Opinion
24-cv-00106-BEN (DDL)
08-07-2024
ORDER DENYING MOTION TO DISMISS FOR LACK OF JURISDICTION AND MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM [Dkt. 2, 8]
Hon. Roger T. Benitez United States District Judge
Now before the Court is the Motion to Dismiss for Lack of Jurisdiction brought by Defendant Netgain Technology, LLC (“Netgain”), and the Motion to Dismiss for Failure to State a Claim brought by Defendant Council of Community Clinics (“CCC”) doing business as Health Centers Partners of Southern California. (Dkt. #8). The motions are denied.
See Defendant's Request for Judicial Notice (“RJN”) (fictitious business name registration for Health Centers Partners of Southern California).
I. BACKGROUND
Plaintiff brings this putative class action alleging state law violations of California's Confidentiality of Medical Information Act and California's Customer Records Act relating to a data breach involving Plaintiff's and potential class members' medical and personal information. The operative complaint is the Second Amended Complaint (“SAC”) which was filed on August 22, 2023 in the Superior Court of the State of California for the County of San Diego, Case No. 37-2021-00038892-CU-BT-CTL, prior to the case being removed to this Court. See Dkt. 1-4 (Jan. 16, 2024).
The majority of the facts are taken from the Second Amended Complaint and for purposes of ruling on the instant motion to dismiss, the Court assumes the truth of the allegations pled and liberally construes allegations in favor of the non-moving party. Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008).
In the Second Amended Complaint filed before the Superior Court, Plaintiff alleges that he is a San Diego County, California resident and a patient of a San Diego County, California based healthcare clinic. As a patient, Plaintiff provided his personal information, including his name, address, date of birth, social security number, phone number and email address to a health care entity named Council of Community Clinics and doing business as Health Centers Partners of Southern California. Plaintiff alleges that CCC maintains an online computer program to allow patients to securely access and review their health information, as well as to update their personal information. Plaintiff alleges that CCC contracted with Netgain to store and protect the private medical information of his own and other CCC patients.
Plaintiff alleges that between October 22, 2020 and December 3, 2020, CCC and Netgain were negligent and failed to properly maintain, preserve, and store the confidential, medical, and personal identifying information of Plaintiff by allowing an unauthorized unknown person to gain access and actually view his information. Plaintiff maintains that he has the right to expect that the confidentiality of his medical information in possession of CCC and Netgain be reasonably preserved and protected from unauthorized viewing, exfiltration, theft, and/or disclosures. Plaintiff alleges CCC's and Netgain's negligence in caring for the medical information constitutes a violation of three state statutes.
As set out in the SAC, Netgain was an IT provider for CCC. Netgain notified CCC that there had been a data breach and that plaintiff's information may have been exposed to unauthorized access by a criminal hacker. Netgain's notice to CCC, and CCC's notice to Plaintiff, said that an attacker had launched a ransomware attack around October to December 2020, and that Netgain had paid the ransom. Defendants maintain that Plaintiff's medical information was never disclosed to, or actually viewed by, the criminal hackers because the ransom amount was paid in exchange for non-exposure of the medical data. Plaintiff alleges, nevertheless, that during the time period of the attack, his medical information was accessible by the data attackers.
B. State Law Causes of Action
Plaintiff's Second Amended Complaint alleges three California state law causes of action (“COA”) against CCC for violations of: (1) the Confidentiality of Medical Information Act, California Civil Code §§ 56, et seq. (“CMIA”); (2) the Customer Records Act, California Civil Code § 1798.82 (“CRA”); and (3) the California Unfair Competition Laws, California Business and Professions Code §§ 17200, et seq. (“UCL”).
