`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`UNITED STATES DISTRICT COURT
`FOR THE WESTERN DISTRICT OF WASHINGTON
`
`
`LEO THORBECKE and MARJORITA
`DEAN, individually and on behalf of all
`others similarly situated,
`
`Plaintiff,
`
`v.
`
`
`Case No.
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`
`MCG HEALTH, LLC, a Washington limited
`liability company,
`
`Defendant.
`
`Plaintiffs Leo Thorbecke and Marjorita Dean (“Plaintiffs”), individually and on behalf of
`
`all others similarly situated, bring this class action against Defendant MCG Health, LLC (“MCG
`
`Health” or “Defendant”) and allege as follows:
`
`JURISDICTION AND VENUE
`
`1.
`
`This Court has subject-matter jurisdiction pursuant to the Class Action Fairness
`
`Act, 28 U.S.C. § 1332(d) because (1) the matter in controversy exceeds the sum or value of
`
`$5,000,000, exclusive of interest and costs, (2) the action is a class action, (3) there are members
`
`of the proposed Class who are diverse from Defendant, and (4) there are more than 100 proposed
`
`Class members. This Court has supplemental jurisdiction over state law claims pursuant to 28
`
`CLASS ACTION COMPLAINT - 1
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 2 of 28
`
`
`
`U.S.C. § 1367 because they form part of the same case or controversy as the claims within the
`
`Court’s original jurisdiction.
`
`2.
`
`This Court has general personal jurisdiction over Defendant because Defendant is
`
`a resident and citizen of this district, Defendant conducts substantial business in this district, and
`
`the events giving rise to Plaintiffs’ claims arise out of Defendant’s contacts with this district.
`
`3.
`
`Venue is proper in this District pursuant to 28 U.S.C. § 1391(b)(1) & (2) because
`
`Defendant is a resident and citizen of this district and a substantial part of the events or omissions
`
`giving rise to Plaintiffs’ claims occurred in this district.
`
`PARTIES
`
`4. Plaintiff Leo Thorbecke is a resident and citizen of Indiana.
`
`5. Plaintiff Marjorita Dean is a resident and citizen of Ohio.
`
`6. Defendant MCG Health, LLC is a Washington limited liability company with its principal
`
`place of business in Seattle, Washington.
`
`7. Defendant MCG Health is a division of Hearst Corporation, a Delaware corporation.
`
`FACTUAL ALLEGATIONS
`
`I. MCG Health
`
`8.
`
`Defendant MCG Health is a Seattle-based software company that “provides patient
`
`care guidelines to health care providers and health plans.”1
`
`9.
`
`A majority of U.S. health plans and nearly 2,600 hospitals utilize Defendant’s
`
`software and are Defendant’s customers.
`
`
`1 https://www.businesswire.com/news/home/20220610005006/en/Notice-Provided-to-
`Individuals-Regarding-MCG-Data-Security-Incident
`
`CLASS ACTION COMPLAINT - 2
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 3 of 28
`
`
`
`10.
`
`Patients and members of Defendant’s customers, like Plaintiffs and Class
`
`members, provided certain Personal Identifying Information (“PII”) and Protected Health
`
`Information (“PHI”) to their healthcare providers which is required as a condition of medical
`
`treatment. Plaintiffs’ and Class members’ PII and PHI was then provided to Defendant.
`
`The affected patient or member data included some or all of the following data elements:
`
`names, Social Security numbers, medical codes, postal addresses, telephone numbers, email
`
`addresses, dates of birth and gender.2
`
`11.
`
`As a large technology company with an acute interest in maintaining the
`
`confidentiality of the PII and PHI entrusted to it, Defendant is well-aware of the numerous data
`
`breaches that have occurred throughout the United States and its responsibility for safeguarding
`
`PII and PHI in its possession.
`
`12.
`
`Defendant represents to patients and members and the public that it possesses
`
`robust security features to protect PII and PHI.
