Cousin v. Sharp Healthcare, No. 3:2022cv02040 - Document 42 (S.D. Cal. 2023)
Court Description: ORDER Granting in Part and Denying in Part 28 Defendant's Motion to Dismiss. Signed by Judge Michael M. Anello on 11/17/23. (aas)
Download PDF
<![CDATA[
Cousin v. Sharp Healthcare Doc. 42 1 2 3 4 5 6 7 8 9 UNITED STATES DISTRICT COURT 10 SOUTHERN DISTRICT OF CALIFORNIA 11 12 13 HANNAH COUSIN, et al., individually and on behalf of all others similarly situated, 14 15 16 17 Case No.: 22-cv-2040-MMA-DDL ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO DISMISS Plaintiffs, v. SHARP HEALTHCARE, [Doc. No. 28] Defendant. 18 19 20 This action consists of three consolidated cases brought by Hannah Cousin, Linda 21 Camus, and Edward Barbat (“Plaintiffs”) against Defendant Sharp Healthcare 22 (“Defendant” or “Sharp”). See Case Nos. 22-cv-2040-MMA-DDL, 23-cv-33-MMA- 23 DDL, 23-cv-330-MMA-DDL. The Court previously granted Defendant’s motion to 24 dismiss the Consolidated Class Action Complaint, see Doc. No. 20, and on August 2, 25 2023, Plaintiffs filed a First Amended Consolidated Class Action Complaint, see Doc. 26 No. 23 (“First Amended Complaint” or “FAC”). On August 2, 2023, Defendant filed a 27 motion to dismiss. See Doc. No. 26. Plaintiffs have filed an opposition, to which 28 Defendant replied. See Doc. Nos. 32, 40. The Court found the matter suitable for 1 22-cv-2040-MMA-DDL Dockets.Justia.com 1 determination on the papers and without oral argument pursuant to Civil Local Rule 2 7.1.d.1. See Doc. No. 41. For the reasons set forth below, the Court GRANTS IN 3 PART and DENIES IN PART Defendant’s motion to dismiss. I. BACKGROUND 1 4 5 The background factual allegations as set forth in the initial Consolidated 6 Complaint remain largely unchanged in the First Amended Complaint, and so the Court 7 incorporates its prior Order by reference here. See Doc. No. 22.2 Defendant is a non- 8 profit corporation that operates multiple hospitals and medical groups, and offers a 9 healthcare plan, throughout San Diego, California. FAC ¶ 13. One such hospital 10 operated by Defendant is Sharp Memorial Hospital (“Sharp Memorial”). Id. Plaintiffs 11 are residents of California and Sharp patients, who used Defendant’s website, 12 www.sharp.com, to either search for health care providers, schedule medical 13 appointments, or conduct other health care related matters. Id. ¶¶ 10–12, 70–88. 14 Generally speaking, Plaintiffs allege that Defendant utilizes an online tracking tool, 15 Meta Pixel, on its website sharp.com and related “subpages” to surreptitiously collect 16 their, and other patients’, sensitive health information. See, e.g., id. ¶¶ 1–4, 45–48. The 17 website and subpages are defined as “unauthenticated” because they do not require a 18 patient or user to log in to access the websites. See id. ¶ 42. According to Plaintiffs, the 19 information is shared with Meta in “data packets” labelled with personally identifiable 20 information such as a user’s IP address, and that Meta in turn “processes this information, 21 analyzes it, and assimilates it in order to provide targeted advertisements to businesses 22 23 24 25 26 27 28 1 Reviewing Defendant’s motion to dismiss, the Court accepts as true all facts alleged in the Consolidated Class Action Complaint and construes them in the light most favorable to the Plaintiffs. See Snyder & Assocs. Acquisitions LLC v. United States, 859 F.3d. 1152, 1157 (9th Cir. 2017). 2 Due to the sensitive nature of the health-related allegations, an unredacted version of the Court’s prior Order was docketed at Doc. No. 22. The Court also notes that Plaintiffs were permitted to file unredacted versions of their FAC and opposition under seal. Doc. Nos. 25, 39. The Court’s citations to the FAC, Plaintiffs’ opposition, and the Court’s prior Order are to the redacted versions, as discussion of the confidential allegations is unnecessary at this stage. 2 22-cv-2040-MMA-DDL 1 such as Sharp.” Id. ¶¶ 26, 29. Plaintiffs contend they did not agree to have their 2 information collected and used this way. See, e.g., id. ¶ 3. 3 As a result, Plaintiffs bring the following five causes of action on behalf of a class 4 of Sharp’ website users in California: (1) violation of common law invasion of privacy – 5 intrusion upon seclusion; (2) invasion of privacy under the California Constitution, Art. I 6 § 1; (3) violation of the California Confidentiality of Medical Information Act, California 7 Civil Code § 56 et seq. (“CMIA”); and (4) violation of the California Invasion of Privacy 8 Act, California Penal Code § 630 et seq. (“CIPA”). 