Opinion
22-cv-2040-MMA-DDL
11-17-2023
HANNAH COUSIN, et al., individually and on behalf of all others similarly situated, Plaintiffs, v. SHARP HEALTHCARE, Defendant.
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS
[DOC. NO. 28]
HON. MICHAEL M. ANELLO, UNITED STATES DISTRICT JUDGE.
This action consists of three consolidated cases brought by Hannah Cousin, Linda Camus, and Edward Barbat (“Plaintiffs”) against Defendant Sharp Healthcare (“Defendant” or “Sharp”). See Case Nos. 22-cv-2040-MMA-DDL, 23-cv-33-MMA-DDL, 23-cv-330-MMA-DDL. The Court previously granted Defendant's motion to dismiss the Consolidated Class Action Complaint, see Doc. No. 20, and on August 2, 2023, Plaintiffs filed a First Amended Consolidated Class Action Complaint, see Doc. No. 23 (“First Amended Complaint” or “FAC”). On August 2, 2023, Defendant filed a motion to dismiss. See Doc. No. 26. Plaintiffs have filed an opposition, to which Defendant replied. See Doc. Nos. 32, 40. The Court found the matter suitable for determination on the papers and without oral argument pursuant to Civil Local Rule 7.1.d.1. See Doc. No. 41. For the reasons set forth below, the Court GRANTS IN PART and DENIES IN PART Defendant's motion to dismiss.
Reviewing Defendant's motion to dismiss, the Court accepts as true all facts alleged in the Consolidated Class Action Complaint and construes them in the light most favorable to the Plaintiffs. See Snyder & Assocs. Acquisitions LLC v. United States, 859 F.3d. 1152, 1157 (9th Cir. 2017).
The background factual allegations as set forth in the initial Consolidated Complaint remain largely unchanged in the First Amended Complaint, and so the Court incorporates its prior Order by reference here. See Doc. No. 22. Defendant is a nonprofit corporation that operates multiple hospitals and medical groups, and offers a healthcare plan, throughout San Diego, California. FAC ¶ 13. One such hospital operated by Defendant is Sharp Memorial Hospital (“Sharp Memorial”). Id. Plaintiffs are residents of California and Sharp patients, who used Defendant's website, www.sharp.com, to either search for health care providers, schedule medical appointments, or conduct other health care related matters. Id. ¶¶ 10-12, 70-88.
Due to the sensitive nature of the health-related allegations, an unredacted version of the Court's prior Order was docketed at Doc. No. 22. The Court also notes that Plaintiffs were permitted to file unredacted versions of their FAC and opposition under seal. Doc. Nos. 25, 39. The Court's citations to the FAC, Plaintiffs' opposition, and the Court's prior Order are to the redacted versions, as discussion of the confidential allegations is unnecessary at this stage.
Generally speaking, Plaintiffs allege that Defendant utilizes an online tracking tool, Meta Pixel, on its website sharp.com and related “subpages” to surreptitiously collect their, and other patients', sensitive health information. See, e.g., id. ¶¶ 1-4, 45-48. The website and subpages are defined as “unauthenticated” because they do not require a patient or user to log in to access the websites. See id. ¶ 42. According to Plaintiffs, the information is shared with Meta in “data packets” labelled with personally identifiable information such as a user's IP address, and that Meta in turn “processes this information, analyzes it, and assimilates it in order to provide targeted advertisements to businesses such as Sharp.” Id. ¶¶ 26, 29. Plaintiffs contend they did not agree to have their information collected and used this way. See, e.g., id. ¶ 3.
As a result, Plaintiffs bring the following five causes of action on behalf of a class of Sharp' website users in California: (1) violation of common law invasion of privacy -intrusion upon seclusion; (2) invasion of privacy under the California Constitution, Art. I § 1; (3) violation of the California Confidentiality of Medical Information Act, California Civil Code § 56 et seq. (“CMIA”); and (4) violation of the California Invasion of Privacy Act, California Penal Code § 630 et seq. (“CIPA”).
II. Legal Standard
A Rule 12(b)(6) motion tests the legal sufficiency of the claims made in a complaint. Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). A pleading must contain “a short and plain statement of the claim showing that the pleader is entitled to relief ....” Fed.R.Civ.P. 8(a)(2). However, plaintiffs must also plead “enough facts to state a claim to relief that is plausible on its face.” Fed.R.Civ.P. 12(b)(6); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). The plausibility standard demands more than “a formulaic recitation of the elements of a cause of action,” or “naked assertions devoid of further factual enhancement.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (internal quotation marks omitted). Instead, the complaint “must contain allegations of underlying facts sufficient to give fair notice and to enable the opposing party to defend itself effectively.” Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011).
