Stasi v. Inmediata Health Grp.

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF CALIFORNIA
May 5, 2020
Case No.: 19cv2353 JM (LL) (S.D. Cal. May. 5, 2020)

Opinion

VICKI STASI, SHANE WHITE, and CRYSTAL GARCIA, individually and on behalf of all others similarly situated, Plaintiffs, v. INMEDIATA HEALTH GROUP CORP., Defendant.


ORDER GRANTING DEFENDANT'S MOTION TO DISMISS

Defendant Inmediata Health Group Corp. ("Inmediata") moves to dismiss this putative class action brought by Plaintiffs Vicki Stasi, Shane White, and Chrystal Garcia ("Plaintiffs") under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). The motion has been briefed and the court finds it suitable for submission without oral argument in accordance with Civil Local Rule 7.1(d)(1). For the below reasons, Inmediata's motion to dismiss under Rule 12(b)(1) is GRANTED.

I. BACKGROUND

In their Complaint, Plaintiffs allege that in January of 2019, Inmediata learned it was experiencing a large "data security incident" resulting in the exposure of "personal information" of over 1.5 million "affected individuals." (Compl. ¶ 1.) Inmediata provides software and service solutions to healthcare providers. (Id. ¶ 11.) The affected individuals' data was viewable online and downloadable. (Id. at ¶ 2.) "[D]ue to a webpage setting that permitted search engines to index internal webpages that Inmediata use[d] for business operations," the affected individuals' information "was also searchable, findable, viewable, and downloadable by anyone with access to an internet search engine[.]" (Id.) The affected individuals' data exposed included "the types of information that federal and state law requires companies to take security measures to protect: names, addresses, [s]ocial [s]ecurity numbers, dates of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physicians." (Id. at ¶ 3.)

By letter dated April 22, 2019, Inmediata notified Plaintiffs "of a data security incident that may have resulted in the potential disclosure of your personal and medical information." (Id. ¶¶ 4-6; Doc. No. 1-2 at 2.) On April 24, 2019, Inmediata issued a press release regarding the incident. (Compl. ¶ 14.) Inmediata also filed sample "notice of data security incident" letters with various state attorneys general that mirrored the language of the letters sent to Plaintiffs. (Id. ¶ 15.) The letters stated that "[i]n January 2019, Inmediata became aware that some of its member patients' electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website we use for our business operations." (Id. ¶ 16.) The letters also stated that "information potentially impacted by this incident may have included your name, address, date of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physician." (Id. ¶ 17.) Inmediata offered to provide identity monitoring services, but only to those who had their social security numbers disclosed. (Id. ¶ 20.)

On December 9, 2019, Plaintiffs filed a putative nationwide class action containing claims for negligence, negligence per se, breach of contract, violation of California's Confidentiality of Medical Information Act, CAL. CIV. CODE §§ 56-56.37, and the Minnesota Health Records Act, MINN. STAT. ANN. §§ 144.291-144.34. Plaintiffs bring the action on behalf of themselves and "[a]ll persons . . . . whose [p]ersonal [i]nformation was compromised as a result of the Inmediata Data Security Incident announced by Inmediata on or around April 24, 2019." (Compl. ¶¶ 40-41.)

II. LEGAL STANDARDS

Federal Rule of Civil Procedure 12(b)(1) allows a party to move for dismissal of an action based on lack of subject-matter jurisdiction. "Dismissal for lack of subject matter jurisdiction is appropriate if the complaint, considered in its entirety, on its face fails to allege facts sufficient to establish subject matter jurisdiction." In re Dynamic Random Access Memory Antitrust Litig., 546 F.3d 981, 984-85 (9th Cir. 2008) (citation omitted). The plaintiff bears the burden of establishing that subject matter jurisdiction exists. U.S. v. Orr Water Ditch Co., 600 F.3d 1152, 1157 (9th Cir. 2010). If the court finds that it lacks subject matter jurisdiction at any time, it must dismiss the action. Fed. R. Civ. P. 12(h)(3).

A party challenging jurisdiction under Rule 12(b)(1) may do so either on the face of the pleadings or by presenting extrinsic evidence. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000) ("Rule 12(b)(1) jurisdictional attacks can be either facial or factual"). In a facial attack, the court accepts the allegations in the complaint as true and draws all reasonable inferences in the plaintiff's favor. Wolfe v. Strankman, 392 F.3d 358, 362 (9th Cir. 2004). In a factual attack, the court need not presume the truthfulness of the plaintiff's allegations, and the court may look beyond the complaint without having to convert the motion into one for summary judgment. White, 227 F.3d at 1242 (citation omitted); see also Thornhill Pub. Co., Inc. v. Gen. Tel. & Elec.'s Corp., 594 F.2d 730, 733 (9th Cir. 1979) ("[N]o presumptive truthfulness attaches to plaintiff's allegations, and the existence of disputed material facts will not preclude the trial court from evaluating for itself the merits of jurisdictional claims.") (internal quotation marks and citation omitted).

