In Stasi v. Inmediata Health Grp. Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 217097 (S.D. Cal. Nov. 19, 2020), Judge Miller allowed a data security breach class action to proceed.  The basis of the class action was as follows:

According to Plaintiffs’ FAC, Inmediata provides billing and health record software and service solutions to healthcare providers. (FAC ¶¶ 17, 19.) In January of 2019, Inmediata first learned it was experiencing a “large data breach” resulting in the “unauthorized acquisition, access, use, or disclosure of unsecured protected health information and personal information” of 1,565,338 individuals. (¶ 2.) Plaintiffs’ information was “posted on the Internet” and “searchable and findable by anyone with access to an internet search engine such as Google[.]” (¶ 7.) Plaintiffs’ information was “disclosed and released to the entire world – it was viewable online by anyone in the world, printable by anyone in the world, copiable by anyone in the world, and downloadable by anyone in the world.” (¶ 8.) The breach did not involve data thieves or hackers. (¶ 9.) Rather, the exposure was “[d]ue to a webpage setting that permitted search engines to index webpages Inmediata uses for business operations[.]” (¶ 7.) By letter dated April 22, 2019, Inmediata notified Plaintiffs of a “data security incident that may have resulted in the potential disclosure of [their] personal and medical information.” (¶ 24; see also Doc. Nos. 16-3, 16-4, 16-5.) Inmediata also filed sample “notice of data security incident” letters with various state attorneys general that mirrored the language of the letters sent to Plaintiffs. (¶ 26.) There were two versions of the letter – one for persons whose social security numbers were part of the breach, and another version for persons whose social security numbers were not part of the breach. (¶ 26 n.1.) Plaintiffs received the version for persons whose social security numbers were not part of the breach. (Id.)
The letters stated that “[i]n January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website [Inmediata] use[s] for . . . . business operations.” (¶ 27.) The letters also stated that “information potentially impacted by this incident may have included your name, address, date of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physician.” (¶ 29.) Inmediata did not offer Plaintiffs fraud insurance or identity monitoring services. (¶ 34.) On December 9, 2019, Plaintiffs filed a putative class action. On May 5, 2020, Plaintiffs’ initial Complaint was dismissed under Rule 12(b)(1). (Doc. No. 15.) On May 19, 2020, Plaintiffs filed their FAC, which included claims for: (1) negligence; (2) breach of contract; (3) unjust enrichment; (4) violation of the California Confidentiality of Medical Information Act; (5) violation of the California Consumer Privacy Act; (6) violation of the California Consumer Records Act; (7) violation of the Minnesota Health Records Act; and (8) invasion of privacy and violation of the California Constitution. (¶¶ 212-324.) Plaintiffs seek to certify a nationwide class consisting of “[a]ll persons . . . . whose [p]ersonal and [m]edical [i]nformation was compromised as a result of the [d]ata [b]reach announced by Inmediata on or around April 24, 2019.” (¶ 199.) Plaintiffs alternatively seek to certify statewide classes for California, Minnesota, and Florida. (¶ 200.)

The court found standing under Ninth Circuit precedent.

Although the Ninth Circuit has found, in near uniformity, that intangible injuries based on alleged violations of privacy-related statutes are sufficiently concrete, Inmediata nonetheless urges the court to follow Bassett v. ABM Parking Servs., Inc., 883 F.3d 776 (9th Cir. 2018). In Bassett, the court held the plaintiff did not sufficiently plead a concrete injury by alleging that a parking garage displayed his unredacted credit card expiration date on his receipt, in alleged violation of the FCRA, where the information was not seen by anyone else. Id. at 783. The court reasoned, “[w]e need not answer whether a tree falling in the forest makes a sound when no one is there to hear it.” Id. Bassett is distinguishable, however, because in Bassett it was known that nobody else saw, or could have seen, the plaintiffs’ protected information. Here, Plaintiffs repeatedly allege their information “was viewed by unauthorized persons.” (¶¶ 269-271, 277.) Although the basis for Plaintiffs’ assertion that their information was actually viewed is sketchy (and, absent ultimate proof, would likely be fatal for Plaintiffs’ case in this regard), it is reasonable to infer the information could have been viewed or copied once available on the internet. (See ¶¶ 7-8.) In other words, unlike in Bassett, the tree falling in the woods question is unavoidable here. Accordingly, even prior to applying the Spokeo test, Ninth Circuit precedent strongly supported the concreteness of Plaintiffs’ alleged injury resulting from a violation of CMIA. . . . Additionally, at least one district court has found an allegation that the plaintiff “received extensive ‘phishing’ emails and text messages [and] spent as much as an hour managing the aftermath of the data breach” was sufficient to allege injury in fact. See Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1035 (N.D. Cal. 2019) (“As consequences of this data breach continue to unfold, so too, will plaintiff’s invested time. More phishing e-mails will pile up. At this stage, the time loss alleged suffices.”). Here, Plaintiffs allege they spent time “dealing with” and “addressing” issues arising from Inmediata’s breach notification. (¶¶ 139, 163, 195.) Plaintiffs also allege they noticed an “increase in spam/phishing” e-mails, calls, or both, from “persons apparently attempting to defraud” them. (¶¶ 136, 157, 192.) Finally, district courts have found that out-of-pocket expenses are sufficient to confer standing in data breach cases. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., Case No. 16-MD-02752-LHK, 2017 WL 3727318, at *16 (N.D. Cal. Aug. 30, 2017) (listing cases). Here, Plaintiffs allege that Ms. Garcia spent her own money “addressing issues” arising from the breach. (¶ 195.) Accordingly, these cases serve as additional support for the concreteness of Plaintiffs’ alleged injuries.

The court allowed the CCPA claim to proceed.

As discussed above, Plaintiffs do not merely allege that it should be inferred or rebuttably presumed that their information was accessed by an unauthorized individual. Plaintiffs repeatedly allege that their information “was viewed by unauthorized persons.” (See, e.g., ¶¶ 269-271, 277.) Moreover, Inmediata does not point to any authority requiring Plaintiffs to plead theft or unauthorized access in order to plead a plausible violation of the CCPA. The CCPA provides a private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” Id. § 1798.150(a). Plaintiffs argue, and Inmediata does not dispute, that the facts alleged in the FAC that Plaintiffs’ personal and medical information were accessible via the internet, constitutes a “disclosure” under the CCPA. (Doc. No. 22 at 22-23.) Further, although Inmediata is correct that the CCPA does not apply to medical information governed by CMIA, § 1798.145(c)(1)(A), Inmediata does not address the non-medical information that it admits was accessible on the internet. Accordingly, at this early stage in the litigation, Plaintiffs allege a plausible claim based on violation of the CCPA, and Inmediata has not met its burden of showing otherwise.