
In re Anthem, Inc. Data Breach Litigation

United States District Court, N.D. California, San Jose Division.
Feb 14, 2016
162 F. Supp. 3d 953 (N.D. Cal. 2016)


Opinion

Case No. 15-MD-02617-LHK



ORDER GRANTING IN PART AND DENYING IN PART ANTHEM DEFENDANTS' MOTION TO DISMISS AND ORDER GRANTING IN PART AND DENYING IN PART NON-ANTHEM DEFENDANTS' MOTION TO DISMISS

Re: Dkt. No. 410, 413

LUCY H. KOH, United States District Judge

Plaintiffs bring this putative class action against Anthem, Inc., 28 Anthem affiliates, Blue Cross Blue Shield Association, and 17 non-Anthem Blue Cross Blue Shield Companies. The Court shall refer to Anthem, Inc. and the Anthem affiliates as the “Anthem Defendants,” and shall refer to Blue Cross Blue Shield Association and the non-Anthem Blue Cross Blue Shield Companies as the “Non-Anthem Defendants.” The Court shall refer to the Anthem and Non-Anthem Defendants collectively as “Defendants.”

All named Plaintiffs are identified in paragraphs 12 through 108 of the Consolidated Amended Complaint. See ECF No. 334-6 (“CAC”) ¶¶ 12–108.

The Anthem affiliates are: Blue Cross and Blue Shield of Georgia; Blue Cross Blue Shield Healthcare Plan of Georgia; Anthem Blue Cross and Blue Shield of Indiana; Anthem Blue Cross of California; Anthem Blue Cross Life and Health Insurance Company; Anthem Blue Cross and Blue Shield of Colorado and Anthem Blue Cross and Blue Shield of Nevada; Anthem Blue Cross and Blue Shield of Connecticut; Anthem Blue Cross and Blue Shield of Kentucky; Anthem Blue Cross and Blue Shield of Maine; Anthem Blue Cross and Blue Shield of Missouri; Anthem Blue Cross and Blue Shield of Missouri (RightChoice Managed Care, Inc. & Healthy Alliance Life Insurance Company); Anthem Blue Cross and Blue Shield of New Hampshire; Empire Blue Cross and Blue Shield; Anthem Blue Cross and Blue Shield of Ohio; Anthem Blue Cross and Blue Shield of Virginia (Anthem Health Plans of Virginia & HMO HealthKeepers); Anthem Blue Cross and Blue Shield of Wisconsin (Blue Cross Blue Shield of Wisconsin & Compcare Health Services Insurance Corporation); Amerigroup Services; HealthLink; Unicare Life & Health Insurance Company; CareMore Health Plan; the Anthem Companies; the Anthem Companies of California; Amerigroup Corporation; and the Amerigroup Kansas, Inc.

The non-Anthem BCBS Companies are: Blue Cross and Blue Shield of Alabama; Blue Cross Blue Shield of Arizona; Arkansas Blue Cross and Blue Shield; Blue Shield of California; Blue Cross and Blue Shield of Illinois; Blue Cross and Blue Shield of Florida; CareFirst BlueCross BlueShield; Blue Cross and Blue Shield of Massachusetts; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of Minnesota; Horizon Blue Cross and Blue Shield of New Jersey; Blue Cross and Blue Shield of North Carolina; Highmark Blue Shield; Highmark Blue Cross Blue Shield West Virginia; BlueCross BlueShield of Tennessee; Blue Cross and Blue Shield of Texas; and Blue Cross and Blue Shield of Vermont.

Before the Court are separate motions to dismiss Plaintiffs' consolidated amended complaint (“CAC”) filed by the Anthem and Non-Anthem Defendants. See ECF No. 334-6 (“CAC”); ECF No. 410 (“Anthem Mot.”); ECF No. 413 (“Non-Anthem Mot.”). Having considered the parties' submissions, the relevant law, and the record in this case, the Court hereby GRANTS in part and DENIES in part the Anthem Defendants' motion to dismiss and GRANTS in part and DENIES in part the Non-Anthem Defendants' motion to dismiss.

I. BACKGROUND

A. Factual Background

Defendant Anthem, Inc. (“Anthem”) is one of the largest health benefits and health insurance companies in the United States. CAC ¶ 109. Anthem serves its members through various Blue Cross Blue Shield (“BCBS”) licensee affiliates and other non-BCBS affiliates. Id. ¶ 155. Anthem also cooperates with the Blue Cross Blue Shield Association (“BCBSA”) and several independent BCBS licensees via the BlueCard program. Id. ¶ 156. “Under the BlueCard program, members of one BCBS licensee may access another BCBS licensee's provider networks and discounts when the members are out of state.” Id.

In order to provide certain member services, the Anthem and Non-Anthem Defendants “collect, receive, and access their customers' and members' extensive individually identifiable health record information.” Id. ¶ 157. “These records include personal information (such as names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data) and individually-identifiable health information (pertaining to the individual claims process, medical history, diagnosis codes, payment and billing records, test records, dates of service, and all other health information that an insurance company has or needs to have to process claims).” Id. The Court shall refer to members' personal and health information as Personal Identification Information, or “PII.”

Anthem maintains a common computer database which contains the PII of current and former members of Anthem, Anthem's affiliates, BCBSA, and independent BCBS licensees. Id. ¶ 158. In total, Anthem's database contains the PII of approximately 80 million individuals. Id. ¶ 204. According to Plaintiffs, both the Anthem and Non-Anthem Defendants promised their members that their PII would be protected. Blue Cross of California, for instance, mailed the following privacy notice to its members:

We keep your oral, written and electronic [PII] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [PII] safe include securing offices that hold [PII], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [PII] through written policies and procedures.... Also, where required by law, our affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [PII] to others without your written OK, except as allowed by law and outlined in this notice.

Id. ¶ 163 (emphasis removed). In February 2015, Anthem announced to the public that “cyberattackers had breached the Anthem Database, and [had] accessed [the PII of] individuals in the Anthem Database.” Id. ¶ 203. This was not the first time that Anthem had experienced problems with data security. In late 2009, approximately 600,000 customers of Wellpoint (Anthem's former trade name) “had their personal information and protected healthcare information compromised due to a data breach.” Id. ¶ 194. In addition, in 2013, the U.S. Department of Health and Human Services fined Anthem $1.7 million for various HIPAA violations related to data security. Id. ¶ 195. Finally, in 2014, the federal government informed Anthem and other healthcare companies of the possibility of future cyberattacks, and advised these companies to take appropriate measures, such as data encryption and enhanced password protection. Id. ¶¶ 200–01.

Plaintiffs allege that Defendants did not sufficiently heed these warnings, which allowed cyberattackers to extract massive amounts of data from Anthem's database between December 2014 and January 2015. Id. ¶ 226. After Anthem discovered the extent of this data breach, it proceeded to implement various containment measures. Id. ¶ 232. The cyberattacks ceased by January 31, 2015. Id. In addition, after learning of the cyberattacks, Anthem proceeded to retain Mandiant, a cybersecurity company, “to assist in assessing and responding to the Anthem Data Breach and to assist in developing security protocols for Anthem.” Id. ¶ 207. Mandiant's work culminated in the production of an Intrusion Investigation Report (“Mandiant Report”), which Mandiant provided to Anthem in July 2015. Id.

According to Plaintiffs, the Mandiant Report found that “Anthem and [its] Affiliates [had] failed to take reasonable measures to secure the [PII] in their possession.” Id. ¶ 236. Likewise, Plaintiffs allege that “Anthem and Anthem Affiliates [ ] lacked reasonable encryption policies.” Id. ¶ 237. Additionally, “BCBSA and non-Anthem BCBS allowed the [PII] that their current and former customers and members had entrusted with them to be placed into the Anthem Database even though there were multiple public indications and warnings that the Anthem and Anthem Affiliates' computer systems and data security practices were inadequate.” Id. ¶ 243. Plaintiffs further aver that although Anthem publicly disclosed the data breach in February 2015, many affected customers were not personally informed until March 2015, if at all. Id. ¶ 250. Finally, Plaintiffs contend that Anthem still has not disclosed whether it has made any changes to its security practices to prevent a future cyberattack.

B. Procedural History

A number of lawsuits were filed against the Anthem and Non-Anthem Defendants in the wake of the Anthem data breach. In general, these lawsuits bring putative class action claims alleging (1) failure to adequately protect Anthem's data systems, (2) failure to disclose to customers that Anthem did not have adequate security practices, and (3) failure to timely notify customers of the data breach.

In spring 2015, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) (“When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings.”). On June 12, 2015, the Judicial Panel on Multidistrict Litigation (“JPML”) issued a transfer order selecting the undersigned judge as the transferee court for “coordinated or consolidated pretrial proceedings” in the multidistrict litigation (“MDL”) arising out of the Anthem data breach. See ECF No. 1 at 1–3.

As of February 14, 2016, after remand or dismissal of 9 cases, this MDL is comprised of 114 active individual cases. ECF No. 451-1 at 4. An additional case is pending conditional transfer to this MDL.

On September 10, 2015, the Court held a hearing to appoint Lead Plaintiffs' counsel. Following this hearing, the Court issued an order appointing Co-Lead Plaintiffs' counsel and requesting that counsel file a single consolidated amended complaint by October 19, 2015. ECF No. 284 at 2. On October 19, 2015, Plaintiffs filed their consolidated amended complaint, which organized Plaintiffs' causes of action into thirteen different counts, with claims pursuant to various state and federal laws asserted under each count. The complaint's prayer for relief included requests for class certification, injunctive relief, and damages.

On this final form of relief, Plaintiffs seek damages arising from four separate economic losses. First, Plaintiffs allege that they “paid Anthem money for services that should have included protecting their [PII] from unauthorized disclosure”; Plaintiffs refer to these losses as “Benefit of the Bargain” losses. ECF No. 424 at 3. Second, Plaintiffs seek recovery for “the theft of Plaintiffs' [PII],” which Plaintiffs refer to as the “Loss of Value of PII.” Id. Third, Plaintiffs allege that many class members “incurred out-of-pocket losses, including delayed tax returns, and the time and costs of credit monitoring.” Plaintiffs refer to these losses as “Out of Pocket” costs. Id. Finally, Plaintiffs allege that all class members “are at significant risk of imminent identity theft...as a result of the exfiltration of their [PII],” which Plaintiffs refer to as the “Imminent Risk of Further Costs.” Id.

At the October 25, 2015 case management conference, the Court determined that the Anthem Defendants and Non-Anthem Defendants would file separate motions to dismiss. Both motions would be “limited to a combined total of 10 claims, with 5 claims selected by Plaintiffs, 3 claims selected by the Anthem Defendants, and 2 claims selected by the [Non-Anthem Defendants].” ECF No. 326 at 2–3. At the November 10, 2015 case management conference, the parties informed the Court of the 10 claims that would be addressed in Defendants' motions to dismiss. ECF No. 366 at 2.

On November 23, 2015, the Anthem Defendants and Non-Anthem Defendants filed their respective motions to dismiss. ECF No. 410 (“Anthem Mot.”); ECF No. 413 (“Non-Anthem Mot.”). Plaintiffs filed their oppositions on December 21, 2015, and the Anthem Defendants and Non-Anthem Defendants filed their replies on January 19, 2016. ECF No. 424 (“Anthem Opp'n”); ECF No. 425 (“Non-Anthem Opp'n”); ECF No. 432 (“Anthem Reply”); ECF No. 433 (“Non-Anthem Reply”).

II. LEGAL STANDARD

A. Motion to Dismiss

Pursuant to Federal Rule of Civil Procedure 12(b)(6), a defendant may move to dismiss an action for failure to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (internal citations omitted). For purposes of ruling on a Rule 12(b)(6) motion, the Court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir.2008).

Nonetheless, the Court is not required to “ ‘assume the truth of legal conclusions merely because they are cast in the form of factual allegations.’ ” Fayer v. Vaughn, 649 F.3d 1061, 1064 (9th Cir.2011) (quoting W. Mining Council v. Watt, 643 F.2d 618, 624 (9th Cir.1981)). Mere “conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss.” Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir.2004); accord Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. Furthermore, “ ‘a plaintiff may plead [him]self out of court’ ” if he “plead[s] facts which establish that he cannot prevail on his...claim.” Weisbuch v. Cnty. of Los Angeles, 119 F.3d 778, 783 n. 1 (9th Cir.1997) (quoting Warzon v. Drew, 60 F.3d 1234, 1239 (7th Cir.1995)).

For purposes of motions to dismiss, as with virtually all motions touching upon substantive legal matters, the general rule “is that the MDL transferee court is generally bound by the same substantive legal standards, if not always the same interpretation of them, as would have applied in the transferor court.” In re Korean Air Lines Co., Ltd., 642 F.3d 685, 699 (9th Cir.2011).

B. Leave to Amend

Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend “shall be freely granted when justice so requires,” bearing in mind “the underlying purpose of Rule 15 to facilitate decision on the merits, rather than on the pleadings or technicalities.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir.2000) (en banc) (ellipses omitted). Generally, leave to amend shall be denied only if allowing amendment would unduly prejudice the opposing party, cause undue delay, or be futile, or if the moving party has acted in bad faith. Leadsinger, Inc. v. BMG Music Publ'g, 512 F.3d 522, 532 (9th Cir.2008).

III. DISCUSSION

A. Standing

Before addressing any of the specific claims at issue, the Court turns first to the three arguments that the Non-Anthem Defendants have raised regarding standing. First, “not one of the 98 named plaintiffs in the CAC alleges that he or she was insured by or had any connection with...Blue Cross and Blue Shield of Arizona, Inc., BlueCross BlueShield of Tennessee, Inc., and Highmark West Virginia, Inc.” Non-Anthem Mot. at 2 (emphasis added). Thus, the Non-Anthem Defendants request that these three Non-Anthem Defendants be dismissed from this action in its entirety.

Second, the consolidated amended complaint fails “to allege any facts regarding ten Non-Anthem Defendants with respect to” the selected claims at issue in the instant motions to dismiss. Non-Anthem Mot. at 1 (emphasis removed). Accordingly, the Non-Anthem Defendants request that the selected “claims...be dismissed as to those ten Non-Anthem Defendants.” Non-Anthem Reply at 3.

These ten Non-Anthem Defendants are: Blue Cross and Blue Shield of Alabama; Blue Cross and Blue Shield of Arizona, Inc.; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Highmark West Virginia, Inc.; BlueCross BlueShield of Tennessee, Inc.; Blue Cross and Blue Shield of Vermont; and Blue Cross and Blue Shield of Illinois. Non-Anthem Mot. at 1.

Third, the consolidated amended complaint fails to allege any specific facts as to Plaintiffs' Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, New York unjust enrichment, New York General Business Law § 349, and California Unfair Competition Law claims against 16 of the 17 Non-Anthem Defendants. Specifically, the consolidated amended complaint identifies a New Jersey Plaintiff—Elizabeth Ames—who was enrolled in a plan managed by Non-Anthem Defendant Horizon Blue Cross Blue Shield of New Jersey. See CAC ¶ 146; Non-Anthem Mot. at 3. Plaintiffs have thus properly asserted a New Jersey breach of contract claim against Horizon Blue Cross Blue Shield of New Jersey, but have not alleged any specific facts as to the remaining 16 Non-Anthem Defendants. The Non-Anthem Defendants therefore request dismissal of those Non-Anthem Defendants who have not had any specific facts alleged against them as to Plaintiffs' Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, New York unjust enrichment, New York General Business Law § 349, and California Unfair Competition Law claims.

All three of these arguments implicate the same thorny legal question: when, in the context of a nationwide consumer class action, should a federal court address issues of standing? Indeed, “[a]lthough standing is a ‘threshold issue’ usually considered at the outset of the case,” two U.S. Supreme Court decisions—Amchem Products, Inc. v. Windsor, 521 U.S. 591, 117 S.Ct. 2231, 138 L.Ed.2d 689 (1997), and Ortiz v. Fibreboard Corp., 527 U.S. 815, 119 S.Ct. 2295, 144 L.Ed.2d 715 (1999)—“make clear that there are situations in which a court may defer that issue to later in the case.” In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1160 (D.Minn.2014). As the In re Target court summarized, both Amchem and Ortiz involved “global settlements of [consumer] class actions” where the district court “was simultaneously presented with class certification issues and Article III issues.” Id. at 1159–60. In both Amchem and Ortiz, the U.S. Supreme Court determined that the district court could defer standing questions until after class certification. In the instant case, Plaintiffs request that the Court adopt the same approach.

Neither Amchem nor Windsor, however, created a blanket exception for standing in the consumer class action context. Rather, the U.S. Supreme Court “in both cases stated that class certification questions could be addressed first [because] they were ‘logically antecedent’ to the standing questions.” In re Carrier IQ, Inc., 78 F.Supp.3d 1051, 1071 (N.D.Cal.2015) (quoting Ortiz, 527 U.S. at 831, 119 S.Ct. 2295; Amchem, 521 U.S. at 612, 117 S.Ct. 2231). The scope and applicability of this “logically antecedent” exception has, in the aftermath of Amchem and Windsor, confounded both courts and commentators alike. See, e.g., In re Target, 66 F.Supp.3d at 1160 (“Although some courts [have] interpreted [Amchem and Windsor] to require deferral of the Article III standing determination until after class certification, [others courts have] found more persuasive the decisions that interpreted the Supreme Court precedent to allow consideration of the named plaintiff's Article III standing at an earlier stage, thus requiring a named plaintiff to establish standing for each claim set forth in a class action when the issue is presented prior to class certification.”) (internal quotation marks omitted); Linda S. Mullenix, Standing and Other Dispositive Motions After Amchem and Ortiz: The Problem of “Logically Antecedent” Inquiries, 2004 Mich. St. L. Rev. 703. Even district courts within the Northern District of California have split ways on when (and how) Amchem and Ortiz should apply in the consumer class action context. See generally In re Carrier IQ, 78 F.Supp.3d at 1068–75 (reviewing cases that have considered standing before and after class certification).

On this particular question, the Court finds instructive the reasoning in In re Carrier IQ. In In re Carrier IQ, the district court undertook a comprehensive analysis of U.S. Supreme Court and Ninth Circuit precedent, decisions from various federal district courts, and pertinent legal scholarship. See id. After surveying these sources in detail, the In re Carrier IQ court concluded “that it ha[d] the discretion to defer questions of standing until after class certification”—which it could decide to exercise on a case by case (or even an issue by issue) basis. Id. at 1074. In exercising this discretion, the In re Carrier IQ court noted that a district court might consider factors such as the cost and burden of discovery, “the breadth of the proposed class and the number of state law claims asserted on behalf of the class,” and whether a named plaintiff's “claim is typical of those individuals whose claims arise under the laws of...other states.” Id. at 1072–75. Following In re Carrier IQ, the Court finds that it has discretion to decide in the instant action when to consider issues of standing, and shall exercise this discretion as follows.

1. All Claims as to Three Non-Anthem Defendants

As to Blue Cross and Blue Shield of Arizona, Inc., BlueCross BlueShield of Tennessee, Inc., and Highmark West Virginia, Inc., “not one of the 98 named plaintiffs in the CAC alleges that he or she was insured by or had any connection with” these entities. Non-Anthem Mot. at 2. The Non-Anthem Defendants request that these three entities be dismissed from this action in its entirety. The Court finds the Non-Anthem Defendants' contentions well taken, for the reasons stated below.

First, each of the factors described in In re Carrier IQ weigh in favor of the Court addressing standing questions at the outset of this litigation, rather than deferring such questions until class certification. As to the cost and burden of discovery, for instance, the Court observes that the parties must litigate the selected claims “through two motions to dismiss, through class cert[ification], [and] through summary judgment.” ECF No. 359 at 60. The parties expect discovery to be expensive and time-consuming. As this action moves forward, Plaintiffs may not be able to find a single class member who can assert any claim with specific factual allegations against Blue Cross and Blue Shield of Arizona, Inc., BlueCross BlueShield of Tennessee, Inc., and Highmark West Virginia, Inc. Under such circumstances, it would make little sense to require these three Non-Anthem Defendants to be subject to extensive discovery and motions practice.

In addition, there are nearly 80 million potential class members, with each class member asserting a variety of state and federal law claims. Deferring questions of standing until class certification would only make the Court's class certification decision all the more unwieldy, and would not be in the interest of promoting efficient litigation. See In re Carrier IQ, 78 F.Supp.3d at 1074–75 (“Moreover, given the breadth of the proposed class and the number of state law claims asserted on behalf of the class, there is a meaningful risk that the requirements of class certification under Rule 23 may not be met or, if they are, subclasses may have to be created which would engender delay.”).

Furthermore, as the parties acknowledge, there are subtle but significant differences in the various state and federal law claims at issue. Plaintiffs might, for instance, be able to move forward with a breach of contract claim under California law but not a breach of contract claim under the law of a different state. Under such circumstances, grouping all Non-Anthem Defendants together—particularly those who have had no specific factual allegations asserted against them—makes little sense. See id. at 1072 (holding that deferring issues of standing until after class certification may be appropriate where a claim brought by an individual with standing “is typical of those individuals whose claims arise under the laws of the other states.”).

