Opinion
Lead Case No.: SACV 20-00791-CJC (KESx)
2021-10-18
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS’ MOTION TO DISMISS PLAINTIFFS’ SECOND AMENDED CONSOLIDATED CLASS ACTION COMPLAINT [Dkt. 95]
CORMAC J. CARNEY, UNITED STATES DISTRICT JUDGE
I. INTRODUCTION
In this consolidated putative class action, Plaintiffs from 15 different states allege 13 claims against Defendants Ambry Genetics Corporation ("Ambry") and Konica Minolta Precision Medicine, Inc. ("KMPM") arising out of a 2020 data breach. (Dkt. 90 [Unredacted Second Amended Consolidated Class Action Complaint, hereinafter "SAC"].) Before the Court is Defendants’ motion to dismiss the SAC. (Dkt. 95 [hereinafter "Mot."]). For the following reasons, Defendants’ motion is GRANTED IN PART AND DENIED IN PART .
II. BACKGROUND
Ambry provides genetic testing that screens and diagnoses medical issues including hereditary cancer, hereditary cardiovascular disease, neurodevelopmental disorders, and epilepsy. (SAC ¶¶ 1, 45.) Between January 22 and 24, 2020, it experienced a data breach involving names, dates of birth, Ambry account numbers, health insurance information, confidential medical information, medical diagnoses, billing information including addresses, email addresses, and telephone numbers, and Social Security numbers. (Id. ¶¶ 2–3, 13, 24–48, 67, 71, 76); see also Ambry Genetics Substitute Notice, available at https://www.ambrygen.com/legal/substitute-notice. Specifically, hackers accessed through a phishing incident the email account of an Ambry employee for multiple days, giving the hackers access to about 233,000 customers’ information. (SAC ¶¶ 66–67.) Plaintiffs allege that "[t]he Data Breach was a direct result of Defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect patients’ Private Information." (Id. ¶ 17.) Nearly 3 months later, on April 15, 2020, Ambry sent a Notice of Data Breach to the affected customers. (Id. ¶ 73.)
Plaintiffs allege claims for (1) negligence, (2) invasion of privacy, (3) breach of contract, (4) breach of implied contract, (5) unjust enrichment, (6) breach of fiduciary duty, (7) breach of confidence, (8) violation of the California Unfair Competition Law (the "UCL," Cal. Business & Professions Code § 17200, et seq. ), (9) violation of the California Confidentiality of Medical Information Act (the "CMIA," Cal. Civ. Code § 56, et seq. ), (10) violation of the California Consumer Legal Remedies Act (the "CLRA," Cal. Civ. Code § 1750, et seq. ), (11) violation of the California Consumer Records Act (the "CRA," Cal. Civ. Code § 1798.82 et seq. ), (12) violation of the Illinois Genetic Information Privacy Act (the "IGIPA," 410 ILCS 513), and (13) injunctive and declaratory relief. (Id. ¶ 21.)
Plaintiffs seek to represent the following classes: (1) a nationwide class, (2) a nationwide adult sub-class, (3) a nationwide minor sub-class, (4) an Arizona subclass, (5) a California sub-class, (6) a Florida sub-class, (7) a Georgia sub-class, (8) an Illinois sub-class, (9) an Indiana sub-class, (10) a Michigan sub-class, (11) a Minnesota sub-class, (12) a New Jersey sub-class, (13) a New York sub-class, (14) an Ohio sub-class, (15) a Pennsylvania sub-class, (16) a Tennessee sub-class, (17) a Virginia sub-class, and (18) a West Virginia sub-class. (Id. ¶¶ 376–78.)
III. ANALYSIS
Defendants argue that KMPM is not properly named as a defendant in this action and that Plaintiffs lack standing. Defendants further move to dismiss each of Plaintiffs’ 13 claims for reasons described below. The Court addresses each of Defendants’ arguments in turn.
A. KMPM
KMPM argues that it is not properly named as a defendant in this case. (Mot. at 6–8.) Plaintiffs allege that "KMPM was founded in 2018 after Konica Minolta, Inc. acquired Ambry in 2017 for up to $1 billion." (SAC ¶ 50.) Plaintiffs further allege that "KMPM either failed to engage in ... due diligence [prior to Ambry's acquisition] or failed to take appropriate and necessary measures as a result of the due diligence that would have protected the Private Information of Plaintiffs and Class Members." (Id. ¶ 56.) However, according to Plaintiffs’ allegations, it would have been impossible for KMPM to participate in any due diligence before the acquisition because KMPM did not even exist. (See id. ¶ 50.) Plaintiffs therefore cannot state a claim for relief against KMPM on the theory that it failed to engage in due diligence. They can only state a claim for relief against KMPM on the theory that it failed to take appropriate and necessary measures in response to due diligence after it was founded.
B. Standing
Defendants next argue that Plaintiffs lack standing to pursue their claims. Article III of the United States Constitution requires that courts adjudicate only actual cases or controversies. To constitute an actual case or controversy, the plaintiffs bringing a case must have standing. The party invoking federal jurisdiction bears the burden of establishing standing. See Lujan v. Defs. of Wildlife , 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). To satisfy the standing requirement, a plaintiff must show that (1) he has suffered an injury in fact that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical, (2) the injury is fairly traceable to the defendant's challenged actions, and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Friends of the Earth, Inc. v. Laidlaw Env't Servs., Inc. , 528 U.S. 167, 180–81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000). Defendants do not argue that Plaintiffs have failed to state a concrete and particularized and actual or imminent injury. Rather, they argue that (1) Plaintiffs’ alleged injury is not fairly traceable to Defendants’ challenged actions, and (2) that it is not likely that Plaintiffs’ injury will be redressed by the injunctive relief they seek. (Mot. at 9–14.)
