EXTRA EXTRA–READ ALL ABOUT IT: Data Breach Suit Allowed to Move Forward Under Health Insurance Portability and Accountability Act

I cannot urge you strongly enough to subscribe to consumerprivacyworld.com, folks.

The coverage and analysis over there is simply outstanding. Kristin Bryan is fast becoming the unquestioned Queen of the entire data and privacy security world.

Here’s a taste of her latest work:

First, in regards to standing – there is currently a split among the federal courts of appeals regarding under what circumstances in data breach litigation a plaintiff has alleged injury sufficient for purposes of conferring Article III standing.  [Note: this is important because in the absence of Article III standing, a plaintiff is precluded from litigating their claims in federal court].  In Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Supreme Court clarified that a plaintiff cannot allege “a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III,” but “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact.”

Plaintiffs in Stasi argued, consistent with Spokeo and relevant Ninth Circuit precedent, that they sufficiently pled concrete injury by alleging that defendant violated the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §§ 56-56.265.  The court agreed, stating “[a]t the outset, the alleged intangible injury resulting from ‘posting’ or allowing access to disclosure of Plaintiffs’ medical information on the internet in violation of CMIA is, at first blush, just as concrete as the intangible injuries the Ninth Circuit has found to be concrete based on violations of other privacy-related statutes.”  The court also held that “it is reasonable to infer the [plaintiffs’] information could have been viewed or copied once available on the internet,” distinguishing this dispute from another case in which the Ninth Circuit declined to find standing.  As such, Plaintiffs’ alleged violation of CMIA sufficed for purposes of Article III.  The defendant’s motion to dismiss under Rule 12(b)(1) was denied.

In regards to Plaintiffs’ claims for negligence, breach of contract, violation of sections 56.101(a) and 56.36(b) of CMIA, as well as other violations of California statutory law, the court denied defendant’s motion to dismiss for failure to state a claim, construing Plaintiffs’ allegations across the board generously (even in the face of obvious gaps the court itself identified).  While three of Plaintiffs’ claims were dismissed, the bulk of them were allowed to proceed past the pleading stage.  This included for the following reasons, among others:

Full coverage here: https://www.consumerprivacyworld.com/2020/11/denied-federal-court-allows-claims-to-proceed-against-healthcare-software-provider-concerning-wide-scale-data-breach/