In addition to the specific In re IQ Carrier factors discussed above, Plaintiffs acknowledge that “named Plaintiffs from a particular state do not bring their individual state law claims against Non-Anthem Defendants with whom they did not have a relationship.” Non-Anthem Opp'n at 5; see also Armstrong v. Davis, 275 F.3d 849, 860 (9th Cir.2001), recognized as abrogated on other grounds by Nordstrom v. Ryan, 762 F.3d 903, 911 (9th Cir.2014) (“In order to assert claims on behalf of a class, a named plaintiff must have personally sustained or be in immediate danger of sustaining some direct injury as a result of the challenged statute or official conduct.”). Thus, under Plaintiffs' own theory of the case, there is little reason to keep certain Non-Anthem Defendants in this action when no specific factual allegations have been asserted against them with respect to any of the claims in the consolidated amended complaint.

As a final point, in this particular instance, case law appears to tilt in the Non-Anthem Defendants' favor. In In re Carrier IQ, for instance, the district court addressed standing prior to class certification and “require[d] the [p]laintiffs to present a named class member who possesses individual standing to assert each state law's claims against Defendants.” 78 F.Supp.3d at 1074. As in the instant case, the In re Carrier IQ court cited both “the expense and burden of nationwide discovery” and “the breadth of the proposed class” in reaching this determination. Id. Likewise, in Pardini v. Unilever United States, Inc., 961 F.Supp.2d 1048, 1061 (N.D.Cal.2013), the district court observed that “there is only one named plaintiff and she has not alleged that she purchased [defendant's product] outside of California.” Thus, “[p]laintiff does not have standing to assert a claim under the consumer protection laws of the other states named in the Complaint.” Id.; accord Harris v. CVS Pharmacy, Inc., 2015 WL 4694047, *4 (C.D.Cal. Aug. 6, 2015) (finding that, “[a]s the party advocating for the application of Rhode Island law, [p]laintiff must make at least [a] prima facie showing that the RIDTPA applies to him such that he would have standing to bring that claim.”).

Plaintiffs' attempt to distinguish this line of cases by relying on In re Target is unavailing. Although the In re Target court did defer issues of standing until after class certification, the district court reasoned that, “[a]s Target undoubtedly knows, there are consumers in Delaware, Maine, Rhode Island, Wyoming, and the District of Columbia whose personal financial information was stolen in the 2013 breach.” 66 F.Supp.3d at 1160. Accordingly, even though no named plaintiffs hailed from these specific jurisdictions at the time Target filed its motion to dismiss, residents from these jurisdictions were almost certainly affected by the data breach and could almost certainly be identified at some later point in the litigation.

This same principle does not apply with equal force in the instant case. Here, unlike in In re Target, Plaintiffs do not bring their claims against a single nationwide entity. Instead, Plaintiffs have brought suit against Anthem, 28 Anthem affiliates, and 17 Non-Anthem Defendants. The Non-Anthem Defendants do not dispute that the Anthem data breach affected upwards of 80 million individuals, and that these individuals have standing to bring their claims against at least some Defendants. The Non-Anthem Defendants, however, contest whether three specific Non-Anthem Defendants should remain in this action when not a single named Plaintiff has been able to assert any specific factual allegations against these three Non-Anthem Defendants. Unless and until Plaintiffs demonstrate otherwise, the Court finds that there is little use in keeping these three Non-Anthem Defendants in this action.

Accordingly, the Court DISMISSES Blue Cross and Blue Shield of Arizona, Inc., BlueCross BlueShield of Tennessee, Inc., and Highmark West Virginia, Inc. from this action in its entirety. Plaintiffs, however, shall have leave to amend. It is possible that Plaintiffs may be able to assert specific factual allegations against the three Non-Anthem Defendants listed above by, for instance, adding a new named Plaintiff. See Lopez, 203 F.3d at 1127 (holding that “a district court should grant leave to amend...unless it determines that the pleading could not possibly be cured by the allegation of other facts.”). The Court therefore GRANTS with leave to amend the Non-Anthem Defendants' motion to dismiss Blue Cross and Blue Shield of Arizona, Inc., BlueCross BlueShield of Tennessee, Inc., and Highmark West Virginia, Inc. from this action in its entirety.

2. All Selected Claims as to Ten Non-Anthem Defendants

For substantially the same reasons, the Court also GRANTS with leave to amend the Non-Anthem Defendants' motion to dismiss the ten selected claims at issue in the instant motion to dismiss against Blue Cross and Blue Shield of Alabama; Blue Cross and Blue Shield of Arizona, Inc.; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Highmark West Virginia, Inc.; BlueCross BlueShield of Tennessee, Inc.; Blue Cross and Blue Shield of Vermont; and Blue Cross and Blue Shield of Illinois.

As noted above, the consolidated amended complaint fails to allege any specific facts regarding these ten Non-Anthem Defendants with respect to the selected claims at issue in the instant motions to dismiss. Non-Anthem Mot. at 1. Requiring these particular Non-Anthem Defendants to undergo extensive discovery and motions practice in this action is both costly and unnecessary. Moreover, dismissing these ten Non-Anthem Defendants from the ten selected claims at issue does not altogether absolve these Defendants from liability. By requiring the parties to focus on a set of selected claims, the Court sought to narrow the issues presented in order to move forward with this MDL in a timely and cost-effective manner. The Court's decision to adopt such a streamlined approach, however, does not result in dismissal of the many remaining, non-selected claims against these ten Non-Anthem Defendants asserted in the consolidated amended complaint.

3. Selected Claims as to Most Non-Anthem Defendants

Finally, the Non-Anthem Defendants request that the Court dismiss Plaintiffs' Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, California Unfair Competition Law (“UCL”), New York unjust enrichment, and New York General Business Law (“GBL”) § 349 claims against all Non-Anthem Defendants about whom the consolidated amended complaint makes no factual allegations.

As an initial matter, this argument is moot with respect to Plaintiffs' Indiana negligence and Kentucky Consumer Protection Act claims. As discussed in greater detail below, Plaintiffs can not maintain these claims as a matter of law. These claims will therefore be dismissed with prejudice.

That leaves the Court with the following four claims: New Jersey breach of contract, California Unfair Competition Law (“UCL”), New York unjust enrichment, and New York General Business Law (“GBL”) § 349. Although the Non-Anthem Defendants acknowledge that Plaintiffs have properly brought these claims against at least one Anthem or Non-Anthem Defendant, the Non-Anthem Defendants contend that there is little point in keeping all Non-Anthem Defendants in this litigation with respect to these particular claims. The Court agrees.

Consistent with its reasoning throughout this section, the Court finds that it would be improvident to require all 17 non-Anthem Blue Cross Blue Shield Defendants to answer for a claim when Plaintiffs assert factual allegations against only a handful of these 17 Defendants. The breadth and complexity of this action make streamlining this litigation all the more important. Thus, the Court GRANTS the Non-Anthem Defendants' motion to dismiss Plaintiffs' Indiana negligence, Kentucky Consumer Protection Act, New Jersey breach of contract, California Unfair Competition Law (“UCL”), New York unjust enrichment, and New York General Business Law (“GBL”) § 349 claims against all Non-Anthem Defendants about whom the consolidated amended complaint makes no factual allegations. As above, Plaintiffs shall have leave to amend.

In the same vein, Plaintiffs must specifically and accurately identify the health plan of each named Plaintiff. For example, although the consolidated amended complaint alleges that California Plaintiff Michael Bronzo was enrolled in a “Blue Cross Blue Shield of California health plan,” Non-Anthem Defendants allege that no such entity exists. Non-Anthem Mot. at 10 n.2.

B. Indiana Negligence (against Anthem and Non-Anthem Defendants)

“The elements of a negligence claim under Indiana law are: (1) a duty owed to plaintiff by defendant, (2) breach of duty by allowing conduct to fall below the applicable standard of care, and (3) a compensable injury proximately caused by defendant's breach of duty.” Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 635 (7th Cir.2007) (internal quotation marks omitted). Here, Plaintiffs allege that the Anthem and Non-Anthem Defendants “violated the duty of care owed Indiana Plaintiffs and Class Members by collecting and storing their [PII] without adequate data security.” Anthem Opp'n at 3.

Defendants contend that Plaintiffs' negligence claim fails for three reasons. First, Defendants assert “that Indiana law does not allow a cause of action in tort against a database owner for failing to protect adequately personal information.” Anthem Mot. at 2. Second, Defendants argue that the economic loss doctrine bars recovery for Defendants' alleged negligence. Id. at 3. Third, Defendants contend that the allegations in the consolidated amended complaint fail to establish proximate causation. Non-Anthem Mot. at 8.

As to whether Indiana law provides Plaintiffs a private cause of action, the parties acknowledge that no Indiana court has yet ruled on this question. The Court therefore looks to the law of the Seventh Circuit, of which Indiana is a part. On this point, the Court finds instructive the Seventh Circuit's decision in Pisciotta v. Old National Bancorp. In Pisciotta, Old National Bancorp (“ONB”) maintained a website containing the personal information of potential customers. In 2005, ONB learned that its website had been hacked, and ONB subsequently informed affected potential customers of this breach. Upon receiving this information, Luciano Pisciotta (“Pisciotta”) and Daniel Mills (“Mills”) proceeded to file a putative class action complaint against ONB. As in the instant case, the Pisciotta complaint asserted a negligence claim under Indiana law. The District Court for the Southern District of Indiana determined that Pisciotta and Mills could not bring such a claim as a matter of law, and granted ONB's motion for judgment on the pleadings. 499 F.3d at 632–33 (reciting procedural history). The Seventh Circuit upheld the district court's decision on appeal.

In reaching this conclusion, the Seventh Circuit first observed that “[n]either the parties' efforts nor our own have identified any Indiana precedent addressing” whether “Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing compensable injury and consequent damages required to state a claim for negligence.” Id. at 635. Accordingly, “[w]ithout state authority to guide us, ‘[w]hen given a choice between an interpretation of [state] law which reasonably restricts liability, and one which greatly expands liability, we should”—as a general matter—“choose the narrower and more reasonable path (at least until the [state] Supreme Court tells us differently).’ ” Id. at 635–36 (quoting Todd v. Societe Bic, S.A., 21 F.3d 1402, 1412 (7th Cir.1994) (en banc)) (alterations in original).

With this general canon of interpretation in mind, the Seventh Circuit further observed that “the Indiana authority most closely addressed to the issue”—a series of statutes enacted by the Indiana legislature in 2006—weighed against finding that Pisciotta and Mills could assert a private right of action against ONB. Id. at 636–37. The statutory provisions “applicable to private entities storing personal information require only that a database owner disclose a security breach to potentially affected consumers; they do not require the database owner to take any other affirmative act in the wake of a breach.” Id. at 637. Moreover, “[i]f the database owner fails to comply with the only affirmative duty imposed by the statute—the duty to disclose—the statute provides for enforcement only by the Attorney General of Indiana. It creates no private right of action against the database owner.” Id. Thus, disclosure to those affected is the only duty imposed upon the database owners by Indiana's data breach statutes, and these statutes only allow for enforcement by the Indiana Attorney General.

The Seventh Circuit went on to reject the view “that the statute is evidence that the Indiana legislature believes that an individual has suffered a compensable injury at the moment his personal information is exposed because of a security breach.” Id. Indeed, “given the novelty of the legal questions posed by information exposure and theft, it is unlikely that the legislature intended to sanction the development of common law tort remedies that would apply to the same factual circumstances addressed by the statute.” Id.

The Court finds Pisciotta persuasive for the following reasons. First, this Court, as an MDL court, “must apply the law of the transferor forum, that is, the law of the state in which the action was filed.” In re Vioxx Prods. Liab. Litig., 478 F.Supp.2d 897, 903 (E.D.La.2007); see also In re Korean Air, 642 F.3d at 699 (“[T]he MDL transferee court is generally bound by the same substantive legal standards...as would have applied in the transferor court.”). This legal principle means that, for a negligence claim brought under the laws of Indiana, the MDL court should—as a general matter—follow the lead of the Seventh Circuit.

Second, although Pisciotta was decided in 2007, the parties have identified no subsequent cases—state or federal—that have discussed Indiana's data breach statutes. The Court has found none in its own research. Thus, Pisciotta continues to serve as the final word on how courts should interpret Indiana's data breach statutes and, critically, whether individuals may maintain a private cause of action for negligence. 499 F.3d at 637 (“Had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent.”).

Third, the Pisciotta decision is consistent with the negligence law of other jurisdictions. In Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1054 (E.D.Mo.2009), for instance, plaintiff alleged “that defendant was negligent in its failure to properly secure its computerized database system [,] thereby rendering the system vulnerable to a security breach and, further, was negligent in its failure to timely disclose the alleged breach.” In rejecting plaintiff's claim, the Amburgy court “note[d] that the Missouri legislature [had] recently enacted a data breach notification law.” Id. at 1055. That law, like Indiana's statutes, holds that the state “Attorney General [is] to have exclusive authority in bringing claims against data handlers for a violation of the notice requirements.” Id. The Missouri statute did not provide a private cause of action, and the Amburgy court declined to create a cause of action “where one does not exist.” Id.

Similarly, in Willingham v. Global Payments, Inc., 2013 WL 440702, *17 n. 19 (N.D.Ga. Feb. 5, 2013), plaintiffs sought to assert a common law negligence claim against defendant. In arguing that defendant owed plaintiffs such a duty, plaintiffs cited data breach statutes from Kansas and California. Id. After carefully reviewing these statutes, the Willingham court concluded that the statutes “do not give [p]laintiffs a [private] cause of action for negligence.” Id. As the district court explained, these statutes contain a notice provision which requires companies to provide notice to affected customers of a data breach. Like the statutes at issue in Pisciotta and Amburgy, however, these statutes do not contain a private enforcement mechanism.

Third, and finally, Plaintiffs' attempts to distinguish Pisciotta are unavailing. Plaintiffs, for instance, point to the fact that the Indiana legislature amended Indiana's data breach statutes in 2009. The statutes now require database owners to “maintain reasonable procedures...to protect and safeguard from unlawful use or disclosure any personal information,” a provision that did not exist at the time Pisciotta was decided. Anthem Opp'n at 4. The amendments also exempt some “database owners with security policies under HIPAA from some...[statutory] requirements.” Anthem Mot. at 2 n.3. None of these amendments, however, address whether individual plaintiffs may maintain a private cause of action in negligence. Indiana's data breach statutes continue to provide a single enforcement mechanism: an action brought by the state Attorney General. Ind. Code. Ann. § 24–4.9–4–2. The Court thus fails to see how the 2009 amendments give support to Plaintiffs' attempts to maintain a private cause of action. Pisciotta was decided in 2007. The Indiana legislature, presumably aware of the Pisciotta decision, declined to provide plaintiffs a private cause of action when given the opportunity to amend the state's data breach statutes in 2009.

Plaintiffs also contend that Indiana courts “frequently borrow from statutes that do not contain a private right of action to impose common law duties.” Anthem Opp'n at 4. Plaintiffs cite Kho v. Pennington, 875 N.E.2d 208, 212 (Ind.2007), where the Indiana Supreme Court recognized a private right of action for statutory negligence “arising from the violation of the identity confidentiality provision in Indiana Code § 34–18–8–7(a)(1).”

There are two key flaws with Plaintiffs' reliance on Kho. First, the fact that Indiana courts have recognized claims for statutory negligence in some cases does not suggest that this Court should recognize a private cause of action in the instant case. This point is all the more pronounced where, as here, the District Court for the Southern District of Indiana and the Seventh Circuit—two federal courts that are significantly more familiar with Indiana law than this Court—declined to recognize a private cause of action under nearly identical circumstances in Pisciotta. Cf. Butner v. United States, 440 U.S. 48, 58, 99 S.Ct. 914, 59 L.Ed.2d 136 (1979) (“The federal judges who deal regularly with questions of state law in their respective districts and circuits are in a better position than we to determine how local courts would dispose of comparable issues.”).

Second—and relatedly—all of the decisions cited in Kho are Indiana Supreme Court or Indiana Court of Appeals decisions. None are federal court decisions, much less decisions by a federal court sitting in a different state. This result is, in the Court's view, consistent with the view of the Seventh Circuit, that “[w]hen [a federal court is] given a choice between an interpretation of [state] law which reasonably restricts liability, and one which greatly expands liability, [the federal court] should choose the narrower and more reasonable path.” Todd, 21 F.3d at 1412. In light of these circumstances, Plaintiffs can not pursue their Indiana negligence claim against Defendants.

Because Plaintiffs can not pursue such a claim as a matter of law, the Court need not address Defendants' arguments concerning the economic loss doctrine and proximate causation. Accordingly, Defendants' motions to dismiss Plaintiffs' Indiana negligence claim are GRANTED. Moreover, the Court finds that amendment would be futile. Case law and statutory authority indicate that, in Indiana, data breach actions must be brought by the Indiana Attorney General. Plaintiffs have identified no relevant authority that would allow private individuals to bring an Indiana data breach action under a common law negligence theory. In the absence of supporting authority for Plaintiffs' position, the Court finds that leave to amend would be futile, and therefore denies leave to amend. See Bonin v. Calderon, 59 F.3d 815, 845 (9th Cir.1995) (“Futility of amendment can, by itself, justify the denial of a motion for leave to amend.”). Therefore, Plaintiffs' Indiana negligence claim is DISMISSED with prejudice.

C. California Breach of Contract (against Anthem Defendants)

The consolidated amended complaint asserts against the Anthem Defendants a breach of contract claim under California law. Specifically, Plaintiffs allege that “Anthem and Anthem Affiliates did not satisfy their promises and obligations to Plaintiffs and Statewide Class Members under the contracts in that they did not take reasonable measures to keep Plaintiffs' and Statewide Class Members' [PII] secure and confidential and did not comply with the applicable laws, regulations, and industry standards.” CAC ¶ 305. In moving to dismiss Plaintiffs' claim, the Anthem Defendants contend that “(a) the CAC fails to identify the contractual provisions that allegedly were breached, (b) the CAC fails to allege facts showing any breach caused Plaintiffs to suffer damages that are cognizable under California law, and (c) certain Plaintiffs' claims are preempted by ERISA.” Anthem Mot. at 4.

The Anthem Defendants also allege that three California Plaintiffs (Joseph Blanchard, Lillian Brisko, and Alvin Lawson) do not have a contractual relationship with an Anthem Defendant. Anthem Mot. at 4. Plaintiffs concede this point, and acknowledge that these three Plaintiffs “do not bring [California] breach of contract claims against [the] Anthem Affiliates with whom they had no relationship.” Anthem Opp'n at 6–7 n.6.

As to whether the consolidated amended complaint identifies the contractual provisions that were breached, the Court observes that, “[u]nder California law, to state a claim for breach of contract a plaintiff must plead the contract, plaintiffs' performance (or excuse for nonperformance), defendant's breach, and damage to plaintiff therefrom.” Low v. LinkedIn Corp., 900 F.Supp.2d 1010, 1028 (N.D.Cal.2012) (internal quotation marks omitted). With respect to this first requirement—the need to plead the contract—a plaintiff must, in actions involving breach of a written contract, “allege the specific provisions in the contract creating the obligation the defendant is said to have breached.” Young v. Facebook, Inc., 790 F.Supp.2d 1110, 1117 (N.D.Cal.2011); see also Frances T. v. Vill. Green Owners Ass'n, 42 Cal.3d 490, 229 Cal.Rptr. 456, 723 P.2d 573, 586 (1986) (“Plaintiff's allegation that defendants breached that contract...must fail because she does not allege that any provision in any of the writings imposed such an obligation on defendant.”); Murphy v. Hartford Accident & Indem. Co., 177 Cal.App.2d 539, 2 Cal.Rptr. 325, 328 (Ct.App.1960) (“In order for an action to be based upon an instrument in writing, the writing must express the obligation sued upon.”).

The Court finds that the consolidated amended complaint fails to satisfy this requirement, based on a review of (1) the language in the consolidated amended complaint, (2) the language on Anthem's public websites and in various privacy notices, (3) the exhibits submitted in connection with the consolidated amended complaint, and (4) relevant state and federal law. The Court addresses these four areas in detail below.

1. Language in Consolidated Amended Complaint

First, with respect to the language in the consolidated amended complaint, Plaintiffs allege that class members “who purchased individual insurance plans from Anthem Affiliates or who received health insurance...under a contract between an employer...and Anthem or Anthem Affiliates had valid, binding, and enforceable express, third party beneficiary, or implied contracts with Anthem and Anthem Affiliates.” CAC ¶ 303.

