Case 1:22-cv-11109-JCB Document 1 Filed 07/08/22 Page 1 of 22
UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS

TENNIE KOMAR, on behalf of herself and all others similarly situated,
Plaintiff,

v.

SHIELDS HEALTH CARE GROUP, INC.,
Defendant.

Case No.:

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiff Tennie Komar (“Plaintiff”) brings this Class Action Complaint on behalf of herself and all others similarly situated, against Defendant, Shields Health Care Group, Inc. (“Shields” or “Defendant”), alleging as follows based upon information and belief and investigation of counsel, except as to the allegations specifically pertaining to them, which are based on personal knowledge:

NATURE OF THE CASE

1. Healthcare providers that handle sensitive, personally identifying information (“PII”) or protected health information (“PHI”) owe a duty to the individuals to whom that data relates. This duty arises because it is foreseeable that the exposure of PII or PHI to unauthorized persons—and especially hackers with nefarious intentions—will result in harm to the affected individuals, including, but not limited to, the invasion of their private health matters.

2. The harm resulting from a data breach manifests in a number of ways, including identity theft and financial fraud, and the exposure of a person’s PII or PHI through a data breach ensures that such person will be at a substantially increased and certainly impending risk of identity theft crimes compared to the rest of the population, potentially for the rest of their lives. Mitigating that risk—to the extent it is even possible to do so—requires individuals to devote significant time and money to closely monitor their credit, financial accounts, health records, and email accounts, and take a number of additional prophylactic measures.
`
3. As a healthcare provider, Shields knowingly obtains patient PII and PHI and has a resulting duty to securely maintain such information in confidence.

4. Shields’s Privacy Practice informs patients “how medical information about [patients] may be used and disclosed how [they] can get access to [that] information.”1 The Privacy Practice acknowledges Shields’s duty to maintain the privacy of patients’ health information.

5. Plaintiff brings this class action on behalf of individual patients who used Shields’s services whose PII and/or PHI were accessed and exposed to unauthorized third parties during a data breach of Shields’s system, which Shields states occurred between March 7, 2022, and March 28, 2022 (the “Data Breach”) and involved the “managing and imaging services” Shields provides for approximately 56 distinct “facility partners.”

6. Despite that Shields became aware of the Data Breach by March 28, 2022,2 it failed to notify Plaintiff and the putative Class members within 60 days as required by law. Notably, Shields failed to notify Plaintiff of the Data Breach for more than two months from its discovery of the same.

7. Plaintiff, on behalf of herself and the Class as defined herein, brings claims for negligence, negligence per se, breach of fiduciary duty, and declaratory judgment, seeking actual and putative damages, with attorneys’ fees, costs, and expenses, and appropriate injunctive and declaratory relief.

1 Shields Health Care Group, Privacy, https://shields.com/privacy/ (last accessed June 27, 2022).
2 Shields Health Care Group, Notice of Data Security Incident, https://shields.com/notice-of-data-security-incident/ (last accessed June 27, 2022).
`
8. Based on the public statements of Shields to date, a wide variety of PII and PHI was implicated in the breach, including full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.3

9. As a direct and proximate result of Shields’s inadequate data security, and its breach of its duty to handle PII and PHI with reasonable care, Plaintiff and Class Members’ PII and PHI has been accessed by hackers and exposed to an untold number of unauthorized individuals.

10. Plaintiff and Class Members are now at a significantly increased risk of fraud, identity theft, misappropriation of health insurance benefits, intrusion of their health privacy, and similar forms of criminal mischief, which risk may last for the rest of their lives. Consequently, Plaintiff and Class Members must devote substantially more time, money, and energy to protect themselves, to the extent possible, from these crimes.

