Summary
finding no injury in fact based on deprivation of value of PII where plaintiff "has not alleged that he intended to sell his [PII], that he plans to sell it in the future, that he is foreclosed from doing so because of the Data Breach, or that the data breach reduces the value of the [PII] he possesses"
Summary of this case from Duqum v. Scottrade, Inc.Opinion
No. 2:14–cv–02247–GEB–KJN.
2015-08-27
Timothy G. Blood, Blood Hurst & O'Reardon LLP, San Diego, CA, Richard L. Coffman, The Coffman Law Firm, Beaumont, TX, for Plaintiff. Kenneth Lee Chernof, Arnold & Porter, LLP, Washington, DC, Sharon Mayo, Arnold & Porter LLP, San Francisco, CA, for Defendant.
Timothy G. Blood, Blood Hurst & O'Reardon LLP, San Diego, CA, Richard L. Coffman, The Coffman Law Firm, Beaumont, TX, for Plaintiff.
Kenneth Lee Chernof, Arnold & Porter, LLP, Washington, DC, Sharon Mayo, Arnold & Porter LLP, San Francisco, CA, for Defendant.
ORDER GRANTING DEFENDANT'S DISMISSAL MOTION UNDER RULES 12(b)(1) AND 12(b)(6)
GARLAND E. BURRELL, JR., Senior District Judge.
Defendant moves under Federal Rules of Civil Procedure (“Rules”) 12(b)(1) and 12(b)(6) for dismissal of Plaintiff's putative class action, arguing under Rule 12(b)(1): “Plaintiff lacks Article III standing [to pursue his claims] because he has not alleged a cognizable injury[ ] in[ ] fact traceable to any action by [Defendant], and the Court therefore lacks subject matter jurisdiction.” (Def.'s Mem. P. & A. Supp. Mot. Dismiss (“Mot.”) 2:9–10, ECF No. 21.) Plaintiff alleges subject matter jurisdiction under 28 U.S.C. §§ 1332(a) and 1332(d).
Plaintiff's allegations include the following:
[This is a] California consumer class action to secure redress .... [for the] betray[al of] Plaintiff's and [putative] Class Members' trust.... In September 2011, [Defendant] ... fail[ed] to properly safeguard and protect [Plaintiff's and putative Class Members' personally identifiable information (“PII”) and private health information (“PHI”) ], and publicly disclos[ed] their PII/PHI without authorization (the “Data Breach”), in violation of ... the California Confidentiality of Medical Information Act (“CMIA”) (CAL. CIV. CODE § 56, et seq.), California Unfair Competition Law (CAL. BUS. & PROF. CODE § 17200, et seq.), and California common law.
Plaintiff and [putative] Class Members are current and former United States military servicemen, servicewomen, and the family members of these servicemen and women....
The United States Department of Defense ... contracted with [Defendant] to provide ... electronic information management and data security services for safeguarding and protecting Plaintiff's and [putative] Class Members' PII/PHI, all of which was entrusted to [Defendant] in connection with obtaining health care coverage....
[O]n September 12, 2011, Plaintiff's and [putative] Class Members' PII/PHI .... was contained on backup data tapes transported in an unsecure manner by [Defendant's] newly hired, low-level employee in his personal vehicle. The data tapes were taken from the [employee's] vehicle while it was parked in downtown San Antonio, Texas, and left unattended for over eight hours.
....
A thief or thieves broke into the [Defendant's] employee's ... vehicle, which had no special protections for the information, and took the ... backup data tapes, thereby gaining information worth millions of dollars, which the thief or thieves subsequently sold, transferred, opened, read, mined, and otherwise used without Plaintiff's and [putative] Class Members' authorization.
(Compl. ¶¶ 1–4, 56.)
