Case 6:21-cv-02158-RBD-DCI Document 1 Filed 12/27/21 Page 1 of 30 PageID 1
`
`UNITED STATES DISTRICT COURT
`MIDDLE DISTRICT OF FLORIDA
`ORLANDO DIVISION
`
`
`
`
`BONNIE GILBERT, on behalf of herself
`and all others similarly situated,
`
`Plaintiff,
`
`
`
`Case No.
`
`
`
`v.
`
`CLASS ACTION COMPLAINT
`
`BIOPLUS SPECIALTY PHARMACY
`SERVICES, LLC,
`
`
`Defendant.
`
`JURY TRIAL DEMANDED
`
`
`
`
`
`Plaintiff Bonnie Gilbert (“Plaintiff”), by and through her attorneys, upon personal
`
`knowledge as to herself and her own acts and experiences, and upon information and belief as to
`
`all other matters, alleges as follows:
`
`NATURE OF THE ACTION
`
`1.
`
`Defendant BioPlus Specialty Pharmacy Services, LLC (“BioPlus” or “Defendant”)
`
`is a national specialty pharmacy that provides a complete range of specialty pharmacy services for
`
`patients with cancer, infusion, multiple sclerosis, hepatitis C, and other complex chronic
`
`conditions.
`
`2.
`
`This action arises out of a recent data breach (the “Data Breach”) involving
`
`information on Defendant’s network, including the personally identifiable information (“PII”) of
`
`its patients, such as names, dates of birth, addresses, and Social Security numbers, as well as
`
`protected health information (“PHI”), such as medical record numbers, current/former health plan
`
`member ID numbers, claims information, prescription medication information, and diagnoses
`
`
`(PHI and PII are referred to collectively as “Sensitive Information”).
`
`3.
`
`In total, the Data Breach compromised the Sensitive Information of approximately
`
`350,000 current and former BioPlus patients (“Class Members”).
`
`4.
`
`BioPlus is responsible for allowing this Data Breach through its failure to
`
`implement and maintain reasonable data security safeguards, failure to exercise reasonable care in
`
`the hiring and supervision of its employees and agents, and failure to comply with industry-
`
`standard data security practices as well as federal and state laws and regulations governing data
`
`security and privacy, including security of PII and PHI.
`
`5.
`
`Despite its role in managing so much sensitive and personal PII and PHI, Defendant
`
`failed to recognize and detect unauthorized third parties accessing its network, and failed to
`
`recognize the substantial amounts of data that had been compromised. Had Defendant properly
`
`maintained and monitored its information technology infrastructure, it would have discovered the
`
`invasion sooner – and/or prevented it altogether.
`
`6.
`
`Defendant had numerous statutory, regulatory, and common law duties to Plaintiff
`
`and the Class Members to keep their PII, including PHI, confidential, safe, secure, and protected
`
`from unauthorized disclosure or access, including duties under the Health Insurance Portability
`
`and Accountability Act of 1996 (“HIPAA”). Plaintiff and Class Members rely upon Defendant to
`
`maintain the security and privacy of the Sensitive Information entrusted to it; when providing their
`
`Sensitive Information, they reasonably expected and understood that Defendant would ensure that
`
`it would comply with the obligation to keep Plaintiff’s Sensitive Information secure and safe from
`
`unauthorized access.
`
`7.
`
`In this era of frequent data security attacks and data breaches, particularly in the
`
`healthcare industry, Defendant’s failures leading to the Data Breach are particularly egregious.
`
`
`8.
`
`By obtaining, collecting, using, and deriving benefit from Plaintiff’s and Class
`
`Members’ Sensitive Information, Defendant assumed legal and equitable duties and knew or
`
`should have known that it was responsible for protecting Plaintiff’s and Class Members’ Sensitive
`
`Information from disclosure.
`
`9.
`
`Plaintiff and Class Members have taken reasonable steps to maintain the
`
`confidentiality of their PII and PHI.
`
`10.
`
`Plaintiff and Class Members relied on Defendant to keep their PII and PHI
`
`confidential and securely maintained, to use this information for business purposes only, and to
`
`make only authorized disclosures of this information.
`
`11.
