`
`UNITED STATES DISTRICT COURT
`DISTRICT OF MASSACHUSETTS
`
`
`
`ELIZABETH TAYLOR, on behalf of herself
`and all others similarly situated,
`
`Plaintiffs,
`
` vs.
`
`
`Case No. _____________
`
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`ISRAEL
`BETH
`and
`INC.,
`UKG,
`DEACONESS HOSPITAL - PLYMOUTH,
`INC.
`
`Defendants.
`
`
`
`
`
`
`
`
`Plaintiff Elizabeth Taylor (“Ms. Taylor” or “Plaintiff”) on behalf of herself and all others
`
`similarly situated (the “Class” or “Class Members”), brings this action against Defendants UKG,
`
`Inc. (“UKG”) and Beth Israel Deaconess Hospital - Plymouth, Inc. (“Beth Israel”) (collectively,
`
`the “Defendants”) to obtain damages, restitution, and injunctive relief for the Class. Plaintiff
`
`alleges the following based on personal knowledge, the investigation of counsel, and information
`
`and belief.
`
`NATURE OF THE ACTION
`
`1.
`
`Plaintiff and Class Members are hourly employees who were not paid the full
`
`amount of wages to which they are entitled for all of their work in a timely fashion by Defendants.
`
`2.
`
`Plaintiff and Class Members provided their personally identifiable information
`
`(“PII”) to Defendants at their request, including names, addresses, employee IDs, and social
`
`security numbers. Due to Defendants’ failure to implement and maintain reasonable safeguards
`
`to protect Plaintiff’s PII, criminals obtained access to Plaintiff’s PII, which resulted in substantial
`
`
`
`1
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 2 of 24
`
`harm to Plaintiff and the Class.1
`
`3.
`
`This class action seeks to redress Defendants’ unlawful withholding of wages for
`
`Plaintiff and Class Members and the negligent disclosure of over 8 million employees’ PII in a
`
`massive data breach on or around December 11, 2021 (“Data Breach”). On that date, and possibly
`
`on others, Defendants’ inadequate security measures allowed unauthorized individuals to access
`
`and render unusable a workforce management software application Defendants used to process
`
`payroll and store data that contained the PII of Plaintiff and other individuals.2
`
`4.
`
`As a result of the Data Breach, Plaintiff and Class Members were not timely paid
`
`the full amount of wages to which they are entitled.
`
`5.
`
`Plaintiff and the Class Members also now bear an immediate and heightened risk
`
`of all manners of identity theft. Plaintiff has incurred, and will continue to incur, damages in the
`
`form of, inter alia, an imminent threat of identity theft, loss of privacy and the value of personal
`
`information, deprivation of the benefit of the bargain, and/or the additional damages set forth in
`
`detail below.
`
`JURISDICTION AND VENUE
`
`6.
`
`This Court has personal jurisdiction over Defendant Beth Israel Deaconess Hospital
`
`- Plymouth, Inc., because it maintains a headquarters in and has its principal place of business in
`
`Massachusetts.
`
`7.
`
`This Court has personal jurisdiction over Defendant UKG Inc. because it has had
`
`systematic and continuous contacts with the State of Massachusetts. UKG is registered to do
`
`business in Massachusetts with the Massachusetts Secretary of State. UKG contracts with many
`
`
`1 See UKG Kronos Community, Communications Sent to Impact Kronos Private Cloud (KPC)
`Customers, https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US.
`2 See id.
`
`
`
`2
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 3 of 24
`
`businesses in Massachusetts to provide human resources services, including payroll services.
`
`8.
`
`This Court has jurisdiction over this action under the Class Action Fairness Act
`
`(“CAFA”), 28 U.S.C. § 1332(d), because the aggregate amount in controversy exceeds
`
`$5,000,000, exclusive of interests and costs, there are more than 100 class members, and Plaintiff
`
`and one or more members of the classes are residents of a different state from a defendant.
`
`9.
`
`This Court has jurisdiction over the Massachusetts Wage Act claim pursuant to
`
`M.G.L c. 149, § 150, as well as the federal supplemental jurisdiction statute 28 U.S.C. § 1367(a).
