`
`UNITED STATES DISTRICT COURT
`SOUTHERN DISTRICT OF FLORIDA
`FORT LAUDERDALE DIVISION
`
`
`
`Plaintiff,
`
`
`Kristi Hoffman-Mock, individually and on
`behalf of all others similarly situated,
`
`
`
`v.
`
`20/20 EYE CARE NETWORK, INC., and
`ICARE HEALTH SOLUTIONS, LLC,
`
`
`
`
`Defendants.
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`Case No.:
`
`
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`
`Plaintiff Kristi Hoffman-Mock (“Plaintiff”) brings this Class Action Complaint against
`
`Defendants 20/20 Eye Care Network, Inc. (“20/20”) and iCare Health Solutions, Inc. (“iCare”
`
`and collectively, “Defendants”) as an individual and on behalf of all others similarly situated, and
`
`alleges, upon personal knowledge as to her own actions and her counsels’ investigations, and
`
`upon information and belief as to all other matters, as follows:
`
`I.
`
`NATURE OF THE ACTION
`
`1.
`
`Plaintiff brings this class action to provide relief to 3.2 million similarly situated
`
`people harmed by Defendants failure to secure personally identifiable information (“PII”) and
`
`private health information (“PHI”).
`
`2.
`
`Defendant 20/20 is an entity that provides eye and hearing care services and
`
`administration.
`
`3.
`
`Upon information and belief, Defendant iCare partially owns and is a partner with
`
`20/20 to provide integrated eye health, hearing health, and administrative services in Florida.
`
`4.
`
`In May 2021, Plaintiff received a letter dated May 28, 2021 that stated in January
`
`2021, PII/PHI that was on 20/20’s systems had been viewed, seen, or accessed by unauthorized
`
`- 1 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 2 of 30
`
`third parties (the “Data Breach”). The notifications revealed that hackers gained unauthorized
`
`access to 20/20’s system and deleted files.
`
`5.
`
`This Data Breach occurred because Defendants failed to implement reasonably
`
`adequate cyber-security measures to protect Plaintiff’s PII/PHI. The deficiencies in Defendants
`
`cyber-security measures allowed the hackers to access patient data, which included the ability to
`
`view and edit the data.
`
`6.
`
`Defendants disregarded the rights of Plaintiff and putative Class Members by:
`
`a. Intentionally, willfully, recklessly, or negligently failing to take adequate
`and reasonable measures to ensure its data systems were protected;
`
`b. Failing to disclose to their patients the material fact that they did not have
`adequate computer systems and security practices to safeguard their
`PII/PHI;
`
`c. Failing to take available steps to prevent the Data Breach; and
`
`d. Failing to provide Plaintiff and Class Members prompt and accurate notice
`of the Data Breach.
`
`7.
`
`Because of Defendants’ failure to secure Plaintiff’s and Class Members’ PII/PHI,
`
`hackers have stolen their PII/PHI. As such, Plaintiff and Class Members, which includes minors,
`
`face a substantial increased risk of identity theft. Further, Plaintiff and Class Members have paid,
`
`or will have to pay, private monitoring companies to protect themselves. On top of paying for
`
`monitoring, Plaintiff had fraudulent charges on her credit card (discussed below). This makes clear
`
`that the Data Breach will put Plaintiff and Class Members at a heightened risk for theft and fraud
`
`for the rest of their lives.
`
`8.
`
`Plaintiff seeks, among other things, that the Defendants be required to disclose the
`
`nature of the information taken by hackers. Further, Defendants must adopt sufficient cyber-
`
`security measures to prevent incidents like this Data Breach from happening in the future.
`
`9.
`
`On behalf of all others similarly situated, Plaintiff alleges claims for negligence,
`
`invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach
`
`- 2 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 3 of 30
`
`of confidence and violation of Florida’s Deceptive and Unfair Trade Practices Act.
`
`II.
`
`PARTIES
`
`10.
`
`Plaintiff Kristi Hoffman-Mock is a citizen of Florida residing in Summerfield,
`
`Florida.
`
`11.