II. LEGAL STANDARD & DISCUSSION
Under Federal Rule of Civil Procedure 12(b)(2) a complaint against a defendant may be dismissed for lack of personal jurisdiction. When a party seeks dismissal under Rule 12(b)(2) for lack of personal jurisdiction, the plaintiff bears the burden of demonstrating that the exercise of personal jurisdiction is proper. Menken v. Emm, 503 F.3d 1050, 1056 (9th Cir. 2007). When a motion to dismiss for lack of personal jurisdiction is based on the briefs rather than an evidentiary hearing, “the plaintiff need only make a prima facie showing of jurisdictional facts.” Sher v. Johnson, 911 F.2d 1357, 1361 (9th Cir. 1990). While “uncontroverted allegations in the complaint must be taken as true,” the plaintiff cannot “simply rest on the bare allegations of its complaint.” Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 800 (9th Cir. 2004) (quoting Amba Mktg. Sys., Inc. v. Jobar Int'l, Inc., 551 F.2d 784, 787 (9th Cir. 1977)). The court “may not assume the truth of allegations in a pleading which are contradicted by affidavit, but factual conflicts between dueling affidavits must be resolved in the plaintiff's favor.” Ayla, LLC v. Alya Skin Pty. Ltd., 11 F.4th 972, 978 (9th Cir. 2021) (internal quotation marks and citations omitted). “[B]are bones assertions of minimum contacts with the forum or legal conclusions unsupported by specific factual allegations will not satisfy a plaintiff's pleading burden.” Swartz v. KPMG LLP, 476 F.3d 756, 766 (9th Cir. 2007) (internal quotation marks omitted). Nor will “random,” “fortuitous,” or “attenuated” contacts establish specific personal jurisdiction. Burger King Corp. v. Rudzewicz, 471 U.S. 462, 475 (1985).
Under Federal Rule of Civil Procedure 12(b)(6), a complaint may be dismissed when a plaintiff's allegations fail to set forth a plausible set of facts which would entitle the complainant to relief. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007); Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009) (holding that a claim must be facially plausible to survive a motion to dismiss). To state a plausible claim for relief, the pleadings must raise the right to relief beyond the speculative level; a plaintiff must provide “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555 (citation omitted). At the same time Rule 8(a)(2) requires no more than “a short and plain statement of the claim showing that the pleader is entitled to relief.” Moreover, Rule 8(d)(1) specifies that in general, “[e]ach allegation must be simple, concise, and direct.”
III. NETGAIN'S MOTION TO DISMISS FOR LACK OF JURISDICTION
Netgain moves to dismiss arguing the Court lacks general and specific personal jurisdiction over Netgain. Netgain argues that it is not at home in California. Rather, it is a Delaware limited liability company, headquartered in Minnesota, a claim Plaintiff does not contest. Additionally, Netgain argues that it has not engaged in the type of continuous and systematic activity in California necessary to establish general jurisdiction, which Plaintiff does contest. Alternatively, Netgain argues that it did not purposefully direct any intentional activity at California and Plaintiff's claims do not arise out of any contacts between Netgain and Plaintiff in California, which Plaintiff also contests.
As part of its opposition, Plaintiff requests judicial notice be taken of several internet website page screenshots. Dkt. 19-1. These screenshots come from Netgain's own website and to the extent they acknowledge that Netgain maintains an office in San Diego County and describe its clients to include healthcare provider Health Center Partners of Southern California (CCC's d/b/a name) (generally Exhibits 1-22, 23-24), Plaintiff's request for judicial notice is granted.
Netgain has been sued before in this Court for claims arising out of the data breach. Each time this Court has decided to not exercise jurisdiction over Netgain. See Lee v. Netgain Technology, LLC, Case No. 21cv1144-LL (MSB) (S.D. Cal. April 1, 2022); Clark v. Netgain Technology, LLC, Case No. 21cv1432-LL (MSB). However, in those cases, the plaintiffs were citizens and residents of South Carolina and patients of healthcare clinics operating in South Carolina. The plaintiffs articulated various state common law claims and South Carolina statutory claims for relief. Why the plaintiffs in Lee and Clark selected the Southern District of California for their lawsuits is not evident.
