501 F.Supp.3d 898
S.D. Cal.2020Background:
- Inmediata Health Group provided billing and electronic health record services and in Jan. 2019 experienced a data incident that allegedly made PHI of ~1,565,338 individuals publicly accessible due to an erroneous webpage indexing setting.
- Plaintiffs received notice letters in April 2019 stating certain medical data may have been publicly available; Inmediata did not offer credit monitoring or fraud insurance.
- Plaintiffs filed a putative class action (FAC filed May 19, 2020) asserting negligence, breach of contract, unjust enrichment, CMIA, CCPA, CCRA, MHRA, and California constitutional privacy claims, among others.
- Inmediata moved to dismiss under Fed. R. Civ. P. 12(b)(1) and (6); the court held the FAC’s standing allegations sufficient and declined to dismiss for lack of Article III jurisdiction.
- On the merits the court: denied dismissal of negligence, breach of contract, CMIA §§56.101/56.36 (negligent maintenance/release), CCPA, CCRA, MHRA, and California constitutional privacy claims; granted dismissal of unjust enrichment and CMIA §56.10 ("disclosure") claim.
Issues:
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing | CMIA violation and dissemination of sensitive medical data are concrete injuries; time/money spent and increased spam support injury | No concrete, particularized injury; no evidence unauthorized persons actually viewed data | Standing denied as grounds to dismiss — Plaintiffs adequately alleged concrete, particularized injury based on CMIA and related allegations |
| CMIA §56.10 ("disclose") | Posting made info publicly available — an affirmative communicative act | No intentional affirmative disclosure; posting/errant setting not a statutory "disclosure" | §56.10 claim dismissed — plaintiff failed to plead plausible affirmative communicative act |
| CMIA §§56.101 & 56.36 (negligent maintenance/release) | Negligent preservation/release of medical records made info viewable online; nominal damages available without proof of actual harm | No allegation that unauthorized persons actually viewed/downloaded data | Claims survive — allegations that records were viewable and were viewed by unauthorized persons are sufficient at pleading stage |
| Negligence (duty, causation, damages; economic-loss) | Inmediata owed duty to safeguard medical data; plaintiffs spent time/money responding and suffered increased phishing | Economic-loss doctrine bars tort recovery absent personal injury/property damage; insufficient causation (no proof of misuse) | Negligence claim survives at pleading stage — economic-loss argument rejected for now; duty, breach, lost time/out-of-pocket plausibly alleged though White’s specific fraud allegation was weak |
| Breach of contract (third-party beneficiary) | Plaintiffs are intended third-party beneficiaries of contracts requiring data protection; invasion of privacy suffices for damages | Allegations conclusory; no contract language identified; damages speculative | Claim survives plausibly — pleading on information and belief and alleged substance of contract terms sufficient pre-discovery; alleged damages adequate for now |
| CCPA / CCRA / MHRA / CA constitutional privacy | Exposure of non-encrypted personal info and delay in notice caused harm and statutory violations; medical privacy implicates CA constitutional privacy | CCPA inapplicable to CMIA-covered medical info; plaintiffs fail to allege unauthorized access/viewing or incremental harm from delayed notice | Claims under CCPA, CCRA, MHRA, and California constitutional privacy survive at pleading stage (CCPA claim limited to non-CMIA personal info); alleged delay and exposure suffice for now |
| Unjust enrichment | Plaintiffs concede limited claim | Inmediata sought dismissal | Unjust enrichment claim dismissed under California law |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (framework for concreteness of statutory injuries)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (elements of Article III standing)
- Campbell v. Facebook, Inc., 951 F.3d 1106 (9th Cir. 2020) (privacy-statute violations can be concrete injuries)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (privacy statutes codify substantive privacy rights supporting standing)
- Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) (statutory privacy violations reflect historically protected privacy harms)
- Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) (statutory privacy harms resemble common-law privacy torts)
- Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037 (9th Cir. 2017) (privacy/annoyance harms confer standing under privacy statutes)
- Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017) (procedural statutory violations may be concrete depending on context)
- Sutter Health v. Superior Court, 227 Cal. App. 4th 1546 (Cal. Ct. App. 2014) (CMIA "disclose" requires affirmative communicative act)
- Regents of Univ. of Cal. v. Superior Court, 220 Cal. App. 4th 549 (Cal. Ct. App. 2013) (CMIA negligent maintenance/release requires unauthorized viewing to recover damages)
- Hill v. Nat'l Collegiate Athletic Assn., 7 Cal. 4th 1 (1994) (elements for California constitutional privacy claim)