Dionne Maxwell vs. The Regents of the University of California

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Tentative Ruling

Defendants the Regents of the University of California (“the Regents”) and Steve Telliano, Vicki Bencken, Michele Taber, Andon Carling, Cesar Cervantes, Davor Miksic, Tyler Vogel, Sarah Barr, Doreen Pichotti, Jenny Carrick, and Erin Cherovsky (each, an “Individual Defendant;” together, the “Individual Defendants;” and collectively with the Regents, the “Defendants”) demurrer to Plaintiff Dionne Maxwell’s (“Plaintiff”) Corrected Second Amended Complaint. Defendants also move to strike certain language regarding the damages Plaintiff seeks and the named Individual Defendants. In the interests of judicial economy and efficiency, the Court combines its rulings on these matters into this single Tentative Ruling.

Moving counsel’s Notices of Motion do not provide notice of the Court’s tentative ruling system, as required by Local Rule 1.06. Moving counsel is directed to contact opposing counsel and advise them of Local Rule 1.06, the Court’s tentative ruling procedure, and the manner to request a hearing.

MEET AND CONFER

Code of Civil Procedure (“CCP”) section 430.41(a) provides, “[b]efore filing a demurrer pursuant to this chapter, the demurring party shall meet and confer in person or by telephone with the party who filed the pleading that is subject to demurrer for the purpose of determining whether an agreement can be reached that would resolve the objections to be raised in the demurrer. If an amended complaint, cross-complaint, or answer is filed, the responding party shall meet and confer again with the party who filed the amended pleading before filing a demurrer to the amended pleading.”

Here, moving counsel adequately establishes that the Parties met and conferred regarding the alleged pleading deficiencies in Plaintiff’s complaint and were unable to reach any agreement that would resolve Defendants’ objections and otherwise avoid filing the instant demurrer and motion to strike. (Vitruk Decl., ¶¶ 2-3.)

BACKGROUND

Plaintiff initiated this putative class action against Defendant on March 22, 2023, asserting three causes of action for violation of the California Invasion of Privacy Act (“CIPA”), violation of the Confidentiality of Medical Information Act (“CMIA”), and invasion of privacy in violation of California’s Constitution. (See generally, Complaint.) On September 29, 2023, the Regents demurred to Plaintiff’s First Amended Complaint (“FAC”). On January 19, 2024, the Court

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

sustained in part the Regents’ demurrer to the First Cause of Action for violation of the CIPA, the second cause of action for violation of the CMIA, and the third cause of action for invasion of privacy. (1-19-24 Minute Order.) Given the Court’s ruling on the Regents’ demurrer, the Court declined to reach the Regents’ motion to strike. (Ibid.)

On June 21, 2024, Plaintiff filed a Second Amended Complaint (“SAC”) alleging the same three causes of action. (See generally, SAC.) On August 2, 2024, Plaintiff filed a Corrected SAC, correcting the spelling of Defendant Jenny Carrick’s name. (See generally, Corrected SAC (“CSAC”).) This action arises out of Plaintiff’s use of the website or mobile app associated with UC Davis Health, a health system that provides care across Northern and Central California and which is owned and operated by Defendant. (CSAC, ¶ 1, 3.)

Plaintiff alleges that she has “used the Website and App to communicate her medical information to Defendant.” (Id., ¶ 16.) Specifically, Plaintiff alleges that she “has used the Website for several years and accesses it using her computer. Plaintiff has also used UC Davis Health’s Android app. Plaintiff has used the Website and App to communicate with Defendant in various ways, thereby requiring disclosure of medical information regarding her medical condition, history, or treatment.” (Id., ¶ 90.)

Plaintiff further provides the following list of examples:  “Plaintiff has used the patient portal on the UC Davis Health’s Website and App to book medical appointments and manage her medical appointments, communicating with Defendants the reasons for her medical appointments.”  “She has used the patient portal to obtain bloodwork exams, communicating with Defendants the type of medical exam she was seeking.”  “She has used the patient portal to then review the bloodwork exam results, communicating with Defendants that she indeed obtained the medical exams sought and communicating information on the type of health condition being measured or tested by the bloodwork exam.”  “She used the patient portal to view test results of her mammogram and pap smear exams, communicating with Defendants that she received such examinations.”  “She used the patient portal to view detailed medical bills, communicating with Defendants her history of medical care received and therefore disclosing her medical conditions, history, and/or treatments obtained.”  “Further, Plaintiff used the patient portal to communicate with her care team, including her primary care physician and psychiatrist.”

(CSAC, ¶ 91.) In addition, Plaintiff alleges that she “has further used UC Davis Health’s Website and App to search for specific medical conditions Plaintiff was experiencing such as hernias,

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

migraines, and meniscus tears, thereby communicating with Defendants her specific medical conditions. She also used the Website and App to search for primary care physicians for her to book appointments with, communicating with Defendants that she was seeking primary care treatment.” (Id., ¶ 92.)

Plaintiff includes extensive allegations regarding Third Parties, whose services were allegedly employed by UC Davis Health to “track user behavior, including users’ health-related communications.” (CSAC, ¶ 35.) These Third Parties include Facebook, Google, LinkedIn, X, and Siteimprove. (Id., ¶¶ 36-89, 96-112.) Plaintiff generally describes the Third Parties’ tracking tools and the information transmitted as a result. (Ibid.) Plaintiff alleges that by “installing, integrating and embedding the Facebook Pixel, Google Analytics, X Pixel, Floodlight, Insight Tag (collectively the “Trackers”), and other third-party trackers into the Website and App, and by directing such installation, integration and embedding, the Individual and Doe Defendants aided and conspired with the Third Parties and others to allow those third-party entities to contemporaneously and surreptitiously intercept the Website and App communications of UC Davis Health patients without patients’ consent.” (Id., ¶ 95.)

Defendants now demurrer to the entire FAC, arguing that each cause of action fails to allege facts sufficient to state a cause of action. Defendants also move to strike certain damages requests and the named Individual Defendants.

LEGAL STANDARD

1. Demurrer

A defendant may demur to a complaint where the complaint or any cause of action therein 'does not state facts sufficient to constitute a cause of action.' (CCP § 430.10(e).) A demurrer may only challenge defects on the face of the complaint or from matters that are judicially noticeable. (Blank v. Kirwan (1985) 39 Cal.3d 311, 318; Donabedian v. Mercury Ins. Co. (2004) 116 Cal.App.4th 968, 994.) Consideration of extrinsic facts asserted in the memorandum supporting the demurrer is improper. (Ion Equipment Corp. v. Nelson (1980) 110 Cal.App.3d 868, 881.) However, the face of the complaint includes facts contained in exhibits attached to the complaint. (Frantz v. Blackwell (1987) 189 Cal.App.3d 91, 94.)