`
`10.
`
`Venue is proper in the District of Massachusetts because, pursuant to 28 U.S.C. §
`
`1391(b)(2) in that a substantial part of the events or omissions giving rise to the claims occurred
`
`in Massachusetts.
`
`PARTIES
`
`11.
`
`Plaintiff Elizabeth Taylor is a citizen of Massachusetts and a resident of Carver,
`
`Massachusetts.
`
`12.
`
`On approximately December 11, 2021, Plaintiff’s PII was exposed in the Data
`
`Breach. On one or more weeks after December 11, 2021, Plaintiff was not timely paid for the full
`
`amount of wages due and her PII was exposed. If Plaintiff had known that Defendants would not
`
`adequately protect her PII, she would have either refused to provide such information, or taken
`
`action to challenge the condition of employment imposed by Defendant Beth Israel that she
`
`disclose PII and prohibit Defendants’ access to this sensitive and private information until the Data
`
`Breach security issue was resolved.
`
`13.
`
`Defendant Beth Israel Deaconess Hospital – Plymouth, Inc. is a Massachusetts
`
`Corporation with its principal place of business at 275 Sandwich St., Plymouth, MA 02360.
`
`14.
`
`Defendant UKG Inc. is a Delaware Corporation with its principal place of business
`
`
`
`3
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 4 of 24
`
`at 2000 Ultimate Way, Weston, FL 33326.
`
`FACTUAL BACKGROUND
`
`A.
`
`Plaintiff’s Status As An Employee
`
`15.
`
`Plaintiff was employed by Beth Israel as an hourly employee during the relevant
`
`time period.
`
`16.
`
`During the relevant time period, Beth Israel employed hourly employees to work
`
`in numerous sectors of the health care industry.
`
`17.
`
`Plaintiff’s principal job duties included, but were not limited to, providing care for
`
`Beth Israel’s patients as a registered nurse.
`
`18.
`
`19.
`
`20.
`
`21.
`
`22.
`
`Plaintiff was paid on an hourly basis.
`
`Beth Israel regularly scheduled Plaintiff’s work hours.
`
`Plaintiff regularly reported her hours to Beth Israel, as instructed by Beth Israel.
`
`Beth Israel regularly received reports indicating the hours worked by Plaintiff.
`
`On or about December 13, 2021, Beth Israel instituted a “payment freeze” for all
`
`hourly employees, such that the pay for each pay period following that date was set arbitrarily to
`
`the period prior to the freeze, with limited exception.
`
`23.
`
`Beth Israel failed to pay Plaintiff the full amount of wages to which she was entitled
`
`for all of her work time in a timely fashion.
`
`24.
`
`Plaintiff or Plaintiff's representative made numerous requests for payment of their
`
`wages in full, but these requests were denied.
`
`25.
`
`26.
`
`Plaintiff did not furnish her work gratuitously.
`
`Plaintiff worked with the expectation that she would be paid in full for all hours
`
`worked in a timely fashion.
`
`
`
`4
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 5 of 24
`
`27.
`
`28.
`
`Beth Israel did not expect Plaintiff to perform any work for Defendant gratuitously.
`
`UKG operated and provided a workforce and management software, Kronos
`
`Private Cloud, by which Beth Israel maintained and distributed its payroll to employees.
`
`29.
`
`UKG was acting in the interest of Beth Israel in relation to Plaintiff, Class
`
`Members, and all employees, by providing this workface and management software.
`
`30.
`
`Defendants set compensation policies for Plaintiff and the Class. Defendants were
`
`jointly responsible for ensuring that Plaintiff and the Class were properly paid each pay period.
`
`Defendants were also jointly responsible for the unlawful withholding of payments subsequent to
`
`the Data Breach.
`
`B.
`
`UKG’s Data Breach.
`
`31.
`
`Due to inadequate security measures, on or about December 11, 2021, UKG was
`
`the subject of a ransomware attack, whereby criminals obtained access to Plaintiff’s and Class
`
`Members’ PII and Kronos Private Cloud was rendered unusable.3
`
`32.