11. To recover from Shields for these harms, Plaintiff and the Class seek damages in an amount to be determined at trial, declaratory judgment, and injunctive relief requiring Shields to: 1) disclose, expeditiously, the full nature of the Data Breach and the types of PII and PHI accessed, obtained, or exposed by the hackers; 2) implement improved data security practices to reasonably guard against future breaches of PII and PHI possessed by Shields; and 3) provide, at its own expense, all impacted victims with lifetime identity theft protection services.
`
`PARTIES
`
`12.
`Plaintiff Tennie Komar is an adult individual who at all relevant times has been a
`citizen and resident of the Commonwealth of Massachusetts and was a patient of Defendant’s,
`receiving services at the following facilities:
`
`3 Id.
`
`
`
`
`a.
`Emerson Hospital located at 133 Old Road to Nine Acre Corner, Concord,
`Massachusetts 01742; and
`b.
`UMass Memorial Hospital HealthAlliance Hospital Leominster located at
`100 Hospital Road, Suite 1A, Leominster, Massachusetts 01453.
13. Defendant Shields is a Massachusetts corporation with its principal place of business in this District, and a substantial part of the events arising out of the claims alleged occurred within this District.
`
`JURISDICTION AND VENUE
`14.
`This Court has jurisdiction over this action pursuant to 28 U.S.C. § 1332(d)(2)(A),
`as modified by the Class Action Fairness Act of 2005, because at least one member of the Class,
`as defined below, is a citizen of a different state than Defendant, there are more than 100 members
`of the Class, and the aggregate amount in controversy exceeds $5,000,000 exclusive of interests
`and costs.
15. This Court has personal jurisdiction over Defendant because Defendant has its principal place of business in Massachusetts.
`16.
`Venue is proper in this District, pursuant to 28 U.S.C. § 1391(b)(1), because a
`substantial part of the acts, omissions, and events giving rise to Plaintiff’s claims occurred in this
`District. Further, Defendant has its principal place of business in this District.
`
`FACTUAL BACKGROUND
`
`A. Shields Health Care Group and the Services Provided
`17.
`Shields is a for-profit company that provides management and imaging services on
`behalf of several dozen partner facilities in the New England region, including Massachusetts,
`Maine, and New Hampshire.4
`
`
`4 Shields Health Care Group, Find a Location, https://shields.com/find-location/ (last accessed
`June 27, 2022).
`
`
`18.
`Shields provides services such as MRI, PET/CT, ASC, Radiation Oncology, and
`Ambulatory Surgical Centers.5
`19.
`The company provides services to many thousands of patients a year.
`20. While administering these services and treatment, Defendant on a daily basis
`receives, creates, and handles PII and PHI, which includes, inter alia, patients’ full name, address,
`date of birth, Social Security number, other contact information, diagnosis, billing information,
`insurance information, medical records, patient ID, and other necessary information for treatment
`at the facilities.
`21.
`Patients must entrust PII and PHI to Defendant to receive care, and in return, they
`reasonably expect that Defendant will safeguard their highly sensitive information and keep their
`PHI confidential.
`22.
`Defendant refers to patients’ information as “protected health information” and
`promises disclosure of highly sensitive personal information will only occur for the “purpose of
`treatment, payment or health care operations.” 6
`
`B. Shields Knew the Risks of Storing Valuable PII and PHI and the Foreseeable Harm
`to Victims
23. At all relevant times, Shields knew it was storing sensitive PII and PHI and that, as a result, Shields’s systems would be attractive for cybercriminals.
`24.
`Shields also knew that a breach of its systems, and exposure of the information
`stored therein, would result in the increased risk of identity theft and fraud against the individuals
`whose PII and PHI was compromised, as well as intrusion into their highly private health
`information.
25. These risks are not theoretical; in recent years, numerous high-profile breaches have occurred at businesses such as Equifax, Facebook, Yahoo, Marriott, Anthem, and many others.
`
`
`5 Shields Health Care Group, Our Services, https://shields.com/our-services/overview/ (last
`accessed June 27, 2022).
`6 Shields Health Care Group, supra note 1.
`
`
26. PII has considerable value and constitutes an enticing and well-known target to hackers. Hackers easily can sell stolen data as well as the “proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”7 PHI, in addition to being of a highly personal and private nature, can be used for medical fraud and to submit false medical claims for reimbursement.
`27.
`The prevalence of data breaches and identity theft has increased dramatically in
`recent years, accompanied by a parallel and growing economic drain on individuals, businesses,
`and government entities in the U.S. In 2021, there were 4,145 publicly disclosed data breaches,
`exposing 22 billion records. The United States specifically saw a 10% increase in the total number
`of data breaches.8
`28.
`In tandem with the increase in data breaches, the rate of identity theft complaints
`has also increased over the past few years. For instance, in 2017, 2.9 million people reported some
`form of identity fraud compared to 5.7 million people in 2021.9
`29.
`The healthcare industry has become a prime target for threat actors: “High demand
`for patient information and often-outdated systems are among the nine reasons healthcare is now
`the biggest target for online attacks.”10
`30.
`“Hospitals store an incredible amount of patient data. Confidential data that’s worth
`a lot of money to hackers who can sell it on easily – making the industry a growing target.”11
`
`
`7 Brian Krebs, The Value of a Hacked Company, Krebs on Security (July 14, 2016),
