Doe v. Kaiser Found. Health Plan

1

JOHN DOE, et al., Plaintiffs, v. KAISER FOUNDATION HEALTH PLAN, INC., et al., Defendants.

No. 23-cv-02865-EMC

United States District Court, N.D. California

April 11, 2024

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS' MOTION TO DISMISS

DOCKET NO. 88

EDWARD M. CHEN UNITED STATES DISTRICT JUDGE

Plaintiffs are seven individuals who are proceeding anonymously: John Doe, John Doe II, Jane Doe, and Jane Does II-V.^[1] They have filed suit on their own behalf and on the behalf of others similarly situated against three Kaiser entities: Kaiser Foundation Health Plan., Inc. (“KFHP”); Kaiser Foundation Hospitals (“Hospitals”); and The Permanente Medical Group (“TPMG”). Collectively the Kaiser entities shall be referred to as “Kaiser.” According to Plaintiffs, Kaiser installed code from third parties on its website and two mobile applications (i.e., the Kaiser Permanente App and the Kaiser Permanente Washington App); that code allows the third parties “to intercept the content of [a Kaiser plan member's] patient status, identifying information, medical topics researched, choices made information shared and communications with their medical providers, including personally identifiable medical information and other confidential information and communications, when that information is in transit” (i.e., between the Kaiser plan member and Kaiser). FAC ¶ 4. The third parties whose code is allegedly on the Kaiser website and mobile applications are: Quantum Metric, Twitter, Adobe, Bing, Google, and Dynatrace.^[2]

Now pending before the Court is Kaiser's motion to dismiss. Kaiser has challenged each of the twenty-one claims asserted in the operative first amended complaint (“FAC”). All of the claims are class claims. In some instances, Plaintiffs have asserted claims on behalf of a multistate class (i.e., a class consisting of people who live in the states where Kaiser operates, also referred to as the Kaiser Operating States Class). In other instances, Plaintiffs have asserted claims on behalf of a single state subclass. Plaintiffs have asserted a number of different claims. A few are based on the common law - e.g., intrusion upon seclusion, breach of contract (express and implied), and negligence. Most are based on a statute. The statutes include wiretapping statutes, computer crime statutes, consumer protection statutes, and statutes similar to the federal Health Insurance Portability and Accountability Act (“HIPAA”).

Having considered the parties' briefs as well as the oral argument of counsel, the Court hereby GRANTS in part and DENIES in part Kaiser's motion to dismiss.

I. FACTUAL & PROCEDURAL BACKGROUND

In the FAC, Plaintiffs allege as follows. KFHP, Hospitals, and TPMG operate under the trade name Kaiser Permanente. KFHP offers health care plans, with hospital care and physician care provided through hospitals and physician practices operated by Hospitals and TPMG. Altogether, Kaiser operates in nine jurisdictions: California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, and Washington, D.C. (referred to collectively as the “Kaiser Operating States”). See FAC ¶¶ 41-46. Plaintiffs and the members of the classes they seek to represent are members of Kaiser health plans in the various jurisdictions. See FAC ¶ 51.

Kaiser operates a website and two mobile applications. Through the website, Kaiser plan members “can perform various tasks that traditionally were only available by physically visiting their health care providers' offices or speaking directly to their health care providers, such as scheduling appointments; checking medical results; reviewing medical histories; researching doctors, locations, and medical services; communicating with providers and paying medical bills.” FAC ¶ 52. Members can do certain tasks, such as researching health conditions and finding doctors, without logging into a patient portal. See FAC ¶ 53. For other tasks, such as accessing medical information, scheduling appointments, and communicating with providers, members must log into the patient portal. See FAC ¶ 57. By signing into the patient portal, a Kaiser plan member agrees to the website and mobile application Terms and Conditions (“TAC”) and related Privacy Statement. See FAC ¶ 64; see also FAC, Exs. 1-2 (TAC and Privacy Statement).

Similar to above, Kaiser plan members can also use mobile applications “to communicate with their doctor's office, schedule appointments, review information about past appointments, fill or refill prescriptions, view their medical history (including allergies, immunizations, ongoing health conditions, and lab test results), choose a doctor, and receive personalized reminders and health information.” FAC ¶ 62.