A demurrer may be sustained only if the complaint lacks any sufficient allegations to entitle the plaintiff to relief. (Financial Corp. of America v. Wilburn (1987) 189 Cal.App.3d 764, 778.) However, “to state a cause of action against a public entity, every fact material to the existence of its statutory liability must be pleaded with particularity.” (Lopez v. Southern Cal. Rapid Transit Dist. (1985) 40 Cal.3d 780, 795 (quotations and citations omitted) (citing cases); see also

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Covenant Care, Inc. v. Super. Ct. (2004) 32 Cal.4th 771, 790 [finding “statutory causes of action must be pleaded with particularity.”].) “Less particularity is required in pleading matters of which the defendant has superior knowledge; e.g., allegations as to D's knowledge or notice or intent.” (Weil & Brown, Cal. Practice Guide: Civil Procedure Before Trial (The Rutter Group 2022) ¶ 6:121.5, citing Foster v. Sexton, 61 Cal.App.5th 998, 1028.) The complaint will be upheld “so long as it gives notice of the issues sufficient to enable preparation of a defense.” (Doe v.

City of Los Angeles (“Doe”) (2007) 42 Cal.4th 531, 549-550.) “Plaintiff need only plead facts showing that he may be entitled to some relief, we are not concerned with plaintiff’s possible inability or difficulty in proving the allegations of the complaint.” (Highlanders, Inc. v. Olsan (1978) 77 Cal.App.3d 690, 696-97.) “[Courts] are required to construe the complaint liberally to determine whether a cause of action has been stated, given the assumed truth of the facts pleaded.” (Picton v. Anderson Union High School Dist. (1996) 50 Cal.App.4th 726, 733, citation omitted.)

A demurrer admits the truth of all material facts properly pled and the sole issue raised by a general demurrer is whether the facts pled state a valid cause of action – not whether they are true. (Serrano v. Priest (1971) 5 Cal.3d 584, 591.) That said, while the Court will “accept as true the properly pleaded allegations of fact in the complaint,” it will not consider “the contentions, deductions or conclusions of fact or law.” (Canton Poultry & Deli, Inc. v. Stockwell, Harris, Widom & Woolverton (2003) 109 Cal.App.4th 1219, 1225.)

Applicable substantive law does not change merely because the case is a class action. (Washington Mut. Bank, FA v. Superior Court (2001) 24 Cal.4th 906, 914.) Indeed, it is “settled that courts are authorized to weed out legally meritless class action suits prior to certification by demurrer or pretrial motion.” (Tucker v. Pacific Bell Mobile Services (2012) 208 Cal.App.4th 201, 211 [citing Linder v. Thrifty Oil Co. (2000) 23 Cal.4th 429, 440].)

2. Motion to Strike

A party can move to strike any portions of a complaint that are legally deficient or contrary to the law. (CCP §§ 435, 436.) A motion to strike is proper when a portion of a cause of action has a clear substantive defect, such as a violation of the applicable statute of limitations, seeking punitive damages without basis, when the face of the complaint fails to state facts showing a primary right of the plaintiff and primary duty of, or wrong committed by, the defendant. (PH II, Inc. v. Superior Court (1995) 33 Cal.App.4th 1680, 1683.)

Similarly, a motion to strike is appropriate where the complaint alleges a “purported claim of right which is legally invalid” (Id., at p. 1682-1683.) When a plaintiff seeks punitive damages, but is legally barred from recovering such damages, a motion to strike should be granted. (Los Angeles Unified School Dist. v. Superior Court (2021) 64 Cal.App.5th 549, 567, review granted 282 Cal.Rptr.3d 638.) However, a motion to strike may not be used as a procedural line item veto for the civil defendant. (Id., at p. 1683.)

The use of the motion to strike should be cautious and sparing.

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Motions to strike are disfavored. Courts considering such motions must presume the allegations contained therein are true and must consider those allegations in context. (Clauson v. Superior Court (1998) 67 Cal.App.4th 1253, 1255.) “Matter that is essential to a cause of action should not be struck and it is error to do so.” (Quiroz v. Seventh Avenue Ctr. (2006) 140 Cal.App.4th 1256, 1281.)

ANALYSIS

Demurrer

1. Individual Defendant Immunity (All Causes of Action)

With regard to each cause of action, Defendants assert that the Complaint makes clear that any alleged conduct by the Individual Defendants would constitute basic policy decisions, rendering them immune from liability pursuant to Government Code section 820.2. (Demurrer, pp. 19:5- 20:12, 22:27-28, 24:24-25.)

As with the Regents’ prior demurrer on the ground of discretionary immunity, the demurrer on this basis appears to be premature. In general, sovereign immunity is the rule in California. “Except as otherwise provided by statute: (a) [a] public entity is not liable for an injury, whether such injury arises out of an act or omission of the public entity or a public employee or any other person.” (Gov. Code § 815.) However, “[e]xcept as otherwise provided by statute a public employee is liable for injury caused by his act or omission to the same extent as a private person.” (Gov.

Code § 820.) Government Code section 820.2 provides one such exception: “[e]xcept as otherwise provided by statute, a public employee is not liable for an injury resulting from his act or omission where the act or omission was the result of the exercise of the discretion vested in him, whether or not such discretion be abused.” (Gov. Code § 820.2.) Generally, the exercise of discretionary immunity under Government Code section 820.2 is not an appropriate subject for demurrer. (Lopez v. S. Cal. Rapid Transit Dist. (1985) 40 Cal. 3d 780, 794.)

Here, Plaintiff identifies the Individual Defendants, describes their roles and responsibilities, and alleges that “[a]t relevant times, [Individual Defendant] was acting under color of law and within the scope of his employment and/or agency in connection with the installation, integration, embedding and use of tracking technologies on the Website and App.” (CSAC, ¶¶ 4-14.) The facts required to resolve this dispute cannot be determined from the face of the Corrected SAC and accordingly, Defendants’ argument must fail at this stage.

The Court sees no reason to depart from its prior conclusion and Defendants remain free to

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

address the merits of this defense later through an appropriate, noticed motion. Accordingly, Defendants’ demurrer on this ground is OVERRULED.

2. California Invasion of Privacy Act (First Cause of Action)

Section 631 penalizes various forms of secret monitoring of conversations. (Ribas v. Clark (1985) 38 Cal.3d 355, 359.) It provides, in pertinent part: “(a) Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in the county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both a fine and imprisonment in the county jail or pursuant to subdivision (h) of Section 1170 ” (Cal.

Pen. Code § 631(a).)

Defendants argue that Plaintiff’s First Cause of Action fails to state a claim under the CIPA because (1) regarding all Defendants, Plaintiff fails to allege facts showing that the “contents” of her communications were disclosed; (2) regarding all Defendants, Plaintiff fails to distinguish between the public website and the patient portal; (3) regarding the Individual Defendants, “Plaintiff cannot circumvent the plain language and intent of [CIPA] foreclosing liability against the Regents, by simply suing its employees”; (4) Plaintiff has not alleged facts showing that any of the Individual Defendants actually took part in any alleged wiretapping; and (5) regarding the Individual Defendants, the Complaint makes clear that any alleged conduct by the Individual Defendants would constitute basic policy decisions, rendering them immune from liability. (Notice; Demurrer, pp. 15:1-20:12.)

Whether the “contents” of Plaintiff’s communications were disclosed via the public website and/or patient portal

“The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.” (In re Meta Pixel Healthcare Litig. (2022) 647 F.Supp.3d 778, 791.) Under the Wiretap Act, the term

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

“‘contents’ refers to the intended message conveyed by the communication – ‘any information concerning the substance, purport, or meaning” of the communication (18 U.S.C. §2510) – and does not include record information regarding the characteristics of the message that is generated in the course of the communication.’” (In re Zynga Priv Litig. (9th Cir. 2014) 750 F.3d 1098, 1106 (“Zynga”).)

