Moore v. Centrelake Med. Grp., Inc., B310859

Docket Number: B310859
Decision Date: 16 September 2022
Citation: 83 Cal.App.5th 515, 299 Cal.Rptr.3d 544
Parties: April Kay MOORE, et al., Plaintiffs and Appellants, v. CENTRELAKE MEDICAL GROUP, INC., Defendant and Respondent.
Court: California Court of Appeals

Wilshire Law Firm, Bobby Saadian, Justin F. Marquez, Thiago M. Coelho, Los Angeles, Robert J. Dart and Jessica Behmanesh, for Plaintiffs and Appellants.

Baker & Hostetler, Paul Karlsgodt, Matthew D. Pearson, Costa Mesa, and Teresa C. Chow, Los Angeles, for Defendant and Respondent.

MANELLA, P. J.

INTRODUCTION

Appellants April Kay Moore, Kimberly Joy, and Yvette McKinley are patients at medical facilities operated by respondent Centrelake Medical Group. In reliance on Centrelake's allegedly false representations that it employed reasonable safeguards for patients’ personal identifying information (PII), appellants entered into contracts with Centrelake. Their contracts allegedly incorporated a privacy policy, in which Centrelake promised to maintain adequate data security practices to protect appellants’ PII from unauthorized access by third parties. In early 2019, Centrelake suffered a data breach, in which appellants’ PII was allegedly stolen by hackers and disseminated into the public domain. In April 2019, Centrelake issued a notice of the data breach, acknowledging that patient records and data might have been taken, and encouraging patients to protect themselves from identity theft or fraud, including by monitoring their credit and financial accounts. Appellants spent time on such monitoring, and appellant McKinley purchased credit and identity monitoring services.

In June 2019, appellants brought this action against Centrelake on behalf of themselves and a putative class of patients affected by the data breach. The complaint contained causes of action for breach of contract, negligence, and violations of the Unfair Competition Law (UCL), Business and Professions Code section 17200 et seq. Appellants alleged they suffered several injuries as a result of Centrelake's failure to maintain adequate data security, including: (1) overpayments for Centrelake's services, which did not include the adequate data security for which they had bargained; (2) time and money spent on credit monitoring and other measures to mitigate risks posed by the data breach; and (3) deprivation of some portion of the value of their PII.

Centrelake demurred, arguing that appellants had failed to adequately plead any cognizable injury, and that their negligence claim was barred by the economic loss rule. Appellants opposed the demurrer. In a footnote to their opposition brief, and at the hearing on the demurrer, appellants requested leave to amend their complaint to add allegations of future harm, viz., future costs to be incurred retaking medical tests in order to replace medical records that had been lost in the data breach. The trial court sustained the demurrer to all claims without leave to amend, concluding: (1) appellants had failed to adequately plead any injury sufficient to support either (a) standing to bring their UCL claim, or (b) the damages elements of their contract and negligence claims; and (2) appellants’ negligence claim was barred by the economic loss rule. The court entered a judgment dismissing all claims.

On appeal, appellants contend the court erred in sustaining the demurrer with respect to each of their claims, and abused its discretion in denying their request for leave to amend. We conclude appellants adequately alleged UCL standing and contract damages under their benefit-of-the-bargain theory, and appellant McKinley, who purchased monitoring services, did the same under appellants’ monitoring-costs theory. However, appellants have not shown the court erred in dismissing their negligence claim under the economic loss rule; nor have they shown the court abused its discretion in denying their request for leave to amend. Accordingly, we affirm the judgment with respect to the dismissal of appellants’ negligence claim without leave to amend, but reverse with respect to appellants’ UCL and contract claims. For guidance on remand, we address appellants’ lost-value-of-PII theory, and conclude they failed to adequately plead it as a basis for either UCL standing or contract damages.

PROCEEDINGS BELOW
A. Appellants’ Complaint

In June 2019, appellants filed the complaint in this action on behalf of themselves and a putative class of all California residents whose PII was compromised as a result of Centrelake's early 2019 data breach. The facts stated in this subsection are taken from the complaint's factual allegations, which we presume to be true for purposes of reviewing the trial court's ruling on Centrelake's demurrer.