1. Causation
For Article III standing to exist, "there must be a causal connection between the injury and the conduct complained of—the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court." Lujan , 504 U.S. at 560, 112 S.Ct. 2130 (cleaned up). Although at the pleading stage, allegations that the plaintiff's injury was caused by the defendant's conduct may suffice, those allegations must be supported by facts, not merely legal conclusions. Id. at 561, 112 S.Ct. 2130 ; Ashcroft v. Iqbal , 556 U.S. 662, 679, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009).
Defendants argue that Plaintiffs fail to plausibly allege that their injuries were caused by Defendants’ actions. The Court disagrees. Plaintiffs allege that the information exposed in the data breach includes their names, dates of birth, Ambry account numbers, health insurance information, confidential medical information, medical diagnoses, billing information including addresses, email addresses, and telephone numbers, and Social Security numbers. (SAC ¶¶ 2–3, 13, 24–48, 67, 71, 76.) Plaintiffs allege that they suffered injuries including receiving suspicious telephone calls, emails, and text messages (SAC ¶¶ 116 [Annoni], 130 [Brodsky], 142 [Coleman], 156 [Domingues], 162 [Ferrier], 186 [Jasielum], 213 [Nakagoshi], 227 [O'Hara], 255 [Taglioli], 269 [Velardi]), notifications that a bank conducted a hard inquiry on their credit without authorization (id. ¶ 254 [Taglioli]), notifications that someone attempted to pass bad checks through use of their identity and other fraudulent bank activity (id. ¶¶ 191 [Kanawati], 222 [Neumann]), notifications that an unauthorized party obtained their passwords (id. ¶¶ 156 [Domingues], 192 [Kanawati]), and notifications that they were logged into their accounts from new, unrecognized devices (id. ¶ 220 [Neumann]). They further allege that they had to contact banks, credit card agencies, and credit bureaus to cancel credit or debit cards and monitor checking accounts and credit, (id. ¶¶ 122 [Barduca], 134 [Cercas], 139 [Coleman], 146 [Cooperson], 153 [Domingues], 183 [Jasielum], 190 [Kanawati], 198 [McMurphy], 246 [Stewart]), and contact insurance companies to alert them of the breach and request new account numbers (id. ¶¶ 134 [Cercas], 183 [Jasielum]). Unlike in past iterations of the SAC, (see Dkt. 68 [Order Granting Defendants’ Motion to Dismiss Plaintiffs’ First Amended Consolidated Complaint]), Plaintiffs sufficiently connect the information stolen and the alleged injuries to establish standing at the pleading stage.
2. Redressability as to Injunctive Relief
Defendants next argue that Plaintiffs cannot show that the injunctive relief they seek will redress Plaintiffs’ injury stemming from a previous data breach. (Mot. at 13–14.) To show redressability, Plaintiffs must show that it is likely, as opposed to merely speculative, that their injury will be redressed by a favorable decision. Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc. , 528 U.S. 167, 180–81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000). They "must demonstrate standing separately for each form of relief sought." Id. at 185, 120 S.Ct. 693. "To demonstrate standing to pursue prospective injunctive relief, plaintiffs must demonstrate a concrete injury and a realistic likelihood that the injury will be repeated." Taylor v. Westly , 488 F.3d 1197, 1199 (9th Cir. 2007).
Plaintiffs seek injunctive relief requiring Defendants to "implement and maintain reasonable security measures," including ordering that Defendants hire security auditors, audit and train their security personnel, segment patient data through firewalls and access controls, and other measures. (SAC ¶ 566.) They allege that these measures are necessary because Defendants still possess their private information and "Defendants have announced few if any changes to [their] data security infrastructure, processes or procedures to fix the vulnerabilities in [their] computer systems and/or security practices which permitted the Data Breach to occur." (Id. ¶¶ 561–62.) Plaintiffs further allege that "now that Defendants’ insufficient data security is known to hackers, the Private Information in Defendants’ possession is even more vulnerable to cyberattack." (Id. ¶ 563.) At the pleading stage, these allegations are sufficient to allege that a data breach is sufficiently likely to recur such that injunctive relief will redress Plaintiffs’ injuries.
C. Negligence
Defendants move to dismiss Plaintiffs’ negligence claim on the bases that (1) Plaintiffs fail to allege causation and (2) the economic loss doctrine bars the claim. Defendants also argue that Plaintiffs should not be able to rely on the negligence per se doctrine.
1. Causation
The elements of a negligence claim under California law are duty, breach, causation, and injury. Vasilenko v. Grace Family Church , 3 Cal. 5th 1077, 1083, 224 Cal.Rptr.3d 846, 404 P.3d 1196 (2017). "[T]o demonstrate actual or legal causation, the plaintiff must show that the defendant's act or omission was a ‘substantial factor’ in bringing about the injury." Saelzler v. Advanced Group 400 , 25 Cal. 4th 763, 774, 107 Cal.Rptr.2d 617, 23 P.3d 1143 (2001).
Plaintiffs allege that Defendants were negligent by (1) failing to take steps to prevent a data breach (SAC ¶¶ 398–411), and (2) waiting 3 months to notify Plaintiffs of the breach (id. ¶¶ 3, 5, 70–71, 366, 408). Defendants argue that Plaintiffs’ negligence claim must be dismissed on both theories because Plaintiffs have failed to show causation between the data breach and Plaintiffs’ alleged damages. (Mot. at 14.)