`
`Defendant 20/20 Eye Care Network, Inc. is a vision care company that offers third
`
`party administrative services. 20/20 contracts with optometrists, ophthalmologists, ambulatory
`
`surgical centers, and retail vision centers to provide a full spectrum of eye care needs. Its
`
`management services include claims processing, credentialing, management utilization, and
`
`network leasing.
`
`12.
`
`Defendant 20/20 owns 20/20 Hearing Care Network, Inc., which is a health care
`
`provider for audiology and related administrative work.
`
`13.
`
`Defendant iCare Health Solutions, LLC is an integrated specialty network and
`
`administrator of comprehensive ocular care services. It contracts with health plans and
`
`multispecialty clinics to deliver comprehensive ocular health solutions through a network of
`
`optometrists and ophthalmologists.
`
`14.
`
`In September of 2020, Defendant iCare, backed by private equity firm Pine Tree
`
`Equity IV, LP, invested in Defendant 20/20. iCare now controls 20/20 in whole or in part, which
`
`makes it the largest ophthalmology and optometry provider with over 55 locations and the largest
`
`managed service provider.
`
`III.
`
`JURISDICTION AND VENUE
`
`15.
`
`This Court has subject matter jurisdiction over this action under the Class Action
`
`Fairness Act. (28 U.S.C. § 1332(d)(2)) The amount in controversy exceeds $5 million, exclusive
`
`of costs and interest. There are in excess of 100 putative class members, at least some of whom
`
`have a different citizenship from Defendants.
`
`16.
`
`This Court has personal jurisdiction over Defendant because Defendant iCare
`
`Health Solutions, LLC has its principal place of business within this District at 7352 NW 34 Street
`
`Miami, Florida 33122.
`
`- 3 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 4 of 30
`
`17.
`
`Venue is proper in this Court pursuant to 28 U.S.C. § 1391 because a substantial
`
`part of the events or omissions giving rise to these claims occurred in, were directed to, and/or
`
`emanated from this District. The compromised 20/20 network that hackers stole Plaintiffs’ PII/PHI
`
`is within the district. Further, 20/20 is based in the District and likely stores more PII/PHI in the
`
`district.
`
`IV.
`
`FACTUAL ALLEGATIONS
`
`A.
`
`Background of the Data Breach
`
`18.
`
`Plaintiff received medical services from 20/20 Eye Care Network, Inc. and 20/20
`
`Hearing Care Network, Inc.
`
`19.
`
`Defendants reported to the Maine Attorney General that the Data Breach affected
`
`nearly 3.3 million individuals.1 The Defendants reported the breach as “insider wrongdoing”
`
`according to the Maine Attorney General’s data breach notification. Further, Defendants
`
`discovered the breach on February 18, 2021 and the breach occurred on January 11, 2021.
`
`20.
`
`However, it was not until May 28, 2021 that Plaintiff received a letter informing
`
`her of the breach. The letter explained that the 20/20 Hearing Care Network helps manage her
`
`benefits and that Plaintiff’s PII/PHI was exposed.
`
`21.
`
`Defendants’ letters stated that the information that was exposed in the data breach
`
`may have included:
`
`•
`
`•
`
`•
`
`•
`
`•
`
`Name
`
`Date of birth
`
`Social Security Number
`
`Member identification number
`
`Health insurance information
`
`22.
`
`Defendants acquire a large number of patients’ PHI and PII on a regular basis and
`
`maintain this data. Defendants require customers/patients to provide this information through the
`
`
`1 https://apps.web.maine.gov/online/aeviewer/ME/40/946029d6-7945-4a23-89c1-
`0ea29e9c18a2.shtml (last visited Jul. 7, 2021).
`
`- 4 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 5 of 30
`
`ordinary course of business so that they can process claims submitted by patient providers.
`
`23.
`
`According to the Notice of Data Breach letters and letters sent to state Attorneys
`
`General, the PHI and PII that Defendants collect “was accessed or downloaded prior to deletion.”2
`
`B.
`
`Defendants Were Aware of the Risks of a Data Breach
`
`24.
`
`25.
`
`Defendants knew that there was a risk of data breaches in the healthcare industry.
