UNITED STATES DISTRICT COURT
MIDDLE DISTRICT OF FLORIDA
ORLANDO DIVISION

CRYSTAL HULLET, on behalf of herself and all others similarly situated,

Plaintiff,

v.

BIOPLUS SPECIALTY PHARMACY SERVICES, LLC,

Defendant.

Case No.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiff, Crystal Hullet (“Ms. Hullet” or “Plaintiff”), through her attorneys, brings this Class Action Complaint against the Defendant, BioPlus Specialty Pharmacy Services, LLC (“BioPlus” or “Defendant”), alleging as follows:

INTRODUCTION

1. BioPlus, a pharmacy provider servicing over 350,000 patients throughout the United States, lost control over patients’ highly sensitive medical and personal information in a data breach by cybercriminals (“Data Breach”). The Data Breach compromised the personally identifiable information (“PII”) and personal health information (“PHI”) of every patient in its system, meaning all patients are at risk of identity theft and harm. Cybercriminals could steal patient data because BioPlus did not adequately protect and secure patient PII and PHI, leaving the data an unguarded target for theft and misuse. Ms. Hullet was a victim of the Data Breach and brings this Class Action on behalf of herself and all patients harmed by BioPlus’s conduct.

Case 6:22-cv-00147-RBD-LRH Document 1 Filed 01/24/22 Page 2 of 28 PageID 2

2. On November 11, 2021, BioPlus learned that cybercriminals had breached its data systems and potentially accessed all patients’ PII and PHI. BioPlus internally investigated the breach over the next month but failed to identify exactly what the cybercriminals stole and from which patients. But the investigation did reveal that hackers started accessing BioPlus’s data systems on October 25, 2021, over two weeks before BioPlus identified the Data Breach.

3. Due to BioPlus’s inability to detect and prevent the Data Breach earlier, cybercriminals had access to patients’ highly sensitive PII and PHI, including patient “name, address, date of birth, Social Security number, medical record number, current/former member ID number, claims information, diagnosis and/or prescription information.”

4. BioPlus’s inability to safeguard patients’ highly sensitive PII and PHI and determine the scale of the Data Breach violates Florida law and Biolife’s implied contract with patients to safeguard their PII and PHI.

5. Ms. Hullet and class members face a lifetime risk of identity theft due to the nature of the information lost, including patients’ dates of birth and Social Security numbers, which they cannot change.

6. BioPlus’s harmful conduct has injured Ms. Hullet and class members in multiple ways, including: (i) the lost or diminished value of their PII and PHI; (ii) costs associated with the prevention, detection, and recovery from identity theft, tax fraud, and other unauthorized use of their data; (iii) lost opportunity costs to mitigate the Data Breach’s consequences, including lost time; and (iv) emotional distress associated with the loss of control over their highly sensitive PII and PHI.

7. BioPlus’s failure to protect patients’ PII and PHI violates Florida law and harms hundreds of thousands of patients, causing Ms. Hullet to seek relief on a class wide basis.

PARTIES

8. Plaintiff, Crystal Hullet, is a natural person and resident of North Carolina.

9. BioPlus is a limited liability company registered to do business in Florida with headquarters at 376 Northlake Blvd., Alamonte Springs, Florida 32701. On information and belief, BioPlus has two manager members, Stephen C. Vogt and Stephen H. Garner, who have listed addresses at 376 Northlake Blvd., Alamonte Springs, Florida 32701. On information and belief, BioPlus also has an “authorized” member, BioPlus Parent, LLC, with an address at 50 Kennedy Plaza, 12th Floor, Providence, Rhode Island 02903.

JURISDICTION & VENUE

10. This Court has subject matter and diversity jurisdiction over this action under 28 U.S.C. § 1332(d) because this is a class action in which the amount in controversy exceeds $5 million, exclusive of costs and interest, there are more than 100 members in the proposed class, and at least one class member is a citizen of a different state than BioPlus, establishing minimal diversity.

11. This Court has personal jurisdiction over BioPlus because it is organized in Florida and its headquarters is in Alamonte Springs, Florida.

12. Venue is proper in this Court under 28 U.S.C. §§ 1391 because a substantial part of the alleged wrongful conduct and events giving rise to the claims occurred in this District and because BioPlus conducts business in this District.

