Opinion
Case No. 13-cv-00341-JST
02-23-2015
JOHN FALKENBERG, et al., Plaintiffs, v. ALERE HOME MONITORING, INC., Defendant.
ORDER 1) GRANTING IN PART AND DENYING IN PART ALERE'S MOTION TO DISMISS; 2) DENYING ALERE'S MOTION TO STRIKE
Re: ECF Nos. 48, 50
Defendant Alere Home Monitoring, Inc. ("Alere") moves to dismiss Plaintiffs John Falkenberg and Steven Ingargiola's ("Plaintiffs") first amended class action complaint for violations of the California Confidentiality of Medical Information Act ("CMIA") and the Fair Credit Reporting Act ("FCRA"). ECF No. 48. Alere has also moved to strike portions of the complaint. ECF No. 50.
I. BACKGROUND
A. Factual Background
Alere, a medical monitoring company, assists physicians and insurance companies in tracking the medical care delivered to patients, including Plaintiffs, who require significant home-monitoring. First Amended Class Action Complaint ("FAC"), ECF No. 47, at ¶¶ 2, 11-12. As a result, Alere collected and stored Plaintiffs' confidential personal and medical information. Id. at ¶ 4. This information included Plaintiffs' names, addresses, dates of birth, Social Security numbers, and medical diagnosis codes ("confidential information"). Id.
One of Alere's services is "Home INR Monitoring ("INR")." Id. at ¶ 77. To provide INR, Alere acts as a liaison between potential clients and their insurance providers. Id. at ¶ 81. Specifically, a potential client completes Alere's application, which includes the client's personal confidential information, and Alere submits this application to the client's insurance provider along with product and service descriptions, the physician's prescription, the insurance coverage request, and any other information. FAC, at ¶ 82. Then, the "insurance provider will approve or deny [INR] coverage . . . ." Id. at ¶ 84.
On September 23, 2012, in Fremont, California, an Alere employee's car was burglarized. Id. at ¶ 5. A password-protected laptop containing Plaintiffs' and approximately 116,000 other Alere patients' confidential information was removed from the vehicle. Id. The confidential information on the laptop was unencrypted. Id. at ¶ 6. On November 20, 2012, Alere informed its patients about the incident. Id. at ¶ 22.
Under Rule 201 of the Federal Rules of Evidence, "[t]he court may judicially notice a fact that is not subject to reasonable dispute because it (1) is generally known within the trial court's territorial jurisdiction; or (2) can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201(b). In addition, the "incorporation by reference" doctrine allows judicial notice of a document attached to a motion to dismiss when a "plaintiff's claim depends on the contents of a document" and "the parties do not dispute the authenticity of the document." Knievel v. ESPN, 393 F.3d 1068, 1076 (9th Cir. 2005). The Court GRANTS Alere's requests for judicial notice of the sample letter sent to Alere enrollees, ECF No. 49-1, Exhibit "A," and the police report, ECF No. 49-1, Exhibit "C." The Court also GRANTS both parties' other unopposed requests for judicial notice in connection with the motion to dismiss.
"[W]ithin weeks to months" of the laptop theft, Plaintiff Steven Ingargiola suffered identity theft. Id. at ¶ 46. A debt collection agency informed Ingargiola that an account had been opened in his name with his confidential information, including Social Security number. Id. at ¶ 47. Ingargiola has always taken extra precautions to ensure that his personal and confidential information was not disclosed to unknown third parties. Id. at ¶ 48. This was the first identity theft in his life. Id. at ¶ 49.
Similarly to Ingargiola, Carol Fertig, another Alere's patient, was subject to identity theft. Id. at ¶ 37. Fertig shared confidential information with Alere prior to the September 2012 laptop theft, and on or about October 19, 2012, criminals opened a fraudulent utilities account using her full name, date of birth, and Social Security number. Id. at ¶¶ 36, 39. Fertig always took extra precautions to ensure that her confidential information was not disclosed to unknown third parties, and this was the first identity theft in her life. Id. at ¶ 42, 43.
B. Procedural Background
Plaintiffs filed their complaint on January 24, 2013. Class Action Complaint ("Complaint"), ECF No. 1. They brought this action on behalf of themselves and proposed to represent a class of "[a]ll persons whose confidential personal and medical information was contained on the laptop stolen from an Alere employee's vehicle in September, 2012 ('the Class')." Complaint at ¶ 31. Plaintiffs brought six causes of action, Complaint, ¶¶ 35-84, and Alere moved to dismiss each cause of action and to strike portions of the proposed class action. Order Granting Defendants' Motion to Dismiss and Denying Defendant's Motion to Strike ("Order"), ECF No. 46, at 1.