`
`Data breaches have become widespread. For example, The American Medical
`
`Association (“AMA”) has warned that 83% of physicians have experienced some form of
`
`cyberattack and 1-in-2 physicians are “very” or “extremely” concerned about future cyberattacks.
`
`26.
`
`Indeed, data breaches, such as the one experienced by Defendants, have become so
`
`notorious that the Federal Bureau of Investigation (“FBI”) has issued a warning to potential targets,
`
`so they are aware of, and prepared for, potential attacks. The FBI says, “malicious actors target
`
`healthcare related systems, perhaps for the purpose of obtaining [PHI and PII]”.3 Therefore, the
`
`increase in such attacks, and attendant risk of future attacks, was widely known and foreseeable to
`
`the public and to anyone in Defendants’ industry, including Defendants.
`
`C.
`
`Personally Identifiable Information
`
`27.
`
`According to the Federal Trade Commission (“FTC”), identity theft wreaks havoc
`
`on consumers’ finances, credit history, and reputation and can take time, money, and patience to
`
`resolve.4 Identity thieves use stolen personal information for a variety of crimes, including credit
`
`card fraud, phone or utilities fraud, and bank and finance fraud.5
`
`2
`https://2020incident.com/home.htm (last visited July 7, 2021).
`3
`Jim Finkle, FBI Warns Healthcare Firms that they are Targeted by Hackers, Reuters
`(Aug. 2014) https://www.reuters.com/article/us-cybersecurity-healthcare-fbi/fbi-warns-
`healthcare-firms-they-are-targeted-by-hackers-idUSKBN0GK24U20140820 (last accessed July
`7, 2021)
`4
`See Taking Charge, What to Do If Your Identity is Stolen, FTC, 3 (Apr. 2013),
`https://dss.mo.gov/cd/older-youth-program/files/taking-charge-what-to-do-if-identity-is-
`stolen.pdf (last visited July 7, 2021).
`5
`Id. The FTC defines identity theft as “a fraud committed or attempted using the identifying
`information of another person without authority.” 16 CFR § 603.2. The FTC describes “identifying
`information” as “any name or number that may be used, alone or in conjunction with any other
`information, to identify a specific person,” including, among other things, “[n]ame, social security
`number, date of birth, official State or government issued driver's license or identification number,
`
`- 5 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 6 of 30
`
`28.
`
`Hackers targeted and stole the PII/PHI of Plaintiff and Class members to engage in
`
`identity theft and or to sell it to other criminals who will purchase the PII/PHI for that purpose.
`
`The fraudulent activity resulting from the Data Breach may not come to light for years.
`
`29.
`
`Plaintiff and members of the Class now face years of constant surveillance of their
`
`financial and personal records, monitoring, and loss of rights. They are incurring and will continue
`
`to incur such damages in addition to any fraudulent use of their PII.
`
`D.
`
`Defendants Fail to Comply with HIPAA and Industry Standard Practices
`
`30.
`
`Title II of HIPAA authorizes the Department of Health and Human Services
`
`(“HHS”) to create rules to standardize the handling of PHI. 42 U.S.C. §§ 1301, et seq. The Data
`
`Breach resulted from a combination of insufficiencies that indicate that the Defendants failed to
`
`comply with the standards created by the HHS.
`
`31.
`
`The failures to comply with these standards include:
`
`a. Failing to ensure the confidentiality and integrity of electronic protected
`health information Defendants create, receive, maintain, and transmit in
`violation of 45 CFR 164.306(a)(1);
`
`b. Failing to implement technical policies and procedures for electronic
`systems that maintain electronic protected health information to allow
`access only to those persons or software programs that have been granted
`access rights in violation of 45 CFR 164.312(a)(1);
`
`c. Failing to implement policies and procedure to prevent, detect, contain, and
`correct security violations in violation of 45 CFR 164.308(a)(1);
`
`d. Failing to identify and respond to suspected or known security incidents;
`mitigate, to the extent practicable, harmful effects of security incidents that
`are known to the covered entity in violation of 45 CFR 164.308(a)(6)(ii);
`
`e. Failing to protect against any reasonably-anticipated threats or hazards to
`the security or integrity of electronic protected health information in
`violation of 45 CFR 164.306(a)(2);
`
`f. Failing to protect against any reasonably-anticipated uses or disclosures of
`electronic protected health information that are not permitted under the
`
`
`alien registration number, government passport number, employer or taxpayer identification
`number.” Id.
