Plaintiff Jane Doe brought a privacy class action Tuesday in U.S. District Court for Central Illinois in Rock Island to address Genesis Health System’s “improper practice” of disclosing her confidential information to Meta, and “potentially others,” via “tracking technologies” used on the Genesis website. Information about a person’s physical and mental health “is among the most confidential and sensitive information in our society,” said the complaint (docket 4:23-cv-04209). The “mishandling” of medical information “can have serious consequences,” including discrimination in the workplace or denial of insurance coverage, it said. When Doe and her potential class members used the Genesis website and online platforms, “they thought they were communicating exclusively with their trusted healthcare provider,” it said. “Unbeknownst to them,” Genesis embedded tracking technologies from Facebook, Google and others into its website and online platforms, “surreptitiously forcing” Doe and the class members “to transmit intimate details about their medical treatment to third parties without their consent,” it said. After receiving that information from Genesis, Facebook “processes it, analyzes it, and assimilates it into its own massive datasets, before selling access to this data in the form of targeted advertisements,” said the complaint. Google and other companies “process data in a similar manner and use it to build marketing and other data profiles, allowing for targeted online advertising,” it said. Genesis could have chosen not to use the tracking technologies, or it could have configured them “to limit the information that it communicated to Facebook” and other platforms, but it didn’t, it said. Doe has been a Genesis patient for 30 years, and uses its website to search for doctors and schedule appointments, having last done so in September, it said. By failing to receive the “requisite consent” to disclose Doe’s private information to Facebook and others, Genesis violated its agreements with the plaintiff, its policies and the law, it said. Since using the Genesis website, Doe “has been targeted by online advertisements for prescription medications,” it added. Doe's complaint alleges that Genesis violated Health Insurance Portability and Accountability Act privacy standards, and those of the FTC and the Department of Health and Human Services. She also alleges violations of the Illinois Consumer Fraud and Deceptive Practices Act. She seeks “equitable relief” enjoining Genesis from engaging in the “wrongful conduct” described in her complaint.
Plaintiff Sophie Jani opposes transfer of her privacy class action (docket 3:23-cv-05054) against Patelco Credit Union to In Re: Moveit Customer Data Security Breach Litigation, said her Tuesday notice (docket 3083) before the U.S. Judicial Panel on Multidistrict Litigation. Jani’s case was transferred to U.S. District Court for Massachusetts from U.S. District Court for Northern California as part of conditional transfer order CTO-17.
Caesars Entertainment failed to take proper precautions to keep loyalty program customers’ personally identifiable information (PII) secure when it suffered an Aug. 23 data breach, alleged a Nov. 20 class action (docket 2:23-cv-01919) in U.S. District Court for Nevada in Las Vegas. Caesars filed a form 8-K with the SEC Sept. 7 disclosing it had been the target of a cyberattack and that hackers accessed its computer system that stores customers’ PII, including name; date of birth; passport, Social Security and driver’s license numbers; and financial account information. Plaintiff Vanessa Williams, New Brunswick, New Jersey; Rozalynn Fisher, Fontana, California; Laura Day, Pasadena, Maryland; Saruny Bin, Stockton, California; and Marlene Calzadopaez, Rochester, New York, received notices of the data breach dated from Oct. 13 to Oct. 20, telling them their PII was compromised. The plaintiffs were forced to invest “significant time” monitoring their accounts to detect and reduce the consequences of “likely identity fraud,” the complaint alleges. Plaintiffs assert claims of negligence; breach of implied contract; violations of consumer protection laws of Maryland and New Jersey; violation of the California Unfair Competition Law and New York General Business Law; and unjust enrichment. They seek statutory damages, damages in amounts to be determined by the court or jury, an order of restitution and pre-judgment interest on amounts awarded. A similar negligence suit was filed the previous week in the same court (see 2311160004). The hackers also breached MGM Resorts’ systems (see 2311020036 during the same time frame.
The U.S. Judicial Panel on Multidistrict Litigation transferred six cases involving the MOVEit data breach to U.S. District Court for Massachusetts in Boston, said a clerk’s order (docket 3083) Tuesday. Conditional transfer order 19 (CTO-19) includes Copans v. Sutter Health et al.,Clerc v. Fidelity Life Association,In re: UnitedHealthcare Student Resources Data Security Litigation, Jubran v. United HealthCare Services, Abramowitz vs. United HealthCare and Zaafan v. Umpqua Bank. The tagalong actions, from district courts in Eastern California, Northern Illinois, Minnesota and Western Washington, involve questions of fact common to the actions previously transferred to In re: MOVEit Customer Data Security Breach Litigation under U.S. District Judge Allison Burroughs. Since five cases were transferred Oct. 4, 139 additional actions have been assigned to the court. CTO-18, filed Friday, transferred Liptock v. MasTec, from South Carolina district court, and Evangelista v. National Student Clearinghouse from Eastern Virginia district court, said the order. Monday, Sovos Compliance submitted an opposition to CTO-15 related to Gorman v. Progress Software.
Pro se plaintiff Venton Smith’s motion for separate trials in his lawsuit against over 20 banks, credit reporting agencies and retail companies arising from the 2019 Capital One data breach is "premature,” said U.S. District Judge Araceli Martinez-Olguin in an order Monday (docket 3:23-cv-02804) in U.S. District Court for Northern California in San Francisco. Smith filed his case June 7, claiming his personally identifiable information was exposed in the breach, in which an Amazon Web Services employee stole data affecting about 106 million customers. Judge Martinez-Olguin said since the filing, several defendants have been dismissed and further dismissals are anticipated based on recent notices of settlement. Upon reassignment of the case to Martinez-Olguin on Nov. 9, all pending motions were taken off the calendar and pending motions not resolved by Monday’s order must be re-noticed for hearing, said the order. Last week, Smith filed notices of settlement with Citibank, Macy’s and Best Buy.
