Re: Dkt. No. 410, 413
Plaintiffs
Before the Court are separate motions to dismiss Plaintiffs’ consolidated amended complaint (“CAC”) filed by the Anthem and Non-Anthem Defendants. See ECF No. 334-6 (“CAC”); ECF No. 410 (“Anthem Mot.”); ECF No. 413 (“Non-Anthem Mot.”). Having considered the parties’ submissions, the relevant law, and the record in this case, the Court hereby GRANTS in part and DENIES in part the Anthem Defendants’ motion to dismiss and GRANTS in part and DENIES in part the Non-Anthem Defendants’ motion to dismiss.
I. BACKGROUND
A. Factual Background
Defendant Anthem, Inc. (“Anthem”) is one of the largest health benefits and health insurance companies in the United States. CAC ¶ 109. Anthem serves its members through various Blue Cross Blue Shield (“BCBS”) licensee affiliates and other non-BCBS affiliates. Id. ¶ 155. Anthem also cooperates with the Blue Cross Blue Shield Association (“BCBSA”) and several independent BCBS licensees via the BlueCard program. Id. ¶ 156. “Under the BlueCard program, members of one BCBS licensee may access another BCBS licensee’s provider networks and discounts when the members are out of state.” Id.
In order to provide certain member services, the Anthem and Non-Anthem Defendants “collect, receive, and access their customers’ and members’ extensive individually identifiable health record information.” Id. ¶ 157. “These records include personal information (such as names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data) and individually-identifiable health information (pertaining to the individual claims process, medical history, diagnosis codes, payment and billing records, test records, dates of service,
Anthem maintains a common computer database which contains the PII of current and former members of Anthem, Anthem’s affiliates, BCBSA, and independent BCBS licensees. Id. ¶ 158. In total, Anthem’s database contains the PII of approximately 80 million individuals. Id. ¶ 204. According to Plaintiffs, both the Anthem and Non-Anthem Defendants promised their members that their PII would be protected. Blue Cross of California, for instance, mailed the following privacy notice to its members:
We keep your oral, written and electronic [PII] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [PII] safe include securing offices that hold [PII], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [PII] through written policies and procedures .... Also, where required by law, our affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [PII] to others without your written OK, except as allowed by law and outlined in this notice.
Id. ¶ 168 (emphasis removed). In February 2015, Anthem announced to the public that “cyberattackers had breached the Anthem Database, and [had] accessed [the PII of] individuals in the Anthem Database.” Id. ¶ 203. This was not the first time that Anthem had experienced problems with data security. In late 2009, approximately 600,000 customers of Wellpoint (Anthem’s former trade name) “had their personal information and protected healthcare information compromised due to a data breach.” Id. ¶ 194. In addition, in 2013, the U.S. Department of Health and Human Services fined Anthem $1.7 million for various HIPAA violations related to data security. Id. ¶ 195. Finally, in 2014, the federal government informed Anthem and other healthcare companies of the possibility of future cyberattacks, and advised these companies to take appropriate measures, such as data encryption and enhanced password protection. Id. ¶¶ 200-01.
Plaintiffs allege that Defendants did not sufficiently heed these warnings, which allowed cyberattackers to extract massive amounts of data from Anthem’s database between December 2014 and January 2015. Id. ¶ 226. After Anthem discovered the extent of this data breach, it proceeded to implement various containment measures. Id. ¶ 232. The cyberattacks ceased by January 31, 2015. Id. In addition, after learning of the cyberattacks, Anthem proceeded to retain Mandiant, a cybersecurity company, “to assist in assessing and responding to the Anthem Data Breach and to assist in developing security protocols for Anthem.” Id. ¶ 207. Mandiant’s work culminated in the production of an Intrusion Investigation Report (“Mandiant Report”), which Mandiant provided to Anthem in July 2015. Id.
According to Plaintiffs, the Mandiant Report found that “Anthem and [its] Affiliates [had] failed to take reasonable measures to secure the [PII] in their possession.” Id. ¶ 236. Likewise, Plaintiffs allege that “Anthem and Anthem Affiliates [] lacked reasonable encryption policies.” Id. ¶ 237. Additionally, “BCBSA and non-Anthem BCBS allowed the [PII] that their current and former customers and members had entrusted with them to be placed into the Anthem Database even though there were multiple public indications and warnings that the Anthem and Anthem
B. Procedural History
A number of lawsuits were filed against the Anthem and Non-Anthem Defendants in the wake of the Anthem data breach. In general, these lawsuits bring putative class action claims alleging (1) failure to adequately protect Anthem’s data systems, (2) failure to disclose to customers that Anthem did not have adequate security practices, and (3) failure to timely notify customers of the data breach.
In spring 2015, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) (“When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings.”). On June 12, 2015, the Judicial Panel on Multidistrict Litigation (“JPML”) issued a transfer order selecting the undersigned judge as the transferee court for “coordinated or consolidated pretrial proceedings” in the multidistrict litigation (“MDL”) arising out of the Anthem data breach. See ECF No. 1 at 1-3.
On September 10, 2015, the Court held a hearing to appoint Lead Plaintiffs’ counsel. Following this hearing, the Court issued an order appointing Co-Lead Plaintiffs’ counsel and requesting that counsel file a single consolidated amended complaint by October 19, 2015. ECF No. 284 at 2. On October 19, 2015, Plaintiffs filed their consolidated amended complaint, which organized Plaintiffs’ causes of action into thirteen different counts, with claims pursuant to various state and federal laws asserted under each count. The complaint’s prayer for relief included requests for class certification, injunctive relief, and damages.
On this final form of relief, Plaintiffs seek damages arising from four separate economic losses. First, Plaintiffs allege that they “paid Anthem money for services that should have included protecting their [PII] from unauthorized disclosure”; Plaintiffs refer to these losses as “Benefit of the Bargain” losses. ECF No. 424 at 3. Second, Plaintiffs seek recovery for “the theft of Plaintiffs’ [PII],” which Plaintiffs refer to as the “Loss of Value of PII.” Id. Third, Plaintiffs allege that many class members “incurred out-of-pocket losses, including delayed tax returns, and the time and costs of credit monitoring.” Plaintiffs refer to these losses as “Out of Pocket” costs. Id. Finally, Plaintiffs allege that all class members “are at significant risk of imminent identity theft...as a result of the exfiltration of their [PII],” which Plaintiffs refer to as the “Imminent Risk of Further Costs.” Id.
At the October 25, 2015 case management conference, the Court determined that the Anthem Defendants and Non-Anthem Defendants would file separate motions to dismiss. Both motions would be “limited to a combined total of 10 claims, with 5 claims selected by Plaintiffs, 3 claims selected by the Anthem Defendants, and 2 claims selected by the [Non-Anthem Defendants].” ECF No. 326 at 2-3. At the November 10, 2015 case management con
On November 23, 2015, the Anthem Defendants and Non-Anthem Defendants filed their respective motions to dismiss. ECF No. 410 (“Anthem Mot.”); ECF No. 413 (“Non-Anthem Mot.”). Plaintiffs filed their oppositions on December 21, 2015, and the Anthem Defendants and Non-Anthem Defendants filed their replies on January 19, 2016. ECF No. 424 (“Anthem Opp’n”); ECF No. 425 (“Non-Anthem Opp’n”); ECF No. 432 (“Anthem Reply”); ECF No. 433 (“Non-Anthem Reply”).
II. LEGAL STANDARD
A. Motion to Dismiss
Pursuant to Federal Rule of Civil Procedure 12(b)(6), a defendant may move to dismiss an action for failure to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly,
Nonetheless, the Court is not required to “ ‘assume the truth of legal conclusions merely because they are cast in the form of factual allegations.’ ” Fayer v. Vaughn,
For purposes of motions to dismiss, as with virtually all motions touching upon substantive legal matters, the general rule “is that the MDL transferee court is generally bound by the same substantive legal standards, if not always the same interpretation of them, as would have applied in the transferor court.” In re Korean Air Lines Co., Ltd.,
B. Leave to Amend
Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend “shall be freely granted when justice so requires,” bearing in mind “the underlying purpose of Rule 15 to facilitate decision on the merits, rather than on the pleadings or technicalities.” Lopez v. Smith,
III. DISCUSSION
A. Standing
Before addressing any of the specific claims at issue, the Court turns first to the
Second, the consolidated amended complaint fails “to allege any facts regarding ten Non-Anthem Defendants with respect to” the selected claims at issue in the instant motions to dismiss. Non-Anthem Mot. at 1 (emphasis removed).
Third, the consolidated amended complaint fails to allege any specific facts as to Plaintiffs’ Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, New York unjust enrichment, New York General Business Law § 349, and California Unfair Competition Law claims against 16 of the 17 Non-Anthem Defendants. Specifically, the consolidated amended complaint identifies a New Jersey Plaintiff — Elizabeth Ames — who was enrolled in a plan managed by Non-Anthem Defendant Horizon Blue Cross Blue Shield of New Jersey. See CAC ¶ 146; Non-Anthem Mot. at 3. Plaintiffs have thus properly asserted a New Jersey breach of contract claim against Horizon Blue Cross Blue Shield of New Jersey, but have not alleged any specific facts as to the remaining 16 Non-Anthem Defendants. The Non-Anthem Defendants therefore request dismissal of those Non-Anthem Defendants who have not had any specific facts alleged against them as to Plaintiffs’ Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, New York unjust enrichment, New York General Business Law § 349, and California Unfair Competition Law claims.
All three of these arguments implicate the same thorny legal question: when, in the context of a nationwide consumer class action, should a federal court address issues of standing? Indeed, “[a]lthough standing is a ‘threshold issue’ usually considered at the outset of the case,” two U.S. Supreme Court decisions — Amchem Products, Inc. v. Windsor,
Neither Amchem nor Windsor, however, created a blanket exception for standing in
On this particular question, the Court finds instructive the reasoning in In re Carrier IQ. In In re Carrier IQ, the district court undertook a comprehensive analysis of U.S. Supreme Court and Ninth Circuit precedent, decisions from various federal district courts, and pertinent legal scholarship. See id. After surveying these sources in detail, the In re Carrier IQ court concluded “that it ha[d] the discretion to defer questions of standing until after class certification” — which it could decide to exercise on a case by case (or even an issue by issue) basis. Id. at 1074. In exercising this discretion, the In re Carrier IQ court noted that a district court might consider factors such as the cost and burden of discovery, “the breadth of the proposed class and the number of state law claims asserted on behalf of the class,” and whether a named plaintiff’s “claim is typical of those individuals whose claims arise under the laws of ... other states.” Id. at 1072-75. Following In re Carrier IQ, the Court finds that it has discretion to decide in the instant action when to consider issues of standing, and shall exercise this discretion as follows.
1. All Claims as to Three Non-Anthem Defendants
As to Blue Cross and Blue Shield of Arizona, Inc., BlueCross BlueShield of Tennessee, Inc., and Highmark West Virginia, Inc., “not one of the 98 named plaintiffs in the CAC alleges that he or she was insured by or had any connection with” these entities. Non-Anthem Mot. at 2. The Non-Anthem Defendants request that these three entities be dismissed from this action in its entirety. The Court finds the Non-Anthem Defendants’ contentions well taken, for the reasons stated below.
First, each of the factors described in In re Carrier IQ weighs in favor of the Court addressing standing questions at the outset of this litigation, rather than deferring such questions until class certification. As to the cost and burden of discovery, for instance, the Court observes that the parties must litigate the selected claims “through two motions to dismiss, through class cert[ification], [and] through summary judgment.” ECF No. 359 at 60. The parties expect discovery to be expensive and time-consuming. As this action moves
In addition, there are nearly 80 million potential class members, with each class member asserting a variety of state and federal law claims. Deferring questions of standing until class certification would only make the Court’s class certification decision all the more unwieldy, and would not be in the interest of promoting efficient litigation. See In re Carrier IQ,
Furthermore, as the parties acknowledge, there are subtle but significant differences in the various state and federal law claims at issue. Plaintiffs might, for instance, be able to move forward with a breach of contract claim under California law but not a breach of contract claim under the law of a different state. Under such circumstances, grouping all Non-Anthem Defendants together — particularly those who have had no specific factual allegations asserted against them — makes little sense. See id. at 1072 (holding that deferring issues of standing until after class certification may be appropriate where a claim brought by an individual with standing “is typical of those individuals whose claims arise under the laws of the other states.”).