III. DISCUSSION

The parties dispute whether Plaintiffs have Article III standing based on the potential disclosure of some of their personal and medical information on the internet. "A suit brought by a plaintiff without Article III standing is not a 'case or controversy,' and an Article III federal court therefore lacks subject matter jurisdiction over the suit." Cetacean Cmty. v. Bush, 386 F.3d 1169, 1174 (9th Cir. 2004) (citation omitted). To show standing, Plaintiffs must establish: (1) they suffered an injury in fact, i.e., an invasion of a legally protected interest which is concrete and particularized, and actual or imminent, not conjectural or hypothetical; (2) a causal connection by proving that their injury is fairly traceable to the challenged conduct; and (3) their injuries will likely be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992); Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1121-22 (9th Cir. 2010).

Plaintiffs, invoking federal jurisdiction, bear the burden of establishing actual or imminent injury. Lujan, 504 U.S. at 561; see also City of Los Angeles v. Lyons, 461 U.S. 95, 101 (1983) ("[T]hose who seek to invoke the jurisdiction of the federal courts must satisfy the threshold requirement imposed by Article III of the Constitution by alleging an actual case or controversy."). Plaintiffs can meet this burden by putting forth "the manner and degree of evidence required at the successive stages of the litigation." Lujan, 504 U.S. at 561. At the motion to dismiss stage, standing is demonstrated through allegations of "specific facts plausibly explaining" that standing requirements are met. Barnum Timber Co. v. Envtl. Prot. Agency, 633 F.3d 894, 899 (9th Cir. 2011). "That a suit may be a class action . . . . adds nothing to the question of standing." Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 n.6 (2016) (internal quotation marks and citation omitted). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton, 414 U.S. 488, 494 (1974) (citations omitted).

The parties' threshold dispute is whether Plaintiffs have adequately alleged an injury in fact. Clearly, at this juncture, the prevailing theme of Plaintiffs' alleged concrete, particularized, and actual or imminent injury is anticipated financial loss, either through identity theft or other fraud. In their Complaint, Plaintiffs allege they suffered an injury in fact because they are "subject to continued, future risk of identity theft, fraudulent charges and other damages." (Compl. ¶ 21.) Inmediata argues that Plaintiffs have not adequately alleged a risk of future identity theft that is imminent or certainly impending because Plaintiffs do not allege that their specific "electronic health information" was accessed or viewed by an unauthorized person, used to commit identity theft, or that there is any factual basis to assume that harm would ever occur. (Mot. 13-15.) Inmediata also points out that it has been over a year since its "errant web page setting." (Id. at 13.) Plaintiffs respond by arguing that under Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018), cert. denied sub nom. Zappos.com, Inc. v. Stevens, 139 S. Ct. 1373 (2019), the risk of future identity theft based on the exposure of their personal information is sufficient to establish an injury in fact. (Opp. 12.)

A. Caselaw

In Krottner, a laptop was stolen from Starbucks Corporation that contained the names, addresses, and social security numbers of approximately 97,000 employees. 628 F.3d at 1140. The plaintiffs alleged they were injured based on the increased risk of future identity theft, and as a result, enrolled themselves in credit monitoring services (even though Starbucks provided those services at no cost to affected employees). Id. at 1142. One of the plaintiffs also alleged that someone attempted to open a bank account in his name, but the bank closed the account before he suffered any loss. Id. The court found the plaintiffs sufficiently alleged an injury in fact based on "a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data." Id. at 1143. However, the court warned that "[w]ere [the plaintiffs'] allegations more conjectural or hypothetical - for example, if no laptop had been stolen, and [p]laintiffs had sued based on the risk that it would be stolen at some point in the future - we would find the threat far less credible." Id.

After Krottner, in Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013), the Supreme Court emphasized the strictness of the standard for finding an injury in fact based on a threatened future injury. Clapper involved a constitutional challenge to a portion of the Foreign Intelligence Surveillance Act authorizing surveillance of communications with certain foreign persons. Id. at 404. Upon the law's enactment, attorneys, human rights workers, and journalists claimed they were injured because the government would likely acquire their communications under the statute's authority at some point in the future. Id. at 407. The petitioners also argued the risk was so substantial they were forced to take costly and burdensome measures to protect the confidentiality of their international communications. Id. The Court stressed that, in order to confer standing, threatened injuries must be "certainly impending" and not "too speculative" or merely "possible." Id. at 409.

The Court found the threatened injury based on the potential interception of plaintiffs' communications was not fairly traceable to the challenged statute because the injury was not certainly impending. Id. at 410. The Court found the threatened injury to be "highly speculative" and based on a "highly attenuated chain of possibilities," including that the government would intercept the communications of the particular petitioners under the challenged statute instead of another source of authority. Id. In reaching its decision, the Court rejected the argument that the petitioners were required to assume their communications would be intercepted. Id. at 411. The Court stated, "[w]e decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors." Id. at 414. Regarding the costly protective measures allegedly taken by the petitioners, the Court stated, "respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending." Id. at 416; see also id. at 417 ("[T]he costs that they have incurred to avoid surveillance are simply the product of their fear of surveillance . . . . [and] such a fear is insufficient to create standing."). The Court acknowledged, however, that "[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about," and "[i]n some instances, we have found standing based on a "substantial risk" that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm." Id. at 414 n.5 (citations omitted).