`http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/ (last visited 6/29/2022).
8 Data Breach Report: 2021 Year End, Risk Based Security (February 4, 2022), https://www.riskbasedsecurity.com/2022/02/04/data-breach-report-2021-year-end/ (last accessed June 29, 2022).
`9 Insurance Information Institute, Facts + Statistics: Identity theft and cybercrime, available at
`https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime#Identity%20Theft
`%20And%20Fraud%20Reports,%202015-2019%20 (last visited 6/29/2022).
`10 SwivelSecure, The healthcare industry is at risk,
`https://swivelsecure.com/solutions/healthcare/healthcare-is-the-biggest-target-for-cyberattacks/
`(last visited on 6/29/2022).
`11 Id.
`
`
31. The breadth of data compromised in the Data Breach makes the information particularly valuable to thieves and leaves Shields’s patients especially vulnerable to identity theft, tax fraud, medical fraud, credit and bank fraud, and more.
`32.
`As indicated by Jim Trainor, former second in command at the FBI’s cyber security
`division: “Medical records are a gold mine for criminals—they can access a patient’s name, DOB,
`Social Security and insurance numbers, and even financial information all in one place. Credit
`cards can be, say, five dollars or more where PHI records can go from $20 say up to—we’ve even
`seen $60 or $70.”12 A complete identity theft kit that includes health insurance credentials may be
`worth up to $1,000 on the black market, whereas stolen payment card information sells for about
`$1.13
`
33. According to Experian:
`
`Having your records stolen in a healthcare data breach can be a prescription for
`financial disaster. If scam artists break into healthcare networks and grab your
`medical information, they can impersonate you to get medical services, use your
`data open credit accounts, break into your bank accounts, obtain drugs illegally,
`and even blackmail you with sensitive personal details.
`ID theft victims often have to spend money to fix problems related to having their
`data stolen, which averages $600 according to the FTC. But security research firm
`Ponemon Institute found that healthcare identity theft victims spend nearly $13,500
`dealing with their hassles, which can include the cost of paying off fraudulent
`medical bills.
`Victims of healthcare data breaches may also find themselves being denied care,
`coverage or reimbursement by their medical insurers, having their policies canceled
`or having to pay to reinstate their insurance, along with suffering damage to their
`credit ratings and scores. In the worst cases, they've been threatened with losing
`
`
`12 IDExperts, You Got It, They Want It: Criminals Targeting Your Private Healthcare Data, New
`Ponemon Study Shows: https://www.idexpertscorp.com/knowledge-center/single/you-got-it-
`they-want-it-criminals-are-targeting-your-private-healthcare-dat (last visited 6/29/2022).
13 PriceWaterhouseCoopers, Managing cyber risks in an interconnected world, Key findings from The Global State of Information Security® Survey 2015: https://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf (last visited 6/29/2022).
`
`
`custody of their children, been charged with drug trafficking, found it hard to get
`hired for a job, or even been fired by their employers.14
`
`34.
`According to the U.S. Government Accountability Office, which conducted a study
`regarding data breaches: “[I]n some cases, stolen data may be held for up to a year or more before
`being used to commit identity theft. Further, once stolen data have been sold or posted on the
`[Dark] Web, fraudulent use of that information may continue for years. As a result, studies that
`attempt to measure the harm resulting from data breaches cannot necessarily rule out all future
`harm.”15
`35.
`Even if stolen PII or PHI does not include financial or payment card account
`information, that does not mean there has been no harm, or that the breach does not cause a
`substantial risk of identity theft. Freshly stolen information can be used with success against
`victims in specifically targeted efforts to commit identity theft known as social engineering or
`spear phishing. In these forms of attack, the criminal uses the previously obtained PII about the
`individual, such as name, address, email address, and affiliations, to gain trust and increase the
`likelihood that a victim will be deceived into providing the criminal with additional information.
`36.
`Shields certainly knew the foreseeable risk of failing to implement adequate
`cybersecurity measures.
`C. Shields Breached Its Duty to Protect its Patients’ PII and PHI
37. On or around June 7, 2022, Defendant released a “Notice of Data Security Incident” (“Notice”) that announced that on or approximately around March 28, 2022, Defendant was alerted to suspicious activity and that an unknown actor gained access to Shields’s system from approximately March 7, 2022 to March 21, 2022.16
`
`14 Experian, Healthcare Data Breach: What to Know About them and What to Do After One:
`https://www.experian.com/blogs/ask-experian/healthcare-data-breach-what-to-know-about-them-
`and-what-to-do-after-one/ (last visited 6/29/2021).
`15 United States Government Accountability Office, Report to Congressional Requesters, Personal
`Information, June 2007: https://www.gao.gov/new.items/d07737.pdf (last visited 6/29/2022).
`16 Shields Health Care Group, Notice of Data Security Incident, https://shields.com/notice-of-
`data-security-incident/ (last accessed June 27, 2022).
`
`
38. According to Shields, it is reviewing the extent of the breach and alleges there is no evidence to indicate the breach was to commit fraud,17 but based on the amount of sensitive information Shields possesses, it would be naïve to believe the cybercriminals did not purposefully steal sensitive information with a specific intent to use it or sell it to others who will.

