In 2019, the health care sector was the most frequent target of cybercriminals.  This trend has persisted in 2020.  As CPW’s Kristin Bryan covered, in response to this growing threat, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation and the U.S. Department of Health and Human Services issued a joint alert regarding an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

One recent data breach decision underscores the volume of protected health information (“PHI” under the Health Insurance Portability and Accountability Act Privacy Rule) and personal information that is exposed to bad actors when such incidents occur.  It also suggests that defendants named in data breach litigation may find it increasingly difficult to have conclusory claims dismissed at the pleadings stage.  In Stasi v. Inmediata Health Grp. Corp., a federal court in California ruled on a healthcare software provider’s motion to dismiss claims brought against it in the wake of a “large scale data breach” resulting in the alleged “unauthorized acquisition, access, use, or disclosure of unsecured protected health information and personal information” of over 1.5 million individuals.  Case No. 19cv2353, 2020 U.S. Dist. LEXIS 217097 (S.D. Cal. Nov. 19, 2020).  The overwhelming majority of Plaintiffs’ claims were allowed to proceed, a warning shot to defendants named in other data breach disputes.

The defendant in Stasi is one of many companies that provide billing and health record software and services to healthcare providers.  In 2019, as alleged in the litigation, it was discovered that the PHI and personal information (including, in some instances, Social Security numbers) of over 1.5 million individuals were “posted on the Internet” and “searchable and findable by anyone with access to an internet search engine such as Google.”  The breach was allegedly caused not by cybercriminals but by “a webpage setting that permitted search engines to index webpages” the defendant used for its business operations.
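The opinion describes the cause only as a webpage setting that permitted search engines to index the pages; the page does not say which setting, and nothing below comes from the case record or from any Inmediata system. As an added example, the following Python checks the three signals crawlers honour when deciding whether to list a URL (robots.txt, the X-Robots-Tag response header, and a robots meta tag), using constructed sample inputs. The caveat a practitioner should keep in view: these signals govern discoverability only. A page served without authentication is readable by anyone who has or guesses its URL whether or not it is indexed, so blocking indexing is not a substitute for access control, and a robots.txt block alone does not even guarantee non-indexing, because a disallowed URL can still be listed from inbound links when the crawler never fetches its noindex directive.

```python
"""Audit whether a web page is discoverable by search engines.

Added example with constructed inputs; the path, headers, body and
robots.txt below are hypothetical and not taken from the Stasi record.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class _MetaRobots(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def header_directives(headers):
    """Directives from X-Robots-Tag; a 'googlebot: noindex' prefix is stripped."""
    out = []
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        for part in value.split(","):
            out.append(part.split(":")[-1].strip().lower())
    return out


def crawl_allowed(robots_txt, path, agent="Googlebot"):
    """True if robots.txt (given as text) lets `agent` fetch `path`."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, path)


def assess_page(path, headers, body, robots_txt=""):
    """Return the indexing posture of one page.

    indexable: a crawler may fetch it and nothing tells it not to list it.
    robots_block_only: fetch is disallowed but no noindex is set, so the URL
    can still be indexed from inbound links (the crawler never sees a noindex).
    None of this says anything about who can read the page without a crawler.
    """
    parser = _MetaRobots()
    parser.feed(body)
    directives = set(header_directives(headers)) | set(parser.directives)
    crawlable = crawl_allowed(robots_txt, path)
    noindex = "noindex" in directives or "none" in directives  # "none" = noindex,nofollow
    return {
        "crawlable": crawlable,
        "noindex": noindex,
        "indexable": crawlable and not noindex,
        "robots_block_only": (not crawlable) and not noindex,
    }


if __name__ == "__main__":
    # Constructed sample: a records page with no indexing controls at all.
    sample_headers = {"Content-Type": "text/html; charset=utf-8"}
    sample_body = "<html><head><title>Statement</title></head><body>...</body></html>"
    print(assess_page("/patients/123", sample_headers, sample_body))
    # Same page once the server sends a noindex header.
    print(assess_page("/patients/123", {"X-Robots-Tag": "noindex, nofollow"}, sample_body))
```

Run it against a captured response and robots.txt from a staging copy of the application; an `indexable` result on a page that carries patient data is the misconfiguration class the complaint describes, and a `robots_block_only` result is a weaker fix than it looks. In either case the finding to act on is that the page answers without authentication at all.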

Plaintiffs, consisting of individuals whose information was disclosed in the breach, filed a putative class action.  After their first complaint was dismissed for lack of standing, they filed a First Amended Complaint (“FAC”) that included claims for: (1) negligence; (2) breach of contract; (3) unjust enrichment; (4) violation of the California Confidentiality of Medical Information Act; (5) violation of the California Consumer Privacy Act; (6) violation of the California Customer Records Act; (7) violation of the Minnesota Health Records Act; and (8) invasion of privacy and violation of the California Constitution.  Plaintiffs sought to certify a nationwide class consisting of “[a]ll persons . . . . whose [p]ersonal and [m]edical [i]nformation was compromised as a result of the [d]ata [b]reach announced by [defendant] . . .” or in the alternative, separate statewide classes.  The defendant moved to dismiss for lack of standing and failure to state a cognizable claim under federal pleading standards.

First, as to standing: there is currently a split among the federal courts of appeals regarding the circumstances under which a data breach plaintiff has alleged injury sufficient to confer Article III standing.  [Note: this matters because, absent Article III standing, a plaintiff is precluded from litigating their claims in federal court.]  In Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Supreme Court clarified that a plaintiff cannot allege “a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III,” but “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact.”

Plaintiffs in Stasi argued, consistent with Spokeo and relevant Ninth Circuit precedent, that they sufficiently pled concrete injury by alleging that defendant violated the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §§ 56-56.265.  The court agreed, stating “[a]t the outset, the alleged intangible injury resulting from ‘posting’ or allowing access to disclosure of Plaintiffs’ medical information on the internet in violation of CMIA is, at first blush, just as concrete as the intangible injuries the Ninth Circuit has found to be concrete based on violations of other privacy-related statutes.”  The court also held that “it is reasonable to infer the [plaintiffs’] information could have been viewed or copied once available on the internet,” distinguishing this dispute from another case in which the Ninth Circuit declined to find standing.  As such, Plaintiffs’ alleged violation of CMIA sufficed for purposes of Article III.  The defendant’s motion to dismiss under Rule 12(b)(1) was denied.

With regard to Plaintiffs’ claims for negligence, breach of contract, violation of sections 56.101(a) and 56.36(b) of CMIA, and other violations of California statutory law, the court denied defendant’s motion to dismiss for failure to state a claim, construing Plaintiffs’ allegations generously across the board (even where the court itself identified gaps).  Three of Plaintiffs’ claims were dismissed, but the bulk were allowed to proceed past the pleading stage, for the following reasons among others:

  • Plaintiffs’ negligence claim was not precluded under the economic loss doctrine. This was because, the court held, “the compromised information here includes medical information, the disclosure of which leads to damages that are not necessarily as ‘economic’ as those resulting from the theft of credit card information and social security numbers.”
  • Plaintiffs also sufficiently alleged that defendant owed them a duty to safeguard their personal and medical information as consistent with medical privacy statutes and industry standards. This was so notwithstanding that Plaintiffs and defendant were not in privity with each other.
  • Plaintiffs sufficiently alleged damages to support their negligence claim, which included generalized allegations of “lost time” and “lost money” responding to the disclosure of their information.
  • Plaintiffs also sufficiently alleged a breach of contract claim based on the theory that they are intended third party beneficiaries of contracts between defendant and its customers that required defendant to take appropriate steps to safeguard Plaintiffs’ information (a claim the court described as “tenuous at best”).
  • Plaintiffs adequately alleged a claim under the California Consumer Privacy Act (“CCPA”) as Plaintiffs: (i) alleged that their information was viewed by unauthorized persons and (ii) while the CCPA does not apply to medical information, the FAC alleged other non-medical information was accessible on the internet as a result of the breach.

The court’s detailed opinion in Stasi is a strong warning to defendants named in data breach litigation that motions to dismiss for lack of standing and under Rule 12(b)(6) should be taken seriously and tailored to the specific allegations in the complaint.  Failing to explain adequately to the court how other data privacy and data breach precedent supports dismissal of a plaintiff’s claims can be a fatal strategic oversight.  As the number of data breach cases continues to increase, so will the body of case law exploring these issues.  Stay tuned.