As to the first theory, as explained in Section III.B.1., Plaintiffs have sufficiently demonstrated causation between the data breach and Plaintiffs’ alleged damages. As to the second theory, Plaintiffs have also sufficiently demonstrated causation between the delayed notification and Plaintiffs’ increased damages. Specifically, Plaintiffs allege that the delay prevented them from taking appropriate protective measures that could have prevented some of the damages they suffered, and they therefore suffered "incrementally increased damages" that they would not have suffered with timely notice. (SAC ¶¶ 544–45.) Indeed, some Plaintiffs allege that they suffered injuries resulting from the breach before they were notified of it that they might have been able to take steps to avoid had they been notified sooner. (See, e.g., id. ¶¶ 142 [Coleman receiving fraudulent phone call from someone attempting to get money on March 5, 2020], 263 [Terrano being denied credit limit increase in March 2020].) These allegations are sufficient to state a claim that Defendants were negligent by failing to notify Plaintiffs of the data breach sooner.
2. Economic Loss Doctrine
Defendants also argue that Plaintiffs’ negligence claim is barred by the economic loss doctrine. Under the economic loss doctrine, "purely economic losses are not recoverable in tort." NuCal Foods, Inc. v. Quality Egg LLC , 918 F. Supp. 2d 1023, 1028 (E.D. Cal. 2013) (citation omitted). In the absence of personal injury, physical damage to property, a special relationship between the parties, or some other common law exception to the rule, recovery of purely economic loss for negligence is foreclosed. J'Aire Corp. v. Gregory , 24 Cal. 3d 799, 803–04, 157 Cal.Rptr. 407, 598 P.2d 60 (1979).
However, Plaintiffs have not alleged merely economic injury. Rather, they have alleged a privacy injury stemming from the unauthorized sharing of their private medical information. (See SAC ¶¶ 119, 124, 129, 136, 141, 148, 155, 161, 168, 175, 180, 185, 195, 200, 205, 212, 219, 229, 234, 241, 248, 253, 261, 268, 275, 419–421.) They have further alleged injuries such as anxiety, concern, and unease. (Id. ¶¶ 118, 128, 135, 147, 154, 160, 167, 204, 218, 247, 267, 274.) And they have alleged that they spent many hours responding to the data breach. (See, e.g., id. ¶¶ 115, 122, 127, 134, 139, 146, 153, 159, 166, 183, 190, 198, 203, 210); see also Stasi v. Inmediata Health Grp. Corp. , 501 F.Supp.3d 898, 913 (S.D. Cal. 2020) ("[T]ime spent responding to a data breach is a non-economic injury, that when alleged to support a negligence claim, defeats an economic loss doctrine argument.") (citing In re Solara Medical Supplies, LLC Customer Data Security Breach Litig. , ––– F.Supp.3d ––––, ––––, 2020 WL 2214152, at *4 (S.D. Cal. 2020) (involving theft of medical information); Bass v. Facebook, Inc. , 394 F. Supp. 3d 1024, 1039 (N.D. Cal. 2019) (involving the hack of non-financial personal information)). Accepting their allegations as true and construing them in their favor, Plaintiffs have sufficiently alleged a claim for negligence.
3. Negligence Per Se
Under California law, "negligence per se is not a separate cause of action, but rather an evidentiary presumption that a party failed to exercise due care in certain limited circumstances." Ward v. Litton Loan Servicing, LP , 2012 WL 13024081, at *5 (C.D. Cal. Apr. 10, 2012). Plaintiffs allege that Defendants were negligent in their handling of Plaintiffs’ private information. In support of their contention that Defendants failed to exercise due care, they allege that Defendants violated Section 5 of the FTC Act, which prohibits "unfair ... practices in or affecting commerce," as well as HIPAA privacy laws. (SAC ¶¶ 413, 418–19.)
Defendants argue that Plaintiffs’ reliance on the doctrine of negligence per se fails because the FTC Act and HIPAA do not provide a private right of action. (Mot. at 18.) But Plaintiffs are not attempting to sue under these statutes. Rather, the statutes "instead serve[ ] the subsidiary function of providing evidence of an element of a pre-existing common law cause of action." Crusader Ins. Co. v. Scottsdale Ins. Co. , 54 Cal. App. 4th 121, 125, 62 Cal.Rptr.2d 620 (1997) ; see Bureerong v. Uvawas , 959 F. Supp. 1231, 1237 (C.D. Cal. 1997) ("The Court disagrees with Hub's broad and general contention that the Court may not recognize a negligence per se claim simply because the statute upon which the claim is based confers no private right of action.") In other words, "it is the tort of negligence, and not the violation of the statute itself, which entitles a plaintiff to recover civil damages ... [T]he plaintiff is not attempting to pursue a private cause of action for violation of the statute; rather, he is pursuing a negligence action and is relying upon the violation of a statute, ordinance, or regulation to establish part of that cause of action." Sierra–Bay Fed. Land Bank Ass'n. v. Superior Court , 227 Cal. App. 3d 318, 333, 277 Cal.Rptr. 753 (1991). Accordingly, Plaintiffs’ reliance on the negligence per se doctrine does not fail merely because the statutes they allege Defendants violated do not provide a private right of action. "Because Plaintiffs’ negligence cause of action may proceed, the Court does not dismiss the references to the negligence per se doctrine." Tinoco v. San Diego Gas & Elec. Co. , 2018 WL 4562479, at *2 (S.D. Cal. Sept. 21, 2018).
D. Invasion of Privacy
To state a claim for invasion of privacy, "Plaintiffs must show that (1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is "so serious ... as to constitute an egregious breach of the social norms" such that the breach is "highly offensive." In re Facebook, Inc. Internet Tracking Litig. , 956 F.3d 589, 601 (9th Cir. 2020), cert. denied sub nom. Facebook, Inc. v. Davis , ––– U.S. ––––, 141 S. Ct. 1684, 209 L.Ed.2d 464 (2021). "Determining whether a defendant's actions were ‘highly offensive to a reasonable person’ requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive." Id. at 606.
