Opinion
23-cv-01033-RS
10-15-2024
IN RE BETTERHELP, INC. DATA DISCLOSURE CASES
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS FIRST AMENDED CONSOLIDATED COMPLAINT
RICHARD SEEBORG CHIEF UNITED STATES DISTRICT JUDGE
A motion to dismiss the initial consolidated complaint in these putative class actions was denied in part and granted in part. Plaintiffs then filed a First Amended Consolidated Complaint (“FACC”) that abandons some of the dismissed claims, amends other, and adds one new claim. Plaintiffs also articulate additional grounds in support of their requests for injunctive and declaratory relief made under several of the counts. Defendant BetterHelp, Inc. now moves to dismiss the amended claims, the new claim, and the requests for injunctive and declaratory relief. Pursuant to Civil Local Rule 7-1(b), the motion is suitable for disposition without oral argument, and the hearing set for October 17, 2024, has been vacated. The motion will be granted in part, and denied in part.
1. Confidentiality of Medical Information Act
California's Confidentiality of Medical Information Act (“CMIA”) prohibits the unauthorized disclosure and negligent maintenance or preservation of medical information by a provider of healthcare. Cal. Civ. Code § 56.101. This claim was previously dismissed because BetterHelp had shown it does not meet any applicable statutory definition of “provider of health care.” Plaintiffs were given leave to amend to allege any facts that place BetterHelp within the statutory definitions.
The FACC presents no additional facts on this issue. Instead, plaintiffs present a new legal contention, arguing that at least one provision of the CMIA governs all “corporations,” without regard to whether those entities otherwise would meet the definition of healthcare provider. Plaintiffs rely on a 2001 amendment to Cal. Civ. Code § 56.10(d) that added the underscored language in the following quote:
Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no provider of health care, health care service plan contractor, or corporation and its subsidiaries and affiliates shall intentionally share, sell, or otherwise use any medical information for any purpose not necessary to provide health care services to the patient.
The statutory language may not be a model of drafting clarity. Plaintiffs correctly observe that, as a matter of grammar, there is no link between “corporation” and “health care” or any other modifier inarguably restricting the kinds of corporations to which the code section applies. The language must nevertheless be read in context and with an application of commonsense. Plaintiffs' argument that the CMIA should be understood as applying to all corporations by virtue of the 2001 amendment is creative, but not persuasive.
Plaintiffs rely heavily on J.M. v. Illuminate Educ., Inc., 103 Cal.App. 5th 1125 (2024), in which a California court of appeal expressly found that the “reach” of the CMIA “extends beyond medical providers.” Id. at 1128. The Illuminate plaintiff alleged the defendant had been negligent in maintaining a student health database, leading to a data breach. Notably, § 56.10(d) was not implicated in that case, as there was no claim the defendant had intentionally shared, sold, or otherwise used medical information for a purpose other than providing medical care. The court concluded the defendant was subject to the CMIA under § 56.06, which expressly lists types of businesses that will be deemed to be “provider[s] of health care.”
Indeed, as noted in the prior order, § 56.06(d) now includes businesses offering “mental health digital services” among those expressly subject to the CMIA. That subsection, however, did not become effective until January 1, 2023, well after the complained-of conduct occurred, and plaintiffs do not contend it can be given retroactive effect. The addition of § 56.06(d) in 2023, which plainly was designed to bring BetterHelp and similar services within the definition of “provider of health care,” however, further undermines any argument that BetterHelp was already subject to the prohibitions of § 56.10(d) merely because it was a “corporation.”
The CMIA claim is therefore dismissed. No further leave to amend is warranted.
2. UCL and CLRA standing
Plaintiffs' UCL and CLRA claims were previously dismissed for failure to plead the requisite economic injury-in-fact. See, Reid v. Johnson & Johnson, 780 F.3d 952, 958 (9th Cir. 2015). Plaintiffs had focused on the claimed economic value of their allegedly misappropriated personal information, which the order found would not establish compensable damages. See Katz-Lacabe v. Oracle Am., Inc., 668 F.Supp.3d 928, 943. (N.D. Cal. 2023). Plaintiffs now stress that they paid BetterHelp for its services on a monthly basis, relying on its assurances that personal information would be kept confidential.