`
`As a result of Defendant’s failures to protect the PII and PHI of Plaintiff and Class
`
`Members, their PII and PHI were accessed and downloaded by malicious cyber criminals, who
`
`targeted that information through their wrongdoing. As a direct and proximate result, Plaintiff and
`
`the Class Members are now at a significant present and future risk of identity theft, financial fraud,
`
`and/or other identity-theft or fraud, imminently and for years to come.
`
`12.
`
`Plaintiff and Class Members have now lost the economic value of their PII and PHI.
`
`Indeed, there is both a healthy black market and a legitimate market for that PII and PHI. Just as
`
`Plaintiff’s and Class Members’ PII and PHI were stolen, inter alia, because of its inherent value
`
`in the black market, the inherent value of Plaintiff and the Class Members’ PII and PHI in the
`
`legitimate market is now significantly and materially decreased.
`
`13.
`
`Plaintiff and Class Members have suffered numerous actual and imminent injuries
`
`as a direct result of the Data Breach, including: (a) theft of their PII and PHI; (b) costs associated
`
`with the detection and prevention of identity theft; (c) costs associated with time spent and the loss
`
`of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the
`
`
`consequences of the Data Breach; (d) invasion of privacy; (e) the emotional distress, stress,
`
`nuisance, and annoyance of responding to, and resulting from, the Data Breach; (f) the actual
`
`and/or imminent injury arising from actual and/or potential fraud and identity theft posed by their
`
`personal data being placed in the hands of the ill-intentioned hackers and/or criminals; (g) damages
`
`to and diminution in value of their personal data entrusted to Defendant with the mutual
`
`understanding that Defendant would safeguard Plaintiff’s and Class Members’ PII and PHI against
`
`theft and not allow access and misuse of their personal data by others; and (h) the continued risk
`
`to their PII and PHI, which remains in the possession of Defendant, and which is subject to further
`
`breaches, so long as Defendant fails to undertake appropriate and adequate measures to protect
`
`Plaintiff’s and Class Members’ PII and PHI.
`
`14.
`
`Plaintiff seeks to remedy these harms, and to prevent their future occurrence, on
`
`behalf of herself and all similarly situated persons whose PII and PHI were compromised as a
`
`result of the Data Breach.
`
`15.
`
`Accordingly, Plaintiff, on behalf of herself and other Class Members, asserts claims
`
`for negligence, negligence per se, and declaratory judgment. Plaintiff seeks injunctive relief,
`
`declaratory relief, monetary damages, and all other relief as authorized in equity or by law.
`
`THE PARTIES
`
`Plaintiff Bonnie Gilbert
`
`16.
`
`Plaintiff Bonnie Gilbert is a natural person and a resident of Georgia.
`
`17.
`
`Plaintiff received a letter dated December 10, 2021 from Defendant concerning the
`
`Data Breach. The letter stated that her name, address, date of birth, Social Security number,
`
`medical record number, current/former health plan member ID number, claims information,
`
`diagnosis, and/or prescription information were exposed in the Data Breach.
`
`
`18.
`
`Recognizing the substantial risk Plaintiff faces, Defendant provided Plaintiff a one-
`
`year subscription to a credit monitoring service. However, Plaintiff was forced to spend time
`
`signing up for this service. Moreover, Plaintiff will be forced to incur costs to maintain this service
`
`after her subscription expires in one year.
`
`19.
`
`Plaintiff was forced to spend significant time speaking with her local pharmacy to
`
`place a fraud alert so that moving forward, no one can pick up Plaintiff’s prescriptions on her
`
`behalf unless Plaintiff calls ahead and gives preauthorization. Plaintiff will be forced to spend
`
`significant time in the future providing preauthorization for others to pick up her medication.
`
`20.
`
`Since learning of the Data Breach, Plaintiff has spent time every day reviewing her
`
`bank statements and credit cards. Plaintiff has also spent significant time speaking with her bank
`
`regarding her concerns about the Data Breach, in part because she spent approximately $90
`
`ordering new checks before learning of the Data Breach, and if she changes her checking account
`
`information, she will lose the $90 that she just spent to obtain the new checks.
`
`21.
`
`The Data Breach has caused Plaintiff to suffer significant fear, anxiety, and stress.
`
`Plaintiff has lost a lot of sleep thinking about all the ways the Sensitive Information that was
`
`exposed can be used to commit fraud and identity theft.
