613 F.Supp.3d 1284
S.D. Cal.
2020
Read the full case

Background

  • Solara Medical Supplies suffered a cybersecurity breach in mid-2019 that accessed employee Office 365 accounts and allegedly exposed tens of thousands of customers’ personal and medical information (names, DOBs, SSNs, medical and insurance data, some financial data).
  • Six individual plaintiffs from multiple states received breach notification letters in November 2019 (months after discovery) and alleged harms including time spent mitigating, anxiety/stress, spam/phishing, billing/insurance changes, and unexplained credit inquiries.
  • Plaintiffs filed a consolidated putative nationwide class action asserting negligence, contract and warranty claims, CMIA, California Consumer Records Act, UCL, and several state consumer-protection and data-notice claims.
  • Solara moved to dismiss under Rules 12(b)(6) and 9(b); Plaintiffs relied on various documents (Notice of Privacy Practices, Patient Bill of Rights) and alleged Solara’s Office 365 accounts were unencrypted and inadequately secured.
  • The court denied dismissal of most claims on the pleadings (finding plaintiffs alleged concrete non-economic harms, plausible breaches, and statutory/contractual theories), granted limited dismissals where pleading particularity or a separate cause was deficient, and gave leave to amend in 30 days.

Issues

Issue Plaintiff's Argument Defendant's Argument Held
Negligence (CA) Plaintiffs pled non-economic harm, duty, causation Economic-loss rule bars tort; insufficient causation Negligence claim survives; non-economic harms and time spent are adequate
Negligence per se Statutory violations support presumption Not an independent cause; improper pleading Dismissed without prejudice; may plead facts supporting doctrine within negligence claim
Breach of express contract Privacy notices & Patient Bill of Rights created contractual duties Plaintiffs failed to identify contract terms or damages Express contract claim survives; dissemination of PII can be cognizable damages
Breach of implied contract Alternative to express contract Survives at pleading stage
Breach of implied covenant Security failures show conscious/deliberate conduct No conscious act alleged Survives; facts accepted at pleading stage, summary judgment better venue for merits
Unjust enrichment Plaintiffs seek restitution for unjust benefit Defendant says no independent CA cause Survives; CA recognizes unjust enrichment claims post-Hartford
CMIA (Cal. Civ. Code §56.101/56.36) No need to allege affirmative disclosure; letters and post-breach spam plausibly show unauthorized viewing CMIA requires affirmative communication and actual viewing not pled CMIA claim survives; plaintiffs plausibly alleged unauthorized access/viewing
CA Consumer Records Act (§1798.82) — delayed notice Delay prevented mitigation; plaintiffs allege incremental harm No incremental harm from delay alleged Survives; plaintiffs alleged incremental harm from ~5-month delay
UCL — standing Benefit-of-the-bargain / diminished value of PII No loss of money or property alleged Standing satisfied; benefit-of-the-bargain losses cognizable under UCL
UCL — fraud/9(b) misrepresentation Solara’s privacy statements were false/misleading Fraud claims lack particularity/who saw what statements Fraud-based UCL claims premised on policies/ToS plaintiffs did not allege seeing are dismissed as to those statements; leave to amend allowed
UCL — omission/unlawful/unfair prongs Solara had exclusive knowledge and omitted material facts; violated statutes No duty to disclose; no predicate statutory violations Omission, unlawful, and unfair prongs survive at pleading stage
State consumer-protection and notice claims (CUTPA, MCPA, ITPA, NCUDTPA, PA UTPCPL) Benefit-of-the-bargain and non-economic injuries; delayed notice caused harm Lack of standing or insufficient particularity for fraud-based allegations Most state claims survive on standing; fraud-based misrepresentation allegations relying on ToS/PrivacyPolicy exposure were dismissed as to those documents with leave to amend
Declaratory / Injunctive relief Plaintiffs seek forward-looking relief Relief cannot be independent cause Declaratory relief stands; injunctive relief should be pleaded as a remedy (not a separate cause)

Key Cases Cited

  • Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097 (9th Cir. 2008) (12(b)(6) dismissal standard)
  • Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility pleading standard)
  • Ashcroft v. Iqbal, 556 U.S. 662 (2009) (plausibility pleading standard)
  • Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025 (9th Cir. 2008) (accept factual allegations at pleading stage)
  • In re Gilead Scis. Secs. Litig., 536 F.3d 1049 (9th Cir. 2008) (courts need not accept unwarranted deductions)
  • Kearns v. Ford Motor Co., 567 F.3d 1120 (9th Cir. 2009) (Rule 9(b) applies to certain fraud-based claims)
  • Swartz v. KPMG LLP, 476 F.3d 756 (9th Cir. 2007) (fraud pleading: time, place, content)
  • Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097 (9th Cir. 2003) (fraud pleading who/what/when/where/how)
  • DeSoto v. Yellow Freight Sys., 957 F.2d 655 (9th Cir. 1992) (leave to amend standard)
  • Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 F.2d 1393 (9th Cir. 1986) (leave to amend standard)
  • Robinson Helicopter Co. v. Dana Corp., 34 Cal.4th 979 (Cal. 2004) (economic loss doctrine)
  • Seely v. White Motor Co., 63 Cal.2d 9 (Cal. 1965) (economic loss principle)
  • Corales v. Bennett, 567 F.3d 554 (9th Cir. 2009) (elements of negligence under California law)
  • Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (Cal. 2011) (UCL standing and economic injury)
  • Regents of Univ. of Cal. v. Superior Court, 220 Cal.App.4th 549 (Cal. Ct. App. 2013) (CMIA requires unauthorized viewing to invoke remedies)
  • Sutter Health v. Superior Court, 227 Cal.App.4th 1546 (Cal. Ct. App. 2014) (CMIA interpretation)
  • Hartford Cas. Ins. Co. v. J.R. Mktg., 61 Cal.4th 988 (Cal. 2015) (recognition of unjust enrichment claims under CA law)
  • In re Facebook Privacy Litigation, [citation="572 F. App'x 494"] (9th Cir. 2014) (dissemination of personal information can support damages)
  • Low v. LinkedIn Corp., 900 F. Supp.2d 1010 (N.D. Cal. 2012) (elements and damages for breach of contract)
  • Young v. Facebook, Inc., 790 F. Supp.2d 1110 (N.D. Cal. 2011) (must plead specific contract provisions breached)
Read the full case