In addition to the specific In re Carrier IQ factors discussed above, Plaintiffs acknowledge that “named Plaintiffs from a particular state do not bring their individual state law claims against Non-Anthem Defendants with whom they did not have a relationship.” Non-Anthem Opp’n at 5; see also Armstrong v. Davis,
As a final point, in this particular instance, case law appears to tilt in the Non-Anthem Defendants’ favor. In In re Carrier IQ, for instance, the district court addressed standing prior to class certification and “require[d] the [p]laintiffs to present a named class member who possesses individual standing to assert each state law’s claims against Defendants.”
Plaintiffs’ attempt to distinguish this line of cases by relying on In re Target is unavailing. Although the In re Target court did defer issues of standing until after class certification, the district court reasoned that, “[a]s Target undoubtedly knows, there are consumers in Delaware, Maine, Rhode Island, Wyoming, and the District of Columbia whose personal financial information was stolen in the 2013 breach.”
This same principle does not apply with equal force in the instant case. Here, unlike in In re Target, Plaintiffs do not bring their claims against a single nationwide entity. Instead, Plaintiffs have brought suit against Anthem, 28 Anthem affiliates, and 17 Non-Anthem Defendants. The Non-Anthem Defendants do not dispute that the Anthem data breach affected upwards of 80 million individuals, and that these individuals have standing to bring their claims against at least some Defendants. The Non-Anthem Defendants, however, contest whether three specific Non-Anthem Defendants should remain in this action when not a single named Plaintiff has been able to assert any specific factual allegations against these three Non-Anthem Defendants. Unless and until Plaintiffs demonstrate otherwise, the Court finds that there is little use in keeping these three Non-Anthem Defendants in this action.
Accordingly, the Court DISMISSES Blue Cross and Blue Shield of Arizona, Inc., BlueCross BlueShield of Tennessee, Inc., and Highmark West Virginia, Inc. from this action in its entirety. Plaintiffs, however, shall have leave to amend. It is possible that Plaintiffs may be able to assert specific factual allegations against the three Non-Anthem Defendants listed above by, for instance, adding a new named Plaintiff. See Lopez,
2. All Selected Claims as to Ten Non-Anthem Defendants
For substantially the same reasons, the Court also GRANTS with leave to amend the Non-Anthem Defendants’ motion to dismiss the ten selected claims at issue in the instant motion to dismiss against Blue Cross and Blue Shield of Alabama; Blue Cross and Blue Shield of Arizona, Inc.; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Highmark West Virginia, Inc.; BlueCross BlueShield of Tennessee, Inc.; Blue Cross and Blue Shield of Vermont; and Blue Cross and Blue Shield of Illinois.
As noted above, the consolidated amended complaint fails to allege any specific facts regarding these ten Non-Anthem Defendants with respect to the selected claims at issue in the instant motions to
3. Selected Claims as to Most Non-Anthem Defendants
Finally, the Non-Anthem Defendants request that the Court dismiss Plaintiffs’ Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, California Unfair Competition Law (“UCL”), New York unjust enrichment, and New York General Business Law (“GBL”) § 349 claims against all Non-Anthem Defendants about whom the consolidated amended complaint makes no factual allegations.
As an initial matter, this argument is moot with respect to Plaintiffs’ Indiana negligence and Kentucky Consumer Protection Act claims. As discussed in greater detail below, Plaintiffs cannot maintain these claims as a matter of law. These claims will therefore be dismissed with prejudice.
That leaves the Court with the following four claims: New Jersey breach of contract, California Unfair Competition Law (“UCL”), New York unjust enrichment, and New York General Business Law (“GBL”) § 349. Although the Non-Anthem Defendants acknowledge that Plaintiffs have properly brought these claims against at least one Anthem or Non-Anthem Defendant, the Non-Anthem Defendants contend that there is little point in keeping all Non-Anthem Defendants in this litigation with respect to these particular claims. The Court agrees.
Consistent with its reasoning throughout this section, the Court finds that it would be improvident to require all 17 non-Anthem Blue Cross Blue Shield Defendants to answer for a claim when Plaintiffs assert factual allegations against only a handful of these 17 Defendants. The breadth and complexity of this action make streamlining this litigation all the more important. Thus, the Court GRANTS the Non-Anthem Defendants’ motion to dismiss Plaintiffs’ Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, California Unfair Competition Law (“UCL”), New York unjust enrichment, and New York General Business Law (“GBL”) § 349 claims against all Non-Anthem Defendants about whom the consolidated amended complaint makes no factual allegations. As above, Plaintiffs shall have leave to amend.
B. Indiana Negligence (against Anthem and Non-Anthem Defendants)
“The elements of a negligence claim under Indiana law are: (1) a duty owed to plaintiff by defendant, (2) breach of duty by allowing conduct to fall below
Defendants contend that Plaintiffs’ negligence claim fails for three reasons. First, Defendants assert “that Indiana law does not allow a cause of action in tort against a database owner for failing to protect adequately personal information.” Anthem Mot. at 2. Second, Defendants argue that the economic loss doctrine bars recovery for Defendants’ alleged negligence. Id. at 3. Third, Defendants contend that the allegations in the consolidated amended complaint fail to establish proximate causation. Non-Anthem Mot. at 8.
As to whether Indiana law provides Plaintiffs a private cause of action, the parties acknowledge that no Indiana court has yet ruled on this question. The Court therefore looks to the law of the Seventh Circuit, of which Indiana is a part. On this point, the Court finds instructive the Seventh Circuit’s decision in Pisciotta v. Old National Bancorp. In Pisciotta, Old National Bancorp (“ONB”) maintained a website containing the personal information of potential customers. In 2005, ONB learned that its website had been hacked, and ONB subsequently informed affected potential customers of this breach. Upon receiving this information, Luciano Pisciotta (“Pisciotta”) and Daniel Mills (“Mills”) proceeded to file a putative class action complaint against ONB. As in the instant case, the Pisciotta complaint asserted a negligence claim under Indiana law. The District Court for the Southern District of Indiana determined that Pisciotta and Mills could not bring such a claim as a matter of law, and granted ONB’s motion for judgment on the pleadings.
In reaching this conclusion, the Seventh Circuit first observed that “Neither the parties’ efforts nor our own have identified any Indiana precedent addressing” whether “Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing compensable injury and consequent damages required to state a claim for negligence.” Id. at 635. Accordingly, “[w]ithout state authority to guide us, ‘[w]hen given a choice between an interpretation of [state] law which reasonably restricts liability, and one which greatly expands liability, we should” — as a general matter — “choose the narrower and more reasonable path (at least until the [state] Supreme Court tells us differently).’ ” Id. at 635-36 (quoting Todd v. Societe Bic, S.A.,
With this general canon of interpretation in mind, the Seventh Circuit further observed that “the Indiana authority most closely addressed to the issue” — a series of statutes enacted by the Indiana legislature in 2006 — weighed against finding that Pisciotta and Mills could assert a private right of action against ONB. Id. at 636-37. The statutory provisions “applicable to private entities storing personal information require only that a database owner disclose a security breach to potentially affected consumers; they do not require the database owner to take any other affirmative act in the wake of a breach.” Id. at 637. Moreover, “[i]f the database owner fails to comply with the only affirmative duty imposed by the statute — the duty to disclose — the
The Seventh Circuit went on to reject the view “that the statute is evidence that the Indiana legislature believes that an individual has suffered a compensable injury at the moment his personal information is exposed because of a security breach.” Id. Indeed, “given the novelty of the legal questions posed by information exposure and theft, it is unlikely that the legislature intended to sanction the development of common law tort remedies that would apply to the same factual circumstances addressed by the statute.” Id.
The Court finds Pisciotta persuasive for the following reasons. First, this Court, as an MDL court, “must apply the law of the transferor forum, that is, the law of the state in which the action was filed.” In re Vioxx Prods. Liab. Litig.,
Second, although Pisciotta was decided in 2007, the parties have identified no subsequent cases — state or federal — that have discussed Indiana’s data breach statutes. The Court has found none in its own research. Thus, Pisciotta continues to serve as the final word on how courts should interpret Indiana’s data breach statutes and, critically, whether individuals may maintain a private cause of action for negligence.
Third, the Pisciotta decision is consistent with the negligence law of other jurisdictions. In Amburgy v. Express Scripts, Inc.,
Similarly, in Willingham v. Global Payments, Inc.,
Third, and finally, Plaintiffs’ attempts to distinguish Pisciotta are unavailing. Plaintiffs, for instance, point to the fact that the Indiana legislature amended Indiana’s data breach statutes in 2009. The statutes now require database owners to “maintain reasonable procedures ... to protect and safeguard from unlawful use or disclosure any personal information,” a provision that did not exist at the time Pisciotta was decided. Anthem Opp’n at 4. The amendments also exempt some “database owners with security policies under HIPAA from some ... [statutory] requirements.” Anthem Mot. at 2 n.3. None of these amendments, however, address whether individual plaintiffs may maintain a private cause of action in negligence. Indiana’s data breach statutes continue to provide a single enforcement mechanism: an action brought by the state Attorney General. Ind. Code. Ann. § 24-4.9-4-2. The Court thus fails to see how the 2009 amendments give support to Plaintiffs’ attempts to maintain a private cause of action. Pisciotta was decided in 2007. The Indiana legislature, presumably aware of the Pisciotta decision, declined to provide plaintiffs a private cause of action when given the opportunity to amend the state’s data breach statutes in 2009.
Plaintiffs also contend that Indiana courts “frequently borrow from statutes that do not contain a private right of action to impose common law duties.” Anthem Opp’n at 4. Plaintiffs cite Kho v. Pennington,
There are two key flaws with Plaintiffs’ reliance on Kho. First, the fact that Indiana courts have recognized claims for statutory negligence in some cases does not suggest that this Court should recognize a private cause of action in the instant case. This point is all the more pronounced where, as here, the District Court for the Southern District of Indiana and the Seventh Circuit — two federal courts that are significantly more familiar with Indiana law than this Court — declined to recognize a private cause of action under nearly identical circumstances in Pisciotta. Cf. Butner v. United States,
Second — and relatedly — all of the decisions cited in Kho are Indiana Supreme Court or Indiana Court of Appeals decisions. None are federal court decisions, much less decisions by a federal court sitting in a different state. This result is, in the Court’s view, consistent with the view of the Seventh Circuit, that “[w]hen [a federal court is] given a choice between an interpretation of [state] law which reasonably restricts liability, and one which greatly expands liability, [the federal court] should choose the narrower and more reasonable path.” Todd,
Because Plaintiffs cannot pursue such a claim as a matter of law, the Court need not address Defendants’ arguments concerning the economic loss doctrine and proximate causation. Accordingly, Defendants’ motions to dismiss Plaintiffs’ Indiana negligence claim are GRANTED.
C. California Breach of Contract (against Anthem Defendants)
The consolidated amended complaint asserts against the Anthem Defendants a breach of contract claim under California law. Specifically, Plaintiffs allege that “Anthem and Anthem Affiliates did not satisfy their promises and obligations to Plaintiffs and Statewide Class Members under the contracts in that they did not take reasonable measures to keep Plaintiffs’ and Statewide Class Members’ [PII] secure and confidential and did not comply with the applicable laws, regulations, and industry standards.” CAC ¶ 305. In moving to dismiss Plaintiffs’ claim, the Anthem Defendants contend that “(a) the CAC fails to identify the contractual provisions that allegedly were breached, (b) the CAC fails to allege facts showing any breach caused Plaintiffs to suffer damages that are cognizable under California law, and (c) certain Plaintiffs’ claims are preempted by ERISA.” Anthem Mot. at 4.