However, under the section of the consolidated amended complaint titled “Breach of Contract,” id. ¶¶ 302–311, Plaintiffs do not refer to any contractual language or any contractual provisions that the Anthem Defendants allegedly breached. Instead, Plaintiffs state—without reference to an underlying contract or other documents—that class members provided “Anthem and/or Anthem Affiliates with their [PII].” Id. ¶ 303(a). In exchange, the Anthem Defendants promised “to protect [class members' PII] in compliance with federal and state laws and regulations, including HIPAA, and industry standards.” Id. In the very next paragraph, Plaintiffs state that “[t]he terms of Plaintiffs' and Statewide Class Members' contracts with Anthem and Anthem Affiliates that concern the protection of Plaintiffs' [PII] [are] set forth above.” Id. ¶ 304. However, this paragraph does not refer specifically to any other part of the consolidated amended complaint. The remaining paragraphs in this section do no better. One paragraph addresses Plaintiffs' implied contract theory, id. ¶ 303(c), another paragraph alleges that Plaintiffs “fully performed their obligations under their contracts,” id. ¶ 307, and several paragraphs address the damages that Plaintiffs seek, id. ¶¶ 308–310. Considered together, none of these paragraphs identify a specific contractual provision that the Anthem Defendants breached.

These stray allegations mirror the facts in Young v. Facebook, where plaintiff stated in the complaint that “Facebook did not perform in accordance with the terms of [the] agreement in their Statement of Rights and Responsibilities contract by arbitrarily and impulsively handling [plaintiff's] member account.” Young, 790 F.Supp.2d at 1117 (internal quotation marks omitted). However, as the district court pointed out, plaintiff's “complaint [did] not allege any provision of the contract prohibiting Facebook from terminating an account in the manner alleged.” Id. Because plaintiff had failed to identify a relevant contractual provision that was breached, the Young court granted Facebook's motion to dismiss plaintiff's California breach of contract claim. Id. (finding that plaintiff had failed to “allege the specific provisions in the contract creating the obligation the defendant is said to have breached.”). As in Young, Plaintiffs' conclusory statements in the “Breach of Contract” section of the consolidated amended complaint are insufficient to survive a motion to dismiss.

2. Language on Public Websites and in Privacy Notices

Plaintiffs, however, contend that the paragraphs discussed above constitute “only...the summary language [of Plaintiffs'] breach of contract count.” Anthem Opp'n at 5. Instead, Plaintiffs note, “specific promises...regarding data security” are located in paragraphs 161 through 170. Id. at 5–6. These paragraphs include language from the public websites of the Anthem Defendants and from statements made by the Anthem Defendants in various privacy notices. The website for every Anthem BCBS affiliate, for instance, states:

[PII] (including Social Security Number) Privacy Protection Policy [Name of Anthem BCBS Affiliate] maintains policies that protect the confidentiality of [PII], including Social Security numbers, obtained from its members and associates in the course of its regular business functions. [Name of Anthem BCBS Affiliate] is committed to protecting information about its customers and associates, especially the confidential nature of their [PII].

CAC ¶ 166 (second and fourth alterations in original). Likewise, Blue Cross of California mailed the following privacy notice to customers:

We keep your oral, written and electronic [PII] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [PII] safe include securing offices that hold [PII], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [PII] through written policies and procedures. These policies limit access to [PII] to only those employees who need the data to do their job. Employees are also required to wear ID badges to help keep people who do not belong out of areas where sensitive data is kept. Also, where required by law, our affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [PII] to others without your written OK, except as allowed by law and outlined in this notice.

Id. ¶ 163. Although this language is more specific than the conclusory paragraphs discussed above, this language still does not give rise to a viable California breach of contract claim.

First, the consolidated amended complaint provides no information on when the language at issue was posted onto the Anthem Defendants' websites and when the various privacy notices were sent to class members. Clearly, such notices would be of little assistance to Plaintiffs' claim if Plaintiffs received these notices after the data breach at issue.

More importantly, the consolidated amended complaint makes no attempt to connect the language in paragraphs 161 through 170 with the terms of Plaintiffs' alleged contracts. At no point in paragraphs 161 through 170 do Plaintiffs allege that the privacy notices or public website statements were part of or were incorporated by reference into Plaintiffs' contracts with the Anthem Defendants. In fact, the word “contract” does not appear at all in paragraphs 161 through 170. By this same token, under the section of the consolidated amended complaint titled “Breach of Contract,” id. ¶¶ 302–311, Plaintiffs do not at any point refer to the privacy notices or public websites discussed in paragraphs 161 through 170.

Plaintiffs can not bring a breach of contract claim based on language from documents that might have been issued after the alleged breach and based on language from documents that might not even have been part of the alleged contract. In reaching this conclusion, the Court returns to the legal principle discussed above: that, “[i]n an action for breach of a written contract, a plaintiff must allege the specific provisions in the contract creating the obligation the defendant is said to have breached.” Young, 790 F.Supp.2d at 1117; see also Miron v. Herbalife Int'l, Inc., 11 Fed.Appx. 927, 929 (9th Cir.2001) (“The district court's dismissal of the Mirons' breach of contract claims was proper because the Mirons failed to allege any provision of the contract which supports their claim.”). Plaintiffs have failed to identify any such contractual provision because Plaintiffs have made no effort to connect the language in paragraphs 161 through 170 with the terms in Plaintiffs' contracts with the Anthem Defendants. On this basis alone, the Court finds that dismissal of Plaintiffs' California breach of contract claim is warranted. Below, the Court addresses additional bases upon which Plaintiffs' California breach of contract claim is unavailing.

3. Exhibits Submitted in Connection With Consolidated Amended Complaint

Plaintiffs have failed to submit any relevant exhibits, such as a copy of the contract between an Anthem Defendant and a California Plaintiff, which might counsel against dismissal. Although Plaintiffs are not required to submit such exhibits, these exhibits would certainly provide clarity on the scope and nature of the Anthem Defendants' obligations. Thus, in Young, plaintiff included a copy of Facebook's Statement of Rights and Responsibility with the complaint. 790 F.Supp.2d at 1118. Likewise, in Zepeda v. PayPal, Inc., 777 F.Supp.2d 1215, 1220 (N.D.Cal.2011), plaintiff included PayPal's user agreement as an exhibit to accompany the complaint. In Woods v. Google Inc., 2011 WL 3501403, *3–4 (N.D.Cal. Aug. 10, 2011), plaintiff also filed a copy of Google's advertising contract with the complaint. In all of these cases—Young, Zepeda, and Woods—the district court, after reviewing the allegations made in the complaint and the terms of the pertinent agreement, determined that the plaintiff could not maintain a cause of action for breach of contract under California law. Here, on the other hand, there is nothing for the Court to review as Plaintiffs have submitted no contracts or other materials for the Court to examine.

In fact, the only possibly relevant exhibits filed were submitted by the Anthem Defendants, not Plaintiffs. The Anthem Defendants, for instance, filed a copy of the Summary Plan Description under which Plaintiffs Daniel and Kelly Tharp allegedly received coverage. See ECF No. 411 at 1–2. This Plan Description includes a five page “Privacy Notice.” See ECF No. 411-4 at 58–62. This Privacy Notice provides a list of specific circumstances where Anthem or an Anthem affiliate might disclose a member's personal health information. Id. The Notice further provides that “[o]ther than as stated above, the Health Plan will not disclose your health information other than with your written authorization.” Id. at 61. Moreover, “[t]he Health Plan is required by law to maintain the privacy of your health information and to provide you with this Notice of the Plan's legal duties and privacy practices with respect to your health information. If you participate in an insured plan option, you will receive a notice directly from the Insurer.” Id. at 62. This final statement in the Summary Plan Description could plausibly be taken to incorporate by reference future privacy notices sent to class members.

However, the problem with relying on this Summary Plan Description is that Plaintiffs have, in the consolidated amended complaint, stated that such documents do not represent the contract between class members and the Anthem Defendants. See CAC ¶ 303(b) (“With respect to contracts between employers and Anthem and/or Anthem Affiliates, the applicable contract is the services agreement between the employer and Anthem and/or Anthem Affiliates, not the employer benefits plan document.”). Plaintiffs repeat this assertion in opposing the Anthem Defendants' motion to dismiss. See Anthem Opp'n at 25 (describing Summary Plan Description documents as “non-enforceable”). Given Plaintiffs' position, the Court can not rely upon the Summary Plan Description to save Plaintiffs' breach of contract claim from dismissal.

4. Incorporation of Applicable State and Federal Law

As a final point, Plaintiffs state that, “[u]nder California law, Defendants' contracts necessarily incorporate applicable laws even absent specific promises.” Anthem Opp'n at 7 (citing Edwards v. Arthur Andersen LLP, 44 Cal.4th 937, 81 Cal.Rptr.3d 282, 189 P.3d 285, 297 (2008)). This contention alone, however, does not save Plaintiffs' breach of contract claim.

First, the consolidated amended complaint provides little guidance as to which “applicable laws” were incorporated into the contract. Instead, the consolidated amended complaint merely alleges that the Anthem Defendants were required to comply with “federal and state laws and regulations, including HIPAA, and industry standards.” CAC ¶ 303(a). In other words, outside of a single passing reference to HIPAA, Plaintiffs have provided little detail on what other laws, regulations, or standards the Anthem Defendants might have violated. As other district courts have noted, “plaintiffs must...do something more to allege a breach of contract claim than merely point to allegations of a statutory violation.” Wiebe v. NDEX West, LLC, 2010 WL 2035992, *3 (C.D.Cal. May 17, 2010) (quoting Berger v. Home Depot U.S.A., Inc., 476 F.Supp.2d 1174, 1177 (C.D.Cal.2007)). The consolidated amended complaint fails to meet this requirement.

Second, Plaintiffs' breach of contract claim reaches beyond mere violation of “applicable laws.” Plaintiffs, for instance, also allege that the Anthem Defendants' actions ran afoul of certain “industry standards.” CAC ¶ 303(a). Thus, simply stating that Defendants' contracts incorporate applicable laws does not accurately reflect the nature of Plaintiffs' breach of contract claim.

In sum, after examining the consolidated amended complaint, the exhibits (or lack thereof) filed in connection with the consolidated amended complaint, and relevant case law and statutory authority, the Court finds that Plaintiffs have failed to identify the specific contractual provisions that were breached, as Plaintiffs must do in order to bring a breach of written contract claim under California law.

5. Breach of Implied Contract

In addition to Plaintiffs' breach of express contract claim, Plaintiffs also state that “[b]y demanding and accepting Plaintiffs' and Statewide Class Members' [PII], Anthem and Anthem Affiliates entered into implied contracts with Plaintiffs and Statewide Class Members.” CAC ¶ 303(c). The consolidated amended complaint does not delve into additional detail on the terms and scope of this alleged implied contract. In moving to dismiss Plaintiffs' California breach of contract claim, the Anthem Defendants contend that “[t]he CAC fails to allege any facts showing that [any] implied contracts existed beyond vague, conclusory allegations.” Anthem Mot. at 6. Relying upon both federal and state case law, the Anthem Defendants argue that Plaintiffs' implied contract theory is not well taken. Id.

Plaintiffs declined to respond to these arguments in Plaintiffs' opposition. See Anthem Opp'n at 6 n.7 (“The fact that Plaintiffs have pled theories of contract formation in the alternative is no reason to dismiss Plaintiffs' breach of contract claims. This Court need not resolve now the merits of any challenge to these alternative theories of contract formation.”) (citation omitted). In light of Plaintiffs' position, the Court finds Plaintiffs' implied contract theory unavailing. If Plaintiffs intend to pursue an implied contract theory in lieu of an express contract claim, Plaintiffs must elaborate upon the nature and scope of the implied contract in the pleadings and must respond to any specific arguments made by the Anthem Defendants.

6. Conclusion

The consolidated amended complaint fails to identify the contractual provisions that were breached. In addition, Plaintiffs' opposition fails to respond to the Anthem Defendants' arguments concerning Plaintiffs' implied contract theory. Accordingly, the Court finds that Plaintiffs can not maintain a breach of contract claim under California law. The Anthem Defendants' motion to dismiss Plaintiffs' California breach of contract claim is therefore GRANTED. Pursuant to this decision, the Court need not address the Anthem Defendants' arguments regarding contract damages and ERISA preemption.

However, Plaintiffs shall have leave to amend because the Court finds that amendment would not be futile. Plaintiffs may, for instance, be able to allege sufficient facts to show that the privacy notices were incorporated by reference into Plaintiffs' contracts with the Anthem Defendants. Alternatively, Plaintiffs may be able to more specifically explain the scope and nature of their implied contracts with the Anthem Defendants. Plaintiffs' California breach of contract claim is therefore DISMISSED with leave to amend.

D. New Jersey Breach of Contract (against Non-Anthem Defendants)

Plaintiffs have also asserted against the Non-Anthem Defendants a breach of contract claim under New Jersey law. Specifically, Plaintiffs allege that the Non-Anthem Defendants “did not satisfy their promises and obligations to Plaintiffs...[because] they failed to ensure that Plaintiffs' and Statewide Class Members' [PII] would be secured as required by the contracts. Instead, Plaintiffs' and Statewide Class Members' [PII] was stored in the inadequately-secured Anthem Database and accessed and exfiltrated in the Anthem Data Breach.” CAC ¶ 316. In response, the Non-Anthem Defendants contend that the CAC “fails to identify the contractual provisions that allegedly were breached.” Non-Anthem Mot. at 4.

As the Non-Anthem Defendants acknowledge, these arguments essentially repeat the Anthem Defendants' arguments concerning Plaintiffs' California breach of contract claim. Id. at 4–6. As with Plaintiffs' California breach of contract claim, the Court finds that the consolidated amended complaint fails to identify the relevant contractual provisions that were breached.

Indeed, as with California breach of contract claims, parties seeking “[t]o prevail on a breach of contract claim under New Jersey law” must “identify the specific contract or provision that was allegedly breached.” CIBC Inc. v. Grande Vill., LLC, 2015 WL 5723135, *5 (D.N.J. Sept. 29, 2015); see also Skypala v. Mortg. Elec. Registration Sys., Inc., 655 F.Supp.2d 451, 460 (D.N.J.2009) (same). The consolidated amended complaint fails to meet this requirement—no New Jersey contracts are attached, no specific provisions are referred to, and no contractual language is discussed.

Moreover, although the Non-Anthem Defendants filed a copy of the policy provided to purchasers of the Horizon Blue Cross Blue Shield of New Jersey health plan, see ECF Nos. 414–1 & 414–2, which includes a section regarding privacy practices, Plaintiffs dispute that this exhibit constitutes a true and accurate copy of the policy agreement between Plaintiffs and the Non-Anthem Defendants, see Non-Anthem Opp'n at 8.

Accordingly, consistent with the Court's determination as to Plaintiffs' California breach of contract claim, the Non-Anthem Defendants' motion to dismiss Plaintiffs' New Jersey breach of contract claim is GRANTED, and Plaintiffs' New Jersey breach of contract claim is thus DISMISSED with leave to amend.

E. New York Unjust Enrichment (against Anthem and Non-Anthem Defendants)

Plaintiffs assert an unjust enrichment claim under New York law against the Anthem and Non-Anthem Defendants. See, e.g., CAC ¶¶ 350–58. Specifically, Plaintiffs argue that Defendants “should not be permitted to retain the money belonging to Plaintiffs and Class Members because Defendant[s] failed to implement (or adequately implement) the data security and security practices and procedures that Plaintiffs and Class Members paid for.” Id. ¶ 355. Defendants contend that this claim “should be dismissed because” such claims cannot be brought “where there exists an enforceable express contract.” Anthem Mot. at 11. According to Defendants, Plaintiffs must, pursuant to New York law, bring their claim against Defendants as a breach of contract claim, and not as an unjust enrichment claim. See, e.g., Goldman v. Metro. Life Ins. Co., 5 N.Y.3d 561, 807 N.Y.S.2d 583, 841 N.E.2d 742, 746–47 (2005) (“Given that the disputed terms and conditions fall entirely within the insurance contract, there is no valid claim for unjust enrichment.”).

As the parties acknowledge, the viability of Plaintiffs' New York unjust enrichment claim depends largely upon the viability of Plaintiffs' breach of contract claims. See Anthem Mot. at 11; Anthem Opp'n at 11. As Plaintiffs point out, parties are barred from bringing unjust enrichment claims in New York where “there is a ‘valid written agreement, the existence of which is undisputed, and the scope of which clearly covers the dispute between the parties.’ ” Anthem Opp'n at 11 (quoting Clark Fitzpatrick, Inc. v. Long Island R.R. Co., 70 N.Y.2d 382, 521 N.Y.S.2d 653, 516 N.E.2d 190, 193 (1987)). Here, there is significant uncertainty over the nature and scope of Plaintiffs' contracts with Defendants, as Plaintiffs have failed to identify the specific contractual provisions that were breached. Based on this reason, the Court dismissed Plaintiffs' California and New Jersey breach of contract claims.

Because Plaintiffs' New York unjust enrichment claim depends upon Plaintiffs' breach of contract claims, the Court DISMISSES Plaintiffs' New York unjust enrichment claim. However, consistent with the Court's ruling regarding Plaintiffs' breach of contract claims, Plaintiffs shall have leave to amend their New York unjust enrichment claim.

F. California Unfair Competition Law (against Anthem and Non-Anthem Defendants)

California's Unfair Competition Law (“UCL”) provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus & Prof. Code § 17200, et seq. “The UCL's coverage is sweeping, and its standard for wrongful business conduct intentionally broad.” Moore v. Apple, Inc. , 73 F.Supp.3d 1191, 1204 (N.D.Cal.2014) (internal quotation marks omitted). “Although the UCL targets a wide range of misconduct, its remedies are limited because UCL actions are equitable in nature.” Pom Wonderful LLC v. Welch Foods, Inc. , 2009 WL 5184422, *2 (C.D.Cal. Dec. 21, 2009). “Remedies for private individuals bringing suit under the UCL are limited to restitution and injunctive relief.” Id.

Each prong of the UCL provides a separate and distinct theory of liability, Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir.2007), and Plaintiffs assert that Defendants' conduct was unlawful, unfair, and fraudulent, see CAC ¶ 366. Before addressing whether Plaintiffs have sufficiently pleaded liability under these three prongs, however, the Court must first determine whether Plaintiffs have standing to bring suit. In order to establish standing under the UCL, “a plaintiff must make a twofold showing: he or she must demonstrate injury in fact and a loss of money or property caused by unfair competition.” Susilo v. Wells Fargo Bank, N.A., 796 F.Supp.2d 1177, 1195–96 (C.D.Cal.2011) (internal quotation marks omitted). The California Supreme Court has referred to these elements as the “economic injury” and “caus[ation]” requirement. Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 120 Cal.Rptr.3d 741, 246 P.3d 877, 885 (2011).

1. Standing

a. Economic Injury

As to whether Plaintiffs have demonstrated “injury in fact” and “a loss of money or property caused by unfair competition,” Susilo, 796 F.Supp.2d at 1195–96, the California Supreme Court has stated that “[t]here are innumerable ways in which economic injury from unfair competition may be shown,” Kwikset, 246 P.3d at 885. A plaintiff may, for instance,

(1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; or (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary

Id. at 885–86. Here, Plaintiffs seek recovery under the UCL for three types of economic injury: “Loss of Benefit of the Bargain,” “Out of Pocket Costs,” and “Imminent Risk of Further Costs.” Plaintiffs' request for “Loss of Benefit of the Bargain” mirrors the California Supreme Court's determination in Kwikset that a plaintiff who has “surrender[ed] in a transaction more, or acquire[d] in a transaction less, than he or she otherwise would have” may bring a UCL claim. 246 P.3d at 885 ; see also CAC ¶ 309 (“As a result of Anthem and Anthem Affiliates' failure to implement the security measures required by the contracts, Plaintiffs and Statewide Class Members did not receive the full benefit of their bargain, and instead received health insurance and/or related health care services that were less valuable than what they paid for.”).

The consolidated amended complaint also alleges economic injury in the form of the “Loss of Value of PII.” Plaintiffs, however, concede “that the loss of Value of PII” does not “constitute[ ] economic injury for purposes of the UCL.” Anthem Opp'n at 14 n.16.

Moreover, more recent case law within the data breach context confirms that benefit of the bargain damages represent economic injury for purposes of the UCL. See In re Adobe Sys., Inc. Privacy Litig. , 66 F.Supp.3d 1197, 1224 (N.D.Cal.2014) (finding standing under the UCL because “[f]our of the six [p]laintiffs allege they personally spent more on Adobe products than they would had they known Adobe was not providing the reasonable security Adobe represented it was providing.”); In re LinkedIn User Privacy Litig. , 2014 WL 1323713, *4 (N.D.Cal. Mar. 28, 2014) (finding that benefit of the bargain losses are “sufficient to confer...statutory standing under the UCL.”). Taken together, Kwikset, In re Adobe, and In re LinkedIn demonstrate that benefit of the bargain losses, as alleged in the consolidated amended complaint, constitute economic injury cognizable under the UCL.