Plaintiffs have adequately alleged an invasion of privacy claim. In support of that claim, Plaintiffs allege that Defendants (1) knew their information security practices were inadequate and had numerous security vulnerabilities (SAC ¶¶ 300, 433, 486), (2) "intentionally, willfully, recklessly, or negligently" failed to take adequate and reasonable measures to ensure Ambry's data systems were protected (id. ¶¶ 53–58), (3) knew their inadequate data security measures would likely result in a breach (id. ¶ 433), and (4) knew that such a breach would harm Plaintiffs (id. ¶ 434). Courts have refused to dismiss invasion of privacy claims at the motion to dismiss stage where, as here, a data breach involved medical information, because the disclosure of such information is more likely to constitute an "egregious breach of the social norms" that is "highly offensive." See, e.g., Stasi , 501 F. Supp. 3d at 926 ; Doe v. Beard , 63 F. Supp. 3d 1159, 1170 (C.D. Cal. 2014).
E. Breach of Express and Implied Contract
Plaintiffs allege that Defendants breached contracts including "test requisition forms, patient signature cards, HIPAA authorization forms, and patient consent forms," in which Defendants "impliedly if not explicitly, agreed to protect Plaintiffs’ and other Class Members’ Private Information." (SAC ¶¶ 439–40.) Plaintiffs alternatively allege that the parties "entered into implied-in-fact contracts for the provision of data security, separate and apart from any express contracts concerning genetic testing or other services to be provided by Defendants to Plaintiffs." (Id. ¶ 450.)
Defendants argue that Plaintiffs’ breach of express contract claim fails because "there is no independent contractual agreement in which KMPM or Ambry assumed obligations regarding data security or data breach notification." (Mot. at 20.) The Court agrees. A claim for breach of contract "must allege the specific provisions in the contract creating the obligation the defendant is said to have breached." Young v. Facebook, Inc. , 790 F. Supp. 2d 1110, 1117 (N.D. Cal. 2011). Plaintiffs fail to do so. Rather, they state generally that "Ambry agreed to maintain Plaintiffs’ privacy in accordance with HIPAA and otherwise," and did not. (Dkt. 104-1 [Opposition, hereinafter "Opp."] at 25 [citing SAC ¶¶ 280–87].) The alleged contract terms do not contain promises from Defendants to keep Plaintiffs’ information safe. Instead, they are broad statements including "Ambry is committed to protecting the privacy of all users of the Services," "Ambry Genetics cares about your patients and your data as much as you do," "Information that you provide to Ambry through ambrygen.com is encrypted using industry standard Secure Sockets Layer (SSL) technology," and "We are required by law to: Maintain the confidentiality of your protected health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’) and applicable state law." (SAC ¶¶ 280–84.) These allegations are not sufficient to allege a breach of express contract. See Young , 790 F. Supp. 2d at 1117.
However, Plaintiffs have adequately stated a breach of implied contract. "An implied-in-fact contract requires proof of the same elements necessary to evidence an express contract: mutual assent or offer and acceptance, consideration, legal capacity and lawful subject matter." Corona v. Sony Pictures Entm't, Inc. , 2015 WL 3916744, at *5 (C.D. Cal. June 15, 2015). "An implied contract requires that both parties agree to its terms and have a ‘meeting of the minds,’ but the creation of an implied contract can be manifested by conduct rather than words." Castillo v. Seagate Tech., LLC , 2016 WL 9280242, at *8 (N.D. Cal. Sept. 14, 2016).
Plaintiffs allege that they gave their private information to Defendants for purposes of obtaining genetic testing, with the understanding that Defendants would take adequate measures to protect the information. "While [Defendants] made no explicit promises as to the ongoing protection of personal information, it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient's assent to protect the information sufficiently." Id. at *9 (citing In re Target Corp. Data Sec. Breach Litig. , 66 F. Supp. 3d 1154, 1176 (D. Minn. 2014) (holding that the plaintiffs had sufficiently pleaded "an implied contract in which Plaintiffs agreed to use their credit or debit cards to purchase goods at Target and Target agreed to safeguard Plaintiffs’ personal and financial information")); see Rudolph v. Hudson's Bay Co. , 2019 WL 2023713, at *11 (S.D.N.Y. May 7, 2019) ("Other courts applying California law have concluded that an implied contract is formed where a person discloses sensitive information in order to receive a benefit, with the expectation that such information will be protected."); In re GE/CBPS Data Breach Litig. , 2021 WL 3406374, at *12 (S.D.N.Y. Aug. 4, 2021) (concluding that employees in data breach case failed to sufficiently state a claim for breach of express contract, but sufficiently stated a claim for breach of implied contract).
F. Unjust Enrichment
"While California case law appears unsettled on the availability of [an independent unjust enrichment] cause of action, [the Ninth] Circuit has construed the common law to allow an unjust enrichment cause of action through quasi-contract." ESG Cap. Partners, LP v. Stratos , 828 F.3d 1023, 1038 (9th Cir. 2016) ; see Astiana v. Hain Celestial Grp., Inc. , 783 F.3d 753, 762 (9th Cir. 2015) (explaining that when a plaintiff alleges unjust enrichment, a court may "construe the cause of action as a quasi-contract claim seeking restitution"). "To allege unjust enrichment as an independent cause of action, a plaintiff must show that the defendant received and unjustly retained a benefit at the plaintiff's expense." ESG Capital Partners, LP v. Stratos , 828 F.3d 1023, 1038–39 (9th Cir. 2016) ; see Bruton v. Gerber Prod. Co. , 703 F. App'x 468, 470 (9th Cir. 2017) (reversing dismissal of an unjust enrichment claim in action regarding food labeling because "the California Supreme Court has clarified California law, allowing an independent claim for unjust enrichment to proceed in an insurance dispute").