As to whether the consolidated amended complaint identifies the contractual provisions that were breached, the Court observes that, “[u]nder California law, to state a claim for breach of contract a plaintiff must plead the contract, plaintiffs’ performance (or excuse for nonperformance), defendant’s breach, and damage to plaintiff therefrom.” Low v. LinkedIn Corp.,
The Court finds that the consolidated amended complaint fails to satisfy this requirement, based on a review of (1) the language in the consolidated amended complaint, (2) the language on Anthem’s public websites and in various privacy notices, (3) the exhibits submitted in connection with the consolidated amended complaint, and (4) relevant state and federal
1. Language in Consolidated Amended Complaint
First, with respect to the language in the consolidated amended complaint, Plaintiffs allege that class members “who purchased individual insurance plans from Anthem Affiliates or who received health insurance... under a contract between an employer... and Anthem or Anthem Affiliates had valid, binding, and enforceable express, third party beneficiary, or implied contracts with Anthem and Anthem Affiliates.” CAC ¶ 303.
However, under the section of the consolidated amended complaint titled “Breach of Contract,” id. ¶¶ 302-311, Plaintiffs do not refer to any contractual language or any contractual provisions that the Anthem Defendants allegedly breached. Instead, Plaintiffs state — without reference to an underlying contract or other documents — that class members provided “Anthem and/or Anthem Affiliates with their [PII].” Id. ¶ 303(a). In exchange, the Anthem Defendants promised “to protect [class members’ PII] in compliance with federal and state laws and regulations, including HIPAA, and industry standards.” Id. In the very next paragraph, Plaintiffs state that “[t]he terms of Plaintiffs’ and Statewide Class Members’ contracts with Anthem and Anthem Affiliates that concern the protection of Plaintiffs’ [PII] [are] set forth above.” Id. ¶ 304. However, this paragraph does not refer specifically to any other part of the consolidated amended complaint. The remaining paragraphs in this section do no better. One paragraph addresses Plaintiffs’ implied contract theory, id. ¶ 303(c), another paragraph alleges that Plaintiffs “fully performed their obligations under their contracts,” id. ¶ 307, and several paragraphs address the damages that Plaintiffs seek, id. ¶¶ 308-310. Considered together, none of these paragraphs identify a specific contractual provision that the Anthem Defendants breached.
These stray allegations mirror the facts in Young v. Facebook, where plaintiff stated in the complaint that “Facebook did not perform in accordance with the terms of [the] agreement in their Statement of Rights and Responsibilities contract by arbitrarily and impulsively handling [plaintiff’s] member account.” Young,
2. Language on Public Websites and in Privacy Notices
Plaintiffs, however, contend that the paragraphs discussed above constitute “only ... the summary language [of Plaintiffs’] breach of contract count.” Anthem Opp’n at 5. Instead, Plaintiffs note, “specific promises ... regarding data security” are located in paragraphs 161 through 170. Id. at 5-6. These paragraphs include language from the public websites of the Anthem Defendants and from statements made by the Anthem Defendants in various privacy notices. The website for every Anthem BCBS affiliate, for instance, states:
[PII] (including Social Security Number) Privacy Protection Policy [Name of Anthem BCBS Affiliate] maintains policies that protect the confidentiality of [PII], including Social Security numbers, obtained from its members and associates in the course of its regular business functions. [Name of Anthem BCBS Affiliate] is committed to protecting information about its customers and associates, especially the confidential nature of their [PII].
CAC ¶ 166 (second and fourth alterations in original). Likewise, Blue Cross of California mailed the following privacy notice to customers:
We keep your oral, written and electronic [PII] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [PII] safe include securing offices that hold [PII], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [PII] through written policies and procedures. These policies limit access to [PII] to only those employees who need the data to do their job. Employees are also required to wear ID badges to help keep people who do not belong out of areas where sensitive data is kept. Also, where required by law, our affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [PII] to others without your written OK, except as allowed by law and outlined in this notice.
Id. ¶ 163. Although this language is more specific than the conclusory paragraphs discussed above, this language still does not give rise to a viable California breach of contract claim.
First, the consolidated amended complaint provides no information on when the language at issue was posted onto the Anthem Defendants’ websites and when the various privacy notices were sent to class members. Clearly, such notices would be of little assistance to Plaintiffs’ claim if Plaintiffs received these notices after the data breach at issue.
More importantly, the consolidated amended complaint makes no attempt to connect the language in paragraphs 161 through 170 with the terms of Plaintiffs’ alleged contracts. At no point in paragraphs 161 through 170 do Plaintiffs allege that the privacy notices or public website statements were part of or were incorporated by reference into Plaintiffs’ contracts with the Anthem Defendants. In fact, the word “contract” does not appear at all in paragraphs 161 through 170. By this same token, under the section of the consolidated amended complaint titled “Breach of Contract,” id. ¶¶ 302-311, Plaintiffs do not at any point refer to the privacy notices or public websites discussed in paragraphs 161 through 170.
Plaintiffs can not bring a breach of contract claim based on language from documents that might have been issued after the alleged breach and based on language from documents that might not even have been part of the alleged contract. In reaching this conclusion, the Court returns to the legal principle discussed above: that, “[i]n an action for breach of a written contract, a plaintiff must allege the specific provisions in the contract creating the obligation the defendant is said to have breached.” Young,
3. Exhibits Submitted in Connection With Consolidated Amended Complaint
Plaintiffs have failed to submit any relevant exhibits, such as a copy of the contract between an Anthem Defendant and a California Plaintiff, which might counsel against dismissal. Although Plaintiffs are not required to submit such exhibits, these exhibits would certainly provide clarity on the scope and nature of the Anthem Defendants’ obligations. Thus, in Young, plaintiff included a copy of Facebook’s Statement of Rights and Responsibility with the complaint.
In fact, the only possibly relevant exhibits filed were submitted by the Anthem Defendants, not Plaintiffs. The Anthem Defendants, for instance, filed a copy of the Summary Plan Description under which Plaintiffs Daniel and Kelly Tharp allegedly received coverage. See ECF No. 411 at 1-2. This Plan Description includes a five page “Privacy Notice.” See ECF No. 411-4 at 58-62. This Privacy Notice provides a list of specific circumstances where Anthem or an Anthem affiliate might disclose a member’s personal health information. Id. The Notice further provides that “[o]ther than as stated above, the Health Plan will not disclose your health information other than with your written authorization.” Id. at 61. Moreover, “[t]he Health Plan is required by law to maintain the privacy of your health information and to provide you with this Notice of the Plan’s legal duties and privacy practices with respect to your health information. If you participate in an insured plan option, you will receive a notice directly from the Insurer.” Id. at 62. This final statement in the Summary Plan Description could plausibly be taken to incorporate by reference future privacy notices sent to class members.
However, the problem with relying on this Summary Plan Description is that Plaintiffs have, in the consolidated amended complaint, stated that such documents do not represent the contract between class members and the Anthem Defendants. See CAC ¶ 303(b) (“With respect to contracts between employers and Anthem and/or Anthem Affiliates, the applicable contract is the services agreement between the employer and Anthem and/or Anthem Affiliates, not the employer benefits plan document.”). Plaintiffs repeat this assertion in opposing the Anthem Defendants’ motion to dismiss. See Anthem Opp’n at 25 (describing Summary Plan Description documents as “non-enforceable”). Given Plaintiffs’ position, the Court can not rely upon the Summary Plan De
4. Incorporation of Applicable State and Federal Law
As a final point, Plaintiffs state that, “[u]nder California law, Defendants’ contracts necessarily incorporate applicable laws even absent specific promises.” Anthem Opp’n at 7 (citing Edwards v. Arthur Andersen LLP,
First, the consolidated amended complaint provides little guidance as to which “applicable laws” were incorporated into the contract. Instead, the consolidated amended complaint merely alleges that the Anthem Defendants were required to comply with “federal and state laws and regulations, including HIPAA, and industry standards.” CAC ¶ 303(a). In other words, outside of a single passing reference to HIPAA, Plaintiffs have provided little detail on what other laws, regulations, or standards the Anthem Defendants might have violated. As other district courts have noted, “plaintiffs must...do something more to allege a breach of contract claim than merely point to allegations of a statutory violation.” Wiebe v. NDEX West, LLC,
Second, Plaintiffs’ breach of contract claim reaches beyond mere violation of “applicable laws.” Plaintiffs, for instance, also allege that the Anthem Defendants’ actions ran afoul of certain “industry standards.” CAC ¶ 303(a). Thus, simply stating that Defendants’ contracts incorporate applicable laws does not accurately reflect the nature of Plaintiffs’ breach of contract claim.
In sum, after examining the consolidated amended complaint, the exhibits (or lack thereof) filed in connection with the consolidated amended complaint, and relevant case law and statutory authority, the Court finds that Plaintiffs have failed to identify the specific contractual provisions that were breached, as Plaintiffs must do in order to bring a breach of written contract claim under California law.
5. Breach of Implied Contract
In addition to Plaintiffs’ breach of express contract claim, Plaintiffs also state that “[b]y demanding and accepting Plaintiffs’ and Statewide Class Members’ [PII], Anthem and Anthem Affiliates entered into implied contracts with Plaintiffs and Statewide Class Members.” CAC ¶ 303(c). The consolidated amended complaint does not delve into additional detail on the terms and scope of this alleged implied contract. In moving to dismiss Plaintiffs’ California breach of contract claim, the Anthem Defendants contend that “[t]he CAC fails to allege any facts showing that [any] implied contracts existed beyond vague, conclusory allegations.” Anthem Mot. at 6. Relying upon both federal and state case law, the Anthem Defendants argue that Plaintiffs’ implied contract theory is not well taken. Id.
Plaintiffs declined to respond to these arguments in Plaintiffs’ opposition. See Anthem Opp’n at 6 n.7 (“The fact that Plaintiffs have pled theories of contract formation in the alternative is no reason to dismiss Plaintiffs’ breach of contract claims. This Court need not resolve now the merits of any challenge to these alternative theories of contract formation.”) (citation omitted). In light of Plaintiffs’ position, the Court finds Plaintiffs’ implied contract theory unavailing. If Plaintiffs intend to pursue an implied contract theory in lieu of an express contract claim, Plaintiffs must elaborate upon the nature and
6. Conclusion
The consolidated amended complaint fails to identify the contractual provisions that were breached. In addition, Plaintiffs’ opposition fails to respond to the Anthem Defendants’ arguments concerning Plaintiffs’ implied contract theory. Accordingly, the Court finds that Plaintiffs can not maintain a breach of contract claim under California law. The Anthem Defendants’ motion to dismiss Plaintiffs’ California breach of contract claim is therefore GRANTED. Pursuant to this decision, the Court need not address the Anthem Defendants’ arguments regarding contract damages and ERISA preemption.
However, Plaintiffs shall have leave to amend because the Court finds that amendment would not be futile. Plaintiffs may, for instance, be able to allege sufficient facts to show that the privacy notices were incorporated by reference into Plaintiffs’ contracts with the Anthem Defendants. Alternatively, Plaintiffs may be able to more specifically explain the scope and nature of their implied contracts with the Anthem Defendants. Plaintiffs’ California breach of contract claim is therefore DISMISSED with leave to amend.
D. New Jersey Breach of Contract (against Non-Anthem Defendants)
Plaintiffs have also asserted against the Non-Anthem Defendants a breach of contract claim under New Jersey law. Specifically, Plaintiffs allege that the Non-Anthem Defendants “did not satisfy their promises and obligations to Plaintiffs ... [because] they failed to ensure that Plaintiffs’ and Statewide Class Members’ [PII] would be secured as required by the contracts. Instead, Plaintiffs’ and Statewide Class Members’ [PII] was stored in the inadequately-secured Anthem Database and accessed and exfiltrated in the Anthem Data Breach.” CAC ¶ 316. In response, the Non-Anthem Defendants contend that the CAC “fails to identify the contractual provisions that allegedly were breached.” Non-Anthem Mot. at 4.
