Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Premera Blue Cross Customer Data Security Breach Litigation

United States District Court, D. Oregon

February 9, 2017


          Kim D. Stephens, Christopher I. Brain, Chase C. Alvord, and Jason T. Dennett, Tousley Brain Stephens PLLC, Keith S. Dubanevich, Steve D. Larson, and Yoona Park, Stoll Stoll Berne Lokting & Shlachter PC, Ari J. Scharg, Edelson PC, Tina Wolfson, Ahdoot and Wolfson PC, and James Pizzirusso, Hausfeld LLP Of Attorneys for Plaintiffs.

          Daniel R. Warren and David A. Carney, BakerHostetler LLP, Paul G. Karlsgodt, BakerHostetler LLP, and Darin M. Sands, Lane Powell PC, Of Attorneys for Defendant Premera Blue Cross.


          Michael H. Simon United States District Judge

         Plaintiffs bring this putative class action against Defendant Premera Blue Cross (“Premera”), a healthcare benefits servicer and provider. On March 17, 2015, Premera publicly disclosed that its computer network had been breached. Plaintiffs allege that this breach compromised the confidential information of approximately 11 million current and former members, affiliated members, and employees of Premera. The compromised confidential information includes names, dates of birth, Social Security Numbers, member identification numbers, mailing addresses, telephone numbers, email addresses, medical claims information, financial information, and other protected health information (collectively, “Sensitive Information”). According to Plaintiffs, the breach began in May 2014 and went undetected for nearly a year. Plaintiffs allege that after discovering the breach, Premera unreasonably delayed in notifying all affected individuals. Based on these allegations, among others, Plaintiffs bring various state common law claims and state statutory claims.

         On August 1, 2016, the Court granted in part and denied in part Premera's motion to dismiss Plaintiffs' Consolidated Class Action Allegation Complaint. In re Premera Blue Cross Customer Data Sec. Breach Litig., __ F.Supp.3d __, 2016 WL 4107717 (D. Or. Aug. 1, 2016) (“Premera I”). The Court dismissed Plaintiffs' fraud-based claims and contract claims and gave Plaintiffs leave to replead. On September 30, 2016, Plaintiffs filed their First Amended Consolidated Class Action Allegation Complaint (“FAC”). Before the Court is Premera's motion to dismiss Plaintiffs' FAC (“Motion”). Specifically, Premera moves to dismiss Plaintiffs' amended fraud-based and contract claims. Premera also moves to dismiss several claims asserted by two named Plaintiffs, arguing that those claims are preempted by the Employee Retirement Income Security Act (“ERISA”), 29 U.S.C. § 1001 et seq. For the reasons that follow, the Court grants in part and denies in part Premera's Motion.


         A motion to dismiss for failure to state a claim may be granted only when there is no cognizable legal theory to support the claim or when the complaint lacks sufficient factual allegations to state a facially plausible claim for relief. Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010). In evaluating the sufficiency of a complaint's factual allegations, the court must accept as true all well-pleaded material facts alleged in the complaint and construe them in the light most favorable to the non-moving party. Wilson v. Hewlett-Packard Co., 668 F.3d 1136, 1140 (9th Cir. 2012); Daniels-Hall v. Nat'l Educ. Ass'n, 629 F.3d 992, 998 (9th Cir. 2010). To be entitled to a presumption of truth, allegations in a complaint “may not simply recite the elements of a cause of action, but must contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively.” Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). All reasonable inferences from the factual allegations must be drawn in favor of the plaintiff. Newcal Indus. v. Ikon Office Solution, 513 F.3d 1038, 1043 n.2 (9th Cir. 2008). The court need not, however, credit the plaintiff's legal conclusions that are couched as factual allegations. Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009).

         A complaint must contain sufficient factual allegations to “plausibly suggest an entitlement to relief, such that it is not unfair to require the opposing party to be subjected to the expense of discovery and continued litigation.” Starr, 652 F.3d at 1216. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007)).


         In Premera I, the Court described in detail the facts alleged by Plaintiffs concerning the events leading up to the breach, its discovery, and Premera's response. 2016 WL 4107717, at *2-4. In their amended pleading, Plaintiffs continue to allege a Nationwide Data Breach Class, consisting of all persons in the United States whose Sensitive Information was maintained on Premera's database and compromised as a result of the breach announced by Premera on or around March 17, 2015. Plaintiffs also allege a Nationwide Premera Policyholder and Plan Administration Subclass, consisting of all Nationwide Data Breach Class members who paid money to Premera before March 17, 2015 in exchange for health insurance or plan administration (“Policyholder Plaintiffs”). In the alternative, Plaintiffs allege several statewide common law classes, statewide statutory classes, and statewide Policyholder Plaintiffs subclasses. Plaintiffs further alleged that all individually-named Plaintiffs are members of one or more classes or subclasses. In their amended pleading, Plaintiffs assert the following ten claims for relief:

First: Violation of Washington Consumer Protection Act;
Second: Violation Washington Data Breach Disclosure Law;
Third: Negligence; Fourth: Breach of Express Contract;
Fifth: Breach of Contract Implied-in-Fact;
Sixth: Quasi-Contract/Restitution/Unjust Enrichment;
Seventh: Violation of Other State Consumer Protection Laws;
Eighth: Violation of Other State Data Breach Notification Laws;
Ninth: Violation of California Confidential Medical Information Act; and
Tenth: Misrepresentation by Omission.