`
`II. The Data Breach
`
`13.
`
`On June 10, 2022, Defendant announced in a press release that it was investigating
`
`a data security incident that it had initially discovered on March 25, 2022. Defendant’s
`
`investigation included assistance of a forensic investigation firm.3
`
`14.
`
`The investigation determined that “an unauthorized party previously obtained
`
`personal information about some patients and members of certain MCG customers. The affected
`
`patient or member data included some or all of the following data elements: names, Social
`
`2 Id.
`3 Id.
`
`
`
`CLASS ACTION COMPLAINT - 3
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 4 of 28
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of
`
`birth and gender.”4
`
`15.
`
`On or about April 22, 2022, MCG notified its affected customers (i.e., healthcare
`
`systems) of the breach. In turn, MCG customers began notifying their patients in June 2022.
`
`16.
`
`Defendant sent a letter to Plaintiffs Dean and Thorbecke dated June 10, 2022,
`
`notifying them of the breach. See Exhibit A and Exhibit B.5
`
`17.
`
`Defendant’s letter also offered two years of free identity protection services to
`
`affected patients and members.
`
`18.
`
`Defendant did not state why it was unable to detect the unauthorized individuals
`
`accessing Defendant’s servers.
`
`19.
`
`Defendant did not state why it waited for nearly three months before notifying
`
`affected patients and members.
`
`20.
`
`Defendant failed to prevent the data breach because it did not adhere to commonly
`
`accepted security standards and failed to detect that its databases were subject to a security
`
`breach.
`
`III.
`
`Injuries to Plaintiffs and the Class
`
`21.
`
`As a direct and proximate result of Defendant’s actions and omissions in failing to
`
`protect Plaintiffs’ PII and PHI, Plaintiffs and the Class have been damaged.
`
`22.
`
`Plaintiffs and the Class have been placed at a substantial risk of harm in the form
`
`of credit fraud or identity theft and have incurred and will likely incur additional damages,
`
`
`
`4 Id.
`5 See also https://www.mcg.com/wp-content/uploads/2022/06/MCG-Website-
`Notice_90273447_1-6.8.22481312.4-004.pdf.
`
`CLASS ACTION COMPLAINT - 4
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 5 of 28
`
`
`
`including spending substantial amounts of time monitoring accounts and records, in order to
`
`prevent and mitigate credit fraud, identity theft, and financial fraud.
`
`23.
`
`In addition to the irreparable damage that may result from the theft of PII and PHI,
`
`identity theft victims must spend numerous hours and their own money repairing the impacts
`
`caused by this breach. After conducting a study, the Department of Justice’s Bureau of Justice
`
`Statistics found that identity theft victims “reported spending an average of about 7 hours clearing
`
`up the issues” and resolving the consequences of fraud in 2014.6
`
`24.
`
`In addition to fraudulent charges and damage to their credit, Plaintiffs and the
`
`Class will spend substantial time and expense (a) monitoring their accounts to identify fraudulent
`
`or suspicious charges; (b) cancelling and reissuing cards; (c) purchasing credit monitoring and
`
`identity theft prevention services; (d) attempting to withdraw funds linked to compromised,
`
`frozen accounts; (e) removing withdrawal and purchase limits on compromised accounts; (f)
`
`communicating with financial institutions to dispute fraudulent charges; (g) resetting automatic
`
`billing instructions and changing passwords; (h) freezing and unfreezing credit bureau account
`
`information; (i) cancelling and re-setting automatic payments as necessary; and (j) paying late
`
`fees and declined payment penalties as a result of failed automatic payments.
`
`25.
`
`Additionally, Plaintiffs and the Class have suffered or are at increased risk of
`
`suffering from, inter alia, the loss of the opportunity to control how their PII and PHI is used, the
`
`diminution in the value and/or use of their PII and PHI entrusted to Defendant, and loss of
`
`privacy.