As the Non-Anthem Defendants acknowledge, these arguments essentially repeat the Anthem Defendants’ arguments concerning Plaintiffs’ California breach of contract claim. Id. at 4-6. As with Plaintiffs’ California breach of contract claim, the Court finds that the consolidated amended complaint fails to identify the relevant contractual provisions that were breached.
Indeed, as with California breach of contract claims, parties seeking “[t]o prevail on a breach of contract claim under New Jersey law” must “identify the specific contract or provision that was allegedly breached.” CIBC Inc. v. Grande Vill., LLC,
Moreover, although the Non-Anthem Defendants filed a copy of the policy provided to purchasers of the Horizon Blue Cross Blue Shield of New Jersey health plan, see ECF Nos. 414-1 & 414-2, which includes a section regarding privacy practices, Plaintiffs dispute that this exhibit constitutes a true and accurate copy of the policy agreement between Plaintiffs and the Non-Anthem Defendants, see Non-Anthem Opp’n at 8.
Accordingly, consistent with the Court’s determination as to Plaintiffs’ California breach of contract claim, the Non-Anthem Defendants’ motion to dismiss Plaintiffs’
E. New York Unjust Enrichment (against Anthem and Non-Anthem Defendants)
Plaintiffs assert an unjust enrichment claim under New York law against the Anthem and Non-Anthem Defendants. See, e.g., CAC ¶¶ 350-58. Specifically, Plaintiffs argue that Defendants “should not be permitted to retain the money belonging to Plaintiffs and Class Members because Defendants failed to implement (or adequately implement) the data security and security practices and procedures that Plaintiffs and Class Members paid for.” Id. ¶ 355. Defendants contend that this claim “should be dismissed because” such claims can not be brought “where there exists an enforceable express contract.” Anthem Mot. at 11. According to Defendants, Plaintiffs must, pursuant to New York law, bring their claim against Defendants as a breach of contract claim, and not as an unjust enrichment claim. See, e.g., Goldman v. Metro. Life Ins. Co.,
As the parties acknowledge, the viability of Plaintiffs’ New York unjust enrichment claim depends largely upon the viability of Plaintiffs’ breach of contract claims. See Anthem Mot. at 11; Anthem Opp’n at 11. As Plaintiffs point out, parties are barred from bringing unjust enrichment claims in New York where “there is a ‘valid written agreement, the existence of which is undisputed, and the scope of which clearly covers the dispute between the parties’ ” Anthem Opp’n at 11 (quoting Clark-Fitzpatrick, Inc. v. Long Island R.R. Co.,
Because Plaintiffs’ New York unjust enrichment claim depends upon Plaintiffs’ breach of contract claims, the Court DISMISSES Plaintiffs’ New York unjust enrichment claim. However, consistent with the Court’s ruling regarding Plaintiffs’ breach of contract claims, Plaintiffs shall have leave to amend their New York unjust enrichment claim.
F. California Unfair Competition Law (against Anthem and Non-Anthem Defendants)
California’s Unfair Competition Law (“UCL”) provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus & Prof. Code § 17200, et seq. “The UCL’s coverage is sweeping, and its standard for wrongful business conduct intentionally broad.” Moore v. Apple, Inc.,
Each prong of the UCL provides a separate and distinct theory of liability, Lozano v. AT&T Wireless Servs., Inc.,
1. Standing
a. Economic Injury
As to whether Plaintiffs have demonstrated “injury in fact” and “a loss of money or property caused by unfair competition,” Susilo,
(1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; or (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary
Id. at 885-86. Here, Plaintiffs seek recovery under the UCL for three types of economic injury: “Loss of Benefit of the Bargain,” “Out of Pocket Costs,” and “Imminent Risk of Further Costs.”
Moreover, more recent case law within the data breach context confirms that benefit of the bargain damages represent economic injury for purposes of the UCL. See In re Adobe Sys., Inc. Privacy Litig.,
Incidentally, the fact that Plaintiffs have sufficiently pleaded benefit of the bargain losses also establishes that
Defendants’ reliance on In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (“Sony I”),
Because Plaintiffs have established economic injury and restitution under the UCL by pleading benefit of the bargain losses, the Court need not address whether “Out of Pocket Costs” and “Imminent Risk of Further Costs” constitute economic injury under the UCL. The Court recognizes, however, that the case law on these questions is still developing. On the one hand, some district courts have held that such costs are not actionable under the UCL. See, e.g., Sony I,
Several other district courts, however, have found otherwise. See, e.g., Corona v. Sony Pictures Entm’t, Inc.,
Although Kwikset does contain language that appears to weigh in Plaintiffs’ favor, see, e.g.,
b. Causation
“Generally, to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.” Resnick v. AvMed, Inc.,
Here, the consolidated amended complaint sufficiently establishes a logical connection between the Anthem data breach and the harm suffered by Plaintiffs. Every Plaintiff was at one point enrolled in a health plan administered by a Defendant. See CAC ¶¶ 12-108. As a condition of this enrollment, each Plaintiff provided his or her PII to a Defendant, which was thereafter inputted into Anthem’s database. Defendants do not contest that each Plaintiff had his or her PII stolen as a result of the Anthem data breach. Finally, many Plaintiffs allege that third parties used Plaintiffs’ PII in the wake of the data breach. See, e.g., id. ¶ 21 (“[T]he Tharps received a confirmatory letter from the IRS informing them that someone may have attempted to impersonate them by using their names and Social Security numbers to file a 2014 federal tax return.”). These allegations—that each Plaintiff was enrolled in a health plan administered by a Defendant, that each Plaintiff had his or her PII stolen, and that specific aspects of Plaintiffs’ PII were used for illicit financial gain after the breach—establish the requisite logical and temporal connection necessary to demonstrate causation.
Defendants’ contentions to the contrary lack merit. Defendants argue that Plaintiffs “rel[y] ... on tenuous temporal relationships that fail to connect the cyberattack and the alleged injuries, rather than stating sufficient facts to show economic injury caused by the unfair business practice.” Anthem Mot. at 16 (internal quotation marks and alteration omitted). As the Court has pointed out, however, Plaintiffs do more than simply allege a temporal relationship between their economic injury and the data breach at issue. Rather, Plaintiffs state that (1) they were enrolled in a particular health plan administered by a Defendant, (2) that they provided their PII to Anthem, (3) that their PII was compromised as a result of the data breach, and (4) that their PII was used for illicit financial gain. Taken together, these allegations “plausibly link Plaintiffs’ purported injuries to the Anthem cyberattack.” Id. at 9.
On this particular point, the Court also observes that Defendants have argued that “[s]cores of other cyber intrusions and data thefts have compromised the personal information of tens of millions of individuals.” Id. at 9 n. 7. In support of this argument, Defendants point to recent data breaches at eBay, Target, Home Depot, Neiman Marcus, and various other enti
Second, and more importantly, under Defendants’ theory, a company affected by a data breach could simply contest causation by pointing to the fact that data breaches occur all the time, against various private and public entities. This would, in turn, create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable. No part of the UCL, the relevant authority addressing causation, or the specific facts of this case support such a legal theory.
As a final matter, Defendants focus on the allegations of Plaintiff Joseph Blanchard (“Blanchard”). Blanchard alleges that he “spent over 60 hours addressing credit fraud, monitoring his accounts, and addressing issues arising from the Anthem data breach.” CAC ¶ 22. However, according to Defendants, Blanchard never received notice that his PII had been “compromised in the Anthem cyberattack.” Non-Anthem Mot. at 11. “Rather, the CAC alleges that Plaintiff Blanchard’s wife — who is not a named Plaintiff — received notice that her [PII] may have been compromised.” Id.
As with Defendants’ other arguments concerning causation, the Court finds this argument unavailing. The consolidated amended complaint states that Blanchard “was enrolled in a Blue Cross Blue Shield of Texas health plan,” and that he provided his PII to Blue Cross Blue Shield of Texas as a condition of his enrollment. CAC ¶ 22. The consolidated amended complaint further states that Blanchard and his wife were enrolled in the same health plan. Thus, the only apparent difference between the two is that Blanchard’s wife received notice of the data breach, but Blanchard did not. This difference in circumstances, however, does not excuse the Non-Anthem Defendants from liability. Again, Plaintiffs allege that every individual enrolled in a health plan administered by an Anthem or Non-Anthem Defendant was affected by the data breach. Id. ¶¶ 1, 3. That means that Blanchard, after reviewing the notice sent to his wife, could have reasonably concluded that his PII had also been compromised.
Additional allegations in the consolidated amended complaint lend further support to Blanchard’s decision to take action. According to Blanchard, “[f]ollowing announcement of the Anthem breach, at least 10 credit cards or credit accounts were opened or attempted to be opened in Mr. Blanchard’s name and using his [PII].” Id. ¶ 22. Although Blanchard spent significant time contesting the new charges on his accounts, Blanchard’s credit score nonetheless dropped by approximately 130 points. These events suggest that Blanchard’s data was not only compromised, but also that Blanchard suffered significant financial harm as a result of the Anthem data breach.
To summarize, the Court finds that Plaintiffs have sufficiently demonstrated both a logical and temporal relationship necessary to establish causation. Defendants’ attempts to direct the Court to the facts (1) that many other data breaches occurred during the relevant time period and (2) that a named Plaintiff did not receive notice from an Anthem or Non-Anthem Defendant do not negate this finding. Thus, by demonstrating both causation and economic loss, Plaintiffs have suf
2. Unlawful
“The unlawful prong of the UCL prohibits anything that can properly be called a business practice and that at the same time is forbidden by law.” In re Adobe,
Plaintiffs allege that, with respect to the UCL’s unlawful prong, Defendants’ actions violated the Federal Trade Commission Act, HIPAA, the Gramm-Leach-Bliley Act, California’s Confidentiality of Medical Information Act, California’s unfair insurance practices statutes, California’s Insurance Information and Privacy Protection Act, and California’s data breach statute. CAC ¶ 366(b). In support of this contention, the consolidated amended complaint identifies specific provisions of HIPAA, id. ¶¶ 177-81, the Gramm-Leach-Bliley Act, id. ¶ 182, the Federal Trade Commission Act, id. ¶ 183, and California’s data breach statute, id. ¶ 366(b), that were allegedly violated. Such references directly rebut Defendants’ claim that the consolidated amended complaint “references ... statutes only generally, and does not specify how ... Defendants supposedly violated them.” Anthem Mot. at 17. Instead, a review of the complaint demonstrates that Plaintiffs’ allegations “identify the particular section of the statute that was violated,” and other allegations in the consolidated amended complaint “describe with reasonable particularity the facts supporting the violation.” Baba,
3. Unfair
“The ‘unfair’ prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law.” In re Adobe,
Some California appellate courts apply a balancing approach, which requires courts to “weigh the utility of the defendant’s conduct against the gravity of the harm to the alleged victim.” Davis v. HSBC Bank Nevada, N.A.,
In challenging whether Plaintiffs have sufficiently pleaded a UCL claim under the
None of the three tests for unfairness require plaintiffs to plead that defendants acted in an immoral, unethical, oppressive, or unscrupulous manner. With respect to the balancing test, for instance, the California Courts of Appeal have stated that “an unfair business practice occurs when it offends an established public policy or when the practice is immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers.” Bardin v. Daimlerchrysler Corp.,
In any event, the Court finds dismissal of Plaintiffs’ UCL claim under the unfair prong unwarranted. In In re Adobe, this Court observed that various California statutes — including several statutes upon which Plaintiffs rely here — reflect “California’s public policy of protecting customer data.” Id. at 1227 (internal quotation marks omitted). Based on the allegations in the consolidated amended complaint, Defendants’ actions violated this public policy. Whether Defendants’ public policy violation is outweighed by the utility of their conduct under the balancing test is a question to be resolved at a later stage in this litigation. Thus, based on the balancing test alone, the Court DENIES Defendants’ motion to dismiss Plaintiffs’ UCL claim under the unfair prong.
