In Moore v. Centrelake Med. Grp., No. B310859, 2022 Cal. App. LEXIS 795, at *4-7 (Ct. App. Sep. 16, 2022), the Court of Appeal allowed a UCL claim to proceed in a data breach case. The data breach facts were as follows:
Centrelake is a medical provider operating eight medical facilities in southern California. Prior to January 9, 2019, appellants became patients of Centrelake. Centrelake “made repeated promises and representations” to appellants “that it would protect its patients’ PII from disclosure to unauthorized third parties.” Each appellant signed a contract with Centrelake that incorporated a contractually binding privacy policy, viz., Centrelake’s Notice of Privacy Practices (attached to the complaint as an exhibit), in which Centrelake promised to take appropriate steps to attempt to safeguard any medical or other personal information provided to it. Centrelake also published its Notice of Privacy Practices to the public on its website. However, the Notice of Privacy Practices contained false statements concerning data security. Centrelake failed to implement reasonable security practices to protect appellants’ PII. As a result, from January 9 to February 19, 2019, Centrelake suffered a data breach, during which appellants’ PII was “stolen” (in other words, “acquired” or “harvested”) by hackers, and “disseminat[ed] into the public domain.” The stolen PII included contact information (names, addresses, and phone numbers), Social Security numbers, driver’s license information, and medical information (services performed, diagnosis information, health insurance information, referring provider information, medical record number, and dates of service). In April 2019, Centrelake issued a Notice of Data Breach (attached to the complaint as an exhibit). The Notice stated that “suspicious activity” began on Centrelake’s network on January 9, 2019 and continued for over a month until, on February 19, Centrelake discovered that a hacker had infected Centrelake’s system with a virus that prohibited its access to its files. 
Centrelake announced that its ongoing investigation had yet to uncover any evidence that the hacker viewed or took patient information, or any indication that such information had been misused. However, Centrelake acknowledged that the hacker might have gained access to patient records and data. Centrelake encouraged affected individuals to “remain vigilant against incidents of identity theft and fraud” by regularly reviewing their credit reports, financial account statements, and explanations of benefits for suspicious activity. Centrelake provided a toll-free phone line staffed with individuals familiar with the data breach, and invited calls from patients with questions regarding how to protect themselves from “potential harm resulting from this incident,” including how to place fraud alerts on the patients’ credit files.
The Court of Appeal allowed the UCL claim to proceed:
We conclude appellants adequately pled UCL standing under their benefit-of-the-bargain theory. “[A] ‘benefit of the bargain’ approach to establishing UCL standing is rooted in the California Supreme Court’s recognition that a plaintiff may demonstrate economic injury from unfair competition by establishing he or she ‘surrender[ed] in a transaction more, or acquire[d] in a transaction less, than he or she otherwise would have.’” (Cappello v. Walmart Inc. (N.D. Cal. 2019) 394 F.Supp.3d 1015, 1019-1020, quoting Kwikset, supra, 51 Cal.4th at 323; see also Kwikset, at 332 [plaintiffs adequately pled UCL standing, where plaintiffs alleged “[t]hey bargained for locksets that were made in the United States” but “got ones that were not,” and thus did not receive the benefit of their bargain].) Here, appellants alleged they relied on Centrelake’s false representations and promises concerning data security in entering contracts with Centrelake and accepting its pricing terms, paying more than they would have had they known the truth that Centrelake had not implemented and would not maintain adequate data security practices. We conclude these allegations adequately pled UCL standing under Kwikset. (See Kwikset, at 330 [plaintiffs alleged they selected locksets for purchase in part because locksets were mislabeled as made in USA: “because of the misrepresentation the consumer (allegedly) was made to part with more money than he or she otherwise would have been willing to expend . . . . That increment, the extra money paid, is economic injury and affords the consumer standing to sue”].) Indeed, many federal courts, applying Kwikset in the context of data-breach litigation, have held plaintiffs adequately pled UCL standing under similar benefit-of-the-bargain theories. (See, e.g., In re Solara Medical Supplies, LLC Customer Data Security Breach Litigation (S.D. Cal., May 7, 2020, No. 3:19-CV-2284-H-KSC) 2020 U.S. Dist. LEXIS 80736, at *4, *27 (Solara) [“Plaintiffs have all pled that ‘they acquired less in their transactions with [medical supplier] than they would have if [supplier] had sufficiently protected their Personal Information.’ [Citation.] These allegations are enough to establish standing for purposes of the UCL”]; In re Marriott International, Inc., Customer Data Security Breach Litigation (D. Md. 2020) 440 F.Supp.3d 447, 492 [“Plaintiffs allege that ‘had consumers known the truth about Defendants’ data security practices — that they did not adequately protect and store their data — they would not have stayed at a Marriott Property, purchased products or services at a Marriott Property, and/or would have paid less.’ [Citation.] This is sufficient to establish standing for the UCL claim”].)