Incidentally, the fact that Plaintiffs have sufficiently pleaded benefit of the bargain losses also establishes that Plaintiffs may seek restitution under the UCL. “[I]n the context of the UCL, ‘restitution’ is limited to the return of property or funds in which the plaintiff has an ownership interest (or is claiming through someone with an ownership interest).” Madrid v. Perot Sys. Corp. , 130 Cal.App.4th 440, 30 Cal.Rptr.3d 210, 219 (Ct.App.2005). “Under the UCL, an individual may recover profits unfairly obtained to the extent that these profits represent monies given to the defendant or benefits in which the plaintiff has an ownership interest.” Pom Wonderful , 2009 WL 5184422, *2 (internal quotation marks omitted). In requesting benefit of the bargain damages, Plaintiffs allege (1) that Defendants promised to undertake reasonable data security measures in accordance with the law, (2) that some portion of Plaintiffs' plan premiums went towards data security, and (3) that Defendants failed to undertake the promised data security measures. Plaintiffs therefore “overpa[id]” for their health insurance. CAC ¶ 309. In other words, Defendants profited from their lax security measures. Because Plaintiffs seek to “recover profits unfairly obtained,” Pom Wonderful , 2009 WL 5184422, *2, Plaintiffs have sufficiently established that they may seek restitution in the instant action.

Defendants' reliance on In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (“Sony I”) , 903 F.Supp.2d 942 (S.D.Cal.2012), to challenge this conclusion is misplaced. In Sony I, defendants provided users with access to the Playstation Network (“PSN”) free of charge. 903 F.Supp.2d at 966. Because the Sony I plaintiffs “received the PSN services free of cost,” the district court concluded that “[p]laintiffs have not alleged ‘lost money or profits,’ ” as required to seek restitution under the UCL. Id. In contrast, in the instant action, Plaintiffs did pay Defendants for their health benefits. Moreover, Plaintiffs understood that some portion of this payment would be directed “to protect Plaintiffs' and Statewide Class Members' [PII] in compliance with federal and state laws and regulations.” CAC ¶ 303(a). Based on these allegations, Plaintiffs have established that Defendants received money in exchange for protecting Plaintiffs' data and that Plaintiffs now seek recovery of this money.

Because Plaintiffs have established economic injury and restitution under the UCL by pleading benefit of the bargain losses, the Court need not address whether “Out of Pocket Costs” and “Imminent Risk of Further Costs” constitute economic injury under the UCL. The Court recognizes, however, that the case law on these questions is still developing. On the one hand, some district courts have held that such costs are not actionable under the UCL. See, e.g. , Sony I , 903 F.Supp.2d at 966 (“Plaintiffs' allegations that the heightened risk of identity theft, time and money spent on mitigation of that risk, and property value in one's information, do not suffice as injury under the UCL.”); Ruiz v. Gap, Inc. , 2009 WL 250481, *4 (N.D.Cal. Feb. 3, 2009) (“[I]t is far from clear that the time and expenditure associated with monitoring one's credit is the kind of loss of money or property necessary for standing to assert a claim under section 17200.”).

Several other district courts, however, have found otherwise. See, e.g. , Corona v. Sony Pictures Entm't, Inc. , 2015 WL 3916744, *5 (C.D.Cal. June 15, 2015) (“[T]he Court finds that [p]laintiffs adequately allege a cognizable injury by way of costs relating to credit monitoring, identity theft protection, and penalties.”); Witriol v. LexisNexis Grp. , 2006 WL 4725713, *6 (N.D.Cal. Feb. 10, 2006) (“Plaintiff has expressly alleged that[ ] he and the Class Members have incurred costs associated with monitoring and repairing credit impaired by the unauthorized release of private information. Thus, plaintiff has sufficiently alleged that he has suffered actual injury and sustained monetary loss as a result of [d]efendants' actions.”) (internal quotation marks omitted).

Although Kwikset does contain language that appears to weigh in Plaintiffs' favor, see, e.g. , 246 P.3d at 885–86 (economic injury includes instances where an individual is “required to enter into a transaction, costing money or property, that would otherwise have been unnecessary”), because Plaintiffs have already established economic injury under the UCL by pleading “Benefit of the Bargain” losses, the Court need not resolve whether “Out of Pocket Costs” and “Imminent Risk of Further Costs” constitute economic injury under the UCL.

b. Causation

“Generally, to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.” Resnick v. AvMed, Inc., 693 F.3d 1317, 1326 (11th Cir.2012). “[P]urely temporal connections are often insufficient to establish causation.” Stollenwerk v. Tri West Health Care All., 254 Fed.Appx. 664, 668 (9th Cir.2007). Instead, the “pleadings must indicate a logical connection between the two incidents.” Resnick, 693 F.3d at 1327.

Here, the consolidated amended complaint sufficiently establishes a logical connection between the Anthem data breach and the harm suffered by Plaintiffs. Every Plaintiff was at one point enrolled in a health plan administered by a Defendant. See CAC ¶¶ 12–108. As a condition of this enrollment, each Plaintiff provided his or her PII to a Defendant, which was thereafter inputted into Anthem's database. Defendants do not contest that each Plaintiff had his or her PII stolen as a result of the Anthem data breach. Finally, many Plaintiffs allege that third parties used Plaintiffs' PII in the wake of the data breach. See, e.g. , id. ¶ 21 (“[T]he Tharps received a confirmatory letter from the IRS informing them that someone may have attempted to impersonate them by using their names and Social Security numbers to file a 2014 federal tax return.”). These allegations—that each Plaintiff was enrolled in a health plan administered by a Defendant, that each Plaintiff had his or her PII stolen, and that specific aspects of Plaintiff's PII were used for illicit financial gain after the breach—establish the requisite logical and temporal connection necessary to demonstrate causation.

Defendants' contentions to the contrary lack merit. Defendants argue that Plaintiffs “rel[y] ...on tenuous temporal relationships that fail to connect the cyberattack and the alleged injuries, rather than stating sufficient facts to show economic injury caused by the unfair business practice.” Anthem Mot. at 16 (internal quotation marks and alteration omitted). As the Court has pointed out, however, Plaintiffs do more than simply allege a temporal relationship between their economic injury and the data breach at issue. Rather, Plaintiffs state that (1) they were enrolled in a particular health plan administered by a Defendant, (2) that they provided their PII to Anthem, (3) that their PII was compromised as a result of the data breach, and (4) that their PII was used for illicit financial gain. Taken together, these allegations “plausibly link Plaintiffs' purported injuries to the Anthem cyberattack.” Id. at 9.

On this particular point, the Court also observes that Defendants have argued that “[s]cores of other cyber intrusions and data thefts have compromised the personal information of tens of millions of individuals.” Id. at 9 n. 7. In support of this argument, Defendants point to recent data breaches at eBay, Target, Home Depot, Neiman Marcus, and various other entities. Id. This contention fails for multiple reasons. First, Defendants' argument relies upon facts taken from a Forbes magazine article—an article not cited or referred to in the consolidated amended complaint. Defendants' argument thus represents little more than an end around the rule that, on a motion to dismiss, the Court may generally “consider only the contents of the complaint.” Cooper v. Pickett , 137 F.3d 616, 622 (9th Cir.1997).

Second, and more importantly, under Defendants' theory, a company affected by a data breach could simply contest causation by pointing to the fact that data breaches occur all the time, against various private and public entities. This would, in turn, create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable. No part of the UCL, the relevant authority addressing causation, or the specific facts of this case support such a legal theory.

As a final matter, Defendants focus on the allegations of Plaintiff Joseph Blanchard (“Blanchard”). Blanchard alleges that he “spent over 60 hours addressing credit fraud, monitoring his accounts, and addressing issues arising from the Anthem data breach.” CAC ¶ 22. However, according to Defendants, Blanchard never received notice that his PII had been “compromised in the Anthem cyberattack.” Non-Anthem Mot. at 11. “Rather, the CAC alleges that Plaintiff Blanchard's wife—who is not a named Plaintiff—received notice that her [PII] may have been compromised.” Id.

As with Defendants' other arguments concerning causation, the Court finds this argument unavailing. The consolidated amended complaint states that Blanchard “was enrolled in a Blue Cross Blue Shield of Texas health plan,” and that he provided his PII to Blue Cross Blue Shield of Texas as a condition of his enrollment. CAC ¶ 22. The consolidated amended complaint further states that Blanchard and his wife were enrolled in the same health plan. Thus, the only apparent difference between the two is that Blanchard's wife received notice of the data breach, but Blanchard did not. This difference in circumstances, however, does not excuse the Non-Anthem Defendants from liability. Again, Plaintiffs allege that every individual enrolled in a health plan administered by an Anthem or Non-Anthem Defendant was affected by the data breach. Id. ¶¶ 1, 3. That means that Blanchard, after reviewing the notice sent to his wife, could have reasonably concluded that his PII had also been compromised.

Additional allegations in the consolidated amended complaint lend further support to Blanchard's decision to take action. According to Blanchard, “[f]ollowing announcement of the Anthem breach, at least 10 credit cards or credit accounts were opened or attempted to be opened in Mr. Blanchard's name and using his [PII].” Id. ¶ 22. Although Blanchard spent significant time contesting the new charges on his accounts, Blanchard's credit score nonetheless dropped by approximately 130 points. These events suggest that Blanchard's data was not only compromised, but also that Blanchard suffered significant financial harm as a result of the Anthem data breach.

To summarize, the Court finds that Plaintiffs have sufficiently demonstrated both a logical and temporal relationship necessary to establish causation. Defendants' attempts to direct the Court to the facts (1) that many other data breaches occurred during the relevant time period and (2) that a named Plaintiff did not receive notice from an Anthem or Non-Anthem Defendant do not negate this finding. Thus, by demonstrating both causation and economic loss, Plaintiffs have sufficiently established standing under the UCL.

2. Unlawful

“The unlawful prong of the UCL prohibits anything that can properly be called a business practice and that at the same time is forbidden by law.” In re Adobe, 66 F.Supp.3d at 1225 (internal quotation marks omitted). “Generally, violation of almost any law may serve as a basis for a UCL claim.” Antman v. Uber Technologies, Inc., 2015 WL 6123054, *6 (N.D.Cal. Oct. 19, 2015) (internal quotation marks omitted). However, a UCL claim “must identify the particular section of the statute that was violated, and must describe with reasonable particularity the facts supporting the violation.” Baba v. Hewlett Packard Co., 2010 WL 2486353, *6 (N.D.Cal. June 16, 2010) (internal quotation marks omitted).

Plaintiffs allege that, with respect to the UCL's unlawful prong, Defendants' actions violated the Federal Trade Commission Act, HIPAA, the Gramm-Leach-Bliley Act, California's Confidentiality of Medical Information Act, California's unfair insurance practices statutes, California's Insurance Information and Privacy Protection Act, and California's data breach statute. CAC ¶ 366(b). In support of this contention, the consolidated amended complaint identifies specific provisions of HIPAA, id. ¶¶ 177–81, the Gramm-Leach-Bliley Act, id. ¶ 182, the Federal Trade Commission Act, id. ¶ 183, and California's data breach statute, id. ¶ 366(b), that were allegedly violated. Such references directly rebut Defendants' claim that the consolidated amended complaint “references...statutes only generally, and does not specify how ...Defendants supposedly violated them.” Anthem Mot. at 17. Instead, a review of the complaint demonstrates that Plaintiffs' allegations “identify the particular section of the statute that was violated,” and other allegations in the consolidated amended complaint “describe with reasonable particularity the facts supporting the violation.” Baba , 2010 WL 2486353, *6. Accordingly, the Court finds that Plaintiffs' claim survives under the UCL's unlawful prong.

3. Unfair

“The ‘unfair’ prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law.” In re Adobe, 66 F.Supp.3d at 1225. “The UCL does not define the term ‘unfair.’... [And] the proper definition of ‘unfair’ conduct against consumers ‘is currently in flux’ among California courts.” Id.

Some California appellate courts apply a balancing approach, which requires courts to “weigh the utility of the defendant's conduct against the gravity of the harm to the alleged victim.” Davis v. HSBC Bank Nevada, N.A. , 691 F.3d 1152, 1169 (9th Cir.2012) (internal quotation marks omitted). Other California appellate courts have held that “unfairness must be tethered to some legislatively declared policy or proof of some actual or threatened impact on competition.” Lozano , 504 F.3d at 735. Finally, at least one California appellate court has adopted and applied the three-part test set forth in § 5 of the Federal Trade Commission Act: “(1) the consumer injury must be substantial; (2) the injury must not be outweighed by any countervailing benefits to consumers or competition; and (3) it must be an injury that consumers themselves could not reasonably have avoided.” Camacho v. Auto. Club of Southern California , 142 Cal.App.4th 1394, 48 Cal.Rptr.3d 770, 777 (Ct.App.2006). The Court shall refer to these tests as the “balancing test,” the “tethering test,” and the “FTC test,” respectively.

In challenging whether Plaintiffs have sufficiently pleaded a UCL claim under the unfair prong, Defendants argue that the consolidated amended complaint “does not allege facts that support the conclusion that Defendants' failure to prevent the cyberattack resulted from immoral, unethical, oppressive, or unscrupulous conduct on Defendants' part.” Anthem Mot. at 18. Defendants' singular focus on whether their actions were immoral, unethical, oppressive, or unscrupulous, however, is misplaced.

None of the three tests for unfairness require plaintiffs to plead that defendants acted in an immoral, unethical, oppressive, or unscrupulous manner. With respect to the balancing test, for instance, the California Courts of Appeal have stated that “an unfair business practice occurs when it offends an established public policy or when the practice is immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers.” Bardin v. Daimlerchrysler Corp. , 136 Cal.App.4th 1255, 39 Cal.Rptr.3d 634, 638 (Ct.App.2006) (internal quotation marks omitted) (emphasis added). In other words, parties may proceed with a UCL claim under the balancing test by either alleging immoral, unethical, oppressive, unscrupulous, or substantially injurious conduct by Defendants or by demonstrating that Defendants' conduct violated an established public policy. Similarly, with respect to the tethering test, parties need not show immoral, unethical, oppressive, unscrupulous, or substantially injurious conduct in order to move forward with a UCL claim. The tethering test only requires parties to show “that the public policy which is a predicate to a consumer unfair competition action under the ‘unfair’ prong of the UCL [is] tethered to specific constitutional, statutory, or regulatory provisions.” In re Adobe , 66 F.Supp.3d at 1226. Finally, the FTC test also does not require parties to show immoral, unethical, oppressive, unscrupulous, or substantially injurious conduct by Defendants.

In any event, the Court finds dismissal of Plaintiffs' UCL claim under the unfair prong unwarranted. In In re Adobe, this Court observed that various California statutes—including several statutes upon which Plaintiffs rely here—reflect “California's public policy of protecting customer data.” Id. at 1227 (internal quotation marks omitted). Based on the allegations in the consolidated amended complaint, Defendants' actions violated this public policy. Whether Defendants' public policy violation is outweighed by the utility of their conduct under the balancing test is a question to be resolved at a later stage in this litigation. Thus, based on the balancing test alone, the Court DENIES Defendants' motion to dismiss Plaintiffs' UCL claim under the unfair prong.

4. Fraudulent

“To state a claim under the ‘fraud’ prong of [the UCL], a plaintiff must allege facts showing that members of the public are likely to be deceived by the alleged fraudulent business practice.” Antman , 2015 WL 6123054, *6. Claims stated under the fraud prong of the UCL are subject to the particularity requirements of Federal Rule of Civil Procedure 9(b). Kearns v. Ford Motor Co. , 567 F.3d 1120, 1125 (9th Cir.2009). Under this Rule, “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake.” Fed. R. Civ. P. 9(b). Plaintiffs must include “an account of the time, place, and specific content of the false representations” at issue. Swartz v. KPMG LLP , 476 F.3d 756, 764 (9th Cir.2007) (internal quotation marks omitted).

The gravamen of Plaintiffs' fraud claim is that Defendants promised to carry out reasonable security measures, but ultimately failed to carry through with this promise. See generally CAC ¶¶ 2–6. At first blush, these allegations appear sufficient to state a claim under the fraud prong of the UCL: Defendants represented to Plaintiffs that they would do one thing, but ended up doing another. In general, such allegations constitute a misrepresentation in the most classic sense. See Northstar Fin. Advisors Inc. v. Schwab Invs. , 135 F.Supp.3d 1059, 1082, 2015 WL 5785549, *16 (N.D.Cal. Oct. 5, 2015) (“[Defendant] represented...to shareholders that [defendant] would do one thing, but ended up doing another. That is a misrepresentation in the most classic sense.”).

However, Plaintiffs' fraud claim suffers from one notable flaw: as with Plaintiffs' breach of contract claims, Plaintiffs have not “include[d] an account of the time ...of the false representations” at issue. Swartz , 476 F.3d at 764 (emphasis added). Instead, Plaintiffs once again direct the Court to review statements made by Defendants in various privacy notices and on Defendants' public websites. See Anthem Opp'n at 17 (citing CAC ¶¶ 161–76). As the Court has explained, the consolidated amended complaint does not specify when these privacy notices were received or when certain statements were made on Defendants' websites. In fact, for several of the statements at issue, the only date identified in the consolidated amended complaint is October 19, 2015, the last day that Plaintiffs visited Defendants' websites. That date postdates the Anthem data breach and does not establish that Plaintiffs relied upon or were deceived by promises that Defendants made to Plaintiffs prior to the data breach.

Consistent with the Court's reasoning with respect to Plaintiffs' breach of contract claims, it is possible that Plaintiffs may amend the complaint to state with particularity the time that the specific misrepresentations occurred. Accordingly, the Court finds that Plaintiffs have not stated a fraud claim under the UCL, but that Plaintiffs may be able to do so after amendment. Thus, Plaintiffs' fraud claim under the UCL is DISMISSED with leave to amend. Plaintiffs, however, have sufficiently established standing under the UCL and have sufficiently stated a UCL claim to survive dismissal under the unlawful and unfair prongs. Defendants' motion to dismiss Plaintiffs' UCL claim is therefore GRANTED in part and DENIED in part.

G. New York General Business Law § 349 (against Anthem and Non-Anthem Defendants)

New York General Business Law (“GBL”) § 349 prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service.” N.Y. Gen. Bus. § 349(a). To successfully assert a claim under this section, “a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice.” Orlander v. Staples, Inc. , 802 F.3d 289, 300 (2d Cir.2015). In moving to dismiss Plaintiffs' GBL § 349 claim, Defendants contend, with respect to (1), that Plaintiffs' claim is based on a private contract dispute, and is therefore not the result of consumer-oriented conduct. Anthem Mot. at 19–20. Defendants also argue, with respect to (3), that Plaintiffs have failed to demonstrate actual harm and causation. The Court addresses these contentions in turn.

1. Consumer-Oriented Conduct

“To provide the basis for a Section 349 claim, a disputed private transaction must have ‘ramifications for the public at large,’ or be harmful to the general public interest.” M & T Mortg. Corp. v. White, 736 F.Supp.2d 538, 571 (E.D.N.Y.2010). “The conduct need not be repetitive or recurring but defendant's acts or practices must have a broad impact on consumers at large; private contract disputes unique to the parties would not fall within the ambit of the statute.” Id. (internal quotation marks omitted) (emphasis added). Similarly, the New York Court of Appeals held, in Oswego Laborers' Local 214 Pension Fund v. Marine Midland Bank, N.A., 85 N.Y.2d 20, 623 N.Y.S.2d 529, 647 N.E.2d 741, 744 (1995), that “[p]rivate contract disputes, unique to the parties...would not fall within the ambit of [GBL § 349].” See also id. (finding that single shot transactions are not covered by section 349). In general, New York courts have held that the consumer-oriented requirement should be “construed liberally.” New York v. Feldman, 210 F.Supp.2d 294, 301 (S.D.N.Y.2002).

In interpreting this requirement, courts have found consumer-oriented conduct where banks operated a standard savings account policy for customers, Oswego , 623 N.Y.S.2d 529, 647 N.E.2d at 745, and where a mortgage company offered a standard lending policy to prospective borrowers, M & T Mortg. Corp. , 736 F.Supp.2d at 571. On the other hand, courts have determined that the consumer-oriented requirement was not met where an insurance company denied an individual's claim for coverage, Daniels v. Provident Life & Cas. Ins. Co. , 2001 WL 877329, *8 (W.D.N.Y. July 25, 2001), and where a party failed to fulfill a specific provision in an advertising contract, WorldHomeCenter.com, Inc. v. PLC Lighting, Inc. , 851 F.Supp.2d 494, 498 (S.D.N.Y.2011).