U.S. District Judge Josephine Staton for Central California in Los Angeles ordered Mandry Technology Solutions to show cause by Friday why plaintiff Dana Hughes’ privacy complaint against the company shouldn’t be remanded to Los Angeles County Superior Court because its diversity jurisdiction’s $75,000 amount-in-controversy requirement isn’t satisfied, said the judge’s Nov. 16 order (docket 2:23-cv-09502). Hughes alleges that Mandry, a supplier of IT, cybersecurity and cloud strategy enterprise services, “secretly installed” spyware on its website from third party Lead Forensics (see 2311120003). She alleges the spyware allows Mandry to “de-anonymize every anonymous visitor to the site” so that it knows each visitor's name, face, location, email and browsing history. Mandry attempts to meet its $75,000 burden “in large part by pointing to the cost of complying with an injunction,” should the court impose one in Hughes’ favor, said the judge’s order. But Mandry fails to allege any facts that allow the court “to determine whether the cost of complying with an injunction would actually push the amount in controversy over $75,000,” it said. Mandry also provides no information about the amount owed to Hughes in damages, “thereby making it impossible to know whether those damages, in combination with the costs of injunction compliance, easily surpass $75,000, as Mandry claims, it said.
EMS Management & Consultants moved to dismiss plaintiff Samantha O’Neal’s privacy complaint for lack of subject-matter jurisdiction and failure to state a claim on which relief may be granted, in a Thursday motion (docket 1:23-cv-00738) in U.S. District Court for Middle North Carolina. O’Neal’s fraud case involving the May MOVEit file transfer software data breach alleges EMS had a duty to protect her personally identifiable information and should have known “through readily available and accessible information about potential threats for the unauthorized exfiltration and misuse of such information.” O’Neal’s case was part of conditional transfer order 10 for transfer to In Re: MOVEit Customer Data Security Breach Litigation in U.S. District Court for Massachusetts, but O’Neal opposed the transfer in a Nov. 3 notice before the U.S. Panel on Multidistrict Litigation (see 2311060016).
Mandry Technology Solutions moved for dismissal of plaintiff Dana Hughes’ privacy complaint, partly on grounds that she’s a “serial filer of cookie-cutter lawsuits,” according to Mandry’s memorandum of points and authorities Thursday (docket 2:23-cv-09502) in U.S. District Court for Central California in Los Angeles in support of its motion to dismiss. Hughes alleges Mandry, a supplier of IT, cybersecurity and cloud strategy enterprise services, “secretly installed” spyware on its website from third-party Lead Forensics (see 2311120003). The spyware allows Mandry to “de-anonymize every anonymous visitor to the site” so that it knows each visitor's name, face, location, email and browsing history, her complaint said. But Hughes “alleges nothing about when she visited” Mandry’s website or what she did when she was there, according to the memorandum. She also doesn’t allege that Lead Forensics identified her, and alleges “no harm whatsoever,” because she has none, it said. The case is one of six that Hughes and her counsel, Robert Tauler of Tauler Smith in Los Angeles, have filed in the past two months alleging use of visitor identification software, it said. Each of the complaints pleads “near verbatim allegations arising from a website operator’s alleged collection of innocuous information” that asserts claims of an “unlawful computer hack,” said the memorandum. The complaints merely swap in “different defendants and websites,” it said. Hughes’ “cut-and-paste job belies the lack of merit to her claims,” it added. “Litigation tactics aside,” Hughes’ claims “fail for multiple reasons,” said the memorandum. “As a threshold matter,” Mandry isn’t subject to personal jurisdiction in California, it said. The complaint also should be dismissed under Federal Rule of Civil Procedure 12(b)(5) for insufficient service of process, it said. Her claims also fail on the merits, it said. She alleges “no tangible harm” under the California Comprehensive Computer Access and Fraud Act, plus she hasn’t alleged an “access” or “hack” in violation of the statute, it said. Her request for punitive damages also must be dismissed because she makes “no attempt to plead relief to punitive damages with particularity, as the law requires,” it said.
U.S. District Judge Paul Crotty for Southern New York in Manhattan dismissed a fraud case against toy maker Squishable arising from a 2022 data breach, said his order of dismissal Wednesday (docket 1:23-cv-3660). Squishable and plaintiff Christine Borovoy said this month that they were negotiating a settlement in the suit (see 2310060049), which asserted negligence, breach of contract, invasion of privacy and unjust enrichment claims. Crotty dismissed the case without prejudice and costs to either party, subject to reopening if the settlement isn’t consummated within 30 days.
Plaintiffs Saul and Shirley Lassoff asked the court for permission to file an emergency motion to preclude all other venues and duplicate litigation vs. defendant MGM Resorts International only and to issue a proposed first-to-file preclusion order in their negligence class action stemming from a September data breach, said their Wednesday letter (docket 1:23-cv-20419) to U.S. District Judge Joseph Rodriguez for New Jersey in Camden. The preclusion order requests that remaining cases involving the cyberattack on the hospitality company’s systems in September be transferred to Camden. The plaintiffs’ amended complaint added New Jersey, New York and Las Vegas MGM customers as potential class members in the action against MGM Resorts International and removed Caesars Entertainment, following the dismissal of Caesars without prejudice from the case this month (see 2310100027). The Lassoffs assert claims of breach of fiduciary duty and negligence.