Case 6:22-cv-00147-RBD-LRH Document 1 Filed 01/24/22 Page 1 of 28 PageID 1
UNITED STATES DISTRICT COURT
MIDDLE DISTRICT OF FLORIDA
ORLANDO DIVISION

CRYSTAL HULLET, on behalf of herself and all others similarly situated,

Plaintiff,

v.

BIOPLUS SPECIALTY PHARMACY SERVICES, LLC,

Defendant.

Case No.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiff, Crystal Hullet (“Ms. Hullet” or “Plaintiff”), through her attorneys, brings this Class Action Complaint against the Defendant, BioPlus Specialty Pharmacy Services, LLC (“BioPlus” or “Defendant”), alleging as follows:

INTRODUCTION

1. BioPlus, a pharmacy provider servicing over 350,000 patients throughout the United States, lost control over patients’ highly sensitive medical and personal information in a data breach by cybercriminals (“Data Breach”). The Data Breach compromised the personally identifiable information (“PII”) and personal health information (“PHI”) of every patient in its system, meaning all patients are at risk of identity theft and harm. Cybercriminals could steal patient data because BioPlus did not adequately protect and secure patient PII and PHI, leaving the data an unguarded target for theft and misuse. Ms. Hullet was a victim of the Data Breach and brings this Class Action on behalf of herself and all patients harmed by BioPlus’s conduct.

2. On November 11, 2021, BioPlus learned that cybercriminals had breached its data systems and potentially accessed all patients’ PII and PHI. BioPlus internally investigated the breach over the next month but failed to identify exactly what the cybercriminals stole and from which patients. But the investigation did reveal that hackers started accessing BioPlus’s data systems on October 25, 2021, over two weeks before BioPlus identified the Data Breach.

3. Due to BioPlus’s inability to detect and prevent the Data Breach earlier, cybercriminals had access to patients’ highly sensitive PII and PHI, including patient “name, address, date of birth, Social Security number, medical record number, current/former member ID number, claims information, diagnosis and/or prescription information.”

4. BioPlus’s inability to safeguard patients’ highly sensitive PII and PHI and determine the scale of the Data Breach violates Florida law and Biolife’s implied contract with patients to safeguard their PII and PHI.

5. Ms. Hullet and class members face a lifetime risk of identity theft due to the nature of the information lost, including patients’ dates of birth and Social Security numbers, which they cannot change.

6. BioPlus’s harmful conduct has injured Ms. Hullet and class members in multiple ways, including: (i) the lost or diminished value of their PII and PHI; (ii) costs associated with the prevention, detection, and recovery from identity theft, tax fraud, and other unauthorized use of their data; (iii) lost opportunity costs to mitigate the Data Breach’s consequences, including lost time; and (iv) emotional distress associated with the loss of control over their highly sensitive PII and PHI.

7. BioPlus’s failure to protect patients’ PII and PHI violates Florida law and harms hundreds of thousands of patients, causing Ms. Hullet to seek relief on a class wide basis.

PARTIES

8. Plaintiff, Crystal Hullet, is a natural person and resident of North Carolina.

9. BioPlus is a limited liability company registered to do business in Florida with headquarters at 376 Northlake Blvd., Alamonte Springs, Florida 32701. On information and belief, BioPlus has two manager members, Stephen C. Vogt and Stephen H. Garner, who have listed addresses at 376 Northlake Blvd., Alamonte Springs, Florida 32701. On information and belief, BioPlus also has an “authorized” member, BioPlus Parent, LLC, with an address at 50 Kennedy Plaza, 12th Floor, Providence, Rhode Island 02903.

JURISDICTION & VENUE

10. This Court has subject matter and diversity jurisdiction over this action under 28 U.S.C. § 1332(d) because this is a class action in which the amount in controversy exceeds $5 million, exclusive of costs and interest, there are more than 100 members in the proposed class, and at least one class member is a citizen of a different state than BioPlus, establishing minimal diversity.

11. This Court has personal jurisdiction over BioPlus because it is organized in Florida and its headquarters is in Alamonte Springs, Florida.

12. Venue is proper in this Court under 28 U.S.C. §§ 1391 because a substantial part of the alleged wrongful conduct and events giving rise to the claims occurred in this District and because BioPlus conducts business in this District.