Plaintiffs' claims satisfy the GBL's consumer-oriented requirement. The instant case does not involve a unique, single shot dispute over the nature or scope of an individual's insurance coverage. Instead, Plaintiffs seek to bring a putative class action on behalf of approximately 80 million individuals who were affected by the Anthem data breach. The purpose of bringing this litigation as a putative class action is to ensure that consumers who might not have the resources to serve as named Plaintiffs can nonetheless recover for Defendants' alleged misconduct. Moreover, Plaintiffs aver that the instant breach is but the latest in a series of data security incidents. Notably, Anthem's database was also breached in 2009. In 2013, the Office of the Inspector General found Anthem's information systems deficient in several respects. See CAC ¶¶ 193–98. Anthem's continued non-compliance with data security practices would therefore not only affect the named Plaintiffs, but also “a broad group of individuals”—all 80 million individuals whose PII is stored on Anthem's database. See Feldman , 210 F.Supp.2d at 301. Accordingly, Plaintiffs have sufficiently alleged that Defendants' conduct was consumer-oriented in nature.

2. Actual Harm

Parties seeking damages under the GBL must provide “proof that a material deceptive act or practice caused actual, although not necessarily pecuniary, harm.” Small v. Lorillard Tobacco Co., Inc. , 94 N.Y.2d 43, 698 N.Y.S.2d 615, 720 N.E.2d 892, 897 (1999) (internal quotation marks and emphasis omitted). As with Plaintiffs' UCL claim, Plaintiffs allege the following forms of harm under the GBL: “Out of Pocket Costs,” “Imminent Risk of Further Costs,” and “Loss of Benefit of the Bargain.” Plaintiffs also allege harm in the form of “Loss of Value of PII.” Anthem Opp'n at 18.

Plaintiffs did not seek recovery for this form of injury with respect to their UCL claim.

a. “Out of Pocket Costs” and “Imminent Risk of Further Costs”

As to “Out of Pocket Costs” and “Imminent Risk of Further Costs,” the Court finds instructive the Southern District of New York's decision in Shafran v. Harley Davidson, Inc. , 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008). In Shafran, plaintiff brought suit against defendants “seeking monetary damages and injunctive relief for himself and on behalf of a putative class of 60,000...who were informed by [defendants] that a laptop computer containing members' personal information had been lost.” Id. at *1. As in the instant case, plaintiff in Shafran asserted a claim under GBL § 349. In reviewing defendants' motion to dismiss, the district court summarized the question before it as follows: “whether, under New York law, the time and money that could be spent to guard against identity theft constitutes an existing compensable injury.” Id. at *2. The Shafran court observed that “New York courts have not addressed the issue,” but that several other courts had considered and rejected such claims. Id. Consistent with these decisions, the Shafran court determined that plaintiff's claim for credit monitoring damages failed as a matter of law. Id. at *3.

Several district courts within the Second Circuit have relied upon Shafran to find that “Out of Pocket Costs” and “Imminent Risk of Further Costs” do not represent injuries cognizable under GBL § 349. See, e.g. , Hammond v. The Bank of New York Mellon Corp. , 2010 WL 2643307, *13 (S.D.N.Y. June 25, 2010) (citing Shafran and concluding that “[p]laintiffs cannot establish that [d]efendant engaged in consumer-oriented fraud or other misconduct which caused actual damages within the meaning of the laws of their respective states.”); Willey v. J.P. Morgan Chase, N.A. , 2009 WL 1938987, *10 (S.D.N.Y. July 7, 2009) (“Willey's claims for expenses related to credit monitoring, anxiety, emotional distress, and loss of privacy all arise due to the probability that his data might have been misused. Because this does not rise to the level of actual damages, the state law claims fail to allege actual damages and must be dismissed.”).

Tellingly, Plaintiffs have not cited any cases interpreting GBL § 349 that have found to the contrary. Instead, Plaintiffs rely upon the First Circuit's decision in Anderson v. Hannaford Bros. Co. , 659 F.3d 151 (1st Cir.2011). Plaintiffs' reliance on this case is misplaced. In Anderson, the First Circuit was charged with interpreting and applying Maine tort and contract law. Id. at 162–67. The Anderson court did not interpret, apply, or consider whether “Out of Pocket Costs” and “Imminent Risk of Further Costs” were recoverable under GBL § 349. Thus, rather than rely upon Anderson —which did not address the state statutory provision at issue here—the Court shall, in the instant case, follow the lead of Shafran, Hammond, and Willey and find that “Out of Pocket Costs” and “Imminent Risk of Further Costs” are not cognizable injuries under GBL § 349.

b. “Loss of Value of PII”

As to the “Loss of Value of PII,” the Court observes that no New York state courts have yet ruled on this question. Nor has the Second Circuit or any federal district court in the Second Circuit provided guidance on whether such losses constitute cognizable injury under GBL § 349. Instead, Defendants rely entirely upon the Southern District of California's decision in In re Sony Gaming Networks & Consumer Data Security Breach Litigation (“Sony II”) , 996 F.Supp.2d 942, 1004–05 (S.D.Cal.2014). In Sony II, the district court held that “a loss of privacy and/or a loss in value of [one's] Personal Information” does not constitute injury under GBL § 349. In reaching this decision, the Sony II court relied solely upon the three Southern District of New York decisions discussed above (Shafran, Hammond, and Willey ), as well as the Seventh Circuit's decision in Pisciotta.

The Court finds Sony II inapposite. First, Shafran, Hammond, and Willey did not address whether “Loss of Value of PII” represented a cognizable injury under GBL § 349. Instead, the Shafran, Hammond, and Willey courts examined whether “Out of Pocket Costs” and “Imminent Risk of Further Costs” represented a cognizable injury under GBL § 349. See, e.g. , Shafran , 2008 WL 763177, *2 (“Thus, the question before the Court is whether, under New York law, the time and money that could be spent to guard against identity theft constitutes an existing compensable injury.”); Hammond , 2010 WL 2643307, *13 (focusing on whether plaintiffs could recover for costs of credit monitoring); Willey , 2009 WL 1938987, *10 (same). Although these concepts are somewhat similar to one another, they are not the same. Indeed, as this Court explained in In re Adobe, the “[i]ncreased risk of harm” to an individual's personal information that arises after a data breach and the money that an individual spends to mitigate a data breach are two different injuries. See, e.g. , 66 F.Supp.3d at 1217 (“[T]he Court finds that Plaintiffs have plausibly alleged that the substantial risk of harm [p]laintiffs face following the 2013 data breach constitutes a cognizable injury-in-fact. The costs [certain] [p]laintiffs...incurred to mitigate this risk of harm constitute an additional cognizable injury .”) (emphasis added).

In addition, in Pisciotta —the only other decision cited by the Sony II court—plaintiffs did not bring a GBL § 349 claim. Instead, plaintiffs asserted an Indiana negligence claim, and the Pisciotta court examined whether plaintiffs could proceed under Indiana law with a “cause of action in tort against a database owner for failing to” adequately protect personal information. Anthem Mot. at 2. Given the fact that Pisciotta interpreted a different cause of action from a different state, the Court declines to rely upon Pisciotta to find that “Loss of Value of PII” is not a cognizable injury under GBL § 349.

To summarize, none of the cases cited in Sony II addressed whether “Loss of Value of PII” constitutes a cognizable injury under GBL § 349. Under such circumstances, the Court need not follow Sony II. Instead, the Court finds more persuasive a set of more recent decisions, all published after Sony II, where courts have recognized that “Loss of Value of PII” does represent a cognizable economic harm.

In In re Adobe, for instance, this Court rejected defendant's argument that an “ ‘increased risk [of future harm]’ is not a cognizable injury for Article III standing purposes.” 66 F.Supp.3d at 1211. In reaching this conclusion, this Court held that “the risk that [p]laintiffs' personal data will be misused by the hackers who breached Adobe's network is immediate and very real.” Id. at 1214. According to plaintiffs in In re Adobe, “hackers deliberately targeted Adobe's servers and spent several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates.” Id. After the Adobe data breach, hackers misused plaintiffs' personal information to decrypt credit card accounts and “to discover vulnerabilities in Adobe's products.” Id. at 1215–16. Under these facts, this Court concluded that “[p]laintiffs' allegations of a concrete and imminent threat of future harm suffice to establish Article III injury-in-fact at the pleadings stage under both” prevailing Ninth Circuit and U.S. Supreme Court precedent. Id. at 1216; see also Corona, 2015 WL 3916744, *3 (determining that plaintiffs had sufficiently established injury under Article III by alleging “that the[ir] PII was stolen and posted on file-sharing websites for identity thieves to download.”).

Here, too, Plaintiffs allege that cyberattackers extracted Plaintiffs' PII from the Anthem database over an extended time period, from December 2014 to January 2015. Plaintiffs further allege that these cyberattackers misused Plaintiffs' personal information. A false tax return, for instance, was allegedly filed on behalf of New York Plaintiff Juan Carlos Cerro. CAC ¶ 87. Thus, under the reasoning set forth in In re Adobe, Plaintiffs' “Loss of Value of PII” would represent a cognizable injury under Article III.

Likewise, in In re Facebook Privacy Litigation , 572 Fed.Appx. 494, 494 (9th Cir.2014), plaintiffs contended that “they were harmed both by the dissemination of their personal information and by losing the sales value of that information.” The Ninth Circuit concluded that, “[i]n the absence of any applicable contravening state law,” such “allegations [were] sufficient to show the element of damages for [plaintiffs'] breach of contract and fraud claims,” and that “the district court erred in dismissing these state law claims.” Id.

Most recently, in Svenson v. Google, Inc. , 2015 WL 1503429, *5 (N.D.Cal. Apr. 1, 2015), the district court, following In re Facebook, concluded that plaintiff's “allegations of diminution in value of her personal information are sufficient to show contract damages for pleading purposes.”

The Court acknowledges that the In re Adobe, Corona, In re Facebook, and Svenson decisions are not perfectly analogous to the claim that is currently before the Court. Both In re Adobe and Corona, for instance, addressed the loss in value of an individual's PII in the standing context, and both In re Facebook and Svenson addressed the loss in value of an individual's PII in the context of a common law breach of contract claim. However, the consistent theme running through these decisions—all of which were, again, published after Sony II —is that “Loss of Value of PII” represents a cognizable form of economic injury. Absent any state law or Second Circuit precedent that holds to the contrary, the Court finds that it would be appropriate to apply this general principle to Plaintiffs' GBL § 349 claim. Accordingly, the Court finds that “Loss of Value of PII” constitutes a cognizable injury under GBL § 349.

c. “Loss of Benefit of the Bargain”

Finally, the Court turns to consider harm in the form of “Loss of Benefit of the Bargain.” On this point, the case law tips in Plaintiffs' favor. In Orlander v. Staples, Inc. , 802 F.3d 289, 301 (2d Cir.2015), the Second Circuit determined that plaintiff had “sufficiently alleged an injury stemming from [a] misleading practice” by pleading that “he would not have purchased [a set of services] had he known that [d]efendant intended to decline to provide him any [such] services” during the first of year of his contract. The reasoning in Orlander directly governs Plaintiffs' claim here for “Benefit of the Bargain” losses: Plaintiffs allege that, “[h]ad Defendants disclosed to Affected Individuals that their computer systems and data security practices were inadequate to safeguard Affected Individuals' highly sensitive [PII], Affected Individuals would not have entrusted their [PII] to Defendants and would not have enrolled in their insurance or health care plans.” CAC ¶ 249.

In challenging this finding, Defendants rely upon an earlier Second Circuit decision, Spagnola v. Chubb Corp. , 574 F.3d 64, 74 (2d Cir.2009). Anthem Mot. at 20. Defendants' reliance on Spagnola is not well taken. In fact, in Orlander, the Second Circuit discussed and distinguished Spagnola. Specifically, the Second Circuit observed that, in Spagnola, although plaintiffs alleged “damages in the amount of the purchase price of their contracts,” plaintiffs “failed to allege that defendants had denied them the services for which they contracted.” 802 F.3d at 302. In Orlander, however, “[p]laintiff...alleged both [1] a monetary loss stemming from the deceptive practice and [2] the [d]efendant's failure to deliver contracted-for services.” Id. Similarly, in the instant case, Plaintiffs have alleged both (1) a monetary loss stemming from a deceptive practice—“overpayment[ ] to Defendants for health insurance or health care services purchased,” CAC ¶ 267(h)—and (2) Defendants' failure to deliver to Plaintiffs certain services—“reasonable and adequate security measures to protect Affected Individuals' [PII],” id.

In sum, although “Out of Pocket Costs” and “Fear of Imminent Further Costs” are not cognizable injuries under GBL § 349, “Loss of Value of PII” and “Loss of Benefit of the Bargain” are cognizable injuries under GBL § 349. Accordingly, Plaintiffs have sufficiently pleaded injury under GBL § 349.

3. Causation

Last, “[t]o properly allege causation, a plaintiff must state in his complaint that he has seen the misleading statements of which he complains before he came into possession of the products he purchased.” Goldemberg v. Johnson & Johnson Consumer Cos., Inc. , 8 F.Supp.3d 467, 480 (S.D.N.Y.2014). Unlike the UCL, “an action under § 349 is not subject to the pleading-with-particularity requirements of Rule 9(b), but need only meet the bare-bones notice-pleading requirements of Rule 8(a).” Pelman ex rel. Pelman v. McDonald's Corp , 396 F.3d 508, 511 (2d Cir.2005) (citation omitted); see also id. (“[B]ecause § 349 extends well beyond common-law fraud to cover a broad range of deceptive practices,...a private action under § 349 does not require proof of the same essential elements (such as reliance) as common-law fraud.”).

As the Court has explained, Plaintiffs aver that Defendants made various representations that Plaintiffs' PII would be protected. These representations came in the form of statements made on Defendants' websites and statements made in Defendants' privacy notices. The Court finds that Plaintiffs have sufficiently alleged causation under GBL § 349 based on GBL § 349's pleading requirements and case law interpreting GBL § 349.

First, as the Court has pointed out, GBL § 349 is not subject to the more demanding pleading requirements of Federal Rule of Civil Procedure 9(b). Thus, the New York Court of Appeals has held that Plaintiffs bringing claims under GBL § 349 must simply raise a reasonable inference of causation rather than demonstrating reliance. See, e.g. , Stutman v. Chem. Bank , 95 N.Y.2d 24, 709 N.Y.S.2d 892, 731 N.E.2d 608, 612 (2000) (“Reliance and causation are twin concepts, but they are not identical.”); see also id. , at 612–13 (elaborating upon differences between reliance and causation).

Several recent federal district court decisions from the Eastern and Southern Districts of New York help illustrate the difference between causation and reliance. In Dash v. Seagate Technology (U.S.) Holdings, Inc., 27 F.Supp.3d 357 (E.D.N.Y.2014), for instance, the district court denied dismissal of plaintiff's deceptive practices claim under GBL § 349, but granted dismissal on plaintiff's common law fraud claim. Although plaintiff did not specify when plaintiff saw the misrepresentations at issue, “[t]he reasonable inference to be drawn from [plaintiff's] allegations is that [plaintiff] saw the misleading statements and, as a result of such, purchased the [product] at issue.” Id. at 361. Accordingly, the Dash court found causation “sufficiently pled” for purposes of GBL § 349. Id. However, after reciting the applicable pleading requirements under Rule 9(b), the Dash court determined that, under these same facts, plaintiffs' “concluso[ry] alleg[ations]” were insufficient to state a claim for common law fraud. Id. at 362–63.

Consistent with Dash, plaintiff in Goldemberg v. Johnson & Johnson “describe[d] in particular [detail] the allegedly misleading advertising and other statements.” 8 F.Supp.3d at 480. Plaintiff “then allege[d] that ‘[defendant]'s false, misleading, and deceptive misrepresentations and omissions...deceived and misled [plaintiff].’ ” Id. Although plaintiff did not specify when defendant made the “false, misleading, and deceptive misrepresentations” at issue, the district court concluded that “[t]he reasonable inference to be drawn from these allegations...is that [plaintiff] saw the [misrepresentations] described previously in the Complaint, and was thus deceived into purchasing the products in question.” Id.

Finally, in Belfiore v. Procter & Gamble Co., 94 F.Supp.3d 440, 446 (E.D.N.Y.2015), the pleadings also failed to specify when plaintiff viewed the misrepresentation at issue. The district court, however, found this detail “not decisive” for purposes of plaintiff's GBL § 349 claim. Id. Consistent with Goldemberg and Dash, the district court stated that the reasonable inference to be drawn was that plaintiff first viewed the misrepresentation, and then went on to purchase the product at issue. Id.

In sum, after reviewing the allegations in the consolidated amended complaint, the different pleading requirements between GBL § 349 and Federal Rule of Civil Procedure 9(b), and case law addressing GBL § 349, the Court finds that Plaintiffs have sufficiently alleged causation for purposes of their GBL § 349 claim.

4. ERISA Preemption

As a final matter, the consolidated amended complaint includes four named New York Plaintiffs, all of whom assert a GBL § 349 claim on behalf of themselves and a putative statewide class. CAC ¶¶ 85–88. Defendants contend that New York Plaintiff Matthew Gates' (“Gates”) GBL § 349 claim is preempted by ERISA. See Anthem Mot. at 22. Defendants, however, do not assert ERISA preemption against New York Plaintiffs Barbara Gold, Marne Onderdonk, and Juan Carlos Cerro. Thus, because Plaintiffs have demonstrated all of the required elements to plead a GBL § 349 claim, Plaintiffs' GBL § 349 claim survives whether or not Gates' claim is preempted. Defendants' motion to dismiss Plaintiffs' GBL § 349 claim is therefore DENIED.

Additionally, the Court denies without prejudice Defendants' motion to dismiss Gates' GBL § 349 claim as preempted by ERISA. As the Ninth Circuit has observed, “[t]here are two strands of ERISA preemption: (1) ‘express’ preemption under ERISA § 514(a), 29 U.S.C. § 1144(a); and (2) preemption due to a ‘conflict’ with ERISA's exclusive remedial scheme set forth in [ERISA § 502(a),] 29 U.S.C. § 1132(a).” Fossen v. Blue Cross and Blue Shield of Mont., Inc., 660 F.3d 1102, 1107 (9th Cir.2011). “Under § 514(a), ERISA broadly preempts any and all State laws insofar as they may now or hereafter relate to any covered employee benefit plan.” Id. at 1108 (internal quotation marks and alteration omitted) (emphasis added). “A [state] law ‘relates to’ an employee benefit plan, in the normal sense of the phrase, if it has a connection with or reference to such a plan.” Shaw v. Delta Air Lines, Inc., 463 U.S. 85, 96–97, 103 S.Ct. 2890, 77 L.Ed.2d 490 (1983). “[T]he words ‘relate to,’ ” however, “cannot be taken too literally.” Roach v. Mail Handlers Benefit Plan, 298 F.3d 847, 849 (9th Cir.2002). “If ‘relate to’ were taken to extend to the furthest stretch of its indeterminacy, then for all practical purposes pre-emption would never run its course, for ‘really, universally, relations stop nowhere.’ ” N.Y. State Conf. of Blue Cross & Blue Shield Plans v. Travelers Ins. Co., 514 U.S. 645, 655, 115 S.Ct. 1671, 131 L.Ed.2d 695 (1995) (alteration omitted). Instead, “relates to” must be “read in the context of the presumption that in fields of traditional state regulation the historic police powers of the States are not to be superseded by a Federal Act unless that was the clear and manifest purpose of Congress.” Roach, 298 F.3d at 850 (internal quotation marks and alteration omitted).

Under ERISA § 502(a), a civil enforcement action may be brought:

(1) by a participant or beneficiary—...(B) to recover benefits due to him under the terms of his plan, to enforce his rights under the terms of the plan, or to clarify his rights to future benefits under the terms of the plan.

29 U.S.C. § 1132(a). Pursuant to this provision, a “state-law cause of action that duplicates, supplements, or supplants the ERISA civil enforcement remedy” is preempted because it “conflicts with the clear congressional intent to make the ERISA remedy exclusive.” Aetna Health Inc. v. Davila , 542 U.S. 200, 209, 124 S.Ct. 2488, 159 L.Ed.2d 312 (2004).

The primary points of disagreement between the parties is whether, for purposes of both conflict and express preemption, (1) Defendants' promises to protect Plaintiffs' PII represents a “benefit” under Plaintiffs' health plans, as defined by ERISA, and (2) whether state laws that implicate Plaintiffs' data security “relate to” or conflict with ERISA.

There is insufficient information at this time to make a determination on either question. As noted above, Plaintiffs have failed to produce a copy of their insurance contracts with Defendants and have failed to identify which contractual provisions Defendants allegedly breached. In addition, although Defendants have submitted a copy of Gates' Summary Plan Description, see ECF No. 412-1, Plaintiffs contend that Gates' contract and the Summary Plan Description are different documents. Anthem Opp'n at 25. Defendants' obligations to protect Gates' data, Plaintiffs argue, were memorialized in Gates' contract, and “[t]here is no preemption when plaintiffs sue to enforce the terms of some contract other than the ERISA plan.” Id. As a final point, neither party has provided briefing on whether Congress necessarily intended for ERISA to preempt state consumer protection laws such as New York's GBL § 349.

