Dusterhoft v. OneTouchPoint Corp.

1

RICHARD DUSTERHOFT, et al, Plaintiffs, v. ONETOUCHPOINT CORP, Defendant.

No. 22-cv-0882-bhl

United States District Court, E.D. Wisconsin

September 23, 2024

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS

BRETT H. LUDWIG, UNITED STATES DISTRICT JUDGE

This putative class action stems from an April 2022 data breach in which hackers gained access to Defendant OneTouchPoint Corp. (OneTouchPoint)'s computer systems. Plaintiffs have filed fifteen lawsuits against OneTouchPoint, alleging that their personal information was exposed as a result of the data breach. In a September 29, 2022 order, the Court consolidated the actions and appointed interim co-lead counsel, who, with OneTouchPoint's consent, filed a Consolidated and Amended Class Action Complaint (Consolidated Complaint). (See ECF Nos. 12 & 15.) After the parties spent more than a year attempting a settlement, on November 20, 2023, OneTouchPoint filed a motion to dismiss, contending that Plaintiffs lack standing to pursue their claims and, even if they have standing, they fail to state actionable claims. (ECF Nos. 55 & 55-1.)

The Court will grant OneTouchPoint's motion but only in part. With respect to standing, the Court is skeptical that all of the named Plaintiffs have in fact suffered sufficiently concrete injuries to support standing, but under binding Seventh Circuit law, the Consolidated Complaint sufficiently alleges injury at the pleading stage for all but one Plaintiff (Dusterhoft). The Court agrees with OneTouchPoint however, that Plaintiffs' claims for injunctive and declaratory relief are unlikely to be redressed by a favorable decision and that portion of the motion to dismiss will be granted. The Court also agrees with OneTouchPoint that Plaintiffs have failed to support at least some of their substantive claims with plausible factual allegations sufficient to maintain those claims, and those claims will be dismissed. Plaintiffs have adequately alleged several of their other claims, however, and OneTouchPoint's motion will be denied as to those causes of action, which include their common-law claims for negligence, negligence per se, and unjust enrichment, as well as statutory claims under Wisconsin, Georgia, and South Carolina law.

BACKGROUND^[1]

This litigation arises from an April 27, 2022 data breach at OneTouchPoint. (ECF No. 15 ¶5.) OneTouchPoint is a mailing and printing services vendor in the healthcare sector. (Id. ¶2.) Plaintiffs include patients of OneTouchPoint's clients whose personal information was compromised in the data breach, along with two former OneTouchPoint employees whose information was similarly compromised. (Id. ¶¶43, 208, 278.) Plaintiffs' proposed class includes the approximately 2.6 million individuals whose personal information was exposed during the breach. (Id. ¶¶1, 22.)

OneTouchPoint is a Delaware corporation headquartered in Hartland Wisconsin. (Id. ¶33.) It provides services including brand management, marketing, printing, and supply chain logistics to healthcare providers. (Id. ¶37.) In order to provide its services, OneTouchPoint requires its clients to provide information about their patients, including personally identifiable information (PII) and personal health information (PHI). (Id. ¶¶1, 3.) The information OneTouchPoint collects and maintains includes names, addresses, Social Security numbers (SSNs), member IDs, dates of birth, health insurance information, and other medical information provided during health assessments. (Id. ¶¶3, 39.)

On April 28, 2022, OneTouchPoint detected encrypted files on some of its computer systems. (Id. ¶4.) A subsequent investigation revealed that an unauthorized party had accessed some of its servers on April 27, 2022. (Id. ¶5.) Less than six weeks later, on June 3 2022, OneTouchPoint provided written notice of the breach to its clients. (Id. ¶6.) The notice letter stated that “the impacted systems contained information related to individuals provided by [OneTouchPoint's] customers,” but OneTouchPoint could not confirm what personal information was accessed by the perpetrator. (Id. ¶7.) OneTouchPoint initially reported that the breach impacted 1,073,316 individuals' data, but that number later rose to more than 2.6 million. (Id. ¶9.) The affected individuals include patients of nearly 40 health insurance companies and healthcare service providers. (Id. ¶60.)

The scope of information compromised in the breach included names, member IDs, and information provided during health assessments including dates and descriptions of service, diagnosis codes, medications, medical recommendations, and other medical information. (Id. ¶10.) At least one OneTouchPoint client reported that SSNs were also exposed by the breach. (Id. ¶59.) In July 2022, OneTouchPoint began to provide written notice to individuals whose data was compromised in the breach. (Id. ¶54.)

