From Casetext: Smarter Legal Research

In re Premera Blue Cross Customer Data Sec. Breach Litig.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF OREGON
Feb 9, 2017
Case No. 3:15-md-2633-SI (D. Or. Feb. 9, 2017)

Opinion

IN RE: PREMERA BLUE CROSS CUSTOMER DATA SECURITY BREACH LITIGATION

This Document Relates to All Actions.

Kim D. Stephens, Christopher I. Brain, Chase C. Alvord, and Jason T. Dennett, TOUSLEY BRAIN STEPHENS PLLC, 1700 Seventh Avenue, Suite 2200, Seattle, WA 98101; Keith S. Dubanevich, Steve D. Larson, and Yoona Park, STOLL STOLL BERNE LOKTING & SHLACHTER PC, 209 SW Oak Street, Portland, OR 97204; Ari J. Scharg, EDELSON PC, 350 North LaSalle Street, Suite 1300, Chicago, IL 60654; Tina Wolfson, AHDOOT AND WOLFSON PC, 1016 Palm Avenue, West Hollywood, CA 90069; and James Pizzirusso, HAUSFELD LLP, 1700 K Street NW, Suite 650, Washington, DC 20006. Of Attorneys for Plaintiffs. Daniel R. Warren and David A. Carney, BAKERHOSTETLER LLP, 127 Public Square, Suite 2000, Cleveland, OH 44114; Paul G. Karlsgodt, BAKERHOSTETLER LLP, 1801 California Street, Suite 4400, Denver, CO 80202; and Darin M. Sands, LANE POWELL PC, 601 SW Second Avenue, Suite 2100, Portland, OR 97204. Of Attorneys for Defendant Premera Blue Cross.


OPINION AND ORDER

Michael H. Simon, District Judge.

Plaintiffs bring this putative class action against Defendant Premera Blue Cross ("Premera"), a healthcare benefits servicer and provider. On March 17, 2015, Premera publicly disclosed that its computer network had been breached. Plaintiffs allege that this breach compromised the confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The compromised confidential information includes names, dates of birth, Social Security Numbers, member identification numbers, mailing addresses, telephone numbers, email addresses, medical claims information, financial information, and other protected health information (collectively, "Sensitive Information"). According to Plaintiffs, the breach began in May 2014 and went undetected for nearly a year. Plaintiffs allege that after discovering the breach, Premera unreasonably delayed in notifying all affected individuals. Based on these allegations, among others, Plaintiffs bring various state common law claims and state statutory claims.

On August 1, 2016, the Court granted in part and denied in part Premera's motion to dismiss Plaintiffs' Consolidated Class Action Allegation Complaint. In re Premera Blue Cross Customer Data Sec. Breach Litig., --- F. Supp. 3d ---, 2016 WL 4107717 (D. Or. Aug. 1, 2016) ("Premera I"). The Court dismissed Plaintiffs' fraud-based claims and contract claims and gave Plaintiffs leave to replead. On September 30, 2016, Plaintiffs filed their First Amended Consolidated Class Action Allegation Complaint ("FAC"). Before the Court is Premera's motion to dismiss Plaintiffs' FAC ("Motion"). Specifically, Premera moves to dismiss Plaintiffs' amended fraud-based and contract claims. Premera also moves to dismiss several claims asserted by two named Plaintiffs, arguing that those claims are preempted by the Employee Retirement Income Security Act ("ERISA"), 29 U.S.C. § 1001 et seq. For the reasons that follow, the Court grants in part and denies in part Premera's Motion.

STANDARDS

A motion to dismiss for failure to state a claim may be granted only when there is no cognizable legal theory to support the claim or when the complaint lacks sufficient factual allegations to state a facially plausible claim for relief. Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010). In evaluating the sufficiency of a complaint's factual allegations, the court must accept as true all well-pleaded material facts alleged in the complaint and construe them in the light most favorable to the non-moving party. Wilson v. Hewlett-Packard Co., 668 F.3d 1136, 1140 (9th Cir. 2012); Daniels-Hall v. Nat'l Educ. Ass'n, 629 F.3d 992, 998 (9th Cir. 2010). To be entitled to a presumption of truth, allegations in a complaint "may not simply recite the elements of a cause of action, but must contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively." Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). All reasonable inferences from the factual allegations must be drawn in favor of the plaintiff. Newcal Indus. v. Ikon Office Solution, 513 F.3d 1038, 1043 n.2 (9th Cir. 2008). The court need not, however, credit the plaintiff's legal conclusions that are couched as factual allegations. Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009).

A complaint must contain sufficient factual allegations to "plausibly suggest an entitlement to relief, such that it is not unfair to require the opposing party to be subjected to the expense of discovery and continued litigation." Starr, 652 F.3d at 1216. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 556 U.S. at 678 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007)).

BACKGROUND

In Premera I, the Court described in detail the facts alleged by Plaintiffs concerning the events leading up to the breach, its discovery, and Premera's response. 2016 WL 4107717, at *2-4. In their amended pleading, Plaintiffs continue to allege a Nationwide Data Breach Class, consisting of all persons in the United States whose Sensitive Information was maintained on Premera's database and compromised as a result of the breach announced by Premera on or around March 17, 2015. Plaintiffs also allege a Nationwide Premera Policyholder and Plan Administration Subclass, consisting of all Nationwide Data Breach Class members who paid money to Premera before March 17, 2015 in exchange for health insurance or plan administration ("Policyholder Plaintiffs"). In the alternative, Plaintiffs allege several statewide common law classes, statewide statutory classes, and statewide Policyholder Plaintiffs subclasses. Plaintiffs further allege that all individually-named Plaintiffs are members of one or more classes or subclasses. In their amended pleading, Plaintiffs assert the following ten claims for relief:

First: Violation of Washington Consumer Protection Act;
Second: Violation of Washington Data Breach Disclosure Law;
Third: Negligence;
Fourth: Breach of Express Contract;
Fifth: Breach of Contract Implied-in-Fact;
Sixth: Quasi-Contract/Restitution/Unjust Enrichment;
Seventh: Violation of Other State Consumer Protection Laws;
Eighth: Violation of Other State Data Breach Notification Laws;
Ninth: Violation of California Confidential Medical Information Act; and
Tenth: Misrepresentation by Omission.

DISCUSSION

A. Plaintiffs' Fraud-Based Claims

In its Motion, Premera challenges the allegations of fraud contained in Plaintiffs' first, seventh, and tenth claims. Premera argues that Plaintiffs' claims that "sound in fraud" continue to fail to comply with the heightened pleading requirements of Rule 9(b) of the Federal Rules of Civil Procedure and should be dismissed. Plaintiffs respond that their new allegations cure the deficiencies identified by the Court in Premera I. Plaintiffs further respond that their state Consumer Protection Act ("CPA") claims allege that Premera's conduct was both deceptive and unfair and that the allegation of "unfair" conduct does not "sound in fraud" and thus is not subject to Rule 9(b).

1. Affirmative Misrepresentation

"To satisfy Rule 9(b), a pleading must identify 'the who, what, when, where, and how of the misconduct charged,' as well as 'what is false or misleading about [the purportedly fraudulent] statement, and why it is false.'" Cafasso v. Gen. Dynamics C4 Sys., Inc., 637 F.3d 1047, 1055 (9th Cir. 2011) (quoting Ebeid ex rel. United States v. Lungwitz, 616 F.3d 993, 998 (9th Cir. 2010)). In Premera I, the Court noted that Plaintiffs' allegations were unclear about whether Plaintiffs were alleging fraud by affirmative misrepresentation. To cure this deficiency, the Court directed that Plaintiffs must clearly and explicitly identify each specific affirmative misrepresentation alleged and provide all of the other information required under Rule 9(b).

Premera argues that Plaintiffs' allegations of fraud remain vague and lack the required specificity. Premera also argues that the statements are not false. Further, Premera states that Plaintiffs have not alleged that any of them even read, heard, saw or relied on any statement that could support a fraud claim. Plaintiffs respond that they have stated the alleged affirmative misrepresentations with sufficient specificity. Plaintiffs add that whether the alleged statements are true is an issue of fact not appropriate for resolution in a motion to dismiss. Plaintiffs do not directly respond to Premera's assertion that without a specific allegation that Plaintiffs actually read the alleged misrepresentations, Plaintiffs have not sufficiently alleged causation.

In their amended pleading, Plaintiffs allege that Premera's policy booklets, Notice of Privacy Practices ("Privacy Notice"), and Code of Conduct contain affirmative misrepresentations. Although Plaintiffs did not attach to their amended pleading copies of Premera's policy booklets, Privacy Notice, or Code of Conduct, Plaintiffs' amended pleading quotes from those documents and Plaintiffs provide identifying Bates numbers and web addresses showing precisely where these documents can be found. FAC ¶¶ 40-44. Premera has attached to its Motion a copy of its Notice of Privacy Practices dated November 20, 2015 (ECF 78-1), the two referenced policy booklets (ECF 78-3 and 78-4), and Premera's Code of Conduct dated May 2015 (ECF 78-5). The Court may consider these documents in ruling on Premera's Motion.

As a general rule, a district court may not consider any material beyond the pleadings in ruling on a motion under Rule 12(b)(6) of the Federal Rules of Civil Procedure. Lee v. City of Los Angeles, 250 F.3d 668, 688-89 (9th Cir. 2001). When matters outside the pleadings are presented to the court, a motion to dismiss generally must be converted to a motion for summary judgment under Rule 56, with the parties being given an opportunity to present all pertinent material. Fed. R. Civ. P. 12(d). There are, however, two exceptions to this rule. First, a court may consider "material which is properly submitted as part of the complaint." Lee, 250 F.3d at 688. This includes both documents physically attached to the complaint and those on which the complaint "necessarily relies" whose authenticity is not contested. Id. Second, the court may take judicial notice of "matters of public record" pursuant to Rule 201(b) of the Federal Rules of Evidence without being required to convert the Rule 12(b)(6) motion into a motion for summary judgment under Rule 56. Lee, 250 F.3d at 688-89.

a. Causation and reliance

Premera did not expressly and sufficiently raise its argument regarding causation and reliance in its opening brief. Accordingly, the court allowed Plaintiffs to respond at oral argument, and allowed both parties to submit supplemental briefs after oral argument.