FACTUAL ALLEGATIONS

A. BioPlus

13. BioPlus provides drugs that treat cancer, infusion, multiple sclerosis, hepatitis C, and complex chronic conditions, boasting itself as the “first and only independent, national specialty pharmacy[.]” On information and belief, BioPlus has over 350,000 current and former patients.

14. In exchange for its services, BioPlus requires its patients to provide their highly sensitive PII and PHI, including their name, address, date of birth, Social Security number, medical record number, current/former member ID number, claims information, diagnosis and/or prescription information.

15. BioPlus promises to safeguard patients’ PII and PHI as part of its services, providing patients its “Notice of Protected Health Information Practices and Privacy Statement” (“Privacy Notice”).

16. The Privacy Notice explains how BioPlus collects patient data as part of its services:

17. BioPlus’s Privacy Notice recognizes BioPlus’s duty to secure and maintain patient PII and PHI and use it only in delivering BioPlus’s services:[1]

[1] See BioPlus’s Privacy Notice, https://bioplusrx.com/privacy-policy/ (last visited January 4, 2021).

18. Ms. Hullet and the proposed class are current and former BioPlus patients.

19. As a condition of providing treatment, BioPlus required Ms. Hullet and the proposed class to provide their PII and PHI.

20. BioPlus then collected and maintained patients’ PII and PHI in its computer systems.

21. In collecting and storing patients’ PII and PHI, BioPlus implied that it would protect and maintain their data according to state and federal law and its Privacy Notice.

22. Ms. Hullet and the proposed class relied on BioPlus’s representations in agreeing to provide their PII and PHI.

B. BioPlus fails to safeguard patients’ PII and PHI

23. On October 25, 2021, BioPlus lost control of patients’ PII and PHI to cybercriminals in the Data Breach. Due to inadequate systems to safeguard patient data, BioPlus was unaware of the breach for over two weeks, allowing cybercriminals to pilfer patients’ PII and PHI undetected.

24. On November 11, 2021, BioPlus finally discovered the Data Breach and allegedly began taking measures to stop it. But through an internal investigation, BioPlus was unable to determine the scale of the Data Breach and the exact information cybercriminals stole.

25. BioPlus’s inability to determine the scale of the Data Breach led it to conclude that all of its approximately 350,000 patients may have had their PII and PHI exposed to cybercriminals.

26. On December 10, 2021, a month after discovering the Data Breach, BioPlus announced the Data Breach in a notice to patients (“Breach Notice”). A true and correct copy of the Breach Notice is attached as Exhibit A.

27. The Breach Notice reiterated that BioPlus was “committed to protecting the confidentiality and security of the information we maintain,” including patient PII and PHI.

28. The Breach Notice explained that BioPlus lost control over patients’ highly sensitive PII and PHI, including their names, addresses, dates of birth, Social Security numbers, medical record numbers, current/former member ID numbers, claims information, diagnosis and/or prescription information.

29. Recognizing the severity of the Data Breach and its impact on patients, BioPlus included: “We deeply regret any inconvenience or concern this incident may cause and take this matter very seriously.”

30. BioPlus then explained that it implemented new safeguards to protect patient PII and PHI, which should have been in place before the Data Breach: “To help prevent something like this from happening again, we have implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor our systems.”

31. The Breach Notice also recognized the ongoing threat the Data Breach posed to patients, offering them credit monitoring services. But the “free” services continued for only one year.

32. The Breach Notice did not clarify how many times cybercriminals breached BioPlus’s systems, how long cybercriminals had access to BioPlus’s systems, exactly what they took, and how BioPlus changed its security protocols to prevent future breaches.

33. BioPlus alerted the attorney generals’ offices for Florida, Montana, and California under those states’ breach notification laws.

34. On information and belief, BioPlus failed to adequately train its employees on reasonable cybersecurity protocols or implement reasonable security measures, causing it to lose control over patients’ PII and PHI. BioPlus’s negligence is evidenced by its failure to recognize the Data Breach for over two weeks while cybercriminals had access to patient data, meaning BioPlus had no effective means to detect and prevent attempted data breaches. Further, the Breach Notice makes clear that BioPlus cannot even determine the full scope of the Data Breach, as it has been unable to determine exactly what information was stolen and when.

