Patterson v. Medical Review Institute of America, LLC, No. 3:2022cv00413 - Document 23 (N.D. Cal. 2022)
Court Description: ORDER GRANTING DEFENDANT'S MOTION TO DISMISS OR TRANSFER; AFFORDING PLAINTIFF LEAVE TO AMEND; VACATING HEARING; CONTINUING CASE MANAGEMENET CONFERENCE. Should plaintiff wish to file an amended complaint, he shall file it no later than Jul y 14, 2022. The Case Management Conference is continued from August 5, 2022, to October 14, 2022, at 10:30 a.m. A Joint Case Management Conference Statement shall be filed no later than October 7, 2022. Signed by Judge Maxine M. Chesney on June 23, 2022. (mmclc2, COURT STAFF) (Filed on 6/23/2022)
Download PDF
<![CDATA[
Patterson v. Medical Review Institute of America, LLC Doc. 23 1 2 3 4 IN THE UNITED STATES DISTRICT COURT 5 FOR THE NORTHERN DISTRICT OF CALIFORNIA 6 7 ALBERT PATTERSON, Plaintiff, 8 9 10 United States District Court Northern District of California 11 Case No. 22-cv-00413-MMC v. MEDICAL REVIEW INSTITUTE OF AMERICA, LLC, Defendant. ORDER GRANTING DEFENDANT’S MOTION TO DISMISS OR TRANSFER; AFFORDING PLAINTIFF LEAVE TO AMEND; VACATING HEARING; CONTINUING CASE MANAGEMENT CONFERENCE 12 13 Before the Court is defendant Medical Review Institute of America, LLC’s 14 (“MRIoA”) Motion, filed May 31, 2022, “to Dismiss Plaintiff’s Complaint Pursuant to 15 F.R.C.P. 12(b)(1), 12(b)(6), or Transfer the Case Pursuant to 28 U.S.C. § 1404(a).” 16 Plaintiff Albert Patterson (“Patterson”) has filed opposition, to which MRIoA has replied. 17 Having read and considered the papers filed in support of and in opposition to the motion, 18 the Court deems the matter suitable for determination on the parties’ respective written 19 submissions, VACATES the hearing scheduled for July 8, 2022, and rules as follows. 20 BACKGROUND 21 In the Complaint, Patterson alleges MRIoA is an entity that “acquired, collected[,] 22 and stored” customers’ “personal health information” (“PHI”) and “personally identifiable 23 information” (“PII”) “to facilitate clinical peer review of healthcare services.” (See Compl. 24 ¶¶ 1, 5.) Patterson further alleges he received a letter from MRIoA, dated January 7, 25 2022, “informing him that his PHI/PII and/or financial information was involved” in a data 26 breach whereby hackers “infiltrated” MRIoA’s “information network” and “accessed highly 27 sensitive” data stored thereon. (See Compl. ¶¶ 2, 20.) 28 Based on said allegations, Patterson asserts the following nine claims for relief: Dockets.Justia.com 1 (1) “Negligence”; (2) “Confidentiality of Medical Information Act (Cal. Civ. Code § 56, et 2 seq.)”; (3) “Invasion of Privacy”; (4) “Breach of Confidence”; (5) “Information Practices Act 3 of 1977 (Cal. Civ. Code § 1798, et seq.)”; (6) “Breach of Implied Contract”; (7) “Breach of 4 the Implied Covenant of Good Faith and Fair Dealing”; (8) “Unfair Business Practices 5 (Cal. Bus. & Prof. Code § 17200, et seq.)”; and (9) “Unjust Enrichment.”1 6 United States District Court Northern District of California 7 DISCUSSION By the instant motion, MRIoA seeks an order dismissing the above-titled action, or, 8 in the alternative, transferring it to the District of Utah, on the grounds that (1) Patterson 9 lacks Article III standing, (2) Patterson has failed to allege facts sufficient to support any 10 of his claims for relief, and (3) the District of Utah is a more convenient forum. The Court 11 first turns to the question of standing. 12 A district court has subject matter jurisdiction only where the plaintiff has 13 “[s]tanding to sue” under Article III of the Constitution. See Spokeo, Inc. v. Robins, 578 14 U.S. 330, 337-38 (2016). To satisfy Article III’s standing requirements, (1) “the plaintiff 15 must have suffered an injury in fact” that is “concrete and particularized” and “actual or 16 imminent, not conjectural or hypothetical,” (2) the injury must be “fairly traceable” to the 17 challenged conduct of the defendant, and (3) “it must be likely . . . that the injury will be 18 redressed by a favorable decision.” See Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 19 (1992) (internal quotation, citation, and alteration omitted). “The party invoking federal 20 jurisdiction bears the burden of establishing” the elements of standing, see id. at 561, and 21 a plaintiff who lacks standing may not “seek relief on behalf of himself or any other 22 member of [a] class” he purports to represent, see Warth v. Seldin, 422 U.S. 490, 502 23 24 25 26 27 28 1 The First, Third, Fourth, Sixth, Seventh, and Ninth Claims for Relief are brought on behalf of a “Nationwide Class,” defined as “[a]ll individuals within the United States of America whose PHI/PII and/or financial information was exposed to unauthorized third parties as a result of the data breach discovered on November 9, 2021.” (See Compl. ¶ 29.) The Second, Fifth, and Eighth Claims for Relief are brought on behalf of a “California Subclass,” defined as “[a]ll individuals within the State of California whose PII/PHI was stored by Defendant and/or was exposed to unauthorized third parties as a result of the data breach discovered on November 9, 2021.” (See id.) 2 United States District Court Northern District of California 1 (1975) (internal quotation and citation omitted). 