`
`- 6 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 7 of 30
`
`privacy rules regarding individually identifiable health information in
`violation of 45 CFR 164.306(a)(3);
`
`g. Failing to ensure compliance with HIPAA security standard rules in their
`workforce in violation of 45 CFR 164.306(a)(94);
`
`h. Impermissibly and improperly using and disclosing protected health
`information that is and remains accessible to unauthorized persons in
`violation of 45 CFR 164.502, et seq.;
`
`i. Failing to effectively train all members of their workforce (including
`independent contractors) on the policies and procedures with respect to
`protected health information as necessary and appropriate for the members
`of their workforce to carry out their functions and to maintain security of
`protected health information in violation of 45 CFR 164.530(b) and 45 CFR
`164.308(a)(5); and
`
`j. Failing to design, implement, and enforce policies and procedures
`establishing physical and administrative safeguards to reasonably safeguard
`protected health information, in compliance with 45 CFR 164.530(c).
`
`32.
`
`Defendants were at all times fully aware of their obligation to protect the PII/PHI
`
`of customers/patients and prospective customers/patients. Defendants were also aware of the
`
`significant repercussions that would result from their failure to do so.
`
`E.
`
`The Value of PII to Cyber Criminals
`
`33.
`
`Businesses that store personal information are likely to be targeted by cyber
`
`criminals. Credit card and bank account numbers are tempting targets for hackers. Information
`
`such as dates of birth and Social Security numbers, however, are even more attractive to hackers;
`
`they are not easily destroyed and can be easily used to perpetrate identity theft and other types of
`
`fraud.
`
`34.
`
`The PII of individuals remains of high value to criminals, as evidenced by the prices
`
`they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity
`
`credentials. For example, personal information can be sold at a price ranging from $40 to $200,
`
`and bank details have a price range of $50 to $200.6
`
`6
`Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends,
`(Oct. 16, 2019), https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-
`how-much-it-costs (last visited July 7, 2021).
`
`- 7 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 8 of 30
`
`35.
`
`Social Security numbers, for example, are among the worst kind of personal
`
`information to have stolen because they may be put to a variety of fraudulent uses and are difficult
`
`for an individual to change. The Social Security Administration (“SSA”) stresses that the loss of
`
`an individual’s Social Security number, as is the case here, can lead to identity theft and extensive
`
`financial fraud:
`
` A
`
` dishonest person who has your Social Security number can use it to get other
`personal information about you. Identity thieves can use your number and your
`good credit to apply for more credit in your name. Then, they use the credit cards
`and don’t pay the bills, it damages your credit. You may not find out that someone
`is using your number until you’re turned down for credit, or you begin to get calls
`from unknown creditors demanding payment for items you never bought. Someone
`illegally using your Social Security number and assuming your identity can cause
`a lot of problems.7
`
`36. What is more, it is no easy task to change or cancel a stolen Social Security number.
`
`An individual cannot obtain a new Social Security number without significant paperwork and
`
`evidence of actual misuse. In other words, preventive action to defend against the possibility of
`
`misuse of a Social Security number is not permitted; an individual must show evidence of actual,
`
`ongoing fraud activity to obtain a new number.
`
`37.
`
`Even then, a new Social Security number may not be effective. According to Julie
`
`Ferguson of the Identity Theft Resource Center, “The credit bureaus and banks are able to link the
`
`new number very quickly to the old number, so all of that old bad information is quickly inherited
`
`into the new Social Security number.”8
`
`38.
`
`Furthermore, as the SSA warns:
`
`Keep in mind that a new number probably will not solve all your problems. This is
`because other governmental agencies (such as the IRS and state motor vehicle
`agencies) and private businesses (such as banks and credit reporting companies)
`likely will have records under your old number. Along with other personal
`information, credit reporting companies use the number to identify your credit
`
`7
`SSA, Identity Theft and Your Social Security Number, https://www.ssa.gov/pubs/EN-05-
`10064.pdf (last visited July 7, 2021).