9 II. LEGAL STANDARD A Rule 12(b)(6)3 motion tests the legal sufficiency of the claims made in a 10 11 complaint. Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). A pleading must 12 contain “a short and plain statement of the claim showing that the pleader is entitled to 13 relief . . . .” Fed. R. Civ. P. 8(a)(2). However, plaintiffs must also plead “enough facts to 14 state a claim to relief that is plausible on its face.” Fed. R. Civ. P. 12(b)(6); Bell Atl. 15 Corp. v. Twombly, 550 U.S. 544, 570 (2007). The plausibility standard demands more 16 than “a formulaic recitation of the elements of a cause of action,” or “naked assertions 17 devoid of further factual enhancement.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) 18 (internal quotation marks omitted). Instead, the complaint “must contain allegations of 19 underlying facts sufficient to give fair notice and to enable the opposing party to defend 20 itself effectively.” Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). 21 In reviewing a motion to dismiss under Rule 12(b)(6), courts must assume the truth 22 of all factual allegations and must construe them in the light most favorable to the 23 nonmoving party. See Cahill v. Liberty Mut. Ins. Co., 80 F.3d 336, 337–38 (9th Cir. 24 1996). The court need not take legal conclusions as true merely because they are cast in 25 26 27 28 3 Unless otherwise noted, all “Rule” references are to the Federal Rules of Civil Procedure. Additionally, all citations to electronically filed documents refer to the pagination assigned by the CM/ECF system. 3 22-cv-2040-MMA-DDL 1 the form of factual allegations. See Roberts v. Corrothers, 812 F.2d 1173, 1177 (9th Cir. 2 1987). Similarly, “conclusory allegations of law and unwarranted inferences are not 3 sufficient to defeat a motion to dismiss.” Pareto v. FDIC, 139 F.3d 696, 699 (9th Cir. 4 1998). In deciding whether to dismiss the complaint for failure to state a claim, the court 5 is generally bound by the facts and allegations contained within the four corners of the 6 complaint. Hydrick v. Hunter, 500 F.3d 978, 985 (9th Cir. 2007). 7 Where dismissal is appropriate, a court should grant leave to amend unless the 8 plaintiff could not possibly cure the defects in the pleading. See Knappenberger v. City 9 of Phoenix, 566 F.3d 936, 942 (9th Cir. 2009) (quoting Lopez v. Smith, 203 F.3d 1122, 10 1127 (9th Cir. 2000)). 11 12 III. DISCUSSION As an initial matter, the Court previously addressed the issue of whether collecting 13 and sharing of mere browsing activity on a publicly facing website is actionable. See 14 Doc. No. 20 at 6. Defendant again moves to dismiss all claims on the basis that browsing 15 activity on a publicly facing website is not protected, relying largely on the Court’s prior 16 Order. See Doc. No. 28 at 14. In opposition, Plaintiffs point out that they now plead that 17 the Department of Health and Human Servies (“HHS”) issued a privacy bulletin on 18 December 1, 2022, providing that the Health Insurance Portability and Accountability 19 Act (“HIPAA”) applies to the use of tracking technologies such as Meta Pixel embedded 20 on an unauthenticated webpage that, for example, “addresses specific symptoms or health 21 conditions, such as pregnancy or miscarriage, or that permits individuals to search for 22 doctors or schedule appointments without entering credentials may have access to PHI in 23 certain circumstances.” FAC ¶ 101. 24 HIPAA defines “protected health information,” or “PHI” as “individually 25 identifiable” information that is “created or received by a health care provider” and that 26 “[r]elates to the past, present, or future physical or mental health or condition of an 27 individual” or the “provision of health care to an individual.” 45 C.F.R. § 160.103. 28 Having reviewed Plaintiffs’ allegations, see FAC ¶¶ 70–91, the Court finds that their 4 22-cv-2040-MMA-DDL 1 interactions on Defendant’s website, while “unauthenticated” or publicly facing, 2 plausibly involve PHI. As to whether the information is individually identifiable, all 3 three Plaintiffs plead that they are Facebook users. Id. ¶¶ 70, 75, 84. Plaintiffs allege at 4 length how Meta Pixel uses JavaScript code to connect internet activity to a specific 5 individual using IP addresses and Facebook credentials. See id. ¶¶ 23, 27–28, 50–68. 