Premera noted only generally in its introductory section that "Plaintiffs also have not alleged that any of them even read, heard, saw or relied on any statement that could support a fraud claim." ECF 78 at 7. Then, in discussing Plaintiffs' implied-in-fact contract claim, Premera argued that Plaintiffs failed to allege a meeting of the minds, citing and quoting the unpublished appellate decision in Krottner v. Starbucks Corp., 406 F. App'x 129, 131 (9th Cir. 2010), for the proposition that an implied contract claim must be dismissed "where plaintiffs could not allege 'they read or even saw the documents' relied on in their complaint, 'or that they understood them as an offer.'" ECF 78 at 24. Premera, however, did not offer any specific argument or authority for the proposition that Plaintiffs failed to allege causation or reliance in support of their affirmative misrepresentation claims. It was not until its reply brief that Premera expressly articulated its argument that without an allegation that any Plaintiff saw the alleged misrepresentations, those claims must fail. ECF 84 at 10-11.

Premera's argument essentially is that in an affirmative misrepresentation case, without any allegation that any plaintiff read and relied upon the allegedly false or misleading statements, a plaintiff cannot show the requisite causation. This argument, however, reads a reliance requirement into the causation element in a CPA claim that the Washington Supreme Court has not adopted.

At oral argument, Premera indicated that it also intended to raise this argument with respect to Plaintiffs' fraud by omission or half-truth claim. The Court finds that Premera did not sufficiently raise this argument in its motion. In its reply brief, when Premera articulated its causation theory, Premera stated: "In any event, the simple fact that no plaintiff alleges he or she ever saw any of these statements is alone dispositive of their affirmative misrepresentation claim." ECF 84 at 10 (emphasis added). Moreover, even if Premera had adequately raised this argument, it would be rejected. See Vernon v. Qwest Commc'ns Int'l, Inc., 643 F. Supp. 2d 1256, 1268 (W.D. Wash. 2009) (finding that allegations that the defendant failed to disclose a particular fee before the plaintiffs signed up to use the defendant's internet service were sufficient under Washington's CPA and noting that "Washington courts do not require a plaintiff to allege individual reliance on Defendants' conduct, particularly where the non-disclosure of a material fact is alleged." (emphasis added)).

In Indoor Billboard/Washington, Inc. v. Integra Telecom of Washington, Inc., 162 Wash. 2d 59 (2007), the Washington Supreme Court addressed what is required to prove causation under Washington's CPA when there has been an affirmative misrepresentation. In that case, the court rejected the defendant's argument that "a plaintiff must establish that the plaintiff relied on the defendant's unfair or deceptive act or practice to establish a causal link with the plaintiff's injury" and adopted the position argued by amici curiae in that case that a plaintiff need only establish a causal link between the alleged unfair or deceptive act or practice and the injury. Id. at 78, 83. The court further held that the causal link required is proximate causation and that "[a] plaintiff must establish that, but for the defendant's unfair or deceptive practice, the plaintiff would not have suffered an injury." Id. at 83. In addition, the court stated that "[p]roximate cause is a factual question to be decided by the trier of fact." Id.

Two years after the Washington Supreme Court decided Indoor Billboard, that court addressed the issue again in a decision that may be considered somewhat confusing. In this case, the Washington Supreme Court stated:

Depending on the deceptive practice at issue and the relationship between the parties, the plaintiff may need to prove reliance to establish causation, as in Indoor Billboard. Most courts have concluded a private right of action under state consumer protection law does not necessarily require proof of reliance, consistently with legislative intent to ease the burden ordinarily applicable in cases of fraud.
Panag v. Farmers Ins. Co. of Washington, 166 Wash. 2d 27, 59 n.15 (2009) (citing, among others, Bob Cohen, Annotation, Right to Private Action under State Consumer Protection Act—Preconditions to Action, 117 A.L.R.5th 155, § 10, at 222 (2004) (noting jurisdictions, including Washington, where reliance is not required)). Two years after deciding Panag, however, the Washington Supreme Court clarified that Indoor Billboard "firmly rejected the principle that reliance is necessarily an element of the plaintiff's case." Schnall v. AT & T Wireless Servs., Inc., 171 Wash. 2d 260, 277 (2011); see also Thornell v. Seattle Serv. Bureau, Inc., 184 Wash. 2d 793, 802 (2015) ("In Indoor Billboard this court rejected the principle that reliance is necessarily an element of plaintiff's CPA claim.").

Some cases decided in the Western District of Washington have indicated that under Washington's CPA, there is some level of reliance required to prove or allege causation. See, e.g., Kelley v. Microsoft Corp., 251 F.R.D. 544, 558 (W.D. Wash. 2008) (noting that a trier-of-fact would need to determine, among other things, whether each class member saw the allegedly misleading statement); Minnick v. Clearwire US, LLC, 683 F. Supp. 2d 1179, 1188 (W.D. Wash. 2010) (finding allegations that alleged misrepresentations on a website were deceptive insufficient where none of the plaintiffs alleged that they visited the website). These cases, however, decided before Schnall, do not imply that reliance is always required.

The Court holds that under the facts presented here, reliance is not required. The Washington CPA's purpose is "to protect the public and foster fair and honest competition." Wash. Rev. Code. § 19.86.020. It is intended to "ease the burden ordinarily applicable in cases of fraud." Panag, 166 Wash. 2d at 59 n.15. With this purpose in mind, the Court agrees with the discussion of causation and reliance in the context of class action certification by United States District Judge Richard A. Jones. In a relatively recent decision, Judge Jones explained that when there are substantially identical representations given to all plaintiffs, "the problems associated with proving reliance may be somewhat relaxed" and is distinguished from "a situation where each class member must prove the falsity of different representations, . . . but rather must prove the misleading nature of a substantially identical representation." Weidenhamer v. Expedia, Inc., 2015 WL 7157282, at *20 (W.D. Wash. Nov. 13, 2015) (emphasis in original). Here, as discussed below, the Court is allowing the Policyholder Plaintiffs' affirmative misrepresentation claim to proceed for those plaintiffs who received the Preferred Select policy booklet, Privacy Notice, or Code of Conduct. Plaintiffs allege that the Privacy Notice was sent with the policy booklet. Thus, the relevant Policyholder Plaintiffs received the same alleged misrepresentations.

Under such circumstances, and because Washington does not require proof of reliance and holds that proximate causation is an issue of fact, the Court agrees with courts in other jurisdictions that have held that such claims should not be dismissed unless "it is clear that no reasonable person would be deceived by defendant's conduct." Smith v. Wells Fargo Bank, N.A., 158 F. Supp. 3d 91, 101 (D. Conn. 2016), aff'd, 2016 WL 7323985 (2d Cir. Dec. 16, 2016); see also Carrera v. Bayer Corp., 727 F.3d 300, 309 (3d Cir. 2013) (holding that when Florida consumer protection law does not require actual reliance on the deceptive act, the relevant question is whether the alleged practice was likely to deceive a consumer acting reasonably in the same circumstances); Fitzpatrick v. Gen. Mills, Inc., 635 F.3d 1279, 1283 (11th Cir. 2011) (holding that when reliance is not required, "a plaintiff must simply prove that an objective reasonable person would have been deceived"); In re Gerber Probiotic Sales Practices Litig., 2013 WL 4517994, at *9 (D.N.J. Aug. 23, 2013) (noting that "the appropriate inquiry is whether a reasonable person would be misled by the overall advertising").

Further, in the context of analyzing class certification, the Central District of California, applying Washington law (as well as the law of three other relevant states), reached the same conclusion, holding that for CPA claims "materiality and reliance on alleged misrepresentations can be proven by reference to a reasonable consumer." Todd v. Tempur-Sealy Int'l, Inc., 2016 WL 5746364, at *8 (N.D. Cal. Sept. 30, 2016). Here, the Court declines to find that no reasonable person would be deceived by Premera's alleged conduct and representations. Thus, the court declines to dismiss Plaintiffs' affirmative misrepresentation claims for failing to allege causation, at least at the motion to dismiss stage of the proceedings.

b. Premera's policy booklets

Plaintiffs allege that Premera's policy booklets are sent to its members. FAC ¶ 181. Plaintiffs further allege that these booklets contain affirmative misrepresentations. Specifically, Plaintiffs assert that Premera's "Preferred Select" policy booklet states: "We protect your privacy by making sure your information stays confidential. We have a company confidentiality policy and we require all employees to sign it." FAC ¶ 43 and n.1; see also ECF 78-3 at 59. The statement that Premera protects policyholders' privacy and makes sure information stays confidential is a sufficiently specific representation. Plaintiffs allege that this statement is false because Premera did not protect its policyholders' privacy and did not "make sure" that their information stays confidential. See FAC ¶¶ 75-77, 137-141, 144. Plaintiffs also allege that Premera knew this statement was false at the time it made the statement because Premera knew of its inadequate data security measures. These allegations are sufficient under Rule 9(b) to allege a fraudulent misrepresentation for Policyholder Plaintiffs who were sent this booklet. Premera's argument that it did, in fact, reasonably protect the privacy of their policyholders' Sensitive Information presents a question that is inappropriate to resolve at this stage of the litigation.