Given the disputed contentions made by the parties and the fact that the parties have not produced a copy of Gates' contract, the Court can not decide whether Gates' GBL § 349 claim is preempted by ERISA. In reaching this conclusion, the Court finds instructive statements made by U.S. Department of Labor (“DOL”) staff at the 2010 Joint Committee of Employee Benefits Technical Session, hosted by the American Bar Association. Specifically, DOL staff were asked the following:

In an era of enhanced privacy protections, some participants have complained that personally identifiable information (PII) releases have occurred under State privacy laws...

Does the DOL agree that State privacy laws regarding PII releases are not applicable to plan administration communications from authorized third party service providers?

Questions and Proposed Answers for the Department of Labor Staff for the 2010 Joint Committee of Employee Benefits Technical Section at 20–21 (May 5, 2010), available at http://tinyurl.com/jhp2hcp. DOL staff declined to provide a definitive “answer [to] this question due to insufficient information.” Id. at 21. After citing and discussing ERISA § 514(a) and the applicable legal standards behind this section, DOL “staff note[d] that without specific statutory language and a description of how the statute relates to [a specific] ERISA-covered employee benefit plan, [DOL] staff [could not] determine whether a particular state privacy statute is preempted by ERISA.” Id. In sum, when confronted with a general inquiry as to whether state privacy laws were preempted by ERISA, DOL staff declined to provide a sweeping response, and instead requested additional information on the specific laws at issue.

The Court's decision to deny without prejudice is in line with DOL's position. Without specific information on the contours of Gates' health plan and the statutory purpose behind GBL § 349, the Court can not decide whether Gates' GBL § 349 claim is subject to ERISA preemption. Accordingly, the Court DENIES without prejudice Defendants' motion to dismiss Gates GBL § 349 claim as preempted by ERISA.

H. Kentucky Consumer Protection Act (against Anthem and Non-Anthem Defendants)

Plaintiffs allege that the Anthem and Non-Anthem Defendants “engaged in deceptive, unfair, and unlawful trade acts or practices in the conduct of trade or commerce,” in violation of the Kentucky Consumer Protection Act (“KCPA”), Ky. Rev. Stat. § 367.170, et seq. CAC ¶ 425. Defendants contend that Plaintiffs' KCPA claim fails “because the Act cannot be used to bring a class action.” Anthem Mot. at 12. Moreover, Defendants assert that Plaintiffs do not have standing to bring a KCPA claim. Id. at 12–13.

With respect to the viability of class certification, the Court turns first to the Kentucky Circuit Court's decision in Arnold v. Microsoft Corporation , 2000 WL 36114007 (Ky.Cir. Ct. July 21, 2000). In Arnold, plaintiffs brought suit against Microsoft under the KCPA and under Kentucky's version of the Sherman Antitrust Act. Id. at *1. Plaintiffs sought damages and class certification. Id. In granting Microsoft's motion to dismiss, the Kentucky Circuit Court concluded that “[t]he Court does not believe that KRS 367.170 [the KCPA] is the correct statute to bring a claim based on monopolistic practices.” Id. at *6. Moreover, “[t]he Court also does not believe that KRS 367.170 was meant to be a vehicle for Class Action suits and declines to open such a sweepingly vague statute for use as a blunt instrument in a Class Action suit.” Id. ; see also id. at *8 (“Based on venue requirements and other language[,]...this Court...feels that KRS 367.170 was never meant to encompass class action litigants.”). The Kentucky Court of Appeals affirmed the Circuit Court's judgment. Arnold v. Microsoft Corp. , 2001 WL 1835377, *7–8 (Ky.Ct.App. Nov. 21, 2001).

A number of federal courts—including several in the MDL context—have relied upon Arnold to find that plaintiffs can not bring a class action claim under the KCPA. In In re Pharmaceutical Industry Average Wholesale Price Litigation, 230 F.R.D. 61, 84 (D.Mass.2005), for instance, the district court relied upon Arnold to find that, “[u]nder the laws of...Kentucky...there is no right to bring a class action to enforce the consumer protection statutes.” Id. Thus, the court concluded that “[c]onsumers in [Kentucky] may be excluded out of hand” in an MDL brought against 42 pharmaceutical manufacturers. Id. Likewise, in In re Grand Theft Auto Video Game Consumer Litigation (No. II), 251 F.R.D. 139, 160 (S.D.N.Y.2008), the district court, citing Arnold, held that “Kentucky['s] consumer-fraud provision does not permit [a] class-action suit.” Id. Finally, in Mazza v. American Honda Motor Co., Inc., 666 F.3d 581 (9th Cir.2012), the Ninth Circuit vacated the district court's decision to certify a nationwide class. In reaching this decision, the Ninth Circuit determined that nationwide class certification was inappropriate because of differences amongst various state consumer protection laws. See id. at 590–92. In dissent, Judge Dorothy Nelson disagreed with the majority's conclusion “that material differences exist between California law and that of the 43 jurisdictions in which class members reside.” Id. at 597 (Nelson, J., dissenting). As Judge Nelson observed, “I find only one potentially material difference: Louisiana, Georgia, Mississippi, Kentucky, Virginia and Alabama prohibit class actions that allege unfair trade practices under state law.” Id. at 597–98; see also id. at 598 (citing Arnold). Thus, even though Judge Nelson disagreed with the majority's determination, she nonetheless acknowledged that consumer protection laws in some states—including Kentucky—bar private plaintiffs from bringing class action claims.

More recently, in In re Target, the District of Minnesota district court dismissed plaintiffs' KCPA claim upon finding that “[t]he consumer-protection statutes in eight states—Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, and Tennessee—prohibit class-action treatment of claims under those statutes.” 66 F.Supp.3d at 1163. The In re Target court did not cite Arnold ; instead, the In re Target court cited Davenport v. Charter Communications, LLC , 35 F.Supp.3d 1040 (E.D.Mo.2014). 66 F.Supp.3d at 1165. As Plaintiffs note, the Davenport court was not presented with a KCPA claim. Anthem Opp'n at 12. Instead, the Davenport court was presented with a claim under Ky. Rev. Stat. § 337.385, a statute governing unpaid overtime. See Davenport , 35 F.Supp.3d at 1051. The Court therefore finds the In re Target decision to be less instructive than the decisions in In re Pharmaceutical and In re Grand Theft Auto. Nonetheless, the common theme running through all of these cases is that, consistent with Arnold, courts have found that plaintiffs can not pursue a class action claim under the KCPA.

Plaintiffs have not cited any case law that would compel a different conclusion. Instead, Plaintiffs argue only that the KCPA “does not contain an express class action ban,” and that some “courts have certified class actions under the KCPA, both before and after Arnold.” Anthem Opp'n at 12. In support of this latter point, Plaintiffs rely upon two Western District of Kentucky decisions: Brummett v. Skyline Corporation , 1984 WL 262559 (W.D.Ky. Apr. 11, 1984), and Clark v. BellSouth Telecommunications, Inc. , 461 F.Supp.2d 541 (W.D.Ky.2006).

As Plaintiffs acknowledge, Brummett was decided sixteen years prior to Arnold. This fact alone renders Plaintiffs' reliance on Brummett unavailing. As the Sixth Circuit, of which Kentucky is a part, has noted, “[t]he function of [a federal court] is to apply the law of the state which governs the suit, not to take a position regarding the advisability or fairness of the rule applied.” San Francisco Real Estate Inv'rs v. J.A. Jones Real Estate Constr. Co. , 703 F.2d 976, 977 n. 2 (6th Cir.1983) ; see also In re Korean Air , 642 F.3d at 699 (“[T]he MDL transferee court is generally bound by the same substantive legal standards...as would have applied in the transferor court.”). Here, the federal district court for the Western District of Kentucky predicted that the KCPA would be interpreted one way in Brummett, and then the Kentucky Circuit Court concluded in Arnold that the KCPA should be interpreted in a different way. Under such circumstances, Arnold —not Brummett —is more persuasive. See Goranson v. Kloeb , 308 F.2d 655, 656–57 (6th Cir.1962) (“We should not attempt to make new law for the state in conflict with its existing decisions.”).

In addition, the Brummett plaintiffs sought class certification on a number of different claims. See Brummett , 1984 WL 262559, *1 (asserting claims under the KCPA, the Kentucky Uniform Commercial Code, the Kentucky Mobile Home Sales Act, Kentucky common law, and various federal laws). The parties did not assert and the district court did not conduct a separate analysis of plaintiffs' KCPA claim. Thus, in light of this procedural posture and intervening state authority in Arnold, the Court finds Brummett insufficient to allow Plaintiffs to proceed with their KCPA class action claim in the instant case.

Plaintiffs' reliance on Clark v. BellSouth Telecommunications is likewise unavailing. As in Brummett, plaintiffs in Clark asserted a number of claims under state and federal law. With respect to plaintiffs' KCPA claim, the Clark court found the parties' briefing incomplete. 461 F.Supp.2d at 549. Consequently, the district court stated that it would “set a schedule for additional briefing on” plaintiffs' KCPA claim. Id. Following this discussion of the KCPA claim, the Clark court reviewed plaintiffs' motion for class certification, and found class certification appropriate. The district court, however, described its certification decision as being “provision[al]” in nature, id. at 550, a description which would comport with the court's decision to order additional briefing on the KCPA claim. Under these circumstances, the Court is not persuaded by Plaintiffs' argument that the Clark court “certified [a] class action[ ] under the KCPA...after Arnold.” Anthem Opp'n at 12.

Outside of Brummett and Clark, Plaintiffs have not identified any cases where courts have allowed parties to proceed with a class action claim under the KCPA. The Court has found none in its own research. Instead, Arnold remains the most pertinent state authority on this issue, and several courts have relied upon Arnold to hold that parties cannot, as a matter of law, bring a KCPA claim as a class action. See In re Pharm., 230 F.R.D. at 84; In re Grand Theft Auto, 251 F.R.D. at 160. Consistent with the reasoning of Arnold and of these courts, the Court finds that Plaintiffs cannot maintain a putative class action claim under the KCPA. In addition, because Plaintiffs cannot pursue such a claim as a matter of law, the Court need not address Defendants' arguments regarding standing. Accordingly, Defendants' motions to dismiss Plaintiffs' KCPA claim is GRANTED.

Furthermore, in the absence of any authority for the position that a KCPA claim may be brought as a class action, the Court finds that leave to amend would be futile, and thus denies Plaintiffs leave to amend. See Bonin , 59 F.3d at 845 (“Futility of amendment can, by itself, justify the denial of a motion for leave to amend.”). Plaintiffs' KCPA claim is therefore dismissed with prejudice.

I. Kentucky Data Breach Act (against Anthem Defendants)

In opposing the instant motions to dismiss, Plaintiffs have moved to withdraw their cause of action against the Anthem Defendants for violation of Kentucky's Data Breach Act. Anthem Opp'n at 11 n.13. Accordingly, the Anthem Defendants' motion to dismiss Plaintiffs' Kentucky data breach claim is GRANTED, and Plaintiffs' Kentucky data breach claim is DISMISSED with prejudice.

J. Georgia Insurance Information and Privacy Protection Act (against Anthem Defendants)

The Georgia Insurance Information and Privacy Protection Act (“IIPA”) states that “[a]n insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure ” falls under a list of specifically enumerated exceptions. Ga. Code. Ann. § 33–39–14 (emphasis added). In the consolidated amended complaint, Plaintiffs allege that “Defendants Anthem and Anthem Affiliates disclosed individually-identifiable [PII] regarding members of the Georgia Class that was collected or received in connection with an insurance transaction without their authorization, in violation of” the IIPA. CAC ¶ 801.

In response, the Anthem Defendants contend that Plaintiffs' PII was never “disclosed.” See, e.g. , Anthem Reply at 12. Rather, Plaintiffs' PII was “stole[n]” by “a third-party cyberattacker.” Id. The IIPA, the Anthem Defendants argue, protects only against disclosure, and not against theft. In addition, the Anthem Defendants contend that Plaintiffs have failed to allege any actual damages. See id. at 13.

As to the scope of the IIPA's disclosure requirement, the Court notes that neither party has identified a case—state or federal—interpreting Ga. Code. Ann. § 33-39-14. The Court has found none in its own research. Thus, this action presents an issue of first impression: whether the IIPA, which proscribes the unlawful disclosure of personal information, also applies to the theft of one's personal information.

In interpreting the IIPA, the Court must examine statutory rules of construction as applied by courts in Georgia. See In re Korean Air , 642 F.3d at 699 (“[T]he MDL transferee court is generally bound by the same substantive legal standards...as would have applied in the transferor court.”). On this particular point, the Georgia Supreme Court has stated that, “[w]e begin our analysis of the statute by recognizing that fundamental rules of statutory construction require us to construe a statute according to its terms, to give words their plain and ordinary meaning, and to look diligently for the intention of the General Assembly.” Atlanta Indep. Sch. Sys. v. Atlanta Neighborhood Charter Sch., Inc. , 293 Ga. 629, 748 S.E.2d 884, 886 (2013). “Where the plain language of a statute is clear and susceptible of only one reasonable construction, we must construe the statute according to its terms.” Thus, following the Georgia Supreme Court, the Court shall begin by reviewing the IIPA's text, before examining other pertinent canons of statutory interpretation.

1. Statutory Text

As an initial point, the Court observes that the Georgia Code does not define the term “disclose” or “disclosure” in the IIPA. See Ga. Code. Ann. § 33–39–3 (providing list of definitions). Where a statute does not define a key term, the Court must “look to the ordinary meaning of that word.” Jackson v. State , 309 Ga.App. 24, 709 S.E.2d 44, 46 (Ct.App.2011). With respect to the ordinary meaning analysis, courts generally begin by examining dictionary definitions of the term at issue. Id. ; see also Jacob Scott, Codified Canons and the Common Law of Interpretation , 98 Geo. L.J. 341, 357 (2010) (finding use of dictionary definitions to be the most commonly used textual canon).

Black's Law Dictionary defines “disclosure” as “[t]he act or process of making known something that was previously unknown; a revelation of facts.” Black's Law Dictionary 531 (9th ed. 2009). Black's Law Dictionary also defines “act” as “[s]omething done or performed, esp. voluntarily.” Id. at 27. The Oxford English Dictionary defines “disclose” as “[t]o uncover and expose to view (anything material); to remove a covering from; to reveal, allow to be seen.” Oxford English Dictionary Online (3d ed. 2013), available at tinyurl.com/jlynyc8. Taken together, these definitions suggest that, in order to “disclose” something, the information holder must commit some affirmative, voluntary act.

An analysis of the structure of the IIPA lends further support to this conclusion. As noted above, the IIPA states that “[a]n insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information...unless the disclosure” falls under a set of 18 exceptions. These exceptions allow the insurance institution, agent, or insurance-support organization to disclose an individual's personal information “[t]o a medical-care institution or medical professional,” Ga. Code Ann. § 33–39–14(4), “[t]o an insurance regulatory authority,” Ga. Code Ann. § 33–39–14(5), and “[t]o a law enforcement or other governmental authority,” Ga. Code Ann. § 33–39–14(6), among other entities. Indeed, for each of these 18 exceptions, the insurance institution, agent, or insurance-support organization must affirmatively provide an individual's personal information to a third party. Thus, under the dictionary definition of “disclosure” and under the structure of the IIPA, it is unlikely that the Georgia Legislature intended for “disclosure” to encompass instances of third party cyberhacking and data breach.

2. Additional Considerations

In addition to the IIPA's text and structure, several other considerations lend support to this more narrow reading of the IIPA's scope. Indeed, in predicting how the Georgia Supreme Court would rule on this issue, the Court believes that the Georgia Supreme Court would review how the terms “disclose” or “disclosure” have been defined in other statutes and how these terms have been interpreted by other courts.

On this particular point, the Federal Privacy Act defines “disclosure” to “mean[ ] providing personal review of a record, or a copy thereof, to someone other than the data subject or the data subject's authorized representative.” 5 C.F.R. § 297.102. Courts have restricted this definition to situations where information holders have willfully provided data to an unauthorized third party. In Walia v. Chertoff, 2008 WL 5246014, *6 (E.D.N.Y. Dec. 17, 2008), for instance, plaintiff's medical and legal records were allegedly placed in an unlocked credenza located in the office of plaintiff's supervisor. Other employees, including those not authorized to review plaintiff's medical and legal records, had access to this office. Id. Upon learning these facts, plaintiff brought suit against his employer. The Walia court rejected plaintiff's Federal Privacy Act claim and held that plaintiff's claim rested “on the accessibility of [plaintiff's] medical and legal records to individuals in the office.” Id. at *11. Mere accessibility, however, is insufficient to constitute “willful or intentional disclosure by the agency, a required element of a [Federal Privacy Act] claim.” Id. Here, as in Walia, Plaintiffs' IIPA claim pivots around the idea of access and accessibility, not willful and active disclosure. See e.g., Anthem Opp'n at 21 (“[A]s Plaintiffs contend... unauthorized access resulted from Anthem's actions.”) (emphasis added). Thus, at least as understood in the context of the Federal Privacy Act, Plaintiffs have failed to sufficiently allege that the Anthem Defendants “disclosed” Plaintiffs' PII to cyberattackers during the data breach.

In addition, in Galaria v. Nationwide Mutual Insurance Co., 998 F.Supp.2d 646, 650 (S.D.Ohio 2014), plaintiffs provided Nationwide Mutual Insurance (“Nationwide”) their PII “in the course of purchasing or seeking to purchase insurance products.” In November 2012, plaintiffs “received a letter from [Nationwide] indicating that on October 23, 2012, thieves hacked into a portion of [Nationwide's] computer network and that their PII was stolen and disseminated as part of the theft.” Id. In response, plaintiffs brought suit against Nationwide alleging, inter alia, common law invasion of privacy. Id. at 661.

The district court granted Nationwide's motion to dismiss. In reaching this decision, the district court observed that the common law tort of invasion of privacy requires publicity of a private fact. Publicity, in turn, “means that [a] matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Id. Plaintiffs had failed to satisfy this publicity requirement because “there is no allegation in the Complaint that [Nationwide] disclosed Named Plaintiffs' private affairs.” Id. at 662 (emphasis added). Moreover, “[t]here are no factual allegations in the Complaint to make plausible the allegation that [Nationwide] disseminated Named Plaintiffs' PII.” Id. Rather, “the Complaint alleges the PII was stolen from [Nationwide], not that [Nationwide] disseminated it to anyone.” Id. In sum, when presented with a substantially similar set of facts, the Galaria court clearly understood “disclosure” as requiring a party to commit some voluntary, affirmative act. The Galaria court, moreover, drew a distinction between when information is “disclosed” and when information is “stolen.” Thus, although the questions presented in Galaria were somewhat different than the questions presented in the instant case, this Court nevertheless finds the Galaria court's understanding of “disclosure” informative.

The D.C. District Court's decision in In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, 45 F.Supp.3d 14 (D.D.C.2014), is similarly illuminating. In In re SAIC, as in Galaria, “[p]laintiffs...allege[d] that they ha[d] been injured because their privacy [had been] invaded by [a] data breach.” Id. at 28. In deciding to dismiss plaintiffs' invasion of privacy claim, the district court held that “[f]or a person's privacy to be invaded, their personal information must, at a minimum, be disclosed to a third party.” Id. (emphasis added). The In re SAIC court proceeded to refer to a number of different sources discussing disclosure. The district court, for instance, cited a decision by the Eastern District of Wisconsin, which defined disclosure as “the placing into the view of another information which was previously unknown.” Id. (quoting Schmidt v. Dep't of Veterans Affairs, 218 F.R.D. 619, 630 (E.D.Wis.2003)). The district court also cited a decision by the District of South Carolina, which defined disclosure as “the imparting of information which...was previously unknown to the person to whom it was imparted.” Id. (quoting Harper v. United States, 423 F.Supp. 192, 197 (D.S.C.1976)). These definitions all conform to the Court's understanding of what disclosure should mean in the context of the IIPA: an active, voluntary decision by the information holder to provide data to an unauthorized third party.

In opposing the Anthem Defendants' motion to dismiss, Plaintiffs rely upon a statement in Shames Yeakel v. Citizens Financial Bank , 677 F.Supp.2d 994, 1008 (N.D.Ill.2009). Specifically, in discussing the viability of an Indiana common law negligence claim, the Shames Yeakel court stated that “[i]f th[e] duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts.” Id. Although this statement does appear to weigh in Plaintiffs' favor, Plaintiffs' reliance on Shames Yeakel is ultimately inapposite.