The wrongfully disclosed PII/PHI included, inter alia, Plaintiff's and [putative] Class Members' Social Security numbers, addresses, dates of birth, telephone numbers, and personal health data—including private medical records, health provider information, laboratory test results, medical diagnoses, and prescription medication information.... Plaintiff's and [putative] Class Members' PII/PHI was ... either unencrypted or improperly partially encrypted.
(Id. ¶ 5.)
Defendant argues:
This case follows closely on the heels of the rejection by the U.S. District Court for the District of Columbia of the same and similar class action claims brought by 31 other plaintiffs represented by Plaintiff's counsel [in] In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig. 45 F.Supp.3d 14 (D.D.C. May 9, 2014). [The SAIC court] held that those plaintiffs lacked Article III standing because, consistent with the holdings of the vast majority of courts addressing similar fact patterns, ‘the mere loss of data—without evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing.’ [SAIC, 45 F.Supp.3d] at 19.
(Mot. 1:12–19.)
Article III of the Constitution limits the jurisdiction of federal courts to actual “Cases” and “Controversies.” U.S. Const. art. III, § 2. “ ‘One element of the case-or-controversy requirement’ is that plaintiff [ ] ‘must establish that [he has] standing to sue.’ ” Clapper v. Amnesty Int'l USA, ––– U.S. ––––, 133 S.Ct. 1138, 1146, 185 L.Ed.2d 264 (2013) (quoting Raines v. Byrd, 521 U.S. 811, 818, 117 S.Ct. 2312, 138 L.Ed.2d 849 (1997)). To satisfy Article III standing,
the plaintiff must have suffered an injury in fact—an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical. Second, there must be a causal connection between the injury and the conduct complained of—the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.
Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (citations omitted) (internal quotation marks, brackets and ellipses omitted). “Moreover, if ... the named plaintiff[ ] purporting to represent a class [has not] established the requisite of a case or controversy with the defendant[ ], [he] may [not] seek relief on behalf of himself or any other member of the class.” O'Shea v. Littleton, 414 U.S. 488, 494, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974).
“Under Rule 12(b)(1), a defendant may challenge the plaintiff's jurisdictional allegations in one of two ways. A ‘facial’ attack accepts the truth of the plaintiff's allegations but asserts that they are insufficient on their face to invoke federal jurisdiction. The district court resolves a facial attack as it would a motion to dismiss under Rule 12(b)(6): Accepting the plaintiff's allegations as true and drawing all reasonable inferences in the plaintiff's favor, the court determines whether the allegations are sufficient as a legal matter to invoke the court's jurisdiction.
A ‘factual’ attack, by contrast, contests the truth of the plaintiff's factual allegations, usually by introducing evidence outside the pleadings. When the defendant raises a factual attack, the plaintiff must support h[is] jurisdictional allegations with ‘competent proof,’ under the same evidentiary standard that governs in the summary judgment context. The plaintiff bears the burden of proving by a preponderance of the evidence that each of the requirements for subject-matter jurisdiction has been met. With one caveat, if the existence of jurisdiction turns on disputed factual issues, the district court may resolve those factual disputes itself.
Leite v. Crane Co., 749 F.3d 1117, 1121–22 (9th Cir.2014) (internal citations quotations omitted). Defendant's jurisdictional challenge is a “facial” attack of the pled allegations, which means that Defendant “asserts that the allegations contained in [the] complaint are insufficient on their face to invoke federal jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir.2004).
“The party asserting jurisdiction bears the burden of establishing subject matter jurisdiction on a Rule 12(b)(1) motion to dismiss.” MCI Commc'ns Servs., Inc. v. City of Eugene, OR, 359 Fed.Appx. 692, 697 (9th Cir.2009); see also Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377, 114 S.Ct. 1673, 128 L.Ed.2d 391 (1994) (stating: “Federal courts are of limited jurisdiction.... It is to be presumed that a cause [of action] lies outside of this limited jurisdiction ... and the burden of establishing the contrary rests upon the party asserting jurisdiction.”)
