83 Cal.App.5th 515
Cal. Ct. App.2022Background
- Centrelake Medical Group operated clinics and published a Notice of Privacy Practices promising to safeguard patients’ personal identifying information (PII), which was incorporated into patients’ contracts.
- Between Jan. 9 and Feb. 19, 2019 Centrelake suffered a cybersecurity incident; plaintiffs allege hackers stole and publicly disseminated patient PII; Centrelake’s April 2019 notice acknowledged possible access and advised monitoring credit.
- Plaintiffs (Moore, Joy, McKinley) sued on behalf of a putative class for breach of contract (and covenant), negligence, and UCL violations, alleging (1) they overpaid for services because promised data security was not provided, (2) out-of-pocket and time costs (credit/identity monitoring), and (3) loss of value of their PII.
- Centrelake demurred, arguing plaintiffs failed to plead cognizable injury and that the negligence claim was barred by the economic loss rule; trial court sustained the demurrer without leave to amend and entered judgment dismissing all claims.
- On appeal the court: reversed dismissal of UCL and contract claims (finding plaintiffs adequately pled benefit-of-the-bargain injury and that McKinley adequately pled monitoring-cost injury), but affirmed dismissal of the negligence claim under the economic loss rule and upheld denial of leave to amend.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| UCL standing — benefit-of-the-bargain | Plaintiffs paid market prices relying on Centrelake’s privacy promises and thus paid more than they would have otherwise. | Misrepresentations about data security were incidental to medical services; plaintiffs received medical care so no cognizable economic loss. | Reversed: under Kwikset plaintiffs adequately alleged they surrendered more in the transaction (benefit-of-the-bargain) and thus pleaded UCL standing. |
| UCL standing — monitoring costs | McKinley bought credit/identity monitoring reasonably and necessarily because of the breach; others spent time monitoring credit. | Time spent is speculative/non-cognizable; purchases were precautionary and not compensable. | Reversed as to McKinley: purchase of monitoring services is a cognizable economic injury under Kwikset; time-only allegations are more tenuous. |
| Contract damages — benefit-of-the-bargain & monitoring costs | Breach deprived plaintiffs of the promised data-security performance; value of promised security is the proper contract-damages measure; McKinley’s monitoring costs are foreseeable consequential damages. | Data security was incidental; implausible to say patients paid extra for data protection. | Reversed: plaintiffs sufficiently pled general contract damages (value of promised security) and McKinley pled recoverable consequential (monitoring) damages; foreseeability and reasonableness remain factual. |
| Negligence — economic loss rule & leave to amend | Contracting parties had a special relationship; HIPAA imposed an independent duty; lost time is non-economic; leave to allege future medical-test costs should be allowed. | Economic loss rule bars tort recovery for purely economic harms tied to contract; no independent duty alleged; monitoring/time are economic. | Affirmed: negligence barred by economic loss rule because claims arise from contract privity; lost time is economic; trial court did not abuse discretion in denying leave to amend as plaintiffs failed to show how amendment would cure the legal bar. |
Key Cases Cited
- Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (Cal. 2011) (UCL standing requires injury in fact and loss of money or property; benefit-of-the-bargain can establish economic injury)
- Sheen v. Wells Fargo Bank, N.A., 12 Cal.5th 905 (Cal. 2022) (explains economic loss rule and when tort claims between contracting parties are barred)
- Lewis Jorge Constr. Mgmt., Inc. v. Pomona Unified Sch. Dist., 34 Cal.4th 960 (Cal. 2004) (distinguishes general (expectation) and special (consequential) contract damages)
- New West Charter Middle Sch. v. Los Angeles Unified Sch. Dist., 187 Cal.App.4th 831 (Cal. Ct. App. 2010) (contract damages measure as value of promised performance)
- In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005) (rejects contract damages theory premised on loss of market value of PII where plaintiffs had no expectation to monetize their data)
- Pruchnicki v. Envision Healthcare Corp., [citation="845 F. App'x 613"] (9th Cir. 2021) (affirming dismissal where plaintiff failed to plead actual diminution in value of her PII following breach)
- Bass v. Facebook, Inc., 394 F. Supp. 3d 1024 (N.D. Cal. 2019) (district court view that time spent responding to data-breach effects may be non-economic; court here declined to follow Bass)
- In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015) (plaintiffs failed to allege they intended to participate in a market for their data; loss-of-value theory insufficient for standing)