BetterHelp argues plaintiffs cannot rely on a theory that they did not receive the benefit of their bargain because they are no longer pursuing an express false advertising claim and/or because they have not shown they were paying specifically for data security measures that BetterHelp failed to implement. BetterHelp's argument, however, presupposes it breached no enforceable promises to keep plaintiffs' personal information confidential. Plaintiffs have adequately alleged they relied on BetterHelp's assurances of confidentiality when they paid BetterHelp for its services. See In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953, 985 (N.D. Cal. 2016)(finding alleged benefit of the bargain losses to constitute cognizable economic injury). The motion to dismiss the UCL and CLRA claims is denied.
3. Breach of implied contract
The prior order observed that plaintiffs were alleging, in essence, that they entered into contractual relationships with BetterHelp, and that BetterHelp's various promises of confidentiality were part of the terms of those contracts. Without concluding the original consolidated complaint necessarily failed to state a contractual claim, the order directed plaintiffs to provide greater specificity in alleging how the contracts were formed, the alleged contractual terms, and the facts plaintiffs contend establish breach. Plaintiffs have now more clearly identified the particular promises they contend BetterHelp made and breached. There is no basis to dismiss the claim for breach of implied contract. See Castillo v. Seagate Tech., LLC, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (“The upshot of the averments in the plaintiffs' complaint, however, is quite clear: The employees provided their personal information . . . with the understanding that Seagate, while it held the information, would take adequate measures to protect it.”)
4. Stored Communications Act
Plaintiffs bring claims in the FACC under two different parts of Electronic Communications Privacy Act (“ECPA”): the Wiretap Act (Count IV) and the Stored Communications Act (Count V) (“SCA”). Plaintiffs' claim under the Wiretap Act survived BetterHelp's earlier motion to dismiss and is unchanged. Plaintiffs have added a new claim, however, under the SCA.
The SCA provides that, with certain exceptions, a person or entity providing either an electronic communication service or remote computing service to the public shall not “knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service [.]” 18 U.S.C. § 2702(a)(1). BetterHelp insists the SCA does not apply because it is not “in the business of providing electronic communications services,” in the manner of ordinary email and internet service providers. The FACC alleges, however, that BetterHelp customers communicate with their therapists through the conduit of BetterHelp's websites. BetterHelp has not shown the statute should be construed so narrowly as to apply only to internet service providers. BetterHelp's further argument that it did not divulge information “while in electronic storage” presents factual issues not appropriately resolved at the pleading stage. The motion to dismiss the SCA claim is denied.
BetterHelp relies on Crowley v. CyberSource Corp., 166 F.Supp.2d 1263, 1270 (N.D. Cal. 2001), in which online retailer Amazon was found not to be an electronic communication service, despite an argument that it receives electronic communications from its customers through its platform. The distinction is that BetterHelp does not merely receive its own customers' communications electronically, it allegedly facilitates two-way electronic communications between its customers and third-party therapists.
5. Injunctive and Declaratory Relief
The claims for injunctive and declaratory relief in the original consolidated complaint were dismissed because plaintiffs had not pleaded facts showing “a sufficient likelihood that [they] will again be wronged in a similar way” by BetterHelp absent injunctive relief. See Williams v. Apple, Inc., 449 F.Supp.3d 892, 906 (N.D. Cal. 2020) (quotation omitted). Plaintiffs were given leave to amend to show: (1) some right or duty on BetterHelp's part to control the conduct of third parties, and (2) a sufficient factual basis to show the requisite ongoing or future harm exists notwithstanding the existence of the injunctive relief obtained by the FTC. The FACC fails to do either. Plaintiffs' allegations that BetterHelp has not complied with all of its obligations under the FTC's injunction, even if accurate, do not provide a basis for this court to enter a second injunction requiring similar action. The requests for injunctive and declaratory relief are dismissed, without leave to amend.
The motion to dismiss the FACC is granted to the extent specified above, and is otherwise denied. Defendant shall file an answer within 20 days of the date of this order.
IT IS SO ORDERED.