`
`Kronos Private Cloud is used by thousands of employers, including Beth Israel, and
`
`8 million employees to manage work schedules, track hours, and calculate paychecks.4
`
`33.
`
`Defendants store employees’ PII in Kronos Private Cloud, which can include, inter
`
`alia, employee names, addresses, employee ID numbers, and social security numbers.5
`
`34.
`
`The PII of millions of individuals may have been exposed to unauthorized
`
`cybercriminals when they gained access to UKG’s server.6
`
`
`
`3 Id.
`4 Becky Sullivan, Hackers disrupt payroll for thousands of employers – including hospitals, NPR
`(Jan. 15, 2022), https://www.npr.org/2022/01/15/1072846933/kronos-hack-lawsuits.
`5 Jennifer Korn, Kronos ransomware attack could impact employee paychecks and timesheets for
`weeks, CNN (Dec. 17, 2021), https://www.cnn.com/2021/12/16/tech/kronos-ransomware-
`attack/index.html.
`6 See id.
`
`
`
`5
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 6 of 24
`
`35.
`
`By disclosing their PII to cybercriminals, Defendants caused Plaintiff and all Class
`
`Members not to timely receive the pay to which they were entitled and put Plaintiff and all Class
`
`Members at risk of identity theft, financial fraud, and other serious harms.
`
`36.
`
`Defendants negligently failed to take the necessary precautions required to
`
`safeguard and protect the PII of Plaintiff and Class Members from unauthorized disclosure.
`
`Defendants’ actions represent a flagrant disregard of Plaintiff’s and the other Class Members’
`
`rights, both as to privacy and property.
`
`C.
`
`Plaintiff And Class Members Were Not Paid Proper Wages.
`
`37.
`
`Following the Data Breach, Beth Israel was unable to operate Kronos Private Cloud
`
`and conduct its payroll services.
`
`38.
`
`UKG, through Kronos Private Cloud, maintained control over employee records
`
`and the rate and method of payment.
`
`39.
`
`As a result, numerous employers, including Beth Israel, who use Kronos Private
`
`Cloud for workforce management to manage employee schedules, track hours, and determine
`
`payment, were unable to do so.7
`
`40.
`
`As a result of the Data Breach, Kronos Private Cloud was unable to function
`
`properly which restricted the rate and method of payment to employees.
`
`41.
`
`Beth Israel’s employees were not paid for the full amount of time they worked in
`
`one or more pay periods, or in successive pay periods, from approximately December 11, 2021
`
`onward.
`
`
`7 Becky Sullivan, Hackers disrupt payroll for thousands of employers – including hospitals, NPR
`(Jan. 15, 2022), https://www.npr.org/2022/01/15/1072846933/kronos-hack-lawsuits.
`6
`
`
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 7 of 24
`
`42.
`
`Plaintiff and Class Members received payment for far fewer hours than they
`
`worked.8
`
`D.
`
`Plaintiff’s And Class Members’ Personally Identifiable Information Is Valuable.
`
`43.
`
`PII is of great value to hackers and cyber criminals, and the data compromised in
`
`the Data Breach can be used in a variety of unlawful manners.
`
`44.
`
`The term “personally identifiable information” refers to information that can be
`
`used to distinguish, identify, or trace an individual’s identity, such as their name, Social Security
`
`number, and biometric records. This can be accomplished alone, or in combination with other
`
`personal or identifying information that is connected, or linked to an individual, such as their
`
`birthdate, birthplace, and mother’s maiden name.9
`
`45.
`
`Given the nature of this breach, it is foreseeable that the compromised PII can be
`
`used by hackers and cybercriminals in a variety of different ways.
`
`46.
`
`A study by Javelin Strategy and Research found that individuals lost about $13
`
`billion in 2020 as a result of identity fraud.10 Data breaches and identity theft have a crippling
`
`effect on individuals and detrimentally impact the entire economy as a whole.
`
`47.
