District Court (Cal.) Says Data Breach Victim Did Not Plead Enough

In Holly v. Alta Newport Hosp., Inc., No. 2:19-cv-07496-ODW (MRWx), 2020 U.S. Dist. LEXIS 64104, at *1-3 (C.D. Cal. Apr. 10, 2020), Judge Wright held that a data breach victim, on behalf of a putative class, did not plead enough.    The facts were as follows:

On October [*2]  18, 2019, Plaintiff Sallie Holly filed her First Amended Complaint (“FAC”). (FAC, ECF No. 12.) Holly’s claims against Defendants stem from allegations that a Hospital employee inadvertently posted photographs of Holly’s personal medical information on the employee’s public Facebook account. (FAC ¶¶ 23-24, 62-115.)  Holly received medical care at Hospital in March 2017 and, as part of that process, she provided her medical and personal information to Hospital. (FAC ¶ 23.) In September 2017, AHS sent Holly a letter informing her that Hospital discovered an inappropriate disclosure of Holly’s protected health information. (FAC ¶ 24.) AHS explained that, on August 24, 2017, a new employee was training on a software program, viewing medical records on a computer. (FAC ¶ 24.) The employee took six photographs of those medical records on her personal cellular telephone, some of which were Holly’s medical records. (FAC ¶ 24.) The employee then accidentally posted the photographs on her public Facebook account. (FAC ¶ 24.) The next day, a physician notified Hospital’s management about the photographs being posted. (FAC ¶ 24.) The information in the posted medical records included Holly’s name, date of birth, account number, and other diagnostic and treatment information. (FAC ¶ 24.) After receiving the letter, both Holly and her counsel contacted Defendants to seek remediation but received no response. (FAC ¶¶ 25-32.)  Based on these allegations, Holly asserts eight causes of action against Defendants: (1) public disclosure of private facts (invasion of privacy); (2) negligent disclosure; (3) negligent training; (4) breach of contract; (5) breach of fiduciary obligation; (6) violation of California Civil Code section 56.10(a) (disclosure of medical information by providers); (7) violation of 42 U.S.C. § 1320d-2 (wrongful disclosure of individually identifiable health information); and (8) negligent infliction of emotional distress. (FAC ¶¶ 62-115.) Holly brings her claims on behalf of a class of similarly situated persons defined as:  All persons who have been patients of Defendants . . . whose personal data has been published without their permission on the Internet during the Data Breach that occurred from at least August 24, 2017 to September 5, 2017 including all persons who were sent the September 5, 2017 letter informing them of the Data Breach.

Judge Wright held that the pleadings were insufficient.