`
`
`6 U.S. Dep’t of Justice, Victims of Identity Theft, 2014 (Nov. 13, 2017),
`http://www.bjs.gov/content/pub/pdf/vit14.pdf.
`
`CLASS ACTION COMPLAINT - 5
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 6 of 28
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`IV. The Value of Personal Identifying Information
`
`26.
`
`It is well known that PII and PHI, and financial account information in particular,
`
`is an invaluable commodity and a frequent target of hackers.
`
`27.
`
`According to Javelin Strategy & Research, in 2017 alone over 16.7 million
`
`individuals were affected by identity theft, causing $16.8 billion to be stolen.7
`
`28.
`
`People place a high value not only on their PII and PHI, but also on the privacy of
`
`that data. This is because identity theft causes “significant negative financial impact on victims”
`
`as well as severe distress and other strong emotions and physical reactions.8
`
`29.
`
`People are particularly concerned with protecting the privacy of their financial
`
`account information and social security numbers, which are the “secret sauce” that is “as good as
`
`your DNA to hackers.”9 There are long-term consequences to data breach victims whose social
`
`security numbers are taken and used by hackers. Even if they know their social security numbers
`
`have been accessed, Plaintiffs and Class Members cannot obtain new numbers unless they
`
`become a victim of social security number misuse. Even then, the Social Security Administration
`
`has warned that “a new number probably won’t solve all [] problems … and won’t guarantee … a
`
`fresh start.”10
`
`
`7 Javelin Strategy & Research, Identity Fraud Hits All Time High With 16.7 Million U.S. Victims
`in 2017, According to New Javelin Strategy & Research Study (Feb. 6, 2018),
`https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-
`victims-2017-according-new-javelin.
`8 Identity Theft Resource Center, Identity Theft: The Aftermath 2017,
`https://www.ftc.gov/system/files/documents/public_comments/2017/10/00004-141444.pdf.
`9 Cameron Huddleston, How to Protect Your Kids From the Anthem Data Breach, Kiplinger,
`(Feb. 10, 2015), https://www.kiplinger.com/article/credit/T048-C011-S001-how-to-protect-your-
`kids-from-the-anthem-data-brea.html.
`10 Social Security Admin., Identity Theft and Your Social Security Number, at 6-7,
`https://www.ssa.gov/pubs/EN-05-10064.pdf.
`
`CLASS ACTION COMPLAINT - 6
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 7 of 28
`
`
`
`30.
`
`The PII and PHI of minors (like the dependents of many Class Members) can be
`
`used to receive illicit gains through methods such as credit card fraud with newly created
`
`accounts. The fact that a minor’s social security number has not yet been used for financial
`
`purposes actually makes it more valued by hackers rather than less. The “blank slate” credit file of
`
`a child is much less limited than the potentially low credit score of an adult. Social security
`
`numbers that have never been used for financial purposes are uniquely valuable as thieves can
`
`pair them with any name and birthdate. After that happens, thieves can open illicit credit cards or
`
`even sign up for government benefits.11
`
`V.
`
`Industry Standards for Data Security
`
`31.
`
`In light of the numerous high-profile data breaches targeting companies like
`
`Target, Neiman Marcus, eBay, Anthem, Deloitte, and Equifax, Defendant is, or reasonably should
`
`have been, aware of the importance of safeguarding PII and PHI, as well as of the foreseeable
`
`consequences of its systems being breached.
`
`32.
`
`Security standards commonly accepted among businesses that store PII and PHI
`
`using the internet include, without limitation:
`
`a.
`
`b.
`
`c.
`
`d.
`
`e.