`
`Indeed, the Social Security Administration has warned that identity thieves can use
`
`an individual’s Social Security number to apply for additional credit lines.11 Such fraud may go
`
`undetected until debt collection calls commence months, or even years, later. Stolen Social
`
`
`8 Becky Sullivan, Hackers disrupt payroll for thousands of employers – including hospitals, NPR
`(Jan. 15, 2022), https://www.npr.org/2022/01/15/1072846933/kronos-hack-lawsuits.
`9 See OFFICE OF MGMT. & BUDGET, OMB MEMORANDUM M-07-16 n. 1.
`10 See Total Identify Fraud Losses Soar to $56 Billion in 2020, BUSINESSWIRE (Mar. 23, 2021),
`https://www.businesswire.com/news/home/20210323005370/en/Total-Identity-Fraud-Losses-
`Soar-to-56-Billion-in-2020.
`11 Identity Theft and Your Social Security Number, Social Security Administration (2018) at 1,
`https://www.ssa.gov/pubs/EN-05-10064.pdf.
`
`
`
`7
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 8 of 24
`
`Security Numbers also make it possible for thieves to file fraudulent tax returns, file for
`
`unemployment benefits, or apply for a job using a false identity.12 Each of these fraudulent
`
`activities is difficult to detect. An individual may not know that their Social Security Number was
`
`used to file for unemployment benefits until law enforcement notifies the individual’s employer
`
`of the suspected fraud. Fraudulent tax returns are typically discovered only when an individual’s
`
`authentic tax return is rejected.
`
`48. With access to an individual’s PII, cyber criminals can do more than just empty a
`
`victim’s bank account -- they can also commit all manner of fraud, including: obtaining a driver’s
`
`license or official identification card in the victim’s name but with the thief’s picture; using the
`
`victim’s name and social security number to obtain government benefits; or, filing a fraudulent tax
`
`return using the victim’s information. In addition, identity thieves may obtain a job using the
`
`victim’s SSN, rent a house, or receive medical services in the victim’s name, and may even give
`
`the victim’s personal information to police during an arrest, resulting in an arrest warrant being
`
`issued in the victim’s name.13
`
`E.
`
`Defendants Were Aware of the Risk of Cyber-Attacks.
`
`49.
`
`Data security breaches -- and data security breach litigation -- dominated the
`
`headlines in recent years, including in 2021.14
`
`
`
`12 Id. at 4.
`13
`FEDERAL TRADE COMMISSION,
`Theft,
`See Warning
`Identity
`of
`Signs
`https://www.identitytheft.gov/#/Warning-Signs-of-Identity-Theft.
`14 See e.g., Akanksha Rana, T-Mobile Breach Hits 53 Million Customers as Probe Finds Wider
`Impact, REUTERS (Aug. 20, 2021), https://www.reuters.com/technology/t-mobile-says-hackers-
`accessed-data-another-53-mln-subscribers-2021-08-20/; Jill McKeon, St. Joseph’s/Candler
`(June 21, 2021),
`Suffers Ransomware Attack, EHR Downtime, HEALTHITSECURITY
`https://healthitsecurity.com/news/st-josephs-candler-suffers-ransomware-attack-ehr-downtime;
`David E. Sanger, Clifford Krauss, and Nicole Perlroth, Cyberattack Forces a Shutdown of a Top
`Pipeline,
`N.Y.
`TIMES
`(May
`8,
`2021),
`U.S.
`https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html.
`8
`
`
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 9 of 24
`
`50.
`
`UKG’s knowledge of the risks of identity theft is evidenced by its privacy notice:
`
`To prevent unauthorized access or disclosure, to maintain data
`accuracy, and to allow only the appropriate use of your [personal
`information], UKG utilizes physical, technical, and administrative
`controls and procedures to safeguard the information we collect. To
`protect the confidentiality, integrity, availability and resilience of
`your PI, we utilize a variety of physical and logical access controls,
`firewalls, intrusion detection/prevention systems, network and
`database monitoring, anti-virus, and backup systems. We use
`encrypted sessions when collecting or transferring sensitive data
`through our websites. We limit access to your PI and data to those
`persons who have a specific business purpose for maintaining and
`processing such information. Our employees who have been granted
`access to your PI are made aware of their responsibilities to protect
`the confidentiality, integrity, and availability of that information and
`have been provided training and instruction on how to do so.15
`
`The cybercriminals who obtained Class Members’ PII may also exploit the PII they
`
`51.