C. Plaintiff’s experience

35. Hullet has been a BioPlus customer from August 2021 to present.

36. As a condition of receiving BioPlus’s services, BioPlus requires Ms. Hullet to provide her PII and PHI.

37. Since becoming a BioPlus customer, Ms. Hullet has provided BioPlus her PII and PHI to purchase BioPlus’s services and medications.

38. On or about December of 2021, Ms. Hullet received notice from BioPlus that her PII and PHI were compromised by the Data Breach.

39. In response, Ms. Hullet has spent considerable time and effort monitoring her accounts to protect herself from additional identity theft. Ms. Hullet fears for her personal financial security and uncertainty over what medical information was revealed in the Data Breach. She is experiencing feelings of anxiety, sleep disruption, stress, and fear because of the Data Breach. This goes far beyond allegations of mere worry or inconvenience; it is exactly the sort of injury and harm to a Data Breach victim that is contemplated and addressed by law.

40. BioPlus’s proposed fix, a one-year credit monitoring service, is inadequate to address Ms. Hullet’s losses, as she faces a risk of identity theft for the rest of her life.

D. Ms. Hullet and the proposed class face significant risk of identity theft

41. Ms. Hullet and members of the proposed class have suffered injury from the misuse of their PII and PHI that can be directly traced to BioPlus.

42. The ramifications of BioPlus’s failure to keep Plaintiff’s and the Class’s PII and PHI secure are severe. Identity theft occurs when someone uses another’s personal and financial information such as that person’s name, account number, Social Security number, driver’s license number, date of birth, or other information, without permission, to commit fraud or other crimes.

43. According to experts, one out of four data breach notification recipients become a victim of identity fraud.

44. Because BioPlus failed to prevent the Data Breach, Ms. Hullet and the proposed Class have suffered and will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress. They have suffered or are at an increased risk of suffering:

a. The loss of the opportunity to control how their PII and PHI are used;

b. The diminution in value of their PII and PHI;

c. The compromise and continuing publication of their PII and PHI;

d. Out-of-pocket costs associated with the prevention, detection, recovery, and remediation from identity theft or fraud;

e. Lost opportunity costs and lost wages associated with the time and effort expended addressing and trying to mitigate the actual and future consequences of the Data Breach, including, but not limited to, efforts spent researching how to prevent, detect, contest, and recover from identity theft and fraud;

f. Delay in receipt of tax refund monies;

g. Unauthorized use of stolen PII and PHI; and

h. The continued risk to their PII and PHI, which remains in the possession of BioPlus and is subject to further breaches so long as BioPlus fails to undertake the appropriate measures to protect the PII and PHI in their possession.

45. Stolen PII and PHI is one of the most valuable commodities on the criminal information black market. According to Experian, a credit-monitoring service, stolen PHI can be worth up to $1,000.00 depending on the type of information obtained.

46. The value of Plaintiff’s and the proposed Class’s PII and PHI on the black market is considerable. Stolen PII and PHI trades on the black market for years, and criminals often post stolen private information openly on various “dark web” internet websites, like Marketo, making the information publicly available, for a fee.

47. It can take victims years to spot identity or PII and PHI theft, giving criminals time to sell that information for cash.

48. One such example of criminals using PII and PHI for profit is the development of “Fullz” packages.

49. Cybercriminals can cross-reference multiple sources of PII and PHI to marry unregulated data available elsewhere to criminally stolen data with an astonishingly complete scope and degree of accuracy to assemble complete dossiers on individuals. These dossiers are known as “Fullz” packages.

50. The development of “Fullz” packages means that stolen PII and PHI from the Data Breach can easily be used to link and identify it to Plaintiff’s and the proposed Class’s phone numbers, email addresses, and other unregulated sources and identifiers. In other words, even if certain information such as emails, phone numbers, or credit card numbers may not be included in the PII and PHI stolen by the cybercriminals in the Data Breach, criminals can easily create a Fullz package and sell it at a higher price to unscrupulous operators and criminals (such as illegal and scam telemarketers) over and over. That is exactly what is happening to Plaintiff and members of the proposed Class, and it is reasonable for any trier of fact, including this Court or a jury, to find that Plaintiff’s and other members of the proposed Class’s stolen PII and PHI is being misused, and that such misuse is fairly traceable to the Data Breach.