FACTUAL ALLEGATIONS

A. BioPlus

13. BioPlus provides drugs that treat cancer, infusion, multiple sclerosis, hepatitis C, and complex chronic conditions, boasting itself as the “first and only independent, national specialty pharmacy[.]” On information and belief, BioPlus has over 350,000 current and former patients.

14. In exchange for its services, BioPlus requires its patients to provide their highly sensitive PII and PHI, including their name, address, date of birth, Social Security number, medical record number, current/former member ID number, claims information, diagnosis and/or prescription information.

15. BioPlus promises to safeguard patients’ PII and PHI as part of its services, providing patients its “Notice of Protected Health Information Practices and Privacy Statement” (“Privacy Notice”).

16. The Privacy Notice explains how BioPlus collects patient data as part of its services:

17. BioPlus’s Privacy Notice recognizes BioPlus’s duty to secure and maintain patient PII and PHI and use it only in delivering BioPlus’s services:1

1 See BioPlus’s Privacy Notice, https://bioplusrx.com/privacy-policy/ (last visited January 4, 2021).

18. Ms. Hullet and the proposed class are current and former BioPlus patients.

19. As a condition of providing treatment, BioPlus required Ms. Hullet and the proposed class to provide their PII and PHI.

20. BioPlus then collected and maintained patients’ PII and PHI in its computer systems.

21. In collecting and storing patients’ PII and PHI, BioPlus implied that it would protect and maintain their data according to state and federal law and its Privacy Notice.

22. Ms. Hullet and the proposed class relied on BioPlus’s representations in agreeing to provide their PII and PHI.

B. BioPlus fails to safeguard patients’ PII and PHI

23. On October 25, 2021, BioPlus lost control of patients’ PII and PHI to cybercriminals in the Data Breach. Due to inadequate systems to safeguard patient data, BioPlus was unaware of the breach for over two weeks, allowing cybercriminals to pilfer patients’ PII and PHI undetected.

24. On November 11, 2021, BioPlus finally discovered the Data Breach and allegedly began taking measures to stop it. But through an internal investigation, BioPlus was unable to determine the scale of the Data Breach and the exact information cybercriminals stole.

25. BioPlus’s inability to determine the scale of the Data Breach led it to conclude that all of its approximately 350,000 patients may have had their PII and PHI exposed to cybercriminals.

26. On December 10, 2021, a month after discovering the Data Breach, BioPlus announced the Data Breach in a notice to patients (“Breach Notice”). A true and correct copy of the Breach Notice is attached as Exhibit A.

27. The Breach Notice reiterated that BioPlus was “committed to protecting the confidentiality and security of the information we maintain,” including patient PII and PHI.

28. The Breach Notice explained that BioPlus lost control over patients’ highly sensitive PII and PHI, including their names, addresses, dates of birth, Social Security numbers, medical record numbers, current/former member ID numbers, claims information, diagnosis and/or prescription information.

29. Recognizing the severity of the Data Breach and its impact on patients, BioPlus included: “We deeply regret any inconvenience or concern this incident may cause and take this matter very seriously.”

30. BioPlus then explained that it implemented new safeguards to protect patient PII and PHI, which should have been in place before the Data Breach: “To help prevent something like this from happening again, we have implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor our systems.”

31. The Breach Notice also recognized the ongoing threat the Data Breach posed to patients, offering them credit monitoring services. But the “free” services continued for only one year.

32. The Breach Notice did not clarify how many times cybercriminals breached BioPlus’s systems, how long cybercriminals had access to BioPlus’s systems, exactly what they took, and how BioPlus changed its security protocols to prevent future breaches.

33. BioPlus alerted the attorney generals’ offices for Florida, Montana, and California under those states’ breach notification laws.

34. On information and belief, BioPlus failed to adequately train its employees on reasonable cybersecurity protocols or implement reasonable security measures, causing it to lose control over patients’ PII and PHI. BioPlus’s negligence is evidenced by its failure to recognize the Data Breach for over two weeks while cybercriminals had access to patient data, meaning BioPlus had no effective means to detect and prevent attempted data breaches. Further, the Breach Notice makes clear that BioPlus cannot even determine the full scope of the Data Breach, as it has been unable to determine exactly what information was stolen and when.