In going through the legal analysis for testing specific jurisdiction such as purposeful direction and availment, Lee concluded that “[b]y operating an office in San Diego, Netgain has purposefully availed itself of the privilege of doing business in California.” Lee, Order at 9. The problem in Lee (and Clark which relied on Lee) was, inter alia, that there was no evidence that data breach notices were sent to a person in California, that California residents were uniquely harmed, or that Netgain had reason to believe that the South Carolina healthcare providers' patients were in California. Id. at 711.
In the present case, Plaintiff actually provides the Netgain data breach notice he did receive in California. Moreover, California residents were uniquely harmed because their breached health care records were created as a result of receiving healthcare in California, and finally Netgain obviously knew that it provided its data security work to at least one California healthcare provider, i.e., CCC. On every significant metric, the alleged facts that were lacking for the exercise of specific jurisdiction over Netgain in Lee and Clark are present in this case.
Here the Court has specific jurisdiction over Netgain. “Specific jurisdiction, as its name suggests, allows a state court to adjudicate specific claims against a defendant.” Mallory v. Norfolk S. Ry. Co., 600 U.S. 122, 164-65 (2023). “When a defendant ‘purposefully avails itself of the privilege of conducting activities within the forum State, that State's courts may adjudicate claims that arise out of or relate to the defendant's contacts' with the forum.” Id. (citations omitted) (cleaned up). Netgain has purposely availed and directed efforts at CCC and its California resident patients in this district. Netgain's contacts with this district cannot be characterized as “random, isolated, or fortuitous.” E.g., Keeton v. Hustler Mag., Inc., 465 U.S. 770, 774 (1984).
Plaintiff's claims for violating California laws protecting personal medical information and computer data “arise out of” its IT data security services provided to CCC for protecting CCC's patients' records. Bristol-Myers Squibb Co. v. Superior Ct., 137 S.Ct. 1773, 1780 (2017); Learjet, Inc. v. Oneok, Inc., 715 F.3d 716, 742 (9th Cir. 2013) (“[A] lawsuit arises out of a defendant's contacts with the forum state if a direct nexus exists between those contacts and the cause of action.” (quoting Fireman's Fund Ins. Co. v. Nat'l Bank of Coops., 103 F.3d 888, 894 (9th Cir. 1996))). Here, the “relationship among the defendant, the forum, and the litigation is close enough to support specific jurisdiction.” Ford Motor Co. v. Montana Eighth Jud. Dist. Ct., 592 U.S. 351, 371 (2021).
Exercising jurisdiction over Netgain in this district also comports with notions of fair play and substantial justice such that the exercise of jurisdiction is reasonable. “Once it has been decided that a defendant purposefully established minimum contacts with a forum, ‘he must present a compelling case that the presence of some other considerations would render jurisdiction unreasonable' in order to defeat personal jurisdiction.” Dole Food Co. v. Watts, 303 F.3d 1104, 1114 (9th Cir. 2002) (citing Burger King Corp. v. Rudzewicz, 471 U.S. 462, 477 (1985)). Dole set out seven factors that may be considered. Considering all of the Dole factors, Netgain has not made a compelling case to overcome the strong presumption of reasonableness of the assertion of personal jurisdiction. Dole Food Co., 303 F.3d at 1117 (“A number of our cases emphasize the heavy burden on both domestic and foreign defendants in proving a ‘compelling case' of unreasonableness to defeat jurisdiction.”). Therefore, Netgain's motion to dismiss for lack of jurisdiction is denied.
In the alternative, Netgain asks that this case be transferred to the United States District Court for the District of Minnesota, where another case was brought concerning Netgain's data breach and ransomware demand. See Netgain Reply, Dkt. 15 at 12-13. The Minnesota action did include, among others, a California plaintiff asserting California state law claims. However, the case settled and is now closed. See In re: Netgain Technology, LLC, Consumer Data Breach Litigation, Case No. 21cv1210 (SRN/LIB), Dkt. 103, Joint Notice of Settlement (Dist. Minn. May 14, 2024). Moreover, the Minnesota court did not have the opportunity to address the substance of the California law claims before the case ended. Therefore, little conservation of judicial resources would result from transferring this case at this point to the District of Minnesota.