The full "chain of possibilities" the Court found must occur in order for the petitioners to suffer their alleged injury was described as follows:

(1) the Government will decide to target the communications of non-U.S. persons with whom they communicate; (2) in doing so, the Government will choose to invoke its authority under [the challenged statute] rather than utilizing another method of surveillance; (3) the Article III judges who serve on the Foreign Intelligence Surveillance Court will conclude that the Government's proposed surveillance procedures satisfy [the challenged statute's] many safeguards and are consistent with the Fourth Amendment; (4) the Government will succeed in intercepting the communications of respondents' contacts; and (5) [the] respondents will be parties to the particular communications that the Government intercepts.
Clapper, 568 U.S. at 410.

Lastly, in Zappos, 888 F.3d at 1026, the Ninth Circuit held that Krottner was not clearly irreconcilable with Clapper, and thus Krottner remained good law, because: (1) the plaintiffs' alleged injury in Krottner did not require a "speculative multi-link chain of inferences;" (2) the Krottner laptop thief had all the information he needed to open accounts or spend money in the plaintiffs' names; (3) Clapper's standing analysis was "especially rigorous" because, unlike Krottner, the case implicated national security and separation of powers issues; and (4) Clapper recognized the "substantial risk" of injury standard, and in Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014), the Supreme Court "reemphasized" that an allegation of future injury may suffice if the threatened injury is certainly impending, or if there is a substantial risk the harm will occur. See also Antman v. Uber Techs., Inc., No. 3:15-CV-01175-LB, 2015 WL 6123054, at *10 (N.D. Cal. Oct. 19, 2015) ("The court thinks that a credible threat of immediate identity theft based on stolen data is sufficiently different than the speculative harm articulated in Clapper."); Corona v. Sony Pictures Entm't, Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *2 (C.D. Cal. June 15, 2015) ("While the Court [in Clapper] found no standing based on the facts before it, despite the slight difference in wording, the injury-in-fact standard remained unchanged.").

The court also noted that two other circuit courts since Clapper found that theft of personal information can be sufficient to establish standing. Zappos, 888 F.3d at 1026 n.6.

In Zappos, hackers breached the servers of an online retailer and allegedly stole the names, account numbers, passwords, e-mail addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million customers. 888 F.3d at 1023. The court found the plaintiffs sufficiently alleged an injury in fact based on the substantial risk the hackers would commit identity theft. Id. at 1029. Regarding Krottner, the court stated it was "the sensitivity of the personal information, combined with its theft, [that] led us to conclude that the plaintiffs had adequately alleged an injury in fact supporting standing." Id. Even though the stolen information in Zappos did not include social security numbers, the court found the "sensitivity of the stolen data in this case is sufficiently similar to that in Krottner to require the same conclusion here." Id. at 1027. The court reasoned that: (1) the plaintiffs alleged their information could be used to commit identity theft, as well as "phishing" and "pharming," which are ways for hackers to get even more information; (2) the stolen information allegedly included credit card numbers, and Congress has treated credit card numbers as sufficiently sensitive to warrant legislation prohibiting merchants from printing the numbers on receipts; (3) by urging affected customers to change their passwords on any other account for which they may have used the same or a similar password, Zappos acknowledged the information taken could be used to commit identity theft; (4) other plaintiffs, who were not parties to the appeal because the district court ruled they had standing, alleged that the hackers had already commandeered their accounts or identities, and that they suffered financial losses; (5) two of the plaintiffs alleged the hackers took over their e-mail accounts and sent advertisements to people in their address books; and (6) even though months passed since the breach without harm, the plaintiffs alleged it could take years for victims of the breach to experience identity theft, or to find out they were victims. Id. at 1027-28.

B. Threat of Identity Theft

Plaintiffs are correct that under Krottner and Zappos the threat of identity theft can constitute an injury in fact, even if identity theft has not yet occurred. Krottner, 628 F.3d at 1140; Zappos, 888 F.3d at 1029. However, the type of information that was allegedly exposed here, and the resulting risk of identity theft, does not rise to the level the court found sufficient in Krottner and Zappos, and is not, as Plaintiffs claim, "enough to enable any crook to steal the identities of Plaintiffs and putative class members." (Opp. 12.) For several reasons, Krottner and Zappos are distinguishable and do not establish Plaintiffs' injury in fact.

1. Social Security Numbers

At the outset, Krottner and Zappos are distinguishable because Plaintiffs do not allege their social security numbers were included in the information that was potentially exposed on the internet. Although Plaintiffs allege that "affected individuals" had their social security numbers exposed, a careful reading of the Complaint reveals that Plaintiffs do not actually allege that their social security numbers were exposed. See Spokeo, 136 S. Ct. at 1547 n.6 ("[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.") (internal quotation marks and citation omitted). Instead, Plaintiffs allege that the "affected individuals' data" that was exposed included "the types of information that federal and state law requires companies to take security measures to protect," including social security numbers. (Compl. ¶ 3 (emphasis added).) Plaintiffs also define "personal information" to include social security numbers, and allege that they received letters from Inmediata "informing [them] that [their] [p]ersonal [i]nformation may have been compromised." (Id. ¶¶ 4-6.) Plaintiffs do not, however, attach to their Complaint copies of the actual letters they received. Rather, they attach "[t]he California sample letters," which consist of two different letters, that "mirrored" the language of the letters they received. (Id. ¶ 15.) Only one of the two attached sample letters, however, states that social security numbers may have been compromised. Notably, the first letter states that "neither your Social Security number nor your financial information is involved in this incident." (Doc. No. 1-2 at 2.) The second letter states that social security numbers, but not financial information, may have been involved. (Id. at 4.) The second letter also offers identity monitoring services for one year at no cost. (Id.) 
Here, Plaintiffs do not allege they received the second letter, or that they were offered free identity monitoring services. Instead, Plaintiffs admit the letter they received contained the language in the first letter, (see Compl. ¶ 17), which specifically informed them that neither their social security numbers, nor their financial information, were exposed, (Doc. No. 1-2 at 2).

