Opinion
23-cv-04179-WHO
01-19-2024
ORDER ON MOTION TO DISMISS RE: DKT. NO. 22
!William H. Orrick United States District Judge
Defendant's motion to dismiss claims four through nine of plaintiff's complaint is GRANTED on the negligence claim but DENIED as to the other challenged claims.
BACKGROUND
Plaintiff C.M. sues defendant MarinHealth Medical Group, Inc. for a number of privacy right claims. Plaintiff alleges that MarinHealth failed “to implement adequate and reasonable measures to ensure that the “personally identifiable information (‘PII') and protected health information (‘PHI') (collectively, ‘Private Information')” was protected and instead allowed “unauthorized third parties, including Meta Platforms, Inc. d/b/a Facebook (“Facebook”) to intercept” information regarding users' use of defendants' websites to seek healthcare related services through implementation of Meta's “Pixel” technology. Compl. ¶¶ 5-7. MarinHealth moves to dismiss four of the nine causes of action alleged, seeking dismissal of the claims for: (1) negligence; (2) breach of implied contract; (3) larceny, Cal. Penal Code § 496(a)&(c); and (4) unjust enrichment.
Plaintiff alleges MarinHealth “is an organization consisting of three major divisions-a hospital, foundation, and network of expert clinicians-offering a wide range of clinical services to patients in Northern California.” Compl. ¶¶ 1-4.
MarinHealth does not move to dismiss the first five causes of action alleged for violations of: (1) California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code § 56, et seq.; (2) Invasion of Privacy, Cal. Penal Code § 630, et seq.; (3) California Unfair Competition Law, Cal. Bus & Prof. Code § 17200 et seq.; (4) Invasion of Privacy (Cal. Constitution); and (5) Invasion of Privacy, Intrusion on Seclusion.
LEGAL STANDARD
Under FRCP 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570.
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). If the court dismisses the complaint, it “should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). In making this determination, the court should consider factors such as “the presence or absence of undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by previous amendments, undue prejudice to the opposing party and futility of the proposed amendment.” Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989).
DISCUSSION
I. NEGLIGENCE
MarinHealth argues that the negligence claim must be dismissed because plaintiff did not allege nonspeculative negligence damages. Mot. 3-6; Reply at 1-4. Plaintiff responds that he has satisfied that burden because he alleges that he was injured when his private information was misused and that as a result he was subjected to and will continue to be subjected to unsolicited, targeted advertising related to his specific medical conditions. Compl. ¶¶ 14, 111, 159. He also alleges that he suffered a loss of the value of that private information and loss of control over the same. Compl. ¶¶ 18, 223.
Defendant's cases primarily deal with data breach scenarios that where there is no evidence the plaintiff's personal data was used for impermissible purposes, unlike here, where plaintiff alleges that soon after visiting defendant's website he started to receive ads targeted to his medical conditions. Compl. ¶¶ 14, 111, 159. The alleged misuse of his personal data, therefore, is not speculative. This allegation suffices for Article III standing. See, e.g., In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 784 (N.D. Cal. 2019) (allegation “that the plaintiffs' sensitive information was disseminated to third parties in violation of their privacy -is sufficient to confer standing,” but rejecting standing based on allegations regarding speculative risk of identity theft and based on “diminution in value” absent plausible allegations that plaintiffs “intended to sell their non-disclosed personal information to someone else”).
See, e.g., Medoff v. Minka Lighting, LLC, No. 222CV08885SVWPVC, 2023 WL 4291973, at *9 (C.D. Cal. May 8, 2023) (alleged “increased risk of identity theft” did not amount to “appreciable, nonspeculative, present harm”); Razuki v. Caliber Home Loans, Inc., No. 17CV1718-LAB (WVG), 2018 WL 6018361, at *1 (S.D. Cal. Nov. 15, 2018 (allegations of “diminution in value of his personal data” and “continued risk to his financial information” insufficient because both “stem[ed] from the danger of future harm”); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F.Supp.2d 942, 963 (S.D. Cal. 2012 (allegations of “an increased risk of future harm, [are] insufficient to sustain a negligence claim under California law.”).