Plaintiff Michael Meza is an Arizona resident and former OneTouchPoint employee. (Id. ¶¶24, 208.) He provided personal information to OneTouchPoint pursuant to his employment. (Id. ¶209.) In an August 26, 2022 letter, OneTouchPoint informed Meza that his personal information, including his name, SSN, and driver's license number, had been exposed in the breach. (Id. ¶210.) The letter advised him to “remain vigilant against incidents of identity theft and fraud by reviewing [his] account statements and monitoring free credit reports for suspicious activity.” (Id.) OneTouchPoint offered Meza twelve months of complimentary credit monitoring and identity protection services through Equifax. (Id.) As a result of the breach, Meza has spent approximately two to three hours updating passwords and credits cards and anticipates spending more time and money to mitigate the effects of the data breach. (Id. ¶¶214, 217.)

Plaintiff Michael Meeks is a Georgia resident whose health insurance provider is Humana, a OneTouchPoint client. (Id. ¶¶25, 218.) Meeks provided personal information to Humana and Humana provided that information to OneTouchPoint. (Id. ¶219.) In a July 27, 2022 letter, OneTouchPoint informed Meeks that his personal information, including his name, member ID, and information he may have provided during a health assessment, had been exposed in the breach. (Id. ¶220.) Meeks was advised by OneTouchPoint to protect against fraud and identity theft but was not offered any complimentary credit monitoring. (Id.) Following the data breach, Meeks has experienced unauthorized charges from a credit company for a loan he did not apply for, as well as several bank notifications regarding loan payments for fraudulent loans. (Id. ¶224.) Meeks's credit score has also dropped 99 points following the breach and he has been informed that his SSN has been associated with an individual's employment at a hospital where Meeks has never worked. (Id.) Meeks has also noticed an increase in spam calls and texts following the breach. (Id.) He has spent several hours combating these issues and anticipates spending more time and money combatting the effects of the breach. (Id. ¶¶224, 227.)

Plaintiff Marcie Strickland is a Georgia resident whose health insurance provider is CareSource, a OneTouchPoint client. (Id. ¶¶26, 228.) Strickland provided personal information to CareSource and CareSource provided that information to OneTouchPoint. (Id. ¶229.) In a July 2022 letter, OneTouchPoint informed Strickland that her personal information, including her name, date of birth, address, member ID, and other medical information, had been exposed in the breach. (Id. ¶230.) Following the data breach, Strickland has experienced dozens of unauthorized credit inquiries that have impacted her ability to secure a home loan. (Id. ¶234.) She has also received an increase in spam calls, leading her to change her phone number. (Id.) Strickland has spent several hours responding to these incidents and anticipates spending more time and money combatting the effects of the breach. (Id. ¶¶234, 237.)

Plaintiff Richard Dusterhoft is a Minnesota resident who receives health insurance from Humana through Medicare. (Id. ¶¶28, 238.) Dusterhoft provided personal information to Humana and Humana provided that information to OneTouchPoint. (Id. ¶239.) In a July 27, 2022 letter, OneTouchPoint informed Dusterhoft that his personal information, including his name, member ID, and information he may have provided during a health assessment, had been exposed in the breach. (Id. ¶240.) Dusterhoft was advised by OneTouchPoint to protect against fraud and identity theft but was not offered any complimentary credit monitoring. (Id.) Following the data breach, Dusterhoft has received an increase in spam calls. (Id. ¶244.) Dusterhoft anticipates spending considerable time and money mitigating the effects of the breach. (Id. ¶247.)

Plaintiff Robin Guertin is a South Carolina resident whose health insurance provider is Humana. (Id. ¶¶29, 248.) Guertin provided personal information to Humana and Humana provided that information to OneTouchPoint. (Id. ¶249.) In a July 27, 2022 letter, OneTouchPoint informed Guertin that her personal information, including her name, member ID, and information she may have provided during a health assessment, had been exposed in the breach. (Id. ¶250.) Guertin was advised by OneTouchPoint to protect against fraud and identity theft but was not offered any complimentary credit monitoring. (Id.) As a result of the breach, Guertin has spent time carefully reviewing her accounts for fraudulent activity and anticipates spending more time and money to mitigate the effects of the data breach. (Id. ¶¶254, 257.)

Plaintiff Shira Haid is a Wisconsin resident whose health insurance provider is Common Ground Healthcare Cooperative (Common Ground), a OneTouchPoint...