Neither do Plaintiffs allege the potentially exposed information included their account numbers, passwords, e-mail addresses, billing and shipping addresses, telephone numbers, full credit card numbers, or credit and debit card information, as was the case in Zappos. See 888 F.3d at 1023.

Paragraph 17 of the Complaint states in full: "[t]he notice further explained that 'information potentially impacted by this incident may have included your name, address, date of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physician.'" (Compl. ¶ 17.)

In their Complaint, Plaintiffs include multiple factual allegations regarding the potential harm resulting from the theft of social security numbers. (Compl. ¶¶ 29-36.) Also, in their opposition to the instant motion, Plaintiffs allege "their" social security numbers were exposed. (See Opp. 12 ("Plaintiffs allege [in the third paragraph of their Complaint] that Inmediata exposed their [p]ersonal [i]nformation . . . . which included [s]ocial [s]ecurity numbers[.]") It is therefore unclear whether Plaintiffs' Complaint was artfully worded to suggest, without specifically alleging, that Plaintiffs' social security numbers were exposed, or whether Plaintiffs meant to allege that their social security numbers were exposed, but nonetheless failed to do so. Regardless, Plaintiffs' Complaint simply does not include an allegation that Plaintiffs' individual social security numbers were exposed. The court will not presume the omission of a potentially important and easily made factual allegation was inadvertent, nor will it presume that reading the Complaint to include an allegation that Plaintiffs do not explicitly make is acceptable.

Furthermore, the Complaint indicates that Plaintiffs' knowledge about the specific information that was exposed is based primarily, if not entirely, on the information contained in Inmediata's letter informing them of the "data security incident." (Compl. ¶¶ 4-6, 15-20.) Although Inmediata's letter acknowledges that "some of its member patients' electronic patient health information was publicly available online," the letter does not specify the information that was exposed. (Doc. No. 1-2 at 2.) The letter merely states that the "potentially impacted" information "may" have included names, addresses, dates of birth, gender, and medical claims information. (Id.) The only specificity the letter provides regarding the information that was exposed is that social security numbers and financial information were not involved. (Id.)

Finally, Plaintiffs do not actually allege that their names, addresses, dates of birth, gender, and medical claims information were exposed. Plaintiffs merely state, as they did with respect to their social security numbers, that "affected individuals" had their "data" exposed, which included the "types" of information companies are required by law to protect, such as names, addresses, dates of birth, gender, and medical claims information. (Compl. ¶ 3.) Even if Plaintiffs had alleged their individual names, addresses, dates of birth, gender, and medical claims information were exposed, Plaintiffs do not allege, and cite no caselaw supporting, this information is of the type "needed to open accounts or spend money in the plaintiffs' names." See Zappos, 888 F.3d at 1026; see also Ables v. Brooks Bros. Grp., Case No. CV 17-4309-DMG (Ex), 2018 WL 8806667, at *5 (C.D. Cal. June 7, 2018) ("Assuming, without deciding, that a third party intends to commit identity theft using [the plaintiff's] compromised [personal information], [the plaintiff] still has not made allegations that give rise to the reasonable inference that the stolen [personal information] is sufficient to actually commit identity theft."). The laptop thief in Krottner stole unencrypted names, addresses, and social security numbers, 628 F.3d at 1140, and the Zappos hackers obtained names, account numbers, passwords, e-mail addresses, billing and shipping addresses, telephone numbers, full credit card numbers, and unspecified credit and debit card information, 888 F.3d at 1023. Plaintiffs' current allegations are simply too general, opaque, and untethered to Plaintiffs' particular circumstances to properly analyze whether the Krottner/Zappos standard has been met. 
Without alleging that their social security numbers were stolen, or in the alternative, information tantamount to their account numbers, passwords, billing addresses, phone numbers, and credit and debit card information was hacked, Plaintiffs cannot rely on Krottner or Zappos to establish an injury in fact based on the future threat of identity theft. District courts examining whether data breaches that did not involve these specific types of information have found a lack of standing. See In re Uber Techs., Inc., Data Sec. Breach Litig., CV 18-2970 PSG (GJSx), 2019 WL 6522843, at *4 (C.D. Cal. Aug. 19, 2019) ("Plaintiff fails to explain how gaining access to one's basic contact information and driver's license number creates a credible threat of fraud or identity theft."); Jackson v. Loews Hotels, Inc., Case No. ED CV 18-827-DMG (JCx), 2019 WL 6721637, at *3 (C.D. Cal. July 24, 2019) (theft of name, e-mail address, phone number, and mailing address, but not social security number, account number, or account password, does not suggest that hackers obtained any information that would allow them to assume the plaintiff's identity or access any of her accounts); Brett v. Brooks Bros. Grp., Case No. CV 17-4309-DMG (Ex), 2018 WL 8806668, at *3 (C.D. Cal. Sept. 6, 2018) (hackers' theft of names, credit and debit card numbers (along with card expiration dates and verification codes), and possibly the store zip codes where the plaintiffs made purchases, as well as the times of purchase, "does not rise to the level of sensitivity of the information in Krottner and Zappos"); Dugas v. Starwood Hotels & Resorts Worldwide, Inc., Case No.: 3:16-cv-00014-GPC-BLM, 2016 WL 6523428, at *5 (S.D. Cal. Nov. 3, 2016) (theft of names, addresses, billing information, and credit card numbers, was insufficient for standing under Krottner because it did not include social security numbers, usernames, passwords, or e-mails); Antman, 2015 WL 6123054, at *11 ("[The plaintiff's] allegations are not sufficient because his complaint alleges only the theft of names and driver's licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury."); see also Antman v. Uber Techs., Inc., Case No. 15-cv-01175-LB, 2018 WL 2151231, at *10 (N.D. Cal. May 10, 2018) (Antman II) (theft of Uber drivers' names and driver's license numbers, combined with bank account and routing numbers, "does not change the court's conclusion that the disclosed information does not plausibly amount to a credible threat of identity theft that risks real, immediate injury"). Accordingly, Plaintiffs' failure to allege that the exposed information included their social security numbers, or similarly sensitive financial or account information as identified in Zappos, leaves Plaintiffs short of what is required by Krottner and Zappos.