Therefore, tracking “keystrokes, mouse clicks, [and] pages viewed” are not “content” under CIPA. (Yoon v. Lululemon USA, Inc. (C.D. Cal. 2021) 549 F.Supp.3d 1073, 1082-83 (“[n]one of these pieces of data constitutes message content in the same way that words of a text message or an email do”); Graham v. Noom, Inc. (N.D. Cal. 2021) 533 F.Supp.3d 823, 833; Johnson v. Blue Nile, Inc., No. C 20-08183 LB (N.D. Cal. Apr. 8, 2021) 2021 WL 1312771, *3, *5 [providing that IP addresses are “not content”].) The Complaint here alleges more than just keystrokes, mouse clicks, and pages viewed.

Defendants are not aided by their citation to Zynga. In Zynga, the plaintiffs alleged the defendants violated the federal Wiretap Act “by disclosing the HTTP referrer information to third parties.” (Zynga, supra, 750 F.3d at p. 1105.) The court explained that “‘contents’ does not include ‘record’ information,” and that “ ‘contents’ refers to the intended message conveyed by the communication.” (Id., at p. 1106.) The information allegedly disclosed – the HTTP referrer information – included an ID and the address of a webpage, none of which were contents of a communication. (Id., at p. 1107.) However, “[u]nder some circumstances, a user’s request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to a disclosure of contents of a communication.” (Id., at pp. 1108-1109.)

In Cousin v. Sharp Healthcare (Nov. 17, 2023 S.D. Cal.) 702 F.Supp.3d 967 (“Cousin II”), the court held that allegations “that the data included personal search queries – such as specialty healthcare providers and treatments for medical conditions plausibly conveyed content: their PHI.” (Id., at p. 976.) Likewise, “descriptive URLs” that include the path and a query string with detailed information about the search contain “the substance of a communication.” (In re Meta Pixel Healthcare Litigation (N.D. Cal. 2022) 647 F.Supp.3d 778, 795-796.) This kind of “fullstring detailed URL” is not like an IP address because it reveals the contents of what the user was searching for. (Brown v. Google LLC (N.D. Cal. 2023) 685 F.Supp.3d 909, 936.)

Defendants maintain that Plaintiff “fails to plead facts showing (a) what technologies, if any, were actually on the portal, (b) how they were configured, and (c) as a result of such configuration, what actual medical information from Plaintiff (if any) was transmitted to what third party, and whether Plaintiff was personally identifiable.” (Demurrer, p. 17:20-24.) In support, Defendants cite Doe I v. Google LLC (N.D. Cal. July 22, 2024) 2024 WL 3490744.

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

There, the court dismissed a CIPA claim where “the plaintiffs do not adequately allege where on a web property the source code actually exists. This means it’s not clear whether Google is, in fact, reading and learning the contents of the plaintiffs’ private health information.” (Doe I, supra, 2024 WL 3490744 at p. *6.) However, in Doe I, the court considered generalized and conclusory allegations regarding an “investigation” in which the “plaintiffs allege they examined 5,297 ‘web properties,’ and determined Google source code is present on 91 percent of these properties,” and that Google intercepted information about each plaintiff’s specific medical needs and conditions. (Id., at p. *2.)

However, the complaint at issue failed to offer any details about the investigation or how they determined that their private information was intercepted. (Ibid.) Critically, the court considered documents attached to the complaint and concluded that “the plaintiffs cannot simply allege that a ‘web property’ contains source code and then assume this means every single page on that property contains source code” where that assumption was contradicted by the attached documents. (Ibid.)

Construing the Corrected SAC liberally and accepting all pleaded facts as true, as the Court must on demurrer, the Court is persuaded that Plaintiff has alleged that tracking cookies and technologies were installed and embedded within the UC Davis Health website, including both the publicly available website and the secure patient portal. (See CSAC, ¶¶ 18, 33-89 [describing tracking technologies], 90-93 [describing Plaintiff’s use of the website]; 94-112 [describing how tracking technologies functioned in with website and/or app].) In Doe I, the plaintiffs apparently assumed that if a tracking cookie was embedded on any webpage, it was embedded on every page. Here, at the very least, Plaintiff alleges that tracking technologies were embedded on a variety of publicly available and secure portal webpages.

While Plaintiff’s prior allegations were conclusory and/or premised on hypotheticals, now Plaintiff alleges that she “has used the Website and App to communicate with Defendant in various ways, thereby requiring disclosure of medical information regarding her medical condition, history, or treatment” including:  to book medical appointments and manage her medical appointments, communicating with Defendants the reasons for her medical appointments;  to obtain bloodwork exams, communicating with Defendants the type of medical exam she was seeking;  to then review the bloodwork exam results, communicating with Defendants that she indeed obtained the medical exams sought and communicating information on the type of health condition being measured or tested by the bloodwork exam;  to view test results of her mammogram and pap smear exams, communicating with Defendants that she received such examinations;  to view detailed medical bills, communicating with Defendants her history of medical

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

care received and therefore disclosing her medical conditions, history, and/or treatments obtained;  to communicate with her care team, including her primary care physician and psychiatrist;  to search for specific medical conditions Plaintiff was experiencing such as hernias, migraines, and meniscus tears, thereby communicating with Defendants her specific medical conditions; and  to search for primary care physicians for her to book appointments with, communicating with Defendants that she was seeking primary care treatment.

(CSAC, ¶¶ 90-92.) On information and belief, Plaintiff alleges her “communications with UC Davis Health were disclosed by Defendants to the Third Parties and/or intercepted in transit by the Third Parties via full-string detailed URLs, which contain such information as the name of the website, the pages being viewed, and the search terms entered into the website. Along with disclosing Plaintiff’s protected health communications, Defendants also disclosed Plaintiff’s PII, such as Plaintiff’s Facebook ID, allowing Third Parties, like Facebook, to make the connection between her health information and her identity.” (Id., ¶ 93.)

Contrary to Defendants’ suggestion, no logical leap is required to support Plaintiff’s allegations regarding the publicly available website. Plaintiff alleges the specific medical conditions she searched for on the public website and indicates that those specific search terms were conveyed in “full-string detailed URLs.” To the extent Defendants suggest that public browsing activity is not actionable at all, Defendants are mistaken. (Demurrer, pp. 15:25-16:7 [citing Smith v. Facebook (N.D. Cal. 2017) 262 F.

Supp. 3d 943, 954 (“Smith I”); Smith v. Facebook, Inc. (9th Cir. 2018) 745 F. App’x 8, 9 (“Smith II”); Nienaber v. Overlake Hosp. Med. Ctr. (W.D. Wash. May 13, 2024) 2024 WL 2133709, at *5].) These cases make clear that the disclosure of public browsing activity that does not relate “to the past, present, or future physical or mental health or condition of an individual” is not actionable. That is far from a categorical bar on the disclosure of public browsing activity. Nienaber provides a useful comparison.

Unlike the plaintiff there; here, Plaintiff alleges that the text and phrases of searches are transmitted, in addition to information identifying her as a patient, and describes her specific searches. As the courts in Cousin II and In re Meta Pixel Healthcare Litigation recognized, URLs may reveal the substance of communications and PHI. The Court is persuaded that these allegations are sufficiently related to Plaintiff’s past, present, or future physical or mental health or condition.