"Courts have concluded that the failure to secure a plaintiff's data can give rise to an unjust enrichment claim," reasoning "that a defendant has accepted the benefits accompanying plaintiff's data, but does so at the plaintiff's expense by not implementing adequate safeguards, thus making it inequitable and unconscionable to permit defendant to retain funds that it saved by shirking data-security and leaving the plaintiff to suffer the consequences." Rudolph , 2019 WL 2023713, at *12. This is exactly what Plaintiffs allege. Plaintiffs allege that they paid Defendants money for Defendants’ services, and expected that a portion of their payments would go toward "data management and security." (SAC ¶¶ 461, 463.) They further allege that Defendants retained this benefit despite not having implemented adequate safeguards for Plaintiffs’ private information. (Id. ¶¶ 42, 464, 466.) This is sufficient to overcome a motion to dismiss. Rudolph , 2019 WL 2023713, at *12 (collecting cases); In re Premera Blue Cross Customer Data Sec. Breach Litig. , 198 F. Supp. 3d 1183, 1201 (D. Or. 2016) (concluding that allegations that plaintiffs made payments to Premera expecting that a portion of their fees would be used for data management and security and that "under the circumstances it is unjust for Premera to retain the benefits received without payment" were "sufficient to withstand a motion to dismiss").
G. Breach of Fiduciary Duty
Plaintiffs allege that "Defendants have become a fiduciary, created by its undertaking and guardianship of patients’ Private Information, to act primarily for the benefit of its patients, including Plaintiffs and Class Members." (SAC ¶ 473.) They further allege that Defendants breached their fiduciary duty to act for the benefit of Plaintiffs when they failed to protect Plaintiffs’ private information. (Id. ¶ 474.)
Defendants argue that Plaintiffs’ breach of fiduciary duty claim fails because they did not owe Plaintiffs a fiduciary duty. "A fiduciary relationship is any relation existing between parties to a transaction wherein one of the parties is duty bound to act with the utmost good faith for the benefit of the other party." Gilman v. Dalby , 176 Cal. App. 4th 606, 613, 98 Cal.Rptr.3d 231 (2009). "[T]raditional examples of fiduciary relationships include those of trustee/beneficiary, corporate directors and majority shareholders, business partners, joint adventurers, and agent/principal." Id. at 614, 98 Cal.Rptr.3d 231. "Inherent in each of these relationships is the duty of undivided loyalty the fiduciary owes to its beneficiary, imposing on the fiduciary obligations far more stringent than those required of ordinary contractors." Id. (internal quotation omitted).
Plaintiffs have failed to allege sufficient facts to establish a fiduciary relationship between themselves and Defendants. Plaintiffs simply allege that Defendants collected Plaintiffs’ private information so Defendants could provide their genetic testing to screen for and diagnose diseases. (See SAC ¶¶ 1, 473.) This is not a situation where the parties have a special relationship. See, e.g., Giles v. Gen. Motors Acceptance Corp. , 494 F.3d 865, 883 (9th Cir. 2007) (finding no special relationship between plaintiff car dealership operators and representative from defendant wholesale car financer, even though plaintiffs alleged that they placed a "special trust" or "special confidence" in the representative, because the relationship was "a standard friendly but arms-length business relationship"). Nor is the relationship alleged between the parties one in which Defendants assumed obligations to act with the utmost good faith for the benefit of Plaintiffs. Defendants never "agreed to subordinate [their] interests to those of Plaintiff[s]," and Plaintiffs were not "so vulnerable as to give rise to equitable concerns underlying the protection afforded by law governing fiduciaries." ReactX v. Mendez , 2018 WL 6164275, at *6 (C.D. Cal. Jan. 4, 2018). Rather, Plaintiffs entered into an arms-length business relationship with Defendants, which is insufficient to create a fiduciary duty even though Plaintiffs entrusted Defendants with their confidential information as part of the relationship. Giles , 494 F.3d at 883 ; see Worldvision Enterprises, Inc. v. Am. Broad. Companies, Inc. , 142 Cal. App. 3d 589, 595, 191 Cal.Rptr. 148 (1983) ("The mere fact that in the course of their business relationships the parties reposed trust and confidence in each other does not impose any corresponding fiduciary duty in the absence of an act creating or establishing a fiduciary relationship known to law."); Anderson v. Hannaford Bros. Co. , 659 F.3d 151, 157 (1st Cir. 2011) (rejecting contention that "a fiduciary relationship arises in the context of credit and debit card use because the customer trusts the merchant to safeguard her credit or debit card information").
H. Breach of Confidence
The tort for breach of confidence under California law "is based upon the concept of an implied obligation or contract between the parties that confidential information will not be disclosed." Ent. Rsch. Grp., Inc. v. Genesis Creative Grp., Inc. , 122 F.3d 1211, 1226–27 (9th Cir. 1997). To sufficiently allege a breach of confidence claim, a plaintiff must allege that "(1) the plaintiff conveyed ‘confidential and novel information’ to the defendant; (2) the defendant had knowledge that the information was being disclosed in confidence; (3) there was an understanding between the defendant and the plaintiff that the confidence be maintained; and (4) there was a disclosure or use in violation of the understanding." Id. at 1227.
Defendants argue that Plaintiffs’ breach of confidence claim fails because Plaintiffs do not allege that Defendants gave their private information away, but rather allege that the information was involuntarily stolen from Defendants. (Mot. at 25–26.) The Court agrees. The question turns on the meaning of the word "disclosure" in the fourth element. California courts have found that the "ordinary meaning" of the word "disclosure" "suggest[s] that disclosure occurs when the health care provider affirmatively shares medical information with another person or entity." Sutter Health v. Superior Ct. , 227 Cal. App. 4th 1546, 1555–56, 174 Cal.Rptr.3d 653 (2014) ; see In re Brinker Data Incident Litig. , 2020 WL 691848, at *22 (M.D. Fla. Jan. 27, 2020) ("According to Black's Law Dictionary, ‘disclosure’ is ‘[t]he act or process of making known something that was previously unknown.’ ").