`
`Maintaining a secure firewall configuration;
`
`Monitoring for suspicious or irregular traffic to servers;
`
`Monitoring for suspicious credentials used to access servers;
`
`Monitoring for suspicious or irregular activity by known users;
`
`Monitoring for suspicious or unknown users;
`
`
`11 Richard Power, “Child Identity Theft: New Evidence Indicates Identity Thieves are Targeting
`Children for Unused Social Security Numbers,” Carnegie Mellon CyLab,
`https://www.cylab.cmu.edu/_files/pdfs/reports/2011/child-identity-theft.pdf.
`
`CLASS ACTION COMPLAINT - 7
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 8 of 28
`
`
`
`f.
`
`g.
`
`h.
`
`i.
`
`Monitoring for suspicious or irregular server requests;
`
`Monitoring for server requests for PII and PHI;
`
`Monitoring for server requests from VPNs; and
`
`Monitoring for server requests from Tor exit nodes.
`
`33.
`
`The U.S. Federal Trade Commission (“FTC”) publishes guides for businesses for
`
`cybersecurity12 and protection of PII and PHI13 which includes basic security standards applicable
`
`to all types of businesses.
`
`34.
`
`The FTC recommends that businesses:
`
`a.
`
`b.
`
`Identify all connections to the computers where you store sensitive information.
`
`Assess the vulnerability of each connection to commonly known or reasonably
`
`foreseeable attacks.
`
`c.
`
`Do not store sensitive consumer data on any computer with an internet connection
`
`unless it is essential for conducting their business.
`
`d.
`
`Scan computers on their network to identify and profile the operating system and
`
`open network services. If services are not needed, they should be disabled to prevent hacks or
`
`other potential security problems. For example, if email service or an internet connection is not
`
`necessary on a certain computer, a business should consider closing the ports to those services on
`
`that computer to prevent unauthorized access to that machine.
`
`
`12 Start with Security: A Guide for Business, FTC (June 2015),
`https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.
`13 Protecting Personal Information: A Guide for Business, FTC (Oct. 2016),
`https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting
`personalinformation.pdf.
`
`CLASS ACTION COMPLAINT - 8
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 9 of 28
`
`
`
`e.
`
`Pay particular attention to the security of their web applications—the software
`
`used to give information to visitors to their websites and to retrieve information from them. Web
`
`applications may be particularly vulnerable to a variety of hack attacks
`
`f.
`
`Use a firewall to protect their computers from hacker attacks while it is connected
`
`to a network, especially the internet.
`
`g.
`
`Determine whether a border firewall should be installed where the business’s
`
`network connects to the internet. A border firewall separates the network from the internet and
`
`may prevent an attacker from gaining access to a computer on the network where sensitive
`
`information is stored. Set access controls—settings that determine which devices and traffic get
`
`through the firewall—to allow only trusted devices with a legitimate business need to access the
`
`network. Since the protection a firewall provides is only as effective as its access controls, they
`
`should be reviewed periodically.
`
`h.
`
`Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye
`
`out for activity from new users, multiple log-in attempts from unknown users or computers, and
`
`higher-than-average traffic at unusual times of the day.
`
`i.
`
`Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large
`
`amounts of data being transmitted from their system to an unknown user. If large amounts of
`
`information are being transmitted from a business’ network, the transmission should be
`
`investigated to make sure it is authorized.
`
`35.
`
`The FTC has brought enforcement actions against businesses for failing to
`
`adequately and reasonably protect customer information, treating the failure to employ reasonable
`
`and appropriate measures to protect against unauthorized access to confidential consumer data as
`
`CLASS ACTION COMPLAINT - 9
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 10 of 28
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act, 15 U.S.C.
`
`§ 45. Orders resulting from these actions further clarify the measures businesses must take to
`
`meet their data security obligations.14
`
`36.
`
`Because Defendant was entrusted with patients and members’ PII and PHI, it had,
`
`and has, a duty to patients and members to keep their PII and PHI secure.
`
`37.
`
`Patients and members, such as Plaintiffs and the Class, reasonably expect that
`
`when they provide PII and PHI to Defendant, it will safeguard their PII and PHI.