Unless otherwise noted, all “Rule” references are to the Federal Rules of Civil Procedure. Additionally, all citations to electronically filed documents refer to the pagination assigned by the CM/ECF system.
In reviewing a motion to dismiss under Rule 12(b)(6), courts must assume the truth of all factual allegations and must construe them in the light most favorable to the nonmoving party. See Cahill v. Liberty Mut. Ins. Co., 80 F.3d 336, 337-38 (9th Cir. 1996). The court need not take legal conclusions as true merely because they are cast in the form of factual allegations. See Roberts v. Corrothers, 812 F.2d 1173, 1177 (9th Cir. 1987). Similarly, “conclusory allegations of law and unwarranted inferences are not sufficient to defeat a motion to dismiss.” Pareto v. FDIC, 139 F.3d 696, 699 (9th Cir. 1998). In deciding whether to dismiss the complaint for failure to state a claim, the court is generally bound by the facts and allegations contained within the four corners of the complaint. Hydrick v. Hunter, 500 F.3d 978, 985 (9th Cir. 2007).
Where dismissal is appropriate, a court should grant leave to amend unless the plaintiff could not possibly cure the defects in the pleading. See Knappenberger v. City of Phoenix, 566 F.3d 936, 942 (9th Cir. 2009) (quoting Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000)).
III. Discussion
As an initial matter, the Court previously addressed the issue of whether collecting and sharing of mere browsing activity on a publicly facing website is actionable. See Doc. No. 20 at 6. Defendant again moves to dismiss all claims on the basis that browsing activity on a publicly facing website is not protected, relying largely on the Court's prior Order. See Doc. No. 28 at 14. In opposition, Plaintiffs point out that they now plead that the Department of Health and Human Servies (“HHS”) issued a privacy bulletin on December 1, 2022, providing that the Health Insurance Portability and Accountability Act (“HIPAA”) applies to the use of tracking technologies such as Meta Pixel embedded on an unauthenticated webpage that, for example, “addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances.” FAC ¶ 101.
HIPAA defines “protected health information,” or “PHI” as “individually identifiable” information that is “created or received by a health care provider” and that “[r]elates to the past, present, or future physical or mental health or condition of an individual” or the “provision of health care to an individual.” 45 C.F.R. § 160.103. Having reviewed Plaintiffs' allegations, see FAC ¶¶ 70-91, the Court finds that their interactions on Defendant's website, while “unauthenticated” or publicly facing, plausibly involve PHI. As to whether the information is individually identifiable, all three Plaintiffs plead that they are Facebook users. Id. ¶¶ 70, 75, 84. Plaintiffs allege at length how Meta Pixel uses JavaScript code to connect internet activity to a specific individual using IP addresses and Facebook credentials. See id. ¶¶ 23, 27-28, 50-68. Turning to the information that is tracked and whether it is protected, Plaintiff Cousin alleges that she used Sharp's website to search for a primary care physician. Id. ¶ 71. Namely, she filtered the results of Sharp's physician directory by, among other things, specialty. This just narrowly survives dismissal by demonstrating that her interactions plausibly relate to the provision of health care. Plaintiffs Camus and Barbat, on the other hand, set forth their particular medical conditions and allege that they searched Defendant's website for doctors who specialize in these conditions and for information about their conditions (i.e., symptoms, treatments, procedures). Id. ¶¶ 77-82, 85-87. Camus also alleges she booked an appointment to obtain treatment for a medical condition. Id. ¶ 81. These interactions plausibly convey information about a present medical condition and the provision of medical care covered by HIPAA.
For these reasons, the Court DENIES Defendant's motion to the extent it seeks to dismiss all claims on this basis.
A. Claim 1: Common Law Invasion of Privacy - Intrusion Upon Seclusion
“To state a claim for intrusion upon seclusion under California common law, a plaintiff must show that: (1) a defendant ‘intentionally intrude[d] into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy [,]' and (2) that the intrusion ‘occurred in a manner highly offensive to a reasonable person.'” Davis v. Facebook Inc., (In re Facebook, Inc. Internet Tracking Litig.) 956 F.3d 589, 601 (9th Cir. 2020) (quoting Hernandez v. Hillsides, Inc., 97 Cal.Rptr.3d 274, 285 (Cal. 2009)). In moving to dismiss this claim, Defendant challenges Plaintiffs' pleading of the second element, arguing that any intrusion is not “highly offensive.” Doc. No. 28 at 15-17.