         A. Plaintiffs' Fraud-Based Claims

         In its Motion, Premera challenges the allegations of fraud contained in Plaintiffs' first, seventh, and tenth claims. Premera argues that Plaintiffs' claims that “sound in fraud” continue to fail to comply with the heightened pleading requirements of Rule 9(b) of the Federal Rules of Civil Procedure and should be dismissed. Plaintiffs respond that their new allegations cure the deficiencies identified by the Court in Premera I. Plaintiffs further respond that their state Consumer Protection Act (“CPA”) claims allege that Premera's conduct was both deceptive and unfair and that the allegation of “unfair” conduct does not “sound in fraud” and thus is not subject to Rule 9(b).

         1. Affirmative Misrepresentation

         “To satisfy Rule 9(b), a pleading must identify ‘the who, what, when, where, and how of the misconduct charged, ' as well as ‘what is false or misleading about [the purportedly fraudulent] statement, and why it is false.'” Cafasso v. Gen. Dynamics C4 Sys., Inc., 637 F.3d 1047, 1055 (9th Cir. 2011) (quoting Ebeid ex rel. United States v. Lungwitz, 616 F.3d 993, 998 (9th Cir. 2010)). In Premera I, the Court noted that Plaintiffs' allegations were unclear about whether Plaintiffs were alleging fraud by affirmative misrepresentation. To cure this deficiency, the Court directed that Plaintiffs must clearly and explicitly identify each specific affirmative misrepresentation alleged and provide all of the other information required under Rule 9(b).

         Premera argues that Plaintiffs' allegations of fraud remain vague and lack the required specificity. Premera also argues that the statements are not false. Further, Premera states that Plaintiffs have not alleged that any of them even read, heard, saw or relied on any statement that could support a fraud claim. Plaintiffs respond that they have stated the alleged affirmative misrepresentations with sufficient specificity. Plaintiffs add that whether the alleged statements are true is an issue of fact not appropriate for resolution in a motion to dismiss. Plaintiffs do not directly respond to Premera's assertion that without a specific allegation that Plaintiffs actually read the alleged misrepresentations, Plaintiffs have not sufficiently alleged causation.

         In their amended pleading, Plaintiffs allege that Premera's policy booklets, Notice of Privacy Practices (“Privacy Notice”), and Code of Conduct contain affirmative misrepresentations. Although Plaintiffs did not attach to their amended pleading copies of Premera's policy booklets, Privacy Notice, or Code of Conduct, Plaintiffs' amended pleading quotes from those documents and Plaintiffs provide identifying Bates numbers and web addresses showing precisely where these documents can be found. FAC ¶¶ 40-44. Premera has attached to its Motion a copy of its Notice of Privacy Practices dated November 20, 2015 (ECF 78-1), the two referenced policy booklets (ECF 78-3 and 78-4), and Premera's Code of Conduct dated May 2015 (ECF 78-5). The Court may consider these documents in ruling on Premera's Motion.[1]

         a. Causation and reliance

         Premera did not expressly and sufficiently raise its argument regarding causation and reliance in its opening brief.[2] Accordingly, the court allowed Plaintiffs to respond at oral argument, and allowed both parties to submit supplemental briefs after oral argument.

         Premera's argument essentially is that in an affirmative misrepresentation case, without any allegation that any plaintiff read and relied upon the allegedly false or misleading statements, a plaintiff cannot show the requisite causation.[3] This argument, however, reads a reliance requirement into the causation element in a CPA claim that the Washington Supreme Court has not adopted.

         In Indoor Billboard/Washington, Inc. v. Integra Telecom of Washington, Inc., 162 Wash.2d 59 (2007), the Washington Supreme Court addressed what is required to prove causation under Washington's CPA when there has been an affirmative misrepresentation. In that case, the court rejected the defendant's argument that “a plaintiff must establish that the plaintiff relied on the defendant's unfair or deceptive act or practice to establish a causal link with the plaintiff's injury” and adopted the position argued by amici curaie in that case that a plaintiff need only establish a causal link between the alleged unfair or deceptive act or practice and the injury. Id. at 78, 83. The court further held that the causal link required is proximate causation and that “[a] plaintiff must establish that, but for the defendant's unfair or deceptive practice, the plaintiff would not have suffered an injury.” Id. at 83. In addition, the court stated that “[p]roximate cause is a factual question to be decided by the trier of fact.” Id.