I. DISCUSSION
a. Actual Identity Theft, Identity Fraud and/or Medical Fraud
Defendant argues Plaintiff's actual injury allegations are insufficient to sustain his burden of establishing Article III standing. Plaintiff alleges he has experienced “actual identity theft, identity fraud, and/or medical fraud” because of having his PII/PHI stolen. (Compl. ¶ 9.) Specifically, Plaintiff alleges as follows:
[I]n April 2012, Fernandez secured employment as an armaments/logistics government contractor at Travis Air Force Base in north central California, subject to obtaining the appropriate security clearance. Fernandez, however, could not obtain the required security clearance because certain addresses at which he never lived, and certain large purchases he never made, appeared on his credit reports and did not match his actual previous addresses listed on his employment application. The fraudulent entries on his credit reports logically could only be the direct and/or proximate result of the Data Breach. Because he could not obtain the required security clearance, Fernandez lost the government contractor position, which paid $55,000$60,000 per year
Fernandez also experienced other forms of identity theft and[ ] identity fraud, including: (i) multiple attempted logins to his Microsoft and Yahoo accounts requiring him to change his passwords and login information several times, and (ii) notification by his bank, Bank of America, that someone posing as Fernandez attempted to open a bank account in a Bank of America branch in San Diego, California, using his wrongfully disclosed and compromised PII/PHI.
[Additionally,] Fernandez has received an ongoing and increasing stream of electronic mail and regular mail advertisements from drug companies, Canadian online pharmacies, and other health care providers specifically targeting three medical conditions from which he suffers. Fernandez did not receive the type and volume of such targeted advertisements prior to the Data Breach. These advertisements logically could only be the direct and/or proximate result of the data thieves and their customers buying, selling, opening, reading, mining, and using Fernandez's PII/PHI wrongfully disclosed in the Data Breach.
[Further,] Fernandez was informed that several other persons named ‘Martin Fernandez’ with his birthdate had been treated at the clinic for medical conditions from which Fernandez does not suffer. Fernandez also has been involved in a lengthy dispute with the Veterans Administration regarding the proper amount of compensation for his injured eye. Fernandez has been required to go through multiple levels of appeal. At each appellate level, however, a determination could not be made because Fernandez's medical records are lost and incomplete. The Veteran Administration's inability to make a determination, in turn, has delayed and reduced the amount of Fernandez's compensation for his injury.
(Compl. ¶¶ 17–20.)
Defendant responds to Plaintiff's actual identity theft, identity fraud and/or medical fraud allegations as follows:
Plaintiff's alleg[ation] that in April 2012 he ‘lost [a] government contractor position’ for which he had applied, due to an inability to ‘obtain the required security clearance,’ due to erroneous information in a credit report, which Plaintiff surmises ‘logically could only be the direct and/or proximate result of the Data Breach,’ .... [consists of a] ‘highly attenuated chain’ of events and inferences ... [and] reeks of implausibility.... [E]ven if errors on a credit report could be deemed to suggest some kind of fraudulent use of Plaintiff's identity by some unknown person at some point in the past, they in no way suggest [Defendant] or the September 2011 backup tape theft had anything to do with it.
....
[Further,] [t]he Complaint omits the dates of erroneous addresses and purchases on the credit report (information that is typically reflected on the face of a credit report),
leaving the reader to guess whether those errors even arose after, rather than before, the [Data Breach].
....
Plaintiff makes only a vague claim that the unspecified errors [on his credit report] harmed him indirectly by inducing the Government to deny him a security clearance which in turn allegedly prevented him from getting a job. But this, too, defies plausibility. Plaintiff does not attempt to explain why the Government would deny a security clearance to an otherwise eligible veteran of our Armed Forces because of the type of routine errors in credit reports that affect a significant percentage of the American population.
(Id. 7:19–8:19) (emphasis added).