6 Turning to the information that is tracked and whether it is protected, Plaintiff Cousin 7 alleges that she used Sharp’s website to search for a primary care physician. Id. ¶ 71. 8 Namely, she filtered the results of Sharp’s physician directory by, among other things, 9 specialty. This just narrowly survives dismissal by demonstrating that her interactions 10 plausibly relate to the provision of health care. Plaintiffs Camus and Barbat, on the other 11 hand, set forth their particular medical conditions and allege that they searched 12 Defendant’s website for doctors who specialize in these conditions and for information 13 about their conditions (i.e., symptoms, treatments, procedures). Id. ¶¶ 77–82, 85–87. 14 Camus also alleges she booked an appointment to obtain treatment for a medical 15 condition. Id. ¶ 81. These interactions plausibly convey information about a present 16 medical condition and the provision of medical care covered by HIPAA. 17 For these reasons, the Court DENIES Defendant’s motion to the extent it seeks to 18 dismiss all claims on this basis. 19 A. 20 Claim 1: Common Law Invasion of Privacy – Intrusion Upon Seclusion “To state a claim for intrusion upon seclusion under California common law, a 21 plaintiff must show that: (1) a defendant ‘intentionally intrude[d] into a place, 22 conversation, or matter as to which the plaintiff has a reasonable expectation of privacy 23 [,]’ and (2) that the intrusion ‘occurred in a manner highly offensive to a reasonable 24 person.’” Davis v. Facebook Inc., (In re Facebook, Inc. Internet Tracking Litig.) 956 F. 25 3d 589, 601 (9th Cir. 2020) (quoting Hernandez v. Hillsides, Inc., 97 Cal. Rptr. 3d 274, 26 285 (Cal. 2009)). In moving to dismiss this claim, Defendant challenges Plaintiffs’ 27 pleading of the second element, arguing that any intrusion is not “highly offensive.” 28 Doc. No. 28 at 15–17. 5 22-cv-2040-MMA-DDL 1 Whether an alleged intrusion is highly offensive to a reasonable person is an issue 2 not capable of resolution, on these facts, at the motion to dismiss stage. As both parties 3 note, the Ninth Circuit has explained that such a determination “requires a holistic 4 consideration of factors such as the likelihood of serious harm to the victim, the degree 5 and setting of the intrusion, the intruder’s motives and objectives, and whether 6 countervailing interests or social norms render the intrusion inoffensive.” In re 7 Facebook, 956 F.3d at 606 (citing Hernandez, 97 Cal. Rptr. 3d at 287). Here, Plaintiffs 8 allege that their medical conditions and statuses as patients with certain doctors were 9 tracked on Defendant’s website and transmitted to Meta. They contend this information, 10 which was collected during their use of Defendant’s website, was linked to them using 11 their Facebook accounts and/or IP address. FAC ¶ 4. They assert Defendant’s use of 12 Meta Pixel, and Meta’s collection of this information, is for targeted advertising. Id. 13 ¶¶ 18, 29. And they identify a variety of sources that note privacy and policy concerns. 14 Id. ¶¶ 35–40. Simply put, in light of Plaintiffs’ allegations, “[t]he ultimate question of 15 whether [Defendant’s disclosure of their information through Meta Pixel] could highly 16 offend a reasonable individual is an issue that cannot be resolved at the pleading stage.” 17 Id. Accordingly, the Court DENIES Defendant’s motion on this basis. 18 B. 19 Claim 2: California Constitution Invasion of Privacy “A claim for invasion of privacy under the California Constitution involves similar 20 elements.” Id. Plaintiffs must plead “that: (1) they possess a legally protected privacy 21 interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion [is] 22 ‘so serious . . . as to constitute an egregious breach of the social norms’ such that the 23 breach is ‘highly offensive.’” Id. (quoting Hernandez, 97 Cal. Rptr. 3d at 285). 24 “Because of the similarity of the tests, courts consider the claims together and ask 25 whether: (1) there exist a reasonable expectation of privacy, and (2) the intrusion was 26 highly offensive.” Id. at 601. 27 28 Defendant challenges Plaintiffs’ second cause of action for substantively the same reason discussed above: that Plaintiffs fail to plausibly plead any invasion was 6 22-cv-2040-MMA-DDL 1 sufficiently egregious. Doc. No. 28 at 18. For the same reasons, the Court DENIES 2 Defendant’s motion to dismiss Plaintiff’s second claim. Plaintiffs have plausibly pleaded 3 that the alleged invasion of privacy is highly offensive. 