2 A defendant seeking dismissal for lack of standing may raise a “facial” or “factual” 3 challenge. See Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). “In 4 a facial attack, the challenger asserts that the allegations contained in a complaint are 5 insufficient on their face to invoke federal jurisdiction,” whereas, “in a factual attack, the 6 challenger disputes the truth of the allegations that, by themselves, would otherwise 7 invoke federal jurisdiction.” See id. “Once the moving party . . . convert[s] [a] motion to 8 dismiss into a factual motion by presenting affidavits or other evidence properly brought 9 before the court, the party opposing the motion must furnish affidavits or other evidence 10 necessary to satisfy its burden of establishing subject matter jurisdiction.” Savage v. 11 Glendale Union High Sch., 343 F.3d 1036, 1039 n.2 (9th Cir. 2003). 12 In the instant motion, MRIoA, raising both facial and factual challenges, contends 13 Patterson lacks Article III standing for the asserted reason that he has not established a 14 cognizable injury in fact. In that regard, MRIoA identifies five theories of injury on which it 15 understands Patterson’s complaint to be based, specifically, (1) increased risk of fraud 16 and identity theft, (2) lost time, (3) anxiety, (4) diminution in the value of PHI and PII, and 17 (5) loss of privacy. (See Mot. at 5:20-25 (citing Compl. ¶¶ 21-24).) In his opposition, 18 Patterson relies only on a theory of “lost time . . . associated with [the] data breach” and 19 makes no argument with respect to the other above-referenced theories of injury. (See 20 Opp. at 3:23-25.) As set forth below, the Court finds Patterson has not met his burden of 21 showing he has suffered a cognizable injury. 22 First, with respect to an increased risk of fraud and identity theft, although 23 Patterson alleges the hackers “accessed highly sensitive PHI/PII and financial 24 information” from MRIoA’s network (see Compl. ¶ 2), MRIoA has submitted undisputed 25 evidence that none of the information about Patterson potentially exposed in the data 26 breach was sufficiently sensitive to create a credible risk of future fraud or identity theft 27 (see Leichliter Decl. ¶ 10 (stating the only information regarding Patterson that was 28 “potentially accessed by the hackers . . . consisted of a single one-page document” 3 United States District Court Northern District of California 1 containing Patterson’s name, a date, the title “Advisory,” a reference to Patterson as the 2 “Insured” and the “Patient,” the phrase “Review Time 60 minutes,” and that the “[t]otal 3 amount[] to be billed [was] $327.000”)); see also In re Zappos.com, Inc., Customer Data 4 Sec. Breach Litig., 888 F.3d 1020, 1027 (9th Cir. 2018) (holding injury in fact exists where 5 information obtained from data breach is “sufficiently sensitive” to “g[ive] hackers the 6 means to commit fraud or identity theft”); Greenstein v. Noblr Reciprocal Exch., Case No. 7 21-cv-04537-JSW, 2022 WL 472183, at *4 (N.D. Cal. Feb. 15, 2022) (finding no “credible 8 and imminent threat of future” identity theft where data breach did not involve “social 9 security or credit card information” or other information that could be used to “open a new 10 account in [p]laintiffs’ names or to gain access to personal accounts likely to have more 11 sensitive information”); Antman v. Uber Techs., Inc., Case No. 3:15-cv-01175-LB, 2015 12 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) (holding no “credible risk of identity theft” 13 exists “[w]ithout a hack of information such as social security numbers, account numbers, 14 or credit card numbers”). 15 Next, with respect to lost time and anxiety associated with the breach, where, as 16 here, there is no credible threat of future identity theft, Patterson cannot “manufacture 17 standing by inflicting harm on [himself] based on [his] fear of hypothetical future harm that 18 is not certainly impending.” See Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013); 19 see also Greenstein (finding no injury in fact based on “time and effort spent 20 monitoring . . . credit reports” after data breach where “risk of identity theft and fraud” was 21 not “real and imminent”); Antman, 2015 WL 6123054, at *11 (holding “risk of identity theft 22 must first be real and imminent[] . . . before mitigation costs establish injury in fact”); 23 Callahan v. Ancestry.com, Inc., Case No. 20-cv-08437-LB, 2021 WL 2433893, at *4-5 24 (N.D. Cal. June 15, 2021) (holding, in data breach context, “anxiety and stress” without 25 “credible threat of future identity theft” is not cognizable injury in fact). 