On October 7, 2014, the Court granted Alere's motion to dismiss in its entirety, denied Alere's motion to strike without prejudice, and ordered Plaintiffs to file an amended complaint within twenty-one days. Id. Dismissing Plaintiffs' CMIA claims, the Court concluded that Plaintiffs had failed to plead that their confidential medical information ("CMI"), which was contained on the stolen laptop, had been actually viewed by a third party. Id. at 4-5. Regarding their FCRA claims, the Court concluded that Plaintiffs had not pleaded facts establishing that the information collected by Alere was "kept for the purpose of furnishing consumer reports, as defined by Section 1681a(d), to third parties, as required by Section 1681a(f)." Id. at 5-6.
Plaintiffs filed their first amended complaint on October 28, 2014. FAC, at 1. Plaintiffs now assert three causes of action on their and the Class's behalf: (1) CMIA violations, (2) a willful FCRA violation, and (3) a negligent FCRA violation. Id. at 14, 16, 21. Alere moved to dismiss all Plaintiffs' claims and to strike the CMIA class allegation. Defendant's Motion to Dismiss Plaintiffs' FAC ("MTD"), ECF No. 48; Defendant's Motion to Strike Plaintiffs' FAC ("MTS"), ECF No. 50.
C. Jurisdiction
Under 28 U.S.C. § 1332(d), subject-matter jurisdiction is proper because at least one class member is diverse to the Defendant's citizenship; there are more than 100 proposed class members nationwide; and the aggregate amount in controversy exceeds $5,000,000. The Court has subject-matter jurisdiction also over the FCRA claim, as it arises under federal law. 28 U.S.C. § 1331.
II. LEGAL STANDARD
On a motion to dismiss, the Court accepts the material facts alleged in the complaint, together with reasonable inferences to be drawn from those facts, as true. Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). However, "the tenet that a court must accept a complaint's allegations as true is inapplicable to threadbare recitals of a cause of action's elements, supported by mere conclusory statements." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).
To survive a motion to dismiss, a plaintiff must plead "enough facts to state a claim to relief that is plausible on its face." Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). Plausibility does not mean probability, but it requires "more than a sheer possibility that a defendant has acted unlawfully." Iqbal, 556 U.S. at 678. "To render [an] explanation plausible, plaintiffs must do more than allege facts that are merely consistent with both their explanation and defendants' competing explanation." In re Century Aluminum Co. Sec. Litig., 729 F.3d 1104, 1108 (9th Cir. 2013). Furthermore, "[i]f there are two alternative explanations, one advanced by defendant and the other advanced by plaintiff, both of which are plausible, plaintiff's complaint . . . may be dismissed only when defendant's plausible alternative explanation is so convincing that plaintiff's explanation is implausible." Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011) (emphasis in original).
III. ALERE'S MOTION TO DISMISS
A. Violations of the Confidential Medical Information Act
Alere moves to dismiss Plaintiffs' CMIA claims, which arise under California Civil Code sections 56.101(a) and 56.36(b). FCA, at ¶¶ 56, 64. Section 56.101(a) requires health care providers to maintain medical information "in a manner that preserves the confidentiality of the information contained therein" and creates a private right of action, enforced through section 56.36(b), for patients' whose health care provider "negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information." Cal. Civ. Code § 56.101(a). Under section 56.36(b), "any individual may bring an action against any person or entity who has negligently released information concerning him or her in violation of this part for . . . nominal damages of one thousand dollars ($1,000)." Cal. Civ. Code § 56.36(b)(1). When suing for nominal damages, plaintiffs do not have to prove they "suffered or [were] threatened with actual damages," Cal. Civ. Code § 56.36(b)(1), but they must plead that an unauthorized third party viewed or accessed their confidential information, Regents of the Univ. of Cal. v. Super Ct., 220 Cal. App. 4th 549, 570 (2013); Sutter Health v. Super Ct., 227 Cal. App. 4th 1546, 1555 (2014) ("[W]ithout an actual confidentiality breach, a health care provider has not violated section 56.101 and therefore does not invoke the remedy provided in section 56.36.").
Plaintiffs have pled that Alere is a health care or health care service plan provider and thus must maintain its patients' information confidentially. FAC, at ¶¶ 2, 3. Plaintiffs have also pled that Alere negligently maintained, preserved, and released confidential information concerning Plaintiffs because it maintained confidential information "on a laptop that was vulnerable to theft" and "failed to encrypt that data." Id. at ¶¶ 4-6.