Some district courts have found that theft of detailed personal information collected by Facebook, which does not include social security numbers or credit card information, can nonetheless "g[i]ve hackers the means to commit further fraud or identity theft." See, e.g., Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1034 (N.D. Cal. 2019) (alleging theft of plaintiff's name, e-mail address, telephone number, date of birth, locations, work and education history, hometown, relationship status, and photographs). Although, in Bass, the plaintiff "personally" alleged this information was stolen, and that he received extensive "phishing" e-mails and text messages since the theft. Id. ("Between the hacking and the phishing, plaintiff . . . . has plausibly shown risk of further fraud and identity theft."); see also Adkins v. Facebook, Inc., No. C 18-05982-WHA, 2019 WL 7212315, at *1 (N.D. Cal. Nov. 26, 2019); In re Facebook, Inc., Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 786 (N.D. Cal. 2019). Additionally, one district court found, without citing Krottner, that theft of the plaintiffs' personal information, including social security numbers and medical information, did not constitute an injury in fact even where the plaintiffs alleged that various unsuccessful attempts to steal their identity occurred. See Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1088 (E.D. Cal. 2015).

Because Plaintiffs do not allege in their Complaint that their social security numbers were included in the exposed information, the court need not resolve the parties' dispute as to whether the court can consider a declaration from Inmediata stating that social security numbers were not included in the exposed information. (See Doc. No. 6-2.) Accordingly, because the court's decision here does not depend, even in part, on Inmediata's declaration, Plaintiffs' evidentiary objection to the declaration, (Doc. No. 11-1), is OVERRULED as moot at this point. The court's decision also does not turn, even in part, on Inmediata's factual attack on the pleadings, which would only add to Plaintiffs' burden of proof. See Savage v. Glendale Union High Sch., 343 F.3d 1036, 1039-40 n.2 (9th Cir. 2003) ("Once the moving party has converted the motion to dismiss into a factual motion by presenting affidavits or other evidence properly brought before the court, the party opposing the motion must furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction."); Foster v. Essex Prop. Tr., Inc., Case No. 5:14-cv-05531-EJD, 2015 WL 7566811, at *2 (N.D. Cal. Nov. 25, 2015) (faulting the plaintiffs for not responding to a facial attack by attaching affidavits or other evidence to their opposition brief). Even under the more favorable facial attack standard, Plaintiffs have not met their burden. Also, based on the absence of a material dispute regarding social security numbers, as well as the multiple grounds for the court's decision, the jurisdictional issue here is not, at this stage, so intertwined with the substantive claims to warrant jurisdictional discovery. See Augustine v. U.S., 704 F.2d 1074, 1077 (9th Cir. 1983).

2. Theft

The instant case is also distinguishable from Krottner and Zappos because Plaintiffs do not allege their information was stolen or hacked. Plaintiffs' allegation that their information was temporarily accessible via the internet, but not necessarily copied or even viewed by a potential identity thief, implicates the warning in Krottner that if a plaintiff were to allege that no information was actually stolen, but nonetheless sued "based on the risk that it would be stolen at some point in the future," the court would find the threat "far less credible." 628 F.3d at 1143. As the Zappos court explained, it was "the sensitivity of the personal information, combined with its theft, [that] led us to conclude [in Krottner] that the plaintiffs had adequately alleged an injury in fact supporting standing." 888 F.3d at 1027 (emphasis added).