C. Plaintiff’s experience

35. Hullet has been a BioPlus customer from August 2021 to present.

36. As a condition of receiving BioPlus’s services, BioPlus requires Ms. Hullet to provide her PII and PHI.

37. Since becoming a BioPlus customer, Ms. Hullet has provided BioPlus her PII and PHI to purchase BioPlus’s services and medications.

38. On or about December of 2021, Ms. Hullet received notice from BioPlus that her PII and PHI were compromised by the Data Breach.

39. In response, Ms. Hullet has spent considerable time and effort monitoring her accounts to protect herself from additional identity theft. Ms. Hullet fears for her personal financial security and uncertainty over what medical information was revealed in the Data Breach. She is experiencing feelings of anxiety, sleep disruption, stress, and fear because of the Data Breach. This goes far beyond allegations of mere worry or inconvenience; it is exactly the sort of injury and harm to a Data Breach victim that is contemplated and addressed by law.

40. BioPlus’s proposed fix, a one-year credit monitoring service, is inadequate to address Ms. Hullet’s losses, as she faces a risk of identity theft for the rest of her life.

D. Ms. Hullet and the proposed class face significant risk of identity theft

41. Ms. Hullet and members of the proposed class have suffered injury from the misuse of their PII and PHI that can be directly traced to BioPlus.

42. The ramifications of BioPlus’s failure to keep Plaintiff’s and the Class’s PII and PHI secure are severe. Identity theft occurs when someone uses another’s personal and financial information such as that person’s name, account number, Social Security number, driver’s license number, date of birth, or other information, without permission, to commit fraud or other crimes.

43. According to experts, one out of four data breach notification recipients become a victim of identity fraud.

44. Because BioPlus failed to prevent the Data Breach, Ms. Hullet and the proposed Class have suffered and will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress. They have suffered or are at an increased risk of suffering:

a. The loss of the opportunity to control how their PII and PHI are used;

b. The diminution in value of their PII and PHI;

c. The compromise and continuing publication of their PII and PHI;

d. Out-of-pocket costs associated with the prevention, detection, recovery, and remediation from identity theft or fraud;

e. Lost opportunity costs and lost wages associated with the time and effort expended addressing and trying to mitigate the actual and future consequences of the Data Breach, including, but not limited to, efforts spent researching how to prevent, detect, contest, and recover from identity theft and fraud;

f. Delay in receipt of tax refund monies;

g. Unauthorized use of stolen PII and PHI; and

h. The continued risk to their PII and PHI, which remains in the possession of BioPlus and is subject to further breaches so long as BioPlus fails to undertake the appropriate measures to protect the PII and PHI in their possession.

45. Stolen PII and PHI is one of the most valuable commodities on the criminal information black market. According to Experian, a credit-monitoring service, stolen PHI can be worth up to $1,000.00 depending on the type of information obtained.

46. The value of Plaintiff’s and the proposed Class’s PII and PHI on the black market is considerable. Stolen PII and PHI trades on the black market for years, and criminals often post stolen private information openly on various “dark web” internet websites, like Marketo, making the information publicly available, for a fee.

47. It can take victims years to spot identity or PII and PHI theft, giving criminals time to sell that information for cash.

48. One such example of criminals using PII and PHI for profit is the development of “Fullz” packages.

49. Cybercriminals can cross-reference multiple sources of PII and PHI to marry unregulated data available elsewhere to criminally stolen data with an astonishingly complete scope and degree of accuracy to assemble complete dossiers on individuals. These dossiers are known as “Fullz” packages.

50. The development of “Fullz” packages means that stolen PII and PHI from the Data Breach can easily be used to link and identify it to Plaintiff’s and the proposed Class’s phone numbers, email addresses, and other unregulated sources and identifiers. In other words, even if certain information such as emails, phone numbers, or credit card numbers may not be included in the PII and PHI stolen by the cybercriminals in the Data Breach, criminals can easily create a Fullz package and sell it at a higher price to unscrupulous operators and criminals (such as illegal and scam telemarketers) over and over. That is exactly what is happening to Plaintiff and members of the proposed Class, and it is reasonable for any trier of fact, including this Court or a jury, to find that Plaintiff’s and other members of the proposed Class’s stolen PII and PHI is being misused, and that such misuse is fairly traceable to the Data Breach.