39. Defendant determined that the information that was impacted included full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.18
`40.
`The unauthorized persons gained access to the PII and PHI of approximately 2
`million patients.19
`41. While the Data Breach occurred in March, Defendant alerted the public and its
`patients in the beginning of June, two full months after the breach. In those months Shields left the
`public in the dark, it failed to inform patients of the danger posed by the ongoing breach. Even
`now, Shields’ disclosures have been vague and evasive, leaving Plaintiff and class members with
`incomplete information regarding the true nature and extent of the data breach.
`42.
`The Data Breach occurred as a direct result of Shields’s failure to implement and
`follow basic security procedures in order to protect its patients’ PII and PHI.
`43.
`Shields says it “takes confidentiality, privacy, and security information in [their]
`care seriously” yet alerts its patients of the Data Breach while it is too late for patients to safeguard
`their information and provides no assistance to its patients in the event of their identity being
`stolen.20
`44.
`Plaintiff did not receive a personal notice of the Data Breach but instead had to
`search the internet to discover the quietly announced data breach.
`
`
`17 Id.
`18 Id.
19 Marc Fortier, 2 million Impacted by Data Breach at Massachusetts Health Care Organization, 10 NBC Boston (last updated June 8, 2022, 1:02pm), https://www.nbcboston.com/news/local/massachusetts-health-care-group-investigating-data-security-breach/2741994/.
`20 Shields Health Care Group, supra note 4.
`
`
`D. Plaintiff and Class Members Suffered Damages
`45.
`For the reasons mentioned above, Shields’s conduct, which allowed the Data
`Breach to occur, caused the Plaintiff and members of the Class significant injuries and harm in
`several ways. Plaintiff and members of the Class must immediately devote time, energy, and
`money to: 1) closely monitor their medical statements, bills, records, and credit and financial
`accounts; 2) change login and password information on any sensitive account even more frequently
`than they already do; 3) more carefully screen and scrutinize phone calls, emails, and other
`communications to ensure that they are not being targeted in a social engineering or spear phishing
`attack; and 4) search for suitable identity theft protection and credit monitoring services, and pay
`to procure them.
`46.
`After learning of the data breach, and as a direct response to it, Plaintiff purchased
`increased identity theft protection services.
`47.
`Once PII and PHI is exposed, there is virtually no way to ensure that the exposed
`information has been fully recovered or obtained against future misuse. For this reason, Plaintiff
`and Class members will need to maintain these heightened measures for years, and possibly their
`entire lives, as a result of Shields’s conduct. Further, the value of Plaintiff and Class members’ PII
`and PHI has been diminished by its exposure in the Data Breach.
`48.
`As a result of Shields’s failures, Plaintiff and Class members are at substantial
`increased risk of suffering identity theft and fraud or misuse of their PHI.
`49.
`Plaintiff and Class members are also at a continued risk because their information
`remains in Shields’s systems, which have already been shown to be susceptible to compromise
`and attack and is subject to further attack so long as Shields fails to undertake the necessary and
`appropriate security and training measures to protect its patients’ PII and PHI.
`50.
`Plaintiff and Class members have suffered emotional distress as a result of the data
`breach, the increased risk of identity theft and financial fraud, and the unauthorized exposure of
`their private medical information to strangers.
`
`
`CLASS ALLEGATIONS
`51.
`Plaintiff brings this case individually and, pursuant to Rule 23 of the Federal Rules
`of Civil Procedure, on behalf of the following class:
`
`
`All individuals in the United States whose PII and/or PHI was
`compromised in the Shields Health Care Group data breach which
`occurred on or about March 7, 2022 until on or about March 21,
`2022 (the “Class”).
`52.
`Excluded from the Class is Defendant, its subsidiaries and affiliates, its officers,
`directors and members of their immediate families and any entity in which Defendant has a
`controlling interest, the legal representative, heirs, successors, or assigns of any such excluded
`party, the judicial officer(s) to whom this action is assigned, and the members of their immediate
`families.
`53.
`This proposed class definition is based on the information available to Plaintiff at
`this time. Plaintiff may modify the class definition in an amended pleading or when she moves for
`class certification, as necessary to account for any newly learned or changed facts as the situation
`develops and discovery gets underway.
`54.
`The requirements of Rule 23(a)(1) are satisfied. The class described above is so
`numerous that joinder of all individual members in one action would be impracticable. The
`disposition of the individual claims of the respective class members through this class action will
`benefit both the parties and this Court. The exact size of the class and the identities of the individual
`members thereof are ascertainable through Defendant’s records, including but not limited to, the
`files implicated in the Data Breach, but based on public information, the Class includes
`approximately 2 million individuals.
`55.
`The requirements of Rule 23(a)(2) are satisfied. There is a well-defined community
`of interest, and there are common questions of fact and law affecting members of the Class. The