1. The Data Breach

Centrelake is a medical provider operating eight medical facilities in southern California. Prior to January 9, 2019, appellants became patients of Centrelake. Centrelake "made repeated promises and representations" to appellants "that it would protect its patients’ PII from disclosure to unauthorized third parties." Each appellant signed a contract with Centrelake that incorporated a contractually binding privacy policy, viz., Centrelake's Notice of Privacy Practices (attached to the complaint as an exhibit), in which Centrelake promised to take appropriate steps to attempt to safeguard any medical or other personal information provided to it. Centrelake also published its Notice of Privacy Practices to the public on its website. However, the Notice of Privacy Practices contained false statements concerning data security.

Centrelake failed to implement reasonable security practices to protect appellants’ PII. As a result, from January 9 to February 19, 2019, Centrelake suffered a data breach, during which appellants’ PII was "stolen" (in other words, "acquired" or "harvested") by hackers, and "disseminat[ed] into the public domain." The stolen PII included contact information (names, addresses, and phone numbers), Social Security numbers, driver's license information, and medical information (services performed, diagnosis information, health insurance information, referring provider information, medical record number, and dates of service).

In April 2019, Centrelake issued a Notice of Data Breach (attached to the complaint as an exhibit). The Notice stated that "suspicious activity" began on Centrelake's network on January 9, 2019 and continued for over a month until, on February 19, Centrelake discovered that a hacker had infected Centrelake's system with a virus that prohibited its access to its files. Centrelake announced that its ongoing investigation had yet to uncover any evidence that the hacker viewed or took patient information, or any indication that such information had been misused. However, Centrelake acknowledged that the hacker might have gained access to patient records and data. Centrelake encouraged affected individuals to "remain vigilant against incidents of identity theft and fraud" by regularly reviewing their credit reports, financial account statements, and explanations of benefits for suspicious activity.

Centrelake provided a toll-free phone line staffed with individuals familiar with the data breach, and invited calls from patients with questions regarding how to protect themselves from "potential harm resulting from this incident," including how to place fraud alerts on the patients’ credit files.

2. Causes of Action

Appellants’ first and second causes of action were for breach of contract and breach of the covenant of good faith and fair dealing (contract claims).1 Appellants alleged Centrelake breached its contracts with them by (1) failing to "implement and maintain reasonable security procedures to protect Plaintiffs’ and Class Members’ PII from unauthorized access, destruction, use, modification, or disclosure"; and (2) failing to prevent unauthorized third parties from obtaining such access.

Appellants’ third and fourth causes of action were for "negligence per se" and negligence.2 Appellants alleged: (1) Centrelake entered into a " ‘special relationship’ " with appellants "when [Centrelake] contracted with [them] for medical services and obtained their PII from them"; (2) Centrelake owed appellants a duty of care in protecting their PII, because inadequate data security practices would foreseeably cause them harm; and (3) Centrelake breached that duty by adopting inadequate safeguards to protect their PII.

Appellants’ fifth and final cause of action was for violations of the UCL. Appellants alleged Centrelake violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. § 1320d et seq.) and the public policy expressed therein, rendering its business practices both unlawful and unfair, by (1) failing to "implement and maintain reasonable security procedures to protect Plaintiffs’ and Class Members’ PII from unauthorized access, destruction, use, modification, or disclosure"; and (2) failing to prevent unauthorized third parties from obtaining such access. Appellants further alleged Centrelake's business practices were fraudulent "because they involved representations to the public which [we]re likely to deceive," including false statements concerning data security in its Notice of Privacy Practices.

Appellants sought compensatory damages, restitution, and injunctive relief requiring Centrelake to implement reasonable data security practices.

3. Alleged Injuries

Appellants alleged they suffered several injuries. First, appellants alleged they overpaid for Centrelake's medical services, in that they paid for but did not receive reasonable and adequate security for their PII. In other words, appellants "paid more for [Centrelake]’s services than they [otherwise] would have paid" had they known their PII would not be protected. Relatedly, appellants "relied on [Centrelake]’s [privacy] representations in entering into contracts with Defendants for medical services, which they would not have...