District courts have also recognized the importance of the element of theft in data breach cases to support an injury in fact based on a future risk of identity theft. In Whitaker v. Health Net of California, Inc., No. CIV S-11-0910 KJM-DAD, 2012 WL 174961, at *1 (E.D. Cal. Jan. 20, 2012), which was decided before Zappos, computer server drives containing the plaintiffs' "personal and medical information" were "lost." In finding that Krottner did not control, the court rejected the plaintiffs' argument that loss was equivalent to theft. Id. at *2. The court found the plaintiffs did not have standing because they did not explain how the loss of their information actually harmed them or threatened to harm them, or that third parties accessed their information. Id. In Khan v. Children's Nat'l Health Sys., 188 F. Supp. 3d 524, 532 (D. Md. 2016), the court surveyed cases and concluded that, in the data breach context, plaintiffs adequately allege an injury in fact arising from increased risk of identity theft only by showing "(1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs' personal data to engage in identity fraud." Even in Krottner and Zappos, which held that misuse of information is not necessarily required for standing, there was still some indication of actual misuse that is absent from the instant case. See Krottner, 628 F.3d at 1142 (noting that one of the plaintiffs alleged that someone attempted to open a bank account in his name); Zappos, 888 F.3d at 1027-28 (noting that some non-parties had their accounts commandeered and suffered financial losses, and that two plaintiffs had their e-mail accounts taken over).

Additionally, although Inmediata's letter acknowledges that "some of its member patients' electronic patient health information was publicly available online," the letter also states that Inmediata had "no evidence that any files were copied or saved," and that Inmediata had "not discovered any evidence that any information that may be involved in this incident has been misused." (Doc. No. 1-2 at 2.) Plaintiffs cite no case in which a court has found the temporary accessibility of personal information on the internet, or anywhere else, without any evidence that it was taken or viewed by a bad actor, constitutes a sufficient injury in fact. As was the case in Clapper, finding harm here requires finding the substantial risk or impending certainty of an attenuated chain of events, i.e. that during the unspecified period when the information of over 1.5 million individuals was viewable on the internet, a bad actor with the capability of using or selling the information for identity theft purposes, discovered the particular Plaintiffs' information and took it so it could be used, at some point over a year later, to commit identity theft.

In the relatively few data breach cases that did not involve a confirmed theft or breach by hackers, courts have found that without a theft or hack, the exposure of personal information does not constitute an injury in fact. In re Facebook, 402 F. Supp. 3d at 784, for example, found plaintiffs inadequately alleged an injury in fact when Facebook made sensitive user information available to countless companies and individuals without preventing them from selling or otherwise misusing the information. The court stated, "this is not a case involving, say, hackers, and it is not a case about the theft of, say, social security or credit card numbers. Although the risk of identity theft is admittedly greater than if Facebook had not made the plaintiffs' personal information available, the risk is too speculative to confer standing." Id.; see also Rechnitz v. Transamerica Life Ins. Co., LACV 17-03970-VAP (AFMx), 2018 WL 6164267, at *5 (C.D. Cal. July 18, 2018) ("Plaintiffs' allegations [that an unauthorized beneficiary was added to their life insurance policy] do not give rise to the reasonable inference that their information has been stolen or in any way accessed by third parties."); Foster, 2015 WL 7566811, at *3 ("Since [p]laintiffs have not shown, contrary to [d]efendants' evidence, that any of their information was actually stolen, their theory of potential future harm is implausible.").

Plaintiffs' supplemental citation to In re Facebook, Inc. Internet Tracking Litig., No. 17-17486, 2020 WL 1807978, *1 (9th Cir. Apr. 9, 2020) is unpersuasive because that case involved Facebook's use of programs to track users' web browsing, not whether the plaintiffs' information was exposed to outside identity thieves. Additionally, the plaintiffs' standing argument was based on statutory violations, not the risk of identity theft. Id. at *5.

3. Medical Information

The instant case is also distinguishable from Krottner and Zappos because it involves medical information. Accordingly, in their Complaint, Plaintiffs bring claims for violation of the California Confidentiality of Medical Information Act (CMIA), CAL. CIV. CODE §§ 56-56.37, and the Minnesota Health Records Act (MHRA), MINN. STAT. ANN. §§ 144.29-144.34, both of which protect the confidentiality of medical information. A violation of a statute, even a procedural violation, can constitute a sufficiently concrete injury to establish an injury in fact. Spokeo, 136 S. Ct. at 1549. On multiple occasions, the Ninth Circuit has addressed whether an alleged statutory violation constitutes an injury in fact in cases involving privacy rights. See Patel v. Facebook, Inc., 932 F.3d 1264, 1273-74 (9th Cir. 2019) (plaintiff sufficiently alleged an injury in fact by alleging that Facebook's facial recognition technology violated an Illinois statute prohibiting the use of biometric identifiers), cert. denied, 140 S. Ct. 937 (2020); Bassett v. ABM Parking Servs., Inc., 883 F.3d 776, 782-83 (9th Cir. 2018) (plaintiff did not sufficiently allege a concrete injury by alleging that a parking garage displayed his unredacted credit card expiration date on his receipt in violation of the Fair Credit Reporting Act (FCRA) where the information was not seen by anyone else); Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037, 1041-43 (9th Cir. 2017) (plaintiff suffered an injury in fact when he received unauthorized text messages from a gym in alleged violation of the Telephone Consumer Protection Act); Robins v. Spokeo, Inc., 867 F.3d 1108, 1118 (9th Cir. 2017) (Spokeo II) (plaintiff established concrete injury by alleging that a website allowing users to obtain data on other people published incorrect information about him in violation of the FCRA).