51. According to the FBI’s Internet Crime Complaint Center (IC3) 2019 Internet Crime Report, Internet-enabled crimes reached their highest number of complaints and dollar losses that year, leading to more than $3.5 billion in losses to individuals and business victims.

52. Further, according to the same report, “rapid reporting can help law enforcement stop fraudulent transactions before a victim loses the money for good.”

53. Victims of identity theft also often suffer embarrassment, blackmail, or harassment in person or online, and experience financial losses resulting from fraudulently opened accounts or misuse of existing accounts.

54. Along with out-of-pocket expenses that can exceed thousands of dollars for the victim of new account identity theft, and the emotional toll identity theft can take, some victims must spend a considerable time repairing the damage caused by the theft of their PHI. Victims of new account identity theft will likely have to spend time correcting fraudulent information in their credit reports and continually monitor their reports for future inaccuracies, close existing bank/credit accounts, open new ones, and dispute charges with creditors.

55. Further complicating the issues faced by victims of identity theft, data thieves may wait years before trying to use the stolen PII and PHI. To protect themselves, Plaintiff and the proposed Class will need to remain vigilant against unauthorized data use for years or even decades to come.

56. The Federal Trade Commission (“FTC”) has also recognized that consumer data is a new and valuable form of currency. In an FTC roundtable presentation, former Commissioner, Pamela Jones Harbour, stated that “most consumers cannot begin to comprehend the types and amount of information collected by businesses, or why their information may be commercially valuable. Data is currency.”

57. The FTC has also issued several guidelines for businesses that highlight reasonable data security practices. The FTC has noted the need to factor data security into all business decision-making. According to the FTC, data security requires: (1) encrypting information stored on computer networks; (2) retaining payment card information only as long as necessary; (3) properly disposing of personal information that is no longer needed; (4) limiting administrative access to business systems; (5) using industry-tested and accepted methods for securing data; (6) monitoring activity on networks to uncover unapproved activity; (7) verifying that privacy and security features function properly; (8) testing for common vulnerabilities; and (9) updating and patching third-party software.

58. According to the FTC, unauthorized PHI disclosures are extremely damaging to consumers’ finances, credit history, and reputation, and can take time, money, and patience to resolve the fallout. The FTC treats the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5(a) of the FTC Act.

59. To that end, the FTC has issued orders against businesses that failed to employ reasonable measures to secure sensitive payment card data. See In the matter of Lookout Services, Inc., No. C-4326, ¶ 7 (June 15, 2011) (“[Defendant] allowed users to bypass authentication procedures” and “failed to employ sufficient measures to detect and prevent unauthorized access to computer networks, such as employing an intrusion detection system and monitoring system logs.”); In the matter of DSW, Inc., No. C-4157, ¶ 7 (Mar. 7, 2006) (“[Defendant] failed to employ sufficient measures to detect unauthorized access.”); In the matter of The TJX Cos., Inc., No. C-4227 (Jul. 29, 2008) (“[R]espondent stored . . . personal information obtained to verify checks and process unreceipted returns in clear text on its in-store and corporate networks[,]” “did not require network administrators . . . to use different passwords to access different programs, computers, and networks[,]” and “failed to employ sufficient measures to detect and prevent unauthorized access to computer networks . . .”); In the matter of Dave & Buster’s Inc., No. C-4291 (May 20, 2010) (“[Defendant] failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization” and “failed to use readily available security measures to limit access between instore networks . . .”). These orders, which all preceded the Data Breach, further clarify the measures businesses must take to meet their data security obligations.

CLASS ACTION ALLEGATIONS

60. Ms. Hullet sues on behalf of herself and the proposed class (“Class”), defined as follows:

All individuals residing in the United States whose personal information was compromised in the Data Breach disclosed by BioPlus in December 2021.