26 With respect to diminution in value, although Patterson alleges a market for PHI, 27 PII, and financial information exists on the “dark web” (see Compl ¶ 75), he does not 28 explain how his information is “less valuable than before the breach,” nor does he allege 4 1 he “had plans to sell” or is “prevent[ed] . . . from selling such information in the future,” 2 see Greenstein, 2022 WL 472183, at *5-6 (holding, “to successfully demonstrate injury in 3 fact by diminution in value of PI, [p]laintiff[] must establish both the existence of a market 4 for her personal information and an impairment of her ability to participate in that market” 5 (internal quotation and citation omitted)).2 United States District Court Northern District of California 6 Lastly, with respect to loss of privacy, Patterson, as MRIoA points out, has not 7 “allege[d] facts to show any unauthorized individual actually viewed” or misused his 8 information (see Mot. at 8:7-17); rather, MRIoA has submitted undisputed evidence that 9 the hackers “demanded a ransom payment . . . in exchange [for] return [of] the data” and 10 that, after receiving such payment from MRIoA, “returned the data they had obtained” 11 (see Sullivan Decl. ¶¶ 7-9); see also In re Practicefirst Data Breach Litig., Case No. 1:21- 12 CV-00790 (JLS/MJR), 2022 WL 354544, at *8 (W.D.N.Y. Feb. 2, 2022) (finding no 13 cognizable injury based on loss of privacy theory where there was no allegation that the 14 “data . . . copied by a hacker and held hostage for payment of a fee . . . was 15 ever . . . viewed by any [unauthorized] person”); Storm v. Paytime, Inc., 90 F. Supp. 3d 16 359, 368 (M.D. Penn. 2015) (finding no cognizable injury where plaintiffs did not allege 17 “unidentified hacker was actually able to view, read, or otherwise understand the data it 18 accessed”; noting privacy is not “violated” unless unauthorized person “has viewed” or “is 19 [imminently] about to view” private information (internal quotation and citation omitted)); 20 In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 786 (N.D. 21 Cal. 2019) (noting plaintiff cannot establish standing “by simply intoning that she suffered 22 an intangible privacy injury”).3 23 24 25 26 27 28 2 Moreover, as MRIoA points out, even if Patterson could plausibly allege he intended to sell his information on the dark web, there is no indication that a market exists for his “innocuous” information that was involved in the subject data breach. (See Mot. at 8:2-6; see also Compl. ¶ 75 (listing, as examples of “sensitive information” sold on dark web, “patient[s’] complete [medical] record, . . . payment card numbers,” and “[s]ocial [s]ecurity numbers”).) 3 To the extent Patterson contends a “risk of future harm” exists because MRIoA’s information system “remains open to attack” (see Opp. at 4:19-24), such “theory of future injury” is “too speculative to satisfy the . . . requirement that threatened injury must be 5 1 2 Court will, however, afford Patterson leave to amend. See Warth, 422 U.S. at 501 3 (holding, where defendant successfully challenges plaintiff’s standing at pleading stage, 4 district courts ordinarily should afford plaintiff leave to amend).4 5 CONCLUSION 6 For the reasons stated above, MRIoA’s motion is hereby GRANTED, and the 7 complaint is hereby DISMISSED for lack of subject matter jurisdiction. Should Patterson 8 wish to file an amended complaint, he shall file it no later than July 14, 2022. 9 United States District Court Northern District of California Accordingly, Patterson’s complaint is subject to dismissal for lack of standing. The In light of the above, the Case Management Conference currently scheduled for 10 August 5, 2022, is hereby CONTINUED to October 14, 2022, at 10:30 a.m. A Joint Case 11 Management Statement shall be filed no later than October 7, 2022. 12 13 IT IS SO ORDERED. 14 15 Dated: June 23, 2022 MAXINE M. CHESNEY United States District Judge 16 17 18 19 20 21 22 23 24 25 26 27 28 certainly impending,” see Clapper, 568 U.S. at 401 (internal quotation, citation, and emphasis omitted). 4 In light of this finding, the Court does not reach MRIoA’s alternative arguments that Patterson has failed to state a claim and that the District of Utah is a more convenient forum. 6
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