4. Fraudulent
“To state a claim under the ‘fraud’ prong of [the UCL], a plaintiff must allege facts showing that members of the public are likely to be deceived by the alleged fraudulent business practice.” Antman,
The gravamen of Plaintiffs’ fraud claim is that Defendants promised to carry out reasonable security measures, but ultimately failed to carry through with this promise. See generally CAC ¶¶ 2-6. At
However, Plaintiffs’ fraud claim suffers from one notable flaw: as with Plaintiffs’ breach of contract claims, Plaintiffs have not “include[d] an account of the time... of the false representations” at issue. Swartz,
Consistent with the Court’s reasoning with respect to Plaintiffs’ breach of contract claims, it is possible that Plaintiffs may amend the complaint to state with particularity the time that the specific misrepresentations occurred. Accordingly, the Court finds that Plaintiffs have not stated a fraud claim under the UCL, but that Plaintiffs may be able to do so after amendment. Thus, Plaintiffs’ fraud claim under the UCL is DISMISSED with leave to amend. Plaintiffs, however, have sufficiently established standing under the UCL and have sufficiently stated a UCL claim to survive dismissal under the unlawful and unfair prongs. Defendants’ motion to dismiss Plaintiffs’ UCL claim is therefore GRANTED in part and DENIED in part.
G. New York General Business Law § 349 (against Anthem and Non-Anthem Defendants)
New York General Business Law (“GBL”) § 349 prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service.” N.Y. Gen. Bus. § 349(a). To successfully assert a claim under this section, “a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice.” Orlander v. Staples, Inc.,
1. Consumer-Oriented Conduct
“To provide the basis for a Section 349 claim, a disputed private transaction must have ‘ramifications for the public at large,’ or be harmful to the general public interest.” M & T Mortg. Corp. v. White,
In interpreting this requirement, courts have found consumer-oriented conduct where banks operated a standard savings account policy for customers, Oswego,
Plaintiffs’ claims satisfy the GBL’s consumer-oriented requirement. The instant case does not involve a unique, single shot dispute over the nature or scope of an individual’s insurance coverage. Instead, Plaintiffs seek to bring a putative class action on behalf of approximately 80 million individuals who were affected by the Anthem data breach. The purpose of bringing this litigation as a putative class action is to ensure that consumers who might not have the resources to serve as named Plaintiffs can nonetheless recover for Defendants’ alleged misconduct. Moreover, Plaintiffs aver that the instant breach is but the latest in a series of data security incidents. Notably, Anthem’s database was also breached in 2009. In 2013, the Office of the Inspector General found Anthem’s information systems deficient in several respects. See CAC ¶¶ 193-98. Anthem’s continued non-compliance with data security practices would therefore not only affect the named Plaintiffs, but also “a broad group of individuals” — all 80 million individuals whose PII is stored on Anthem’s database. See Feldman,
2. Actual Harm
Parties seeking damages under the GBL must provide “proof that a material deceptive act or practice caused actual, although not necessarily pecuniary, harm.” Small v. Lorillard Tobacco Co., Inc.,
a. “Out of Pocket Costs” and “Imminent Risk of Further Costs”
As to “Out of Pocket Costs” and “Imminent Risk of Further Costs,” the Court
Several district courts within the Second Circuit have relied upon Shafran to find that “Out of Pocket Costs” and “Imminent Risk of Further Costs” do not represent injuries cognizable under GBL § 349. See, e.g., Hammond v. The Bank of New York Mellon Corp.,
Tellingly, Plaintiffs have not cited any cases interpreting GBL § 349 that have found to the contrary. Instead, Plaintiffs rely upon the First Circuit’s decision in Anderson v. Hannaford Bros. Co.,
b. “Loss of Value of PII”
As to the “Loss of Value of PII,” the Court observes that no New York state courts have yet ruled on this question. Nor has the Second Circuit or any federal district court in the Second Circuit provided guidance on whether such losses constitute cognizable injury under GBL § 349. Instead, Defendants rely entirely upon the Southern District of California’s decision in In re Sony Gaming Networks & Consumer Data Security Breach Litigation (“Sony II”),
The Court finds Sony II inapposite. First, Shafran, Hammond, and Willey did not address whether “Loss of Value of PII” represented a cognizable injury under GBL § 349. Instead, the Shafran, Hammond, and Willey courts examined whether “Out of Pocket Costs” and “Imminent Risk of Further Costs” represented a cognizable injury under GBL § 349. See, e.g., Shafran,
In addition, in Pisciotta — the only other decision cited by the Sony II court — plaintiffs did not bring a GBL § 349 claim. Instead, plaintiffs asserted an Indiana negligence claim, and the Pisciotta court examined whether plaintiffs could proceed under Indiana law with a “cause of action in tort against a database owner for failing to” adequately protect personal information. Anthem Mot. at 2. Given the fact that Pisciotta interpreted a different cause of action from a different state, the Court declines to rely upon Pisciotta to find that “Loss of Value of PII” is not a cognizable injury under GBL § 349.
To summarize, none of the cases cited in Sony II addressed whether “Loss of Value of PII” constitutes a cognizable injury under GBL § 349. Under such circumstances, the Court need not follow Sony II. Instead, the Court finds more persuasive a set of more recent decisions, all published after Sony II, where courts have recognized that “Loss of Value of PII” does represent a cognizable economic harm.
In In re Adobe, for instance, this Court rejected defendant’s argument that an “ ‘increased risk [of future harm]’ is not a cognizable injury for Article III standing purposes.”
Here, too, Plaintiffs allege that cyberattackers extracted Plaintiffs’ PII from the Anthem database over an extended time period, from December 2014 to January 2015. Plaintiffs further allege that these cyberattackers misused Plaintiffs’ personal information. A false tax return, for instance, was allegedly filed on behalf of New York Plaintiff Juan Carlos Cerro. CAC ¶ 87. Thus, under the reasoning set forth in In re Adobe, Plaintiffs’ “Loss of Value of PII” would represent a cognizable injury under Article III.
Likewise, in In re Facebook Privacy Litigation,
Most recently, in Svenson v. Google, Inc.,
The Court acknowledges that the In re Adobe, Corona, In re Facebook, and Svenson decisions are not perfectly analogous to the claim that is currently before the Court. Both In re Adobe and Corona, for instance, addressed the loss in value of an individual’s PII in the standing context, and both In re Facebook and Svenson addressed the loss in value of an individual’s PII in the context of a common law breach of contract claim. However, the consistent theme running through these decisions — all of which were, again, published after Sony II — is that “Loss of Value of PII” represents a cognizable form of economic injury. Absent any state law or Second Circuit precedent that holds to the contrary, the Court finds that it would be appropriate to apply this general principle to Plaintiffs’ GBL § 349 claim. Accordingly, the Court finds that “Loss of Value of PII” constitutes a cognizable injury under GBL § 349.
c. “Loss of Benefit of the Bargain”
Finally, the Court turns to consider harm in the form of “Loss of Benefit of the Bargain.” On this point, the case law tips in Plaintiffs’ favor. In Orlander v. Staples, Inc.,
In challenging this finding, Defendants rely upon an earlier Second Circuit decision, Spagnola v. Chubb Corp.,
In sum, although “Out of Pocket Costs” and “Fear of Imminent Further Costs” are not cognizable injuries under GBL § 349, “Loss of Value of PII” and “Loss of Benefit of the Bargain” are cognizable injuries under GBL § 349. Accordingly, Plaintiffs have sufficiently pleaded injury under GBL § 349.
3. Causation
Last, “[t]o properly allege causation, a plaintiff must state in his complaint that he has seen the misleading statements of which he complains before he came into possession of the products he purchased.” Goldemberg v. Johnson & Johnson Consumer Cos., Inc.,
As the Court has explained, Plaintiffs aver that Defendants made various representations that Plaintiffs’ PII would be protected. These representations came in the form of statements made on Defendants’ websites and statements made in Defendants’ privacy notices. The Court finds that Plaintiffs have sufficiently alleged causation under GBL § 349 based on GBL § 349’s pleading requirements and case law interpreting GBL § 349.
First, as the Court has pointed out, GBL § 349 is not subject to the more demanding pleading requirements of Federal Rule of Civil Procedure 9(b). Thus, the New York Court of Appeals has held that Plaintiffs bringing claims under GBL § 349 must simply raise a reasonable inference of causation rather than demonstrating reliance. See, e.g., Stutman v. Chem. Bank,
Several recent federal district court decisions from the Eastern and Southern Districts of New York help illustrate the difference between causation and reliance. In Dash v. Seagate Technology (U.S.) Holdings, Inc.,
Consistent with Dash, plaintiff in Goldemberg v. Johnson & Johnson “describe[d] in particular [detail] the allegedly misleading advertising and other statements.”
Finally, in Belfiore v. Procter & Gamble Co.,
In sum, after reviewing the allegations in the consolidated amended complaint, the different pleading requirements between GBL § 349 and Federal Rule of Civil Procedure 9(b), and case law addressing GBL § 349, the Court finds that Plaintiffs have sufficiently alleged causation for purposes of their GBL § 349 claim.
4. ERISA Preemption
As a final matter, the consolidated amended complaint includes four named New York Plaintiffs, all of whom assert a GBL § 349 claim on behalf of themselves and a putative statewide class. CAC ¶¶ 85-88. Defendants contend that New York Plaintiff Matthew Gates’ (“Gates”) GBL § 349 claim is preempted by ERISA. See Anthem Mot. at 22. Defendants, however, do not assert ERISA preemption against New York Plaintiffs Barbara Gold, Marne Onderdonk, and Juan Carlos Cerro. Thus, because Plaintiffs have demonstrated all of the required elements to plead a GBL § 349 claim, Plaintiffs’ GBL § 349 claim survives whether or not Gates’ claim is preempted. Defendants’ motion to dismiss Plaintiffs’ GBL § 349 claim is therefore DENIED.
Additionally, the Court denies without prejudice Defendants’ motion to dismiss Gates’ GBL § 349 claim as preempted by ERISA. As the Ninth Circuit has observed, “[t]here are two strands of ERISA preemption: (1) ‘express’ preemption under ERISA § 514(a), 29 U.S.C. § 1144(a); and (2) preemption due to a ‘conflict’ with ERISA’s exclusive remedial scheme set forth in [ERISA § 502(a),] 29 U.S.C. § 1132(a).” Fossen v. Blue Cross and Blue Shield of Mont., Inc.,
Under ERISA § 502(a), a civil enforcement action may be brought:
(1) by a participant or beneficiary— ... (B) to recover benefits due to him under the terms of his plan, to enforce his rights under the terms of the plan, or to clarify his rights to future benefits under the terms of the plan.
29 U.S.C. § 1132(a). Pursuant to this provision, a “state-law cause of action that duplicates, supplements, or supplants the ERISA civil enforcement remedy” is preempted because it “conflicts with the clear congressional intent to make the ERISA remedy exclusive.” Aetna Health Inc. v. Davila,
The primary points of disagreement between the parties are whether, for purposes of both conflict and express preemption, (1) Defendants’ promises to protect Plaintiffs’ PII represent a “benefit” under Plaintiffs’ health plans, as defined by ERISA, and (2) whether state laws that implicate Plaintiffs’ data security “relate to” or conflict with ERISA.
There is insufficient information at this time to make a determination on either question. As noted above, Plaintiffs have failed to produce a copy of their insurance contracts with Defendants and have failed to identify which contractual provisions Defendants allegedly breached. In addition, although Defendants have submitted a copy of Gates’ Summary Plan Description, see ECF No. 412-1, Plaintiffs contend that Gates’ contract and the Summary Plan Description are different documents. Anthem Opp’n at 25. Defendants’ obligations to protect Gates’ data, Plaintiffs argue, were memorialized in Gates’ contract, and “[t]here is no preemption when plaintiffs sue to enforce the terms of some contract other than the ERISA plan.” Id. As a final point, neither party has provided briefing on whether Congress necessarily intended for ERISA to preempt state consumer protection laws such as New York’s GBL § 349.
