throbber
Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 1 of 30
`
`UNITED STATES DISTRICT COURT
`SOUTHERN DISTRICT OF FLORIDA
`FORT LAUDERDALE DIVISION
`
`
`
`Plaintiff,
`
`
`Kristi Hoffman-Mock, individually and on
`behalf of all others similarly situated,
`
`
`
`v.
`
`20/20 EYE CARE NETWORK, INC., and
`ICARE HEALTH SOLUTIONS, LLC,
`
`
`
`
`Defendants.
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`Case No.:
`
`
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`
`Plaintiff Kristi Hoffman-Mock (“Plaintiff”) brings this Class Action Complaint against
`
`Defendants 20/20 Eye Care Network, Inc. (“20/20”) and iCare Health Solutions, Inc. (“iCare”
`
`and collectively, “Defendants”) as an individual and on behalf of all others similarly situated, and
`
`alleges, upon personal knowledge as to her own actions and her counsels’ investigations, and
`
`upon information and belief as to all other matters, as follows:
`
`I.
`
`NATURE OF THE ACTION
`
`1.
`
`Plaintiff brings this class action to provide relief to 3.2 million similarly situated
`
`people harmed by Defendants failure to secure personally identifiable information (“PII”) and
`
`private health information (“PHI”).
`
`2.
`
`Defendant 20/20 is an entity that provides eye and hearing care services and
`
`administration.
`
`3.
`
`Upon information and belief, Defendant iCare partially owns and is a partner with
`
`20/20 to provide integrated eye health, hearing health, and administrative services in Florida.
`
`4.
`
`In May 2021, Plaintiff received a letter dated May 28, 2021 that stated in January
`
`2021, PII/PHI that was on 20/20’s systems had been viewed, seen, or accessed by unauthorized
`
`- 1 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 2 of 30
`
`third parties (the “Data Breach”). The notifications revealed that hackers gained unauthorized
`
`access to 20/20’s system and deleted files.
`
`5.
`
`This Data Breach occurred because Defendants failed to implement reasonably
`
`adequate cyber-security measures to protect Plaintiff’s PII/PHI. The deficiencies in Defendants
`
`cyber-security measures allowed the hackers to access patient data, which included the ability to
`
`view and edit the data.
`
`6.
`
`Defendants disregarded the rights of Plaintiff and putative Class Members by:
`
`a. Intentionally, willfully, recklessly, or negligently failing to take adequate
`and reasonable measures to ensure its data systems were protected;
`
`b. Failing to disclose to their patients the material fact that they did not have
`adequate computer systems and security practices to safeguard their
`PII/PHI;
`
`c. Failing to take available steps to prevent the Data Breach; and
`
`d. Failing to provide Plaintiff and Class Members prompt and accurate notice
`of the Data Breach.
`
`7.
`
`Because of Defendants’ failure to secure Plaintiff’s and Class Members’ PII/PHI,
`
`hackers have stolen their PII/PHI. As such, Plaintiff and Class Members, which includes minors,
`
`face a substantial increased risk of identity theft. Further, Plaintiff and Class Members have paid,
`
`or will have to pay, private monitoring companies to protect themselves. On top of paying for
`
`monitoring, Plaintiff had fraudulent charges on her credit card (discussed below). This makes clear
`
`that the Data Breach will put Plaintiff and Class Members at a heightened risk for theft and fraud
`
`for the rest of their lives.
`
`8.
`
`Plaintiff seeks, among other things, that the Defendants be required to disclose the
`
`nature of the information taken by hackers. Further, Defendants must adopt sufficient cyber-
`
`security measures to prevent incidents like this Data Breach from happening in the future.
`
`9.
`
`On behalf of all others similarly situated, Plaintiff alleges claims for negligence,
`
`invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach
`
`- 2 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 3 of 30
`
`of confidence and violation of Florida’s Deceptive and Unfair Trade Practices Act.
`
`II.
`
`PARTIES
`
`10.
`
`Plaintiff Kristi Hoffman-Mock is a citizen of Florida residing in Summerfield,
`
`Florida.