The Court dismissed Plaintiffs' initial complaint for failing to plead that a third party had viewed Plaintiffs' CMI. The Court relied on the California Court of Appeal's decisions in Regents and Sutter Health, which held that a Plaintiff cannot prevail on a claim under sections 56.101 and 56.36 without demonstrating that their CMI had been actually been viewed by a third party. See ECF No. 46 at 4-5. Plaintiffs' FAC now makes an allegation that their CMI was in fact viewed by an unauthorized third party. The FAC supports this allegation by pleading the following facts: (1) that Plaintiff Ingargiola and non-Plaintiff Fertig gave Alere their personal and confidential information, FAC, at ¶ 4; (2) Ingargiola and Fertig suffered identity theft sometime from three weeks to "weeks-and-months" from when the Alere laptop containing their confidential information was stolen, FAC, at ¶¶ 46, 38; (3) Ingargiola and Fertig had never before suffered identity theft, id., at ¶¶ 49, 43; (4) Ingargiola and Fertig always took extra precautions to ensure their confidential information was not disclosed to unknown third parties, id., at ¶¶ 49, 43; and (5) the fraudulent accounts that thieves opened were done with Ingargiola's and Fertig's Social Security numbers, information that Alere had and is not generally as available as date of birth, full name, and address.
Alere asks the Court to strike the complaint's allegations regarding Fertig's identity theft, arguing that these allegations are improper because Fertig is not a named plaintiff. ECF No. 50. Although Fertig is not a named plaintiff, the complaint alleges that her CMI was contained on the same laptop along as the CMI of the named plaintiffs. Therefore, the complaint's allegations that Fertig's identity was stolen following the theft of the laptop make the named plaintiffs' claims that their CMI was viewed by a third party somewhat more plausible. Alere's motion to strike these portions of the complaint is therefore denied.
Alere argues that these allegations do not render plausible Plaintiffs' allegations that their CMI was viewed by an unauthorized third party, claiming that Plaintiffs' allegations "rest[] entirely on the logical fallacy post hoc ergo propter hoc." ECF No. 48 at 11. Alere claims that the temporal proximity between the theft of the Alere laptop and the theft of Ingargiola and Fertig's identities does not, on its own, provide sufficient factual support for Plaintiffs' claim that the CMI contained on the laptop was viewed by an unauthorized third party.
"Generally, to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence." Resnick v. AvMed, Inc., 693 F.3d 1317, 1326 (11th Cir. 2012). Relying on an unpublished Ninth Circuit opinion, the Eleventh Circuit in Resnick concluded that plaintiffs had stated a plausible claim that their health care provider's data breach had caused their identity theft by alleging that (1) plaintiffs gave the defendant their personal information; (2) the identity fraud incidents began fourteen months after the devices containing the personal information were stolen; (3) plaintiffs had previously not suffered any such incidents of identity theft; and (4) the jury could infer that the type of information stolen was the same type of information needed to open the fraudulent accounts. See id. at 1327-28 (citing Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664, 667 (9th Cir. 2007) (wherein plaintiffs' identity theft began just six weeks following data breach)).
Plaintiffs here have alleged similar facts to those alleged by the plaintiffs in Resnick and Stollenwerk. Fertig's identity was stolen three weeks following the theft of the laptop, an even closer temporal link than alleged in Stollenwerk or Resnick. ECF No. 47 at ¶ 38. Although it is unclear from the complaint precisely when Igargiola's information was first used following the laptop theft, Ingargiola was contacted regarding debts taken out in his name in August of 2012. The Court finds it plausible that an unauthorized third party viewed Plaintiffs' CMI on the stolen laptop. Citing statistics on identity theft, Alere argues that it is more likely that Ingargiola and Fertig's fraudulent accounts were opened by individuals who had received their confidential information, including the Social Security numbers, from a source other than Alere's stolen laptop. See MTD, at 11-13. But because the Court finds that the identity thefts plausibly suggest that the CMI contained on the laptop was viewed by an unauthorized third party, Alere cannot succeed on this motion unless it establishes a competing explanation that "is so convincing that [Plaintiffs'] explanation is implausible." Starr, 652 F.3d at 1216 (emphasis deleted). This Alere has failed to do.
Plaintiffs are not required to show that their identity was stolen as a result of the data breach to recover under the CMIA. Plaintiffs' allegations that Ingargiola and Fertig's identities were stolen following the laptop theft merely help to lend support to Plaintiffs' claim that their data was in fact viewed by an unauthorized third party as a result of Alere's negligent maintenance of their CMI.
