In Stasi v. Inmediata Health Grp. Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 79303, at *1-4 (S.D. Cal. May 5, 2020), Judge Miller dismissed a nationwide identity theft/data breach class action. The facts were as follows:
Plaintiffs allege that in January of 2019, Inmediata learned it was experiencing a large “data security incident” resulting in the exposure of “personal information” of over 1.5 million “affected individuals.” (Compl. ¶ 1.) Inmediata provides software and service solutions to healthcare providers. (Id. ¶ 11.) The affected individuals’ data was viewable online and downloadable. (Id. at ¶ 2.) “[D]ue to a webpage setting that permitted search engines to index internal webpages that Inmediata use[d] for business operations,” the affected individuals’ information “was also searchable, findable, viewable, and downloadable by anyone with access to an internet search engine[.]” (Id.) The affected individuals’ data exposed included “the types of information that federal and state law requires companies to take security measures to protect: names, addresses, [s]ocial [s]ecurity numbers, dates of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physicians.” (Id. at ¶ 3.) By letter dated April 22, 2019, Inmediata notified Plaintiffs “of a data security incident that may have resulted in the potential disclosure of your personal and medical [*3] information.” (Id. ¶¶ 4-6; Doc. No. 1-2 at 2.) On April 24, 2019, Inmediata issued a press release regarding the incident. (Compl. ¶ 14.) Inmediata also filed sample “notice of data security incident” letters with various state attorneys general that mirrored the language of the letters sent to Plaintiffs. (Id. ¶ 15.) The letters stated that “[i]n January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website we use for our business operations.” (Id. ¶ 16.) The letters also stated that “information potentially impacted by this incident may have included your name, address, date of birth, gender, and medical claim information including dates of service, diagnosis codes, procedure codes and treating physician.” (Id. ¶ 17.) Inmediata offered to provide identity monitoring services, but only to those who had their social security numbers disclosed. (Id. ¶ 20.) On December 9, 2019, Plaintiffs filed a putative nationwide class action containing claims for negligence, negligence per se, breach of contract, [*4] violation of California’s Confidentiality of Medical Information Act, CAL. CIV. CODE §§ 56-56.37, and the Minnesota Health Records Act, MINN. STAT. ANN. §§ 144.291-144.34. Plaintiffs bring the action on behalf of themselves and “[a]ll persons . . . . whose [p]ersonal [i]nformation was compromised as a result of the Inmediata Data Security Incident announced by Inmediata on or around April 24, 2019.” (Compl. ¶¶ 40-41.)
Judge Miller found no Article III standing due to lack of injury in fact.
The parties’ threshold dispute is whether Plaintiffs have adequately alleged an injury in fact. Clearly, at this juncture, the prevailing theme of Plaintiffs’ alleged concrete, particularized, and actual or imminent injury is anticipated financial loss, either through identity theft or other fraud. In their Complaint, Plaintiffs allege they suffered an injury in fact because they are “subject to continued, future risk of identity theft, fraudulent charges and other damages.” (Compl. ¶ 21.) Inmediata argues that Plaintiffs have not adequately alleged a risk of future identity theft that is imminent or certainly impending because Plaintiffs do not allege that their specific “electronic health information” was accessed or viewed by an unauthorized person, used to commit identity theft, or that there is any factual basis to assume that harm would ever occur. (Mot. 13-15.) Inmediata also points out that it has been over a year since its “errant web page setting.” (Id. at 13.) Plaintiffs respond by arguing that under Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018), cert. denied sub nom. Zappos.com, Inc. v. Stevens, 139 S. Ct. 1373, 203 L. Ed. 2d 609 (2019), the risk of future identity theft based on the exposure of their personal information is sufficient to establish an injury in fact. (Opp. 12.) . . . Plaintiffs are correct that under Krottner and Zappos the threat of identity theft can constitute an injury in fact, even if identity theft has not yet occurred. Krottner, 628 F.3d at 1140; Zappos, 888 F.3d at 1029. However, the type of information that was allegedly exposed here, and the resulting risk of identity theft, does not rise to the level the court found sufficient in Krottner and Zappos, and is not, as Plaintiffs claim, “enough to enable any crook to steal the identities of Plaintiffs and putative class members.” (Opp. 12.) For several reasons, Krottner and Zappos are distinguishable and do not establish Plaintiffs’ injury in fact. . . .At the outset, Krottner and Zappos are distinguishable because Plaintiffs do not allege their social security numbers were included in the information that was