4 Defendant also moves to dismiss this claim to the extent Plaintiffs seek monetary 5 damages. Id. As the Court previously explained, “California’s ‘constitutional provision 6 protecting the right of privacy . . . supports a cause of action for an injunction’ but it does 7 not confer on a litigant a private right of action for damages.” Moore v. Rodriguez, No. 8 20-cv-01481-BAS-BGS, 2021 U.S. Dist. LEXIS 103725 at *58–59 (S.D. Cal. June 2, 9 2021) (dismissing an invasion of privacy claim against private defendants under Rule 10 12(b)(6) because the plaintiffs only sought “damages, and not an injunction, as relief”) 11 (citing Clausing v. San Francisco Unified Sch. Dist., 271 Cal. Rptr. 72, 78, (Cal. Ct. App. 12 1990)). Plaintiffs do not address this argument in opposition, and therefore seemingly 13 concede they cannot seek monetary damages in connection with this claim. Therefore, 14 the Court GRANTS Defendant’s motion to dismiss Plaintiff’s claim for monetary 15 damages under Article 1, Section 1 of the California Constitution. 16 C. 17 Claim 3: Violation of CMIA CMIA prohibits the unauthorized disclosure of medical information and the 18 negligent maintenance or preservation of medical information. Cal. Civ. Code 19 §§ 56.10(a), 56.101(a). CMIA defines “Medical Information” as “any individually 20 identifiable information, in electronic or physical form, in possession of or derived from a 21 provider of health care, health care service plan . . . regarding a patient’s medical history, 22 mental health application information, mental or physical condition, or treatment.” Cal. 23 Civ. Code § 56.05(i). “‘Individually identifiable’ means that the medical information 24 includes or contains any element of personal identifying information sufficient to allow 25 identification of the individual, such as the patient’s name, address, electronic mail 26 address, telephone number, or social security number, or other information that, alone or 27 in combination with other publicly available information, reveals the identity of the 28 individual.” Id. 7 22-cv-2040-MMA-DDL 1 It is clear that the California Civil Code’s definition for information protected by 2 CMIA largely tracks HIPAA’s definition of PHI. Therefore, for the reasons discussed 3 above, the Court finds that Plaintiffs have plausibly pleaded their protected medical 4 information, as defined by HIPAA and California Civil Code § 56.05, was disclosed by 5 Defendant. For this reason, the Court DENIES Defendant’s motion to dismiss Plaintiffs’ 6 CMIA claim on this basis. 7 Defendant also argues that Plaintiffs fail to allege their information was transmitted 8 or viewed and therefore have not plausibly pleaded their claim. Doc. No. 28 at 19–23. 9 However, Plaintiffs do plead their information was transmitted to Meta. See, e.g., FAC 10 ¶¶ 29, 74, 83, 88. Plaintiffs must also plausibly plead that their medical information was 11 “improperly viewed or otherwise accessed.” Stasi v. Inmediata Health Grp. Corp., 501 12 F. Supp. 3d 898, 923 (S.D. Cal. 2020) (citing Regents of Univ. of Cal. v. Superior Court, 13 163 Cal. Rptr. 3d 205, 208 (Cal. Ct. App. 2013)). Here Plaintiffs allege upon information 14 and belief that “Meta regularly viewed” the information. FAC ¶ 29. Plaintiffs also plead 15 information regarding Meta’s business model and how it uses the information for targeted 16 advertising. See, e.g., id. ¶ 174. Whether Meta, as an entity and not a human being, can 17 “view” information for CMIA purposes is a question the Court cannot resolve at this 18 stage. Similarly, whether the alleged use by Meta of the information, through perhaps 19 algorithms, amounts to viewing or accessing under CMIA is a question the Court cannot 20 answer on Defendant’s motion to dismiss. It is sufficiently plausible at this time that 21 Plaintiffs’ information was “viewed or otherwise accessed” as contemplated by CMIA. 22 Accordingly, the Court DENIES Defendant’s motion to dismiss Plaintiff’s CMIA claim 23 on this basis as well. 24 D. 25 Claim 4: Violation of CIPA CIPA “broadly prohibits the interception of wire communications and disclosure of 26 the contents of such intercepted communications.” Tavernetti v. Superior Court of San 27 Diego Cty., 148 Cal. Rptr. 883, 