IV. CCC'S MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM
A. The Confidentiality of Medical Information Act (CMIA)
CCC first argues that Plaintiff has not adequately alleged a cause of action under the CMIA. A California Court of Appeal has said that a successful CMIA claim requires “pleading, and ultimately proving, that the confidential nature of the plaintiff's medical information was breached as a result of the health care provider's negligence.” Regents of the University of California v. Sup. Ct., 220 Cal.App.4th 549, 570 (2013). Under the CMIA, “more than a mere allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information.” Id. (citation omitted). Under that state law, “a breach of confidentiality under the CMIA requires a showing that an unauthorized party viewed the confidential information.” Vigil v. Muir Med. Grp. IPA, Inc., 84 Cal.App.5th 197, 213 (2022), review denied (Jan. 25, 2023); see also, Sutter Health v. Sup. Ct., 227 Cal.App.4th 1546, 1550 (2014) (“plaintiffs have failed to state a cause of action under [CMIA] because they do not allege that the stolen medical information was actually viewed by an unauthorized person.”). A California appellate court recently held that similar allegations were sufficient to state a cause of action under the CMIA. See J.M. v. Illuminate Education, 2024 WL 3530281 *4 (Cal.App. July 25, 2024).
At trial, Plaintiff may have a difficult time proving in these circumstances that his protected medical information was actually viewed by the ransomware hackers, evidence that is required to prevail on a CMIA cause of action. But Plaintiff does allege that his medical information was “actually viewed by at least one ‘unauthorized third party'” in violation of CMIA. SAC ¶71. In the context of a criminal ransomware attack on a medical records database, this allegation along with the other allegations satisfies Rule 8 and states a plausible claim for relief.
B. The Customer Records Act (CRA)
The CRA requires businesses to disclose a breach of security following discovery or notification of the breach in the security of covered data. See Cal. Civ. Code § 1798.82(a). No specific timeframe for disclosure is mandated. However, the CRA requires that the disclosure notice must “be made in the most expedient time possible and without unreasonable delay.” In his SAC, Plaintiff alleges that CCC took 139 days to begin disclosing the data breach to Plaintiff and others which, allegedly, is an unreasonable delay. SAC ¶81.
Some courts have found that five-month delays and nine-month delays in providing notice of a data breach sufficiently alleged an “unreasonable delay” under the CRA. E.g., In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d 1284, 1300 (S.D. Cal. 2020) (Huff, J.) (five month delay); In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 589-90 (N.D. Ill. 2022) (nine month delay); J.M. v. Illuminate Education, 2024 WL 3530281 *5-6 (Cal.App. July 25, 2024) (five month delay). In contrast, an alleged ten-day delay was not a sufficient allegation of unreasonable delay. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 1010 (S.D. Cal. 2014). And at least one court has suggested that whether a particular delay qualifies as “unreasonable” under the CRA is normally a question for trial rather than for a motion to dismiss. Id.
After the briefing was complete in this case, a court in a similar case alleging a violation of the CRA denied a motion to dismiss. The court set for trial the CRA claim of a one-month delay where the plaintiff also alleged he was incrementally harmed separately from the data breach. Mohsen v. Veridian Credit Union, No. C23-2048-LTS-KEM, 2024 WL 2080177, at *11 (N.D. Iowa May 9, 2024) (“I find that Mohsen has sufficiently pleaded a claim for violation of the CCRA. While the complaint alleges a significantly shorter delay than in Solara and Arthur J. Gallagher, Mohsen has alleged that the one-month delay incrementally harmed him separately from the data breach. Specifically, Mohsen alleges that the delay prevented him from securing identity theft protection or requesting a credit freeze which could have mitigated the damage caused by the data breach. While the one-month period between the data breach and the notification of customers may be found to be reasonable at a later stage, this argument will benefit from a more developed factual record. Count VII will not be dismissed.”) (citations omitted). In addition to mere delay, “[t]o allege a ‘cognizable injury' arising from Defendant's alleged failure to timely notify Plaintiffs of the Data Breach, Plaintiffs must allege ‘incremental harm suffered as a result of the alleged delay in notification,' as opposed to harm from the Data Breach itself.” In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d at 1300 (S.D. Cal. 2020).