`
`11.
`
`Defendant 20/20 Eye Care Network, Inc. is a vision care company that offers third
`
`party administrative services. 20/20 contracts with optometrists, ophthalmologists, ambulatory
`
`surgical centers, and retail vision centers to provide a full spectrum of eye care needs. Its
`
`management services include claims processing, credentialing, management utilization, and
`
`network leasing.
`
`12.
`
`Defendant 20/20 owns 20/20 Hearing Care Network, Inc., which is a health care
`
`provider for audiology and related administrative work.
`
`13.
`
`Defendant iCare Health Solutions, LLC is an integrated specialty network and
`
`administrator of comprehensive ocular care services. It contracts with health plans and
`
`multispecialty clinics to deliver comprehensive ocular health solutions through a network of
`
`optometrists and ophthalmologists.
`
`14.
`
`In September of 2020, Defendant iCare, backed by private equity firm Pine Tree
`
`Equity IV, LP, invested in Defendant 20/20. iCare now controls 20/20 in whole or in part, which
`
`makes it the largest ophthalmology and optometry provider with over 55 locations and the largest
`
`managed service provider.
`
`III.
`
`JURISDICTION AND VENUE
`
`15.
`
`This Court has subject matter jurisdiction over this action under the Class Action
`
`Fairness Act. (28 U.S.C. § 1332(d)(2)) The amount in controversy exceeds $5 million, exclusive
`
`of costs and interest. There are in excess of 100 putative class members, at least some of whom
`
`have a different citizenship from Defendants.
`
`16.
`
`This Court has personal jurisdiction over Defendant because Defendant iCare
`
`Health Solutions, LLC has its principal place of business within this District at 7352 NW 34 Street
`
`Miami, Florida 33122.
`
`- 3 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 4 of 30
`
`17.
`
`Venue is proper in this Court pursuant to 28 U.S.C. § 1391 because a substantial
`
`part of the events or omissions giving rise to these claims occurred in, were directed to, and/or
`
`emanated from this District. The compromised 20/20 network that hackers stole Plaintiffs’ PII/PHI
`
`is within the district. Further, 20/20 is based in the District and likely stores more PII/PHI in the
`
`district.
`
`IV.
`
`FACTUAL ALLEGATIONS
`
`A.
`
`Background of the Data Breach
`
`18.
`
`Plaintiff received medical services from 20/20 Eye Care Network, Inc. and 20/20
`
`Hearing Care Network, Inc.
`
`19.
`
`Defendants reported to the Maine Attorney General that the Data Breach affected
`
`nearly 3.3 million individuals.1 The Defendants reported the breach as “insider wrongdoing”
`
`according to the Maine Attorney General’s data breach notification. Further, Defendants
`
`discovered the breach on February 18, 2021 and the breach occurred on January 11, 2021.
`
`20.
`
`However, it was not until May 28, 2021 that Plaintiff received a letter informing
`
`her of the breach. The letter explained that the 20/20 Hearing Care Network helps manage her
`
`benefits and that Plaintiff’s PII/PHI was exposed.
`
`21.
`
`Defendants’ letters stated that the information that was exposed in the data breach
`
`may have included:
`
`•
`
`•
`
`•
`
`•
`
`•
`
`Name
`
`Date of birth
`
`Social Security Number
`
`Member identification number
`
`Health insurance information
`
`22.
`
`Defendants acquire a large number of patients’ PHI and PII on a regular basis and
`
`maintain this data. Defendants require customers/patients to provide this information through the
`
`
`1 https://apps.web.maine.gov/online/aeviewer/ME/40/946029d6-7945-4a23-89c1-
`0ea29e9c18a2.shtml (last visited Jul. 7, 2021).
`
`- 4 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 5 of 30
`
`ordinary course of business so that they can process claims submitted by patient providers.
`
`23.
`
`According to the Notice of Data Breach letters and letters sent to state Attorneys
`
`General, the PHI and PII that Defendants collect “was accessed or downloaded prior to deletion.”2
`
`B.
`
`Defendants Were Aware of the Risks of a Data Breach
`
`24.