Plaintiff initially made no effort to distinguish between the publicly available website at www.health.ucdavis.edu and any secure patient portal. In fact, Plaintiff did not even mention the secure public portal, referring only to the “website” in conclusory and/or hypothetical terms.

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

However, in her Corrected SAC, Plaintiff separates her allegations related to information disclosed while using the patient portal (paragraph 91) and the website and mobile app outside the patient portal (paragraph 92). Plaintiff reiterates these allegations in paragraph 145, again noting where information was disclosed via tracking cookies embedded within the website, including the patient portal and the publicly available website and/or app.

For these reasons, Defendants’ demurrer on this basis is OVERRULED.

Vicarious liability against the Regents

Defendants argue that “the Regents cannot be held vicariously liable under CIPA or any other cause of action, as a matter of law.” (Demurrer, p. 18:3-4.) Defendants argue that “Plaintiff should not be allowed to circumvent the clear legislative intent of the CIPA, a specific wiretapping statute under Cal. Pen. Code § 631, through the language of a more general statute, Cal. Gov. Code § 820.2, and hold the Regents vicariously liable for its employees’ or agents’ alleged violations of CIPA.” (Id., p. 18:7-10.) In support, Defendants cite Wells v. One2One Learning Foundation (2006) 39 Cal. 4th 1164, 1190 (“Wells”).

Plaintiff opposes, arguing that (1) the argument is procedurally improper insofar as it only resolves the vicarious liability claim against the Regents and not the entire CIPA cause of action; and (2) the vicarious liability theory is appropriate pursuant to Government Code section 815.2. (Opp., pp. 11:12-13:3.)

As a threshold matter, the Court agrees that a general demurrer does not lie to only part of a cause of action and a motion to strike would have been the more appropriate procedural mechanism to address this issue. However, as previously explained, the Court has the discretion to construe Defendants’ demurrer as a motion to strike and reach the issue. (See 1-19-24 Minute Order [citing Austin v. Los Angeles Unified School Dist. (2016) 244 Cal.App.4th 918, 930; see also Hernandez v. Superior Court (2003) 112 Cal.App.4th 285, 296 [“The trial court has broad discretion to fashion suitable methods of practice to manage complex litigation.”]].)

Considering Wells, the Court previously concluded that the Legislature did not intend to include public entities within the definition of “person” for the purposes of section 631(a). (1-19-24 Minute Order.) However, the Court also made clear that it only resolved Plaintiff’s direct liability theory, not her vicarious liability theory. (Ibid.) Moreover, in considering the definition of “person” in a related section, the Court acknowledged that the Legislature included an “individual acting or purporting to act for or on behalf of any government or subdivision thereof” within the definition of persons. (See Cal. Penal Code, § 632(b).)

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Defendants refer to Government Code section 820.2, which provides that a public employee is not liable for an injury resulting from his act or omission where the act or omission was the result of the exercise of the discretion vested in him. (Gov. Code, § 820.2.) However, Government Code section 815.2 appears to be more relevant for the purposes of vicarious liability. Section 815.2 provides that a “public entity is liable for injury proximately caused by an act or omission of an employee of the public entity within the scope of his employment if the act or omission would, apart from this section, have given rise to a cause of action against that employee or his personal representative” and “[e]xcept as otherwise provided by statute, a public entity is not liable for an injury resulting from an act or omission of an employee of the public entity where the employee is immune from liability.” (Id., § 815.2(a) and (b).)

In asserting that the Regents cannot be held vicariously liable pursuant to Government Code section 820.2, the Regents appear to be conceding that the ordinary rules of vicarious liability for public entities control. If the Regents are ultimately correct that the Individual Defendants cannot be held liable because their alleged acts or omissions were the result of the exercise of discretion pursuant to section 820.2, then the Regents could not be held vicariously liable pursuant to section 815.2 because the “public entity is not liable for an injury resulting from an act or omission of an employee of the public entity where the employee is immune from liability.” As the Court has explained above, it is premature to resolve on demurrer whether the alleged acts or omissions of the Individual Defendants were the result of the exercise of discretion under section 820.2.

Thus, it is premature to address whether the Regents could be held vicariously liable under section 815.2.

In any event, Defendants offer no authority for their assertion that the Regents cannot be held vicariously liable as a matter of law. “When [a party] fails to raise a point, or asserts it but fails to support it with reasoned argument and citations to authority, we treat it as waived.” (Badie v. Bank of America (1998) 67 Cal.App.4th 779, 784-785.)

Accordingly, Defendants’ demurrer on this basis is OVERRULED.

Whether the Individual Defendants actually took part in any alleged wiretapping

Next, Defendants argue that “[t]here are no facts showing any wrongdoing by any Individual Defendant” and those facts alleged “fall woefully short of establishing this statutory CIPA claim.” (Demurrer, p. 18:18-19:3.)

Here, Plaintiff identifies the Individual Defendants, describes their roles and responsibilities, and alleges that “[a]t relevant times, [Individual Defendant] was acting under color of law and within the scope of his employment and/or agency in connection with the installation, integration,

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

embedding and use of tracking technologies on the Website and App.” (CSAC, ¶¶ 4-14.) Each Individual Defendant’s role relates to UC Davis Health’s website, marketing, and/or related data analytics. (Ibid.) Plaintiff further alleges that “[t]hrough the Third Parties’ tracking services, which UC Davis Health used via code installed, integrated and embedded into the Website and App by and at the direction of the Individual and Doe Defendants, Defendants disclosed patients’ identities and online activity, including information and search results related to their private medical treatment” and “[b]y installing, integrating and embedding the Facebook Pixel, Google Analytics, X Pixel, Floodlight, Insight Tag (collectively the “Trackers”), and other third-party trackers into the Website and App, and by directing such installation, integration and embedding, the Individual and Doe Defendants aided and conspired with the Third Parties and others to allow those third-party entities to contemporaneously and surreptitiously intercept the Website and App communications of UC Davis Health patients without patients’ consent. (Id., ¶¶ 94-95 [emphasis added]; see also ¶¶ 96 [“Defendant Regents, acting through the Individual and Doe Defendants, aided the Third Parties”], 142 [“At all relevant times, the Individual and Doe Defendants aided, agreed with, and conspired with the Third Parties, and other third-party trackers to track and intercept Plaintiff’s and Class Members’ internet communications while accessing www.health.ucdavis.edu.”], 143 [“The Individual and Doe Defendants, when aiding and assisting the wiretapping as alleged herein, intended to help the Third Parties, and other third-party trackers learn some meaning of the content in the URLs and the content the visitor requested.”]; 145 [“as a result of the Individual and Doe Defendants’ integration, installation and embedding of the Trackers, and other third-party trackers”]; 146 [“As demonstrated hereinabove, the Individual and Doe Defendants violated CIPA by aiding, agreeing with and conspiring with the Third Parties in a manner that allowed those Third Parties to contemporaneously and surreptitiously intercept patients’ online communications through the Website and App without patients’ consent.”].)