Defendant argues that Plaintiff's CRA claim fails because he does not allege any damages caused by the purported delay. But Plaintiff does allege damages were incurred. Specifically, Plaintiff alleges the delay prevented him from taking steps to protect his personal information. SAC ¶ 82. Plaintiff alleges the delay prevented him from taking steps in the most expedient time possible to mitigate the fallout from his personal information being stolen “such as purchasing dark web monitoring or an identity theft protection service.” Id. As in Mohsen, whether Plaintiff is ultimately able to prove his damages at trial must be left for another day. Today, Plaintiff's allegation of harm is sufficient, along with the allegation of unreasonable delay, to state a plausible state law cause of action under the CRA and the claim satisfies Rule 8.
Defendant makes another argument for dismissing the CRA cause of action claiming CCC is not subject to the CRA because it is a health care provider. CCC argues, “the CCRA expressly excludes entities, such as health care providers and contractors who are subject to the CMIA. See Cal. Civ. Code 1798.81.5(e)(1).” And CCC argues that the CRA does not apply to covered entities under HIPAA, citing Cal. Civ. Code 1798.81.5(e)(3). But Plaintiff does not allege violations of 1798.81. Plaintiff alleges violations of 1798.82. Section 1798.82 admits no exceptions for health care providers or entities covered by HIPAA. In fact, 1798.82(e) suggests by its presence that entities covered by HIPAA are included by setting out an alternative method of giving notice of a breach and by stating that covered entities are not exempted. There is no basis to dismiss Plaintiff's cause of action on this ground.
Cal. Civ. Code 1798.82(e) states, “A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.”
C. The Unfair Competition Laws (UCL)
CCC argues that Plaintiff's allegations of a violation of the UCL are deficient. However, it does not take much to make out a plausible claim that a defendant violated the California UCL when it is also plausibly alleged that another California law was violated by the same defendant. A plaintiff ultimately must prove that a business act was somehow “unlawful” for a UCL claim. A business act or practice is “unlawful” under the UCL if it, in turn, violates a rule contained in some other state or federal statute. Rose v. Bank of America, N. A., 57 Cal.4th 390, 396 (2013) (“By proscribing ‘any unlawful' business practice, Business and Professions Code ‘section 17200 “borrows” violations of other laws and treats them as unlawful practices' that the UCL makes independently actionable.”). Thus, the requirements for alleging a UCL claim are easily met.
“The unlawful prong of the UCL prohibits anything that can properly be called a business practice and that at the same time is forbidden by law. Generally, violation of almost any law may serve as a basis for a UCL claim.” In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d at 1303 (S.D. Cal. 2020) (“Plaintiffs argue that they have alleged that Solara has unlawfully violated ‘the CMIA, the California Consumer Records Act, and several state laws.' . . . Defendant's arguments are better suited for a motion for summary judgment when the record is more fully developed. As a result, the Court denies Defendant's motion to dismiss Plaintiffs' unlawful UCL claim at this time.”). Here, Plaintiff's SAC and its UCL claim rely on violations of the CMIA and CRA. This is sufficient to plausibly allege a UCL cause of action under California law and Rule 8.
V. CONCLUSION
For the above reasons Netgain's motion to dismiss for lack of jurisdiction and CCC's motion to dismiss for failure to state a claim are denied.
IT IS SO ORDERED.