`
`obtained by selling the data in the so-called “dark markets.” Having obtained these names,
`
`addresses, and Social Security numbers, cybercriminals can pair the data with other available
`
`information to commit a broad range of fraud in a Class Member’s name.
`
`52.
`
`In addition, if a Class Member’s Social Security number is used to create a false
`
`identification for someone who commits a crime, the Class Member may become entangled in the
`
`criminal justice system, impairing the employee’s ability to gain employment or obtain a loan.
`
`F.
`
`Class Members Have Suffered Concrete Injury as a Result of Defendants’ Inadequate
`Security and the Data Breach It Allowed.
`
`53.
`
`Defendants represented to customers that they provided adequate security
`
`protections for their PII, and Class Members provided Defendants with sensitive personal
`
`information, including their Social Security numbers.
`
`
`15 Privacy Notice, Ultimate Kronos Group, https://www.ukg.com/privacy#4243725865-
`507775231.
`
`
`
`9
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 10 of 24
`
`54.
`
`The cybercriminals will certainly use Class Members’ PII, and Class Members will
`
`be at a heightened risk of identity theft for the rest of their lives. Plaintiff has incurred (and will
`
`continue to incur) damages in the form of, inter alia, non-payment of wages, loss of privacy and
`
`costs of protecting their credit. By this action, Plaintiff seeks to hold Defendants responsible for
`
`the harm caused by their negligence.
`
`55.
`
`In addition, as a direct and/or proximate result of Defendants’ wrongful actions
`
`and/or inaction and the resulting Data Breach, Plaintiff and Class Members have been deprived of
`
`the value of their PII, for which there is a well-established national and international market.
`
`56.
`
`Defendants’ wrongful actions and/or inaction and the resulting Data Breach have
`
`also placed Plaintiff and the other Class Members at an imminent, immediate, and continuing
`
`increased risk of identity theft and identity fraud.16 Indeed, “[t]he level of risk is growing for
`
`anyone whose information is stolen in a data breach.”17 Javelin Strategy & Research, a leading
`
`provider of quantitative and qualitative research, notes that “[t]he theft of SSNs places consumers
`
`at a substantial risk of fraud.”18 Moreover, there is a high likelihood that significant identity fraud
`
`and/or identity theft has not yet been discovered or reported. There is also a high probability that
`
`criminals who now possess Class Members’ PII have not yet used the information, but will do so
`
`at a later date or re-sell it.
`
`
`16 Data Breach Victims More Likely To Suffer Identity Fraud, INSURANCE INFORMATION INSTITUTE
`BLOG (February 23, 2012), http://www.iii.org/insuranceindustryblog/?p=267.
`17 Susan Ladika, Study: Data Breaches Pose A Greater Risk, CREDITCARDS.COM (July 23, 2014),
`http://www.creditcards.com/credit-card-news/data-breach-id-theft-risk-increase-study-1282.php.
`18 THE CONSUMER DATA INSECURITY REPORT: EXAMINING THE DATA BREACH- IDENTITY FRAUD
`PARADIGM IN FOUR MAJOR METROPOLITAN AREAS, http://www.nclnet.org/datainsecurity_report.
`10
`
`
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 11 of 24
`
`57.
`
`The average cost per customer PII record was $180, based on a study by IBM and
`
`the Ponemon Institute.19 Indeed, data breaches and identity theft have a crippling effect on
`
`individuals and detrimentally impact the entire economy as a whole.
`
`58.
`
`As a result of the Data Breach, Plaintiff and Class Members have already suffered
`
`damages, including, but not limited to, non-payment of wages, imminent threat of identity theft,
`
`loss of privacy and the value of personal information, and deprivation of the benefit of the bargain.
`
`59.
`
`Defendants have failed to provide adequate compensation to Class Members
`
`harmed by their negligence and for the injury caused to Plaintiff and Class Members.