Defendants cite City of Whittier v. Everest National Ins. Co. (2023) 97 Cal. App. 5th 895, 903, for the proposition that “[i]n a typical wiretapping case against an individual, that individual (e.g., police personnel) is alleged to have actually participated in the wiretapping.” (Demurrer, p. 18:21-23.) However, City of Whittier, involved “a question of first impression: whether Insurance Code section 533 (section 533), [] bars indemnification for claims under Labor Code section 1102.5.” (City of Whittier, supra, 97 Cal.App.5th at p. 902.) It is not a wiretapping case and did not address the adequacy of any wiretapping allegations at the pleading stage. “A case is not authority for points not decided.” (Paterno v. State of California (1999) 74 Cal.App.4th 68, 88.) The Court is not persuaded that more is required at the pleading stage.

Accordingly, Defendants demurrer on this basis is OVERRULED.

3. Confidentiality of Medical Information Act (Second Cause of Action)

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Defendant further argues that Plaintiff’s Second Cause of Action fails to state a claim under the CMIA because Plaintiff has not plead facts sufficient to show that (1) her medical information was actually transmitted to Meta or any other third party; (2) any third party actually viewed any medical information; (3) the Individual Defendants are health providers, insurers, or contractors; (4) the Individual Defendants actually took part in any alleged wiretapping; and (5) the Individual Defendants are not immune under Government Code section 820.2 for making basic policy decisions. (Notice; Demurrer, pp. 20:14-22:28.)

Medical Information

CMIA prohibits the unauthorized disclosure of medical information and the negligent maintenance or preservation of medical information. (Civ. Code §§ 56.10(a), 56.101(a).) CMIA defines “Medical Information” as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan ... regarding a patient's medical history, mental health application information, mental or physical condition, or treatment.” (Civ.

Code § 56.05(i).) “‘Individually identifiable’ means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.” (Id.) “It is clear from the plain meaning of the statute that medical information cannot mean just any patient-related information held by a health care provider but must be ‘individually identifiable information’ and also include ‘a patient's medical history, mental or physical condition, or treatment.’” (Eisenhower Medical Center v.

Superior Court (2014) 226 Cal.App.4th 430, 435.)

For the reasons stated above, the Court is not persuaded by Defendants’ assertion that “public website browsing activity does not constitute medical information as a matter of law.” (Demurrer, p. 20:25-27.) Moreover, to the extent that Defendants argue that only medical records or patient-doctor communications constitute “medical information,” Defendants read the statutory language too narrowly.

In ruling on the Regents prior demurrer, the Court took issue with Plaintiff’s general and conclusory allegations and hypotheticals. (1-19-24 Minute Order.) While Plaintiff offers the same hypotheticals regarding cervical cancer and searching for a doctor (compare FAC, ¶¶ 31, 34 and CSAC, ¶¶ 43, 96), Plaintiff now provides specific facts regarding her use of the publicly available and secure webpages associated with UC Davis Health. (CSAC, ¶¶ 90-92.)

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

The Cousin decisions provide a useful example. In July 2023, the district court concluded that the plaintiffs’ allegations of disclosure of personal, confidential, health information were conclusory and lacked factual support since the plaintiffs did not allege, among other things, what information was provided to defendant and only provided an example of a search by a hypothetical patient. (Cousin v. Sharp Healthcare, No. 22-CV-2040-MMA (DDL) (S.D. Cal. July 12, 2023) 2023 WL 4484441, at *3, 9.)

Following the district court’s decision, the plaintiffs were granted leave to file an amended complaint. Plaintiffs did so, seeking leave to file portions of their First Amended Complaint under seal. The district court granted the plaintiffs’ motion because the amended complaint contained “new allegations detailing the confidential and sensitive health information of Plaintiffs.” (Cousin v. Sharp Healthcare, No. 22-CV-2040-MMA (DDL) (S.D. Cal. Aug. 14, 2023) 2023 WL 6370771, at *1.) It was that amended complaint, containing additional allegations specifically describing how the plaintiffs used the website, what information was conveyed, even setting forth their specific medical conditions and the searches they conducted for doctors and treatments for those conditions, that the district court considered in its November 2023 decision. (Cousin II, supra, 702 F.Supp.3d at p. 975.)

Based on these new allegations, the district court concluded that plaintiffs plausibly pleaded their protected medical information was disclosed and denied defendant’s motion to dismiss.

For the reasons stated above with regard to CIPA, the Court is persuaded that Plaintiff has alleged interactions with the website that plausibly convey information about present medical conditions and the provision of medical care. (See Cousin II, supra, 702 F.Supp.3d at pp. 973, 975.) These allegations are sufficient to survive demurrer.

Accordingly, Defendants’ demurrer on this ground is OVERRULED.

Actual Viewing

The CMIA protects the confidentiality of patients’ medical information. (Loder v. City of Glendale (1997) 14 Cal.4th 846, 859.) California decisions construing the CMIA make it clear that to qualify as a breach of the provisions of this statute, the medical information must have actually been read by an unauthorized person. (Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 1557 (“Sutter Health”); see also Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549, 570 [holding demurrer to CMIA cause of action should have been sustained, where thief stole encrypted hard drive with patient information, and the plaintiff could not “allege her medical records were, in fact, viewed by an unauthorized individual.”].)

As the Court stated in Sutter Health, “without an actual confidentiality breach, a health care provider has not violated section 56.101 and therefore does not invoke the remedy provided in section 56.36 ... [¶] [S]ection 56.36 provides remedies when a health care provider has ‘negligently released confidential information or records concerning [the plaintiff] in

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

violation of this part ....’ [Citation] For the reasons given, there is no ‘negligent[] release[] ... in violation of [the Confidentiality Act],’ if there is no actual breach of confidentiality. Because Sutter Health has not negligently released information or records in violation of the Confidentiality Act, there is no remedy.” (Id. at pp. 1555, 1558 [emphasis added].)

This interpretation of the CMIA determination is also supported by the recent decision in Vigil v. Muir Medical Group IPA, Inc. (2022) 84 Cal.App.5th 197. In Vigil, a patient filed a class action lawsuit against an independent medical association, a medical group of doctors whose former employee stole a spreadsheet listing approximately 5,400 patients with certain personal and medical information. (Id. at pp. 205-206.) The Court of Appeal affirmed an order which denied class certification in part because an individualized determination would have to be made for each class member as to whether their specific personal and medical information had actually been viewed in order for that class member to have a claim for breach of confidentiality under CMIA. (Id. at p. 213 ['Based on the statute's plain language, we agree with Sutter Health that a breach of confidentiality under the CMIA requires a showing that an unauthorized party viewed the confidential information.'].)

Regents, Sutter Health, and Vigil addressed Civil Code sections 56.101 and 56.36(b) addressing the negligent release of confidential patient information and the remedies provided for that violation, rather than Civil Code §§ 56.10(a) and 56.36(c)(1), which address violation and remedies based on negligent disclosure of confidential patient information. And Plaintiff correctly notes that this case only involves a section 56.10(a) claim, not a section 56.101 claim. Nevertheless, based on the reasoning of the decisions in those cases, the Court is not persuaded that a breach of confidentiality would not also be required to state a cause of action for a violation based on a negligent disclosure.

As the cases explain, the injury the CMIA is intended to address is the breach of confidentiality which, based on the meaning of the term confidentiality, only occurs if someone has actually viewed the medical information. (Vigil, 84 Cal.App.5th at p. 213 [“Thus, under the ordinary meaning of 'confidential,' the confidential nature of information is not breached unless the information is reviewed by unauthorized parties. This construction is consistent with the purpose of the CMIA to protect patients' privacy.”]; Sutter Health, supra, 227 Cal.App.4th at p. 1557 [“No breach of confidentiality takes place until an unauthorized person views the medical information.