`8
`Bryan Naylor, Victims of Social Security Number Theft Find It’s Hard to Bounce Back,
`NPR
`(Feb. 9, 2015), http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-
`hackers-has-millionsworrying-about-identity-theft (last visited July 7, 2021).
`
`- 8 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 9 of 30
`
`record. So using a new number will not guarantee you a fresh start. This is
`especially true if your other personal information, such as your name and address,
`remains the same.
`
`If you receive a new Social Security Number, you should not be able to use the old
`number anymore.
`
`For some victims of identity theft, a new number actually creates new problems. If
`the old credit information is not associated with your new number, the absence of
`any credit history under the new number may make more difficult for you to get
`credit.9
`
`39.
`
`Here, the unauthorized access left the cyber criminals with the tools to perform the
`
`most thorough identity theft—they have obtained all essential PII and PHI to mimic the identity
`
`of the user. The personal data of Plaintiff and members of the Class stolen in the Data Breach
`
`constitutes a dream for hackers and a nightmare for Plaintiff and the Class. Stolen personal data
`
`of Plaintiff and members of the Class represents essentially one-stop shopping for identity thieves.
`
`40.
`
`The FTC has released its updated publication on protecting PII for businesses,
`
`which includes instructions on protecting PII, properly disposing of PII, understanding network
`
`vulnerabilities, implementing policies to correct security problems, using intrusion detection
`
`programs, monitoring data traffic, and having in place a response plan.
`
`41.
`
`General policy reasons support such an approach. A person whose personal
`
`information was compromised may not see any signs of identity theft for years. According to the
`
`United States Government Accountability Office (“GAO”) Report to Congressional Requesters:
`
`[L]aw enforcement officials told us that in some cases, stolen data may be held for
`up to a year or more before being used to commit identity theft. Further, once stolen
`data have been sold or posted on the Web, fraudulent use of that information may
`continue for years. As a result, studies that attempt to measure the harm resulting
`from data breaches cannot necessarily rule out all future harm.10
`
`42.
`
`PII is a valuable commodity. A “cyber black-market” exists in which criminals
`
`openly post stolen Social Security numbers and other PII or PHI on a number of Internet websites.
`
`
`9
`SSA, Identity Theft and Your Social Security Number, SSA Publication No. 05-10064 (Jun.
`2018), http://www.ssa.gov/pubs/EN-05-10064.pdf (last visited July 7, 2021).
`10
`See https://www.gao.gov/assets/gao-07-737.pdf (June 2007) at 29 (last visited July 7,
`2021).
`
`- 9 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 10 of 30
`
`The stolen personal data of Plaintiff and members of the Class has a high value on both legitimate
`
`and black markets.
`
`43.
`
`Identity thieves may commit various types of crimes such as immigration fraud,
`
`obtaining a driver’s license or identification card in the victim’s name but with another’s picture,
`
`and/or using the victim’s information to obtain a fraudulent tax refund or fraudulent unemployment
`
`benefits. The United States government and privacy experts acknowledge that it may take years
`
`for identity theft to come to light and be detected.
`
`44.
`
`As noted above, the disclosure of Social Security numbers in particular poses a
`
`significant risk. For example, criminals can use Social Security numbers to create false bank
`
`accounts or file fraudulent tax returns. Defendants’ former and current patients whose Social
`
`Security numbers have been compromised now face a real and imminent substantial risk of identity
`
`theft and other problems associated with the disclosure of their Social Security number and will
`
`need to monitor their credit and tax filings for an indefinite duration.
`
`45.
`
`Based on the foregoing, the information compromised in the Data Breach is
`
`significantly more valuable than the loss of, for example, credit card information in a retailer data
`
`breach, because, there, victims can cancel or close credit and debit card accounts. The information
`
`compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to change
`
`— Social Security number, driver’s license number or government-issued identification number,
`
`name, and date of birth.
`
`46.
