American Vision Partners knew its patients’ personally identifiable information (PII) and personal health information (PHI) were compromised in a Nov. 14 data breach, but it “inexcusably delayed disclosing and providing notice” of the incident to its victims until February, alleged a class action Tuesday (docket 2:24-cv-00463) in U.S. District Court for Arizona in Phoenix. American Vision determined on Dec. 6 that hackers had compromised its patients' PII and PHI, affecting some 2 million individuals, but only first publicly disclosed the breach to the Department of Health and Human Services on Feb. 6; it then began issuing data breach notices to affected patients, the complaint said. Plaintiffs Ralph Gallegos of El Paso County, Texas, and James Drews of Pinal County, Arizona, received notices dated Feb. 15 from American Vision, informing them their PII and PHI were compromised in the data breach. As a result, both plaintiffs will be forced to invest “significant time” monitoring their accounts to detect and reduce the consequences of “likely identity fraud,” the complaint said. American Vision had numerous statutory, regulatory, contractual and common law duties and obligations to patients to keep their PII and PHI confidential, secure and protected from unauthorized access, the complaint said. The data exposed in the breach -- including Social Security numbers, medical records, and health and insurance data -- indicates plaintiffs and class members have suffered “irreparable harm,” it said. The defendant “failed to use reasonable security procedures” appropriate to the nature of the private information it maintained for the plaintiffs, it said. Causes of action include negligence and negligence per se, breach of implied contract, invasion of privacy, unjust enrichment and violation of the Arizona Consumer Fraud Act, it said. Plaintiffs seek statutory damages, prejudgment interest and an order of restitution. American Vision didn't comment Wednesday.
The plaintiffs have shown injury and have “more than adequately pled” their data breach claims, said their opposition Tuesday (docket 1:23-cv-01168) in U.S. District Court for Colorado in Denver to Dish Network’s motion to dismiss their consolidated complaint in its entirety. The case involves a February 2023 ransomware attack in which the personally identifiable information (PII) of Dish employees and family members was compromised. Dish employees and their family members have suffered financial, reputational and other cognizable injuries, the opposition said. Some plaintiffs have experienced actual harm: they had bank accounts opened illegally in their names, were denied jobs or discovered attempts to apply for unemployment in their names, said the filing. It’s not just “theoretical” that plaintiffs’ PII may be misused by criminals, said the opposition: “It already has been -- and the door is wide open now for all of them to experience increased misuse going forward.” Article III standing requires that plaintiffs’ injuries are fairly traceable to the challenged action of the defendant, it said. Plaintiffs “easily satisfy this standard” by alleging the data breach occurred as a result of Dish’s “misconduct,” allowing cybercriminals to access their private information, including Social Security numbers, and that the stolen data was misused, it said. Without Dish’s “misconduct,” the plaintiffs wouldn’t have been harmed, it said. Dish argued that one injury related to a plaintiff’s debit card number being used for unauthorized charges was insufficient because the consolidated amended complaint didn’t provide details about the purchase or that he provided a particular debit card number. “But so what?” said the opposition, saying it’s unnecessary to allege debit card numbers in a pleading.
Dish asserted the plaintiffs haven’t alleged any facts suggesting a future data breach is likely, but it has already been breached once “due to inadequate data security – and it is foreseeable another breach will occur,” the opposition said. Plaintiffs' claim for injunctive relief doesn’t rely solely on past conduct but also relies on protecting their PII still backed up in Dish’s possession, it said. Class members are largely past and current employees of Dish, and the company is obligated, under the Fair Labor Standards Act, to maintain their PII for up to three years, post severance, said the opposition. Without better cybersecurity going forward, class members’ information is “vulnerable to another hack and, if and when it does happen, the results would likely be devastating,” giving plaintiffs standing to seek injunctive relief, it said. Dish concluded it had no duty to protect plaintiffs’ PII, but an employer’s duty to protect employees’ PII has been recognized in circuit courts across the country, it said. Dish argued that a claim for breach fails because it made no representations regarding an agreement to provide data security to plaintiffs, but an express communication regarding the agreement doesn’t need to be made, the opposition said. As a condition of being employed, current and former employees were required to provide their PII to Dish, it said. Dish accepted the PII with the understanding it would take “appropriate steps to safeguard” it; otherwise, plaintiffs would not have provided it, said the filing.
