Class Action Complaint filed in Central District of California Alleging Violation of the CCPA Based on a 2019 Data Breach

Mar 11, 2020

by Nora Wetzel

A class action complaint, Fuentes v. Sunshine Behavioral Health Group, was filed yesterday, stating a claim for violation of the California Consumer Privacy Act (“CCPA”), in addition to claims of violation of HIPAA, the Confidentiality of Medical Information Act (Civil Code §56 et seq.), the California Consumer Records Act (Civ. Code §1798.82 et seq.), the Unfair Competition Law (Bus. & Prof. Code §17200 et seq.) (“UCL”), and contract and tort claims.

According to the complaint, Sunshine Behavioral Health Group suffered a data breach affecting medical and personal information beginning in 2017, which it first learned of in September 2019; Sunshine Behavioral Health notified individuals and Attorneys General in January 2020, though it notified the Department of Health and Human Services’ Office for Civil Rights in early December 2019.

With regard to the CCPA, the plaintiff claims that Sunshine Behavioral Health violated the CCPA by allowing unauthorized access, exfiltration, theft, or disclosure of unencrypted and unredacted personal and medical information as a result of violating its duty to implement and maintain reasonable security procedures and practices (Compl. ¶211). The plaintiff also alleges that, before filing his complaint, he satisfied the pre-lawsuit notice obligations required by Civil Code section 1798.150(b) by serving Sunshine Behavioral Health with notice of the claimed CCPA violation (Compl. ¶212). The plaintiff did not allege that Sunshine Behavioral Health violated the CCPA’s other requirements with regard to the rights to deletion, access, disclosure, non-discrimination, or to opt out of sale of personal information.

In terms of the remedy for the asserted CCPA violation, the plaintiff sought injunctive relief alone, in the form of an order enjoining Sunshine Behavioral Health from “continuing to violate the CCPA” (Compl. ¶213). However, the plaintiff went on to allege that he would seek actual, punitive, and statutory damages ($100-$750 per consumer), restitution, and attorneys’ fees and costs if Sunshine Behavioral Health failed to respond to his notice letter or agree to rectify the CCPA violation. While the injunctive relief remedy may not be so concerning to potential defendants, the threat of statutory damages is significant, particularly where there is a class of any significant size (3,500 estimated class members in this case (Compl. ¶99), resulting in a potential statutory damages amount of $350,000-$2.625 million). Seeking damages and fees would certainly increase the plaintiff’s leverage in this action, though it is not clear how the plaintiff theorizes he would obtain attorney fees and costs for violation of the CCPA, as the CCPA allows for “any other relief the court deems proper” (Civ. Code §1798.150(a)(1)) but does not refer to awarding attorney fees.

As for the plaintiff’s UCL claim, the UCL prohibits unlawful, unfair, or fraudulent business acts and practices, and unfair, deceptive, untrue, or misleading advertising that constitute acts of unfair competition. This means that violations of other laws can serve as the predicate or underlying offense for a claim of violation of the UCL. The plaintiff in this case does not assert a claim of violating the CCPA as a “predicate” offense for his UCL claim (Compl. ¶¶ 170-177), though he does assert violations of HIPAA’s Privacy and Security Rules, the Confidentiality of Medical Information Act, and the California Consumer Records Act, particularly for failing to disclose the data breach in a timely and accurate manner.

The plaintiff separately asserted that Sunshine Behavioral Health violated the UCL directly by “representing and advertising that it would maintain adequate data privacy and security practices and procedures to safeguard Plaintiff’s and Class Members’ Personal and Medical Information from unauthorized disclosure, release, data breach, and theft; representing and advertising that it did and would comply with the requirement of relevant federal and state laws pertaining to the privacy and security of Plaintiff’s and Class Members’ Personal and Medical Information; and omitting, suppressing, and concealing the material fact of the inadequacy of the privacy and security protections for Plaintiff’s and Class Members’ Personal and Medical Information” (Compl. ¶172).  How the Court treats the defendant’s representations regarding its privacy and security practices and procedures will prove insightful in terms of viability of UCL claims when data breaches occur.

This class action lawsuit is important in that the Court will deal with issues of what remedies are sought and recovered under the CCPA, and whether the CCPA can apply retroactively to a breach that occurred before January 2020, when the CCPA went into effect.