`
`This data demands a much higher price on the black market. Martin Walter, senior
`
`director at cybersecurity firm RedSeal, explained, “Compared to credit card information,
`
`personally identifiable information and Social Security numbers are worth more than 10x on the
`
`black market.”11
`
`47.
`
`Among other forms of fraud, identity thieves may obtain driver’s licenses,
`
`
`11
`Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card
`Numbers, IT World, (Feb. 6, 2015), https://www.networkworld.com/article/2880366/anthem-
`hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html
`(last visited
`July 7, 2021).
`
`- 10 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 11 of 30
`
`government benefits, medical services, and housing or even give false information to police.
`
`48.
`
`According to a recent article in the New York Times, cyber thieves are using
`
`driver’s licenses obtained via insurance company application prefill processes to submit and
`
`fraudulently obtain unemployment benefits.12 An individual may not know that his or her driver’s
`
`license was used to file for unemployment benefits until law enforcement notifies the individual’s
`
`employer of the suspected fraud, or until the individual attempts to lawfully apply for
`
`unemployment and is denied benefits (due to the prior, fraudulent application and award of
`
`benefits).
`
`F.
`
`Plaintiff Kristi Hoffman-Mock’s Experience
`
`49.
`
`Plaintiff Hoffman-Mock received the Defendants’ May 28, 2021 Notice of Data
`
`Breach on or about that date. The Notice informed her that Defendants lost a file containing at
`
`least her full name, Social Security number, date of birth, member identification number, and
`
`health insurance information.
`
`50.
`
`Shortly after the Data Breach, on or about January 30 and 31, 2021, unknown
`
`third parties used Ms. Hoffman-Mock’s credit card to make unauthorized purchases via the
`
`internet. Then again, on or about April 4 and 13, 2021, unknown third parties used Ms. Hoffman-
`
`Mock’s credit card to make additional unauthorized purchases via the internet. As of this filing,
`
`none of those fraudulent charges have been reimbursed.
`
`51. Moreover, subsequent to the Data Breach, Ms. Hoffman-Mock experienced a
`
`significant increase in the amount of suspicious phishing telephone calls she receives. Each day,
`
`Plaintiff Hoffman-Mock receives at least two scam phone calls, each of which appear to be placed
`
`with the intent to obtain personal information to commit identity theft by way of a social
`
`engineering attack.
`
`52.
`
`Additionally, beginning in or about March 2021, an unknown third party arranged
`
`
`12
`How Identity Thieves Took My Wife for a Ride, New York Times, (April 27, 2021)
`https://www.nytimes.com/2021/04/27/your-money/identity-theft-auto-insurance.html (last visited
`July 7, 2021)
`
`- 11 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 12 of 30
`
`to have Ms. Hoffman-Mock’s U.S. mail diverted from her home address.
`
`53.
`
`In response to the Data Breach and the subsequent credit card fraud, Plaintiff
`
`Hoffman-Mock made reasonable efforts to mitigate the impact of the Data Breach, including but
`
`not limited to: researching the Data Breach; reviewing credit reports and financial account
`
`statements for any indications of actual or attempted identity theft or fraud; contacting her credit
`
`card companies regarding the fraudulent charges; contacting the U.S. Postal Service regarding her
`
`diverted mail service; dealing with the uptick in unwanted phishing telephone calls; and
`
`researching credit monitoring and identity theft protection services.
`
`54.
`
`Since signing up for Defendants’ free credit monitoring, Ms. Hoffman-Mock
`
`reviews her credit monitoring reports and/or checking account statements for irregularities two or
`
`three times per week, each time for approximately five minutes. This is valuable time Plaintiff
`
`Hoffman-Mock otherwise would have spent on other activities, including but not limited to work
`
`and/or recreation.
`
`55.
`
`Plaintiff Hoffman-Mock is deeply concerned about identity theft and fraud, as well
`
`as the consequences of such identity theft and fraud resulting from the Data Breach.
`
`56.