The National Association of Attorneys General requested “immediate action” from Facebook and Instagram for the “dramatic increase in user account takeovers and lockouts” on the social media platforms, said their Tuesday letter to Meta Platforms Chief Legal Officer Jennifer Newstead. The letter came on the same day both platforms experienced disruptions when users weren’t able to log in to their accounts for over two hours. Meta issued a cursory tweet on X Tuesday acknowledging the outage but not giving a reason for it: “We know some people were having trouble accessing our apps earlier. Apologies for any inconvenience this may have caused, and thank you for your patience while our teams worked quickly to resolve!” The Tuesday letter, signed by 41 AGs, cited a “dramatic and persistent spike in complaints in recent years concerning account takeovers that is not only alarming for our constituents but also a substantial drain on our office resources.” In account takeovers, threat actors compromise Facebook and Instagram user accounts and change passwords so the rightful owner can’t access the account, the AGs said. The hackers can then “usurp personal information, read private messages, scam contacts, post publicly, and take other nefarious actions,” the letter said. There’s risk of financial harm to those users who use Facebook Marketplace for their business and those who have credit cards tied to their accounts, it said, referencing complaints of hackers “fraudulently charging thousands of dollars to stored credit cards.” In 2019, the New York Attorney General’s office received 73 account takeover complaints on Meta platforms; the number rose to 783 last year, and in January alone, the office received 128 complaints, it said. 
“While we may not be completely certain of any connection, we note that the increase in complaints occurred around the same time Meta announced a massive layoff of around 11,000 employees in November 2022, which reportedly focused on the ‘security and privacy and integrity sector,’” the letter said. The AGs urged Meta to “substantially increase its investment in account takeover mitigation tactics, as well as responding to users whose accounts were taken over.” The AGs “refuse to operate as the customer service representatives of your company,” it said, saying “proper investment in response and mitigation is mandatory.” In addition, they requested materials on the number of account takeovers over the past five years; suspected causes of the increase in account takeovers; safeguards in place to prevent account takeovers; current policies and procedures related to Meta’s response to account takeovers; and staffing related to safeguarding the platforms against account takeovers and responding to complaints. A Meta spokesperson emailed Wednesday: “Scammers use every platform available to them and constantly adapt to evade enforcement. We invest heavily in our trained enforcement and review teams and have specialized detection tools to identify compromised accounts and other fraudulent activity.” Meta regularly shares tips and tools people can use “to protect themselves, provide a means to report potential violations, work with law enforcement and take legal action,” she said. AGs from Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming signed the letter.
Dagyana Ortiz-Nieves and Alternative for Kids seek the dismissal without prejudice of their verified complaint against Liberty Mobile of Puerto Rico, said their notice Tuesday (docket 3:23-cv-01613) in U.S. District Court for Puerto Rico in San Juan. The Dec. 18 SIM swap complaint alleged that four Liberty employees accessed Ortiz-Nieves’ account without her authorization about 30 times between December 2020 and June 2022 and repeatedly failed to safeguard her personally identifiable information and customer proprietary network information (see 2312190061). Ortiz-Nieves is president of Alternative for Kids, a daycare center in Bayamon, Puerto Rico.
The 9th U.S. Circuit Court of Appeals is considering for an upcoming oral argument calendar in San Francisco in July or August the appeal of six Chrome users against Google, said a text-only docket entry Monday (docket 22-16993). The six plaintiff-appellants seek to reverse a December 2022 district court order granting summary judgment for Google in a class action that alleged Google improperly collects the personal information of users who opt not to sync their browsers to their Google accounts (see 2212290037).