Defendant also argues Plaintiff lacks standing to bring his claims based on
[the] alleg[ation] that someone unsuccessfully attempted to log-in to his email accounts and that someone unsuccessfully attempted to open a bank account in his name. Compl. ¶ 18 However, the backup tape theft cannot plausibly explain these attempts. The backup tapes did not include e-mail addresses. Compl. ¶ 5 (listing information on the backup tapes). And the Complaint does not explain how failed attempts to access Plaintiff's e-mail or open a bank account in his name could have injured Plaintiff.
(Id. 8:20–25) (emphasis in original).
Defendant further argues:
“Plaintiff['s] alleg[ation] of an ‘ongoing and increasing stream of electronic mail and regular mail advertisements from drug companies' .... lack [s] any plausible connection to the [D]ata [B]reach because the stolen backup tapes did not include email addresses.... Plaintiff does not otherwise link the [advertisements] to the tapes, claim that the [marketers] have personal or private information found on the tapes, or even allege that his [home address] was unlisted and hence would have been difficult for marketers to locate absent the assistance of the data thief. In other words, Plaintiff seems to simply be one among the many of us who are interrupted in our daily lives by unsolicited [advertisements]. [Plaintiff's] harm, consequently, cannot plausibly be linked to the tapes.
(Id. 8:26–9:7.) (internal quotation marks and citations omitted) (emphasis added).
Defendant also argues Plaintiff's allegation “that ‘there was confusion regarding his appointment’ at a recent visit to ... [a] VA Clinic ... [when] ‘several other persons named Martin Fernandez with his birthdate [were] treated at the clinic for medical conditions from which Fernandez does not suffer ...’ ” (id. 9:8–11), is not an injury in fact fairly traceable to the Data Breach as follows:
[O]ther than temporary ‘confusion,’ Plaintiff does not explain how the treatment of others with his name constitutes injury for the purpose of Article III standing. Moreover, [this] theory of standing requires the Court to indulge in an incredible chain of assumptions: that after the backup tape theft in San Antonio, Texas, an individual accessed his information on the backup tapes, then transferred that information to multiple individuals who happened to be in Southern California and wanted a way to obtain free health care, each of whom then falsely posed as Martin Fernandez to obtain free health care in the very same clinic ... that the real Martin Fernandez, who resides in Elk Grove, would later happen to visit for medical care.
Plaintiff's need to resort to such an outlandish and ‘highly attenuated chain’ of events ... only highlights his utter inability to satisfy Article III's requirements.
(Id. 9:11–21) (emphasis added). Lastly, Defendant argues:
Plaintiff['s] alleg[ation] that his ‘medical records are lost and incomplete’ ... has no plausible connection with the [Data Breach]. After all, the stolen tapes were backup tapes, not unique originals. Plaintiff offers no explanation as to how the theft of the backup tapes could cause his medical records to be incomplete or lost.
(Id. 9:22–25) (emphasis added).
Plaintiff's allegations that someone attempted to open a bank account in his name, attempted to log in to his email accounts, and that he received an increased number of email advertisements targeting his medical conditions do not allege injuries in fact fairly traceable to the Data Breach, since Plaintiff has not alleged that bank account information or email addresses were on the stolen backup data tapes. (See Compl. ¶ 5) (describing the information contained on the backup data tapes). If certain “information [is] not on the [stolen] tapes ... Plaintiff[ ] cannot causally link [the use of that information] to the [Data Breach].” SAIC, 45 F.Supp.3d at 32; see also id. at 33 (finding the plaintiffs did not have standing based on allegations concerning the misuse of their bank accounts where they “proferr[ed] no plausible explanation for how the thief would have acquired their banking information.”).
In addition, Plaintiff's allegation that he could not obtain the required security clearance for a job he sought since his credit report contained addresses at which he never lived, and purchases he never made, which in turn caused him to lose that job opportunity, requires judicial endorsement of a standing theory “that require[s] guesswork as to how [an] independent decisionmaker[ ] ... exercise[d][its] judgment” in denying Plaintiff a security clearance. Clapper, 133 S.Ct. at 1150 (“We decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors.”)