It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act. While there is certainly a connection between the information and its physical form, possession of the physical form without actually viewing the information does not offend the basic public policy advanced by the Confidentiality Act.”].)

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

In ruling on the Regents’ prior demurrer, the Court concluded that Plaintiff’s single allegation (“[a]fter collecting and intercepting the information described in the preceding paragraph, Facebook processed it, analyzed it, and assimilated it into datasets like Core Audiences and Custom Audiences” (FAC, ¶ 32)) was speculative and non-specific. (1-19-24 Minute Order.) Critically, Plaintiff drew conclusions from that allegation that simply were not alleged. In contrast, now Plaintiff alleges that each of the third parties identified in the Corrected SAC viewed and used the health information collected and/or intercepted by the tracking technologies. (CSAC, ¶¶ 44, 51, 54, 72, 81, 89.) Plaintiff also describes how the named third parties use the information they collect for their own business purposes. (Ibid., see also ¶¶ 45, 49-50, 52-53, 55- 56, 59, 63-64, 68-70, 73, 75-77, 79, 82-86.)

These kinds of allegations have been found sufficient to survive a pleading challenge and the Court sees no reason reach a different conclusion here. (See Cousin II, supra, 702 F. Supp. 3d at p. 975 [allegations upon information and belief that “Meta regularly viewed” the information and regarding Meta's business model and how it uses the information for targeted advertising found sufficient]; Doe v. Regents of University of California (N.D. Cal. May 8, 2023) 672 F.Supp.3d 813, 819 [“UC Regents responds that even if plaintiff has alleged that the information was transferred to Meta, she has not sufficiently alleged that it was viewed by an authorized party.

This challenge fails because plaintiff has alleged that Meta acted upon the information transmitted to it by tailoring advertisements to her based on her medical condition. This is sufficient to raise a plausible claim that her medical information was inappropriately accessed. To require more would place the burden on her to describe UC Regents’ technical systems without the benefit of discovery.”]; St. Aubin v. Carbon Health Technologies, Inc. (N.D. Cal. Oct. 1, 2024) 2024 WL 4369675, at *11 [“Plaintiff alleges that the business models for Facebook and Google use the information gathered from the Carbon Website for targeted advertising (including for Carbon Health). [] She further alleges that after collecting and intercepting the information, Facebook process it, analyzes it, and assimilates it into relevant datasets. [] Similarly, Google uses the data to personalize content ads on Google and partners' sites. [] Finally, she alleges that after scheduling an appointment for her COVID-19 vaccine, Plaintiff received advertisements relating to COVID-19 vaccination. [] These allegations are sufficient.”].)

Accordingly, Defendants’ demurrer on this basis is OVERRULED.

Individual Defendants

Next, Defendants argue that the CMIA claim against the Individual Defendants must be dismissed because (1) the CMIA only applies to a “provider of health care, health service plan, or contractor” and the Individual Defendants do not fall into any of these categories; (2) there are

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

no facts alleging any wrongdoing against them; and (3) they are immune under Government Code section 820.2. (Demurrer, p. 22:22-28.)

These conclusory arguments are not well developed and not proper on demurrer insofar as they fail to resolve Plaintiff’s entire CMIA claim. Moreover, as the Court has explained above, Defendants’ second and third arguments are not persuasive. Defendants offer no argument or analysis specific to Plaintiff’s CMIA claim and the Court sees no reason to reach a different conclusion.

“When [a party] fails to raise a point, or asserts it but fails to support it with reasoned argument and citations to authority, we treat it as waived.” (Badie v. Bank of America (1998) 67 Cal.App.4th 779, 784-785.) Here, Defendants fail to present any reasoned argument, supported by citations to authority, that the CMIA does not apply to the Individual Defendants because they work for UC Davis Health in marketing or communications roles. Defendants fail to even address the statutory definitions for a provider of health care, health service plan, or contractor, let alone whether the employees of a covered entity must separately satisfy those definitions.

Accordingly, the Court considers this argument waived and declines to address it. Defendants’ demurrer on these grounds is OVERRULED.

4. Invasion of Privacy (Third Cause of Action)

Finally, Defendants argue that Plaintiff’s Third Cause of Action fails to state a claim for invasion of privacy because (1) there can be no invasion of privacy where the alleged intrusion is by a third party, not defendant; (2) Plaintiff has no reasonable expectation of privacy on the public website, and otherwise fails to plead facts showing that her medical records or communications were disclosed through the patient portal; (3) Plaintiff has failed to plead facts showing a serious invasion of privacy; (4) regarding the Individual Defendants, Plaintiff has not alleged facts showing that any of the Individual Defendants actually took part in any alleged wiretapping; and (5) regarding the Individual Defendants because, at minimum, the Complaint makes clear that any alleged conduct by the Individual Defendants would constitute basic policy decisions, rendering them immune from liability. (Notice; Demurrer, pp. 23:1-24:25.)

To state a claim for invasion of privacy under the California Constitution, Plaintiff must plead “that: (1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion [is] ‘so serious ... as to constitute an egregious breach of the social norms’ such that the breach is ‘highly offensive.’” (In re Facebook, Inc. Internet Tracking Litig., supra, 956 F. 3d at p. 601) (quoting Hernandez v. Hillsides, Inc. (2009) 47 Cal.4th 272, 287.)

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Third-Party Intrusion

Defendants argue that there can be no intrusion upon seclusion claim against Defendants because Plaintiff voluntarily shared her information with UC Davis Health. (Demurrer, p. 22:9-27.) In opposition, Plaintiff argues that in disclosing her information to UC Davis Health, Plaintiff did not consent to the disclosure of her private information to third parties and that any question regarding the scope of her consent constitutes a jury question. (Opp., pp. 19:9-20:4.)

In support, Defendants cite to Nienaber v. Overlake Hosp. Med. Ctr. (No. 2:23-CV-01159-TL, W.D. Wash. May 13, 2024) 2024 WL 2133709, at p. *9 and Kurowski v. Rush System for Health (N.D. Ill., March 3, 2023) 659 F. Supp. 3d 931, 944. In Nienaber, the court considered an “intrusion upon seclusion” claim under Washington state common law. Similarly, Kurowski considered the question as a matter of Illinois state law. In those cases, the courts concluded that “[b]ecause Plaintiff voluntarily shared her information with Defendant, there was no intrusion upon Plaintiff's solitude, seclusion, or private affairs by Defendant.” (Nienaber, supra, at p. *9 [emphasis original; relying on the same conclusion reached in Kurowski].)

Ultimately, Defendants offer no California authority in support of this argument. Nor do Defendants explain how these common law cases apply to Plaintiff’s constitutional claim. Absent any such authority, the Court declines to conclude that Plaintiff’s invasion of privacy claim fails as a matter of law. Here, Plaintiff alleges that Defendants implemented a system of tracking technologies that surreptitiously allowed third parties to track, record, and intercept Plaintiff’s and other patients’ confidential communications, personally identifiable information, and PHI, and use that information for marketing and other purposes. (CSAC, ¶¶ 18, 35-112.)