51. According to the FBI’s Internet Crime Complaint Center (IC3) 2019 Internet Crime Report, Internet-enabled crimes reached their highest number of complaints and dollar losses that year, leading to more than $3.5 billion in losses to individuals and business victims.

52. Further, according to the same report, “rapid reporting can help law enforcement stop fraudulent transactions before a victim loses the money for good.”

53. Victims of identity theft also often suffer embarrassment, blackmail, or harassment in person or online, and experience financial losses resulting from fraudulently opened accounts or misuse of existing accounts.

54. Along with out-of-pocket expenses that can exceed thousands of dollars for the victim of new account identity theft, and the emotional toll identity theft can take, some victims must spend a considerable time repairing the damage caused by the theft of their PHI. Victims of new account identity theft will likely have to spend time correcting fraudulent information in their credit reports and continually monitor their reports for future inaccuracies, close existing bank/credit accounts, open new ones, and dispute charges with creditors.

55. Further complicating the issues faced by victims of identity theft, data thieves may wait years before trying to use the stolen PII and PHI. To protect themselves, Plaintiff and the proposed Class will need to remain vigilant against unauthorized data use for years or even decades to come.

56. The Federal Trade Commission (“FTC”) has also recognized that consumer data is a new and valuable form of currency. In an FTC roundtable presentation, former Commissioner, Pamela Jones Harbour, stated that “most consumers cannot begin to comprehend the types and amount of information collected by businesses, or why their information may be commercially valuable. Data is currency.”

57. The FTC has also issued several guidelines for businesses that highlight reasonable data security practices. The FTC has noted the need to factor data security into all business decision-making. According to the FTC, data security requires: (1) encrypting information stored on computer networks; (2) retaining payment card information only as long as necessary; (3) properly disposing of personal information that is no longer needed; (4) limiting administrative access to business systems; (5) using industry-tested and accepted methods for securing data; (6) monitoring activity on networks to uncover unapproved activity; (7) verifying that privacy and security features function properly; (8) testing for common vulnerabilities; and (9) updating and patching third-party software.

58. According to the FTC, unauthorized PHI disclosures are extremely damaging to consumers’ finances, credit history, and reputation, and can take time, money, and patience to resolve the fallout. The FTC treats the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5(a) of the FTC Act.

59. To that end, the FTC has issued orders against businesses that failed to employ reasonable measures to secure sensitive payment card data. See In the matter of Lookout Services, Inc., No. C-4326, ¶ 7 (June 15, 2011) (“[Defendant] allowed users to bypass authentication procedures” and “failed to employ sufficient measures to detect and prevent unauthorized access to computer networks, such as employing an intrusion detection system and monitoring system logs.”); In the matter of DSW, Inc., No. C-4157, ¶ 7 (Mar. 7, 2006) (“[Defendant] failed to employ sufficient measures to detect unauthorized access.”); In the matter of The TJX Cos., Inc., No. C-4227 (Jul. 29, 2008) (“[R]espondent stored . . . personal information obtained to verify checks and process unreceipted returns in clear text on its in-store and corporate networks[,]” “did not require network administrators . . . to use different passwords to access different programs, computers, and networks[,]” and “failed to employ sufficient measures to detect and prevent unauthorized access to computer networks . . .”); In the matter of Dave & Buster’s Inc., No. C-4291 (May 20, 2010) (“[Defendant] failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization” and “failed to use readily available security measures to limit access between instore networks . . .”). These orders, which all preceded the Data Breach, further clarify the measures businesses must take to meet their data security obligations.

CLASS ACTION ALLEGATIONS

60. Ms. Hullet sues on behalf of herself and the proposed class (“Class”), defined as follows:

    All individuals residing in the United States whose personal information was compromised in the Data Breach disclosed by BioPlus in December 2021.