Plaintiffs also allege that the "Preferred Bronze" policy contains a misrepresentation. FAC ¶ 43 and n.2. This policy states: "To safeguard your privacy, we take care to ensure that your information remains confidential by having a company confidentiality policy and by requiring all employees to sign it." FAC ¶ 43; see also ECF 78-4 at 52. Plaintiffs argue that this statement is a promise to take care to ensure that the policyholders' information stays confidential and it is false because Premera did not take adequate care to protect data security. Plaintiffs' argument, however, overlooks the second half of the sentence. Premera promised that it would ensure confidentiality "by having a company confidentiality policy and by requiring employees to sign it." FAC ¶ 43 (emphasis added). Thus, the Preferred Bronze policy contains a promise to have a company confidentiality policy and to have employees sign that policy. Plaintiffs do not allege that Premera did not have such a policy or did not require that its employees sign the policy. Thus, Plaintiffs' allegations are insufficient to allege fraud by misrepresentation based on the Preferred Bronze policy booklet.

c. Privacy Notice

Plaintiffs allege that Premera's Privacy Notice also was provided to its members. FAC ¶ 181. Plaintiffs allege in Paragraph 40 that the Privacy Notice contained misrepresentations, including:

• Premera is "committed to maintaining the confidentiality of your medical and financial information";

• Under federal law, Premera "must take measures to protect the privacy of your personal information" and "[i]n addition, other state and federal privacy laws may provide additional privacy protection";

• Premera "protect[s] your personal information in a variety of ways," including "authoriz[ing] access to your personal information . . . only to the extent necessary to conduct our business of serving you";

• Premera "take[s] steps to secure our buildings and electronic systems from unauthorized access";

• Premera "train[s] our employees on our written confidentiality policy and procedures and employees are subject to discipline if they violate them";

• Premera "will protect the privacy of your information even if you no longer maintain coverage through us"; and

• Premera is required by law to protect the privacy of Sensitive Information, provide the Privacy Notice to members, and notify members following a breach of Sensitive Information.

Plaintiffs allege that these statements are false or misleading because Premera was not committed to protecting Plaintiffs' Sensitive Information, did not take the appropriate measures required under federal and state law, did not protect Plaintiffs' Sensitive Information, did not properly train its employees, and did not provide adequate notice of the breach. See FAC ¶¶ 75-77, 137-141, 144. Some of these alleged representations are more appropriate for Plaintiffs' claim of fraud by omission or half-truth (e.g., that Premera represented that under federal law it was required to protect Plaintiffs' Sensitive Information while knowing that it was not adequately complying with those federal laws). Others, however, are representations that, if false, as Plaintiffs allege, are sufficient to allege a claim of affirmative misrepresentations (e.g., that Premera does not limit access to Sensitive Information, train and discipline its employees on data security, or protect privacy of Sensitive Information after a person no longer has coverage with Premera). Accordingly, for Plaintiffs who were provided Premera's Privacy Notice, Plaintiffs adequately have alleged a claim of affirmative misrepresentation.

d. Code of Conduct

Plaintiffs allege that Premera's Code of Conduct is found on its website and available to Premera's members. FAC ¶ 44 and n.3. Plaintiffs allege this Code of Conduct contains misrepresentations, including that: (1) Premera is "committed to complying with federal and state privacy laws"; (2) Premera uses "privacy principles to guide our actions," including that customers "should enjoy the full array of privacy protections"; (3) Premera uses, "where appropriate," technical and physical security safeguards; (4) Premera is "committed to ensuring the security of our facilities and electronic systems to prevent unauthorized access"; and (5) Premera is "expected to be aware of and follow established corporate policies, processes and procedures" to protect its buildings and computer systems in compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

To prevail on a CPA claim under Washington law, a plaintiff must establish each of the following elements: "(1) unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or her business or property; [and] (5) causation." Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash. 2d 778, 785-93 (Wash. 1986). The first two elements "may be established by a showing that (1) an act or practice which has a capacity to deceive a substantial portion of the public (2) has occurred in the conduct of any trade or commerce." Id. at 785-86. "Whether an alleged act is unfair or deceptive presents a question of law." Walker v. Quality Loan Serv. Corp., 176 Wash. App. 294, 318 (2013), as modified (Aug. 26, 2013). "'Implicit in the definition of 'deceptive' under the CPA is the understanding that the practice misleads or misrepresents something of material importance.'" Id. (quoting Holiday Resort Cmty. Ass'n v. Echo Lake Assocs., LLC, 134 Wash. App. 210, 226 (2006)).

Premera argues that its statements in the Code of Conduct are not deceptive both because they are mere "puffery" or expressions of corporate optimism and because they are not false. Premera cites to securities fraud cases in which courts have found statements in a code of conduct or code of ethics not to be material because they are merely expressions of corporate optimism. To show that an act or statement is "unfair or deceptive" under Washington's CPA, however, "[a] plaintiff need not show that the act in question was intended to deceive, but that the alleged act had the capacity to deceive a substantial portion of the public." Hangman Ridge, 105 Wash.2d at 785 (emphasis in original) (quotation marks omitted). Thus, the relevant inquiry is different than in traditional fraud cases—although materiality is an "implicit" element, the critical factor is whether the alleged statements contained in the Code of Conduct had the capacity to deceive a substantial portion of the public.

In looking at the statements contained in the Code of Conduct, the Court agrees with Premera that these are not guarantees and that they are closer to being aspirational statements. Cf. Lorona v. Arizona Summit Law Sch., LLC, 151 F. Supp. 3d 978, 995 (D. Ariz. 2015) (finding statement that a for-profit school "believes" lawyers should enter the workplace with sufficient preparation was aspirational); Nathanson v. Polycom, Inc., 87 F. Supp. 3d 966, 976 (N.D. Cal. 2015) (finding statements in a Code of Business Ethics that company funds must be used for company purposes, not personal gain, and that employees must ensure that the company receives good value for its expenditures were "'inherently aspirational' and hence immaterial"); Cement & Concrete Workers Dist. Council Pension, 964 F. Supp. 2d 1128, 1138-39 (N.D. Cal. 2013) (finding statements in a code of ethics immaterial because they are merely vague statements of corporate optimism).

In an unpublished opinion, the Washington Court of Appeals recently applied the concept of "puffery" in the context of a CPA claim. Babb v. Regal Marine Indus., Inc., 179 Wash. App. 1036, 2014 WL 690154, review granted, cause remanded on other grounds, 180 Wash. 2d 1021, 329 P.3d 67 (2014). The court explained that "[g]eneral, subjective, unverifiable claims about a product or service are 'mere puffery' that cannot give rise to false advertising or, in this context, an unfair or deceptive act." 2014 WL 690154, at *3. The court found that statements that a company stands behind its product, strives for exceptional customer services, and prides itself on being family owned were mere puffery and not actionable. Id. In another case, however, the Washington Court of Appeals found that statements included in marketing materials that the company's goal is to provide homes of the highest quality and workmanship and that home maintenance would be deferred because of the high quality and workmanship were actionable under the CPA. Carlile v. Harbour Homes, Inc., 147 Wash. App. 193, 212 (2008) (failing to discuss the concept of "puffery" in a CPA claim).

The Court finds the statements in Premera's Code of Conduct to be more similar to those in Carlile than in Babb. For purposes of a Washington CPA claim, the Code of Conduct statements have the capacity to deceive if, as Plaintiffs allege, Premera did not provide adequate data security. A reasonable person, reading these statements, would believe that Premera provides reasonable and adequate data security. Moreover, whether a company that will be receiving a person's most highly sensitive personal information will keep that information secure is an issue of material importance. Thus, Plaintiffs adequately allege a claim under Washington's CPA for alleged deceptive statements in Premera's Code of Conduct.

2. Active Concealment

As the Court explained in Premera I, active concealment is a species of fraud that requires more than allegations of an affirmative misrepresentation or "failing to own up to the truth." Premera I, 2016 WL 4107717, at *7. The Court granted Plaintiffs leave to replead this claim, if they could "clearly and explicitly allege what Premera did that constitutes active concealment, beyond merely making an affirmative misrepresentation or omitting to disclose material information." Id.

Plaintiffs argue that they have cured this deficiency by alleging that Premera continued to provide services and enroll new members despite knowing that it had failed in its obligations to protect data security. Essentially, Plaintiffs allege that by continuing to do business after learning about its data security vulnerabilities and breach, Premera actively concealed this information. But that is nothing more than an allegation that Premera failed or omitted to disclose material information of which it was aware. Plaintiffs do not allege any active concealment or any act that Premera engaged in to make it more difficult for Plaintiffs to discover the alleged data security problems or the nature of the alleged misrepresentations. This is insufficient to allege a claim for active concealment. Plaintiffs' claims of active concealment are dismissed.

3. Fraud by Omission

In Premera I, the Court held that in Plaintiffs' claims of fraud by omission Plaintiffs adequately had alleged materiality, reliance, the duty to speak, and the duty to avoid making a material omission. Premera I, 2016 WL 4107717, at *7. The Court found, however, that Plaintiffs had not alleged a clear articulation of precisely what should have been disclosed to Plaintiffs in order to prevent the statements that Premera did make from being misleading, i.e. a half-truth. Id. at *8. To cure this deficiency in their amended pleading, Plaintiffs add Paragraph 256, which alleges that Premera should have disclosed that it did not implement industry standard access controls, did not fix known vulnerabilities in its electronic security protocols, failed to protect against reasonably anticipated threats, and otherwise did not comport with its assurances regarding protecting information.

Premera argues that Plaintiffs' new allegations do not cure the deficiency identified by the Court and are unreasonably vague. The Court disagrees. Plaintiffs' allegations are sufficient to articulate what Plaintiffs allege should have been disclosed to prevent Premera's statements from being misleading. Premera also argues that its delay in notifying Plaintiffs was reasonable and necessary to prevent greater harm. Weighing the potential benefits and harm of earlier disclosure, however, raises an issue that is inappropriate to resolve in a motion to dismiss under Rule 12(b)(6).