Excluded from the Class are BioPlus, its agents, affiliates, parents, subsidiaries, any entity in which BioPlus has a controlling interest, any BioPlus officer or director, any successor or assign, and any Judge who adjudicates this case, including their staff and immediate family.

61. Ms. Hullet reserves the right to amend the class definition.

62. This action satisfies the numerosity, commonality, typicality, and adequacy requirements under Fed. R. Civ. P. 23.

a. Numerosity. Ms. Hullet is a representative of the proposed Class consisting of over 350,000 members—far too many to join in a single action;

b. Ascertainability. Class members are readily identifiable from information in BioPlus’s possession, custody, and control;

c. Typicality. Ms. Hullet’s claims are typical of Class member’s claims as each arises from the same Data Breach, the same alleged negligence and statutory violations by BioPlus, and the same unreasonable manner of notifying individuals about the Data Breach.

d. Adequacy. Ms. Hullet will fairly and adequately protect the proposed Class’s interests. Her interests do not conflict with Class members’ interests and she has retained counsel experienced in complex class action litigation and data privacy to prosecute this action on the Class’s behalf, including as lead counsel.

e. Commonality. Ms. Hullet’s and the Class’s claims raise predominantly common fact and legal questions that a class wide proceeding can answer for all Class members. Indeed, it will be necessary to answer the following questions:

i. Whether BioPlus had a duty to use reasonable care in safeguarding Ms. Hullet and the Class’s PII and PHI;

ii. Whether BioPlus failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the Data Breach;

iii. Whether BioPlus was negligent in maintaining, protecting, and securing PII and PHI;

iv. Whether BioPlus breached contractual promises to safeguard Ms. Hullet and the Class’s PII and PHI;

v. Whether BioPlus took reasonable measures to determine the extent of the Data Breach after discovering it;

vi. Whether BioPlus’s Breach Notice was reasonable;

vii. Whether the Data Breach caused Ms. Hullet and the Class injuries;

viii. What the proper damages measure is;

ix. Whether BioPlus violated the statutes alleged in this complaint; and

x. Whether Ms. Hullet and the Class are entitled to damages, treble damages, or injunctive relief.

63. Further, common questions of law and fact predominate over any individualized questions, and a class action is superior to individual litigation or any other available method to fairly and efficiently adjudicate the controversy. The damages available to individual plaintiffs are insufficient to make individual lawsuits economically feasible.

FIRST CLAIM FOR RELIEF
Negligence
(On Behalf of Plaintiff and the Class)

64. Plaintiff incorporates paragraphs 1 through 63 as if fully set forth below.

65. Plaintiff and members of the Class entrusted their PII and PHI to Defendant. Defendant owed to Plaintiff and other members of the Class a duty to exercise reasonable care in handling and using the PII and PHI in its care and custody, including implementing industry-standard security procedures sufficient to reasonably protect the information from the Data Breach, theft, and unauthorized use that came to pass, and to promptly detect attempts at unauthorized access.

66. Defendant owed a duty of care to Plaintiff and members of the Class because it was foreseeable that Defendant’s failure to adequately safeguard their PII and PHI in accordance with state-of-the-art industry standards for data security would result in the compromise of that PII and PHI—just like the Data Breach that ultimately came to pass. Defendant acted with wanton and reckless disregard for the security and confidentiality of Plaintiff’s and members of the Class’s PII and PHI by disclosing and providing access to this information to third parties and by failing to properly supervise both the way the PII and PHI was stored, used, and exchanged, and those in its employ who made that happen.

67. Defendant owed to Plaintiff and members of the Class a duty to notify them within a reasonable time frame of any breach to the security of their PII and PHI. Defendant also owed a duty to timely and accurately disclose to Plaintiff and members of the Class the scope, nature, and occurrence of the Data Breach. This duty is required and necessary for Plaintiff and members of the Class to take appropriate measures to protect their PII and PHI, to be vigilant in the face of an increased risk of harm, and to take other necessary steps to mitigate the harm caused by the Data Breach.

68. Defendant owed these duties to Plaintiff and members of the Class because they are members of a well-defined, foreseeable, and probable class of individuals whom Defendant knew or should have known would suffer injury-in-fact from Defendant’s inadequate security protocols. Defendant actively sought and obtained Plaintiff’s and members of the Class’s PII and PHI for pharmaceutical services. Plaintiff and members of the Class needed to provide their PII and PHI to Defendant to receive pharmaceutical services from Defendant, and Defendant retained that information.