`
`38.
`
`Nonetheless, Defendant failed to prevent the data breach discussed below. Had
`
`Defendant properly maintained and adequately protected its systems, it could have prevented the
`
`data breach.
`
`CLASS ALLEGATIONS
`
`39.
`
`Plaintiffs, individually and on behalf of all others, bring this class action pursuant
`
`to Fed. R. Civ. P. 23.
`
`40.
`
`The proposed Class is defined as follows:
`
`Nationwide Class: All persons whose PII and PHI was maintained on Defendant MCG
`
`Health, LLC’s servers that were compromised in the Data Breach.
`
`41.
`
`Plaintiffs reserve the right to modify, change, or expand the definitions of the
`
`proposed Class based upon discovery and further investigation.
`
`42.
`
`Numerosity: The proposed Class is so numerous that joinder of all members is
`
`impracticable. Although the precise number is not yet known to Plaintiffs, Defendant has
`
`
`14 Federal Trade Commission, Privacy and Security Enforcement: Press Releases,
`https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-
`security-enforcement.
`
`CLASS ACTION COMPLAINT - 10
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 11 of 28
`
`
`
`reported that the number of patients and members affected by the data breach is as high as 1.1
`
`million.15 The Class Members can be readily identified through Defendant’s records.
`
`43.
`
`Commonality: Questions of law or fact common to the Class include, without
`
`limitation:
`
`a.
`
`Whether Defendant owed a duty or duties to Plaintiffs and the Class to exercise
`
`due care in collecting, storing, safeguarding, and obtaining their PII and PHI;
`
`b.
`
`c.
`
`Whether Defendant breached that duty or those duties;
`
`Whether Defendant failed to establish appropriate administrative, technical, and
`
`physical safeguards to ensure the security and confidentiality of records to protect against known
`
`and anticipated threats to security;
`
`d.
`
`Whether the security provided by Defendant was satisfactory to protect customer
`
`information as compared to industry standards;
`
`e.
`
`Whether Defendant misrepresented or failed to provide adequate information to
`
`customers regarding the type of security practices used;
`
`f.
`
`Whether Defendant knew or should have known that it did not employ reasonable
`
`measures to keep Plaintiffs’ and the Class’s PII and PHI secure and prevent loss or misuse of that
`
`PII and PHI;
`
`g.
`
`Whether Defendant acted negligently in connection with the monitoring and
`
`protecting of Plaintiffs’ and Class’s PII and PHI;
`
`h.
`
`Whether Defendant’s conduct was intentional, willful, or negligent;
`
`
`15 https://www.hipaajournal.com/data-theft-incidents-reported-at-choice-health-mcg-health-
`goodman-campbell-brain-and-spine/
`
`CLASS ACTION COMPLAINT - 11
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 12 of 28
`
`
`
`i.
`
`j.
`
`Whether Defendant violated any and all statutes and/or common law listed herein;
`
`Whether the Class suffered damages as a result of Defendant’s conduct, omissions,
`
`or misrepresentations; and
`
`k.
`
`Whether the Class is entitled to injunctive, declarative, and monetary relief as a
`
`result of Defendant’s conduct.
`
`44.
`
`Typicality: The claims or defenses of Plaintiffs are typical of the claims or defenses
`
`of the Class. Class members were injured and suffered damages in substantially the same manner
`
`as Plaintiffs, Class members have the same claims against Defendant relating to the same course
`
`of conduct, and Class members are entitled to relief under the same legal theories asserted by
`
`Plaintiffs.
`
`45.
`
`Adequacy: Plaintiffs will fairly and adequately protect the interests of the proposed
`
`Class and has no interests antagonistic to those of the proposed Class. Plaintiffs have retained
`
`counsel experienced in the prosecution of complex class actions including, but not limited to,
`
`data breaches.
`
`46.