Plaintiff further alleges that she “never consented, agreed, authorized, or otherwise permitted Defendants to disclose her PII and PHI” and “was never provided with any written notice that Defendants disclosed the PHI of users of the Website or App, nor was she provided any means of opting out of such disclosures.” (Id., ¶ 114.) The Court concludes these facts are sufficient to state a claim.

Accordingly, Defendants’ demurrer on this ground is OVERRULED.

Serious Invasion of Privacy

Whether an invasion of privacy is “highly offensive” requires the consideration of all-inclusive factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive. (Cousin, supra, 2023 WL 4484441, at p. *8 (citing In re

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Facebook, Inc. Internet Tracking Litig., supra, 956 F.3d at p. 606.) The focus must also be on the degree to which the invasion is unacceptable as a matter of public policy. (In re Facebook, Inc. Internet Tracking Litig., supra, 956 F.3d at p. 606.)

Additionally, some courts have concluded that the “ultimate question of whether Facebook's tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.” (In re Facebook, Inc. Internet Tracking Litig., supra, 956 F.3d at p. 606; see also, In re Meta Pixel Healthcare Litig., supra, 647 F.Supp.3d at p. 799 [courts are generally hesitant to decide claims of this nature at the pleading stage]; In re Facebook, Inc. (N.D. Cal. 2019) 402 F. Supp. 3d 767, 797 [“Under California law, courts must be reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy intrusion is.”]; Cousin, supra, 2023 WL 4484441, at *8-9 [same].)

Again, Defendants’ attempt to redefine “medical information” as medical records or doctorpatient communications is too narrow. Plaintiff’s allegations allege more than mere routine commercial behavior. Plaintiff specifically describes how she used the publicly available website and the patient portal and what information was conveyed. (CSAC, ¶¶ 90-93, 96-98.) She alleges that the tracking technologies were “used via code installed, integrated and embedded into the Website and App by and at the direction of the Individual and Doe Defendants, Defendants disclosed patients’ identities and online activity, including information and search results related to their private medical treatment.” (Id., ¶ 94.) Finally, Plaintiff alleges how her PII was also disclosed through the alleged surreptitious communications. (Id., ¶¶ 99-112.)

As described in detail above, the Court is persuaded that Plaintiff has sufficiently alleged a highly offensive disclosure. (See, e.g., Doe v. Regents of the Univ. of Cal., 2023 WL 3316766 at pp. *4, 14 [finding that Plaintiff sufficiently alleged a common law privacy claim when she alleged that the pixel tool was incorporated onto the website and secure portal, what specific information she entered into the portal, and how that information was transmitted to Facebook.]; In re Meta Pixel Healthcare Litig., supra, 647 F.Supp.3d at p. [finding that plaintiff sufficiently alleged an invasion of privacy claim when he alleged that the Pixel tool was installed on the secure patient portal, which transmitted the patient’s identity, status as a patient, the contents of the page from which the patient clicked to log in to the patient portal, and the contents of the page the patient would land on as a result.

Plaintiff also alleged that the Pixel continued to transmit information about the pages the patient browsed after logging in.].)

Accordingly, Defendants’ demurrer on this basis is OVERRULED.

Individual Defendants

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Defendants conclusively argue that “[s]eparately, the CMIA should be dismissed against the Individual Defendants for the same reasons discussed above in regard to the CIPA and CMIA claims. See infra at § IV(B)(d)-(e).” (Demurrer, p. 24:24-25.) The Court presumes Defendants intended to argue that Plaintiff’s invasion of privacy, not CMIA, claim should be dismissed. For the same reasons the Court rejected those arguments above, the Court rejects them here.

Accordingly, Defendants’ demurrer on this basis is OVERRULED.

Motion to Strike

Defendants moves to strike the following portions of Plaintiff’s FAC: 1. Paragraph 29, “and statutory damages of $5,000 per violation.” 2. Paragraph 148, “the greater of, $5,000 dollars per violation or three times the amount of actual damages.” 3. Paragraph 160, “punitive damages not to exceed $3,000 dollars” and “Alternatively, a patient may recover nominal damages of $1,000 for any negligent release of medical information.” 4. Prayer for Relief, line e, “including statutory damages where available,” 5. Prayer for Relief, line f, “For punitive damages, as warranted, in an amount to be determined at trial;” and 6. Each of the Individual Defendants.

(Notice, p. 2:17-26.) Defendants argue that Plaintiff seeks damages not recoverable as a matter of law because (1) the Regents is a public entity and therefore Plaintiff’s express request for punitive damages against the Regents in her CMIA claim and Prayer for Relief are not permitted under Government Code section 818; (2) the statutory damages Plaintiff seeks under CIPA and CMIA are “effectively punitive damages under Gov. Code § 818 because they only serve to punish the Regents, not compensate Plaintiff”; (3) Plaintiff has improperly named the Individual Defendants “in an effort to circumvent the unavailability of direct liability against the Regents as a public entity under CIPA” and relying on the same arguments above regarding vicarious liability, the sufficiency of the allegations against the Individual Defendants, and immunity; and (4) Plaintiff has improperly requested punitive damages against the Individual Defendants without a showing of malice, oppression, or fraud. (Notice, p. 3:1-23; MTS, pp. 9:17-10:14.)

Damages

With respect to Plaintiff’s express requests for punitive damages, Defendants argue that Government Code section 818 bars punitive damages against public entities. (Mot. to Strike, pp. 12:12-13:24.) Regarding Plaintiff’s requests for statutory damages pursuant to CIPA and the

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

CMIA, Defendants argue that these damages do not serve to compensate Plaintiff, but to punish the Regents and are therefore effectively punitive and should be similarly stricken. (Id., pp. 13:27-17:23.) These arguments are framed only as to damages sought against the Regents.

In reply, Defendants argue that “Plaintiff provides no legal authority holding that a public entity may be held vicariously liable for punitive damages under Gov. Code § 818, and Defendants are aware of none. Accordingly, the Court should strike any request for punitive damages against the Regents under any theory of liability: direct, vicarious, or otherwise.” (Reply MTS, pp. 3:23- 4:2.) However, as the moving party, Defendants bear the burden of demonstrating that there is no legal basis to support a claim for punitive damages.

While Defendants appear to be correct that Plaintiff’s express requests for punitive damages are not appropriate against the Regents as a public entity, such a conclusion would not necessarily preclude Plaintiff from seeking punitive damages against the Individual Defendants or Doe Defendants or warrant striking the request. Looking to Defendants’ Notice, none of the challenged language is specific to the Regents.

Moreover, even if Defendants are correct that Plaintiff cannot recover statutory damages from the Regents under a vicarious liability theory as opposed to a direct liability theory, there is nothing here for the Court to strike. As Plaintiff rightly notes, Defendants do not seek to strike language regarding Plaintiff’s vicarious liability theory. And in any event, the Court does not find persuasive Defendants’ assertion on demurrer that Plaintiff cannot pursue a vicarious liability theory where her direct liability theory failed.

It may well be that Plaintiff cannot recovery punitive (including statutory penalties that are punitive, as opposed to compensatory, in nature) against the Regents under any theory of liability, but Defendants have failed to articulate a basis upon which the Court may strike the challenged allegations.