Here, Plaintiffs allege that "unauthorized parties accessed the email account of an Ambry employee allowing unauthorized parties to access and acquire Plaintiffs’ and Class Members’ Private Information." (SAC ¶ 66.) Plaintiffs do not allege that Defendants affirmatively shared any information or performed any act that gave hackers information. Since Defendants made no "disclosure" of Plaintiffs’ confidential information, they cannot be held liable on a claim for breach of confidence. See In re Brinker Data Incident Litig. , 2020 WL 691848, at *22 (dismissing breach of confidence claim where the plaintiff "did not do any act that made Plaintiffs’ information known—the information was stolen by third-parties").
I. Unfair Competition Law
Plaintiff's eighth claim alleges a violation of California's UCL, which prohibits "any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising." Cal. Bus. & Prof. Code § 17200. Remedies under the UCL are limited to restitution and injunctive relief, and do not include damages. Silvercrest Realty, Inc. v. Great Am. E&S Ins. Co. , 2012 WL 13028094, at *2 (C.D. Cal. Apr. 4, 2012). Restitution and injunctive relief are equitable remedies, and thus are not available unless the plaintiff lacks an adequate remedy at law. Id. A plaintiff "must establish that she lacks an adequate remedy at law before securing equitable restitution for past harm under the UCL." Sonner v. Premier Nutrition Corp. , 971 F.3d 834, 844 (9th Cir. 2020).
Plaintiff alleges that "[b]y reason of Defendants’ ... wrongful actions, inaction, and omissions, the resulting Data Breach, and the unauthorized disclosure of Plaintiffs and Class members’ Private Information, Defendants engaged in unlawful, unfair, and fraudulent practices within the meaning of the UCL." (SAC ¶ 491.) Defendants argue that Plaintiffs’ UCL claim must be dismissed because Plaintiffs fail to allege they lack an adequate legal remedy for the harm sustained from the data breach. (Mot. at 27.) The Court agrees.
Plaintiffs’ UCL claim is based on the allegation that Defendants failed to take adequate measures to protect Plaintiffs’ private information—Defendants’ past conduct—not any allegation that Defendants are failing to prevent future data breaches. Specifically, Plaintiffs allege that Defendants’ business practices are unfair because they are "immoral, unethical, oppressive, unscrupulous, and substantially injurious to consumers, in that the Private Information of Plaintiffs and Class Members has been compromised for unauthorized parties to see, use, and otherwise exploit." (SAC ¶ 493.) They allege Defendants’ business practices are unlawful "because Defendants failed to take reasonable measures to protect Plaintiffs’ and Class Members’ Private Information and failed to take remedial measures such as notifying its users when it first discovered that their Private Information may have been compromised." (Id. ¶ 496.) And they allege Defendants’ business practices are fraudulent because they deceived consumers into believing their private information would remain secure. (Id. ¶ 498.) Throughout their SAC, Plaintiffs seek compensatory damages for this past harm. Plaintiffs have failed to allege that the legal remedies they seek for the injuries they incurred as a result of Defendants’ past failure to protect their information are inadequate.
J. Confidentiality of Medical Information Act
Plaintiffs allege violations of two provisions of the CMIA: Section 56.10, which prohibits disclosure of medical information without prior authorization, and Section 56.101, which penalizes negligently maintaining or storing medical information.
1. Section 56.10
Plaintiffs first allege that "Defendants’ misuse and/or disclosure of medical information regarding Plaintiffs and Class Members constitutes a violation of Civil Code § 56.10." (SAC ¶ 514.) Section 56.10 states, "A provider of health care, health care service plan, or contractor shall not disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization." Cal. Civ. Code § 56.10 (emphasis added). "Disclosure" in this context "refers to affirmative communicative acts—giving out medical information on a patient." Sutter Health , 227 Cal. App. 4th at 1554, 174 Cal.Rptr.3d 653 ; see Regents of Univ. of California v. Superior Ct. , 220 Cal. App. 4th 549, 564, 163 Cal.Rptr.3d 205 (2013), as modified on denial of reh'g (Nov. 13, 2013) ("Disclose" ... is an active verb, denoting in the context of CMIA and the protections afforded confidential medical information an affirmative act of communication.").
Here, as already explained, Plaintiffs allege that hackers gained unauthorized access to an Ambry employee's email account. They do not allege that Defendants performed any affirmative communicative act that gave hackers information. See Sutter Health , 227 Cal. App. 4th at 1554, 174 Cal.Rptr.3d 653 ; Regents , 220 Cal. App. 4th at 564, 163 Cal.Rptr.3d 205. Accordingly, Plaintiff's claim under Section 56.10 fails. See Stasi , 501 F. Supp. 3d at 922 ("Based on the meaning of ‘disclose’ as defined in Sutter and Regents , Plaintiffs have not pled a plausible violation of section 56.10(a) of CMIA.").