`
`25.
`
`Defendants knew that there was a risk of data breaches in the healthcare industry.
`
`Data breaches have become widespread. For example, The American Medical
`
`Association (“AMA”) has warned that 83% of physicians have experienced some form of
`
`cyberattack and 1-in-2 physicians are “very” or “extremely” concerned about future cyberattacks.
`
`26.
`
`Indeed, data breaches, such as the one experienced by Defendants, have become so
`
`notorious that the Federal Bureau of Investigation (“FBI”) has issued a warning to potential targets,
`
`so they are aware of, and prepared for, potential attacks. The FBI says, “malicious actors target
`
`healthcare related systems, perhaps for the purpose of obtaining [PHI and PII]”.3 Therefore, the
`
`increase in such attacks, and attendant risk of future attacks, was widely known and foreseeable to
`
`the public and to anyone in Defendants’ industry, including Defendants.
`
`C.
`
`Personally Identifiable Information
`
`27.
`
`According to the Federal Trade Commission (“FTC”), identity theft wreaks havoc
`
`on consumers’ finances, credit history, and reputation and can take time, money, and patience to
`
`resolve.4 Identity thieves use stolen personal information for a variety of crimes, including credit
`
`card fraud, phone or utilities fraud, and bank and finance fraud.5
`
`2
`https://2020incident.com/home.htm (last visited July 7, 2021).
`3
`Jim Finkle, FBI Warns Healthcare Firms that they are Targeted by Hackers, Reuters
`(Aug. 2014) https://www.reuters.com/article/us-cybersecurity-healthcare-fbi/fbi-warns-
`healthcare-firms-they-are-targeted-by-hackers-idUSKBN0GK24U20140820 (last accessed July
`7, 2021)
`4
`See Taking Charge, What to Do If Your Identity is Stolen, FTC, 3 (Apr. 2013),
`https://dss.mo.gov/cd/older-youth-program/files/taking-charge-what-to-do-if-identity-is-
`stolen.pdf (last visited July 7, 2021).
`5
`Id. The FTC defines identity theft as “a fraud committed or attempted using the identifying
`information of another person without authority.” 16 CFR § 603.2. The FTC describes “identifying
`information” as “any name or number that may be used, alone or in conjunction with any other
`information, to identify a specific person,” including, among other things, “[n]ame, social security
`number, date of birth, official State or government issued driver's license or identification number,
`
`- 5 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 6 of 30
`
`28.
`
`Hackers targeted and stole the PII/PHI of Plaintiff and Class members to engage in
`
`identity theft and or to sell it to other criminals who will purchase the PII/PHI for that purpose.
`
`The fraudulent activity resulting from the Data Breach may not come to light for years.
`
`29.
`
`Plaintiff and members of the Class now face years of constant surveillance of their
`
`financial and personal records, monitoring, and loss of rights. They are incurring and will continue
`
`to incur such damages in addition to any fraudulent use of their PII.
`
`D.
`
`Defendants Fail to Comply with HIPAA and Industry Standard Practices
`
`30.
`
`Title II of HIPAA authorizes the Department of Health and Human Services
`
`(“HHS”) to create rules to standardize the handling of PHI. 42 U.S.C. §§ 1301, et seq. The Data
`
`Breach resulted from a combination of insufficiencies that indicate that the Defendants failed to
`
`comply with the standards created by the HHS.
`
`31.
`
`The failures to comply with these standards include:
`
`a. Failing to ensure the confidentiality and integrity of electronic protected
`health information Defendants create, receive, maintain, and transmit in
`violation of 45 CFR 164.306(a)(1);
`
`b. Failing to implement technical policies and procedures for electronic
`systems that maintain electronic protected health information to allow
`access only to those persons or software programs that have been granted
`access rights in violation of 45 CFR 164.312(a)(1);
`
`c. Failing to implement policies and procedure to prevent, detect, contain, and
`correct security violations in violation of 45 CFR 164.308(a)(1);
`
`d. Failing to identify and respond to suspected or known security incidents;
`mitigate, to the extent practicable, harmful effects of security incidents that
`are known to the covered entity in violation of 45 CFR 164.308(a)(6)(ii);
`
`e. Failing to protect against any reasonably-anticipated threats or hazards to
`the security or integrity of electronic protected health information in
`violation of 45 CFR 164.306(a)(2);
`
`f. Failing to protect against any reasonably-anticipated uses or disclosures of
`electronic protected health information that are not permitted under the
`
`
`alien registration number, government passport number, employer or taxpayer identification
`number.” Id.