Further, Plaintiff's allegation that he was injured when he received an increasing number of regular mail advertisements after the Data Breach targeting his medical conditions is not plausibly alleged as an injury fairly traceable to the Data Breach. Plaintiff has not alleged that his home address is not publicly available and therefore “would have been difficult for marketers to locate absent the assistance of the data thief.” SAIC, 45 F.Supp.3d at 33 (emphasis added) (finding a plaintiff did not have standing where he did not “allege that his home phone number was unlisted.”) Moreover, Plaintiff has not alleged that the medical conditions from which he suffers, and to which the advertisements are allegedly targeted, were listed in his medical records before the Data Breach.
Additionally, Plaintiff has not alleged facts from which a plausible inference could be drawn that the medical treatment of others with his name and birthdate for different medical conditions than Plaintiff has, which allegedly caused “confusion,” (Compl. ¶ 20), is an injury fairly traceable to the Data Breach.
Nor has Plaintiff “establish[ed] standing [based on lost medical records] because only backup tapes were stolen from the SAIC employee's car,” SAIC, 45 F.Supp.3d at 32 (emphasis in original), and Plaintiff has not alleged facts from which a plausible inference could be drawn that the theft of backup tapes caused the entirety of his medical records to become incomplete or lost.
For the stated reasons, Plaintiff has not shown he has standing to bring actual identity theft, identity fraud and/or medical fraud claims.
b. Increased Risk of Harm
Defendant also argues that Plaintiff's allegations of “an imminent, immediate and continuing risk of identity theft, identity fraud and medical fraud—risks justifying expenditures for protective and remedial services for which he is entitled to compensation,” (Compl. ¶ 9), constitute “[s]peculation and assumptions about future harm [which] cannot transform a threatened injury into a certainly impending one.” (Mot. 10:4–10.) Specifically, Defendant argues: “Plaintiff alleges no facts plausibly suggesting that the thief ... recognized the [data] tapes for what they were, found a tape reader, acquired the proper software, deciphered the encrypted portions of the information, learned to read the information correctly, and then accessed Plaintiff's personal information....” (Id. 12:17–21.)
When an “alleged injury has not yet occurred .... [courts] ... must determine whether [the plaintiff's] alleged injury is ‘ imminent.’ An injury is imminent ‘if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.' ” Montana Environmental Information Center v. Stone–Manning, 766 F.3d 1184, 1189 (9th Cir.2014) (emphasis added) (quoting Clapper, 133 S.Ct. at 1147; Susan B. Anthony List v. Driehaus, ––– U.S. ––––, 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (2014)). “[P]laintiffs bear the burden of pleading ... concrete facts showing that the defendant's actual action has caused the substantial risk of harm. Plaintiffs cannot rely on speculation about the unfettered choices made by independent actors not before the court.” Clapper, 133 S.Ct. at 1150 n. 5 (emphasis added).
Plaintiff has not shown there is a substantial risk that his PII/PHI will be imminently misused “in light of the attenuated chain of inferences necessary to find harm here.” Clapper, 133 S.Ct. at 1150 n. 5. Specifically, Plaintiff's allegations concerning his increased risk of harm require “speculation ... [about the] decisions or capabilities of ... independent, unidentified actor [s],”—the data thief or thieves, and whether they intend to misuse Plaintiff's PII/PHI at some point in the future. In re Zappos.com, Inc., 108 F.Supp.3d 949, 959, No. 3:12–CV–00325–RCJ–VP, 2015 WL 3466943, at *8 (D.Nev. June 1, 2015) (stating: “Should the person or persons in possession of Plaintiff's information choose not to misuse the data, then the harm Plaintiff[ ] fears will never occur.... Plaintiff's damages at this point rely almost entirely on conjecture.”) As stated in SAIC,
[T]here is simply no way to know [whether identity theft, identity fraud and/or medical fraud will occur] until either the [thief] is apprehended or the data is actually used.