`
`CLASS ACTION ALLEGATIONS
`
`60.
`
`Pursuant to Fed. R. Civ. P. 23, Plaintiff also brings this action against Defendants
`
`as a class action on behalf of a Class of all hourly employees of Beth Israel (“Beth Israel Class”).
`
`61.
`
`Pursuant to Fed. R. Civ. P. 23, Plaintiff also brings this action against UKG as a
`
`class action on behalf of a Class of all individuals whose PII was compromised as a result of the
`
`Data Breach announced by UKG on or about December 11, 2021 (“National Class”).
`
`62.
`
`Plaintiff reserves the right to amend the above definition(s), or to propose other or
`
`additional classes, in subsequent pleadings and/or motions for class certification.
`
`63.
`
`Excluded from the Class are Defendants; any parent, subsidiary, or affiliate of
`
`Defendants; any entity in which Defendants have or had a controlling interest, or which Defendants
`
`otherwise controls or controlled; and any legal representative, predecessor, successor, or assignee
`
`of Defendants.
`
`
`19 See Abi Tyas Tunggal, What Is The Cost of a Data Breach in 2021?, UPGUARD (Sept. 21, 2021),
`https://www.upguard.com/blog/cost-of-data-breach.
`11
`
`
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 12 of 24
`
`64.
`
`This action satisfies the requirements for a class action under F.R.C.P. 23(a)(1) -
`
`(a)(4), including requirements of numerosity, commonality, typicality, and adequacy of
`
`representation.
`
`65.
`
`This action satisfies the requirements for a class action under Rule 23(a)(1).
`
`Plaintiff believes that the proposed Class as described above consists of more than 8 million
`
`employees can be identified through Defendants’ records, though the exact number and identities
`
`of Class Members are currently unknown. The Class is therefore so numerous that joinder of all
`
`members, whether otherwise required or permitted, is impracticable.
`
`66.
`
`This action satisfies the requirements for a class action under Rule 23(a)(2).
`
`Common questions of fact and law exist for each cause of action and predominate over questions
`
`affecting only individual Class Members. Common questions include, but are not limited to, the
`
`following:
`
`a.
`
`
`b.
`
`c.
`
`d.
`
`e.
`
`f.
`
`Whether and to what extent Defendants had a duty to protect Class
`Members’ PII;
`
`Whether Defendants breached their duty to protect Class Members’ PII;
`
`Whether Defendants disclosed Class Members’ PII;
`
`Whether Defendants’ conduct was negligent;
`
`Whether Plaintiff and Class Members are entitled to damages; and
`
`Whether Defendants’ disclosure intruded upon the privacy of Plaintiff and
`Class Members.
`This action satisfies the requirements for a class action under Rule 23(a)(3). The
`
`67.
`
`claims asserted by Plaintiff are typical of the claims of the members of the Class she seeks to
`
`represent because, among other things, Plaintiff and Class Members sustained similar injuries as a
`
`
`
`12
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 13 of 24
`
`result of Defendants’ uniform wrongful conduct; Defendants owed the same duty to each class
`
`member; and Class Members’ legal claims arise from the same conduct by Defendants.
`
`68.
`
`This action satisfies the requirements for a class action under Rule 23(a)(4).
`
`Plaintiff will fairly and adequately represent and protect the interests of the Class. Plaintiff has no
`
`interests conflicting with the interests of Class Members. Plaintiff’s Counsel are competent and
`
`experienced in data breach class action litigation.
`
`69.
`
`Defendants have acted, or refused to act, on grounds generally applicable to the
`
`Class, thereby making appropriate final injunctive relief or equitable relief with respect to the Class
`
`as a whole.
`
`70.
`
`A class action is superior to other available methods for the fair and efficient
`
`adjudication of this controversy because Class Members number in the hundreds or thousands and
`
`individual joinder is impracticable. Trial of Plaintiff’s and Class Members’ claims is manageable.
`
`Unless the Class is certified, Defendants will remain free to continue to engage in the wrongful
`
`conduct alleged herein without consequence.
`
`71.