4. Unfair Conduct

Plaintiffs argue that because they have added the allegation that Premera's conduct that allegedly violated Washington and other states' CPA laws was "unfair," these allegations are not subject to Rule 9(b). Plaintiffs cite to two cases involving alleged violations of the prohibition against unfair or deceptive acts or practices affecting commerce contained in section 5 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 45. In In re LabMD, 2016 WL 4128215 (F.T.C. July 29, 2016), the Federal Trade Commission ("FTC") held that LabMD's data security practices constituted an unfair act or practice within the meaning of the FTC Act. The FTC found that LabMD had failed to use proper detection or monitoring on its computer system, "provided essentially no data security training to its employees," and never deleted customer data. Id. at *1. The FTC then concluded that these practices satisfied the requirements of 15 U.S.C. § 45(n) that a practice is "unfair" if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by the consumer and the injury is not outweighed by countervailing benefits to consumers or competition. Id. at *7, 15-23.

In F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), the Third Circuit analyzed the authority of the FTC and the meaning of "unfair" under the FTC Act and held that a company's alleged failure to maintain reasonable and appropriate data security measures could constitute an unfair act under the FTC Act. Id. at 244-49. In analyzing unfairness, the Third Circuit stated:

We recognize this analysis of unfairness encompasses some facts relevant to the FTC's deceptive practices claim. But facts relevant to unfairness and deception claims frequently overlap. See, e.g., Am. Fin. Servs. Ass'n v. FTC, 767 F.2d 957, 980 n.27 (D.C. Cir. 1985) ("the FTC has determined that . . . making unsubstantiated advertising claims may be both an unfair and a deceptive practice."); Orkin Exterminating Co. v. FTC, 849 F.2d 1354, 1367 (11th Cir. 1988) ("[A] practice may be both deceptive and unfair . . . ."). We cannot completely disentangle the two theories here.
Id. at 245 (alterations in original) (footnote omitted, observing that the FTC and its employees have sometimes "described deception as a subset of unfairness").

Plaintiffs argue that because Washington's CPA directs that courts should be guided by federal decisions interpreting similar federal laws regarding unfair trade and competition, this Court should follow courts analyzing the FTC Act and find that the alleged "unfair" conduct is separate from the alleged "deceptive" conduct and is thus not subject to Rule 9(b). Premera does not respond to this specific argument and case law, but instead argues generally that Plaintiffs' allegations "sound in fraud" and Plaintiffs cannot amend their complaint in briefing.

The FTC Act cases relied on by Plaintiffs do not offer guidance about whether the allegations of "unfair" conduct sound in fraud such that they are subject to Rule 9(b). Those cases do not even mention Rule 9(b). Instead, they address the question of whether certain conduct may be considered "unfair" under 15 U.S.C. § 45(n). As the Court discussed in Premera I, in considering the applicability of Rule 9(b), a court must look to the alleged conduct underlying the claim—if it is fraudulent conduct, then Rule 9(b) applies. See Premera I, 2016 WL 4107717, at *5 (discussing Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1103 (9th Cir. 2003)). Here, the underlying conduct that Plaintiffs allege is "unfair" is the alleged misrepresentations, concealment, half-truths, and omissions. This is alleged fraudulent conduct and the nature of the conduct does not change because Plaintiffs label the same conduct as both "deceptive" and "unfair."

The third case cited by Plaintiffs, McGraw Co. v. Aegis Gen. Ins. Agency, 2016 WL 3745063 (N.D. Cal. July 13, 2016), is instructive on this point. The plaintiffs in McGraw alleged that the defendants had disparaged the plaintiffs in the market place (i.e., trade libel), took proprietary information from their computers, and "poached" their employees. Id. at *1. The court held that "[t]he latter two claims do not involve any factual averment of fraud; neither the information-stealing nor the employee-poaching charges involve factual allegations of misrepresentation, concealment, or other deception." Id. at *3. Thus, the court concluded that Rule 9(b) did not apply to those claims. Id. Here, to the contrary, the "unfair" conduct alleged by Plaintiffs involves only factual allegations of acts of deception—misrepresentation, concealment, and omissions. Thus, Rule 9(b) applies to Plaintiffs' CPA claims that Premera engaged in unfair conduct. As discussed above, the Court dismisses Plaintiffs' claims that Premera engaged in the unfair act of active concealment. The Court does not, however, dismiss Plaintiffs' claims that Premera engaged in the unfair acts of affirmative misrepresentation and fraud by omission and concludes that, except as expressly noted above, Plaintiffs have satisfied the requirements of Rule 9(b).

5. Conclusion

Plaintiffs sufficiently allege a claim for fraud by omission and claims based on alleged misrepresentations in statements made in Premera's Preferred Select policy booklet, Privacy Notice, and Code of Conduct. Plaintiffs, however, do not sufficiently allege an active concealment claim or claims based on affirmative misrepresentations contained in statements made in Premera's Preferred Bronze policy booklet. Those claims are dismissed.

B. Plaintiffs' Contract-Based Claims

1. Breach of Express Terms in the Express Contract

In Premera I, the Court agreed with Premera that Plaintiffs had not identified any express provision in the parties' health benefit contracts that contains any promise relating to data security and that Plaintiffs' references to Premera's Privacy Notice and Code of Conduct give rise to the question of whether those documents are part of the parties' health benefits contract. 2016 WL 4107717, at *9. In response, Plaintiffs added more specific allegations relating to the policy booklets, Privacy Notice, and Code of Conduct.

a. Policy booklets

The FAC identifies the specific provisions contained in the policy booklets that Plaintiffs contend were breached. FAC ¶ 43. For the reasons discussed in addressing Plaintiffs' claims of affirmative misrepresentation based on the policy booklets, the Court concludes that Plaintiffs adequately allege a breach of express contract for the Policyholder Plaintiffs who were sent the Preferred Select policy, but not those who were sent only the Preferred Bronze policy.

b. Privacy Notice

Plaintiffs also allege that Premera made promises in its Privacy Notice that were part of the health benefits contract and were materially breached. Plaintiffs allege that "Premera sends its Notice of Privacy Policy and its policy booklets to all members of the Nationwide Premera Policyholder and Plan Administration Subclass, forming an express contract." FAC ¶ 181. Premera argues that because Plaintiffs do not specifically allege that the Privacy Notice was attached to the policy booklet, Plaintiffs' allegations are insufficient to support a claim that the Privacy Notice was sent along with the policy booklet. The Court disagrees. It is a reasonable inference from Plaintiffs' allegations in Paragraph 181 that the two documents were sent together.

Premera also argues that even if the Privacy Notice was sent with the policy booklets, the policy booklets contain clauses that preclude interpreting any contract among the parties as including the Privacy Notice. The Preferred Select policy has an integration clause, titled "Entire Contract," which states that the contract includes the policy booklet, summary of costs, application, and "[a]ll attachments and endorsements included now or issued later." ECF 78-3 at 57. The Preferred Bronze policy does not have this specific clause. Instead, it states that Premera agrees to "the terms and conditions appearing on this and the following pages, including any endorsements, amendments, and addenda to this contract which are signed and issued by Premera Blue Cross." ECF 78-4 at 2.

The Court is persuaded by the reasoning stated by United States District Judge Ruben Castillo in the Northern District of Illinois in addressing similar arguments from the defendant insurance company moving to dismiss a breach of contract claim involving similar policy provisions and deciding whether a notice of privacy was included in the policy. Judge Castillo explained:

The matter is complicated, however, because the policy also expressly incorporates by reference certain extraneous documents. Specifically, it defines "policy" as "this policy with any attached application(s), and any riders and endorsements." The policy's table of contents specifies that "[a] copy of the application and any riders and endorsements follow page 17." As the documents have been submitted to the Court, there are several documents following page 17, including the Privacy Pledge. Based on the manner in which the Privacy Pledge was given to her, Plaintiff argues that this document qualifies as an endorsement. Defendant responds that the Privacy Pledge could not possibly constitute an endorsement under the plain meaning of that term.

"[A]n endorsement has been defined as being merely an amendment to an insurance policy; a rider." Alshwaiyat v. Amer. Serv. Ins. Co., 986 N.E.2d 182, 191 (Ill. App. Ct. 2013) (internal quotation marks and citation omitted). A "rider," in turn, is defined as "[a]n attachment to some document, such as ... an insurance policy, that amends or supplements the document." BLACK'S LAW DICTIONARY (10th ed. 2014). The Court disagrees with Defendant that the Privacy Pledge could not possibly satisfy these definitions. Plaintiff alleges that the Privacy Pledge accompanied the policy that was mailed to her, and this document can be read to supplement the policy by providing additional benefits to insureds regarding the handling of their personal information. The policy does require that endorsements be approved by Defendant's president or one of its vice-presidents, but the Privacy Pledge states that it was authored by Defendant's "Chairman, President and Chief Executive Officer."

Defendant argues that "an endorsement must be properly attached to the policy so as to indicate that it and the policy are parts of the same contract and must be construed together." But again, Plaintiff alleges that the Privacy Pledge was sent to her along with the policy documents, and the Court must accept this allegation as true. The policy itself states that the documents following page 17 are considered part of the policy, which would appear to include the Privacy Pledge. Based on Plaintiff's allegations and the language of the policy, her claim that the policy incorporated the Privacy Pledge is not implausible.

Defendant could have avoided any ambiguity by clearly labeling the documents sent with the policy that were intended to be incorporated by reference, but it did not do so. Or Defendant could have drafted an integration clause that did not reference outside documents, in which case Plaintiff would have been precluded from relying on outside documents to assert a breach of contract claim. But that is not how the policy was drafted, and any ambiguities must be construed against Defendant. Therefore, the Court rejects Defendant's argument that the contract documents foreclose Plaintiff's claim as a matter of law.
Dolmage v. Combined Ins. Co. of Am., 2016 WL 754731, at *4-6 (N.D. Ill. Feb. 23, 2016) (emphasis in original) (citations and footnotes omitted).