Courts for this reason are reluctant to grant standing where the alleged future injury depends on the actions of an independent third party.
SAIC, 45 F.Supp.3d at 25 (citing Clapper, 133 S.Ct. at 1150) (emphasis added).
Further, in light of the fact that Plaintiff waited thirty-six months after the Data Breach to file his Complaint, and that now almost four years has elapsed since the Data Breach, Plaintiff has not shown that any alleged risk of future identity theft, identity fraud, and/or medical fraud is imminent. See SAIC, 45 F.Supp.3d at 34 (declining to find that there was “imminent ... harm,” inter alia, since “given that thirty-four months have elapsed, either the malefactors are extraordinarily patient or no mining of the tapes has occurred.”).
For the stated reasons, Plaintiff has not alleged facts from which a plausible inference could be drawn that he suffers from a substantial risk of imminent future harm of identity theft, identity fraud and/or medical fraud.
c. Standing Based on Invasion of Privacy or Breach of Confidentiality
Defendant argues Plaintiff's allegation that there has been a “breach of the confidentiality of his personal information .... is insufficient to establish Article III standing .... [since] Plaintiff does not allege any facts that plausibly suggest anyone has accessed his personal information.” (Mot. 12:25–13:6.) As stated in SAIC:
For a person's privacy to be invaded, their personal information must, at a minimum, be disclosed to a third party. Existing case law and legislation support that common-sense intuition: If no one has viewed your private information (or is about to view it imminently), then your privacy has not been violated.
45 F.Supp.3d at 28 (finding “[the] disclosure and access of [the plaintiffs'] personal information is anything but certain. Rather, the information itself is locked inside tapes that require some expertise to open and decipher.”) (citing statutes and cases).
Plaintiff has not alleged facts from which a plausible inference could be drawn that anyone has viewed his PII/PHI as a result of the Data Breach. Therefore, Plaintiff has not shown he has standing to bring his claims based on his allegations of invasion of privacy or breach of confidentiality.
d. Standing Based on Deprivation of Value of Plaintiff's Personal Information
Defendant argues Plaintiff's allegation of “standing based on [the] ‘deprivation of the value of his [personal information] for which there is a well-established national and international market’ .... [is] inadequate.” (Mot. 13:22–24.) Specifically, Defendant argues:
[Plaintiff] fails to allege that he has the ability to sell his personal information, that he has attempted to sell this information but could not do so because of the theft, or that he plans to sell this data in the future. Without any such allegations, Plaintiff's deprivation-of-value theory does not confer Article III standing.
(Mot. 14:8–11.)
Where the plaintiff has not alleged that he “attempted to sell his PII [;] that he would to do so in the future[;] or that he was foreclosed from entering into a ... transaction relating to his PII[ ] as a result of [the defendant's] conduct,” the plaintiff has “not alleged facts sufficient to show [an] injury[ ] in [ ]fact based on the purported diminution in value of his PII.” Yunker v. Pandora Media, Inc., No. 11–cv–03113–JSW, 2013 WL 1282980, *4 (N.D.Cal. Mar. 26, 2013); accord SAIC, 45 F.Supp.3d at 30.