`
`The prosecution of separate actions by individual Class Members would create a
`
`risk of establishing incompatible standards of conduct for Defendants.
`
`72.
`
`Defendants’ wrongful actions, inactions, and omissions are generally applicable to
`
`the Class as a whole and, therefore, Plaintiff also seeks equitable remedies for the Class.
`
`73.
`
`Defendants’ systemic policies and practices also make injunctive relief for the Class
`
`appropriate.
`
`74.
`
`Absent a class action, Defendants will retain the benefits of its wrongdoing despite its
`
`serious violations of the law and infliction of economic damages, injury, and harm on Plaintiffs and
`
`Class Members.
`
`
`
`13
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 14 of 24
`
`CAUSES OF ACTION
`
`FIRST CAUSE OF ACTION
`Against Defendant Beth Israel On Behalf Of Plaintiff And The Beth Israel Class
`(Violation Of The Massachusetts Wage Act)
`
`75.
`
`Plaintiff re-alleges and incorporates by reference all preceding factual allegations
`
`
`
`as though fully set forth herein.
`
`76.
`
`Beth Israel has been and continues to be an “employer” of Plaintiff and the Beth
`
`Israel Class within the meaning of the Massachusetts Wage Act (M.G.L. c. 149).
`
`77.
`
`Plaintiff and the Beth Israel Class Members were “employees” of Beth Israel within
`
`the meaning of Massachusetts Wage Act (M.G.L. c. 149).
`
`78.
`
`Beth Israel employed Plaintiff and the Beth Israel Class Members, suffering or
`
`permitting them to work within the meaning of Massachusetts Wage Act (M.G.L. c. 149).
`
`79.
`
`Beth Israel failed to pay regular wages owed to Plaintiff and the Beth Israel Class
`
`Members on a timely basis for the work which they did for Beth Israel, and that Beth Israel did so
`
`willfully, in violation of the Massachusetts Wage Act (M.G.L. c. 149).
`
`80.
`
`As the result of the Beth Israel’s violations of Massachusetts law set forth above,
`
`Plaintiff and the Beth Israel Class Members have incurred damages in an amount to be determined
`
`at trial, along with liquidated damages, attorneys’ fees and costs of litigation.
`
`81.
`
`All prerequisites and conditions precedent necessary to seek the remedies sought in
`
`this action have been satisfied, including the administrative notice requirement to the
`
`Massachusetts Attorney General.
`
`SECOND CAUSE OF ACTION
`Against All Defendants On Behalf of The Beth Israel Class
`And Against UKG On Behalf Of The National Class
`(Negligence)
`
`Plaintiff re-alleges and incorporates by reference all preceding factual allegations
`
`82.
`
`
`
`14
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 15 of 24
`
`as though fully set forth herein.
`
`83.
`
`Defendants owed a duty to Plaintiff and to the Class to exercise reasonable care in
`
`obtaining, securing, safeguarding, properly disposing of and protecting Plaintiffs and Class
`
`Members’ sensitive information within its control from being compromised by or being accessed
`
`by unauthorized third parties. This duty included, among other things, maintaining adequate
`
`control over its computer systems and network so as to prevent unauthorized access thereof.
`
`84.
`
`Defendants had full knowledge of the sensitivity of PII and the types of harm that
`
`Plaintiff and Class Members could and would suffer if the PII were compromised.
`
`85.
`
`Defendants had a duty to exercise reasonable care to avoid foreseeable harm in its
`
`retention of Plaintiff’s and Class Member’s PII.
`
`86.
`
`Defendants owed a duty of care to Plaintiff and members of the Class to provide
`
`security, consistent with industry standards, to ensure that its computer systems adequately
`
`protected the sensitive information of the patients in its facilities and networks.
`
`87.
`
`Defendants breached their duty of care by failing to secure and safeguard the PII of
`
`Plaintiff and Class Members. Defendants failed to use reasonable measures to protect Class
`
`Members’ PII. Defendants negligently stored and/or maintained its servers and systems.
`
`88.