The Feb. 27 decision in the Northern District of California in Massel v. Successfulmatch.com (docket 23-cv-02389) provides supplemental authority to support Indira Falcon’s opposition to TelevisaUnivision Digital’s motion to compel her claims to arbitration, said Falcon’s notice Friday (docket 8:23-cv-02340) in U.S. District Court for Middle Florida in Tampa. Falcon’s class action alleges TelevisaUnivision knowingly violated the Video Privacy Protection Act by embedding the Meta Pixel tool on its website to track users’ video viewing history and then reporting that history to Facebook (see 2310170001). Falcon’s opposition contends that TelevisaUnivision failed to give her and her class members proper “inquiry notice” of its terms and arbitration provision. The judge in Massel found that because the defendant’s links to its terms didn’t appear in a contrasting color, the court must conclude that they weren’t reasonably conspicuous enough to put Massel on notice of the terms and that the plaintiff therefore can’t be said to have assented to them, said Falcon’s notice. “This conclusion is bolstered by the fact that other links on the signup page appear in all capital letters,” while the links to the service agreement and privacy policy are in “title case,” it said. These distinctions “may seem picayune,” but website operators “have ultimate control over their design decisions,” it said. Nothing requires them to present terms as “subtle hyperlinks” to separate pages instead of requiring users to scroll through the actual terms before signing up, it said.
Publishers Clearing House (PCH) seeks the dismissal of James Camoras’ Dec. 15 class action under Utah’s Notice of Intent to Sell Nonpublic Personal Information Act (NISNPIA) because the statute “explicitly forbids” class actions, said PCH’s motion Friday (docket 4:23-cv-00118) in U.S. District Court for Utah in St. George. Camoras bought a tripod and a book from PCH in December 2022 and February 2023, and he alleges that PCH didn’t notify him that it discloses customers' private purchase information to third parties (see 2312180014). Without Camoras’ class claims, the court doesn’t have jurisdiction over the plaintiff's individual claim, as it’s not sufficient to meet the amount in controversy required by statute, said PCH’s motion. He also has failed to allege the “essential elements” of a claim under NISNPIA, it said. Even if the court did have jurisdiction over this matter, the complaint fails to allege that PCH itself “maintains an office in Utah, which is a required element under NISNPIA,” it said. The complaint also fails to adequately allege that PCH disclosed Camoras’ nonpublic personal information to any third party, it said.
Plaintiffs in two privacy lawsuits vs. Forward Bank voluntarily dismissed their cases without prejudice, said a notice (docket 3:23-cv-00844) Friday in U.S. District Court for Western Wisconsin in Madison. The negligence actions, brought by Matthew Hamilton and Ethan Rohland (docket 3:23-cv-00852), asserted Forward Bank handled their personally identifiable information in a reckless manner during a September data breach (see 2312110012).
Jessica Carey, who sued Comcast and Citrix in January involving the cloud platform provider’s October data breach (see 2401030066), filed a notice of voluntary dismissal without prejudice Friday (docket 0:24-cv-60008) in U.S. District Court for Southern Florida in Fort Lauderdale. Carey’s negligence class action was one of a dozen named in a January motion before the Judicial Panel on Multidistrict Litigation for transfer to the Eastern District of Pennsylvania in Philadelphia for coordinated or consolidated pretrial proceedings (see 2401120011). Carey's negligence suit alleges she was required to give Comcast her personal information as a condition of receiving internet service, and she has since suffered emotional distress and lost time associated with mitigating the breach's impact.
Sellers International, the parent company of Quimbee, a website tailored to law students, seeks the dismissal of Isaac Shapiro’s Jan. 4 Video Privacy Protection Act class action for failure to state a claim on which relief may be granted, said its motion Thursday (docket 4:24-cv-00079) in U.S. District Court for Northern California in Oakland. Shapiro alleges Sellers knowingly disclosed his personally identifiable information (PII), including a record of case brief videos he watched on the Quimbee website, without his consent (see 2401110045). He alleges that Quimbee installed the HubSpot tracking code on its website, which tracks and records visitors’ private video consumption. But the plaintiff’s complaint “lacks crucial allegations” to bring a VPPA claim against Quimbee, said the defendant’s memorandum of points and authorities in support of its motion to dismiss. Shapiro fails to allege Quimbee is a videotape service provider under the VPPA, “or that an ordinary person would be able to glean video viewing history from the information allegedly shared with HubSpot,” it said. Quimbee also didn’t disclose any PII, as HubSpot “is merely the tool that Quimbee uses to collect information about Quimbee’s own customers, exclusively for Quimbee’s own use,” it said. If the VPPA is interpreted in the manner that Shapiro “advocates,” the VPPA violates due process and the First Amendment, it said. Shapiro’s California Invasion of Privacy Act claim also fails because Quimbee didn’t “aid or abet its software vendor,” and Shapiro has failed to allege that HubSpot violated the CIPA, it said.