`questions of fact and law common to the Class predominate over questions which may affect
`individual members and include the following:
`
`
`a.
`Whether Defendant had a duty to protect the PII and PHI of Plaintiff and
`Class Members;
`b.
`Whether Defendant was negligent in collecting and storing Plaintiff’s and
`Class Members’ PII and PHI, and breached its duties thereby;
`c.
`Whether Defendant breached its fiduciary duty to Plaintiff and the Class.
`d.
`Whether Plaintiff and Class Members are entitled to damages as a result of
`Defendant’s wrongful conduct; and
`e.
`Whether Plaintiff and Class Members are entitled to restitution as a result
`of Defendant’s wrongful conduct.
`56.
`The requirements of Rule 23(a)(3) are satisfied. Plaintiff’s claims are typical of the
`claims of the members of the Class. The claims of the Plaintiff and members of the Class are
`based on the same legal theories and arise from the same failure by Defendant to safeguard PII and
`PHI.
`
`57.
`Plaintiff and members of the Class were all patients of Shields, each having their
`PII and PHI obtained by an unauthorized third party.
`58.
`The requirements of Rule 23(a)(4) are satisfied. Plaintiff is an adequate
`representative of the Class because her interests do not conflict with the interests of the members
`of the Class. Plaintiff will fairly, adequately, and vigorously represent and protect the interests of
`the members of the Class and has no interests antagonistic to the members of the Class. In addition,
`Plaintiff has retained counsel who are competent and experienced in the prosecution of class action
`litigation. The claims of Plaintiff and the Class members are substantially identical as explained
`above.
`59.
`The requirements of Rule 23(b)(3) are satisfied here because a class action is the
`superior method of litigation for these issues, and common issues will predominate. While the
`aggregate damages that may be awarded to the members of the Class are likely to be substantial,
`the damages suffered by the individual members of the Class are relatively small. As a result, the
`expense and burden of individual litigation make it economically infeasible and procedurally
`
`
`impracticable for each member of the Class to individually seek redress for the wrongs done to
`them. Certifying the case as a Class will centralize these substantially identical claims in a single
`proceeding, which is the most manageable litigation method available to Plaintiff and the Class
`and will conserve the resources of the parties and the court system, while protecting the rights of
`each member of the Class. Defendant’s uniform conduct is generally applicable to the Class as a
`whole, making relief appropriate with respect to each Class member.
`FIRST CAUSE OF ACTION
`NEGLIGENCE
`(On Behalf of Plaintiff and the Class)
60. Plaintiff restates and realleges all preceding factual allegations above as if fully set forth herein.
`61.
`Shields owed a duty under common law to Plaintiff and Class Members to exercise
`reasonable care in obtaining, retaining, securing, safeguarding, deleting, and protecting their PII
`and PHI in its possession from being compromised, lost, stolen, accessed, and misused by
`unauthorized persons.
`62.
`Shields’s duty to use reasonable care arose from several sources, including but not
`limited to those described below.
`63.
`Shields had a common law duty to prevent foreseeable harm to others. This duty
`existed because Plaintiff and Class Members were the foreseeable and probable victims of any
`inadequate security practices on the part of the Defendant. By collecting and storing valuable PII
`and PHI that is routinely targeted by criminals for unauthorized access, Shields was obligated to
`act with reasonable care to protect against these foreseeable threats.
64. Shields’s duty also arose from Shields’s position as a healthcare provider. Shields holds itself out as a trusted provider of healthcare, and thereby assumes a duty to reasonably protect its patients’ information. Indeed, Shields, which directly manages imaging and management services, was in a unique and superior position to protect against the harm suffered by Plaintiff and Class Members as a result of the Data Breach.
`
`
`65.
`Shields breached the duties owed to Plaintiff and Class Members and thus was
`negligent. Although the exact methodologies employed by the unauthorized third parties are
`unknown to Plaintiff at this time, on information and belief, Shields breached its duties through
`some combination of the following errors and omissions that allowed the data compromise to
`occur: (a) mismanaging its system and failing to identify reasonably foreseeable internal and
`external risks to the security, confidentiality, and integrity of customer information that resulted in
`the unauthorized access and compromise of PII and PHI; (b) mishandling its data security by
`failing to assess the sufficiency of its safeguards in place to control these risks; (c) failing to design
`and implement information safeguards to control these risks; (d) failing to adequately test and
`monitor the effectiveness of the safeguards’ key controls, systems, and procedures; (e) failing to
`evaluate and adjust its information security program in light of the circumstances alleged herein;
`(f) failing to detect the breach at the time it began or within a reasonable time thereafter; (g) failing
`to follow its own privacy policies and practices published to its patients; and (h) failing to
`adequately train and supervise employees and third party vendors with access or credentials to
`systems and databases containing sensitive PII or PHI.
66. But for Shields’s wrongful and negligent breach of its duties owed to Plaintiff and Class members, their PII and PHI would not have been compromised.