`
`It was foreseeable that Defendants’ failure to use reasonable measures to protect
`
`Plaintiff’s and Class Members’ PII would result in injury to Plaintiff and other Class Members.
`
`Further, the breach of security, unauthorized access, and resulting injury to Plaintiff and Class
`
`Members were reasonably foreseeable.
`
`89.
`
`It was foreseeable that Defendants knew or should have known that its failure to
`
`exercise adequate care in safeguarding and protecting Plaintiff’s and Class Members’ PII would
`
`result in its release and disclosure to unauthorized third parties who, in turn, wrongfully used such
`
`
`
`15
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 16 of 24
`
`PII or disseminated it for wrongful use.
`
`90.
`
`Therefore, it was foreseeable to Defendants that the failure to adequately safeguard
`
`PII would result in one or more of the following injuries to Plaintiff and Class Members: an
`
`imminent threat of identity theft, delay or error in payment of wages, necessary mitigation
`
`expenses, loss of privacy and the value of personal information, deprivation of the benefit of the
`
`bargain, ongoing and imminent impending threat of identity theft crimes, fraud and abuse,
`
`resulting in monetary loss and economic harm; actual identity theft crimes, fraud, and abuse,
`
`resulting in monetary loss and economic harm; loss of confidentiality of the stolen confidential
`
`data; expenses and/or time spent on credit monitoring and identity theft insurance; time spent
`
`scrutinizing bank statements, credit card statements, and credit reports; expenses and/or time spent
`
`initiating fraud alerts, decreased credit scores and ratings; and other economic and non-economic
`
`harm.
`
`91.
`
`But for Defendants’ negligent and wrongful breach of its responsibilities and duties
`
`owed to Plaintiff and Class Members, the PII of Plaintiff and Class Members would not have been
`
`compromised.
`
`92.
`
`Had Defendants not failed to implement and maintain adequate security measures
`
`to protect the PII of its employees, Plaintiff’s and Class Members’ PII would not have been
`
`exposed to unauthorized access and they would not have suffered any harm.
`
`93.
`
`As a direct and proximate result of Defendants’ above-described wrongful actions,
`
`inactions, and omissions, the resulting Data Breach, and the unauthorized release and disclosure
`
`of PII, Plaintiff and Class Members have incurred, and will continue to incur, the above-referenced
`
`damages, and other actual injury and harm.
`
`94.
`
`Defendants’ wrongful actions, inactions, and omissions constituted (and continues
`
`
`
`16
`
`
`
`Case 1:22-cv-11168-ADB Document 1 Filed 07/20/22 Page 17 of 24
`
`to constitute) common law negligence.
`
`95.
`
`Plaintiff and the Class seek damages, injunctive relief, and other and further relief
`
`as the Court may deem just and proper.
`
`THIRD CAUSE OF ACTION
`Against All Defendants On Behalf of The Beth Israel Class
`And Against UKG On Behalf Of The National Class
`(Intrusion Upon Seclusion/Invasion Of Privacy)
`
`96.
`
`Plaintiff re-alleges and incorporates by reference all paragraphs above as if
`
`
`
`fully set forth herein.
`
`97.
`
`The State of Massachusetts recognizes the right against “unreasonable, substantial
`
`or serious interference” with an individual’s privacy. M.G.L.A. 214 § 1B.
`
`98.
`
`Plaintiff and the Class Members had a reasonable expectation of privacy in the PII
`
`Defendants mishandled.
`
`99.
`
`By intentionally failing to keep Plaintiff’s and the Class Members’ PII safe, and by
`
`intentionally misusing and/or disclosing said information to unauthorized parties for unauthorized
`
`use, Defendants intentionally invaded Plaintiffs’ and Class Members’ privacy by intrusion.
`
`100. Defendants knew that ordinary persons in Plaintiff’s or the Class Members’
`
`positions would consider this an invasion of privacy and Defendants’ intentional actions highly
`
`offensive and objectionable.
`
`101. Defendants invaded Plaintiff’s and the Class Members’ right to privacy and
`
`intruded into Plaintiff’s and the Class Members’ private affairs by intentionally misusing and/or
`
`disclosing t