`
`- 6 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 7 of 30
`
`privacy rules regarding individually identifiable health information in
`violation of 45 CFR 164.306(a)(3);
`
`g. Failing to ensure compliance with HIPAA security standard rules in their
`workforce in violation of 45 CFR 164.306(a)(94);
`
`h. Impermissibly and improperly using and disclosing protected health
`information that is and remains accessible to unauthorized persons in
`violation of 45 CFR 164.502, et seq.;
`
`i. Failing to effectively train all members of their workforce (including
`independent contractors) on the policies and procedures with respect to
`protected health information as necessary and appropriate for the members
`of their workforce to carry out their functions and to maintain security of
`protected health information in violation of 45 CFR 164.530(b) and 45 CFR
`164.308(a)(5); and
`
`j. Failing to design, implement, and enforce policies and procedures
`establishing physical and administrative safeguards to reasonably safeguard
`protected health information, in compliance with 45 CFR 164.530(c).
`
`32.
`
`Defendants were at all times fully aware of their obligation to protect the PII/PHI
`
`of customers/patients and prospective customers/patients. Defendants were also aware of the
`
`significant repercussions that would result from their failure to do so.
`
`E.
`
`The Value of PII to Cyber Criminals
`
`33.
`
`Businesses that store personal information are likely to be targeted by cyber
`
`criminals. Credit card and bank account numbers are tempting targets for hackers. Information
`
`such as dates of birth and Social Security numbers, however, are even more attractive to hackers;
`
`they are not easily destroyed and can be easily used to perpetrate identity theft and other types of
`
`fraud.
`
`34.
`
`The PII of individuals remains of high value to criminals, as evidenced by the prices
`
`they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity
`
`credentials. For example, personal information can be sold at a price ranging from $40 to $200,
`
`and bank details have a price range of $50 to $200.6
`
`6
`Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends,
`(Oct. 16, 2019), https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-
`how-much-it-costs (last visited July 7, 2021).
`
`- 7 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 8 of 30
`
`35.
`
`Social Security numbers, for example, are among the worst kind of personal
`
`information to have stolen because they may be put to a variety of fraudulent uses and are difficult
`
`for an individual to change. The Social Security Administration (“SSA”) stresses that the loss of
`
`an individual’s Social Security number, as is the case here, can lead to identity theft and extensive
`
`financial fraud:
`
` A
`
` dishonest person who has your Social Security number can use it to get other
`personal information about you. Identity thieves can use your number and your
`good credit to apply for more credit in your name. Then, they use the credit cards
`and don’t pay the bills, it damages your credit. You may not find out that someone
`is using your number until you’re turned down for credit, or you begin to get calls
`from unknown creditors demanding payment for items you never bought. Someone
`illegally using your Social Security number and assuming your identity can cause
`a lot of problems.7
`
`36. What is more, it is no easy task to change or cancel a stolen Social Security number.
`
`An individual cannot obtain a new Social Security number without significant paperwork and
`
`evidence of actual misuse. In other words, preventive action to defend against the possibility of
`
`misuse of a Social Security number is not permitted; an individual must show evidence of actual,
`
`ongoing fraud activity to obtain a new number.
`
`37.
`
`Even then, a new Social Security number may not be effective. According to Julie
`
`Ferguson of the Identity Theft Resource Center, “The credit bureaus and banks are able to link the
`
`new number very quickly to the old number, so all of that old bad information is quickly inherited
`
`into the new Social Security number.”8
`
`38.