Neither side cites caselaw regarding whether a defendant's conduct allowing third-party access to sensitive information where the third-party then misuses the information, by itself, supports the injury required for a negligence claim. With respect to the diminution in value theory of injury, as I recognized in the related In re Meta Healthcare Litigation case, where “the crux of this case concerns Meta's receipt of ‘individually identifiable health information,' that plaintiffs apparently do not want Meta or anyone other than their healthcare providers to have” it is incongruous for plaintiff “to then allege they intended to participate in this market, or otherwise to derive economic value from their PII.” Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 2023 WL 5837443, at *17 (N.D. Cal. Sept. 7, 2023) (relying on Moore v. Centrelake Med. Grp., Inc., 83 Cal.App. 5th 515, 538 (2022), review denied (Dec. 14, 2022)). I recognize that discussion was in the context of the “lost money or property” element for standing under California's Unfair Competition Law (“UCL,” Cal. Bus. & Prof. Code § 17200), but it would be incongruous for plaintiff to allege an injury for negligence based on lost value of sensitive healthcare data.
Plaintiff relies on In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1142 (C.D. Cal. 2021), but there the allegations of injury from “unauthorized sharing of their private medical information,” were combined with allegations regarding “anxiety, concern, and unease” and plaintiffs had “spent many hours responding to the data breach.” It is questionable whether the wrongful dissemination of the sensitive data and the alleged “loss of control” over the sensitive data, alone, would satisfy the injury prong of the negligence claim. Plaintiff cites In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767 (N.D. Cal. 2019), but the court there. was considering Article III standing and the viability of privacy-based claims even in the absence of economic loss. Id. at 784 (“courts have often held that this particular type of intangible injury -disclosure of sensitive private information, even without further consequence - gives rise to Article III standing”); see also id. at 785-787.
See In re Facebook Priv. Litig., 791 F.Supp.2d 705, 714 (N.D. Cal. 2011) (“A plaintiff's ‘personal information' does not constitute property under the UCL.....Here, Plaintiffs do not allege that they lost money as a result of Defendant's conduct.”). That decision was affirmed by the Ninth Circuit, which reversed the dismissal of the breach of contract and fraud claims based on allegations of harm “both by the dissemination of their personal information and by losing the sales value of that information.” In re Facebook Priv. Litig., 572 Fed.Appx. 494 (9th Cir. 2014). However, the Ninth Circuit's conclusion, with respect to the contract claim, is undermined by more recent California authority. See Moore v. Centrelake Med. Grp., Inc., 83 Cal.App. 5th 515, 538 (2022), review denied (Dec. 14, 2022) (rejecting “lost-value-of-PII theory” to support standing for UCL and breach of contract claim, where plaintiffs failed to plead they “attempted or intended to participate in [the PII] market, or otherwise to derive economic value from their PII. Nor did they allege that any prospective purchaser of their PII might learn that their PII had been stolen in this data breach and, as a result, refuse to enter into a transaction with them, or insist on less favorable terms.”).
Various Northern District cases have held that allegations of “lost time and expenses Plaintiffs allege that they have already incurred due to the data breach,” can support a negligence claim, as in that scenario “future expenses and time is not too speculative to constitute cognizable injuries at the pleading stage.” Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, 2021 WL 6882392, at *5 (N.D. Cal. Sept. 8, 2021); see also Huynh v. Quora, Inc., 508 F.Supp.3d 633, 650 (N.D. Cal. 2020) (recognizing that allegations of lost time and money constitute cognizable negligence harm). Plaintiff recognizes that he has not, yet, alleged lost time or expenses related to the use of his medical information shared by defendant, although he reserves his right to do so. Oppo. at 6 n.7.
Plaintiff is given leave to amend to include his allegations regarding lost time and/or expenses in responding to the plausibly alleged misuse of his medical information and any other allegations that he believes support the required showing of injury to support his negligence claim. The negligence claim is DISMISSED with leave to amend.
II. BREACH OF IMPLIED CONTRACT
“For a breach of an implied contract claim, a plaintiff must show: (1) a valid implied-in-fact contract, (2) the plaintiff's performance or excuse for nonperformance, (3) the defendant's breach of the agreement, and (4) resulting damages.” Westron v. Zoom Video Commc'ns, Inc., No. 22-CV-03147-YGR, 2023 WL 3149262, at *2 (N.D. Cal. Feb. 15, 2023). Defendant argues that plaintiff's implied contract claim fails because plaintiff has not adequately alleged “loss of the benefit of the bargain” damages. Mot. at 7. In his Complaint, plaintiff specifically alleges that:
280. When Plaintiff and Nationwide Class Members provided their Private Information to Defendant in exchange for services, they entered into implied contracts by which Defendant agreed to safeguard and not disclose such Private Information without consent.