2. Section 56.101
However, Plaintiffs allege that Defendants also violated Section 56.101 of the CMIA. (SAC ¶ 517.) Section 56.101 penalizes those who negligently maintain or store medical information. Cal. Civ. Code § 56.101 (emphasis added). Under Section 56.36, an individual may bring an action for damages against an entity that has negligently released confidential information or records. In contrast to disclosure under Section 56.10, "negligent release under section 56.36 does not require an affirmative communicative act but instead can be accomplished by negligently allowing information to end up in the possession of an unauthorized person." Sutter Health , 227 Cal. App. 4th at 1554–55, 174 Cal.Rptr.3d 653. A plaintiff must allege that a defendant's "negligence result[ed] in unauthorized or wrongful access to the information," i.e. that the information was "improperly viewed or otherwise accessed." Regents , 220 Cal. App. 4th at 554, 163 Cal.Rptr.3d 205 ; see Sutter Health , 227 Cal. App. 4th at 1557, 174 Cal.Rptr.3d 653 ("No breach of confidentiality takes place until an unauthorized person views the medical information.").
Defendants argue that Plaintiffs’ claim under Section 56.101 must be dismissed because Plaintiffs do not sufficiently allege that their information was viewed by third parties. (Mot. at 32–33.) But Plaintiffs do so allege: they allege that "unauthorized parties have accessed and viewed Plaintiffs’ and Class Members’ unencrypted, unredacted information, including ... relevant medical records." (SAC ¶ 76; see id. ¶ 92 ["Plaintiffs’ and Class Members’ unencrypted personal information that was acquired by an unauthorized person as a result of the Data Breach, was viewed by unauthorized persons."]; id. ¶ 512 ["The hacker or hackers who committed the Data Breach obtained Plaintiffs’ and Class Members’ personal medical information, viewed it, and now have it available to them to sell to others bad actors or otherwise misuse."].) At the pleading stage, Plaintiffs have sufficiently stated a claim under Section 56.101. See Stasi , 501 F. Supp. 3d at 924 ("Ultimately, it may be that Plaintiffs’ allegation that their information was actually viewed while it was accessible on the internet will prove to be unsubstantiated. At this early stage in the litigation, however, Plaintiffs allege a plausible claim based on violations of sections 56.101(a) and 56.36(b) of CMIA.").
K. Consumer Legal Remedies Act
The CLRA makes unlawful "unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result or that results in the sale or lease of goods or services to any consumer." Cal. Civ. Code § 1770. For example, as relevant here, it is unlawful to "represent[ ] that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities that they do not have or that a person has a sponsorship, approval, status, affiliation, or connection that the person does not have." Cal. Civ. Code § 1770(a)(5).
Plaintiffs’ CLRA claim fails for the same reasons their UCL claim fails. Specifically, the claim is targeted at Defendants’ past conduct. Plaintiffs allege that Defendants violated the CLRA by representing that they took appropriate measures to protect Plaintiffs’ private information, but then failing to protect the information. (SAC ¶ 527.) Plaintiffs fail to allege that the legal remedies they seek to redress that past conduct are inadequate. See Sonner , 971 F.3d at 844 ("A plaintiff "must establish that she lacks an adequate remedy at law before securing equitable restitution for past harm under the UCL and CLRA."); Section III.I., supra.
Defendants also argue that Plaintiffs’ CLRA claim fails because Plaintiffs failed to comply with the CLRA's pre-filing requirements. (Mot. at 35–36.) The CLRA requires that at least 30 days before filing a CLRA action, a plaintiff must notify the person alleged to have violated Section 1770 of the particular violations alleged, and also demand that the person correct, repair, replace, or otherwise rectify the goods or services alleged to be in violation of Section 1770. Cal. Civ. Code § 1782. Plaintiffs do not dispute that they did not comply with the CLRA's notice requirements. (See Opp. at 35–36.) Rather, Plaintiffs allege that "Defendants have long had notice of Plaintiffs’ allegations, claims and demands, including from the filing of numerous underlying actions against it arising from the Data Breach, the first of which were filed on or about April 22, 2020," and that "Defendants are the parties with the most knowledge of the underlying facts giving rise to Plaintiffs’ allegations, so that any pre-suit notice would not put Defendants in a better position to evaluate those claims." (SAC ¶ 522.) But Plaintiffs cite no authority showing that the CLRA's notice requirements may be excused in such a situation, and the SAC admits that Plaintiffs have not complied with the statutory requirements.
L. Consumer Records Act
The CRA requires California businesses that own or license computerized data that includes personal information to disclose a data breach after discovering one "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." Cal. Civ. Code § 1798.82. Plaintiffs allege that "Defendants unreasonably delayed informing Plaintiffs and Class Members about the Data Breach." (SAC ¶ 540.)
Defendants argue that Plaintiffs fail to sufficiently allege unreasonable delay because Defendants’ delay is explained by their need to "take measures to first determine the breach's scope and restore the integrity of the data system." (Mot. at 38); see Cal. Civ. Code § 1798.82. However, at the pleading stage the Court must accept as true Plaintiffs’ allegation that Defendants’ approximately 3-month delay was unreasonable. More specifically, Plaintiffs allege that Defendants’ delay prevented them from taking appropriate protective measures that could have prevented some of the damages they suffered, and that they therefore suffered "incrementally increased damages" that they would not have suffered with timelier notice. (SAC ¶¶ 544–45.) Indeed, some Plaintiffs allege that they suffered injuries resulting from the breach before they were notified of it that they might have been able to take steps to avoid had they been notified sooner. (See, e.g., id. ¶¶ 142 [Coleman], 263 [Terrano].) Plaintiffs therefore sufficiently allege that Defendants’ delay caused them to incur more damages than they would have incurred with timely notice.
Finally, Defendants argue that Plaintiffs’ CRA claim should be dismissed insofar as Plaintiffs seek to assert it on behalf of non-California residents. Defendants are right on this point. "[D]istrict courts have dismissed CRA claims brought on behalf of non-California Plaintiffs because the CRA is clear that it applies only to ensure the personal information of California residents is protected." In re Yahoo! Inc. Customer Data Sec. Breach Litig. , 2017 WL 3727318, at *34 (N.D. Cal. Aug. 30, 2017) (cleaned up) (collecting cases). Plaintiffs do not argue otherwise. (See Opp. at 37.) Accordingly, Plaintiffs’ CRA claim may only be asserted on behalf of California residents.