First, as discussed above, private plaintiffs can not, under Pisciotta, bring a cause of action in Indiana for negligence for injuries arising out of a data breach. The Northern District of Illinois' decision in Shames Yeakel is therefore, at the very least, in tension with the Seventh Circuit's decision in Pisciotta. Tellingly, in discussing the negligence claim in Shames Yeakel, the district court did not refer to Pisciotta. The district court also acknowledged that “this court could not find an Indiana case addressing the matter” of whether a bank has a “duty to sufficiently secure its online banking system.” Id. Thus, by allowing plaintiffs in Shames Yeakel to move forward with their Indiana negligence claim, the Shames Yeakel court appeared to overlook both the specific and general precedent of its circuit court of appeals, the Seventh Circuit, that federal courts, sitting in diversity, should refrain from creating new causes of action under state law. See, e.g. , Pisciotta , 499 F.3d at 637 (“Had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent.”); Insolia v. Philip Morris, Inc. , 216 F.3d 596, 607 (7th Cir.2000) (“When confronted with a state law question that could go either way, the federal courts usually choose the narrower interpretation that restricts liability.”).

Second, with respect to the specific statement quoted by Plaintiffs—that a bank's duty not to disclose must include a duty to protect customers' personal information—the Shames Yeakel court did not discuss, refer to, or cite any supporting authority. In the nearly six and a half years since the Shames Yeakel decision, no federal or state court has cited Shames Yeakel for this proposition. In light of these circumstances, and in light of the fact that Shames Yeakel appears to be in tension with prevailing Seventh Circuit precedent, the Court finds Plaintiffs' reliance on Shames Yeakel not well taken.

To conclude, Plaintiffs have failed to persuade the Court that a broader construction of the IIPA is warranted. Under the facts alleged in the consolidated amended complaint, the Anthem Defendants did not “disclose” Plaintiffs' data, as required under the IIPA. Pursuant to the Court's finding, the Court need not address the Anthem Defendants' arguments regarding whether Plaintiffs have sufficiently alleged damages for purposes of the IIPA. The Anthem Defendants' motion to dismiss Plaintiffs' IIPA claim is GRANTED.

Plaintiffs, however, shall have leave to amend because the Court finds that amendment would not be futile. Plaintiffs may be able to allege facts to demonstrate that the Anthem Defendants disclosed Plaintiffs' PII to a third party. See Lopez , 203 F.3d at 1127 (holding that “a district court should grant leave to amend...unless it determines that the pleading could not possibly be cured by the allegation of other facts.”). Plaintiffs' IIPA claim is therefore DISMISSED with leave to amend.

K. Federal Law Third Party Beneficiary (against Non-Anthem Defendants)

Finally, Plaintiffs assert a third party beneficiary claim for breach of contract under federal law against the Non-Anthem Defendants. CAC ¶ 331–42. Specifically, Plaintiffs assert that Blue Cross Blue Shield Association (“BCBSA”) “had a valid, binding, and enforceable express contract with OPM [the Office of Personnel Management] to provide insurance and other benefits to those Plaintiffs who received health insurance and related benefits under the Federal BCBSA Plan.” Id. ¶ 332. Under this contract (hereinafter referred to as the “Federal BCBSA contract”), BCBSA “promised to take reasonable measures to protect the security and confidentiality of Federal Employee Plaintiffs' [PII].” Id. ¶ 333. Plaintiffs allege that the Federal Employee Plaintiffs were “intended third-party beneficiaries of the data security provisions in the contract between BCBSA ...and OPM, and are entitled to directly enforce its terms.” Id. ¶ 339.

The Non-Anthem Defendants contend that Plaintiffs' third party beneficiary claim fails because OPM is the only party that can seek relief under the Federal BCBSA contract. Plaintiffs can not, in other words, pursue a private cause of action against BCBSA. The Non-Anthem Defendants also argue that “the Federal Employee Plaintiffs' state law claims are preempted.” Non-Anthem Mot. at 19.

Given that adjudication of the instant claim involves a nuanced understanding of federal law, administrative regulations, and various rules governing contract interpretation, the Court first provides an overview of the background and statutory framework behind the Federal BCBSA contract. The Court shall then address the Non-Anthem Defendants' arguments in turn.

1. Background

The Federal Employee Health Benefits Act (“FEHBA”), enacted in 1959, “established a comprehensive program to provide federal employees and retirees with subsidized health care benefits.” Hayes v. Prudential Ins. Co. of Am. , 819 F.2d 921, 922 (9th Cir.1987). “Under the Act, the United States does not act as an insurer, but, through the Office of Personnel Management (OPM), contracts with various private carriers to develop health care plans with varying coverages and costs.” Id. “After OPM negotiates changes with the carriers[,] all federal enrollees are permitted to switch enrollment from one plan to another, regardless of their state of health, during a period called ‘open season.’ ” Id.

“Among the plans offered to federal employees is the Blue Cross Blue Shield Service Benefit Plan,” which is governed by the Federal BCBSA contract (known internally as 2013 Contract No. CS 1039). CAC ¶ 172. The Federal BCBSA contract provides that “[a]ny inconsistency in this contract shall be resolved by giving precedent in the following descending order: the Act, the regulations in part 890, title 5, Code of Federal Regulations, the regulations in chapters 1 and 16, title 48, Code of Federal Regulations, and this contract.” Fed. BCBSA Contract § 1.3. The Federal BCBSA contract also states that “[t]he Carrier [BCBSA] shall provide the benefits as described in the agreed upon” Statement of Benefits, which are attached as an addendum to the contract. Id. § 2.2(a).

Plaintiffs refer to Contract No. CS 1039 in the consolidated amended complaint, and the Non-Anthem Defendants have submitted a copy of this contract, the 2014 and 2015 amendments to the contract, and the contract's 2014 and 2015 Statement of Benefits. See ECF No. 416-1 (“Fed. BCBSA Contract”); ECF No. 416-2 (“2014 Amendments”); ECF No. 416-3 (“2015 Amendments”); ECF No. 416-4 (“2014 Statement of Benefits”); ECF No. 416-5 (“2015 Statement of Benefits”). Unlike the Summary Plan Descriptions described above, Plaintiffs do not dispute that these documents are true and accurate copies of their contract with BCBSA and the accompanying statement of benefits. Non-Anthem Opp'n at 13 n.9. Accordingly, the Court takes judicial notice of these documents. See Warren v. Fox Family Worldwide, Inc. , 328 F.3d 1136, 1141 n. 5 (9th Cir.2003) (stating that court “may consider documents on which the complaint necessarily relies and whose authenticity is not contested.”) (internal quotation marks and ellipses omitted).

The Federal BCBSA contract defines “Act” to mean “FEHBA.” Fed. BCBSA Contract § 1.1.

The framework under which the Federal BCBSA contract operates is notable in three important respects. First, Plaintiffs assert, and the Non-Anthem Defendants do not dispute, that the Federal Employee Plaintiffs are intended third party beneficiaries of the Federal BCBSA contract. See CAC ¶ 339; Non-Anthem Mot. at 14; Non-Anthem Opp'n at 14; see also Catholic Diocese of Biloxi Supplemental Med. Reimbursement Plan and Catholic Diocese of Biloxi v. Blue Cross, Blue Shield of Tex. , 960 F.Supp. 1145, 1146 (S.D.Miss.1997) (“The federal employee does not enter into a separate contract with the carrier, but rather is a third-party beneficiary of the OPM-carrier contract.”). As a result of this arrangement, “[a]ll health benefits claims [under the Federal BCBSA contract] must be submitted initially to the carrier of the covered individual's health benefits plan.” 5 C.F.R. § 890.105(a)(1) (emphasis added). “If the carrier denies a [health benefits] claim (or a portion of a claim), the covered individual may ask the carrier to reconsider its denial.” Id. “If the carrier affirms its denial or fails to respond...., the covered individual may ask OPM to review the claim.” Id. Notably, “[a] covered individual must exhaust both the carrier and OPM review processes specified in this section before seeking judicial review of [a] denied claim.” Id. The administrative apparatus designed to handle health benefits claims is, in short, fairly comprehensive.

Second, the Federal BCBSA contract and various administrative regulations vest OPM with general management authority over the contract. As discussed, individuals filing health benefits claims must, prior to going to federal court, present their claims in an administrative proceeding before OPM. Outside of handling such health benefits claims, OPM “shall” also “notify [BCBSA] of [various] deficiencies” which relate to BCBSA's “financial resources, facilities, providers, staff and other necessary resources to meet [BCBSA's] obligations under this contract.” Fed. BCBSA Contract § 1.12(a). Relatedly, BCBSA must “notify” OPM “of any Significant Event within ten (10) working days after [BCBSA] becomes aware of it.” Id. § 1.10; see also id. (providing list of Significant Events). If BCBSA does not address a Significant Event in a satisfactory manner, OPM may suspend new enrollments, advise enrollees of the asserted deficiencies and provide enrollees an opportunity to transfer to another plan, withhold payment, and refuse to renew the contract. Id. On a more general level, federal law provides that OPM “may prescribe reasonable minimum standards for health benefits plans,” 5 U.S.C. § 8902(e), and “may prescribe regulations necessary to carry out” FEHBA, 5 U.S.C. § 8913(a).

Third, and finally, the Federal BCBSA contract includes several provisions that address data privacy. Section 1.30(a) states that BCBSA must “at a minimum, comply with equivalent privacy and security policies as are required of a ‘covered entity’ under the HIPAA Privacy and Security regulations.” Id. § 1.30(a). The Federal BCBSA contract was specifically amended in 2014 so that BCBSA could be required to go beyond compliance with the minimum privacy standards required under federal law. Section 1.30(d), for instance, now states that an OPM representative “may recommend that the Carrier adopt a best practice drawn from NIST Special Publication 800-53 (or its current equivalent).” 2014 Amendments § 1.30(d). This document—NIST Special Publication 800-53—“provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations.” National Institute of Standards and Technology, NIST Special Publication 800-53 (Revision 4): Security and Privacy Controls for Federal Information Systems and Organizations , http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf (last updated Jan. 22, 2015). Notably, many of the practices listed in NIST Special Publication 800-53 are recommendations that go above and beyond current requirements under federal law. A third section of the Federal BCBSA contract, § 1.6(b), states that BCBSA “shall...hold all medical records, and information relating thereto, of Federal subscribers confidential.” Fed. BCBSA Contract § 1.6(b). Neither the Federal BCBSA contract nor federal law specifies who may seek a remedy for breach of these data privacy obligations.

2. Enforcement of Federal BCBSA Contract

a. “Health Benefits Claim”

The Non-Anthem Defendants first contend that Plaintiffs' third party beneficiary claims constitute health benefits claims. Thus, pursuant to the Federal BCBSA contract, Plaintiffs must exhaust the administrative apparatus described above before bringing their claims into federal court. The Court finds this contention unavailing.

The administrative apparatus to which Non-Anthem Defendants refer applies to “health benefits claims.” Federal regulations define “claim” to mean a “request for (i) payment of a health-related bill; or (ii) provision of a health-related service or supply.” 5 C.F.R. § 890.101. The Federal BCBSA contract, in turn, defines “[b]enefits” as “[c]overed services or payment for covered services set forth in [the Statement of Benefits], to which Members are entitled to the extent provided by this contract.” Fed. BCBSA Contract § 1.1. The Statement of Benefits accompanying the Federal BCBSA contract does not define “benefit.” See 2015 Statement of Benefits at 145 (providing list of definitions). However, the Statement of Benefits does list the following as “Benefits”: “Preventative care,” “Allergy care,” and “Prescription drug benefits.” Id. at 32. In short, “benefits”—at least as understood in the context of the Federal BCBSA contract and the Statement of Benefits—appears to refer only to the provision of medical-related coverage. Tellingly, neither patient privacy nor data security is listed as a “benefit” in the Statement of Benefits. Indeed, there is but one reference to patient privacy in the Statement of Benefits, confined to a single sentence in the 160 page document: “We [BCBSA] will keep your medical and claims information confidential.” Id. at 14. There is, in sum, little to suggest that “health benefits claims” were meant to encompass claims regarding data privacy.

In further support of this conclusion, the Court observes that, in Roach v. Mail Handlers Benefits Plan, the Ninth Circuit construed “benefits” under FEHBA narrowly. Specifically, the Ninth Circuit noted that, in interpreting the scope of FEHBA, several “courts have created a divide between claims based on a denial of benefits, which are preempted, and claims based on medical malpractice, which are not.” Roach , 298 F.3d at 850. Upon examining these decisions, the Ninth Circuit determined that such a “division protects the federal interest in uniformity of FEHBA plan interpretation” while also “preserv[ing] the traditional state interest in the quality of medical care.” Id. In sum, the Ninth Circuit distinguished “denial of benefit claims,” which “are preempted by... FEHBA,” from “malpractice claims,” which “are not” preempted by FEHBA. Id. Under this narrow construction, claims related to one's data privacy—which do not concern health benefits or payment for health benefits—would seem to fall outside the purview of a “denial of benefit” claim.

To summarize, the Federal BCBSA contract, the Statement of Benefits, and Ninth Circuit precedent all counsel in favor of finding that Plaintiffs here have not asserted a claim that should have first gone through an established administrative review apparatus.

The Non-Anthem Defendants have not cited any authority to support their arguments to the contrary. Instead, the Non-Anthem Defendants point to the allegations in the consolidated amended complaint, which state that “[a]s a result of BCBSA, Anthem BCBS Affiliates, and non-Anthem BCBS's failure to implement the security measures required by the Federal BCBSA contract, OPM did not receive the full benefit of its bargain.” CAC ¶ 340 (emphasis added). This argument lacks merit. In seeking benefit of the bargain damages, Plaintiffs state that they received “services that were less valuable than what OPM bargained for.” Id. This understanding of “benefit” differs significantly from the term of art referenced in FEHBA and employed in the Federal BCBSA contract. Accordingly, the Court finds that Plaintiffs' third party beneficiary claim is not a “health benefits claim.”

b. Exclusive Enforcement Authority

In the alternative, the Non-Anthem Defendants argue that even “[i]f the Federal Employee Plaintiffs are suing for something other than benefits, their claims are no less barred because FEHBA's scheme gives OPM exclusive authority over all aspects of the contractual relationship, not just over benefits.” Non-Anthem Mot. at 17. The gist of this contention is that “FEHBA leaves no room for” Plaintiffs to seek a remedy as a third party beneficiary. Bridges v. Blue Cross and Blue Shield Ass'n , 935 F.Supp. 37, 41 (D.D.C.1996). Instead, “the broad enforcement and oversight powers of the OPM established in the statute indicate that the exclusive remedy for an action cognizable under... FEHBA” lies with OPM. Id.

The Court disagrees with this argument. As an initial matter, the Court notes that, “[w]hen interpreting contracts under federal law, courts look to general common law on contracts.” Interface Kanner, LLC v. JPMorgan Chase Bank, N.A. , 704 F.3d 927, 932 (11th Cir.2013). “One such general principle is that only a party to a contract or an intended third-party beneficiary may sue to enforce the terms of a contract or obtain an appropriate remedy for breach.” GECCMC 2005 C1 Plummer St. Office Ltd. P'ship v. JPMorgan Chase Bank, Nat'l Ass'n , 671 F.3d 1027, 1033 (9th Cir.2012). “This [rule] distinguishes intended beneficiaries to a contract whose rights are judicially enforceable from incidental beneficiaries whose rights are not judicially enforceable.” Id. In the instant case, Plaintiffs assert—and, more importantly, Defendants do not challenge—the fact that Plaintiffs are intended third party beneficiaries under the Federal BCBSA contract. See, e.g. , CAC ¶ 339 (“Federal Employee Plaintiffs and Class Members are intended third-party beneficiaries of the data security provisions in the contract between BCBSA...and OPM, and are entitled to directly enforce its terms.”). Thus, at least for purposes of the instant motions to dismiss, Plaintiffs have cleared the first hurdle by demonstrating intended third party beneficiary status.

Assuming that Plaintiffs are intended third party beneficiaries of the Federal BCBSA contract, it is—as a general matter—“no objection to an action by the third party that the contracting party (here the government) could also sue upon the contract for the same breach.” Shell v. Schmidt , 126 Cal.App.2d 279, 272 P.2d 82, 89 (Ct.App.1954) ; see also Malone v. Crescent City M & T Co. , 77 Cal. 38, 18 P. 858, 860 (1888) (“[I]t is no objection to the maintenance of a suit by him for whose benefit the promise is made that an action might be brought also against the one to whom the promise was made.”); id. (citing supporting case law from New York, Kansas, Wisconsin, and Alabama). To emphasize: as a matter of general contract law, both an intended third party beneficiary and a party to the contract may sue for breach. See generally Zigas v. Superior Court , 120 Cal.App.3d 827, 174 Cal.Rptr. 806, 811 (Ct.App.1981) (reaffirming holding in Shell ).

The Restatement of Contracts is in accord with this conclusion. Section 145, which addresses “Beneficiaries Under Promises to the United States,” states that:

A promisor bound to the United States...by contract to...render a service to some or all of the members of the public, is subject to no duty under the contract to such members to give compensation for the injurious consequences of performing or attempting to perform it, or of failing to do so, unless,...an intention is manifested in the contract, as interpreted in the light of the circumstances surrounding its formation.

Restatement (First) of Contracts § 145 (emphasis added). In other words, under the Restatement, promisors such as BCBSA have duties to the Federal Employee Plaintiffs because these Plaintiffs are intended third party beneficiaries.

In addition, the U.S. Supreme Court's decision in Astra USA, Inc. v. Santa Clara County, California , 563 U.S. 110, 131 S.Ct. 1342, 179 L.Ed.2d 457 (2011), is not inconsistent with this conclusion. In Astra, the U.S. Supreme Court determined that plaintiffs did not have standing to sue as third party beneficiaries where plaintiffs merely sought to enforce certain statutory obligations memorialized in a federal contract. See, e.g. , id. at 118, 131 S.Ct. 1342 (“The absence of a private right to enforce the statutory ceiling price obligations would be rendered meaningless if 340B entities could overcome that obstacle by suing to enforce the contract's ceiling price obligations instead. The statutory and contractual obligations, in short, are one and the same.”). The Astra Court emphasized that “[t]he form agreements, composed by HHS, contain no negotiable terms.” Id.

On the other hand, as the Court has noted, the Federal BCBSA contract here was specifically amended in 2014 such that BCBSA could be held to privacy standards above and beyond the standards required under federal law. See 2014 Amendments § 1.3(d). In addition, in direct contrast to the contract in Astra, where the agreement contained “no negotiable terms,” the 2014 Amendments include three full paragraphs that allow BCBSA to negotiate with OPM over which best practices BCBSA should implement. See id. § 1.3(d)(2) (“In a written response to such a recommendation, [BCBSA] shall (i) agree to adopt the recommendation, (ii) explain that it is already in compliance with the recommendation, or (iii) explain why maintaining its current practice...is equally, if not more, appropriate for its business purposes than the recommended best practice.”). As a final point, the consolidated amended complaint alleges that BCBSA breached the contract by failing to comply with various laws, regulations, and—most importantly—“industry standards for data security.” CAC ¶ 335. Thus, Plaintiffs' claim clearly reaches beyond the mere statutory violations that were at issue in Astra. In sum, under general principles of contract law, as reflected in the Restatement, U.S. Supreme Court precedent, and relevant state court case law, the mere fact that OPM could also bring suit against BCBSA does not bar Plaintiffs from bringing suit as a third party beneficiary.

The Non-Anthem Defendants, however, contend that the Federal BCBSA contract does not comport with these general contract law principles. Rather, the Non-Anthem Defendants contend that the Federal BCBSA contract is unique because it is governed by FEHBA, which gives exclusive enforcement authority to OPM. In support of this contention, the Non-Anthem Defendants point to both the structure of the Federal BCBSA contract and case law interpreting FEHBA.

The Court is not persuaded by either of these points. With respect to the structure of the Federal BCBSA contract, the Court has already noted that the Federal BCBSA contract provides an extensive administrative review process for “health benefits claims,” but that Plaintiffs' claims are not “health benefits claims.” The Court also observes that, under § 1.10 of the Federal BCBSA contract, BCBSA must notify OPM within ten days if BCBSA becomes aware of the occurrence of a “Significant Event.” Fed. BCBSA Contract § 1.10(a). BCBSA and OPM must then work together to address the Significant Event. Id. § 1.10(b). The Federal BCBSA contract provides a list of 13 Significant Events. None of these Significant Events mention or relate to data security. Thus, under a plausible reading of this section, BCBSA might not even have been required to notify OPM of the Anthem data breach, and OPM would not necessarily have needed to take corrective action.

Taken together, the extensive administrative review process and the “Significant Event” provisions appear to delineate some of the contours of OPM's authority. On a conceptual level, it might be helpful to consider OPM, the BCBSA, and Plaintiffs as being three separate but related actors. Here, OPM contracts with BCBSA, and Plaintiffs serve as an intended third party beneficiary. The instant contract, however, is unique in two ways. First, if Plaintiffs have a health benefits claim, Plaintiffs must go to OPM first. Second, if BCBSA experiences a Significant Event, such as the “[d]isposal of major assets” or a loss of more than 15% of its membership, id. § 1.10(b)(1) & § 1.10(b)(2), then BCBSA must go to OPM. The contract is silent as to all remaining matters, including matters of data security. Given this contractual structure, the Court finds that it would be equally (if not more) plausible to find that general contract law principles govern matters where the Federal BCBSA contract is silent, rather than the Non-Anthem Defendants' exclusive enforcement theory.