While the lack of the theft of Plaintiffs' social security numbers, credit card information, passwords, e-mail addresses, etc. cuts against the imminence of identity theft, the alleged exposure of Plaintiffs' private medical information potentially supports the actuality and concreteness of an injury based on statutory law. Again, however, Plaintiffs do not argue or allege that their standing is based on a statutory violation. To be sure, Plaintiffs allege that Inmediata breached multiple statutes and bring claims for violations of CMIA and MHRA, as well as negligence per se. (See Compl. ¶¶ 27 (alleging violations of federal regulations), 65-76 (alleging negligence per se based on CMIA and MHRA, as well as several federal statutes), 84-110 (alleging violations of CMIA and MHRA).) But, as discussed above and emphasized below, Plaintiffs' theory of injury is risk of financial fraud, not of mere exposure of protected medical information in violation of statutory law. Moreover, Plaintiffs do not discuss the legislative history or intent regarding the various statutes they cite, which is a necessary step in determining whether standing exists based on the violation of a statute. See Spokeo, 136 S. Ct. at 1549 ("In determining whether an intangible harm constitutes injury in fact, both history and the judgment of Congress play important roles."); Spokeo II, 867 F.3d at 1113 ("In evaluating . . . . harm, we . . . . ask: (1) whether the statutory provisions at issue were established to protect [the plaintiff's] concrete interests (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests"). Plaintiffs also do not discuss whether the alleged violations of CMIA and MHRA are substantive or procedural, which is also a relevant consideration. See Spokeo II, 867 F.3d at 1113; see also Bassett, 883 F.3d at 782-83.
Although Inmediata concedes that CMIA provides a private cause of action, (Mot. 26), "Congress cannot erase Article III's standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing." See Spokeo, 136 S. Ct. at 1549; Spokeo II, 867 F.3d at 1113.

Notably, nothing in Plaintiffs' papers suggests their alleged injury is based on anything other than the increased risk of future harm due to financial fraud (including identity theft) as defined by Krottner and Zappos. For example, rather than alleging injury based on the exposure of their private medical information per se, they cite studies supporting the value of a "medical identity" and the cost of "medical identity theft." (Compl. ¶¶ 35-36.) However, Plaintiffs cite no case, and the court is aware of none, involving the theft or hack of medical information that did not include social security numbers and/or financial information. See, e.g., Beck v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017) (theft and loss of medical information, including social security numbers, was insufficient to confer standing under Clapper based on the required chain of assumptions, including that thieves would successfully select the personal information belonging to the named plaintiffs, as opposed to one of the thousands of other affected persons); Khan, 188 F. Supp. 3d at 527. Plaintiffs do not explain what injurious acts, if any, an identity thief could commit with medical information that does not include the patient's social security number. Additionally, in a series of district court cases brought by prisoners based on the theft of a laptop of a correctional healthcare worker that allegedly contained the prisoners' medical information, courts have uniformly found that the prisoners lacked standing because it was unknown, as it is unknown here, whether any of the prisoners' sensitive information was ever "compromised." See, e.g., Cassells v. McNeal, No. 2:15-cv-0313 KJM AC P, 2017 WL 1272482, at *6 (E.D. Cal. Jan. 27, 2017). Accordingly, Plaintiffs have not met, or even attempted to meet, their burden to establish standing based on the exposure of their "medical claim information including dates of service, diagnosis codes, procedure codes and treating physicians." (Compl. ¶ 3.)

Although Plaintiffs argue "[t]he disclosure of information to unauthorized persons, as proscribed by the state laws at issue and as confirmed by Inmediata, alone disposes of Inmediata's contentions," (Opp. 8), this argument is not used to support Plaintiffs' standing, but rather to defend against Inmediata's challenge under Rule 12(b)(6) to Plaintiffs' CMIA and MHRA claims.

4. Other Factors

Finally, Zappos is distinguishable because it relied on several facts not present here, including that hackers commandeered some non-parties' accounts and caused financial losses, hackers used one of the plaintiff's e-mail accounts to send advertisements, and the plaintiffs alleged their stolen information could be used to conduct "phishing" and "pharming." 888 F.3d at 1027-28. Although some of the reasoning upon which the court in Zappos relied could arguably apply to the instant case, Plaintiffs do not argue that it does. First, the court reasoned that the Zappos company "effectively acknowledged" that the plaintiffs were at risk of identity theft "by urging affected customers to change their passwords." Id. at 1027. Here, in contrast, Plaintiffs minimize the import of Inmediata's letter urging them to "follow the recommendations included with this letter to protect your personal information," such as reviewing account statements and placing fraud alerts on their credit reports. (Doc. No. 1-2 at 2-3.) Rather than consistently alleging that this constitutes an admission by Inmediata concerning the risk of identity theft, Plaintiffs concede that "all of these steps [recommended by Inmediata] are mandated generalities used by virtually every company when publishing alerts about data security breaches." (See Compl. ¶ 20.) While Inmediata's motive for notifying Plaintiffs of the potential exposure of their information is not contained in the record, its letter is consistent with California law regarding notice obligations in the event of a data breach. See CAL. CIV. CODE § 1798.82(d)(1). 
As recognized by the district court in Brett, interpreting Inmediata's letter as an admission of imminent identity theft is problematic because "such an interpretation would require courts to conclude that a data breach's mere occurrence establishes imminent risk of future harm, which is contrary to controlling Article III precedent, and it would perversely incentivize companies to provide vague or misleading disclaimers to customers affected by a data breach in an attempt to avoid litigation." See 2018 WL 8806668, at *5.