Whether an alleged intrusion is highly offensive to a reasonable person is an issue not capable of resolution, on these facts, at the motion to dismiss stage. As both parties note, the Ninth Circuit has explained that such a determination “requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive.” In re Facebook, 956 F.3d at 606 (citing Hernandez, 97 Cal.Rptr.3d at 287). Here, Plaintiffs allege that their medical conditions and statuses as patients with certain doctors were tracked on Defendant's website and transmitted to Meta. They contend this information, which was collected during their use of Defendant's website, was linked to them using their Facebook accounts and/or IP address. FAC ¶ 4. They assert Defendant's use of Meta Pixel, and Meta's collection of this information, is for targeted advertising. Id. ¶¶ 18, 29. And they identify a variety of sources that note privacy and policy concerns. Id. ¶¶ 35-40. Simply put, in light of Plaintiffs' allegations, “[t]he ultimate question of whether [Defendant's disclosure of their information through Meta Pixel] could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.” Id. Accordingly, the Court DENIES Defendant's motion on this basis.
B. Claim 2: California Constitution Invasion of Privacy
“A claim for invasion of privacy under the California Constitution involves similar elements.” Id. Plaintiffs must plead “that: (1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion [is] ‘so serious . . . as to constitute an egregious breach of the social norms' such that the breach is ‘highly offensive.'” Id. (quoting Hernandez, 97 Cal.Rptr.3d at 285). “Because of the similarity of the tests, courts consider the claims together and ask whether: (1) there exist a reasonable expectation of privacy, and (2) the intrusion was highly offensive.” Id. at 601.
Defendant challenges Plaintiffs' second cause of action for substantively the same reason discussed above: that Plaintiffs fail to plausibly plead any invasion was sufficiently egregious. Doc. No. 28 at 18. For the same reasons, the Court DENIES Defendant's motion to dismiss Plaintiff's second claim. Plaintiffs have plausibly pleaded that the alleged invasion of privacy is highly offensive.
Defendant also moves to dismiss this claim to the extent Plaintiffs seek monetary damages. Id. As the Court previously explained, “California's ‘constitutional provision protecting the right of privacy . . . supports a cause of action for an injunction' but it does not confer on a litigant a private right of action for damages.” Moore v. Rodriguez, No. 20-cv-01481-BAS-BGS, 2021 U.S. Dist. LEXIS 103725 at *58-59 (S.D. Cal. June 2, 2021) (dismissing an invasion of privacy claim against private defendants under Rule 12(b)(6) because the plaintiffs only sought “damages, and not an injunction, as relief”) (citing Clausing v. San Francisco Unified Sch. Dist., 271 Cal.Rptr. 72, 78, (Cal.Ct.App. 1990)). Plaintiffs do not address this argument in opposition, and therefore seemingly concede they cannot seek monetary damages in connection with this claim. Therefore, the Court GRANTS Defendant's motion to dismiss Plaintiff's claim for monetary damages under Article 1, Section 1 of the California Constitution.
C. Claim 3: Violation of CMIA
CMIA prohibits the unauthorized disclosure of medical information and the negligent maintenance or preservation of medical information. Cal. Civ. Code §§ 56.10(a), 56.101(a). CMIA defines “Medical Information” as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan . . . regarding a patient's medical history, mental health application information, mental or physical condition, or treatment.” Cal. Civ. Code § 56.05(i). “‘Individually identifiable' means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.” Id.
It is clear that the California Civil Code's definition for information protected by CMIA largely tracks HIPAA's definition of PHI. Therefore, for the reasons discussed above, the Court finds that Plaintiffs have plausibly pleaded their protected medical information, as defined by HIPAA and California Civil Code § 56.05, was disclosed by Defendant. For this reason, the Court DENIES Defendant's motion to dismiss Plaintiffs' CMIA claim on this basis.