The Court also finds unavailing the Non-Anthem Defendants' reliance on Miscellaneous Service Workers v. Philco Ford Corp. , 661 F.2d 776 (9th Cir.1981), and Bridges v. Blue Cross and Blue Shield Association , 935 F.Supp. 37 (D.D.C.1996). Miscellaneous Service Workers addressed OPM's exclusive enforcement authority under the Service Contract Act, an altogether different act than FEHBA. 661 F.2d at 777. Given the complicated interplay here between specific contractual provisions, specific federal laws, and specific federal regulations, the Court declines to rely on a case interpreting a different contractual provision in the context of a different federal law.

Bridges appears to be more on point. In Bridges, plaintiffs “allege[d] that BCBSA's licensee entities, with BCBSA's knowledge and approval, secretly negotiated discounts on the cost of services of member facilities and physicians, and then failed to apply those discounts to the enrollees' coinsurance payments.” 935 F.Supp. at 39 (internal quotation marks omitted). Plaintiffs thereafter brought suit against BCBSA and OPM, with plaintiffs asserting violations of breach of contract and the Racketeer Influenced and Corrupt Organizations Act (“RICO”). Id. at 40. Plaintiffs did not bring a third party beneficiary claim. With respect to plaintiffs' breach of contract claim, the Bridges court observed that plaintiffs had “failed to exhaust... [the] administrative remedies under...FEHBA before filing suit against the carrier.” Id. at 44. With respect to plaintiffs' RICO claims, the Bridges court stated that “nothing in...FEHBA, nor in its implementing language or legislative history, indicates that the legislature had any intent to allow a civil RICO action to spring out of a violation of...FEHBA.” Id. at 42. The district court also noted that plaintiffs had failed to exhaust plaintiffs' breach of contract and RICO claims through the administrative review process. Finally, the district court observed that plaintiffs had failed “to allege injury resulting from BCBSA's investment of racketeering income into its business,” a substantive pleading requirement specific to RICO. Id. at 43 ; see also 18 U.S.C. § 1962(a) (specifying RICO pleading requirements).

The Court finds Bridges distinguishable for three reasons. First, the Bridges court did not rely only on an “exclusive enforcement” theory. Instead, the district court determined that plaintiffs had also failed to sufficiently allege a RICO violation as a substantive matter.

Second, the Court believes the RICO claim in Bridges is at least somewhat analogous to a “health benefits claim.” Indeed, the only way that plaintiffs in Bridges could have been overcharged for a coinsurance payment is if plaintiffs actually decided to exercise their health benefits. In the Statement of Benefits, for instance, the “Benefits Description” section provides a statement of what benefits are covered, followed by a discussion of the coinsurance payment that the insured must incur in exchange for a particular benefit. See, e.g. , 2014 Statement of Benefits at 37–118. On the other hand, the Statement of Benefits includes but a single sentence on data privacy, and a class member's data privacy could have been compromised even if that class member did not decide to exercise any health benefits.

Similarly, under the “Disputed Claims Process” section of the Statement of Benefits, an insured can readily dispute a coinsurance payment by including “copies of documents that support your claim, such as...bills...and explanation of benefits (EOB) forms.” Id. at 130. There is no clear parallel provision for recovery for a personal data breach.

Third, and finally, it is not clear that the Court should follow Bridges. Bridges was decided by the D.C. District Court in 1996. Since that time, more recent federal court precedent has appeared to take a more narrow understanding of OPM's enforcement authority. As this Court has noted, for instance, the Ninth Circuit allowed plaintiff in Roach, who was covered by a FEHBA plan, to proceed with a state medical malpractice claim against her health insurance carrier after finding that such a claim fell outside of OPM's purview. 298 F.3d at 850–51. In reaching this decision, the Ninth Circuit relied upon supporting decisions from the Third, Fifth, and Tenth Circuits. Id.

To conclude, neither the structure of the Federal BCBSA contract nor the case law cited by the Non-Anthem Defendants compels the Court to find, as a matter of law, that OPM has exclusive enforcement authority over the Anthem data breach as it applies to the Federal Employee Plaintiffs. Instead, under general principles of contract law and after a careful review of the interaction between relevant laws, regulations, and contractual provisions, the Court finds that Plaintiffs may proceed with their third party beneficiary claim. The Non-Anthem Defendants' motion to dismiss Plaintiffs' third party beneficiary claim is therefore DENIED.

3. Preemption of State Law Claims

In addition to arguments concerning OPM's enforcement of the Federal BCBSA contract, the Non-Anthem Defendants contend that the Federal Employee Plaintiffs' state law claims are preempted. This contention applies to two Plaintiffs in particular: Stella Williams (“Williams”), a resident of Indiana, and Alvin Lawson (“Lawson”), a resident of California.

The remaining Federal Employee Plaintiffs are residents of Connecticut and Nevada. The instant motions to dismiss do not address claims brought under Connecticut and Nevada law. Non-Anthem Opp'n at 15 n.10; Non-Anthem Mot. at 19.

The Court need not address whether Williams' Indiana state law claims are preempted. Only one of the ten causes of action selected by the parties is based on Indiana law—the Indiana negligence claim. As the Court has already determined, Plaintiffs can not proceed with this claim as a matter of law.

With respect to Lawson, two of the ten causes of action selected by the parties are based on California law—the California breach of contract claim and the California UCL claim. The Court finds Lawson's California breach of contract claim preempted, for two reasons. First, Plaintiffs do not contest that this claim is preempted. See, e.g. , Non-Anthem Opp'n at 15 (contesting Lawson's California UCL claim and Williams' Indiana negligence claim, but making no mention of Lawson's California breach of contract claim). Second, the Federal BCBSA contract expressly provides that “United States law will apply to resolve any claim of breach of this contract.” Fed. BCBSA Contract § 5.62; CAC ¶ 332 (“Under the...Federal BCBSA Contract, federal law applies to breach of contract claims.”).

On the other hand, whether or not Lawson's UCL claim is preempted is a more difficult question. The U.S. Supreme Court “has identified three types of preemption: express preemption, field preemption, and implied conflict preemption.” Deweese v. Nat'l R.R. Passenger Corp. (Amtrak), 590 F.3d 239, 245 (3d Cir.2009). Express preemption “exists when Congress includes in a statute explicit language stating an intent to preempt conflicting state law.” Id. Field preemption “occurs when a state law impinges upon a field reserved for federal regulation.” Id. (internal quotation marks omitted). Finally, implied conflict preemption exists “when compliance with both federal and state regulations is a physical impossibility, or when a state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.” Chinatown Neighborhood Ass'n v. Harris, 794 F.3d 1136, 1141 (9th Cir.2015) (internal quotation marks omitted). Here, the Non-Anthem Defendants contend that Lawson's UCL claim is subject to both express and implied conflict preemption. The Court addresses these contentions in turn.

a. Express Preemption

The Non-Anthem Defendants also assert that “the Federal Employee Plaintiffs' state law claims are displaced by federal common law.” Non-Anthem Reply at 9. Consistent with the approach taken by other federal courts, the Court addresses this displacement theory in its conflict preemption discussion. See Helfrich v. Blue Cross and Blue Shield Ass'n, 804 F.3d 1090, 1097 (10th Cir.2015) (“On the other hand, no conflict, no displacement.”).

On the issue of express preemption, FEHBA contains the following express preemption provision:

The terms of any contract under this chapter which relate to the nature, provision, or extent of coverage or benefits (including payments with respect to benefits) shall supersede and preempt any State or local law, or any regulation issued thereunder, which relates to health insurance or plans.

5 U.S.C. § 8902(m)(1) (emphasis added). Because this preemption provision mirrors ERISA's express preemption provision, see ERISA § 514, 29 U.S.C. § 1144(a), the Ninth Circuit has referred to U.S. Supreme Court decisions interpreting ERISA's “relate to” requirement in examining cases brought under FEHBA. Botsford v. Blue Cross and Blue Shield of Mont., Inc. , 314 F.3d 390, 393–94 (9th Cir.2002). Specifically, the Ninth Circuit has stated that FEHBA's “relate to” requirement must, as with ERISA's “relate to” requirement, not “be taken too literally.” Roach , 298 F.3d at 849. “If relate to were taken to extend to the furthest stretch of its indeterminacy, then for all practical purposes pre-emption would never run its course, for really, universally, relations stop nowhere.” Id. at 849–50 (internal quotation marks omitted).

With this principle in mind, the Ninth Circuit has “held that FEHBA preempts disputes over a “ ‘denial of benefits' and ‘the nature or extent of coverage for benefits.’ ” Botsford , 314 F.3d at 395. Indeed, “[t]he application of different state standards would disrupt the nationally uniform administration of benefits which FEHBA provides.” Id. (emphasis added). To further underscore this point, the Ninth Circuit has characterized “[a] dispute over benefits” as “precisely the kind of dispute that FEHBA preempts.” Id. Thus, in Botsford, the Ninth Circuit determined that a dispute over the amount of reimbursement of a particular claim constituted a dispute over benefits. Accordingly, plaintiff in Botsford could not pursue such a claim under Montana's Unfair Trade Practices Act.

In like manner, the Tenth Circuit recently observed that a number of federal courts have concluded that “FEHBA preempts state laws limiting subrogation and reimbursement.” Helfrich , 804 F.3d at 1107. Such state laws directly implicate how an insured's benefits are processed and how much an insured can receive after filing a health benefits claim. Thus, consistent with the decisions of these other federal courts, the Helfrich court determined that FEHBA preempted a “Kansas insurance regulation prohibiting subrogation and reimbursement clauses in insurance contracts.” Id. at 1092.

In contrast, as noted above, the Ninth Circuit has determined that state medical malpractice claims are not necessarily preempted by FEHBA. Roach , 298 F.3d at 850. In reaching this decision, the Ninth Circuit relied upon supporting case law from a number of other federal circuit courts, see id. (citing decisions from the Third, Fifth, and Tenth Circuits), and determined that state medical malpractice laws did not jeopardize “the federal interest in uniformity of FEHBA plan interpretation,” id.

After carefully reviewing these decisions, the Court concludes that Lawson's UCL claim does not represent a claim for benefits. The understanding of “benefits,” as elucidated in Roach, Helfrich, and Botsford, is that benefits pertain to an individual's medical coverage and payments related to such medical coverage. Benefits do not, however, pertain to claims related to data privacy. Accordingly, the Court finds that Lawson's UCL claim is not expressly preempted under FEHBA's express preemption provision, 5 U.S.C. § 8902(m)(1).

b. Conflict Preemption

Turning to the issue of conflict preemption, the Court notes that conflict preemption applies when compliance with federal and state law is physically impossible (hereinafter referred to as “impossibility preemption”) or where the state law is an obstacle to the purposes and objectives of the federal law (hereinafter referred to as “obstacle preemption”). “Courts will find impossibility preemption where it is impossible for a private party to comply with both state and federal requirements.” Fulgenzi v. PLIVA, Inc. , 711 F.3d 578, 584 (6th Cir.2013) (internal quotation marks omitted). Lawson's UCL claim is not subject to impossibility preemption. It would not be “impossible” for BCBSA to comply with both federal and state law. All BCBSA must do is take affirmative and reasonable measures to protect Plaintiffs' PII. According to Plaintiffs, Defendants' collective failure to take such steps resulted in the approximately 120 individual complaints filed against them.

Lawson's UCL claim is also not subject to obstacle preemption. The Non-Anthem Defendants' primary argument in this regard is that “the state law claims interfere with OPM's exclusive authority to police FEHBA carriers.” Non-Anthem Reply at 9. According to the Non-Anthem Defendants, the Federal BCBSA contract implicates uniquely federal interests, which thus preempts parties from asserting state law claims. Id. at 10. These arguments largely repeat the Non-Anthem Defendants' contentions concerning Plaintiffs' third party beneficiary claims. As with those claims, the Court finds that OPM's exclusive authority does not apply to claims over an individual's data privacy.

A review of the Congressional purpose behind FEHBA lends additional support to this finding. A report from the House of Representatives, for instance, “expressed fear that the imposition of state-law requirements on FEHBA contracts would result in...a lack of uniformity of benefits for enrollees in the same plan.” Helfrich , 804 F.3d at 1106 (quoting H.R. Rep. No. 95-282 at 4 (1977)) (alteration omitted) (emphasis added). Additional reports from the House and Senate further confirm the importance of FEHBA in the administration of benefits and medical coverage. See id. at 1106–07 (citing additional reports). In other words, health benefits—rather than promises concerning data privacy—represent the unique federal interests protected by FEHBA. Accordingly, because data privacy is not a “benefit” under FEHBA and is not, therefore, a uniquely federal interest, Lawson's UCL claim is not obstacle preempted.

In sum, the Court need not address whether Williams' Indiana negligence claim is preempted because Plaintiffs can not proceed with this claim as a matter of law. In addition, the Court finds that, as Plaintiffs concede, Lawson's California breach of contract claim is preempted. Lawson's California breach of contract claim is therefore DISMISSED with prejudice. Finally, the Court finds that Lawson's UCL claim is not preempted. Therefore, the Non-Anthem Defendants' motion to dismiss Lawson's UCL claim is DENIED.

IV. CONCLUSION

To conclude:

1. The Court GRANTS with leave to amend the Non-Anthem Defendants' motion to dismiss Blue Cross and Blue Shield of Alabama; Blue Cross and Blue Shield of Arizona, Inc.; CareFirst of Maryland, Inc.; Blue Cross and Blue Shield of Michigan; Blue Cross and Blue Shield of North Carolina, Inc.; Highmark Health Services; Highmark West Virginia, Inc.; BlueCross BlueShield of Tennessee, Inc.; Blue Cross and Blue Shield of Vermont; and Blue Cross and Blue Shield of Illinois, with respect to the selected claims at issue in the instant motions to dismiss.

2. The Court GRANTS with leave to amend the Non-Anthem Defendants' motion to dismiss Blue Cross and Blue Shield of Arizona, Inc.; BlueCross BlueShield of Tennessee, Inc.; and Highmark West Virginia, Inc. from this action in its entirety.

3. The Court GRANTS with leave to amend the Non-Anthem Defendants' motion to dismiss all Non-Anthem Defendants against whom no specific factual allegations were made with respect to Plaintiffs' New Jersey breach of contract, New York unjust enrichment, New York General Business Law § 349, and California Unfair Competition Law claims.

4. The Court GRANTS with leave to amend Defendants' motions to dismiss Plaintiffs' California breach of contract, New Jersey breach of contract, New York unjust enrichment, and Georgia Information and Privacy Protection Act claims. In addition, the Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' fraud claim under California's Unfair Competition Law.

5. The Court GRANTS with prejudice Defendants' motions to dismiss Plaintiffs' Indiana negligence, Kentucky Consumer Protection Act, Kentucky Data Breach Act, and Plaintiff Lawson's California breach of contract claim.

6. The Anthem and Non-Anthem Defendants' motions to dismiss are otherwise DENIED.

Should Plaintiffs elect to file an amended complaint curing the deficiencies identified herein, Plaintiffs shall do so within 30 days of the date of this Order. Failure to meet the 30 day deadline to file an amended complaint or failure to cure the deficiencies identified in this Order will result in a dismissal with prejudice. Plaintiffs may not add new causes of actions or parties without leave of the Court or stipulation of the parties pursuant to Federal Rule of Civil Procedure 15.

IT IS SO ORDERED.


Summaries of In re Anthem, Inc. Data Breach Litigation

holding Complaint sufficiently alleged allegations of unlawfulness prong

Summary of this case from In re Capital One Consumer Data Sec. Breach Litig.

finding that, in light of certain changes in Indiana's statutes surrounding data breaches, Pisciotta's holding still remained applicable to data breach actions

Summary of this case from ASPEN Am. Ins. Co. v. Blackbaud, Inc.

finding the language in Kwikset favors the argument that money spent on credit monitoring to prevent fraud is sufficient to assert statutory standing under the UCL

Summary of this case from Schmitt v. SN Servicing Corp.

finding that the plaintiffs alleged benefit-of-the-bargain losses when they alleged that they did not receive the full value of services for which they paid because of the defendant's failure to implement promised security measures

Summary of this case from In re Intel Corp. CPU Marketing, Sales Practices & Prods. Liab. Litig.

finding plaintiffs adequately alleged entitlement to restitution where plaintiffs adequately alleged lost benefit of the bargain as a result of defendant's lax data security measures

Summary of this case from In re Yahoo! Inc. Customer Data Sec. Breach Litig.

finding plaintiffs adequately alleged unfair conduct under the balancing test where the complaint alleged that defendant failed to adequately protect customer data, which was allegedly in violation of several statutes that reflected California's public policy of protecting customer data

Summary of this case from In re Yahoo! Inc. Customer Data Sec. Breach Litig.

finding plaintiffs alleged benefit of the bargain losses where plaintiffs alleged that they did not receive full value of services for which they paid because of defendant's failure to implement promised security measures

Summary of this case from In re Yahoo! Inc. Customer Data Sec. Breach Litig.

finding plaintiffs adequately alleged entitlement to restitution where the plaintiffs alleged they paid defendants money for data security, that defendants failed to undertake the data security measures, and that Plaintiffs therefore "overpa[id]" defendants

Summary of this case from Grace v. Apple Inc.

adopting "loss of benefit of the bargain" theory of "actual harm" for New York plaintiffs who alleged they had contracted for "reasonable and adequate security measures" that Anthem failed to deliver, causing plaintiffs to overpay for their health insurance

Summary of this case from Smallman v. MGM Resorts Int'l

adopting "loss of benefit of the bargain" theory of "actual harm" for New York plaintiffs, under the New York General Business Law, who alleged they had contracted for "reasonable and adequate security measures" that Anthem failed to deliver, causing plaintiffs to overpay for their health insurance

Summary of this case from In re Capital One Consumer Data Sec. Breach Litig.

adopting "loss of benefit of the bargain" theory of "actual harm" for New York plaintiffs who alleged they had contracted for "reasonable and adequate security measures" that Anthem failed to deliver, causing plaintiffs to overpay for their health insurance

Summary of this case from Attias v. Carefirst, Inc.

denying motion to dismiss claim under unfair prong of UCL because the balancing inquiry is not suited for the motion to dismiss stage

Summary of this case from Grace v. Apple Inc.

rejecting defendants' argument that "scores of other cyber intrusions and data thefts" could have caused plaintiffs' alleged injuries

Summary of this case from In re Yahoo! Inc. Customer Data Sec. Breach Litig.

rejecting the argument that under the relevant statute exclusive enforcement lies with the government and finding the plaintiffs could pursue breach of contract claims as third-party beneficiaries because the contract terms established that the defendant "could be held to privacy standards above and beyond the standards required under federal law"

Summary of this case from In re Premera Blue Cross Customer Data Sec. Breach Litig.

applying Indiana law-which is not at issue in this case-to determine whether the state created a private right of action to bring a tort claim for failure to protect personal information

Summary of this case from In re Am. Med. Collection Agency

noting that the language in Kwikset favors the argument that money spent on credit monitoring to prevent fraud is sufficient to assert statutory standing under the UCL

Summary of this case from Huynh v. Quora, Inc.

explaining that data breach occurred between December 2014 and January 2015

Summary of this case from In re Yahoo! Inc. Customer Data Sec. Breach Litig.

dismissing breach of contract claim for failure "to identify a relevant contractual provision that was breached"

Summary of this case from Mesa v. Am. Gen. Life Ins. Co.

dismissing breach of contract claim with leave to replead where plaintiffs failed to allege that the privacy notices at issue had been incorporated into a valid contract

Summary of this case from Dolmage v. Combined Ins. Co. of Am.

relying on Arnold to dismiss a class action claim under the KCPA

Summary of this case from Kempf v. Lumber Liquidators, Inc.

noting that Shames–Yeakel has not been relied on for the proposition "that a bank's duty not to disclose must include a duty to protect customers' personal information"

Summary of this case from USAA Fed. Sav. Bank v. PLS Fin. Servs., Inc.

following Restatement when evaluating third-party beneficiary claim to enforce the Federal BCBSA Contract

Summary of this case from Fero v. Excellus Health Plain, Inc.

identifying three different tests that California courts currently apply to determine if a practice is unfair

Summary of this case from Dual Diagnosis Treatment Ctr., Inc. v. Blue Cross of Cali.

dismissing a breach of contract claim because the plaintiffs failed to specify in their complaint which contractual provisions were breached

Summary of this case from Mentis Scis., Inc. v. Pittsburgh Networks, LLC