`
`Predominance: Questions of law or fact common to proposed Class members
`
`predominate over any questions affecting only individual members. Common questions such as
`
`whether Defendant owed a duty to Plaintiffs and the Class and whether Defendant breached its
`
`duties predominate over individual questions such as measurement of economic damages.
`
`47.
`
`Superiority: A class action is superior to other available methods for the fair and
`
`efficient adjudication of these claims because individual joinder of the claims of the Class is
`
`impracticable. Many members of the Class are without the financial resources necessary to
`
`pursue this matter. Even if some members of the Class could afford to litigate their claims
`
`CLASS ACTION COMPLAINT - 12
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 13 of 28
`
`
`
`separately, such a result would be unduly burdensome to the courts in which the individualized
`
`cases would proceed. Individual litigation increases the time and expense of resolving a common
`
`dispute concerning Defendant’s actions toward an entire group of individuals. Class action
`
`procedures allow for far fewer management difficulties in matters of this type and provide the
`
`unique benefits of unitary adjudication, economies of scale, and comprehensive supervision over
`
`the entire controversy by a single judge in a single court.
`
`48. Manageability: Plaintiffs are unaware of any difficulties that are likely to be
`
`encountered in the management of this action that would preclude its maintenance as a class
`
`action.
`
`49.
`
`The Class may be certified pursuant to Rule 23(b)(2) because Defendant has acted
`
`on grounds generally applicable to the Class, thereby making final injunctive relief and
`
`corresponding declaratory relief appropriate with respect to the claims raised by the Class.
`
`50.
`
`The Class may also be certified pursuant to Rule 23(b)(3) because questions of law
`
`and fact common to the Class will predominate over questions affecting individual members, and
`
`a class action is superior to other methods for fairly and efficiently adjudicating the controversy
`
`and causes of action described in this Complaint.
`
`51.
`
`Particular issues under Rule 23(c)(4) are appropriate for certification because such
`
`claims present particular, common issues, the resolution of which would advance the disposition
`
`of this matter and the parties’ interests therein.
`
`//
`
`//
`
`//
`
`CLASS ACTION COMPLAINT - 13
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 14 of 28
`
`
`
`CAUSES OF ACTION
`
`COUNT I
`NEGLIGENCE
`(on behalf of the Class)
`
`Plaintiffs hereby incorporate by reference all preceding paragraphs as though fully
`
`52.
`
`set forth herein.
`
`53.
`
`Defendant owed a duty of care to Plaintiffs and Class members to use reasonable
`
`means to secure and safeguard the entrusted PII and PHI, to prevent its unauthorized access and
`
`disclosure, to guard it from theft, and to detect any attempted or actual breach of its systems.
`
`These common law duties existed because Plaintiffs and Class members were the foreseeable and
`
`probable victims of any inadequate security practices. In fact, not only was it foreseeable that
`
`Plaintiffs and Class members would be harmed by the failure to protect their PII and PHI because
`
`hackers routinely attempt to steal such information and use it for nefarious purposes, Defendant
`
`knew that it was more likely than not Plaintiffs and Class members would be harmed by such
`
`exposure of their PII and PHI.
`
`54.
`
`Defendant’s duties to use reasonable security measures also arose as a result of the
`
`special relationship that existed between Defendant, on the one hand, and Plaintiffs and Class
`
`members, on the other hand. The special relationship arose because Plaintiffs and Class members
`
`entrusted Defendant with their PII and PHI, Defendant accepted and held the PII and PHI, and
`
`Defendant represented that the PII and PHI would be kept secure pursuant to its data security
`
`policies. Defendant alone could have ensured that its data security systems and practices were
`
`sufficient to prevent or minimize the data breach.
`
`CLASS ACTION COMPLAINT - 14
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 15 of 28
`
`
`
`55.
