express or incorporated promises governing how patient information will be protected, not shared with third parties absent written consent, etc. Instead, UCSF argues that plaintiff fails to allege acceptance, mutual consent, and consideration for her identified contractual promises. But she has adequately alleged that she entered into these contracts to receive treatment and services from UCSF. AC ¶ 152. She plausibly alleges that UCSF uses the MyChart patient portal and its website to provide patient services, and notes where plaintiff had to agree to the terms of use for the portal and website. Id. ¶¶ 29, 33. That is sufficient.
UCSF argues that “at best” plaintiff has alleged UCSF uses a “browsewrap” type of agreement that cannot give rise to an enforceable contract under California law. Reply at 4, citing Sellers v. JustAnswer LLC, 73 Cal.App. 5th 444, 463 (2021), reh'g denied (Jan. 18, 2022), review denied (Apr. 13, 2022). However, plaintiff's complaint does not center on mere browsing of UCSF's website, but the use of it by entering her data into the patient portal. See e.g., AC ¶¶ 71-73. Moreover, the language relied on by plaintiff is more akin to “clickwrap” or “sign-in” agreements that the Sellers court noted are likely to be enforceable, particularly in “continuing, forwardlooking relationships” like plaintiff alleges here. Sellers, 73 Cal.App. 5th at 476.
UCSF may be right that plaintiff's breach of contract claim might fail if she sought only to require UCSF to comply with other legal duties imposed under HIPAA or the CMIA. But she identifies UCSF privacy and data sharing promises that extend beyond UCSF's duties under HIPAA and CMIA, including that “disclosures of ‘health information' for ‘marketing purposes . . . are strictly limited and require your written authorization.'” AC ¶ 45; id. ¶ 46 (“Under the heading ‘Other Uses and Disclosures of Health Information' UC Regents promises that ‘[o]ther ways [it] share[s] and use[s] [a patient's] health information not covered by this Notice will be made only with [the patient's] written authorization.'”); see also In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783, at *12 (N.D. Cal. May 27, 2016 (denying motion to dismiss breach of contract claim based on allegations that defendants violated “their commitment to maintain the confidentiality and security of [PII]” and “by failing to comply with their own policies and applicable laws, regulations and industry standards for data security and protecting the confidentiality” of PII); In re: Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2017 WL 539578, at *15 (D. Or. Feb. 9, 2017) (denying motion to dismiss, where privacy policy “goes beyond merely confirming Premera's obligations under HIPAA and thus the fact that HIPAA does not provide a private right of action does not preclude the Court from implying this proposed term.”).
Finally, plaintiff has sufficiently alleged damage from the type of breach asserted here. See In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 802 (N.D. Cal. 2019) (“the detriment the plaintiffs suffered was an invasion of their privacy. Perhaps some of the individual plaintiffs suffered a harm from this privacy invasion that can be measured by compensatory damages. [] Perhaps others did not, but under California law even those plaintiffs may recover nominal damages.” (citations omitted)).
In light of the foregoing, UCSF's motion to dismiss is DENIED.
IT IS SO ORDERED.