69. The risk that unauthorized persons would try to gain access to the PII and PHI and misuse it was foreseeable. Given that Defendant holds vast amounts of PII and PHI, it was inevitable that unauthorized individuals would try to access Defendant’s databases containing the PII and PHI—whether by malware or otherwise.

70. PII and PHI is highly valuable, and Defendant knew, or should have known, the risk in obtaining, using, handling, emailing, and storing the PII and PHI of Plaintiff and members of the Class’s and the importance of exercising reasonable care in handling it.

71. Defendant breached its duties by failing to exercise reasonable care in supervising its agents, contractors, vendors, and suppliers, and in handling and securing the personal information and PII and PHI of Plaintiff and members of the Class which actually and proximately caused the Data Breach and Plaintiff’s and members of the Class’s injury.

72. Defendant also breached its duties by failing to provide reasonably timely notice of the Data Breach to Plaintiff and members of the Class, which actually and proximately caused and exacerbated the harm from the Data Breach and Plaintiff’s and members of the Class’s injuries-in-fact.

73. As a direct and traceable result of Defendant’s negligence or negligent supervision, Plaintiff, and members of the Class have suffered or will suffer damages, including monetary damages, increased risk of future harm, embarrassment, humiliation, frustration, and emotional distress.

74. Defendant’s breach of its common-law duties to exercise reasonable care and its failures and negligence actually and proximately caused Plaintiff’s and members of the Class’s actual, tangible, injury-in-fact and damages, including, without limitation, the theft of their PII and PHI by criminals, improper disclosure of their PII and PHI, lost benefit of their bargain, lost value of their PII and PHI, and lost time and money incurred to mitigate and remediate the effects of the Data Breach that resulted from and were caused by Defendant’s negligence, which injury-in-fact and damages are ongoing, imminent, immediate, and which they continue to face.

SECOND CLAIM FOR RELIEF
Negligence Per Se
(On Behalf of Plaintiff and the Class)

75. Plaintiff incorporates paragraphs 1 through 63 as if fully set forth below.

76. Defendant had a duty to protect and maintain and provide adequate data security to maintain Plaintiff and the Class’s PII and PHI under § 5 of the FTC Act, 15 U.S.C. § 45.

77. The FTC Act prohibits unfair business practices affecting commerce, which the FTC has interpreted to include a failure to use reasonable measures to safeguard PII.

78. Defendant’s violation of these duties is negligence per se under Florida law.

79. Plaintiff and the proposed Class are included in the class of persons that the FTC Act was intended to protect.

80. The harm the Data Breach caused is the type the FTC Act was intended to guard against.

81. Defendant’s negligence per se caused Plaintiff and the proposed Class actual, tangible, injury-in-fact and damages, including, without limitation, the theft of their PII and PHI by criminals, improper disclosure of their PII and PHI, lost benefit of their bargain, lost value of their PII and PHI, and lost time and money incurred to mitigate and remediate the effects of the Data Breach that resulted from and were caused by Defendant’s negligence, which injury-in-fact and damages are ongoing, imminent, immediate, and which they continue to face.

THIRD CLAIM FOR RELIEF
Breach of Implied Contract
(On Behalf of Plaintiff and the Class)

82. Plaintiff incorporates paragraphs 1 through 63 as if fully set forth below.

83. Defendant offered to provide goods and services to Plaintiff and members of the Class in exchange for payment.

84. Defendant also required Plaintiff and the members of the Class to provide Defendant with their PII and PHI to receive services.

85. In turn, and through the Privacy Notice, Defendant agreed it would not disclose the PHI it collects from patients to unauthorized persons. Defendant also impliedly promised to maintain safeguards to protect its patients’ PII and PHI.

86. Defendant recognized its implied promise in its Breach Notice, stating that Defendant was “committed to protecting the confidentiality and security of the information we maintain,” including patient PII and PHI.

87. Plaintiff and the members of the Class accepted Defendant’s offer by providing PII a