281. Plaintiff and Nationwide Class Members accepted Defendant's offers of services and provided their Private Information to Defendant via the Web Properties.
282. Plaintiff and Nationwide Class Members would not have entrusted Defendant with their Private Information in the absence of an implied contract between them that included Defendant's promise not to disclose Private Information without consent.
283. Defendant breached these implied contracts by disclosing Plaintiff's and Nationwide Class Members' Private Information to third parties, including Facebook.Compl. ¶¶ 280-283.
In support of its argument, defendant cites a number of cases that have required plaintiffs in data breach cases to allege specific “consideration” for the implied contract claim; meaning that the plaintiff paid something more for the alleged security promises. See Ortiz v. Perkins & Co., No. 22-CV-03506-KAW, 2022 WL 16637993, at *6 (N.D. Cal. Nov. 2, 2022) (discussing cases); see also Gardiner v. Walmart, No. 20-cv-04618-JSW, 2021 WL 2520103, at *6, *17-18 (N.D. Cal. Mar. 5, 2021) (rejecting implied contract claim where plaintiff did not allege that the defendant represented that his “purchases included a sum understood by the parties to be allocated toward customer data,” or “that the cost of the goods he purchased ... included some amount attributable to data security as required to support his benefit of the bargain theory.”); In re Linkedin User Privacy Litigation, 932 F.Supp.2d 1089, 1093 (N.D. Cal. 2013) (while plaintiffs had paid for a premium membership, “the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services,” so the complaint “d[id] not sufficiently demonstrate that included in [the p]laintiffs' bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.”); Huynh v. Quora, Inc., No. 18-cv-07597-BLF, 2019 WL 11502875 at *10 (N.D. Cal. Dec. 19, 2019) (finding no breach of contract claim where the plaintiffs “ha[d] not shown that they paid anything for the asserted privacy protections”).
Plaintiff notes that in the majority of these cases there were multiple issues precluding the claims. In Ortiz, for example, the implied breach claim was ultimately dismissed because plaintiff failed “to allege a contract, implied or otherwise, in which Defendant agreed to provide data security.” 2022 WL 16637993, at *6. In Gardiner, the contract claim was dismissed because plaintiff “does not allege facts that his Walmart purchases included a sum understood by the parties to be allocated toward customer data protection nor does he allege that he was required to agree to or accept the terms of the Privacy Policy prior to engaging in any purchase.” 2021 WL 2520103, at *6. In Huynh, the court concluded that “the lost benefit of the bargain is not sufficient to allege damages because Plaintiffs have not shown that they paid anything for the asserted privacy protections; indeed, Quora's services were free.” 2019 WL 11502875, at *10. And in In re LinkedIn, the benefit theory failed because “the User Agreement and Privacy Policy are the same for the premium membership as they are for the nonpaying basic membership. Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members.” 932 F.Supp.2d at 1093.
In contrast, this case arises in the context of paid healthcare services and is based on an ongoing relationship between the parties that plaintiff alleges was based in part, or that the amount he paid for the services was based in part, on MarinHealth's security promises. In this context, adequate consideration has been alleged for the implied contract claim. See, e.g., Medoff v. Minka Lighting, LLC, 2023 WL 4291973, at *11 (“Plaintiff is contending that the safeguard of data was an implied provision of the existing employment contract, which is supported by the consideration that he provided as part of his employment contract-his labor.”); In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1144 (C.D. Cal. 2021) (claim sufficient where “[p]laintiffs allege that they gave their private information to Defendants for purposes of obtaining genetic testing, with the understanding that Defendants would take adequate measures to protect the information.”). The motion to dismiss the breach of implied contract claim is DENIED.