`
`Plaintiff Hoffman-Mock suffered actual injury from having her PII/PHI
`
`compromised as a result of the Data Breach including, but not limited to (a) damage to and
`
`diminution in the value of her Private Information, a form of property that Defendants obtained
`
`from Plaintiff Hoffman-Mock; (b) violation of her privacy rights; (c) imminent and impending
`
`injury arising from the increased risk of identity theft and fraud; and (d) actual fraudulent charges
`
`on credit cards in her name.
`
`57.
`
`As a result of the Data Breach, Plaintiff Hoffman-Mock anticipates spending
`
`considerable time and money on an ongoing basis to try to mitigate and address harms caused by
`
`the Data Breach. As a result of the Data Breach, Plaintiff Hoffman-Mock will continue to be at
`
`increased risk of identity theft and fraud for years to come.
`
`V.
`
`CLASS ALLEGATIONS
`
`58.
`
`Plaintiff brings this nationwide class action pursuant to rules 23(b)(2), 23(b)(3), and
`
`- 12 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 13 of 30
`
`23(c)(4) of the Federal Rules of Civil Procedure, individually and on behalf of all members of the
`
`following class:
`All natural persons residing in the United States whose PII/PHI was
`compromised in the Data Breach first announced on or about May 28,
`2021 (the “Nationwide Class”).
`
`59.
`
`Plaintiff also seeks certification of a Florida sub-class defined as follows:
`All natural persons residing in the State of Florida whose PII/PHI was
`compromised in the Data Breach first announced on or about May 28, 2021
`(the “Florida Class”).
`
`60.
`
`Excluded from the Classes are all individuals who make a timely election to be
`
`excluded from this proceeding using the correct protocol for opting out, and all judges assigned to
`
`hear any aspect of this litigation and their immediate family members.
`
`61.
`
`Plaintiff reserves the right to modify or amend the definitions of the proposed
`
`Classes before the Court determines whether certification is appropriate.
`
`62.
`
`Numerosity: The Classes are so numerous that joinder of all members is
`
`impracticable. Defendants have identified thousands of customers/patients whose PII may have
`
`been improperly accessed in the Data Breach, and the Classes are apparently identifiable within
`
`Defendants’ records.
`
`63.
`
`Commonality: Questions of law and fact common to the Classes exist and
`
`predominate over any questions affecting only individual members of the Classes. These include:
`
`a. When Defendants actually learned of the Data Breach and whether their
`response was adequate;
`
`b. Whether Defendants owed a duty to the Classes to exercise due care in
`collecting, storing, safeguarding and/or obtaining their PII;
`
`c. Whether Defendants breached that duty;
`
`d. Whether Defendants implemented and maintained reasonable security
`procedures and practices appropriate to the nature of storing the PII of
`Plaintiff and members of the Classes;
`
`e. Whether Defendants acted negligently in connection with the monitoring
`and/or protection of PII belonging to Plaintiff and members of the Classes;
`
`- 13 –
`Devine Goodman & Rasco, LLP 2800 Ponce De Leon Boulevard, Suite 1400, Coral Gables, Florida 33134 P 305.374.8200 F 305.374.8208
`
`
`
`Case 0:21-cv-61406-XXXX Document 1 Entered on FLSD Docket 07/08/2021 Page 14 of 30
`
`f. Whether Defendants knew or should have known that they did not employ
`reasonable measures to keep the PII of Plaintiff and members of the Class
`secure and to prevent loss or misuse of that PII;
`
`g. Whether Defendants have adequately addressed and fixed the vulnerabilities
`which permitted the Data Breach to occur;
`
`h. Whether Defendants caused Plaintiffs’ and members of the Classes damage;
`
`i. Whether Defendants violated the law by failing to promptly notify Plaintiff
`and members of the Classes that their PII had been compromised;
`
`j. Whether Defendants violated the consumer protection statutes invoked
`below; and
`
`k. Whether Plaintiff and the other members of the Classes are entitled to credit
`monitoring and other monetary relief.
`
`64.
`
`Typicality: Plaintiff’s claims are typical of those of the other members of the
`
`Classes because all had their PII compromised as a result of the Data Breach due to Defendants’
`
`misfeasance.
`
`65.
`
`Adequacy: Plaintiff will fairly and adequately represent and protect