`
`Furthermore, as the SSA warns:
`
`Keep in mind that a new number probably will not solve all your problems. This is
`because other governmental agencies (such as the IRS and state motor vehicle
`agencies) and private businesses (such as banks and credit reporting companies)
`likely will have records under your old number. Along with other personal
`information, credit reporting companies use the number to identify your credit
`
`7
`SSA, Identity Theft and Your Social Security Number, https://www.ssa.gov/pubs/EN-05-
`10064.pdf (last visited July 7, 2021).
`8
`Bryan Naylor, Victims of Social Security Number Theft Find It’s Hard to Bounce Back,
`NPR
`(Feb. 9, 2015), http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-
`hackers-has-millionsworrying-about-identity-theft (last visited July 7, 2021).
`
`- 8 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 9 of 30
`
`record. So using a new number will not guarantee you a fresh start. This is
`especially true if your other personal information, such as your name and address,
`remains the same.
`
`If you receive a new Social Security Number, you should not be able to use the old
`number anymore.
`
`For some victims of identity theft, a new number actually creates new problems. If
`the old credit information is not associated with your new number, the absence of
`any credit history under the new number may make more difficult for you to get
`credit.9
`
`39.
`
`Here, the unauthorized access left the cyber criminals with the tools to perform the
`
`most thorough identity theft—they have obtained all essential PII and PHI to mimic the identity
`
`of the user. The personal data of Plaintiff and members of the Class stolen in the Data Breach
`
`constitutes a dream for hackers and a nightmare for Plaintiff and the Class. Stolen personal data
`
`of Plaintiff and members of the Class represents essentially one-stop shopping for identity thieves.
`
`40.
`
`The FTC has released its updated publication on protecting PII for businesses,
`
`which includes instructions on protecting PII, properly disposing of PII, understanding network
`
`vulnerabilities, implementing policies to correct security problems, using intrusion detection
`
`programs, monitoring data traffic, and having in place a response plan.
`
`41.
`
`General policy reasons support such an approach. A person whose personal
`
`information was compromised may not see any signs of identity theft for years. According to the
`
`United States Government Accountability Office (“GAO”) Report to Congressional Requesters:
`
`[L]aw enforcement officials told us that in some cases, stolen data may be held for
`up to a year or more before being used to commit identity theft. Further, once stolen
`data have been sold or posted on the Web, fraudulent use of that information may
`continue for years. As a result, studies that attempt to measure the harm resulting
`from data breaches cannot necessarily rule out all future harm.10
`
`42.
`
`PII is a valuable commodity. A “cyber black-market” exists in which criminals
`
`openly post stolen Social Security numbers and other PII or PHI on a number of Internet websites.
`
`
`9
`SSA, Identity Theft and Your Social Security Number, SSA Publication No. 05-10064 (Jun.
`2018), http://www.ssa.gov/pubs/EN-05-10064.pdf (last visited July 7, 2021).
`10
`See https://www.gao.gov/assets/gao-07-737.pdf (June 2007) at 29 (last visited July 7,
`2021).
`
`- 9 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 10 of 30
`
`The stolen personal data of Plaintiff and members of the Class has a high value on both legitimate
`
`and black markets.
`
`43.
`
`Identity thieves may commit various types of crimes such as immigration fraud,
`
`obtaining a driver’s license or identification card in the victim’s name but with another’s picture,
`
`and/or using the victim’s information to obtain a fraudulent tax refund or fraudulent unemployment
`
`benefits. The United States government and privacy experts acknowledge that it may take years
`
`for identity theft to come to light and be detected.
`
`44.
`
`As noted above, the disclosure of Social Security numbers in particular poses a
`
`significant risk. For example, criminals can use Social Security numbers to create false bank
`
`accounts or file fraudulent tax returns. Defendants’ former and current patients whose Social
`
`Security numbers have been compromised now face a real and imminent substantial risk of identity
`
`theft and other problems associated with the disclosure of their Social Security number and will
`
`need to monitor their credit and tax filings for an indefinite duration.
`
`45.