Here, Plaintiff has not alleged that he intended to sell his PII/PHI, that he plans to sell it in the future, that he is foreclosed from doing so because of the Data Breach, or that the data breach reduces the value of the PII/PHI he possesses. See generally Green v. eBay Inc., 2015 WL 2066531, at *5 n. 59 (E.D.La. May 4, 2015) (stating: “Even if the Court were to find that personal information has an inherent value and the deprivation of such value is an injury sufficient to confer standing, Plaintiff has failed to allege facts indicating how the value of his personal information has decreased as a result of the Data Breach”). Therefore, Plaintiff has not shown he has standing to bring his claims based on his allegation that he has been deprived of the value of his PII/PHI.
e. Standing Based on Plaintiff's Lost Benefit of the Bargain or Diminished Value of Products and Services Received
Defendant argues Plaintiff's allegations that he has standing to bring his claims based on the “diminished value of the healthcare products, medical insurance and/or medical services [he] purchased from [his healthcare provider],” (Compl. ¶ 97), and a “lost benefit of [his] bargain” (id. ¶ 119), “lack[ ] any explanation of how the value of Plaintiff's health care—which he received through [Plaintiff's healthcare provider], not from [Defendant]—has been diminished.” (Mot. 14:17–18.)
In SAIC, the court found plaintiffs did not have standing to bring claims based on the allegation that the value of their healthcare was diminished as a result of the backup tape theft, stating:
[The plaintiffs] do not maintain ... that the money they paid [to their healthcare provider] could have or would have bought a better policy with a more bullet-proof information-security regime.
Put another way, [the p]laintiffs have not alleged facts that show that the market value of their insurance coverage (plus security services) was somehow less than what they paid. Nothing in the Complaint makes a plausible case that [the p]laintiffs were cheated out of their premiums. As a result, no injury lies.
SAIC, 45 F.Supp.3d at 30 (emphasis added).
This reasoning in SAIC is persuasive and is adopted. Here, Plaintiff has not alleged facts from which a plausible inference could be drawn that he has been injured by a loss in value of his insurance coverage, nor has he alleged that the value of his health care coverage after the Data Breach is less than what it was before the Data Breach. Therefore, Plaintiff has not shown he has standing to bring his claims based on these allegations.
f. Allegations Under the California Confidentiality of Medical Information Act (“CMIA”)
Defendant also moves for dismissal under Rule 12(b)(1) of Plaintiff's CMIA claim, arguing: “Plaintiff fails to state a claim ... because [Defendant] is not the type of health-care entity covered by the CMIA.” (Mot. 13:10–11.) This portion of the motion actually seeks dismissal under Rule 12(b)(6) and will be considered under that rule.
The Confidentiality of Medical Information Act (“CMIA”) (Civ.Code § 56 et seq.) prescribes: “[a] provider of health care, [a] health care service plan, or [a] contractor shall not disclose medical information ....” and any such entity that “negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information ...” is liable under the CMIA. Cal. Civ.Code §§ 56.10, 56.101 (emphasis added). The CMIA states a “contractor” is a “medical group, independent practice association, pharmaceutical benefits manager, or ... medical service organization [that] is not a health care service plan or provider of health care.” Id. § 56.05(d) (emphasis added). The CMIA states a “provider of health care” is “any clinic, health dispensary, or health facility” licensed under certain California codes, and that a “health care service plan” is “any entity regulated pursuant” to certain California health and safety code statutes. Id. § 56.05(m), (g) (emphasis added). Concerning Defendant's status as a contractor, Plaintiff alleges:
The United States Department of Defense ... contracted with [Defendant] to provide ... electronic information management and data security services for safeguarding and protecting Plaintiff's and [putative] Class Members' PII/PHI, all of which was entrusted to [Defendant] in connection with obtaining health care coverage
....
[Defendant] provides scientific, engineering, systems integration, and technical services.
(Compl. ¶¶ 3, 24) (emphasis added).
Plaintiff has not alleged facts from which a plausible inference could be drawn that Defendant is an entity governed by CMIA. Therefore, this portion of Defendant's dismissal motion is granted.
II. CONCLUSION
For the stated reasons, all of Plaintiff's claims are dismissed under Rule 12(b)(1), except for Plaintiff's CMIA claim, which is dismissed under Rule 12(b)(6). Plaintiff has twenty days leave from the date on which this Order is filed to file an amended complaint addressing the referenced deficiencies in his Complaint.