         Two years after the Washington Supreme Court decided Indoor Billboard, that court addressed the issue again in a decision that may be considered somewhat confusing. In this case, the Washington Supreme Court stated:

Depending on the deceptive practice at issue and the relationship between the parties, the plaintiff may need to prove reliance to establish causation, as in Indoor Billboard. Most courts have concluded a private right of action under state consumer protection law does not necessarily require proof of reliance, consistently with legislative intent to ease the burden ordinarily applicable in cases of fraud.

Panag v. Farmers Ins. Co. of Washington, 166 Wash.2d 27, 59 n.15 (2009) (citing, among others, Bob Cohen, Annotation, Right to Private Action under State Consumer Protection Act- Preconditions to Action, 117 A.L.R.5th 155, § 10, at 222 (2004) (noting jurisdictions, including Washington, where reliance is not required). Two years after deciding Panag, however, the Washington Supreme Court clarified that Indoor Billboard “firmly rejected the principle that reliance is necessarily an element of the plaintiff's case.” Schnall v. AT & T Wireless Servs., Inc., 171 Wash.2d 260, 277 (2011); see also Thornell v. Seattle Serv. Bureau, Inc., 184 Wash.2d 793, 802 (2015) (“In Indoor Billboard this court rejected the principle that reliance is necessarily an element of plaintiff's CPA claim.”).

         Some cases decided in the Western District of Washington have indicated that under Washington's CPA, there is some level of reliance required to prove or allege causation. See, e.g., Kelley v. Microsoft Corp., 251 F.R.D. 544, 558 (W.D. Wash. 2008) (noting that a trier-of-fact would need to determine, among other things, whether each class member saw the allegedly misleading statement); Minnick v. Clearwire US, LLC, 683 F.Supp.2d 1179, 1188 (W.D. Wash. 2010) (finding allegations that alleged misrepresentations on a website were deceptive insufficient where none of the plaintiffs alleged that they visited the website). These cases, however, decided before Schnall, do not imply that reliance is always required.

         The Court holds that under the facts presented here, reliance is not required. The Washington CPA's purpose is “to protect the public and foster fair and honest competition.” Wash. Rev. Code. § 19.86.020. It is intended to “ease the burden ordinarily applicable in cases of fraud.” Panag, 166 Wash.2d at 59 n.15. With this purpose in mind, the Court agrees with the discussion of causation and reliance in the context of class action certification by United States District Judge Richard A. Jones. In a relatively recent decision, Judge Jones explained that when there are substantially identical representations given to all plaintiffs, “the problems associated with proving reliance may be somewhat relaxed” and is distinguished from “a situation where each class member must prove the falsity of different representations, . . . but rather must prove the misleading nature of a substantially identical representation.” Weidenhamer v. Expedia, Inc., 2015 WL 7157282, at *20 (W.D. Wash. Nov. 13, 2015) (emphasis in original). Here, as discussed below, the Court is allowing the Policyholder Plaintiffs' affirmative misrepresentation claim to proceed for those plaintiffs who received the Preferred Select policy booklet, Privacy Notice, or Code of Conduct. Plaintiffs allege that the Privacy Notice was sent with the policy booklet. Thus, the relevant Policyholder Plaintiffs received the same alleged misrepresentations.

         Under such circumstances, and because Washington does not require proof of reliance and holds that proximate causation is an issue of fact, the Court agrees with courts in other jurisdictions that have held that such claims should not be dismissed unless “it is clear that no reasonable person would be deceived by defendant's conduct.” Smith v. Wells Fargo Bank, N.A., 158 F.Supp.3d 91, 101 (D. Conn. 2016), aff'd, 2016 WL 7323985 (2d Cir. Dec. 16, 2016); see also Carrera v. Bayer Corp., 727 F.3d 300, 309 (3d Cir. 2013) (holding that when Florida consumer protection law does not require actual reliance on the deceptive act, the relevant question is whether the alleged practice was likely to deceive a consumer acting reasonably in the same circumstances); Fitzpatrick v. Gen. Mills, Inc., 635 F.3d 1279, 1283 (11th Cir. 2011) (holding that when reliance is not required, “a plaintiff must simply prove that an objective reasonable person would have been deceived”); In re Gerber Probiotic Sales Practices Litig., 2013 WL 4517994, at *9 (D.N.J. Aug. 23, 2013) (noting that “the appropriate inquiry is whether a reasonable person would be misled by the overall advertising”).