885 (Cal. 1978). Namely, it prohibits the use of 28 electronic means to “learn the contents or meaning of any message, report, or 8 22-cv-2040-MMA-DDL 1 communication” “without the consent of all parties to the communication.” Cal. Pen. 2 Code § 631(a). Liability may be had against those who aid another in violating this 3 statute. Id. 4 Here, Defendant argues that Plaintiffs fail to allege facts showing that “contents of 5 communications are at issue.” Doc. No. 28 at 24. “The analysis for a violation of CIPA 6 is the same as that under the federal Wiretap Act.” Cline v. Reetz-Laiolo, 329 F. Supp. 3d 7 1000, 1051 (N.D. Cal. 2018) (internal citation omitted). The Wiretap Act defines the 8 term “contents” as “any information concerning the substance, purport, or meaning of 9 that communication.” 18 U.S.C. § 2510. The Ninth Circuit has held that “contents” 10 means “the intended message conveyed by the communication and does not include 11 record information regarding the characteristics of the message that is generated in the 12 course of the communication.” Graf v. Zynga Game Network, Inc. (In re Zynga Privacy 13 Litig.), 750 F.3d 1098, 1107 (9th Cir. 2014). Defendant discusses Zynga as supporting its 14 position. See Doc. No. 28 at 24. But the Ninth Circuit in Zynga expressly left open the 15 possibility that transmission of electronic data such as URLs could amount to the 16 conveyance of the content of a communication: “Under some circumstances, a user’s 17 request to a search engine for specific information could constitute a communication such 18 that divulging a URL containing that search term to a third party could amount to 19 disclosure of the contents of a communication.” 750 F.3d at 1108–09. Thereafter, in In 20 re Facebook, the Ninth Circuit explained that search “terms and the resulting URLs could 21 divulge a user’s personal interests, queries, and habits on third-party websites” but did 22 not consider whether such information amounted to “content” for the purpose of CIPA or 23 the federal Wiretap Act. 956 F.3d at 605, 607. 24 25 The Court finds the approach and discussion in Hammerling v. Google, LLC, persuasive. 26 27 28 Courts employ a contextual “case-specific” analysis hinging on “how much information would be revealed” by the information’s tracking and disclosure. Google Cookie Placement, 806 F.3d at 137-38. Generally, customer 9 22-cv-2040-MMA-DDL 1 2 3 4 5 information such as a person’s name, address, and subscriber number or identity is record information, but it may be contents when it is part of the substance of the message conveyed to the recipient. See id. at 137; Zynga, 750 F.3d at 1104, 1108-09. Similarly, URLs are record information when they only reveal a general webpage address and basic identification information, but when they reproduce a person’s personal search engine queries, they are contents. See id. at 1108; Forrester, 512 F.3d at 510 n.6. 6 7 615 F. Supp. 3d 1069, 1092–93 (N.D. Cal. 2022). However, unlike the information 8 collected by Google in Hammerling, which merely involved “usage and engagement” 9 data, id. 1078, here Plaintiffs allege that their data included personal search queries— 10 such as specialty healthcare providers and treatments for medical conditions—and 11 therefore plausibly conveyed content: their PHI. See In re Google RTB Consumer Priv. 12 Litig., 606 F. Supp. 3d 935, 949 (N.D. Cal. 2022); see also Gershzon v. Meta Platforms, 13 Inc., No. 23-cv-00083-SI, 2023 U.S. Dist. LEXIS 147448, at *35 (N.D. Cal. Aug. 22, 14 2023); In re Meta Pixel Healthcare Litig., No. 22-cv-03580-WHO, 2022 U.S. Dist. 15 LEXIS 230754, at *36 (N.D. Cal. Dec. 22, 2022). Accordingly, the Court DENIES 16 Defendant’s motion to dismiss Plaintiff’s CIPA claim on this basis. 17 18 IV. CONCLUSION Based upon the foregoing, the Court GRANTS IN PART and DENIES IN PART 19 Defendant’s motion to dismiss. Namely, the Court DISMISSES Plaintiffs’ invasion of 20 privacy claim under the California Constitution (Claim 2) only to the extent Plaintiffs 21 seek monetary damages. The Court DENIES the remainder of Defendant’s motion. The 22 Court DIRECTS Defendant to file an answer within twenty-one (21) days of the date of 23 this Order. 24 25 IT IS SO ORDERED. Dated: November 17, 2023 26 _____________________________ 27 HON. MICHAEL M. ANELLO United States District Judge 28 10 22-cv-2040-MMA-DDL
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