The Court holds that Plaintiffs have sufficiently alleged that Premera's Privacy Notice was expressly attached to and incorporated in the health benefits contracts. Further, for the same reasons the Court found the representations in the Privacy Notice are sufficiently specific for a misrepresentation claim, they are also sufficient for a breach of contract claim.

c. Code of Conduct

Regarding the Code of Conduct, as Plaintiffs quote in their FAC, the policy booklets connect the assurances relating to the protection of policyholders' Sensitive Information to a "company confidentiality policy." Plaintiffs allege that the Code of Conduct "appears to include the 'company confidentiality policy' referenced in the policy booklets." FAC ¶ 44. Premera argues that: (1) the mere reference to this policy is insufficient to incorporate clearly and unequivocally the terms of a company confidentiality policy for Premera employees into the contract between Premera and its policyholders; (2) the policy is not clearly identified and Plaintiffs are guessing that the Code of Conduct contains the policy; and (3) even if the Code of Conduct were incorporated, it does not contain any enforceable promises.

Under Washington law, "'[i]f the parties to a contract clearly and unequivocally incorporate by reference into their contract some other document, that document becomes part of their contract.'" Cedar River Water & Sewer Dist. v. King Cty., 178 Wash. 2d 763, 785 (2013), as modified (Jan. 22, 2014) (alteration in original) (quoting Satomi Owners Ass'n v. Satomi, LLC, 167 Wash. 2d 781, 801 (2009)). "It must also be clear that the parties to the agreement had knowledge of and assented to the incorporated terms." Swinerton Builders Nw., Inc. v. Kitsap Cty., 168 Wash. App. 1002 (2012) (quotation marks omitted).

Addressing Premera's first argument, the Preferred Select policy states: "We protect your privacy by making sure your information stays confidential. We have a company confidentiality policy and we require all employees to sign it." FAC ¶ 43. The Court concludes this is an enforceable promise to protect data security. It is not, however, an incorporation by reference to the company confidentiality policy. It contains a factual statement that a policy exists. It does not link any promise made to policyholders or obligation of Premera to the existence or terms of that confidentiality policy.

The Preferred Bronze policy, on the other hand, states: "To safeguard your privacy, we take care to ensure that your information remains confidential by having a company confidentiality policy and by requiring all employees to sign it." Id. As discussed above, the Court holds that this is not an enforceable promise to protect data security in and of itself. It does, however, incorporate by reference the confidentiality policy. The reason the Preferred Bronze policy, unlike the Preferred Select policy, incorporates the company confidentiality policy by reference is because Premera is promising to protect the privacy of policyholders' information by having a company confidentiality policy. Thus, the logical reading of this clause is that it is the terms of the confidentiality policy that will protect policyholders' private information and that the parties intended those terms to be incorporated by reference. See Brown v. Poston, 44 Wash. 2d 717, 719 (1954) (finding that where subcontractor contracted to perform plastering work on building "as per plans and specifications," those documents were thereby incorporated by reference into the contract); W. Washington Corp. of Seventh-Day Adventists v. Ferrellgas, Inc., 102 Wash. App. 488, 494 (2000) (finding that where a contract provides that work will be performed in accordance with other documents, those other documents are clearly and unequivocally incorporated by reference); Santos v. Sinclair, 76 Wash. App. 320, 325 (1994) (finding that where legal description of a property was vague, but the property was identified as "'Tract(s) 3 of short plat No. 702' the parties intended to use the more exact legal description of Tract 3 contained in Short Plat 702" and thus that legal description was incorporated by reference).

The fact that policyholders are not parties to the confidentiality policy does not prohibit its incorporation by reference. In fact, "[i]ncorporation by reference allows the parties to 'incorporate contractual terms by reference to a separate . . . agreement to which they are not parties, and including a separate document which is unsigned.'" W. Washington Corp. of Seventh-Day Adventists v. Ferrellgas, Inc., 102 Wash. App. 488, 494 (2000) (quoting 11 WILLISTON ON CONTRACTS § 30:25, at 233-34 (4th ed. 1999)).

Regarding Premera's second argument, the Court agrees that Plaintiffs' allegation that the Code of Conduct "appears" to contain the confidentiality clause incorporated into the Preferred Bronze policy indicates some doubt by Plaintiffs. Dismissal for inarticulate pleading, however, is not appropriate. Plaintiffs' allegations sufficiently place Premera on notice of what document Plaintiffs are claiming is the confidentiality policy and how it has been breached. Premera's argument that the Code of Conduct might not actually contain the referenced confidentiality policy is more appropriate to consider at summary judgment or trial.

Premera's final argument, that the Code of Conduct does not contain any enforceable promises, is well taken. As discussed above, the representations in the Code of Conduct are not guarantees but are expressions of corporate optimism. Although these statements are sufficiently alleged to be "deceptive" under Washington's CPA, they are not enforceable promises sufficient to support Plaintiffs' express contract claim.

2. Breach of Implied Terms in the Express Contract

The FAC clarifies that, in the alternative to their claim for breach of express terms in the express contract, the Policyholder Plaintiffs allege that there was an implied term in their express contract. FAC ¶ 183. Specifically, the Policyholder Plaintiffs allege that the express contracts included "implied terms requiring Premera to implement data security adequate to safeguard and protect the confidentiality of their Sensitive Information, including in accordance with HIPAA regulations, federal, state and local laws, and industry standards." Id.

Under Washington law, a court may imply an obligation into a contract when five requirements are met:

(1) the implication must arise from the language used or it must be indispensable to effectuate the intention of the parties; (2) it must appear from the language used that it was so clearly within the contemplation of the parties that they deemed it unnecessary to express it; (3) implied covenants can only be justified on the grounds of legal necessity; (4) a promise can be implied only where it can be rightfully assumed that it would have been made if attention had been called to it; (5) there can be no implied covenant where the subject is completely covered by the contract.
Brown v. Safeway Stores, 94 Wash. 2d 359, 370 (1980); see also Condon v. Condon, 177 Wash. 2d 150, 163 (2013) ("Courts will also not imply obligations into contracts, absent legal necessity typically resulting from inadequate consideration."). Legal necessity means "that a court will find an implied obligation only to save an otherwise invalid contract. Typically this means a contract otherwise lacking in consideration." Oliver v. Flow Int'l Corp., 137 Wash. App. 655, 663 (2006) (rejecting the reasoning of an out-of-state case implying a contractual term where there is adequate consideration because "in Washington . . . our courts do not imply an obligation in the absence of legal necessity" and noting that "[t]ypically, a term is implied in order to supply consideration, without which there would not be a valid contract").

At oral argument, the Court asked how to reconcile the fact that Washington courts imply the duty of good faith and fair dealing into every contract, which is not a "legal necessity," with the fact that one of the Brown requirements is that a term will not be implied absent legal necessity. The parties discussed this issue in their supplemental briefing. Neither the parties, nor the Court, however, has located any analysis performed by the Washington courts of this apparent tension. What is apparent, however, is that for decades Washington courts have implied the duty of good faith and fair dealing into every contract. See, e.g., Miller v. Othello Packers, Inc., 67 Wash. 2d 842, 844 (1966). Thus, in 1980 when the Washington Supreme Court in Brown enunciated the factors required to imply a term into a contract, taken from a 1975 Washington Court of Appeals case quoting a California case, the Washington Supreme Court knew about its longstanding acceptance of the implied duty of good faith and fair dealing.

Moreover, the Washington Supreme Court has explained that "the duty of good faith does not extend to obligate a party to accept a material change in the terms of its contract. Nor does it 'inject substantive terms into the parties' contract.' Rather, it requires only that the parties perform in good faith the obligations imposed by their agreement. Thus, the duty arises only in connection with terms agreed to by the parties." Badgett v. Sec. State Bank, 116 Wash. 2d 563, 569 (1991) (citations omitted). The reconciliation of these two doctrines may be that the Washington Supreme Court simply has adopted the widely accepted implied duty of good faith and fair dealing into every contract, but requires that the five Brown factors be met before implying any other term into a contract governed by Washington law.

Here, Premera argues that the Policyholder Plaintiffs do not allege legal necessity because the health benefits contracts are valid and implying a data security obligation is not required to prevent the contracts from being invalid. Premera also argues that implying a term into the parties' contract that requires data security is impermissible because it is essentially allowing a private right of action to enforce HIPAA requirements, which is expressly prohibited under that statute.

Plaintiffs respond that the legal necessity requirement is met under Washington law because HIPAA and other data breach and privacy laws require Premera to protect Plaintiffs' Sensitive Information. Plaintiffs note that any contract that disavowed such an obligation likely would be invalid as violating these laws. Assuming without deciding that Plaintiffs' argument is correct, Plaintiffs offer no authority for the proposition that if a contract could not expressly disclaim a particular obligation, a contract that does not expressly include that same obligation would be invalid. Nor do Plaintiffs provide authority for the proposition that if a clause disclaiming data security were included in a health insurance contract, a court necessarily would invalidate the entire contract, as opposed to invalidating only the improper (and unenforceable) disclaimer. The Court declines to so hold in the context of determining legal necessity for an implied term. Thus, for those contracts governed by Washington law, the Court declines to imply a term into the parties' contracts that would require adequate data security measures be taken.

Plaintiffs, however, also cite to an Oregon case that follows the RESTATEMENT (SECOND) OF CONTRACTS § 204 to imply a term into a contract without requiring legal necessity. Harrisburg Educ. Ass'n v. Harrisburg Sch. Dist. No. 7, 186 Or. App. 335 (2003). In Harrisburg, the court implied a term into the contract, even though the contract would not have otherwise been invalid. Id. at 347 ("Because it is consistent with the 'courageous common sense' principle articulated in the analogous contractual disputes, and because it best serves the parties' bargain and their expectations, this is an appropriate circumstance in which to follow section 204 of the Restatement."). Premera does not persuasively respond to the law in Oregon that governs implied contractual terms or to the law in any state other than Washington.