Given the disputed contentions made by the parties and the fact that the parties have not produced a copy of Gates’ contract, the Court can not decide whether Gates’ GBL § 349 claim is preempted by ERISA. In reaching this conclusion, the Court finds instructive statements made by U.S. Department of Labor (“DOL”) staff at the 2010 Joint Committee of Employee Benefits Technical Session, hosted by the American Bar Association. Specifically, DOL staff were asked the following:
In an era of enhanced privacy protections, some participants have complained that personally identifiable information (PII) releases have occurred under State privacy laws...
Does the DOL agree that State privacy laws regarding PII releases are not applicable to plan administration communications from authorized third party service providers?
Questions and Proposed Answers for the Department of Labor Staff for the 2010 Joint Committee of Employee Benefits
The Court’s decision to deny without prejudice is in line with DOL’s position. Without specific information on the contours of Gates’ health plan and the statutory purpose behind GBL § 349, the Court can not decide whether Gates’ GBL § 349 claim is subject to ERISA preemption. Accordingly, the Court DENIES without prejudice Defendants’ motion to dismiss Gates’ GBL § 349 claim as preempted by ERISA.
H. Kentucky Consumer Protection Act (against Anthem and Non-Anthem Defendants)
Plaintiffs allege that the Anthem and Non-Anthem Defendants “engaged in deceptive, unfair, and unlawful trade acts or practices in the conduct of trade or commerce,” in violation of the Kentucky Consumer Protection Act (“KCPA”), Ky. Rev. Stat. § 367.170, et seq. CAC ¶ 425. Defendants contend that Plaintiffs’ KCPA claim fails “because the Act cannot be used to bring a class action.” Anthem Mot. at 12. Moreover, Defendants assert that Plaintiffs do not have standing to bring a KCPA claim. Id. at 12-13.
With respect to the viability of class certification, the Court turns first to the Kentucky Circuit Court’s decision in Arnold v. Microsoft Corporation,
A number of federal courts — including several in the MDL context — have relied upon Arnold to find that plaintiffs can not bring a class action claim under the KCPA. In In re Pharmaceutical Industry Average Wholesale Price Litigation,
More recently, in In re Target, the District of Minnesota district court dismissed plaintiffs’ KCPA claim upon finding that “[t]he consumer-protection statutes in eight states — Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, and Tennessee — prohibit class-action treatment of claims under those statutes.”
Plaintiffs have not cited any case law that would compel a different conclusion. Instead, Plaintiffs argue only that the KCPA “does not contain an express class action ban,” and that some “courts have certified class actions under the KCPA, both before and after Arnold.” Anthem Opp’n at 12. In support of this latter point, Plaintiffs rely upon two Western District of Kentucky decisions: Brummett v. Skyline Corporation,
As Plaintiffs acknowledge, Brummett was decided sixteen years prior to Arnold. This fact alone renders Plaintiffs’ reliance on Brummett unavailing. As the Sixth Circuit, of which Kentucky is a part, has noted, “[t]he function of [a federal court] is to apply the law of the state which governs the suit, not to take a position regarding the advisability or fairness of the rule applied.” San Francisco Real Estate Inv’rs v. J.A. Jones Real Estate Constr. Co.,
In addition, the Brummett plaintiffs sought class certification on a number of different claims. See Brummett,
Plaintiffs’ reliance on Clark v. BellSouth Telecommunications is likewise unavailing. As in Brummett, plaintiffs in Clark asserted a number of claims under state and federal law. With respect to plaintiffs’ KCPA claim, the Clark court found the parties’ briefing incomplete.
Outside of Brummett and Clark, Plaintiffs have not identified any cases where courts have allowed parties to proceed with a class action claim under the KCPA. The Court has found none in its own research. Instead, Arnold remains the most pertinent state authority on this issue, and several courts have relied upon Arnold to hold that parties can not, as a matter of law, bring a KCPA claim as a class action. See In re Pharm.,
Furthermore, in the absence of any authority for the position that a KCPA claim may be brought as a class action, the Court finds that leave to amend would be futile, and thus denies Plaintiffs leave to amend. See Bonin,
I. Kentucky Data Breach Act (against Anthem Defendants)
In opposing the instant motions to dismiss, Plaintiffs have moved to withdraw their cause of action against the Anthem Defendants for violation of Kentucky’s Data Breach Act. Anthem Opp’n at 11 n.13. Accordingly, the Anthem Defendants’ motion to dismiss Plaintiffs’ Kentucky data breach claim is GRANTED, and Plaintiffs’
J. Georgia Insurance Information and Privacy Protection Act (against Anthem Defendants)
The Georgia Insurance Information and Privacy Protection Act (“IIPA”) states that “[a]n insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure” falls under a list of specifically enumerated exceptions. Ga. Code. Ann. § 33-39-14 (emphasis added). In the consolidated amended complaint, Plaintiffs allege that “Defendants Anthem and Anthem Affiliates disclosed individually-identifiable [PII] regarding members of the Georgia Class that was collected or received in connection with an insurance transaction without their authorization, in violation of” the IIPA. CAC ¶ 801.
In response, the Anthem Defendants contend that Plaintiffs’ PII was never “disclosed.” See, e.g., Anthem Reply at 12. Rather, Plaintiffs’ PII was “stole[n]” by “a third-party cyberattacker.” Id. The IIPA, the Anthem Defendants argue, protects only against disclosure, and not against theft. In addition, the Anthem Defendants contend that Plaintiffs have failed to allege any actual damages. See id. at 13.
As to the scope of the IIPA’s disclosure requirement, the Court notes that neither party has identified a case — state or federal — interpreting Ga. Code. Ann. § 33-39-14. The Court has found none in its own research. Thus, this action presents an issue of first impression: whether the IIPA, which proscribes the unlawful disclosure of personal information, also applies to the theft of one’s personal information.
In interpreting the IIPA, the Court must examine statutory rules of construction as applied by courts in Georgia. See In re Korean Air,
1. Statutory Text
As an initial point, the Court observes that the Georgia Code does not define the term “disclose” or “disclosure” in the IIPA. See Ga. Code. Ann. § 33-39-3 (providing list of definitions). Where a statute does not define a key term, the Court must “look to the ordinary meaning of that word.” Jackson v. State,
Black’s Law Dictionary defines “disclosure” as “[t]he act or process of making known something that was previously un
An analysis of the structure of the IIPA lends further support to this conclusion. As noted above, the IIPA states that “[a]n insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information ... unless the disclosure” falls under a set of 18 exceptions. These exceptions allow the insurance institution, agent, or insurance-support organization to disclose an individual’s personal information “[t]o a medical-care institution or medical professional,” Ga. Code Ann. § 33-39-14(4), “[t]o an insurance regulatory authority,” Ga. Code Ann. § 33-39-14(5), and “[t]o a law enforcement or other governmental authority,” Ga. Code Ann. § 33-39-14(6), among other entities. Indeed, for each of these 18 exceptions, the insurance institution, agent, or insurance-support organization must affirmatively provide an individual’s personal information to a third party. Thus, under the dictionary definition of “disclosure” and under the structure of the IIPA, it is unlikely that the Georgia Legislature intended for “disclosure” to encompass instances of third party cyberhacking and data breach.
2. Additional Considerations
In addition to the IIPA’s text and structure, several other considerations lend support to this more narrow reading of the IIPA’s scope. Indeed, in predicting how the Georgia Supreme Court would rule on this issue, the Court believes that the Georgia Supreme Court would review how the terms “disclose” or “disclosure” have been defined in other statutes and how these terms have been interpreted by other courts.
On this particular point, the Federal Privacy Act defines “disclosure” to “mean[ ] providing personal review of a record, or a copy thereof, to someone other than the data subject or the data subject’s authorized representative.” 5 C.F.R. § 297.102. Courts have restricted this definition to situations where information holders have willfully provided data to an unauthorized third party. In Walia v. Chertoff,
The district court granted Nationwide’s motion to dismiss. In reaching this decision, the district court observed that the common law tort of invasion of privacy requires publicity of a private fact. Publicity, in turn, “means that [a] matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Id. Plaintiffs had failed to satisfy this publicity requirement because “there is no allegation in the Complaint that [Nationwide] disclosed Named Plaintiffs’ private affairs.” Id. at 662 (emphasis added). Moreover, “[t]here are no factual allegations in the Complaint to make plausible the allegation that [Nationwide] disseminated Named Plaintiffs’ PII.” Id. Rather, “the Complaint alleges the PII was stolen from [Nationwide], not that [Nationwide] disseminated it to anyone.” Id. In sum, when presented with a substantially similar set of facts, the Galaria court clearly understood “disclosure” as requiring a party to commit some voluntary, affirmative act. The Galaria court, moreover, drew a distinction between when information is “disclosed” and when information is “stolen.” Thus, although the questions presented in Galaria were somewhat different than the questions presented in the instant case, this Court nevertheless finds the Galaria court’s understanding of “disclosure” informative.
The D.C. District Court’s decision in In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation,
In opposing the Anthem Defendants’ motion to dismiss, Plaintiffs rely upon a statement in Shames-Yeakel v. Citizens Financial Bank,
First, as discussed above, private plaintiffs can not, under Pisciotta, bring a cause of action in Indiana for negligence for injuries arising out of a data breach. The Northern District of Illinois’ decision in Shames-Yeakel is therefore, at the very least, in tension with the Seventh Circuit’s decision in Pisciotta. Tellingly, in discussing the negligence claim in Shames-Yeakel, the district court did not refer to Pisciotta. The district court also acknowledged that “this court could not find an Indiana case addressing the matter” of whether a bank has a “duty to sufficiently secure its online banking system.” Id. Thus, by allowing plaintiffs in Shames-Yeakel to move forward with their Indiana negligence claim, the Shames-Yeakel court appeared to overlook both the specific and general precedent of its circuit court of appeals, the Seventh Circuit, that federal courts, sitting in diversity, should refrain from creating new causes of action under state law. See, e.g., Pisciotta,
Second, with respect to the specific statement quoted by Plaintiffs — that a bank’s duty not to disclose must include a duty to protect customers’ personal information — the Shames-Yeakel court did not discuss, refer to, or cite any supporting authority. In the nearly six and a half years since the Shames-Yeakel decision, no federal or state court has cited Shames-Yeakel for this proposition. In light of these circumstances, and in light of the fact that Shames-Yeakel appears to be in tension with prevailing Seventh Circuit precedent, the Court finds Plaintiffs’ reliance on Shames-Yeakel not well taken.
To conclude, Plaintiffs have failed to persuade the Court that a broader construction of the IIPA is warranted. Under the facts alleged in the consolidated amended complaint, the Anthem Defendants did not “disclose” Plaintiffs’ data, as required under the IIPA. Pursuant to the Court’s finding, the Court need not address the Anthem Defendants’ arguments regarding whether Plaintiffs have sufficiently alleged damages for purposes of the IIPA. The Anthem Defendants’ motion to dismiss Plaintiffs’ IIPA claim is GRANTED.
Plaintiffs, however, shall have leave to amend because the Court finds that amendment would not be futile. Plaintiffs may be able to allege facts to demonstrate that the Anthem Defendants disclosed Plaintiffs’ PII to a third party. See Lopez,
K. Federal Law Third Party Beneficiary (against Non-Anthem Defendants)
Finally, Plaintiffs assert a third party beneficiary claim for breach of contract
The Non-Anthem Defendants contend that Plaintiffs’ third party beneficiary claim fails because OPM is the only party that can seek relief under the Federal BCBSA contract. Plaintiffs can not, in other words, pursue a private cause of action against BCBSA. The Non-Anthem Defendants also argue that “the Federal Employee Plaintiffs’ state law claims are preempted.” Non-Anthem Mot. at 19.
Given that adjudication of the instant claim involves a nuanced understanding of federal law, administrative regulations, and various rules governing contract interpretation, the Court first provides an overview of the background and statutory framework behind the Federal BCBSA contract. The Court shall then address the Non-Anthem Defendants’ arguments in turn.