Through the TAC and Privacy Statement, Kaiser expressly and impliedly promises Kaiser plan members that “it will maintain the privacy and confidentiality of the information shared, and the communications engaged in, on the Site, Portal, and mobile applications.” FAC ¶ 73. But despite these promises, Kaiser intentionally

installed code from multiple third parties throughout the Kaiser Permanente website and mobile applications that allows third party companies such as Quantum Metric, Twitter, Adobe, Bing, and Google [as well as Dynatrace] (collectively, “Third Party Wiretappers”) to intercept the content of Plaintiffs and Class Members' patient status, identifying information, medical topics researched, choices made, information shared and communications with their medical providers, including personally identifiable medical information and other confidential information and communications, when that information is in transit [i.e., between the member and Kaiser].

FAC ¶ 4.

Based on the allegations in the FAC, it appears that Kaiser installed the code from third parties so that Kaiser could use the information collected by the third parties for its own benefit. See, e.g., FAC ¶ 108 (alleging that Adobe's “Experience Cloud . . . allow[s] businesses to personalize and improve their marketing on websites, apps, and social media pages by collecting and analyzing information about website visitors”); FAC ¶ 142 (alleging that Twitter partners with companies such as Kaiser so that the partner “can use [Twitter's] analytic tools for marketing”).

However, it also appears that third parties used the information collected for their own benefit and not just Kaiser's. See, e.g., FAC ¶ 83 (alleging that “Quantum Metric also uses Kaiser Plan Members' communications for its own research and analysis purposes”).

Plaintiffs maintain that they and others similarly situated did not consent to the interception of their information by the third parties. Plaintiffs also contend that Kaiser allowed the interception even though it was required to protect that information under, e.g., HIPAA. See FAC ¶ 7; see also 42 U.S.C. § 1320d-6 (providing for a criminal penalty if a person knowingly, e.g., “discloses individually identifiable health information to another person”); 45 C.F.R. § 164.508(a)(1) (providing that, as a general rule, “a covered entity may not use or disclose protected health information without an authorization that is valid under this section”).

Based on the above as well as other allegations, Plaintiffs bring the following class claims (some on behalf of a multistate class and some on behalf of a subclass(es)^[3]):

(1) Violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq.

(2) Violation of the California Invasion of Privacy Act, Cal. Pen. Code § 631.

(3) Common law invasion of privacy - intrusion upon seclusion.

(4) Invasion of privacy and violation of the California Constitution, Art. I, § 1.

(5) Breach of express contract.

(6) Breach of implied contract.

(7) Negligence per se.

(8) Violation of the California Consumer Legal Remedies Act, Cal. Civ. Code § 1750 et seq.

(9) Violation of the California Confidentiality of Medical Information Act, Cal. Civ. Code § 56.10.

(10) Statutory larceny, Cal. Pen. Code §§ 484, 496.

(11) Violation of the District of Columbia Consumer Protection Procedures Act, D.C. Code § 28-3901, et seq. (brought by Jane Doe II only).

(12) Violation of the Georgia Uniform Deceptive Trade Practices Act, Ga. Code Ann. § 10-1-370 et seq. (brought by John Doe II only).

(13) Violation of the Georgia Computer Systems Protection Act, Ga. Code Ann. § 16-9-93. (brought by John Doe II only).

(14) Violation of the Georgia Insurance and Information Privacy Protection Act, Ga. Code Ann. § 33-39-1 et seq. (brought by John Doe II only).

(15) Violation of the Maryland Wiretapping and Electronic Surveillance Act, Md. Code Ann., Cts. & Jud. Proc. § 10-401 et seq. (brought by Jane Doe III only).

(16) Violation of the Oregon Unlawful Trade Practices Act, Or. Rev. Stat. § 646.605 et seq. (brought by Jane Doe V only),

(17) Violation of the Virginia Computer Crimes Act, Va. Code Ann. § 18.2152.1 et seq. (brought by Jane Doe IV only).

(18) Violation of the Virginia Insurance Information and Privacy Protection Act, Va. Code Ann. § 38.2-600 et seq. (brought by Jane Doe IV only).

(19) Violation of the Washington Consumer Protection Act, Wash. Rev. Code § 19.86 et seq. (brought by Jane Doe only).

(20) Violation of the Washington Privacy Act, Wa. Rev. Code § 9.73 et seq. (brought by Jane Doe only).

(21) Violation of the Washington Health Care Information Act, Wash. Rev. Code § 70.02.005 et seq. (brought by Jane Doe only).

Kaiser has challenged all of Plaintiffs' claims, arguing that some of the Plaintiffs lack standing to proceed with suit and that all of the claims should be dismissed for failure to state a claim for relief.

II. STANDING

A. Legal Standard

A motion to dismiss for lack of subject matter jurisdiction - including...