Opinion
22-cv-00413-MMC
08-26-2022
ORDER GRANTING DEFENDANT'S MOTION TO DISMISS PLAINTIFF'S FIRST AMENDED COMPLAINT OR TRANSFER; DISMISSING FIRST AMENDED COMPLAINT WITHOUT FURTHER LEAVE TO AMEND; VACATING HEARING
MAXINE M. CHESNEY UNITED STATES DISTRICT JUDGE
Before the Court is defendant Medical Review Institute of America, LLC's (“MRIoA”) Motion, filed July 28, 2022, “to Dismiss Plaintiff's First Amended Complaint Pursuant to F.R.C.P. 12(b)(1), 12(b)(6), or Transfer the Case Pursuant to 28 U.S.C. § 1404(a).” Plaintiff Albert Patterson (“Patterson”) has filed opposition, to which MRIoA has replied. Having read and considered the papers filed in support of and in opposition to the motion, the Court deems the matter suitable for determination on the parties' respective written submissions, VACATES the hearing scheduled for September 2, 2022, and rules as follows.
In his operative complaint, the First Amended Complaint (“FAC”), Patterson alleges MRIoA is an entity that “acquired, collected[,] and stored” customers' “personal health information [“PHI”]” and “personally identifiable information [“PII”]” to “facilitate clinical peer review of healthcare services.” (See FAC ¶¶ 1, 5.) Patterson further alleges he received a letter from MRIoA, dated January 7, 2022, “informing him that his PHI/PII and/or financial information was involved” in a data breach whereby hackers “infiltrated” MRIoA's “information network” and “accessed highly sensitive” data stored thereon. (See FAC ¶¶ 2, 20.)
Based on said allegations, Patterson asserts the following seven claims for relief: (1) “Negligence”; (2) “Confidentiality of Medical Information Act (Cal. Civ. Code § 56, et seq.)”; (3) “Invasion of Privacy”; (4) “Breach of Confidence”; (5) “Breach of Implied Contract”; (6) “Unfair Business Practices (Cal. Bus. & Prof. Code § 17200, et seq.)”; and (7) “Unjust Enrichment.”
The First, Third, Fourth, Fifth, and Seventh Claims for Relief are brought on behalf of a “Nationwide Class,” defined as “[a]ll individuals within the United States of America whose PHI/PII and/or financial information was exposed to unauthorized third-parties as a result of the data breach discovered on November 9, 2021.” (See FAC ¶ 29.) The Second and Sixth Claims for Relief are brought on behalf of a “California Subclass,” defined as “[a]ll individuals within the State of California whose PII/PHI was stored by Defendant and/or was exposed to unauthorized third parties as a result of the data breach discovered on November 9, 2021.” (See id.)
On May 31, 2022, MRIoA filed a motion seeking an order dismissing the instant action or, in the alternative, transferring it to the District of Utah, on the grounds that (1) Patterson lacks Article III standing, (2) Patterson had failed to allege facts sufficient to support any of his claims for relief, and (3) the District of Utah is a more convenient forum. By order filed June 23, 2022, the Court, finding Patterson had not met his burden to show he has suffered a cognizable injury, dismissed Patterson's initial complaint for lack of Article III standing and afforded Patterson leave to amend. (See Doc. No. 23 (“June 23 Order”).) On July 14, 2022, Patterson filed his FAC.
By the instant motion, MRIoA again seeks an order dismissing, or in the alternative transferring, the instant action, on the same grounds asserted in its earlier motion to dismiss. The Court first turns to the question of standing.
A district court has subject matter jurisdiction only where the plaintiff has “[s]tanding to sue” under Article III of the Constitution. See Spokeo, Inc. v. Robins, 578 U.S. 330, 337-38 (2016). To satisfy Article III's standing requirements, (1) “the plaintiff must have suffered an injury in fact” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” (2) the injury must be “fairly traceable” to the challenged conduct of the defendant, and (3) “it must be likely . . . that the injury will be redressed by a favorable decision.” See Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (internal quotation, citation, and alteration omitted). “The party invoking federal jurisdiction bears the burden of establishing” the elements of standing, see id. at 561, and a plaintiff who lacks standing may not “seek relief on behalf of himself or any other member of [a] class” he purports to represent, see Warth v. Seldin, 422 U.S. 490, 502 (1975) (internal quotation and citation omitted).
A defendant seeking dismissal for lack of standing may raise a “facial” or “factual” challenge. See Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). “In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction,” whereas, “in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction.” See id. “Once the moving party . . . convert[s] [a] motion to dismiss into a factual motion by presenting affidavits or other evidence properly brought before the court, the party opposing the motion must furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction.” Savage v. Glendale Union High Sch., 343 F.3d 1036, 1039 n.2 (9th Cir. 2003).