`
`22.
`
`Plaintiff plans on taking additional time-consuming, yet necessary, steps to help
`
`mitigate the harm caused by the Data Breach, such as implementing credit freezes.
`
`Defendant BioPlus
`
`23.
`
`Defendant BioPlus is a limited liability company organized in the State of Florida.
`
`It is headquartered in Altamonte Springs, Florida.
`
`24.
`
`BioPlus advertises itself as its patients’ “24/7 partner in health.” It helps provide
`
`medications and individual therapeutic care plans to help patients manage conditions like hepatitis,
`
`
`Crohn’s disease, multiple sclerosis, rheumatoid arthritis, psoriasis, psoriatic arthritis, and cancer.
`
`This includes online services, which provide patients “expert advice on how to best manage [their]
`
`health and keep [them] feeling better.”1
`
`JURISDICTION & VENUE
`
`25.
`
`This Court has original jurisdiction under the Class Action Fairness Act, 28 U.S.C.
`
`§1332(d)(2), because this is a putative class action involving more than 100 Class Members and
`
`because the amount in controversy exceeds $5,000,000, exclusive of interest and costs. Moreover,
`
`Plaintiff Gilbert as a resident of Georgia and Defendant are citizens of different states. According
`
`to one of its recent business filings with the Florida Secretary of State, BioPlus’s principal place of
`
`business is in this District and it has manager members who are residents of the State of Florida
`
`and an authorized member named BioPlus Parent, LLC that is a resident of Rhode Island with
`
`an address of 50 Kennedy Plaza, 12th Floor, Providence, RI 02903.2 Furthermore, members of the
`
`class are located in various other states, such as California and Montana, according to the data
`
`breach notifications BioPlus issued to those states’ Attorney Generals.3 Accordingly, minimal
`
`diversity under CAFA exists given that the members of BioPlus as an LLC are minimally diverse
`
`from members of the Class.
`
`26.
`
`This Court has general personal jurisdiction over Defendant because Defendant is
`
`organized in Florida and has its principal place of business in Altamonte Springs, Florida.
`
`27.
`
`Venue is proper in this District under 28 U.S.C. §§1391(a)(2), 1391(b)(2), and
`
`
`1 https://bioplusrx.com/patients/personalized-support/ (last visited December 23, 2021).
`2 https://search.sunbiz.org/Inquiry/CorporationSearch/GetDocument?aggregateId=flal-l20000120596-5c9eb297-ea42-4079-afba-d91a65cb2e1b&transactionId=l20000120596-d098315b-c625-4630-b486-b6ff162c41b0&formatType=PDF (last visited on December 27, 2021).
`3 https://oag.ca.gov/ecrime/databreach/reports/sb24-548450 (reporting to the California Attorney General
`is required for data breaches affecting 500 or more California residents) (last visited on December 27, 2021);
`https://dojmt.gov/consumer/databreach/ (noting that at least 534 Montana residents were impacted by the
`BioPlus data breach) (last visited on December 27, 2021).
`
`
`1391(c)(2) as a substantial part of the events giving rise to the claims emanated from activities
`
`within this District, and Defendant conducts substantial business in this District.
`
`FACTUAL ALLEGATIONS
`
`The Data Breach
`
`28.
`
`On or about November 11, 2021, BioPlus identified suspicious activity in its IT
`
`network. BioPlus later determined that an unauthorized party gained access to its IT network
`
`between October 25, 2021 and November 11, 2021. During that time, the unauthorized party
`
`accessed files containing the Sensitive Information of BioPlus’s patients.
`
`29.
`
`BioPlus did not begin notifying its patients that their Sensitive Information had
`
`been compromised until it began mailing notification letters, such as the one received by Plaintiff,
`
`on or about December 10, 2021.
`
`30.
`
` The letters received by Plaintiff and Class Members indicate that the following
`
`Sensitive Information was exposed in the breach: patient names, dates of birth, addresses, medical
`
`record numbers, current/former health plan member ID numbers, claims information, diagnoses,
`
`and/or prescription information. BioPlus has disclosed that certain patients, such as Plaintiff, also
`
`had their Social Security numbers exposed in the breach.
`
`31.