We disagree with the trial court’s conclusion that appellants’ benefit-of-the-bargain theory failed because appellants did not allege “actual misappropriation of the PII.” As explained above, at this stage of the litigation, we are required to accept as true appellants’ allegations that their PII was stolen and disseminated into the public domain. In any event, appellants’ economic injury allegedly occurred at the time Centrelake unlawfully caused them to pay more than they otherwise would have. (See Kwikset, supra, 51 Cal.4th at 334 [“in the eyes of the law, a buyer forced to pay more than he or she would have is harmed at the moment of purchase”].) This alleged injury was not contingent upon any subsequent misappropriation of appellants’ PII.
We also disagree with Centrelake’s contention that appellants’ benefit-of-the-bargain theory fails because data security was at most “incidental” to appellants’ bargain for medical services. To the contrary, appellants alleged that data security was sufficiently material to them that had they known the truth of the matter, they would not have entered into contracts for medical services with Centrelake, or would not have accepted Centrelake’s pricing terms. Such materiality is to be expected in light of the sensitive and confidential nature of the information appellants entrusted to Centrelake, including medical diagnoses and services performed, as well as Social Security numbers, driver’s license numbers, and health insurance information. Few prospective patients would entrust such information — and pay full market prices — to a medical provider known to be careless with it. Indeed, the Legislature has acted to protect patients’ expectations that their information will be kept confidential and secure. (See Civ. Code, § 56.101, subds. (a)-(b) [requiring health care providers to maintain medical information in manner that preserves its confidentiality, and electronic medical records systems to protect and preserve integrity of electronic medical information]; cf. Kwikset, supra, 51 Cal.4th at 333 [by prohibiting fraudulent made-in-America representations, Legislature made clear that products’ American origin “is precisely the sort of consideration reasonable people can and do attach importance to in their purchasing decisions”].) Moreover, “as ‘materiality is generally a question of fact’ [citation], it is not a basis on which to decide this case on demurrer.” (Kwikset, at 333.)
Centrelake’s reliance on Irwin v. Jimmy John’s Franchise, LLC (C.D. Ill. 2016) 175 F.Supp.3d 1064 is misplaced. There, the plaintiff used debit and credit cards to purchase food at Jimmy John’s restaurant, which suffered a data breach potentially exposing the plaintiff’s financial information to unauthorized third parties, prompting the plaintiff to sue Jimmy John’s in federal court on behalf of herself and a putative class of affected consumers. (Id. at 1068.) In the portion of the opinion on which Centrelake relies, the court dismissed the plaintiff’s unjust enrichment claim under Arizona and Illinois law, reasoning: “[Plaintiff] paid for food products. She did not pay for a side order of data security and protection; it was merely incident to her food purchase . . . .” (Id. at 1071-1072.) But in a separate, more relevant portion of the opinion, the court held the plaintiff had adequately pled a claim under an Arizona consumer-protection statute similar to the UCL, by alleging the restaurant induced her and other consumers to make purchases in reliance on the restaurant’s deceptive indications that their financial information would be secure. (See id. at 1072-1073.) Thus, to the extent this case is relevant to appellants’ UCL claim, it supports their benefit-of-the-bargain theory. We conclude appellants adequately pled that theory as a basis for UCL standing.