`
`Defendant’s duties to use reasonable data security measures also arose under
`
`Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45, which prohibits
`
`“unfair . . . practices in or affecting commerce,” including, as interpreted and enforced by the
`
`FTC, the unfair practice of failing to use reasonable measures to protect PII and PHI. Various
`
`FTC publications and data security breach orders further form the basis of Defendant’s duties. In
`
`addition, individual states have enacted statutes based upon the FTC Act that also created a duty.
`
`56.
`
`57.
`
`Defendant’s violations of Section 5 of the FTC Act constitute negligence per se.
`
`Defendant breached the aforementioned duties when it failed to use security
`
`practices that would protect the PII and PHI provided to it by Plaintiffs and Class members, thus
`
`resulting in unauthorized third-party access to the Plaintiffs’ and Class members’ PII and PHI.
`
`58.
`
`Defendant further breached the aforementioned duties by failing to design, adopt,
`
`implement, control, manage, monitor, update, and audit its processes, controls, policies,
`
`procedures, and protocols to comply with the applicable laws and safeguard and protect Plaintiffs’
`
`and Class members’ PII and PHI within its possession, custody, and control.
`
`59.
`
`As a direct and proximate cause of failing to use appropriate security practices,
`
`Plaintiffs’ and Class members’ PII and PHI was disseminated and made available to unauthorized
`
`third parties.
`
`60.
`
`Defendant admitted that Plaintiffs’ and Class members’ PII and PHI was
`
`wrongfully disclosed as a result of the breach.
`
`61.
`
`The breach caused direct and substantial damages to Plaintiffs and Class members,
`
`as well as the possibility of future and imminent harm through the dissemination of their PII and
`
`PHI and the greatly enhanced risk of credit fraud or identity theft.
`
`CLASS ACTION COMPLAINT - 15
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 16 of 28
`
`
`
`62.
`
`By engaging in the forgoing acts and omissions, Defendant committed the
`
`common law tort of negligence. For all the reasons stated above, Defendant’s conduct was
`
`negligent and departed from reasonable standards of care including by, but not limited to: failing
`
`to adequately protect the PII and PHI; failing to conduct regular security audits; and failing to
`
`provide adequate and appropriate supervision of persons having access to Plaintiffs’ and Class
`
`members’ PII and PHI.
`
`63.
`
`But for Defendant’s wrongful and negligent breach of its duties owed to Plaintiffs
`
`and the Class, their PII and PHI would not have been compromised.
`
`64.
`
`Neither Plaintiffs nor the Class contributed to the breach or subsequent misuse of
`
`their PII and PHI as described in this Complaint. As a direct and proximate result of Defendant’s
`
`actions and inactions, Plaintiffs and the Class have been put at an increased risk of credit fraud or
`
`identity theft, and Defendant has an obligation to mitigate damages by providing adequate credit
`
`and identity monitoring services. Defendant is liable to Plaintiffs and the Class for the reasonable
`
`costs of future credit and identity monitoring services for a reasonable period of time,
`
`substantially in excess of one year. Defendant is also liable to Plaintiffs and the Class to the extent
`
`that they have directly sustained damages as a result of identity theft or other unauthorized use of
`
`their PII and PHI, including the amount of time Plaintiffs and the Class have spent and will
`
`continue to spend as a result of Defendant’s negligence. Defendant is also liable to Plaintiffs and
`
`the Class to the extent their PII and PHI has been diminished in value because Plaintiffs and the
`
`Class no longer control their PII and PHI and to whom it is disseminated.
`
`//
`
`//
`
`CLASS ACTION COMPLAINT - 16
`
`
`
`
`
`TOUSLEY BRAIN STEPHENS PLLC
`1200 Fifth Avenue, Suite 1700
`Seattle, Washington 98101
`TEL. 206.682.5600 • FAX 206.682.2992
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`
`
`Case 2:22-cv-00870 Document 1 Filed 06/21/22 Page 17 of 28
`
`
`
`COUNT II
`INVASION OF PRIVACY
`(on behalf of