`
`The notification letters provided to Plaintiff and Class Members recommend
`
`several time-consuming steps that victims of the Data Breach can take to try to mitigate the risk of
`
`future fraud and identity theft, such as fraud alerts and credit freezes.
`
`32.
`
`Patients whose Social Security numbers were determined to be exposed in the Data
`
`Breach, such as Plaintiff, were offered a one-year subscription to Experian credit monitoring and
`
`identity protection services. BioPlus has not offered to extend this credit monitoring longer than
`
`one year Plaintiff and Class Members facing a substantial risk of fraud and identity theft both now
`
`
`and for years to come.
`
`33.
`
`But for Defendant’s failure to take reasonable steps to secure Plaintiff’s and Class
`
`Members’ Sensitive Information and to exercise reasonable care in the hiring and/or supervision
`
`of its employees, malicious actors would not have been able to gain access to Defendant’s network.
`
`34.
`
`It is common sense that the criminal(s) that breached Defendant’s systems and
`
`acquired the victims’ PII and PHI did so for the purpose of using that data to commit fraud, theft,
`
`and other crimes, or for the purpose of selling or providing the PII and PHI to other individuals
`
`intending to commit fraud, theft, and other crimes. Given that this is the reason such PII and PHI
`
`are sought by criminals, it is similarly common sense that Plaintiff and the Class Members have
`
`already suffered injury and face a substantial risk for imminent and certainly impending future
`
`injury.
`
`35.
`
`Defendant acknowledged the risk faced by victims of the Data Breach. For
`
`example, Defendant has offered to provide Plaintiff with a one-year membership to credit
`
`monitoring services. It is common sense that Defendant would not pay for such services if it did
`
`not believe Plaintiff and Class Members faced a substantial risk of harm from the exposure of their
`
`Sensitive Information in the Data Breach.
`
`36.
`
`According to the Federal Trade Commission (“FTC”), identity theft wreaks havoc
`
`on consumers’ finances, credit history, and reputation and can take time, money, and patience to
`
`resolve.4 Identity thieves use stolen personal information for a variety of crimes, including credit
`
`card fraud, phone or utilities fraud, and bank and finance fraud.5
`
`
`4 See Taking Charge, What to Do If Your Identity is Stolen, FTC, 3 (2012),
`http://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf (last visited April 20, 2021).
`https://www.consumer.ftc.gov/articles/pdf-0009_identitytheft_a_recovery_plan.pdf.
`5 Id. The FTC defines identity theft as “a fraud committed or attempted using the identifying information
`of another person without authority.” 16 CFR § 603.2. The FTC describes “identifying information” as
`“any name or number that may be used, alone or in conjunction with any other information, to identify a
`
`
`37.
`
`The physical, emotional, and social toll suffered (in addition to the financial toll)
`
`by identity theft victims cannot be understated.6 “A 2016 Identity Theft Resource Center survey
`
`of identity theft victims sheds light on the prevalence of this emotional suffering caused by identity
`
`theft: 74 percent of respondents reported feeling stressed, 69 percent reported feelings of fear
`
`related to personal financial safety, 60 percent reported anxiety, 42 percent reported fearing for the
`
`financial security of family members, and 8 percent reported feeling suicidal.”7
`
`38. More recently, the FTC released an updated publication on protecting PII for
`
`businesses, which includes instructions on protecting PII, properly disposing of PII, understanding
`
`network vulnerabilities, implementing policies to correct security problems, using intrusion
`
`detection programs, monitoring data traffic, and having in place a response plan.
`
`39.
`
`The FTC has brought enforcement actions against businesses for failing to protect
`
`customers’ PII. The FTC has done this by treating a failure to employ reasonable measures to
`
`protect against unauthorized access to PII as a violation of the FTC Act, 15 U.S.C. §45.
`
`40.
`
`Identity thieves may commit various types of crimes such as, inter alia,
`
`immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with
`
`another’s picture, fraudulently obtaining medical services, and/or using the victim’s information
`
`to obtain a fraudulent tax refund.
`
`41.
`
`The United States government and privacy experts acknowledge that it may take
`
`years for identity theft to come to light and be detected. Moreover, identity thieves may wait years
`
`before using the stolen data.