Alere also argues that Plaintiffs have failed to plead injury. Alere claims that Section 56.36(b)'s statement that it applies to "any person or entity who has negligently released confidential information or records" means that, in order to allege a claim against Alere under the CMIA, Plaintiffs must plead the common law elements of the tort of negligence, including "actual injury." MTD, at 14. But 56.36(b)(1) makes clear that "it shall not be necessary that the plaintiff suffered or was threatened with actual damages" in order for a plaintiff to recover. The relevant injury the CMIA seeks to protect against is the unauthorized disclosure of an individual's CMI. See Sutter, 227 Cal. App. 4th at 1559 ("[N]ominal damages [under section 56.36(b)] are not available if the injury—the confidentiality breach—has not occurred.") (emphasis added). As discussed above, Plaintiffs have sufficiently pled that their information was viewed by a third party without their authorization.
The Court therefore denies Alere's motion to dismiss Plaintiffs' CMIA claims. Plaintiffs have plausibly alleged that an unauthorized third party viewed or accessed Plaintiffs' confidential information, so "that the confidential nature of the plaintiff's medical information was breached as a result of the health care provider's negligence." See Regents, 220 Cal. App. 4th at 570; Sutter, 227 Cal. App. 4th at 1555.
Alere also argues that proving a section 56.36(b) claim based on a section 56.101(a) violation requires an "affirmative communicative act." Alere acknowledges that this argument is contrary to the Court of Appeals decision in Regents, 220 Cal. App. 4th at 564, but makes the argument in its motion to "preserve its position for any further proceedings." MTD at 9. The Court finds Regents to be persuasive on this point and concludes that an affirmative communicative act is not required to state a CMIA claim.
--------
B. Violations of the Fair Credit Reporting Act
Plaintiffs' assert FCRA claims against Alere for negligent and willful violations of the FCRA. FAC, at ¶¶ 68-97. The FCRA requires "that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information." 15 U.S.C.A. § 1681. Alere argues that it is not subject to the FCRA for two reasons: (1) Alere does not prepare "consumer reports" and (2) Alere is not a "consumer reporting agency." See MTD, at 2, 16-17.
The FCRA defines "consumer report" as, "communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for - (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title." 15 U.S.C. § 1681a(d)(1) (emphasis added).
Plaintiffs have pled that Alere collects potential patients' medical and personal information, and passes this information along to insurance companies for the purpose of evaluating if the patient's existing insurance policy would cover Alere's services. FAC, at ¶¶ 80-83. Alere argues that this does not mean that it prepares "consumer reports" within the meaning of the FCRA, as verifying the details of a patient's coverage does not relate to "establishing a consumer's eligibility for . . . insurance" under section 1681a(d)(1)(A). Courts have routinely held that reports distributed for the purposes of evaluating claims for benefits, as opposed to determining an individual's eligibility for insurance, do not fall within the ambit of the FCRA. See, e.g. Cochran v. Metro. Life Ins. Co., 472 F. Supp. 827, 831 (N.D. Ga. 1979), Hovater v. Equifax, Inc., 823 F.2d 413, 419 (11th Cir. 1987) (reasoning that "Congress spoke in terms of information relating specifically to the inception and maintenance of the insurance contract . . . Congress declined in its explicit treatment of the subject of insurance to regulate insurance claims reports"). The Court agrees that the FCRA does not cover Alere's communications with insurance companies regarding whether patient's existing insurance policies will cover Alere's services.
The Court therefore grants Alere's motion to dismiss the FCRA claims with prejudice.
IV. ALERE'S MOTION TO STRIKE
Alere has moved to strike Plaintiffs' CMIA class certification. MTS, at 1. Under Rule 12(f) of the Federal Rules of Civil Procedure, the Court may strike from the pleadings any "insufficient defense or any redundant, immaterial, impertinent, or scandalous matter." Courts rarely grant motions to strike class allegations at the pleading stage. See In re Wal-Mart Stores, Inc. Wage and Hour Litigation, 505 F. Supp. 2d 609, 615 (N.D. Cal. 2007) (noting that "dismissal of class actions at the pleading stage should be done rarely and that the better course is to deny such a motion because 'the shape and form of a class action evolves only through the process of discovery'") (citation omitted). The Court declines to do so here.
V. CONCLUSION
For the reasons stated above, the Court denies Alere's motion to dismiss Plaintiffs' CMIA claims, grants Alere's motion to dismiss Plaintiffs' FCRA claims, and denies Alere's motion to strike.
IT IS SO ORDERED. Dated: February 23, 2015
/s/_________
JON S. TIGAR
United States District Judge