The RESTATEMENT (SECOND) OF CONTRACTS § 204 provides: "When the parties to a bargain sufficiently defined to be a contract have not agreed with respect to a term which is essential to a determination of their rights and duties, a term which is reasonable in the circumstances is supplied by the court."

The Court agrees with Plaintiffs that under the circumstances of this case, it is apparent that the parties intended that Plaintiffs or their health care providers would give Plaintiffs' Sensitive Information to Premera and that Premera would take reasonable and adequate steps to protect the confidentiality of that information. Thus, under Oregon law, this is an appropriate circumstance in which to follow Section 204 and imply Plaintiffs' proposed omitted essential term into the parties' contract. The Court also notes that although Premera argues that nowhere did it indicate that it would follow state law or industry standards, that argument is contradicted by the documents submitted by Premera. For example, the Privacy Notice and Code of Conduct both expressly reference state law protecting confidential information, and the Code of Conduct also notes that Premera is expected to be aware of and follow established corporate policies and procedures to protect confidential information.

The Court does not reach the issue of whether implying this term is allowable under any other state's law because the parties only discussed the state law in Oregon and Washington.

Premera's final argument is that implying a data security term into the parties' contract would frustrate the purpose of Congress in not allowing a private right of action under HIPAA. The fact that there is no private right of action under HIPAA, however, does not preclude causes of action under state law, even if such a cause of action requires as an element that HIPAA was violated. In Webb v. Smart Document Solutions, LLC, the Ninth Circuit noted that for jurisdictional purposes a "'complaint alleging a violation of a federal statute as an element of a state cause of action, when Congress has determined that there should be no private, federal cause of action for the violation, does not state a claim arising under the Constitution, laws, or treaties of the United States.'" 499 F.3d 1078, 1084 (9th Cir. 2007) (quoting Merrell Dow Pharm. v. Thompson, 478 U.S. 804, 817 (1986)). The court in that case, however, also concluded that when jurisdiction is not contingent on 28 U.S.C. § 1331 (federal question jurisdiction), the fact that there is no private right of action under HIPAA does not foreclose a state law claim, even if that claim requires as an element allegations that HIPAA was violated. Id. ("This jurisdictional concern is not present here. Had [the defendant] removed this case to federal court on the basis of federal question jurisdiction under § 1331, the lack of a private right of action to enforce HIPAA may have foreclosed Plaintiffs' [state law] claim. However, [the defendant] invoked diversity jurisdiction pursuant to 28 U.S.C. § 1332(d) to justify the removal." (alterations added)). Thus, the Ninth Circuit analyzed whether the plaintiffs' allegations showed a violation of HIPAA regulations to determine whether the plaintiffs had stated a claim for relief under state law. Id. at 1084-88 (noting that "[h]aving satisfied ourselves that we have jurisdiction, therefore, in accordance with California substantive law, we must analyze the federal regulations that will decide whether Plaintiffs have stated a claim for relief"). Here, like in Webb, Plaintiffs do not invoke jurisdiction under § 1331, but instead assert diversity jurisdiction under 28 U.S.C. § 1332(d) and the Class Action Fairness Act of 2005. Accordingly, HIPAA's lack of a private right of action does not foreclose Plaintiffs' state law breach of contract claim.

Premera also cites to Astra USA, Inc. v. Santa Clara County, 563 U.S. 110 (2011), and Grochowski v. Phoenix Constr., 318 F.3d 80 (2d Cir. 2003), to support its argument that a plaintiff may not label as a breach of contract claim what is really a claim for breach of a federal statute that does not allow a private right of action. These cases are distinguishable.

Astra USA involved form contracts between the government and pharmaceutical companies that contained no negotiable terms, merely incorporated statutory obligations, and were the means by which pharmaceutical companies could opt into a federal statutory program. 563 U.S. at 117-18. The Supreme Court rejected a breach of contract claim where health providers attempted to enforce as third-party beneficiaries the price-ceiling terms of the form contracts that incorporated the statute's obligations. Id. at 118. The Supreme Court explained:

The County's argument overlooks that the PPAs simply incorporate statutory obligations and record the manufacturers' agreement to abide by them. The form agreements, composed by HHS, contain no negotiable terms. Like the Medicaid Drug Rebate Program agreements, the 340B Program agreements serve as the means by which drug manufacturers opt into the statutory scheme. A third-party suit to enforce an HHS-drug manufacturer agreement, therefore, is in essence a suit to enforce the statute itself. The absence of a private right to enforce the statutory ceiling price obligations would be rendered meaningless if 340B entities could overcome that obstacle by suing to enforce the contract's ceiling price obligations instead. The statutory and contractual obligations, in short, are one and the same.
Id. (citation omitted). Similarly, in Grochowski, the Second Circuit held that when a government contract confirms a statutory obligation, "a third-party private contract action [to enforce that obligation] would be inconsistent with . . . the legislative scheme . . . to the same extent as would a cause of action directly under the statute" and "the plaintiffs' efforts to bring their claims as state common-law claims are clearly an impermissible 'end run' around the [federal statute]." 318 F.3d at 86.

Here, however, the policy booklets are not government contracts that merely confirm a statutory obligation or opt-in to a federal statutory scheme. Plaintiffs ask the Court to imply a term that Premera has agreed to provide reasonable and adequate data security, including data security that complies with HIPAA as well as with state and local laws and industry standards. This goes beyond merely confirming Premera's obligations under HIPAA and thus the fact that HIPAA does not provide a private right of action does not preclude the Court from implying this proposed term. See In re: Cmty. Health Sys., Inc., 2016 WL 4732630, at *23 (N.D. Ala. Sept. 12, 2016) (evaluating breach of contract claims for breaching contractual promises reasonably to protect data and allowing such claims to proceed); Dolmage, 2016 WL 754731, at *9 (same); In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 1010-11 (N.D. Cal. 2016) ("Anthem I") (rejecting the argument that under the relevant statute exclusive enforcement lies with the government and finding the plaintiffs could pursue breach of contract claims as third-party beneficiaries because the contract terms established that the defendant "could be held to privacy standards above and beyond the standards required under federal law"); accord In re Anthem, Inc. Data Breach Litig., 2016 WL 3029783, at *20 (N.D. Cal. May 27, 2016) ("Anthem II") ("A breach of contract claim based solely upon a pre-existing legal obligation to comply with HIPAA cannot survive dismissal." (emphasis in original)); Wiebe v. NDEX West, LLC, 2010 WL 2035992, *3 (C.D. Cal. May 17, 2010) (noting that "plaintiffs must . . . do something more to allege a breach of contract claim than merely point to allegations of a statutory violation").

3. Breach of Implied-in-Fact Contract

Plaintiffs also allege in the alternative to their express contract claim that by "providing their Sensitive Information, and upon Defendant's acceptance of such information, [the parties] entered into implied-in-fact contracts for the provision of data security, separate and apart from any express contracts." FAC ¶ 198. Plaintiffs further allege that the implied contracts "obligated Defendant to take reasonable steps to secure and safeguard Class members' Sensitive Information," that "[t]he terms of these implied contracts are further described in the federal laws, state law, local laws, and industry standards," and that Premera assented to these terms through its Privacy Notice, Code of Conduct, and other public statements. FAC ¶ 199.

As the Court explained in Premera I, Washington law recognizes contracts that are implied in fact. Such contracts are an agreement between parties "arrived at from their acts and conduct viewed in the light of surrounding circumstances, . . . . it grows out of the intentions of the parties to the transaction, and there must be a meeting of the minds." Milone & Tucci, Inc. v. Bona Fide Builders, Inc., 49 Wash. 2d 363, 367-68 (1956) (emphasis in original) (quotation marks omitted). An implied-in-fact contract still requires an offer, acceptance within the terms of the offer and communicated to the offeror, mutual intention to contract, and a meeting of the minds. Id.

Premera argues that Plaintiffs continue to fail adequately to allege that there was a meeting of the minds with respect to the alleged implied contract. Specifically, Premera asserts that because this claim is alleged on behalf of every plaintiff in the putative class, it includes persons whose Sensitive Information came into Premera's possession without any relationship between the parties, such as persons who obtained medical treatment in Washington state who had a health benefits provider other than Premera and may not have known that Premera was given their Sensitive Information. At least for such persons, Premera argues, Plaintiffs fail to allege the formation of an implied-in-fact contract.

Plaintiffs respond that they have alleged that all Plaintiffs "gave" their sensitive information to Premera and thus Premera did not just "come into possession" of the information. Although Plaintiffs allege in a conclusory fashion that all of them provided their Sensitive Information to Premera, Plaintiffs do not allege facts that plausibly suggest that Plaintiffs other than the Policyholder Plaintiffs gave information to Premera, as opposed to merely obtaining medical treatment in the state of Washington, giving their Sensitive Information to the Washington provider, who then may have sent that information to Premera for processing. There are no allegations of (1) an offer by Premera to accept Sensitive Information from those Plaintiffs, (2) a mutual intention to agree with those Plaintiffs regarding data security, or (3) any meeting of the minds between Premera and those plaintiffs regarding data security. Thus, there are insufficient allegations for any Plaintiffs or putative class members who are not Policyholder Plaintiffs to demonstrate the formation of an implied-in-fact contract relating to data security. Plaintiffs' claim of such an implied-in-fact contract for Plaintiffs other than the Policyholder Plaintiffs is therefore dismissed.