`
`
`specific person,” including, among other things, “[n]ame, social security number, date of birth, official State
`or government issued driver's license or identification number, alien registration number, government
`passport number, employer or taxpayer identification number.” Id.
`6 Id.
`7 Id.
`
`
`42.
`
`Because the information Defendant allowed to be compromised and taken is of such
`
`a durable and permanent quality (i.e., names, Social Security Numbers, dates of birth, and PHI),
`
`the harms to Plaintiff and the Class will continue and increase, and Plaintiff and the Class will
`
`continue to be at substantial risk for further imminent and future harm.
`
`Defendant Knew It Was and Continues to Be a Prime Target for Cyberattacks.
`
`43.
`
`Defendant is fully aware of how sensitive the PII and PHI it stores and maintains
`
`is. It is also aware of how much PII and PHI it collects, uses, and maintains from Plaintiff and
`
`Class Members.
`
`44.
`
`Defendant knew or should have known that it was an ideal target for hackers and
`
`those with nefarious purposes related to sensitive personal and health data. It processed and saved
`
`multiple types, and many levels, of PII and PHI through its computer data and storage systems.
`
`45.
`
`By requiring the production of, collecting, obtaining, using, and deriving benefits
`
`from Plaintiff’s and the Class Members’ PII and PHI, Defendant assumed certain legal and
`
`equitable duties, and it knew or should have known that it was responsible for the diligent
`
`protection of that PII and PHI it collected and stored.
`
`46.
`
`As a large and highly successful company, Defendant had the resources to invest
`
`in the necessary data security and protection measures. Yet, Defendant failed to exercise
`
`reasonable care in the hiring and/or supervision of its employees and agents and failed to undertake
`
`adequate analyses and testing of its own systems, adequate personnel training, and other data
`
`security measures to avoid the failures that resulted in the Data Breach.
`
`47.
`
`The seriousness with which Defendant should have taken its data security is shown
`
`by the number of data breaches perpetrated in the healthcare industry over the past few years.
`
`48.
`
` Over 41 million patient records were breached in 2019, with a single hacking
`
`
`incident affecting close to 21 million records.8 Healthcare breaches in 2019 almost tripled those
`
`the healthcare industry experienced in 2018, when 15 million patient records were affected by data
`
`breach incidents, according to a report from Protenus and DataBreaches.net.9
`
`49.
`
`Protenus, a healthcare compliance analytics firm, analyzed data breach incidents
`
`disclosed to the U.S. Department of Health and Human Services or the media during 2019, finding
`
`that there has been an alarming increase in the number of data breaches of patient privacy since
`
`2016, when there were 450 security incidents involving patient data. 10 In 2019 that number
`
`jumped to 572 incidents, which is likely an underestimate, as two of the incidents for which there
`
`were no data affected 500 dental practices and clinics and could affect significant volumes of
`
`patient records. There continues to be on average at least one health data breach every day.11
`
`50.
`
`One recent report found that in 2020, healthcare was one of the industries most
`
`affected by tracked ransomware incidents.12
`
`PII and PHI Are Very Valuable
`
`51.
`
` At an FTC public workshop in 2001, then-Commissioner Orson Swindle described
`
`the value of a consumer’s personal information as follows:
`
`The use of third party information from public records, information aggregators and
`even competitors for marketing has become a major facilitator of our retail
`economy. Even [Federal Reserve] Chairman [Alan] Greenspan suggested here
`some time ago that it’s something on the order of the life blood, the free flow of
`
`
`8 Heather Landi, Number of patient records breached nearly triples in 2019, FIERCE HEALTHCARE (Feb. 20, 2020),
`https://www.fiercehealthcare.com/tech/number-patient-records-breached-2019-almost-tripled-from-2018-as-healthcare-faces-new-threats#:~:text=Over%2041%20million%20patient%20records,
`close%20to%2021%20million%20records (last visited December 23, 2021).
`9 Id.
`10 Id.
`11 Id.
`12 Kat Jerich, Healthcare hackers demanded an average ransom of $4.6 last year, says BakerHostetler,
`HEALTHCARE IT NEWS (May 4, 2021),
`https://www.healthcareitnews.com/news/healthcare-hackers-demanded-average-ransom-46m-last-year-says-bakerhostetler (last visited December 23, 2021).