`
`Based on the foregoing, the information compromised in the Data Breach is
`
`significantly more valuable than the loss of, for example, credit card information in a retailer data
`
`breach, because, there, victims can cancel or close credit and debit card accounts. The information
`
`compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to change
`
`— Social Security number, driver’s license number or government-issued identification number,
`
`name, and date of birth.
`
`46.
`
`This data demands a much higher price on the black market. Martin Walter, senior
`
`director at cybersecurity firm RedSeal, explained, “Compared to credit card information,
`
`personally identifiable information and Social Security numbers are worth more than 10x on the
`
`black market.”11
`
`47.
`
`Among other forms of fraud, identity thieves may obtain driver’s licenses,
`
`
`11
`Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card
`Numbers, IT World, (Feb. 6, 2015), https://www.networkworld.com/article/2880366/anthem-
`hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html
`(last visited
`July 7, 2021).
`
`- 10 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 11 of 30
`
`government benefits, medical services, and housing or even give false information to police.
`
`48.
`
`According to a recent article in the New York Times, cyber thieves are using
`
`driver’s licenses obtained via insurance company application prefill processes to submit and
`
`fraudulently obtain unemployment benefits.12 An individual may not know that his or her driver’s
`
`license was used to file for unemployment benefits until law enforcement notifies the individual’s
`
`employer of the suspected fraud, or until the individual attempts to lawfully apply for
`
`unemployment and is denied benefits (due to the prior, fraudulent application and award of
`
`benefits).
`
`F.
`
`Plaintiff Kristi Hoffman-Mock’s Experience
`
`49.
`
`Plaintiff Hoffman-Mock received the Defendants’ May 28, 2021 Notice of Data
`
`Breach on or about that date. The Notice informed her that Defendants lost a file containing at
`
`least her full name, Social Security number, date of birth, member identification number, and
`
`health insurance information.
`
`50.
`
`Shortly after the Data Breach, on or about January 30 and 31, 2021, unknown
`
`third parties used Ms. Hoffman-Mock’s credit card to make unauthorized purchases via the
`
`internet. Then again, on or about April 4 and 13, 2021, unknown third parties used Ms. Hoffman-
`
`Mock’s credit card to make additional unauthorized purchases via the internet. As of this filing,
`
`none of those fraudulent charges have been reimbursed.
`
`51. Moreover, subsequent to the Data Breach, Ms. Hoffman-Mock experienced a
`
`significant increase in the amount of suspicious phishing telephone calls she receives. Each day,
`
`Plaintiff Hoffman-Mock receives at least two scam phone calls, each of which appear to be placed
`
`with the intent to obtain personal information to commit identity theft by way of a social
`
`engineering attack.
`
`52.
`
`Additionally, beginning in or about March 2021, an unknown third party arranged
`
`
`12
`How Identity Thieves Took My Wife for a Ride, New York Times, (April 27, 2021)
`https://www.nytimes.com/2021/04/27/your-money/identity-theft-auto-insurance.html (last visited
`July 7, 2021)
`
`- 11 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 12 of 30
`
`to have Ms. Hoffman-Mock’s U.S. mail diverted from her home address.
`
`53.
`
`In response to the Data Breach and the subsequent credit card fraud, Plaintiff
`
`Hoffman-Mock made reasonable efforts to mitigate the impact of the Data Breach, including but
`
`not limited to: researching the Data Breach; reviewing credit reports and financial account
`
`statements for any indications of actual or attempted identity theft or fraud; contacting her credit
`
`card companies regarding the fraudulent charges; contacting the U.S. Postal Service regarding her
`
`diverted mail service; dealing with the uptick in unwanted phishing telephone calls; and
`
`researching credit monitoring and identity theft protection services.
`
`54.
`
`Since signing up for Defendants’ free credit monitoring, Ms. Hoffman-Mock
`
`reviews her credit monitoring reports and/or checking account statements for irregularities two or
`
`three times per week, each time for approximately five minutes. This is valuable time Plaintiff
`
`Hoffman-Mock otherwise would have spent on other activities, including but not limited to work
`
`and/or recreation.
`
`55.
`
`Plaintiff Hoffman-Mock is deeply concerned about identity theft and fraud, as well
`
`as the consequences of such identity theft and fraud resulting from the Data Breach.
