In re Premera Blue Cross Customer Data Security Breach Litigation
198 F. Supp. 3d 1183
D. Or.2016Background
- Premera, a large Pacific Northwest health insurer and Blue Cross participant, disclosed on March 17, 2015 that a network breach beginning May 2014 exposed Sensitive Information for ~11 million individuals (names, DOBs, SSNs, member IDs, contact info, medical claims, financial data).
- Plaintiffs (named individuals and putative classes, including Policyholder subclass) allege Premera delayed detection and slow public notification, and failed to implement adequate data security despite prior warnings (FBI notice; OPM vulnerability report).
- Plaintiffs assert eleven causes of action (consumer-protection statutes, data-breach statutes, negligence, breach of express/implied contract, unjust enrichment, CMIA, breach of fiduciary duty, fraud by omission/active concealment), and assert three damage theories: out-of-pocket mitigation/fraud losses, loss in value/privacy violation, and "benefit-of-the-bargain" overpayment by Policyholders.
- Premera moved to dismiss certain claims/damage theories under Rules 8/9(b)/12(b)(6); the court evaluated pleading sufficiency, Rule 9(b) particularity for fraud averments, contract-formation/incorporation, fiduciary-duty existence, and causation for damages.
- Court dismissed (with leave to amend) plaintiffs’ allegations of affirmative misrepresentation, active concealment, fraud-by-omission (to the extent not pleaded with adequate specificity), breach of express contract, breach of implied contract (where unclear), and breach of fiduciary duty. Court denied dismissal as to unjust enrichment, California CMIA claim, causation, and certain damages theories.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether fraud allegations meet Rule 9(b) | Plaintiffs say claims don’t "sound in fraud" or, if they do, Complaint is sufficiently particular | Premera says fraud averments lack particularity and Rule 9(b) applies to all fraud averments | Court: Rule 9(b) applies; affirmative-misrep and active-concealment averments are dismissed for lack of particularity; omissions/half-truths may survive but must be repleaded with specifics |
| Fraud by omission / half-truths — duty and reliance | Plaintiffs allege Premera’s privacy notices and public statements gave rise to duty; class relied and would not have purchased insurance if true practices disclosed | Premera argues plaintiffs don’t identify what specific omissions made statements misleading | Court: Materiality and reliance sufficiently alleged at pleading stage, but plaintiffs must specify what was omitted to cure half-truth theory |
| Breach of express contract — incorporation of privacy policies | Plaintiffs rely on Notice of Privacy Practices / Code of Conduct as contractual promises | Premera contends plaintiffs didn’t show those documents were part of the insurance contract (no incorporation alleged or exemplars attached) | Court: Dismissed with leave to amend; plaintiffs must plead facts showing incorporation by reference or attachment (clear reference, called to attention, terms available) |
| Breach of implied contract / implied term | Plaintiffs assert an implied-in-fact promise to safeguard Sensitive Information (or an implied term in the health-plan contract) | Premera says offer/acceptance/mutual assent not adequately alleged | Court: Dismissed as plead; plaintiffs may replead to clarify whether asserting an implied-in-fact contract or an implied term within an express contract and plead requisite elements |
| Unjust enrichment / restitution for premiums | Plaintiffs say premiums paid conferred benefit; portion should have funded data security; retention would be unjust | Premera challenges lack of allocation and ties to fraud allegations | Court: Unjust enrichment claim survives at pleading stage; facts plausible to proceed |
| CMIA (Cal. Confidentiality of Medical Info Act) — viewing requirement | Plaintiff Hansen-Bosse alleges medical claims info was among Sensitive Information accessed/misused | Premera argues CMIA requires actual unauthorized viewing of medical information and plaintiffs don’t plausibly allege viewing or misuse | Court: CMIA claim survives; allegations that medical information (claims) was compromised and subsequent misuse (fraudulent activity) are sufficient at pleading stage |
| Breach of fiduciary duty | Plaintiffs contend insurer relationship and Premera’s role in patient-provider axis created fiduciary/quasi-fiduciary duty | Premera argues no fiduciary relationship exists as matter of law; courts reject ‘‘guardian of information’’ theory | Court: Dismissed for failure to allege a fiduciary relationship or facts showing induced reliance to relax vigilance; leave to amend denied as pleaded |
| Causation and damages (including delayed-notification and mitigation/time expenses) | Plaintiffs assert out-of-pocket, mitigation expenses, loss of value, and benefit-of-the-bargain damages; some named plaintiffs allege identity fraud/tax fraud post-breach | Premera disputes causal link for many named plaintiffs and contends filed-rate doctrine bars overpayment damages | Court: Causation allegations sufficient at pleading stage; CMIA, unjust enrichment and many damages survive; filed-rate doctrine issue deferred (skepticism noted) |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (U.S. 2009) (plausibility standard for federal pleading)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (U.S. 2007) (complaint must contain factual content to state plausible claim)
- Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097 (9th Cir. 2003) (Rule 9(b) applies to all averments of fraud in federal court; strip insufficient fraud averments)
- Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035 (9th Cir. 2010) (standard for Rule 12(b)(6) dismissal)
- Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (data-breach context: contractual/unjust-enrichment theories survive where plaintiffs tie privacy promises to contract obligations)
- McCarthy Fin., Inc. v. Premera, 182 Wash.2d 936 (Wash. 2015) (filed-rate doctrine bars damages requiring re‑calculation of insurance premiums already deemed reasonable by regulator)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach plaintiffs adequately plead link between breach and subsequent fraudulent charges to survive motion to dismiss)