         Further, in the context of analyzing class certification, the Central District of California, applying Washington law (as well as the law of three other relevant states), reached the same conclusion, holding that for CPA claims “materiality and reliance on alleged misrepresentations can be proven by reference to a reasonable consumer.” Todd v. Tempur-Sealy Int'l, Inc., 2016 WL 5746364, at *8 (N.D. Cal. Sept. 30, 2016). Here, the Court declines to find that no reasonable person would be deceived by Premera's alleged conduct and representations. Thus, the court declines to dismiss Plaintiffs' affirmative misrepresentation claims for failing to allege causation, at least at the motion to dismiss stage of the proceedings.

         b. Premera's policy booklets

         Plaintiffs allege that Premera's policy booklets are sent to its members. FAC ¶ 181. Plaintiffs further allege that these booklets contain affirmative misrepresentations. Specifically, Plaintiffs assert that Premera's “Preferred Select” policy booklet states: “We protect your privacy by making sure your information stays confidential. We have a company confidentiality policy and we require all employees to sign it.” FAC ¶ 43 and n.1; see also ECF 78-3 at 59. The statement that Premera protects policyholders' privacy and makes sure information stays confidential is a sufficiently specific representation. Plaintiffs allege that this statement is false because Premera did not protect its policyholders' privacy and did not “make sure” that their information stays confidential. See FAC ¶¶ 75-77, 137-141, 144. Plaintiffs also allege that Premera knew this statement was false at the time it made the statement because Premera knew of its inadequate data security measures. These allegations are sufficient under Rule 9(b) to allege a fraudulent misrepresentation for Policyholder Plaintiffs who were sent this booklet. Premera's argument that it did, in fact, reasonably protect the privacy of their policyholders' Sensitive Information presents a question that is inappropriate to resolve at this stage of the litigation.

         Plaintiffs also allege that the “Preferred Bronze” policy contains a misrepresentation. FAC ¶ 43 and n.2. This policy states: “To safeguard your privacy, we take care to ensure that your information remains confidential by having a company confidentiality policy and by requiring all employees to sign it.” FAC ¶ 43; see also ECF 78-4 at 52. Plaintiffs argue that this statement is a promise to take care to ensure that the policyholders' information stays confidential and it is false because Premera did not take adequate care to protect data security. Plaintiffs' argument, however, overlooks the second half of the sentence. Premera promised that it would ensure confidentiality “by having a company confidentiality policy and by requiring employees to sign it.” FAC ¶ 43 (emphasis added). Thus, the Preferred Bronze policy contains a promise to have a company confidentiality policy and to have employees sign that policy. Plaintiffs do not allege that Premera did not have such a policy or did not require that its employees sign the policy. Thus, Plaintiffs' allegations are insufficient to allege fraud by misrepresentation based on the Preferred Bronze policy booklet.

         c. Privacy Notice

         Plaintiffs allege that Premera's Privacy Notice also was provided to its members. FAC ¶ 181. Plaintiffs allege in Paragraph 40 that the Privacy Notice contained misrepresentations, including:

• Premera is “committed to maintaining the confidentiality of your medical and financial information”;
• Under federal law, Premera “must take measures to protect the privacy of your personal information” and “[i]n addition, other state and federal privacy laws may provide additional privacy protection”;
• Premera “protect[s] your personal information in a variety of ways, ” including “authorizing] access to your personal information . . . only to the extent necessary to conduct our business of serving you”;
• Premera “take[s] steps to secure our buildings and electronic systems from unauthorized access”;
• Premera “train[s] our employees on our written confidentiality policy and procedures and employees are subject to discipline if they violate them”;
• Premera “will protect the privacy of your information even if you no longer maintain coverage through us”; and
• Premera is required by law to protect the privacy of Sensitive Information, provide the Privacy Notice to members, and notify members following a breach of Sensitive Information.

         Plaintiffs allege that these statements are false or misleading because Premera was not committed to protecting Plaintiffs' Sensitive Information, did not take the appropriate measures required under federal and state law, did not protect Plaintiffs' Sensitive Information, did not properly train its employees, and did not provide adequate notice of the breach. See FAC ¶¶ 75-77, 137-141, 144. Some of these alleged representations are more appropriate for Plaintiffs' claim of fraud by omission or half-truth (e.g., that Premera represented that under federal law it was required to protect Plaintiffs' Sensitive Information while knowing that it was not adequately complying with those federal laws). Others, however, are representations that, if false, as Plaintiffs allege, are sufficient to allege a claim of affirmative misrepresentations (e.g., that Premera does not limit access to Sensitive Information, train and discipline its employees on data security, or protect privacy of Sensitive Information after a person no longer has coverage with Premera). Accordingly, for Plaintiffs who were provided Premera's Privacy Notice, Plaintiffs' adequately have alleged a claim of affirmative misrepresentation.

         d. ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.