67. As a direct and proximate result of Shields’s negligence, Plaintiff and Class Members have suffered injuries, including:
`a.
`Theft of their PII and/or PHI;
`b.
`Costs associated with the detection and prevention of identity theft and
`unauthorized use of the financial accounts;
`c.
`Costs associated with purchasing credit monitoring and identity theft
`protection services;
`d.
`Lowered credit scores resulting from credit inquiries following fraudulent
`activities;
`
`
`e.
`Costs associated with time spent and the loss of productivity from taking
`time to address and attempt to ameliorate, mitigate, and deal with the actual and future
`consequences of the Data Breach – including finding fraudulent charges, cancelling and
`reissuing cards, enrolling in credit monitoring and identity theft protection services,
`freezing and unfreezing accounts, and imposing withdrawal and purchase limits on
`compromised accounts;
`f.
`The imminent and certainly impending injury flowing from the increased
`risk of potential fraud and identity theft posed by their PII and/or PHI being placed in the
`hands of criminals;
`g.
`Damages to and diminution in value of their PII and PHI entrusted, directly
`or indirectly, to Shields with the mutual understanding that Shields would safeguard
`Plaintiff’s and Class Members’ data against theft and not allow access and misuse of their
`data by others; and
`h.
`Continued risk of exposure to hackers and thieves of their PII and/or PHI,
`which remains in Shields’s possession and is subject to further breaches so long as Shields
`fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class
`Members’ data.
`i.
`Emotional distress from the unauthorized disclosure of PII and PHI to
`strangers who likely have nefarious intentions and now have prime opportunities to commit
`identity theft, fraud, and other types of attacks on Plaintiff and Class members.
`68.
`As a direct and proximate result of Shields’s negligence, Plaintiff and Class
`Members are entitled to damages, including compensatory, punitive, and/or nominal damages, in
`an amount to be proven at trial.
`SECOND CAUSE OF ACTION
`NEGLIGENCE PER SE
`(On Behalf of Plaintiff and the Class)
69. Plaintiff restates and realleges all preceding factual allegations above as if fully set forth herein.
`
`
70. Section 5 of the FTC Act prohibits “unfair . . . practices in or affecting commerce” including, as interpreted and enforced by the FTC, the unfair act or practice by entities such as Shields of failing to use reasonable measures to protect PII and PHI. Various FTC publications and orders also form the basis of Shields’s duty.
`71.
`Shields violated Section 5 of the FTC Act by failing to use reasonable measures to
`protect PII and PHI and not complying with the industry standards. Shields’s conduct was
`particularly unre