Excluded from the Class are BioPlus, its agents, affiliates, parents, subsidiaries, any entity in which BioPlus has a controlling interest, any BioPlus officer or director, any successor or assign, and any Judge who adjudicates this case, including their staff and immediate family.

61. Ms. Hullet reserves the right to amend the class definition.

62. This action satisfies the numerosity, commonality, typicality, and adequacy requirements under Fed. R. Civ. P. 23.

a. Numerosity. Ms. Hullet is a representative of the proposed Class consisting of over 350,000 members—far too many to join in a single action;

b. Ascertainability. Class members are readily identifiable from information in BioPlus’s possession, custody, and control;

c. Typicality. Ms. Hullet’s claims are typical of Class members’ claims as each arises from the same Data Breach, the same alleged negligence and statutory violations by BioPlus, and the same unreasonable manner of notifying individuals about the Data Breach.

d. Adequacy. Ms. Hullet will fairly and adequately protect the proposed Class’s interests. Her interests do not conflict with Class members’ interests and she has retained counsel experienced in complex class action litigation and data privacy to prosecute this action on the Class’s behalf, including as lead counsel.

e. Commonality. Ms. Hullet’s and the Class’s claims raise predominantly common fact and legal questions that a class wide proceeding can answer for all Class members. Indeed, it will be necessary to answer the following questions:

i. Whether BioPlus had a duty to use reasonable care in safeguarding Ms. Hullet and the Class’s PII and PHI;

ii. Whether BioPlus failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the Data Breach;

iii. Whether BioPlus was negligent in maintaining, protecting, and securing PII and PHI;

iv. Whether BioPlus breached contractual promises to safeguard Ms. Hullet and the Class’s PII and PHI;

v. Whether BioPlus took reasonable measures to determine the extent of the Data Breach after discovering it;

vi. Whether BioPlus’s Breach Notice was reasonable;

vii. Whether the Data Breach caused Ms. Hullet and the Class injuries;

viii. What the proper damages measure is;

ix. Whether BioPlus violated the statutes alleged in this complaint; and

x. Whether Ms. Hullet and the Class are entitled to damages, treble damages, or injunctive relief.

63. Further, common questions of law and fact predominate over any individualized questions, and a class action is superior to individual litigation or any other available method to fairly and efficiently adjudicate the controversy. The damages available to individual plaintiffs are insufficient to make individual lawsuits economically feasible.

FIRST CLAIM FOR RELIEF
Negligence
(On Behalf of Plaintiff and the Class)

64. Plaintiff incorporates paragraphs 1 through 63 as if fully set forth below.

65. Plaintiff and members of the Class entrusted their PII and PHI to Defendant. Defendant owed to Plaintiff and other members of the Class a duty to exercise reasonable care in handling and using the PII and PHI in its care and custody, including implementing industry-standard security procedures sufficient to reasonably protect the information from the Data Breach, theft, and unauthorized use that came to pass, and to promptly detect attempts at unauthorized access.

66. Defendant owed a duty of care to Plaintiff and members of the Class because it was foreseeable that Defendant’s failure to adequately safeguard their PII and PHI in accordance with state-of-the-art industry standards for data security would result in the compromise of that PII and PHI—just like the Data Breach that ultimately came to pass. Defendant acted with wanton and reckless disregard for the security and confidentiality of Plaintiff’s and members of the Class’s PII and PHI by disclosing and providing access to this information to third parties and by failing to properly supervise both the way the PII and PHI was stored, used, and exchanged, and those in its employ who made that happen.

67. Defendant owed to Plaintiff and members of the Class a duty to notify them within a reasonable time frame of any breach to the security of their PII and PHI. Defendant also owed a duty to timely and accurately disclose to Plaintiff and members of the Class the scope, nature, and occurrence of the Data Breach. This duty is required and necessary for Plaintiff and members of the Class to take appropriate measures to protect their PII and PHI, to be vigilant in the face of an increased risk of harm, and to take other necessary steps to mitigate the harm caused by the Data Breach.

68. Defendant owed these duties to Plaintiff and members of the Class because they are members of a well-defined, foreseeable, and probable class of individuals whom Defendant knew or should have known would suffer injury-in-fact from Defendant’s inadequate security protocols. Defendant actively sought and obtained Plaintiff’s and members of the Class’s PII and PHI for pharmaceutical services. Plaintiff and members of the Class needed to provide their PII and PHI to Defendant to receive pharmaceutical services from Defendant, and Defendant retained that information.