Individual Defendants

Defendants argue that the Court should strike the Individual Defendants named in the Corrected SAC for the following reasons: (1) the Regents cannot be held vicariously liable and “Plaintiff should not be allowed to circumvent the clear legislative intent of the CIPA” by naming the Regents’ employees; (2) Plaintiff fails to allege how the Individual Defendants “personally intercepted or transmitted any substantive patient communications, or disclosed any medical information”; and (3) the Individual Defendants are subject to discretionary immunity. (MTS, pp. 18:1-19:1.) These arguments generally track Defendants’ argument on demurrer. For the same reasons stated above, the Court does not find them persuasive. Moreover, even if

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Defendants were correct that Plaintiff cannot pursue a vicarious liability theory for her CIPA claim, it does not follow that Plaintiff could not pursue her claim directly against the Individual Defendants.

Finally, Defendants argue that the Court should strike the punitive damages asserted against the Individual Defendants because “Plaintiff does not plead any facts showing that the Individual Defendants acted with malice, oppression, or fraud” citing Civil Code section 3294. (MTS, pp. 20:8-21:12.) Plaintiff opposes, arguing that she has sufficiently alleged facts from which malice can be inferred because she “alleges facts showing that the Individual Defendants acted with a conscious disregard for Plaintiff’s privacy rights.” (MTS Opp., pp. 13:8-15:9.)

Punitive damages may be recovered under Cal Civ. Code § 3294 “where it is proven by clear and convincing evidence that the defendant has been guilty of oppression, fraud, or malice.” (Cal. Civ. Code, § 3294(a).) The statute defines malice as “conduct which is intended by the defendant to cause injury to the plaintiff or despicable conduct which is carried on by the defendant with a willful and conscious disregard of the rights or safety of others.” (Id., § 3294(c)(1).) Oppression “means despicable conduct that subjects a person to cruel and unjust hardship in conscious disregard of that person's rights.” (Id., § 3294(c)(2).)

Finally, fraud “means an intentional misrepresentation, deceit, or concealment of a material fact known to the defendant with the intention on the part of the defendant of thereby depriving a person of property or legal rights or otherwise causing injury.” (Id., § 3294(c)(3).) However, neither Plaintiff nor Defendants acknowledge that Plaintiff seeks punitive damages pursuant to California Civil Code section 56.35, not section 3294. Section 56.35 does not refer to section 3294 and it is not clear that those general requirements are required to recover punitive damages for a CMIA claim. (Wilcox, California Employment Law (Matthew Bender 2024) Ch. 3, § 51.13.)

Here, Plaintiff identifies the Individual Defendants, describes their roles and responsibilities, alleges that they acted “under color of law and within the scope of [their] employment and/or agency in connection with the installation, integration, embedding and use of tracking technologies on the Website and App.” (CSAC, ¶¶ 4-14.) Plaintiff further alleges as follows:  “On information and belief, the Plaintiff’s communications with UC Davis Health were disclosed by Defendants to the Third Parties and/or intercepted in transit by the Third Parties via full-string detailed URLs, which contain such information as the name of the website, the pages being viewed, and the search terms entered into the website.

Along with disclosing Plaintiff’s protected health communications, Defendants also disclosed Plaintiff’s PII, such as Plaintiff’s Facebook ID, allowing Third Parties, like Facebook, to make the connection between her health information and her identity.” (Id., ¶ 93.)  “Through the Third Parties’ tracking services, which UC Davis Health used via code installed, integrated and embedded into the Website and App by and at the direction of

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

the Individual and Doe Defendants, Defendants disclosed patients’ identities and online activity, including information and search results related to their private medical treatment.” (Id., ¶ 94.)  “By installing, integrating and embedding the Facebook Pixel, Google Analytics, X Pixel, Floodlight, Insight Tag (collectively the “Trackers”), and other third-party trackers into the Website and App, and by directing such installation, integration and embedding, the Individual and Doe Defendants aided and conspired with the Third Parties and others to allow those third-party entities to contemporaneously and surreptitiously intercept the Website and App communications of UC Davis Health patients without patients’ consent.” (Id., at ¶ 95.)

Plaintiff also alleges that the federal government has warned about the use of tracking technologies on healthcare websites, including a letter sent to UC Davis Health through its Chief Counsel. (CSAC, ¶¶ 116-125.)

Reviewing the allegations in context, the Court is persuaded that Plaintiffs have sufficiently alleged a cause of action for violation of the CMIA (specifically, Civil Code section 56.10) and thus can seek remedies, including punitive damages, pursuant to section 56.35. While it is not clear that the requirements of section 3294 apply to Plaintiff’s claim here, the Court is also persuaded that these allegations are sufficient to demonstrate a “conscious disregard” of Plaintiff’s rights for pleading purposes.

Accordingly, Defendants’ motion to strike is DENIED.

Disposition

For the reasons stated above, Defendants’ demurrer to Plaintiff’s Corrected SAC is OVERRULED in its entirety and Defendants’ motion to strike is DENIED in its entirety.

This minute order is effective immediately. No formal order pursuant to CRC Rule 3.1312 or other notice is required.

To request oral argument on this matter, you must call Department 22 at (916) 874-5762 by 4:00 p.m., the court day before this hearing and notification of oral argument must be made to the opposing party/counsel. If no call is made, the tentative ruling becomes the order of the court. (Local Rule 1.06.)

SUPERIOR COURT OF CALIFORNIA COUNTY OF SACRAMENTO

34-2023-00336792-CU-BT-GDS: Dionne Maxwell vs. The Regents of the University of California 12/06/2024 Hearing on Demurrer & Motion to Strike in Department 22

Parties requesting services of a court reporter may arrange for private court reporter services at their own expense, pursuant to Government code §68086 and California Rules of Court, Rule 2.956. Requirements for requesting a court reporter are listed in the Policy for Official Reporter Pro Tempore available on the Sacramento Superior Court website at https://www.saccourt.ca.gov/court-reporters/docs/crtrp-6a.pdf. The list of Court Approved Official Reporters Pro Tempore is available at https://www.saccourt.ca.gov/courtreporters/docs/crtrp-13.Pdf.

If you are not using a reporter from the Court’s Approved Official Reporter Pro Tempore list, a Stipulation and Appointment of Official Reporter Pro Tempore (CV/E-206) must be signed by each party, the private court reporter, and the Judge. The signed form must be filed with the clerk prior to the hearing.

If a litigant has been granted a fee waiver and requests a court reporter, the party must submit a Request for Court Reporter by a Party with a Fee Waiver (CV/E-211). The form must be filed with the clerk at least 10 days prior to the hearing or at the time the hearing is scheduled if less than 10 days away. Once approved, the clerk will forward the form to the Court Reporter’s Office and an official reporter will be provided.

If oral argument is requested, the Parties are encouraged to appear via Zoom with the links below:

To join by Zoom link - https://saccourt-ca-gov.zoomgov.com/my/sscdept22 To join by phone dial (833) 568-8864 ID 16184738886

Counsel for Plaintiff is directed to notice all parties of this order.

Please note that the Complex Civil Case Department now provides information to assist you in managing your complex case on the Court website at https://www.saccourt.ca.gov/civil/complex-civil-cases.aspx. The Court strongly encourages parties to review this website regularly to stay abreast of the most recent complex civil case procedures. Please refer to the website before directly contacting the Court Clerk for information.