`
`
`information.13
`
`52.
`
`Consumers rightfully place a high value not only on their PII and PHI, but also on
`
`the privacy of that data. Researchers have already begun to shed light on how much consumers
`
`value their data privacy – and the amount is considerable. Notably, one study on website privacy
`
`determined that U.S. consumers valued the restriction of improper access to their personal
`
`information – the very injury at issue here – between $11.33 and $16.58 per website. The study
`
`also determined that “[a]mong U.S. subjects, protection against errors, improper access, and
`
`secondary use of personal information is worth US$30.49 – 44.62.”14 This study was done in
`
`2002, almost twenty years ago. The sea-change in how pervasive the Internet is in everyday lives
`
`since then indicates that these values—when associated with the loss of PII and PHI to bad actors—
`
`would be exponentially higher today.
`
`The PII and PHI at Issue Here is Particularly Valuable to Hackers
`
`53.
`
`Businesses that store personal information are likely to be targeted by cyber
`
`criminals. Credit card and bank account numbers are tempting targets for hackers, but credit and
`
`debit cards can be cancelled, quickly mitigating the hackers’ ability to cause further harm. Instead,
`
`PHI and types of PII that cannot be easily changed (such as dates of birth and Social Security
`
`Numbers) are the most valuable to hackers.15
`
`54.
`
`The unauthorized disclosure of Social Security numbers can be particularly
`
`
`13 The Information Marketplace: Merging and Exchanging Consumer Data, FTC (Mar. 13, 2001),
`transcript available at http://www.ftc.gov/news-events/events-calendar/2001/03/information-marketplace-merging-exchanging-consumer-data (last visited December 23, 2021).
`14 Il-Horn Hann, Kai-Lung Hui, et al, The Value of Online Information Privacy: Evidence from the USA
`and Singapore, at 17. Marshall Sch. Bus., Univ. So. Cal. (Oct. 2002),
`https://www.comp.nus.edu.sg/~ipng/research/privacy.pdf (last visited December 23, 2021).
`15 Calculating the Value of a Data Breach – What Are the Most Valuable Files to a Hacker? Donnellon
`McCarthy Enters., https://www.dme.us.com/2020/07/21/calculating-the-value-of-a-data-breach-what-are-the-most-valuable-files-to-a-hacker/ (last visited December 23, 2021).
`
`
`
`damaging, because Social Security numbers cannot easily be replaced. In order to obtain a new
`
`Social Security number a person must prove, among other things, that he or she continues to be
`
`disadvantaged by the misuse. Thus, no new Social Security number can be obtained until the
`
`damage has been done.
`
`55.
`
`Furthermore, as the Social Security Administration (“SSA”) warns:
`
`Keep in mind that a new number probably will not solve all your problems. This
`is because other governmental agencies (such as the IRS and state motor vehicle
`agencies) and private businesses (such as banks and credit reporting companies)
`likely will have records under your old number. Along with other personal
`information, credit reporting companies use the number to identify your credit
`record. So using a new number will not guarantee you a fresh start. This is
`especially true if your other personal information, such as your name and address,
`remains the same.
`
`If you receive a new Social Security Number, you should not be able to use the old
`number anymore.
`
`For some victims of identity theft, a new number actually creates new problems. If
`the old credit information is not associated with your new number, the absence of
`any credit history under the new number may make more difficult for you to get
`credit.16
`
`56.
`
`Criminals can, for example, use Social Security numbers to create false bank
`
`accounts or file fraudulent tax returns.17 Victims of the Data Breach will spend, and already have
`
`spent, time contacting various agencies, such as the Internal Revenue Service and the Social
`
`Security Administration. They also now face a real and imminent substantial risk of identity theft
`
`and other problems associated with the disclosure of their Social Security number and will need to
`
`monitor their credit and tax filings for an indefinite duration.
`
`57.
`
`PHI is just as, if not more, valuable than Social Security Numbers. According to a
`
`
`16 SSA, Identity Theft and Your Social Security Number, SSA Publication No. 05-10064 (Dec. 2013),
`http://www.ssa.gov/pubs/EN-05-10064.pdf (last visited December 23, 2021).
`17 When fraudulent tax returns are filed, the requirements for a legitimate taxpayer to file their tax returns
`with the IRS increase, including the necessity to obtain and utilize unique PIN numbers just to be able to
`file a tax return.