69. The risk that unauthorized persons would try to gain access to the PII and PHI and misuse it was foreseeable. Given that Defendant holds vast amounts of PII and PHI, it was inevitable that unauthorized individuals would try to access Defendant’s databases containing the PII and PHI—whether by malware or otherwise.

70. PII and PHI is highly valuable, and Defendant knew, or should have known, the risk in obtaining, using, handling, emailing, and storing the PII and PHI of Plaintiff and members of the Class’s and the importance of exercising reasonable care in handling it.

71. Defendant breached its duties by failing to exercise reasonable care in supervising its agents, contractors, vendors, and suppliers, and in handling and securing the personal information and PII and PHI of Plaintiff and members of the Class which actually and proximately caused the Data Breach and Plaintiff’s and members of the Class’s injury.

72. Defendant also breached its duties by failing to provide reasonably timely notice of the Data Breach to Plaintiff and members of the Class, which actually and proximately caused and exacerbated the harm from the Data Breach and Plaintiff’s and members of the Class’s injuries-in-fact.

73. As a direct and traceable result of Defendant’s negligence or negligent supervision, Plaintiff, and members of the Class have suffered or will suffer damages, including monetary damages, increased risk of future harm, embarrassment, humiliation, frustration, and emotional distress.

74. Defendant’s breach of its common-law duties to exercise reasonable care and its failures and negligence actually and proximately caused Plaintiff’s and members of the Class’s actual, tangible, injury-in-fact and damages, including, without limitation, the theft of their PII and PHI by criminals, improper disclosure of their PII and PHI, lost benefit of their bargain, lost value of their PII and PHI, and lost time and money incurred to mitigate and remediate the effects of the Data Breach that resulted from and were caused by Defendant’s negligence, which injury-in-fact and damages are ongoing, imminent, immediate, and which they continue to face.

SECOND CLAIM FOR RELIEF
Negligence Per Se
(On Behalf of Plaintiff and the Class)

75. Plaintiff incorporates paragraphs 1 through 63 as if fully set forth below.

76. Defendant had a duty to protect and maintain and provide adequate data security to maintain Plaintiff and the Class’s PII and PHI under § 5 of the FTC Act, 15 U.S.C. § 45.

77. The FTC Act prohibits unfair business practices affecting commerce, which the FTC has interpreted to include a failure to use reasonable measures to safeguard PII.

78. Defendant’s violation of these duties is negligence per se under Florida law.

79. Plaintiff and the proposed Class are included in the class of persons that the FTC Act was intended to protect.

80. The harm the Data Breach caused is the type the FTC Act was intended to guard against.

81. Defendant’s negligence per se caused Plaintiff and the proposed Class actual, tangible, injury-in-fact and damages, including, without limitation, the theft of their PII and PHI by criminals, improper disclosure of their PII and PHI, lost benefit of their bargain, lost value of their PII and PHI, and lost time and money incurred to mitigate and remediate the effects of the Data Breach that resulted from and were caused by Defendant’s negligence, which injury-in-fact and damages are ongoing, imminent, immediate, and which they continue to face.

THIRD CLAIM FOR RELIEF
Breach of Implied Contract
(On Behalf of Plaintiff and the Class)

82. Plaintiff incorporates paragraphs 1 through 63 as if fully set forth below.

83. Defendant offered to provide goods and services to Plaintiff and members of the Class in exchange for payment.

84. Defendant also required Plaintiff and the members of the Class to provide Defendant with their PII and PHI to receive services.

85. In turn, and through the Privacy Notice, Defendant agreed it would not disclose the PHI it collects from patients to unauthorized persons. Defendant also impliedly promised to maintain safeguards to protect its patients’ PII and PHI.

86. Defendant recognized its implied promise in its Breach Notice, stating that Defendant was “committed to protecting the confidentiality and security of the information we maintain,” including patient PII and PHI.

87. Plaintiff and the members of the Class accepted Defendant’s offer by providing PII a