Defendants argue that Holly’s negligence, contract, and fiduciary-based claims against Hospital fail because Holly has not alleged any actual, non-speculative damages. Defendants argue that, in the data breach context, speculative fear [*14]  of identity theft is not sufficient to establish an injury in fact. (Mot. 23-26.)  As an initial matter, “California law permits asserting a breach of fiduciary duty claim even when the damages are nominal.” Sorensen v. New Koosharem Corp., No. CV 15-01088 RGK (PJWx), 2016 WL 4925917, at *7 (C.D. Cal. Mar. 2, 2016) (quoting Tribeca Cos., LLC v. First Am. Title Ins. Co., 239 Cal. App. 4th 1088, 1103 n.12, 192 Cal. Rptr. 3d 354 (2015)). To prove a breach of fiduciary duty, a plaintiff must show: “(1) the existence of a fiduciary duty; (2) breach of the fiduciary duty; and (3) damage proximately caused by the breach.” Jameson v. Desta, 215 Cal. App. 4th 1144, 1164, 155 Cal. Rptr. 3d 755 (2013) (quoting Stanley v. Richmond, 35 Cal. App. 4th 1070, 1086, 41 Cal. Rptr. 2d 768 (1995)). Accordingly, Holly is not required to plead or prove actual damages to state a claim for breach of fiduciary duty. In contrast, Holly’s breach of contract and negligence claims do require actual damages resulting from the complained-of conduct. See Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 1010, 1015 (9th Cir. 2000) (“Under California law, a breach of contract claim requires a showing of appreciable and actual damage.”); Ruiz v. Gap, Inc., 380 F. App’x 689, 691 (9th Cir. 2010) (“California also holds that ‘[n]ominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred.'”) (quoting Fields v. Napa Milling Co., 164 Cal. App. 2d 442, 448, 330 P.2d 459 (1958)). Holly alleges that she suffered “emotional harm and distress and has been injured in her mind and body.” (FAC ¶ 49.) She also alleges that she “experienced fear of identity theft, embarrassment, anxiety, emotional  pain and upset” and was “injured in her health, strength and activity, sustaining injury to her nervous system and person, all of which injuries have caused and continue to cause [Holly] great mental, physical, emotional and nervous pain and suffering.” (FAC ¶¶ 50-51.) Additionally, Holly alleges that she and other class members have suffered damages, including increased risk of identity theft and identity fraud, improper disclosure of personal information, value of time and expenses spent mitigating and remediating the increased risk of identity theft and identity fraud, and the decreased value of their personal information. (FAC ¶¶ 52-53; see also FAC ¶¶ 81-84, 89-90, 97.)  These conclusory and vague allegations are not sufficient to establish that Holly suffered actual damages to support her breach of contract and negligence claims. Burns v. HSBC Bank, No. EDCV 12-1748 JGB (OPx), 2013 WL 12136377, at *5 (C.D. Cal. Aug. 26, 2013) (“[V]ague and conclusory allegations regarding damages are insufficient to survive a motion to dismiss.”). To start, Holly’s bare allegation of increased risk of identity theft is “too speculative to satisfy the pleading requirement” to show actual damages. Svenson v. Google Inc., 65 F. Supp. 3d 717, 725 (N.D. Cal. 2014) (holding that the conclusory assertion of an increased risk of  identity theft was insufficient to satisfy the pleading requirement of contract damages); Sion v. SunRun, Inc., No. CV 16-05834 JST, 2017 U.S. Dist. LEXIS 35730, 2017 WL 952953, at *3 (N.D. Cal. Mar. 13, 2017) (holding the same as to plaintiff’s negligence claims because both breach of contract and negligence require a showing of actual damages).  Next, “[a]lthough actual damages can include emotional distress, a plaintiff must support her claim for pain and suffering with something more than [her] own conclusory allegations, such as specific claims of genuine injury.” Sion, 2017 U.S. Dist. LEXIS 35730, 2017 WL 952953, at *2 (internal quotation marks omitted). Here, Holly’s allegations concerning her physical, mental, and emotional pain “are too sparse and conclusory to support” her claims for damages. Id.; see also Burnell v. Marin Humane Soc’y, No. CV 14-5635 JSC, 2015 U.S. Dist. LEXIS 150607, 2015 WL 6746818, at *19 (N.D. Cal. Nov. 5, 2015) (dismissing intentional infliction of emotional distress claim where complaint lacked “any facts pertaining to the nature and extent of plaintiffs’ emotional or mental suffering”). Similarly, Holly’s conclusory allegations concerning any mitigation or remediation efforts fail because she has not provided any supporting factual allegations or alleged how any credit monitoring was reasonable and necessary. See Ruiz, 380 F. App’x at 691 (finding  plaintiff’s claims failed because plaintiff offered no evidence on the amount of time and money spent on the credit monitoring despite making a bare assertion to that effect). Finally, Holly’s claim concerning the decreased value of personal data also fails for lack of supporting facts. See Razuki v. Caliber Home Loans, Inc., No. CV 17-1718-LAB (WVGx), 2018 U.S. Dist. LEXIS 196070, 2018 WL 6018361, at *1 (S.D. Cal. Nov. 15, 2018) (finding plaintiff failed to sufficiently allege damages to support his negligence claim where plaintiff’s “claim alleging diminution of value of his personal data fails to allege enough facts to establish how his personal information is less valuable as a result of the breach.”).  Accordingly, because Holly’s conclusory and vague allegations are insufficient to establish that she suffered actual damages as a result of the data breach, Defendants’ Motion to Dismiss Holly’s breach of contract and negligence claims is GRANTED. However, as a claim for breach of fiduciary duty may be sustained on nominal damages, Defendant’s Motion to Dismiss Holly’s breach of fiduciary duty claim is DENIED.