Some courts have expressly disagreed with Gardiner and the line of cases requiring identification of specific sums attributable to increased security representations. See, e.g., Smallman v. MGM Resorts Int'l, 638 F.Supp.3d 1175, 1190 (D. Nev. 2022) (“The Court considers, but does not find persuasive, these cases ‘requiring allegations of a particular sum of the purchase price being explicitly allocated for data security. That is requiring too much.'”); In re Intel Corp. CPU Mktg., Sales Pracs. & Prod. Liab. Litig., No. 3:18-MD-2828-SI, 2020 WL 1495304, at *8 (D. Or. Mar. 27, 2020), aff'd, No. 22-35652, 2023 WL 7211394 (9th Cir. Nov. 2, 2023) (finding “not find persuasive the cases requiring allegations of a particular sum of the purchase price being explicitly allocated for data security. That is requiring too much. The Court finds more persuasive the line of cases that accept at the pleading stage more general factual allegations about the plaintiff's expectations for data security and the contours of the parties' bargain.”).
III. LARCENY, CAL PENAL CODE 496(A)&(C)
Plaintiff's larceny claim is brought under California Penal Code sections 496(a) & (c), on the theory that MarinHealth “knew the Private Information” from C.M. and others was obtained through “false pretenses” prohibited by Cal. Penal Code section 484 and that MarinHealth transmitted the Private Information to “unauthorized third parties, like Facebook” or Google, and “concealed, withheld, or aided in concealing or withholding” the Private Information from their rightful owners. Compl., ¶¶ 291-295; see also Bell v. Feibush, 212 Cal.App.4th 1041, 1047-48 (2013) (discussing theft by false pretenses). Defendant makes a number of challenges to this claim, each of which fail.
Plaintiff is correct that a claim for theft by false pretenses, relying on Penal Code section 484, is cognizable under section 496(a). See Bell, 212 Cal.App.4th at 1047-48.
Initially, I need not address the possible extraterritorial scope of California's larceny statute at this juncture. Plaintiff is a California resident, defendant is a California resident, and Meta - the only entity alleged to have received the stolen information and which is alleged to have designed and marketed the technology used to secure plaintiff's information - is a California resident. See Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 2023 WL 5837443, at *6 (N.D. Cal. Sept. 7, 2023) (deferring extraterritoriality issue as arguably premature, where plaintiffs plausibly alleged that the design and marketing of Meta's Pixel technology occurred in California, and where Facebook's Terms of Service specify that California law applies to disputes between Facebook and its users). Whether it is appropriate to certify a nationwide class that might include absent class members who are residents of states other than California will be determined at class certification.
Dfinity USA Rsch. LLC v. Bravick, No. 22-CV-03732-EJD, 2023 WL 2717252 (N.D. Cal. Mar. 29, 2023) does not address a similar claim in a similar posture and is, therefore, inapposite. See id. *5 (larceny claim “barred by the presumption against extraterritoriality” where the “wrongful withholding” of a former employer's computer equipment “took place solely in Michigan”).
MarinHealth next contends that plaintiff's continued use of the MarinHealth website “invalidates” his claim for larceny. Plaintiff admits that he continues to submit information to MarinHealth through MarinHealth's website, so MarinHealth argues that since he now knows his information is being stolen by MarinHealth and shared with Meta, he can no longer be “relying on false pretenses” sufficient to state a larceny claim. Reply [Dkt. No. 33] 6-7. This argument may work to cut off potential liability for larceny at some point in this case, perhaps to be raised at summary judgment or trial, but it does not warrant dismissal of the larceny claim at the motion to dismiss stage.
To plausibly state a claim of theft by false pretenses, plaintiff must allege that MarinHealth made specific false representations to him and that plaintiff transferred his property “in reliance on the representation.” See People v. Miller, 81 Cal.App.4th 1427, 1440 (2000), as modified on denial of reh'g (July 6, 2000). Here, plaintiff has identified the false pretenses and his reliance on them. Compl. ¶ 17 n.4 (“MarinHealth's Privacy Policies (and other affirmative representations) represent to Users that it will not share Private Information for marketing purposes unless patients provide written permission [MarinHealth website Privacy Policy]); ¶¶ 95-98 (identifying specific portions of Privacy Policy MarinHealth violated); ¶ 110 (“Plaintiff and Class Members relied to their detriment on Defendant's uniform representations and omissions regarding protection privacy, limited uses, and lack of sharing of their Private Information”), ¶ 228 (“Plaintiff and Nationwide Class Members reasonably relied upon the representations Defendant made in their Privacy Policy, including those representations concerning the confidentiality of Private Information, such as patient health information.”). That is sufficient. Defendant has adequate notice of the bases of plaintiff's larceny claim. There is nothing contradictory about plaintiff's admission that he continues to use defendant's site to communicate about his healthcare that would defeat this claim on a motion to dismiss.