To the extent Premera intends to assert this argument against Policyholder Plaintiffs, however, the Court rejects Premera's position. For those Plaintiffs, there are sufficient allegations to support an alternative claim of a contract implied-in-fact. The policy booklets, Code of Conduct, and Privacy Notice all demonstrate Premera's commitment and intent to take reasonable and adequate steps to safeguard the Sensitive Information of its policyholders. Because the contractual relationship between Premera and the Policyholder Plaintiffs necessarily requires those Plaintiffs (and their doctors) to provide their Sensitive Information to Premera, Plaintiffs' allegations that they did so with an understanding and the intent that Premera would adequately protect that data is a plausible inference.

Premera also argues that this implied-in-fact contract is barred by the preexisting duty rule. Premera contends that the only specific law cited by Plaintiffs in the FAC is HIPAA, and thus that is the only law Plaintiffs sufficiently allege with which Premera must comply. Premera then concludes that because it is already obligated to comply with HIPAA under federal law, there could be no consideration for the promise to comply with federal law.

Premera is correct that Washington law recognizes the preexisting duty rule and that "the performance of an act which one party is legally bound to render to the other party is not legal consideration." Stephen Haskell Law Offices, PLCC v. Westport Ins. Corp., 2011 WL 1303376, at *3 (E.D. Wash. Apr. 5, 2011). Premera's argument, however, overlooks Plaintiffs' allegations that include promises other than compliance with HIPAA, such as promises that Premera will restrict access to Plaintiffs' Sensitive Information and will train and discipline employees. Plaintiffs specifically reference in their implied-in-fact contract claim all of Premera's alleged promises, including those contained in its Privacy Notice, which include more than just the protections provided by HIPAA. Thus, Premera's argument is rejected. See Dolmage, 2016 WL 754731, at *9 (rejecting argument that preexisting duty required dismissal of claim for breach of contract based on a privacy notice where that notice "contains other provisions unrelated to Defendant's compliance with federal law," including promises to restrict access to confidential information and to ensure third parties will protect confidential information); see also RESTATEMENT (SECOND) OF CONTRACTS, § 73, Cmt. b ("The requirement of consideration is satisfied . . . if the consideration includes a performance in addition to or materially different from the performance of a legal duty.").

4. Conclusion

The Policyholder Plaintiffs have sufficiently alleged claims for breach of express contract for alleged breach of Premera's obligations contained in the Preferred Select policy and Privacy Notice. Plaintiffs have not sufficiently alleged claims for breach of express contract for promises or obligations contained in the Preferred Bronze policy or Code of Conduct. Under Oregon law, Plaintiffs adequately allege breach of an implied term in their express contract, but this claim is not adequately alleged under the common law of contract in Washington. In addition, the Policyholder Plaintiffs sufficiently allege an alternative claim for breach of an implied-in-fact contract, but the non-Policyholder Plaintiffs have not.

C. ERISA Preemption

Under ERISA § 502(a), a civil enforcement action may be brought: (1) by a participant or beneficiary . . . (B) to recover benefits due to him under the terms of his plan, to enforce his rights under the terms of the plan, or to clarify his rights to future benefits under the terms of the plan. 29 U.S.C. § 1132(a). The Supreme Court has explained that "any state-law cause of action that duplicates, supplements, or supplants the ERISA civil enforcement remedy conflicts with the clear congressional intent to make the ERISA remedy exclusive and is therefore preempted." Aetna Health Inc. v. Davila, 542 U.S. 200, 207-08 (2004). Complete preemption applies when: (1) an individual, at some point in time, could have brought the claim under ERISA § 502(a)(1)(B); and (2) there is no other independent legal duty that is implicated by a defendant's actions. Id. at 211. There is, however, a presumption against federal preemption of state laws, and the Supreme Court has "made clear that this presumption plays an important role in ERISA cases." Gobeille v. Liberty Mut. Ins. Co., 136 S. Ct. 936, 954 (2016) ("In framing preemption doctrine, the Court does not 'assum[e] lightly that Congress has derogated state regulation, but instead . . . addresse[s] claims of pre-emption with the starting presumption that Congress does not intend to supplant state law[.]" (alterations in original) (citations omitted)); see also Anthem II, 2016 WL 3029783, at *45 (noting that the presumption against preemption applies "with equal force to cases involving ERISA preemption").

In their FAC, Plaintiffs identify specific provisions in the policy booklets and in other documents that Plaintiffs allege were incorporated into the health benefits contract that Plaintiffs allege were breached by Premera. Thus, argues Premera, Plaintiffs Forseter and Kalowitz are seeking to enforce rights they assert are due to them under their ERISA plan—specifically, data security rights. Premera further argues that these claims are completely preempted because they could have been brought under Section 502(a)(1)(B) of ERISA.

Premera makes this argument only with respect to these two plaintiffs to "simplify the issues before the Court on this motion," but Premera anticipates that the Court's analysis "will have ramifications for the majority of the other policyholder plaintiffs, who likewise allege they participate in employer-sponsored health plans." ECF 78 at 29.

Plaintiffs respond that: (1) Premera waived this argument by not raising it in the previous motion to dismiss; (2) data protection is not a "benefit" as that term is used in ERISA and thus Plaintiffs could not bring a claim under Section 502(a); and (3) even if data protection is an ERISA benefit, complete preemption is not applicable because Plaintiffs allege that Premera's duty to protect Plaintiffs' Sensitive Information arises independently from the ERISA plan documents.

1. Waiver

The Court rejects Plaintiffs' argument that Premera waived its right to raise a challenge based on ERISA preemption. Plaintiffs did not identify the express contractual provisions they contend were breached until the FAC, in which Plaintiffs for the first time relied on representations made in the policy booklets. Plaintiffs' original class action complaint did not reference or quote the policy booklets. Thus, Premera did not waive its ERISA challenge by failing to raise that argument previously against Plaintiffs' original complaint.

2. Whether Plaintiffs could have brought a claim under Section 502(a)

Plaintiffs urge the Court to follow the opinion of Anthem II in finding that data security is not a "benefit" as that term is used in ERISA and that all potential claims under Section 502(a)(1)(B) necessarily involve a "benefit." The Court finds Anthem II persuasive in its discussion of why data security is not a "benefit" under ERISA. Anthem II, 2016 WL 3029783, at *47 (observing that several of ERISA's "statutory subsections suggest that benefits must concern payments for healthcare-related services").

The Court disagrees, however, that all three types of claims under Section 502(a)(1)(B) must involve a "benefit." Section 502(a)(1)(B) provides for three types of claims: (1) to recover benefits due under the plan; (2) to enforce rights under the terms of the plan; or (3) to clarify rights to future benefits under the terms of the plan. 29 U.S.C. § 1132(a)(1)(B). As the Supreme Court has noted, "[t]his provision is relatively straightforward." Davila, 542 U.S. at 210. The first and third types of claims involve benefits under the ERISA plan. The second type of claim, however, more broadly allows a participant or beneficiary to enforce his or her rights under the plan, without reference to "benefits." If Congress intended the second type of claim to only involve the enforcement of benefits, it could easily have stated as much, like it did with the first and third types of claims. The fact that Congress did not include the term "benefits" in the second type of claim is presumed intentional under the doctrine of expressio unius est exclusio alterius. See Russello v. United States, 464 U.S. 16, 23 (1983) ("Where Congress includes particular language in one section of a statute but omits it in another section of the same Act, it is generally presumed that Congress acts intentionally and purposely in the disparate inclusion or exclusion." (quotation marks omitted)); United States v. Vance Crooked Arm, 788 F.3d 1065, 1075 (9th Cir. 2015) (applying the "longstanding canon" of expressio unius est exclusio alterius to presume that the exclusion of certain words in one part of a statute was intentional).

Additionally, if the second type of claim is interpreted as solely involving "benefits" under the plan, then it overlaps with either the first type of claim (looking backward, for benefits improperly withheld) or the third type of claim (looking forward, to ascertain rights to future benefits). Thus, there would be no need for the enumerated second type of claim. Interpreting the statute in this manner violates the surplusage canon of statutory construction, which requires a court to "avoid a reading [of a statute] that renders some words altogether redundant." Antonin Scalia and Bryan A. Garner, READING LAW: THE INTERPRETATION OF LEGAL TEXTS 176 (1st ed. 2012), citing inter alia, Lowe v. S.E.C., 472 U.S. 181, 208 n. 53 (1985) (Stevens, J.) ("[W]e must give effect to every word that Congress used in the statute."); Reiter v. Sonotone Corp., 442 U.S. 330, 339 (1979) (Burger, C.J.) ("In construing a statute we are obliged to give effect, if possible, to every word Congress used.").

The Court's interpretation that the second type of claim does not solely involve rights to "benefits" is also supported by the Supreme Court's description of the types of claims under Section 502(a)(1)(B). The Supreme Court noted that "[i]f a participant or beneficiary believes that benefits promised to him under the terms of the plan are not provided, he can bring suit seeking provision of those benefits. A participant or beneficiary can also bring suit generically to 'enforce his rights' under the plan, or to clarify any of his rights to future benefits." Davila, 542 U.S. at 210 (emphasis added). The Supreme Court thus identified the second type of claim as one that can be brought "generically" and is in addition to a claim for withheld benefits.

The Court in Anthem II found differently—that the second type of claim, to enforce rights under the terms of the plan, means "enforcing rights to retain benefits" under the plan. Anthem II, 2016 WL 3029783, at *47. Thus, the court in Anthem II concluded that "all three parts of ERISA § 502(a) refer to benefits" and that "ERISA complete preemption applies where ERISA benefits are at issue, and does not apply when ERISA benefits are not at issue." Id.