`
`56.
`
`Plaintiff Hoffman-Mock suffered actual injury from having her PII/PHI
`
`compromised as a result of the Data Breach including, but not limited to (a) damage to and
`
`diminution in the value of her Private Information, a form of property that Defendants obtained
`
`from Plaintiff Hoffman-Mock; (b) violation of her privacy rights; (c) imminent and impending
`
`injury arising from the increased risk of identity theft and fraud; and (d) actual fraudulent charges
`
`on credit cards in her name.
`
`57.
`
`As a result of the Data Breach, Plaintiff Hoffman-Mock anticipates spending
`
`considerable time and money on an ongoing basis to try to mitigate and address harms caused by
`
`the Data Breach. As a result of the Data Breach, Plaintiff Hoffman-Mock will continue to be at
`
`increased risk of identity theft and fraud for years to come.
`
`V.
`
`CLASS ALLEGATIONS
`
`58.
`
`Plaintiff brings this nationwide class action pursuant to rules 23(b)(2), 23(b)(3), and
`
`- 12 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 13 of 30
`
`23(c)(4) of the Federal Rules of Civil Procedure, individually and on behalf of all members of the
`
`following class:
`All natural persons residing in the United States whose PII/PHI was
`compromised in the Data Breach first announced on or about May 28,
`2021 (the “Nationwide Class”).
`
`59.
`
`Plaintiff also seeks certification of a Florida sub-class defined as follows:
`All natural persons residing in the State of Florida whose PII/PHI was
`compromised in the Data Breach first announced on or about May 28, 2021
`(the “Florida Class”).
`
`60.
`
`Excluded from the Classes are all individuals who make a timely election to be
`
`excluded from this proceeding using the correct protocol for opting out, and all judges assigned to
`
`hear any aspect of this litigation and their immediate family members.
`
`61.
`
`Plaintiff reserves the right to modify or amend the definitions of the proposed
`
`Classes before the Court determines whether certification is appropriate.
`
`62.
`
`Numerosity: The Classes are so numerous that joinder of all members is
`
`impracticable. Defendants have identified thousands of customers/patients whose PII may have
`
`been improperly accessed in the Data Breach, and the Classes are apparently identifiable within
`
`Defendants’ records.
`
`63.
`
`Commonality: Questions of law and fact common to the Classes exist and
`
`predominate over any questions affecting only individual members of the Classes. These include:
`
`a. When Defendants actually learned of the Data Breach and whether their
`response was adequate;
`
`b. Whether Defendants owed a duty to the Classes to exercise due care in
`collecting, storing, safeguarding and/or obtaining their PII;
`
`c. Whether Defendants breached that duty;
`
`d. Whether Defendants implemented and maintained reasonable security
`procedures and practices appropriate to the nature of storing the PII of
`Plaintiff and members of the Classes;
`
`e. Whether Defendants acted negligently in connection with the monitoring
`and/or protection of PII belonging to Plaintiff and members of the Classes;
`
`- 13 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`

`

`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 14 of 30
`
`f. Whether Defendants knew or should have known that they did not employ
`reasonable measures to keep the PII of Plaintiff and members of the Class
`secure and to prevent loss or misuse of that PII;
`
`g. Whether Defendants have adequately addressed and fixed the vulnerabilities
`which permitted the Data Breach to occur;
`
`h. Whether Defendants caused Plaintiffs’ and members of the Classes damage;
`
`i. Whether Defendants violated the law by failing to promptly notify Plaintiff
`and members of the Classes that their PII had been compromised;
`
`j. Whether Defendants violated the consumer protection statutes invoked
`below; and
`
`k. Whether Plaintiff and the other members of the Classes are entitled to credit
`monitoring and other monetary relief.
`
`64.
`
`Typicality: Plaintiff’s claims are typical of those of the other members of the
`
`Classes because all had their PII compromised as a result of the Data Breach due to Defendants’
`
`misfeasance.
`
`65.
`
`Adequacy: Plaintiff will fairly and adequately represent and protect

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket