C. M. v. Marinhealth Med. Grp.
| Jurisdiction | United States,Federal,California |
| Parties | C. M., Plaintiff, v. MARINHEALTH MEDICAL GROUP, INC., Defendant. |
| Decision Date | 19 January 2024 |
| Court | U.S. District Court — Northern District of California |
| Docket Number | 23-cv-04179-WHO |
Defendant's motion to dismiss claims four through nine of plaintiff's complaint is GRANTED on the negligence claim but DENIED as to the other challenged claims.
Plaintiff C.M. sues defendant MarinHealth Medical Group Inc.[1] for a number of privacy right claims. Plaintiff alleges that MarinHealth failed “to implement adequate and reasonable measures to ensure that the “personally identifiable information (‘PII') and protected health information (‘PHI') (collectively, ‘Private Information')” was protected and instead allowed “unauthorized third parties, including Meta Platforms, Inc. d/b/a Facebook (“Facebook”) to intercept” information regarding users' use of defendants' websites to seek healthcare related services through implementation of Meta's “Pixel” technology. Compl. ¶¶ 5-7. MarinHealth moves to dismiss four of the nine causes of action alleged, seeking dismissal of the claims for: (1) negligence; (2) breach of implied contract; (3) larceny, Cal. Penal Code § 496(a)&(c); and (4) unjust enrichment.[2]
Under FRCP 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570.
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). If the court dismisses the complaint, it “should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). In making this determination, the court should consider factors such as “the presence or absence of undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by previous amendments, undue prejudice to the opposing party and futility of the proposed amendment.” Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989).
MarinHealth argues that the negligence claim must be dismissed because plaintiff did not allege nonspeculative negligence damages. Mot. 3-6; Reply at 1-4. Plaintiff responds that he has satisfied that burden because he alleges that he was injured when his private information was misused and that as a result he was subjected to and will continue to be subjected to unsolicited, targeted advertising related to his specific medical conditions. Compl. ¶¶ 14, 111, 159. He also alleges that he suffered a loss of the value of that private information and loss of control over the same. Compl. ¶¶ 18, 223.
Defendant's cases primarily deal with data breach scenarios that where there is no evidence the plaintiff's personal data was used for impermissible purposes,[3] unlike here, where plaintiff alleges that soon after visiting defendant's website he started to receive ads targeted to his medical conditions. Compl. ¶¶ 14, 111, 159. The alleged misuse of his personal data, therefore, is not speculative. This allegation suffices for Article III standing. See, e.g., In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 784 (N.D. Cal. 2019) ().
Neither side cites caselaw regarding whether a defendant's conduct allowing third-party access to sensitive information where the third-party then misuses the information, by itself, supports the injury required for a negligence claim.[4] With respect to the diminution in value theory of injury, as I recognized in the related In re Meta Healthcare Litigation case, where “the crux of this case concerns Meta's receipt of ‘individually identifiable health information,' that plaintiffs apparently do not want Meta or anyone other than their healthcare providers to have” it is incongruous for plaintiff “to then allege they intended to participate in this market, or otherwise to derive economic value from their PII.” Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 2023 WL 5837443, at *17 (N.D. Cal. Sept. 7, 2023) (). I recognize that discussion was in the context of the “lost money or property” element for standing under California's Unfair Competition Law (“UCL,” Cal. Bus. & Prof. Code § 17200),[5] but it would be incongruous for plaintiff to allege an injury for negligence based on lost value of sensitive healthcare data.
Various Northern District cases have held that allegations of “lost time and expenses Plaintiffs allege that they have already incurred due to the data breach,” can support a negligence claim, as in that scenario “future expenses and time is not too speculative to constitute cognizable injuries at the pleading stage.” Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, 2021 WL 6882392, at *5 (N.D. Cal. Sept. 8, 2021); see also Huynh v. Quora, Inc., 508 F.Supp.3d 633, 650 (N.D. Cal. 2020) (recognizing that allegations of lost time and money constitute cognizable negligence harm). Plaintiff recognizes that he has not, yet, alleged lost time or expenses related to the use of his medical information shared by defendant, although he reserves his right to do so. Oppo. at 6 n.7.
Plaintiff is given leave to amend to include his allegations regarding lost time and/or expenses in responding to the plausibly alleged misuse of his medical information and any other allegations that he believes support the required showing of injury to support his negligence claim. The negligence claim is DISMISSED with leave to amend.
“For a breach of an implied contract claim, a plaintiff must show: (1) a valid implied-in-fact contract, (2) the plaintiff's performance or excuse for nonperformance, (3) the defendant's breach of the agreement, and (4) resulting damages.” Westron v. Zoom Video Commc'ns, Inc., No. 22-CV-03147-YGR, 2023 WL 3149262, at *2 (N.D. Cal. Feb. 15, 2023). Defendant argues that plaintiff's implied contract claim fails because plaintiff has not adequately alleged “loss of the benefit of the bargain” damages. Mot. at 7. In his Complaint, plaintiff specifically alleges that:
Compl. ¶¶ 280-283.
In support of its argument, defendant cites a number of cases that have required plaintiffs in data breach cases to allege specific “consideration” for the implied contract claim; meaning that the plaintiff paid something more for the alleged security promises. See Ortiz v. Perkins & Co., No. 22-CV-03506-KAW, 2022 WL 16637993, at *6 (N.D. Cal. Nov. 2, 2022) (discussing cases); see also Gardiner v. Walmart, No. 20-cv-04618-JSW, 2021 WL 2520103, at *6, *17-18 (N.D. Cal. Mar. 5, 2021) (); In re Linkedin User Privacy Litigation, 932 F.Supp.2d 1089, 1093 (N.D. Cal. 2013) (while plaintiffs had paid for a premium membership, “the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities...
To continue reading
Request your trial