M. Illinois Genetic Information Privacy Act
The IGIPA provides that "genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual to receive the information." 410 Ill. Comp. Stat. Ann. 513/15. It further requires that "[w]hen using or disclosing genetic-related information under this Act, a covered entity shall do so in accordance with the minimum necessary standard under HIPAA." 410 Ill. Comp. Stat. Ann. 513/31.10. Finally, it states that "[n]o person may disclose ... the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test." 410 Ill. Comp. Stat. Ann. 513/30. Plaintiffs allege, on behalf of Plaintiff Taglioli and the Illinois sub-class, that Defendants violated each of these provisions "[b]y disclosing Plaintiffs’ and Class Members’ Private Information to unauthorized parties." (SAC ¶ 553.)
For the same reasons described in Sections III.H. and III.J.1., Plaintiffs have not sufficiently alleged disclosure of their private information. Thus, Plaintiffs may not pursue a claim under 410 Ill. Comp. Stat. Ann. 513/31.10 or 410 Ill. Comp. Stat. Ann. 513/30. But Plaintiffs can state a claim under 410 Ill. Comp. Stat. Ann. 513/15, which governs to whom genetic testing and information derived from genetic testing may be released. Defendants argue that Plaintiffs have failed to allege any harm stemming from the disclosure of their genetic information, as Plaintiffs allege harm in the form of identity theft and fraud, not harm occurring from the disclosure of genetic information. Plaintiffs, however, have alleged harm stemming from disclosure of their genetic information—harm to their privacy interests in that information. (See, e.g. , SAC ¶¶ 119, 124, 129); see Patel v. Facebook, Inc. , 932 F.3d 1264, 1274 (9th Cir. 2019), cert. denied , ––– U.S. ––––, 140 S. Ct. 937, 205 L.Ed.2d 524 (2020) (finding that plaintiffs had standing "[b]ecause the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data," and therefore "Facebook's alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests").
The parties agree that courts consider the IGIPA as similar to the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. Ann. 14/10, 14/1 ("BIPA"), as both statutes were created at the same time and feature the same language for a private right of action for an "aggrieved" party. (Mot. at 40; Opp. at 39.)
Defendants also argue that Plaintiffs fail to allege that the information the IGIPA protects—information derived from genetic testing—was released. (Mot. at 42.) But Plaintiffs allege that "medical information" and "diagnosis information" were released in the breach. (SAC ¶ 71.) Given that Defendants are a genetic testing company, it is plausible that information derived from genetic testing was among the medical information and diagnosis information released in the breach.
N. Injunctive and Declaratory Relief
Plaintiffs’ final claim in their SAC is for "Injunctive and Declaratory Relief." Defendants argue that this claim must be dismissed because Plaintiffs have failed to show that they lack an adequate remedy at law. (Mot. at 43–44.) But as already explained, Plaintiffs may seek both damages for past harm and injunctive relief to prevent future harm. See Section III.B.2., supra ; see also Sections III.I. and III.K., supra (explaining that to the extent Plaintiffs failed to allege they lacked an adequate remedy at law in support of their UCL and CLRA claims, it was because those claims sought relief based on Defendants’ past conduct, not relief to prevent future harm).
O. Leave to Amend
"Although leave to amend ‘shall be freely given when justice so requires,’ it may be denied" where it "would not serve any purpose because to grant it would be futile in saving the plaintiff's suit." Chinatown Neighborhood Ass'n v. Harris , 794 F.3d 1136, 1144 (9th Cir. 2015) (quoting Fed. R. Civ. P. 15(a) ). For some of Plaintiffs’ claims, leave to amend is not appropriate. This is Defendants’ fourth motion to dismiss Plaintiffs’ complaints—Defendants moved to dismiss Plaintiffs’ Consolidated Complaint (Dkt. 43), their First Amended Consolidated Complaint (Dkt. 63), their Second Amended Consolidated Complaint (Dkt. 75), and their Second Amended Consolidated Complaint a second time by this motion. With limited exception, each of those motions raised the arguments presented in this motion. Plaintiffs have failed to cure the deficiencies in the dismissed claims despite multiple opportunities to do so, and nothing in the record suggests that they could allege any new facts that would suffice to plausibly state most of these claims.
Recognizing this, Plaintiffs seek leave to amend only their UCL claim, asserting that Defendants’ argument based on Sonner was raised for the first time in this motion to dismiss. (Opp. at 31.) The Court will grant this request. Since the Court granted Defendants’ motion on Plaintiffs’ CLRA claim on the same basis as Plaintiffs’ UCL claim, the Court will also permit amendment of that claim.
IV. CONCLUSION
For the foregoing reasons, Defendants’ motion to dismiss is GRANTED IN PART AND DENIED IN PART . Defendants’ motion is GRANTED as to Plaintiffs’ claim against KMPM on the theory that it failed to engage in due diligence before it existed, and Plaintiffs’ claims for breach of express contract, breach of fiduciary duty, breach of confidence, violation of the UCL, violation of Section 56.10 of the CMIA, violation of the CLRA, and violation of the CRA as to non-California residents. Defendants’ motion is DENIED as to Plaintiffs’ claim against KMPM on the theory that it failed to take action after it had come into existence based on due diligence, and Plaintiffs’ claims for negligence, invasion of privacy, breach of implied contract, unjust enrichment, violation of Section 56.101 of the CMIA, violation of the CRA as to California residents, violation of the IGIPA, and injunctive and declaratory relief. Plaintiffs’ request for leave to amend is GRANTED as to Plaintiffs’ claims under the UCL and CLRA only.