1. Background
The Federal Employee Health Benefits Act (“FEHBA”), enacted in 1959, “established a comprehensive program to provide federal employees and retirees with subsidized health care benefits.” Hayes v. Prudential Ins. Co. of Am.,
“Among the plans offered to federal employees is the Blue Cross Blue Shield Service Benefit Plan,” which is governed by the Federal BCBSA contract (known internally as 2013 Contract No. CS 1039). CAC ¶ 172.
The framework under which the Federal BCBSA contract operates is notable in three important respects. First, Plaintiffs assert, and the Non-Anthem Defendants do not dispute, that the Federal Employee Plaintiffs are intended third party beneficiaries of the Federal BCBSA contract. See CAC ¶ 339; Non-Anthem Mot. at 14; Non-Anthem Opp’n at 14; see also Catholic Diocese of Biloxi Supplemental Med. Reimbursement Plan and Catholic Diocese of Biloxi v. Blue Cross, Blue Shield of Tex.,
Second, the Federal BCBSA contract and various administrative regulations vest OPM with general management authority over the contract. As discussed, individuals filing health benefits claims must, prior to going to federal court, present their claims in an administrative proceeding before OPM. Outside of handling such health benefits claims, OPM “shall” also “notify [BCBSA] of [various] deficiencies” which relate to BCBSA’s “financial resources, facilities, providers, staff and other necessary resources to meet [BCBSA’s] obligations under this contract.” Fed. BCBSA Contract § 1.12(a). Relatedly, BCBSA must “notify” OPM “of any Significant Event within ten (10) working days after [BCBSA] becomes aware of it.” Id. § 1.10; see also id. (providing list of Significant Events). If BCBSA does not address a Significant Event in a satisfactory manner, OPM may suspend new enrollments, advise enrollees of the asserted deficiencies and provide enrollees an opportunity to transfer to another plan, withhold payment, and refuse to renew the contract. Id. On a more general level, federal law provides that OPM “may prescribe reasonable minimum standards for health benefits plans,” 5 U.S.C. § 8902(e), and “may prescribe regulations necessary to carry out” FEHBA, 5 U.S.C. § 8913(a).
Third, and finally, the Federal BCBSA contract includes several provisions that address data privacy. Section 1.30(a) states that BCBSA must “at a minimum, comply with equivalent privacy and security policies as are required of a ‘covered entity’ under the HIPAA Privacy and Security regulations.” Id. § 1.30(a). The Federal BCBSA contract was specifically amended in 2014 so that BCBSA could be required to go beyond compliance with the minimum privacy standards required under federal law. Section 1.30(d), for instance, now states that an OPM representative “may recommend that the Carrier adopt a
2. Enforcement of Federal BCBSA Contract
a. “Health Benefits Claim”
The Non-Anthem Defendants first contend that Plaintiffs’ third party beneficiary claims constitute health benefits claims. Thus, pursuant to the Federal BCBSA contract, Plaintiffs must exhaust the administrative apparatus described above before bringing their claims into federal court. The Court finds this contention unavailing.
The administrative apparatus to which Non-Anthem Defendants refer applies to “health benefits claims.” Federal regulations define “claim” to mean a “request for (i) payment of a health-related bill; or (ii) provision of a health-related service or supply.” 5 C.F.R. § 890.101. The Federal BCBSA contract, in turn, defines “[b]enefits” as “[c]overed services or payment for covered services set forth in [the Statement of Benefits], to which Members are entitled to the extent provided by this contract.” Fed. BCBSA Contract § 1.1. The Statement of Benefits accompanying the Federal BCBSA contract does not define “benefit.” See 2015 Statement of Benefits at 145 (providing list of definitions). However, the Statement of Benefits does list the following as “Benefits”: “Preventative care,” “Allergy care,” and “Prescription drug benefits.” Id. at 32. In short, “benefits” — at least as understood in the context of the Federal BCBSA contract and the Statement of Benefits — appears to refer only to the provision of medical-related coverage. Tellingly, neither patient privacy nor data security is listed as a “benefit” in the Statement of Benefits. Indeed, there is but one reference to patient privacy in the Statement of Benefits, confined to a single sentence in the 160 page document: “We [BCBSA] will keep your medical and claims information confidential.” Id. at 14. There is, in sum, little to suggest that “health benefits claims” were meant to encompass claims regarding data privacy.
In further support of this conclusion, the Court observes that, in Roach v. Mail Handlers Benefits Plan, the Ninth Circuit construed “benefits” under FEHBA narrowly. Specifically, the Ninth Circuit noted that, in interpreting the scope of FEHBA, several “courts have created a divide between claims based on a denial of benefits, which are preempted, and claims based on medical malpractice, which are not.” Roach,
To summarize, the Federal BCBSA contract, the Statement of Benefits, and Ninth Circuit precedent all counsel in favor of finding that Plaintiffs here have not asserted a claim that should have first gone through an established administrative review apparatus.
The Non-Anthem Defendants have not cited any authority to support their arguments to the contrary. Instead, the Non-Anthem Defendants point to the allegations in the consolidated amended complaint, which state that “[a]s a result of BCBSA, Anthem BCBS Affiliates, and non-Anthem BCBS’s failure to implement the security measures required by the Federal BCBSA contract, OPM did not receive the full benefit of its bargain.” CAC ¶ 340 (emphasis added). This argument lacks merit. In seeking benefit of the bargain damages, Plaintiffs state that they received “services that were less valuable than what OPM bargained for.” Id. This understanding of “benefit” differs significantly from the term of art referenced in FEHBA and employed in the Federal BCBSA contract. Accordingly, the Court finds that Plaintiffs’ third party beneficiary claim is not a “health benefits claim.”
b. Exclusive Enforcement Authority
In the alternative, the Non-Anthem Defendants argue that even “[i]f the Federal Employee Plaintiffs are suing for something other than benefits, their claims are no less barred because FEHBA’s scheme gives OPM exclusive authority over all aspects of the contractual relationship, not just over benefits.” Non-Anthem Mot. at 17. The gist of this contention is that “FEHBA leaves no room for” Plaintiffs to seek a remedy as a third party beneficiary. Bridges v. Blue Cross and Blue Shield Ass’n,
The Court disagrees with this argument. As an initial matter, the Court notes that, “[w]hen interpreting contracts under federal law, courts look to general common law on contracts.” Interface Banner, LLC v. JPMorgan Chase Bank, N.A.,
Assuming that Plaintiffs are intended third party beneficiaries of the Federal BCBSA contract, it is — as a gen
The Restatement of Contracts is in accord with this conclusion. Section 145, which addresses “Beneficiaries Under Promises to the United States,” states that:
A promisor bound to the United States ... by contract to ... render a service to some or all of the members of the public, is subject to no duty under the contract to such members to give compensation for the injurious consequences of performing or attempting to perform it, or of failing to do so, unless, ... an intention is manifested in the contract, as interpreted in the light of the circumstances surrounding its formation.
Restatement (First) of Contracts § 145 (emphasis added). In other words, under the Restatement, promisors such as BCBSA have duties to the Federal Employee Plaintiffs because these Plaintiffs are intended third party beneficiaries.
In addition, the U.S. Supreme Court’s decision in Astra USA, Inc. v. Santa Clara County, California,
On the other hand, as the Court has noted, the Federal BCBSA contract here was specifically amended in 2014 such that BCBSA could be held to privacy standards above and beyond the standards required under federal law. See 2014 Amendments § 1.3(d). In addition, in direct contrast to the contract in Astra, where the agreement contained “no negotiable terms,” the 2014 Amendments include three full paragraphs that allow BCBSA to negotiate with OPM over which best practices BCBSA should implement. See id. § 1.3(d)(2) (“In a written response to such a recommendation, [BCBSA] shall (i) agree to adopt the recommendation, (ii) explain that it is already in compliance with the recommendation, or (iii) explain why maintaining its current practice... is equally, if not more, appropriate for its business purposes than the recommended best practice.”). As a final point, the consolidated amended complaint alleges that BCBSA breached the contract by failing to comply with various laws, regulations, and — most importantly — “industry standards for data security.” CAC ¶ 335. Thus, Plaintiffs’ claim clearly reaches beyond the mere statutory violations that were at issue in Astra.
The Non-Anthem Defendants, however, contend that the Federal BCBSA contract does not comport with these general contract law principles. Rather, the Non-Anthem Defendants contend that the Federal BCBSA contract is unique because it is governed by FEHBA, which gives exclusive enforcement authority to OPM. In support of this contention, the Non-Anthem Defendants point to both the structure of the Federal BCBSA contract and case law interpreting FEHBA.
The Court is not persuaded by either of these points. With respect to the structure of the Federal BCBSA contract, the Court has already noted that the Federal BCBSA contract provides an extensive administrative review process for “health benefits claims,” but that Plaintiffs’ claims are not “health benefits claims.” The Court also observes that, under § 1.10 of the Federal BCBSA contract, BCBSA must notify OPM within ten days if BCBSA becomes aware of the occurrence of a “Significant Event.” Fed. BCBSA Contract § 1.10(a). BCBSA and OPM must then work together to address the Significant Event. Id. § 1.10(b). The Federal BCBSA contract provides a list of 13 Significant Events. None of these Significant Events mention or relate to data security. Thus, under a plausible reading of this section, BCBSA might not even have been required to notify OPM of the Anthem data breach, and OPM would not necessarily have needed to take corrective action.
Taken together, the extensive administrative review process and the “Significant Event” provisions appear to delineate some of the contours of OPM’s authority. On a conceptual level, it might be helpful to consider OPM, the BCBSA, and Plaintiffs as being three separate but related actors. Here, OPM contracts with BCBSA, and Plaintiffs serve as an intended third party beneficiary. The instant contract, however, is unique in two ways. First, if Plaintiffs have a health benefits claim, Plaintiffs must go to OPM first. Second, if BCBSA experiences a Significant Event, such as the “[d]isposal of major assets” or a loss of more than 15% of its membership, id. § 1.10(b)(1) & § 1.10(b)(2), then BCBSA must go to OPM. The contract is silent as to all remaining matters, including matters of data security. Given this contractual structure, the Court finds that it would be equally (if not more) plausible to find that general contract law principles govern matters where the Federal BCBSA contract is silent, rather than the Non-Anthem Defendants’ exclusive enforcement theory.
The Court also finds unavailing the Non-Anthem Defendants’ reliance on Miscellaneous Service Workers v. Philco-Ford Corp.,
Bridges appears to be more on point. In Bridges, plaintiffs “allege[d] that BCBSA’s licensee entities, with BCBSA’s knowledge and approval, secretly negotiated discounts on the cost of services of member facilities and physicians, and then failed to apply
The Court finds Bridges distinguishable for three reasons. First, the Bridges court did not rely only on an “exclusive enforcement” theory. Instead, the district court determined that plaintiffs had also failed to sufficiently allege a RICO violation as a substantive matter.
Second, the Court believes the RICO claim in Bridges is at least somewhat analogous to a “health benefits claim.” Indeed, the only way that plaintiffs in Bridges could have been overcharged for a coinsurance payment is if plaintiffs actually decided to exercise their health benefits. In the Statement of Benefits, for instance, the “Benefits Description” section provides a statement of what benefits are covered, followed by a discussion of the coinsurance payment that the insured must incur in exchange for a particular benefit. See, e.g., 2014 Statement of Benefits at 37-118. On the other hand, the Statement of Benefits includes but a single sentence on data privacy, and a class member’s data privacy could have been compromised even if that class member did not decide to exercise any health benefits.
Similarly, under the “Disputed Claims Process” section of the Statement of Benefits, an insured can readily dispute a coinsurance payment by including “copies of documents that support your claim, such as... bills... and explanation of benefits (EOB) forms.” Id. at 130. There is no clear parallel provision for recovery for a personal data breach.
Third, and finally, it is not clear that the Court should follow Bridges. Bridges was decided by the D.C. District Court in 1996. Since that time, more recent federal court precedent has appeared to take a more narrow understanding of OPM’s enforcement authority. As this Court has noted, for instance, the Ninth Circuit allowed plaintiff in Roach, who was covered by a FEHBA plan, to proceed with a state medical malpractice claim against her health insurance carrier after finding that such a claim fell outside of OPM’s purview.