Here, MRIoA, raising both facial and factual challenges, contends Patterson has, again, failed to establish a cognizable injury in fact. In his opposition, Patterson relies only on theories of “lost time” and “anxiety” caused by the data breach. (See Opp. at 3:23-27, 5:2-3.) Specifically, Patterson alleges that he has spent time “verifying the legitimacy and impact of the [d]ata [b]reach, exploring credit monitoring and identity theft insurance options, self-monitoring his accounts[,] and seeking legal counsel regarding his options for remedying and/or mitigating the effects of the [d]ata [b]reach” (see FAC ¶ 21), and that he has suffered “fear, apprehension, anxiety, and embarrassment” as a result of the breach (see FAC ¶ 23). As set forth below, the Court finds Patterson has not met his burden of showing he has suffered a cognizable injury.
As noted in the Court's June 23 Order, MRIoA has submitted evidence, which remains undisputed by Patterson, that “none of the information about Patterson potentially exposed in the data breach was sufficiently sensitive to create a credible risk of future fraud or identity theft” (see June 23 Order at 3:22-26; see also Leichliter Decl. ¶ 10 (averring the only information regarding Patterson that was “potentially accessed by the attackers . . . consisted of a single one-page document” containing “the date, the title ‘Advisory,' a reference to ‘Patterson, Albert' as ‘Insured' and ‘Patient,' a Policy number, ‘Review Time 60 minutes[,]' and ‘Total amount: to be billed $327.00'”)), and, contrary to Patterson's argument, lost time and anxiety, absent a credible risk, are not “sufficient to establish Article III standing” (see Opp. at 4:12); see also Burns v. Mammoth Media, Inc., Case No. CV 20-04855 DDP (SKx), 2021 WL 3500964, at *2-3 (C.D. Cal. Aug. 6, 2021) (finding no injury in fact based on “loss of time and enjoyment stemming from efforts to mitigate or prevent identity theft” where undisputed evidence showed plaintiff's compromised information could not be used to commit fraud or identity theft); Greenstein v. Noblr Reciprocal Exch., Case No. 21-cv-04537-JSW, 2022 WL 472183, at *6 (N.D. Cal. Feb. 15, 2022) (finding no injury in fact based on “time and effort spent monitoring . . . credit reports” after data breach where “risk of identity theft and fraud” was not “real and imminent”); Callahan v. Ancestry.com, Inc., Case No. 20-cv-08437-LB, 2021 WL 2433893, at *4-5 (N.D. Cal. June 15, 2021) (holding, in data breach context, “anxiety and stress” without “credible threat of future identity theft” is not cognizable injury in fact).
As MRIoA points out, the cases cited by Patterson are readily distinguishable. See Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1034-35 (N.D. Cal. 2019) (finding cognizable injury where plaintiff's stolen information gave “hackers the means to commit fraud or identity theft” and plaintiff spent time sorting through “extensive ‘phishing' emails and text messages” following data breach); Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 912 (N.D. Cal. 2020) (finding cognizable injury where plaintiffs' “sensitive medical information” was “disclosed and released to the entire world” on the internet and plaintiffs spent time and money dealing with “‘increase in spam/phishing e-mails, calls, or both, from persons apparently attempting to defraud' them”); Pruchnicki v. Envision Healthcare Corp., 845 Fed. App'x 613, 614 (9th Cir. 2021) (affirming, without describing nature of stolen information, district court's finding of cognizable injury); see also Pruchnicki v. Envision Healthcare Corp., 439 F.Supp.3d 1226, 1229-31, 1236 (D. Nev. 2020) (noting defendants “concede[d] standing” where plaintiff's “name, date of birth, social security number, driver's license number, and . . . financial information” were stolen in data breach (internal quotation and citation omitted)).
Likewise unavailing is Patterson's argument that he suffered a cognizable injury because his above-referenced mitigation efforts were assertedly “reasonable.” (See Opp. at 4:26-28.) In particular, although Patterson contends he was “[u]nderstandably alarmed” by the letter he received and MRIoA “did not update [him] about what information was accessed until the filing of its initial [m]otion to [d]ismiss” (see Opp. at 4:26-28, 5:7-9), where, as here, the future “harm [a plaintiff] seek[s] to avoid is not certainly impending,” even “costs and burdens” incurred “as a reasonable reaction to a risk of harm” do not suffice to establish the requisite injury in fact, see Clapper v. Amnesty Int'l USA, 568 U.S. 398, 416 (2013) (holding plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending”; noting, “[i]f the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear”).
Accordingly, Patterson's FAC is subject to dismissal for lack of Article III standing.
In light of this finding, the Court does not reach MRIoA's alternative arguments that Patterson has failed to state a claim and that the District of Utah is a more convenient forum.
CONCLUSION
For the reasons stated above, MRIoA's motion to dismiss is hereby GRANTED, and Patterson's FAC is hereby DISMISSED without further leave to amend.
IT IS SO ORDERED.