Defendant also argues that Plaintiffs fail to allege their information was transmitted or viewed and therefore have not plausibly pleaded their claim. Doc. No. 28 at 19-23. However, Plaintiffs do plead their information was transmitted to Meta. See, e.g., FAC ¶¶ 29, 74, 83, 88. Plaintiffs must also plausibly plead that their medical information was “improperly viewed or otherwise accessed.” Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 923 (S.D. Cal. 2020) (citing Regents of Univ. of Cal. v. Superior Court, 163 Cal.Rptr.3d 205, 208 (Cal.Ct.App. 2013)). Here Plaintiffs allege upon information and belief that “Meta regularly viewed” the information. FAC ¶ 29. Plaintiffs also plead information regarding Meta's business model and how it uses the information for targeted advertising. See, e.g., id. ¶ 174. Whether Meta, as an entity and not a human being, can “view” information for CMIA purposes is a question the Court cannot resolve at this stage. Similarly, whether the alleged use by Meta of the information, through perhaps algorithms, amounts to viewing or accessing under CMIA is a question the Court cannot answer on Defendant's motion to dismiss. It is sufficiently plausible at this time that Plaintiffs' information was “viewed or otherwise accessed” as contemplated by CMIA. Accordingly, the Court DENIES Defendant's motion to dismiss Plaintiff's CMIA claim on this basis as well.
D. Claim 4: Violation of CIPA
CIPA “broadly prohibits the interception of wire communications and disclosure of the contents of such intercepted communications.” Tavernetti v. Superior Court of San Diego Cty., 148 Cal.Rptr. 883, 885 (Cal. 1978). Namely, it prohibits the use of electronic means to “learn the contents or meaning of any message, report, or communication” “without the consent of all parties to the communication.” Cal. Pen. Code § 631(a). Liability may be had against those who aid another in violating this statute. Id.
Here, Defendant argues that Plaintiffs fail to allege facts showing that “contents of communications are at issue.” Doc. No. 28 at 24. “The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.” Cline v. Reetz-Laiolo, 329 F.Supp.3d 1000, 1051 (N.D. Cal. 2018) (internal citation omitted). The Wiretap Act defines the term “contents” as “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510. The Ninth Circuit has held that “contents” means “the intended message conveyed by the communication and does not include record information regarding the characteristics of the message that is generated in the course of the communication.” Graf v. Zynga Game Network, Inc. (In re Zynga Privacy Litig.), 750 F.3d 1098, 1107 (9th Cir. 2014). Defendant discusses Zynga as supporting its position. See Doc. No. 28 at 24. But the Ninth Circuit in Zynga expressly left open the possibility that transmission of electronic data such as URLs could amount to the conveyance of the content of a communication: “Under some circumstances, a user's request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” 750 F.3d at 1108-09. Thereafter, in In re Facebook, the Ninth Circuit explained that search “terms and the resulting URLs could divulge a user's personal interests, queries, and habits on third-party websites” but did not consider whether such information amounted to “content” for the purpose of CIPA or the federal Wiretap Act. 956 F.3d at 605, 607.
The Court finds the approach and discussion in Hammerling v. Google, LLC, persuasive.
Courts employ a contextual “case-specific” analysis hinging on “how much information would be revealed” by the information's tracking and disclosure. Google Cookie Placement, 806 F.3d at 137-38. Generally, customer
information such as a person's name, address, and subscriber number or identity is record information, but it may be contents when it is part of the substance of the message conveyed to the recipient. See id. at 137; Zynga, 750 F.3d at 1104, 1108-09. Similarly, URLs are record information when they only reveal a general webpage address and basic identification information, but when they reproduce a person's personal search engine queries, they are contents. See id. at 1108; Forrester, 512 F.3d at 510 n.6.615 F.Supp.3d 1069, 1092-93 (N.D. Cal. 2022). However, unlike the information collected by Google in Hammerling, which merely involved “usage and engagement” data, id. 1078, here Plaintiffs allege that their data included personal search queries- such as specialty healthcare providers and treatments for medical conditions-and therefore plausibly conveyed content: their PHI. See In re Google RTB Consumer Priv. Litig., 606 F.Supp.3d 935, 949 (N.D. Cal. 2022); see also Gershzon v. Meta Platforms, Inc., No. 23-cv-00083-SI, 2023 U.S. Dist. LEXIS 147448, at *35 (N.D. Cal. Aug. 22, 2023); In re Meta Pixel Healthcare Litig., No. 22-cv-03580-WHO, 2022 U.S. Dist. LEXIS 230754, at *36 (N.D. Cal. Dec. 22, 2022). Accordingly, the Court DENIES Defendant's motion to dismiss Plaintiff's CIPA claim on this basis.
IV. Conclusion
Based upon the foregoing, the Court GRANTS IN PART and DENIES IN PART Defendant's motion to dismiss. Namely, the Court DISMISSES Plaintiffs' invasion of privacy claim under the California Constitution (Claim 2) only to the extent Plaintiffs seek monetary damages. The Court DENIES the remainder of Defendant's motion. The Court DIRECTS Defendant to file an answer within twenty-one (21) days of the date of this Order.
IT IS So ORDERED.