To conclude, neither the structure of the Federal BCBSA contract nor the case law cited by the Non-Anthem Defendants compels the Court to find, as a matter of law, that OPM has exclusive enforcement authority over the Anthem data breach as it applies to the Federal Employee Plaintiffs. Instead, under general principles of con
3. Preemption of State Law Claims
In addition to arguments concerning OPM’s enforcement of the Federal BCBSA contract, the Non-Anthem Defendants contend that the Federal Employee Plaintiffs’ state law claims are preempted. This contention applies to two Plaintiffs in particular: Stella Williams (“Williams”), a resident of Indiana, and Alvin Lawson (“Lawson”), a resident of California.
The Court need not address whether Williams’ Indiana state law claims are preempted. Only one of the ten causes of action selected by the parties is based on Indiana law — the Indiana negligence claim. As the Court has already determined, Plaintiffs can not proceed with this claim as a matter of law.
With respect to Lawson, two of the ten causes of action selected by the parties are based on California law — the California breach of contract claim and the California UCL claim. The Court finds Lawson’s California breach of contract claim preempted, for two reasons. First, Plaintiffs do not contest that this claim is preempted. See, e.g., Non-Anthem Opp’n at 15 (contesting Lawson’s California UCL claim and Williams’ Indiana negligence claim, but making no mention of Lawson’s California breach of contract claim). Second, the Federal BCBSA contract expressly provides that “United States law will apply to resolve any claim of breach of this contract.” Fed. BCBSA Contract § 5.62; CAC ¶ 332 (“Under the ... Federal BCBSA Contract, federal law applies to breach of contract claims.”).
On the other hand, whether or not Lawson’s UCL claim is preempted is a more difficult question. The U.S. Supreme Court “has identified three types of preemption: express preemption, field preemption, and implied conflict preemption.” Deweese v. Nat’l R.R. Passenger Corp. (Amtrak),
On the issue of express preemption, FEHBA contains the following express preemption provision:
The terms of any contract under this chapter which relate to the nature, provision, or extent of coverage or benefits (including payments with respect to benefits) shall supersede and preempt any State or local law, or any regulation issued thereunder, which relates to health insurance or plans.
5 U.S.C. § 8902(m)(1) (emphasis added). Because this preemption provision mirrors ERISA’s express preemption provision, see ERISA § 514, 29 U.S.C. § 1144(a), the Ninth Circuit has referred to U.S. Supreme Court decisions interpreting ERISA’s “relate to” requirement in examining cases brought under FEHBA. Botsford v. Blue Cross and Blue Shield of Mont., Inc.,
With this principle in mind, the Ninth Circuit has “held that FEHBA preempts disputes over a “ ‘denial of benefits’ and ‘the nature or extent of coverage for benefits.’ ” Botsford,
In like manner, the Tenth Circuit recently observed that a number of federal courts have concluded that “FEHBA preempts state laws limiting subrogation and reimbursement.” Helfrich,
In contrast, as noted above, the Ninth Circuit has determined that state medical malpractice claims are not necessarily preempted by FEHBA. Roach,
After carefully reviewing these decisions, the Court concludes that Lawson’s UCL claim does not represent a claim for benefits. The understanding of “benefits,” as elucidated in Roach, Helfrich, and Botsford, is that benefits pertain to an individual’s medical coverage and payments related to such medical coverage. Benefits do not, however, pertain to claims related to data privacy. Accordingly, the Court finds that Lawson’s UCL claim is not expressly preempted under
b. Conflict Preemption
Turning to the issue of conflict preemption, the Court notes that conflict preemption applies when compliance with federal and state law is physically impossible (hereinafter referred to as “impossibility preemption”) or where the state law is an obstacle to the purposes and objectives of the federal law (hereinafter referred to as “obstacle preemption”). “Courts will find impossibility preemption where it is impossible for a private party to comply with both state and federal requirements.” Fulgenzi v. PLIVA, Inc.,
Lawson’s UCL claim is also not subject to obstacle preemption. The Non-Anthem Defendants’ primary argument in this regard is that “the state law claims interfere with OPM’s exclusive authority to police FEHBA carriers.” Non-Anthem Reply at 9. According to the Non-Anthem Defendants, the Federal BCBSA contract implicates uniquely federal interests, which thus preempts parties from asserting state law claims. Id. at 10. These arguments largely repeat the Non-Anthem Defendants’ contentions concerning Plaintiffs’ third party beneficiary claims. As with those claims, the Court finds that OPM’s exclusive authority does not apply to claims over an individual’s data privacy.
A review of the Congressional purpose behind FEHBA lends additional support to this finding. A report from the House of Representatives, for instance, “expressed fear that the imposition of state-law requirements on FEHBA contracts would result in... a lack of uniformity of benefits for enrollees in the same plan.” Helfrich,
In sum, the Court need not address whether Williams’ Indiana negligence claim is preempted because Plaintiffs can not proceed with this claim as a matter of law. In addition, the Court finds that, as Plaintiffs concede, Lawson’s California breach of contract claim is preempted. Lawson’s California breach of contract claim is therefore DISMISSED with prejudice. Finally, the Court finds that Lawson’s UCL claim is not preempted. Therefore, the Non-Anthem Defendants’ motion to dismiss Lawson’s UCL claim is DENIED.
IV. CONCLUSION
To conclude:
1. The Court GRANTS with leave to amend the Non-Anthem Defendants’ motion to dismiss Blue Cross and Blue Shield of Alabama; Blue Cross and Blue Shield of Arizona, Inc.; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Highmark West Virginia, Inc.; BlueCross BlueShield of Tennessee, Inc.; Blue Cross and Blue Shield of Vermont; and Blue Cross and Blue Shield of Illinois, with respect to the selected claims at issue in the instant motions to dismiss.
2. The Court GRANTS with leave to amend the Non-Anthem Defendants’ motion to dismiss Blue Cross and Blue Shield of Arizona, Inc.; BlueCross BlueShield of Tennessee, Inc.; and Highmark West Virginia, Inc. from this action in its entirety.
3. The Court GRANTS with leave to amend the Non-Anthem Defendants’ motion to dismiss all Non-Anthem Defendants against whom no specific factual allegations were made with respect to Plaintiffs’ New Jersey breach of contract, New York unjust enrichment, New York General Business Law § 349, and California Unfair Competition Law claims.
4. The Court GRANTS with leave to amend Defendants’ motions to dismiss Plaintiffs’ California breach of contract, New Jersey breach of contract, New York unjust enrichment, and Georgia Information and Privacy Protection Act claims. In addition, the Court GRANTS with leave to amend Defendants’ motion to dismiss Plaintiffs’ fraud claim under California’s Unfair Competition Law.
5. The Court GRANTS with prejudice Defendants’ motions to dismiss Plaintiffs’ Indiana negligence, Kentucky Consumer Protection Act, Kentucky Data Breach Act, and Plaintiff Lawson’s California breach of contract claim.
6. The Anthem and Non-Anthem Defendants’ motions to dismiss are otherwise DENIED.
Should Plaintiffs elect to file an amended complaint curing the deficiencies identified herein, Plaintiffs shall do so within 30 days of the date of this Order. Failure to meet the 30 day deadline to file an amended complaint or failure to cure the deficiencies identified in this Order will result in a dismissal with prejudice. Plaintiffs may not add new causes of actions or parties without leave of the Court or stipulation of the parties pursuant to Federal Rule of Civil Procedure 15.
IT IS SO ORDERED.
Notes
. All named Plaintiffs are identified in paragraphs 12 through 108 of the Consolidated Amended Complaint. See ECF No. 334-6 (“CAC”) ¶¶ 12-108.
. The Anthem affiliates are: Blue Cross and Blue Shield of Georgia; Blue Cross Blue Shield Healthcare Plan of Georgia; Anthem Blue Cross and Blue Shield of Indiana; Anthem Blue Cross of California; Anthem Blue
. The non-Anthem BCBS Companies are: Blue Cross and Blue Shield of Alabama; Blue Cross Blue Shield of Arizona; Arkansas Blue Cross and Blue Shield; Blue Shield of California; Blue Cross and Blue Shield of Illinois; Blue Cross and Blue Shield of Florida; CareFirst BlueCross BlueShield; Blue Cross and Blue Shield of Massachusetts; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of Minnesota; Horizon Blue Cross and Blue Shield of New Jersey; Blue Cross and Blue Shield of North Carolina; Highmark Blue Shield; Highmark Blue Cross Blue Shield West Virginia; BlueCross BlueShield of Tennessee; Blue Cross and Blue Shield of Texas; and Blue Cross and Blue Shield of Vermont.
. As of February 14, 2016, after remand or dismissal of 9 cases, this MDL is comprised of 114 active individual cases. ECF No. 451-1 at 4. An additional case is pending conditional transfer to this MDL.
. These ten Non-Anthem Defendants are: Blue Cross and Blue Shield of Alabama; Blue Cross and Blue Shield of Arizona, Inc.; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Highmark West Virginia, Inc.; BlueCross BlueShield of Tennessee, Inc.; Blue Cross and Blue Shield of Vermont; and Blue Cross and Blue Shield of Illinois. Non-Anthem Mot. at 1.
. In the same vein, Plaintiffs must specifically and accurately identify the health plan of each named Plaintiff. For example, although the consolidated amended complaint alleges that California Plaintiff Michael Bronzo was enrolled in a “Blue Cross Blue Shield of California health plan,” Non-Anthem Defendants allege that no such entity exists. Non-Anthem Mot. at 10 n.2.
. The Anthem Defendants also allege that three California Plaintiffs (Joseph Blanchard, Lillian Brisko, and Alvin Lawson) do not have a contractual relationship with an Anthem Defendant. Anthem Mot. at 4. Plaintiffs concede this point, and acknowledge that these three Plaintiffs "do not bring [California] breach of contract claims against [the] Anthem Affiliates with whom they had no relationship.” Anthem Opp'n at 6-7 n.6.
. The consolidated amended complaint also alleges economic injury in the form of the “Loss of Value of PII.” Plaintiffs, however, concede “that the loss of Value of PII” does not “constitute[ ] economic injury for purposes of the UCL.” Anthem Opp’n at 14 n.16.
. Plaintiffs did not seek recovery for this form of injury with respect to their UCL claim.
. Plaintiffs refer to Contract No. CS 1039 in the consolidated amended complaint, and the Non-Anthem Defendants have submitted a copy of this contract, the 2014 and 2015 amendments to the contract, and the contract’s 2014 and 2015 Statement of Benefits. See ECF No. 416-1 (“Fed. BCBSA Contract”); ECF No. 416-2 (“2014 Amendments”); ECF No. 416-3 (“2015 Amendments”); ECF No. 416-4 (“2014 Statement of Benefits”); ECF No. 416-5 (“2015 Statement of Benefits”). Unlike the Summary Plan Descriptions described above, Plaintiffs do not dispute that these documents are true and accurate copies of their contract with BCBSA and the accompanying statement of benefits. Non-Anthem Opp’n at 13 n.9. Accordingly, the Court takes judicial notice of these documents. See Warren v. Fox Family Worldwide, Inc.,
. The Federal BCBSA contract defines "Act” to mean "FEHBA.” Fed. BCBSA Contract § 1.1.
. The remaining Federal Employee Plaintiffs are residents of Connecticut and Nevada. The instant motions to dismiss do not address claims brought under Connecticut and Nevada law. Non-Anthem Opp’n at 15 n.10; Non-Anthem Mot. at 19.
. The Non-Anthem Defendants also assert that "the Federal Employee Plaintiffs' state law claims are displaced by federal common law.” Non-Anthem Reply at 9. Consistent with the approach taken by other federal courts, the Court addresses this displacement theory in its conflict preemption discussion. See Helfrich v. Blue Cross and Blue Shield Ass’n,