Second, the Zappos court reasoned that stolen credit card information was as sensitive as social security numbers because "Congress has treated credit card numbers as sufficiently sensitive to warrant legislation prohibiting merchants from printing such numbers on receipts - specifically to reduce the risk of identity theft." 888 F.3d at 1027. As previously discussed, Plaintiffs cite both state and federal statutes protecting the confidentiality of medical records. They do not argue, however, that these statutes support their standing, or that the statutes were enacted to reduce the risk of identity theft. Accordingly, the reasoning in Zappos does not control the outcome of the instant standing challenge.

C. Time and Money

Two of the three named Plaintiffs also allege they suffered an injury in fact based on the time and money they spent protecting themselves from future identity theft. (Compl. ¶¶ 4, 6.) Ms. Stasi alleges she now engages in regular monitoring of her credit reports, credit cards, and bank accounts, and that she has spent twenty hours "attempting to determine how she is connected to Inmediata, how her information came into the possession of Inmediata, and trying to make sure she . . . . does not become victimized because of the Inmediata Data Security Incident." (Id. ¶ 4.) Ms. Garcia alleges she "placed credit freezes on her credit reports with the three major U.S. consumer credit reporting agencies in order to detect potential identity theft and fraudulent activity," and "now engages in monthly monitoring of her credit and her bank accounts." (Id. ¶ 6.) Additionally, Ms. Garcia alleges she has "spent her own money and numerous hours addressing issues arising from the Inmediata Data Security Incident." (Id.)

Mr. White, in contrast, merely alleges he spent two hours "attempting to determine how he is connected to Inmediata and how his information came into the possession of Inmediata." (Compl. ¶ 5.) Plaintiffs cite no authority suggesting that time expended towards such an endeavor constitutes an injury in fact.

Citing Krottner and Zappos, Plaintiffs argue "[i]t is well established that mitigation expenses constitute an injury-in-fact when the risk of identity theft is real and imminent." (Opp. 14.) As discussed above, however, under Krottner and Zappos, the risk of identity theft here is not imminent. In the cases cited by Plaintiffs, i.e. those finding that the time and money associated with protection against identity theft support standing, the courts all found the threat of identity theft to be imminent. See Bass, 394 F. Supp. 3d at 1035 ("Plaintiff . . . . has established standing through the dual harms of increased risk of future harm and loss of time."); In re Anthem, Inc. Data Breach Litig., Case No. 15-MD-02617-LHK, 2016 WL 3029783, at *26 (N.D. Cal. May 27, 2016) (denying motion to dismiss under Rule 12(b)(6) because time and money expended for credit monitoring in response to the "imminent" threat of identity theft constitutes recoverable damages); In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1217 (N.D. Cal. 2014) ("[I]n order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent.").

Plaintiffs also cite a case from the Seventh Circuit that did not directly address standing, but dealt with whether the plaintiffs had suffered damages under a Rule 12(b)(6) motion to dismiss. See Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) ("To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if they have suffered an injury then damages are available[.]").

Plaintiffs cite no case in which the expenditure of time or money to prevent future identity theft was sufficient in and of itself to support standing without a finding that the threat of identity theft was imminent. Courts addressing the issue have come to the opposite conclusion. See Antman II, 2018 WL 2151231, at *10 ("Given this holding [that the threat of identity theft was not imminent] the mitigation expenses do not qualify as injury because the risk of identity theft must be real before mitigation can establish injury in fact."); Antman, 2015 WL 6123054, at *11 ("[M]itigation expenses do not qualify as injury; the risk of identity theft must first be real and imminent, and not speculative, before mitigation costs establish injury in fact."). Accordingly, for standing purposes, the risk of future identity theft, and the related mitigation costs, are injuries that rise and fall together. As the Supreme Court noted in Clapper, Plaintiffs "cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending." 568 U.S. at 416.

IV. CONCLUSION

For the foregoing reasons, Inmediata's Motion to Dismiss is GRANTED under Rule 12(b)(1) for lack of standing. The court declines to decide whether Plaintiffs' claims must also be dismissed under Rule 12(b)(6). Plaintiffs' request for leave to amend, (Opp. 26 n.15, 29 n.17), is GRANTED. See Fed. R. Civ. P. 15(a) (leave to amend "should be freely granted when justice so requires"); Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) ("[T]he underlying purpose of Rule 15 . . . . [is] to facilitate decision on the merits, rather than on the pleadings or technicalities.") (internal quotation marks omitted); Moss v. U.S. Secret Serv., 572 F.3d 962, 972 (9th Cir. 2009) (requests for leave should be granted with "extreme liberality"). Plaintiffs shall file their first amended complaint, should they choose to file one, within 14 days of the filing of this order. Inmediata's response to the operative complaint is due within 21 days after the expiration of the Plaintiffs' deadline to file their first amended complaint. See Fed. R. Civ. P. 15(a)(3).

IT IS SO ORDERED. DATED: May 5, 2020

/s/_________

JEFFREY T. MILLER

United States District Judge