That plaintiff alleges defendant allowed Meta's Pixel to intercept his data, but that defendant may also allow the “CAPI” workaround provided by Meta to connect directly with and receive marketing data from MarinHealth's servers, does not undermine plaintiff's larceny or other claims. See Compl. ¶¶ 41-46; Reply 8-10. Whether defendant allows Meta access to its users' personal information from Pixel or through CAPI is appropriately tested through discovery. The Complaint, however, alleges sufficient plausible facts to state the larceny claim at this juncture.
Lastly, defendant argues that plaintiff's allegations regarding MarinHealth's knowledge of Meta's receipt of its users' personal information are insufficient to show “the type of willful blindness contemplated by § 496, as opposed to mere negligence.” Nowak v. Xapo, Inc., No. 5:20-CV-03643-BLF, 2020 WL 6822888, at *2 (N.D. Cal. Nov. 20, 2020). However, plaintiff pleads that despite MarinHealth's alleged express and contradictory assertions to patients that it would not share this type of information: it incorporated the Pixel and CAPI technology knowingly and willfully into its websites; it knows that Meta uses the information secured to provide analytic services back to MarinHealth about its website; and it knows Meta uses the information it secures for marketing. Compl. ¶¶ 10, 40-44, 58, 170-171. This. That is sufficient. See Siry Inv., L.P. v. Farkhondehpour, 13 Cal. 5th 333, 362 (2022) (“In this case, the record appears consistent with a conclusion that defendants acted not innocently or inadvertently, but with careful planning and deliberation reflecting the requisite criminal intent.”). The motion to dismiss the larceny claim is DENIED.
IV. UNJUST ENRICHMENT
Finally, MarinHealth moves to dismiss the unjust enrichment claim because the only harm plaintiff seeks restitution for under this claim is the same harm he seeks damages for. Given the duplicative nature of the remedies sought, MarinHealth argues the unjust enrichment claim must be dismissed under Sonner v. Premier Nutrition Corp., 971 F.3d 834 (9th Cir. 2020). He also argues that to the extent plaintiff is seeking restitutionary disgorgement under an unjust enrichment theory, that is the same relief he seeks under his UCL claim and, therefore, the unjust enrichment claim should be dismissed as redundant.
With respect to Sonner, I have repeatedly held that at the pleading stage all a plaintiff needs to allege is inadequate remedies at law to pursue equitable claims. See, e.g., Brown v. Van's Int'l Foods, Inc., No. 22-CV-00001-WHO, 2022 WL 1471454, at *13 (N.D. Cal. May 10, 2022) (“Once the plaintiff has met her burden to plead the inadequacy of legal remedies, it will typically make sense to defer the determination of whether-on the particular facts of a particular case and in light of how the evidence develops-a plaintiff's legal remedies will ultimately be adequate. It will suffice at the pleading stage for plaintiff to plead that her legal remedies are inadequate or plead equitable claims in the alternative because her legal remedies are inadequate.”). Plaintiff has done that. Compl. ¶ 303. And with respect to the contention that his unjust enrichment claim is duplicative of the relief available under the UCL claim, plaintiff responds that under unjust enrichment he seeks non-restitutionary disgorgement, which is a type of relief that is not available under the UCL. See Korea Supply Co. v. Lockheed Martin Corp., 29 Cal.4th 1134, 1148 (2003).
Here, where plaintiff has alleged insufficient remedies as a matter of law and where plaintiff is seeking restitution not allowed under the UCL, I will not dismiss an unjust enrichment claim at the pleading stage. MarinHealth may rest assured that if this claim carries weight, during any equitable phase I will ensure that plaintiff cannot rest on it to secure a “windfall.” See Lanovaz v. Twinings N. Am., Inc., No. 12-CV-02646-R, 2015 WL 729705, at *2 (N.D. Cal. Feb. 19, 2015) (noting that courts can limit or deny disgorgement to the extent “it would result in an inappropriate windfall to the claimant, or would otherwise be inequitable in a particular case”).
CONCLUSION
The negligence claims is DISMISSED with leave to amend. The remainder of the motion to dismiss is DENIED. Plaintiff shall file his Amended Complaint within twenty (20) days of the date of this Order.
IT IS SO ORDERED.