In reaching the conclusion that the second type of claim necessarily involved ERISA benefits, the court in Anthem II relied on the Fifth Circuit's opinion in Arana v. Ochsner Health Plan, 338 F.3d 433 (5th Cir. 2003) (en banc). Arana involved a declaratory judgment suit in which the plaintiff sought a declaration that his medical insurance provider, who had paid the plaintiff's medical claims, was required under Louisiana law to release its lien and subrogation claims against the personal injury settlement the plaintiff had received. Id. at 435-36. The plaintiff had filed suit in state court, and the defendant insurance company removed the case to federal court, basing jurisdiction on the argument that ERISA completely preempted the state law claims. Id. at 436. The district court agreed that ERISA preempted the state law claims and resolved the claims on the merits. Id. A panel of the Fifth Circuit held that the plaintiff's claim was not completely preempted by ERISA. Id. The panel held that the suit was not seeking to recover benefits under the plan because the plan had already paid out the benefits and was not seeking to enforce a right under the terms of the plan because the plaintiff was seeking a declaration that certain plan terms violated Louisiana law and were invalid. Id. The Fifth Circuit accepted review en banc to consider the jurisdictional issue.

The Fifth Circuit found that the plaintiff's first claim

can fairly be characterized either as a claim "to recover benefits due to him under the terms of his plan" or as a claim "to enforce his rights under the terms of the plan." As it stands, Arana's benefits are under something of a cloud, for OHP is asserting a right to be reimbursed for the benefits it has paid for his account. It could be said, then, that although the benefits have already been paid, Arana has not fully "recovered" them because he has not obtained the benefits free and clear of OHP's claims. Alternatively, one could say that Arana seeks to enforce his rights under the terms of the plan, for he seeks to determine his entitlement to retain the benefits based on the terms of the plan.
Id. at 438. The court in Anthem II relied on the last sentence to conclude that, as used in ERISA, a suit to enforce rights under the terms of the plan means seeking to enforce rights to retain benefits under the plan. Anthem II, 2016 WL 3029783, at *47.

The interpretation of "to enforce his rights under the terms of the plan" as meaning "to enforce his rights to retain benefits under the plan" adds words that Congress did not include. It is also not required by the en banc opinion in Arana. The fact that a claim could be considered both to recover benefits under the plan and to enforce rights under the plan (such as in Arana) does not mean that a claim to enforce rights under the plan must always be to retain benefits under the plan.

The Court declines to follow the conclusion in Anthem II that all three types of claims under Section 502(a) require ERISA benefits to be at issue. Accordingly, the fact that data security protection is not a "benefit" under ERISA is not determinative of whether complete ERISA preemption applies in this case.

Plaintiffs' reliance on Wickens v. Blue Cross of California, Inc., 2015 WL 4255129 (S.D. Cal. July 14, 2015), is misplaced. Unlike Plaintiffs here, the plaintiff in Wickens did not identify any express or implied term in his ERISA plan that allegedly had been breached, and the court in Wickens relied heavily on that fact. The court explained:

Plaintiff asserts an express and implied breach of contract claim. Although the breach of an express contract cause of action references the health insurance plan provided by Defendants, it does not provide any provisions of the contract that was breached. A careful look at Plaintiff's claim reveals that it does not relate to benefits under the plan and does not require an interpretation of the contract for purposes of benefits.

* * *

As to enforcing his rights under the plan, Plaintiff does not allege any express provisions of the plan that were breached.
Id. at *3.

Here, Plaintiffs allege that the express terms of their health benefit plans (including the allegedly incorporated documents) require Premera to provide reasonable and adequate data security measures and that those terms have been materially breached. Plaintiffs cite to the specific provisions they allege have been breached. Premera argues that those provisions are not promises to provide adequate data security. Thus, the Court must interpret those provisions in the health benefits contracts to determine whether they include data security promises, the contours of any promises, and whether the promises were breached. As alleged in this case, Plaintiffs' claims seek to enforce their alleged rights under their ERISA plan, and interpretation of the plan is required. Accordingly, at least some of the claims asserted in this case could have been brought under Section 502(a).

3. Independent Duty

Plaintiffs also argue that Premera had a duty independent from its ERISA plan reasonably and adequately to protect Plaintiffs' data privacy, and thus the second part of the Davila test is not met in this case. This argument is well taken. Plaintiffs have alleged that Premera was obligated to protect Plaintiffs' Sensitive Information under HIPAA, various state laws, and industry standards. Here, the court's discussion in Wickens is instructive:

"No independent legal duty exists where interpretation of the terms of the ERISA-regulated benefits plan forms an essential part of the claim and where the defendant's liability exists only due to its administration of the ERISA-regulated plan." Nielson v. Unum Life Ins. Co. of Amer., 58 F. Supp. 3d 1152, 1162 (W.D. Wash. 2014) (quoting Davila, 542 U.S. at 213); Marin Gen. Hosp., 581 F.3d at 950 ("Since the state-law claims asserted in this case are in no way based on an obligation under an ERISA plan, and since they would exist whether or not an ERISA plan existed, they are based on 'other independent legal dut[ies]' within the meaning of Davila.").

* * *

Plaintiff's breach of contract claim is not based on the interpretation of the plan for benefits but based on an independent duty of an entity to protect the personal information of individuals if such information is required to be provided to the entity.
Wickens, 2015 WL 4255129, at *3.

Plaintiffs' allegations include that Premera, irrespective of the ERISA plan, was obligated to protect Plaintiffs' Sensitive Information. This distinguishes Plaintiffs' claims from those at issue in Davila because there the potential state law liability "exist[ed] only because of petitioners' administration of ERISA-regulated benefit plans" and thus any potential state law liability "derives entirely from the particular rights and obligations established by the benefit plans." Davila, 542 U.S. at 213-14 (emphasis added). Plaintiffs here allege that Premera was required to protect Plaintiffs' Sensitive Information under state law, HIPAA, and industry standards, regardless of what is contained in the health insurance contracts. Plaintiffs' allegations are sufficient to show that their claims are not solely and entirely dependent on the ERISA plan. Id.; see also Nutrishare, Inc. v. Connecticut Gen. Life Ins. Co., 2014 WL 1028351, at *7 (E.D. Cal. Mar. 14, 2014) ("However, the UCL and fraud claims both involve violations of duties completely independent of ERISA. CIGNA has alleged that Nutrishare fraudulently misrepresented the rates for its services. This would be an actionable claim and a violation of a legal duty regardless of whether an ERISA plan was involved.").

The Supreme Court instructs that "[i]n order to evaluate whether the normal presumption against pre-emption has been overcome in a particular [ERISA] case," a court "must go beyond the unhelpful text [of ERISA] . . . and look instead to the objectives of the ERISA statute as a guide to the scope of the state law that Congress understood would [or would not] survive." De Buono v. NYSA-ILA Med. and Clinical Servs. Fund, 520 U.S. 806, 813-14 (1997). In a similar context, involving a claim of invasion of privacy, the Ninth Circuit followed this instruction and held: "Though there is clearly some relationship between the conduct alleged [invasion of privacy] and the administration of the plan, it is not enough of a relationship to warrant preemption. We are certain that the objective of Congress in crafting Section 1144(a) was not to provide ERISA administrators with blanket immunity from garden variety torts which only peripherally impact daily plan administration." Dishman v. Unum Life Ins. Co. of Am., 269 F.3d 974, 984 (9th Cir. 2001); see also Duran v. Cisco Sys., Inc., 2008 WL 4793486, at *4 (C.D. Cal. Oct. 27, 2008) (finding that claims for negligence and breach of fiduciary duty are not preempted by ERISA because "[f]inding preemption would immunize defendant from liability for alleged behavior—negligently allowing a third party to access plaintiff's personal information—that is only peripherally related to the administration of the plan" and concluding that "[t]his is not a result envisioned by Congress").

The Court similarly finds that although there is some relationship between data security and the administration of Plaintiffs' ERISA plans, it is not enough to overcome the presumption against preemption of state law. Moreover, Plaintiffs have sufficiently alleged an independent legal duty separate from the ERISA plan that has been implicated by Premera's alleged actions. Thus, complete preemption under ERISA does not apply.

At oral argument, Premera cited the Supreme Court's decision in Ingersoll-Rand Co. v. McClendon, 498 U.S. 133 (1990), as supporting ERISA preemption in this case. Ingersoll-Rand, however, is distinguishable. In that case, the Supreme Court explained that preemption would apply because:

We are not dealing here with a generally applicable statute that makes no reference to, or indeed functions irrespective of, the existence of an ERISA plan. . . . Here, the existence of a pension plan is a critical factor in establishing liability under the State's wrongful discharge law. As a result, this cause of action relates not merely to pension benefits, but to the essence of the pension plan itself.
Id. at 139-40 (emphasis in original). As discussed above, however, the state statutory and common law claims here are generally applicable, and they function irrespective of the existence of an ERISA plan. Further, the state law causes of action alleged by Plaintiffs do not relate to the "essence of the [ERISA] plan itself." Accordingly, Ingersoll-Rand does not support Premera's argument that complete preemption under ERISA applies in this case.

CONCLUSION

Premera's Motion to Dismiss (ECF 78) is GRANTED IN PART AND DENIED IN PART. Premera's motion is GRANTED against Plaintiffs' claims as follows: (1) Plaintiffs' fraud-based claims alleging active concealment of fraud are dismissed; (2) Plaintiffs' fraud-based claims alleging affirmative misrepresentations that are contained in Premera's Preferred Bronze policy booklet are dismissed; (3) Plaintiffs' contract-based claims alleging breach of express contract based on either the Preferred Bronze policy or Premera's Code of Conduct are dismissed; (4) Plaintiffs' contract-based claims alleging breach of an implied term in an express contract are dismissed for those Plaintiffs whose contract is governed by Washington law; and (5) the alternative claim for breach of an implied-in-fact contract asserted by Plaintiffs other than the Policyholder Plaintiffs is dismissed. Premera's Motion to Dismiss is DENIED in all other respects.

IT IS SO ORDERED.

DATED this 9th day of February, 2017.

/s/ Michael H. Simon

Michael H. Simon

United States District Judge