potentially exposed on the internet. Although Plaintiffs allege that “affected individuals” had their social security numbers exposed, a careful reading of the Complaint reveals that Plaintiffs do not actually allege that their social security numbers were exposed. . . .Finally, Plaintiffs do not actually allege that their names, addresses, dates of birth, gender, and medical claims information were exposed. Plaintiffs merely state, as they did with respect to their social security numbers, that “affected individuals” had their “data” exposed, which included the “types” of information companies are required by law to protect, such as names, addresses, dates of birth, gender, and medical claims information. (Compl. ¶ 3.) Even if Plaintiffs had alleged their individual names, addresses, dates of birth, gender, and medical claims information were exposed, Plaintiffs do not allege, and cite no caselaw supporting, this information is of the type “needed to open accounts or spend money in the plaintiffs’ names.” . . . The instant case is also distinguishable from Krottner and Zappos because Plaintiffs do not allege their information was stolen or hacked. Plaintiffs’ allegation that their information was temporarily accessible via the internet, but not necessarily copied or even viewed by a potential identity thief, implicates the warning in Krottner that if a plaintiff were to allege that no information was actually stolen, but nonetheless sued “based on the risk that it would be stolen at some point in the future,” the court would find the threat “far less credible.” 628 F.3d at 1143. . . .Even in Krottner and Zappos, which held that misuse of information is not necessarily required for standing, there was still some indication of actual misuse that is absent from the instant case. See Krottner, 628 F.3d at 1142 (noting that one of the plaintiffs alleged that someone attempted to open a bank account in his name); Zappos, 888 F.3d at 1027-28 (noting that some non-parties had their accounts commandeered and suffered financial losses, and that two plaintiffs had their e-mail accounts taken over). . . Finally, Zappos is distinguishable because it relied on several facts not present here, including that hackers commandeered some non-parties’ accounts and caused financial losses, hackers used one of the plaintiff’s e-mail accounts to send advertisements, and the plaintiffs alleged their stolen information could be used to conduct “phishing” and “pharming.” 888 F.3d at 1027-28. Although some of the reasoning upon which the court in Zappos relied could arguably apply to the instant case, Plaintiffs do not argue that it does. . . .Two of the three named Plaintiffs also allege they suffered an injury in fact based on the time and money they spent protecting themselves from future identity theft. (Compl. ¶¶ 4, 6.) Ms. Staci alleges she now engages in regular monitoring of her credit reports, credit cards, and bank accounts, and that she has spent twenty hours “attempting to determine how she is connected to Inmediata, how her information came into the possession of Inmediata, and trying to make sure she . . . . does not become victimized because of the Inmediata Data Security Incident.” (Id. ¶ 4.) Ms. Garcia alleges she “placed credit freezes on her credit reports with the three major U.S. consumer credit reporting agencies in order to detect potential identity theft and fraudulent activity,” and “now engages in monthly monitoring of her credit and her bank accounts.” (Id. ¶ 6.) Additionally, Ms. Garcia alleges she has “spent her own money and numerous hours addressing issues arising from the Inmediata Data Security Incident.” (Id.) Citing Krottner and Zappos, Plaintiffs argue “[i]t is well established that mitigation expenses constitute an injury-in-fact when the risk of identity theft is real and imminent.” (Opp. 14.) As discussed above, however, under Krottner and Zappos, the risk of identity theft here is not imminent. In the cases cited by Plaintiffs, i.e. those finding that the time and money associated with protection against identity theft support standing, the courts all found the threat of identity theft to be imminent. See Bass, 394 F. Supp. 3d at 1035 (“Plaintiff . . . . has established standing through the dual harms of increased risk of future harm and loss of time.”); In re Anthem, Inc. Data Breach Litig., Case No. 15-MD-02617-LHK, 2016 U.S. Dist. LEXIS 70594, 2016 WL 3029783, at *26 (N.D. Cal. May 27, 2016) (denying motion to dismiss under Rule 12(b)(6) because time and money expended for credit monitoring in response to the “imminent” threat of identity theft constitutes recoverable damages); In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1217 (N.D. Cal. 2014) (“[I]n order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent.”). Plaintiffs cite no case in which the expenditure of time or money to prevent future identity theft was sufficient in and of itself to support standing without a finding that the threat of identity theft was imminent.