`
`
`report by the Federal Bureau of Investigation’s (“FBI”) Cyber Division, healthcare records can be
`
`sold by criminals for 50 times the price of stolen Social Security numbers or credit card numbers.18
`
`A file containing private health insurance information can be bought for between $1,200 and
`
`$1,300 each on the black market.19
`
`58.
`
`Similarly, the most recent edition of the annual Baker Hostetler Data Security
`
`Incident Response Report found that in 2020, hackers in ransomware attacks made an average
`
`initial ransomware demand of $4,583,090 after obtaining PHI. In 2020, final payouts to hackers
`
`committing ransomware attacks involving PHI averaged $910,335.20
`
`59.
`
`Companies recognize that PII and PHI are valuable assets. Indeed, PII and PHI are
`
`valuable commodities. A “cyber black-market” exists in which criminals openly post stolen PII
`
`and PHI on a number of Internet websites. Plaintiff’s and Class Members’ compromised PII has
`
`a high value on both legitimate and black markets.
`
`60.
`
`Some companies recognize PII, and especially PHI, as a close equivalent to
`
`personal property. Software has been created by companies to value a person’s identity on the
`
`black market. The commoditization of this information is thus felt by consumers as theft of
`
`personal property in addition to an invasion of privacy.
`
`61. Moreover, compromised health information can lead to falsified information in
`
`medical records and fraud that can persist for years as it “is also more difficult to detect, taking
`
`
`18 FBI Cyber Division Bulletin: Health Care Systems and Medical Devices at Risk for Increased Cyber
`Intrusions for Financial Gain, FBI (April 8, 2014), https://publicintelligence.net/fbi-health-care-cyber-intrusions/ (last visited December 23, 2021).
`19 Elizabeth Clarke, Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit
`Documents, SecureWorks (July 15, 2013), https://www.secureworks.com/blog/general-hackers-sell-health-insurance-credentials-bank-accounts-ssns-and-counterfeit-documents (last visited December 23, 2021).
`20 Jerich, supra n.10.
`
`
`twice as long as normal identity theft.”21
`
`62.
`
`Because the information Defendant allowed to be compromised and taken is of such
`
`a durable and permanent quality, the harms to Plaintiff and the Class will continue and increase,
`
`and Plaintiff and Class Members will continue to be at substantial risk for further imminent and
`
`future harm.
`
`Defendant’s Post-Breach Activity Was (and Remains) Inadequate
`
`63.
`
`Immediate notice of a security breach is essential to protect victims such as Plaintiff
`
`and Class Members. Defendant failed to provide such immediate notice, thus further exacerbating
`
`the harm to Plaintiff and Class Members resulting from the Data Breach.
`
`64.
`
`Such failure to protect Plaintiff’s and Class Members’ PII and PHI, and timely
`
`notify them of the Data Breach, has significant ramifications. The information stolen allows
`
`criminals to commit theft, identity theft, and other types of fraud. Moreover, because the data
`
`points stolen are persistent—for example, names, dates of birth, Social Security numbers, and
`
`prescription medication data—as opposed to transitory, criminals who access, steal, or purchase
`
`the PII and PHI belonging to Plaintiff and the Class Members, do not need to use the information
`
`to commit fraud immediately. The PII and PHI can be used or sold for use years later, and often
`
`is.
`
`65.
`
`Plaintiff and Class Members are now at a significant risk of imminent and future
`
`fraud, misuse of their PII and PHI, and identity theft for many years in the future as a result of the
`
`Defendant’s actions and the Data Breach. The theft of their PHI is particularly impactful, as many
`
`banks or credit card providers have substantial fraud detection systems with quick freeze or
`
`cancellation programs in place, whereas the breadth and usability of PHI allows criminals to get
`
`21 See FBI, supra n.16.
`
`
`
`
`away with misuse for years before healthcare-related fraud is spotted.
`
`66.
`
`Plaintiff and Class Members have suffered real and tangible losses, including but
`
`not limited to the loss in the inherent value of their PII and PHI, the loss of their time as they have
`
`had to spend additional time monitoring accounts and activity, and additional economic loss to
`
`mitigate the costs of injuries realiz
