Farley v. Eye Care Leaders Holdings, LLC

1

KIMBERLY FARLEY, CHAD FORRESTER, and KIMBERLY SANDVIG, on behalf of themselves and all others similarly situated, Plaintiffs, v. EYE CARE LEADERS HOLDINGS, LLC, Defendant.

No. 1:22-CV-468

United States District Court, M.D. North Carolina

January 31, 2023

MEMORANDUM OPINION AND ORDER

Catherine C. Eagles, District Judge.

After receiving notice from their eye care clinics that their personal information had been implicated in a data breach the plaintiffs Kimberly Farley, Chad Forrester, and Kimberly Sandvig began to worry about the future threat of identity theft. Mr. Forrester was soon the victim of a credit card fraud scheme, and Ms. Sandvig's credit score fluctuated dramatically despite no changes in her financial behavior. Believing these and other occurrences to be associated with the breach, the plaintiffs brought this class action lawsuit against the defendant, Eye Care Leaders Holdings, LLC (ECL) the entity that provides medical records platforms and patient management software to the plaintiffs' eye care clinics and whose data was breached.^[1] ECL moves to dismiss this action for lack of subject-matter jurisdiction and failure to state a claim. Because the plaintiffs allege facts sufficient to plausibly establish standing and ECL's remaining arguments are better presented and evaluated on a more developed factual record, the motion will be denied.

I. Overview of Factual Allegations and Causes of Action

ECL provides record-keeping and healthcare software to eye care clinics across the country. Doc. 31 at ¶¶ 25-28. Through its services, ECL maintains and controls sensitive patient information. Id. at ¶¶ 29-31. Patients provide personal health information and identifying information to their clinics and physicians who store and manage that data through ECL. Id. This includes dates of birth, health insurance information, Social Security numbers, and health care information. Id. at ¶¶ 1, 30.

Ms. Farley, Mr. Forrester, and Ms. Sandvig provided their personal information to their eyecare clinics, each of which uses ECL's services. Id. at ¶¶ 17-19, 55-57, 62-64, 73-74. ECL controlled and managed access to the plaintiffs' information on behalf of the eyecare clinics. Id.

In 2021, ECL suffered from at least four data breaches, collectively referred to as “the data breach.” Id. at ¶¶ 1, 3-7. In March 2021, “cybercriminals infiltrated ECL's computer systems and crippled a record-keeping system ECL provided to eye care clinics across the country.” Id. at ¶ 3. During this breach, ECL “permanently lost control” over sensitive patient information. Id. at ¶¶ 38-39. A similar attack happened in April 2021, id. at ¶¶ 4, 41, and in August 2021 a former ECL employee “accessed ECL's systems and patient's Private Information.” Id. at ¶ 6; see also id. at ¶ 42. In December 2021, another breach “exposed substantial amounts of patients' Private Information.” Id. at ¶ 43. The total number of data breach victims is approximately three million. Id. at ¶¶ 2, 45.

The plaintiffs' eyecare clinics notified them of the breach. Id. at ¶¶ 58-59, 65, 75. As a result of the data breach, each plaintiff has spent considerable time and effort monitoring accounts to protect or minimize harm from fraudulent activity. Id. at ¶¶ 61, 68, 82. Mr. Forrester was also “the victim of a credit card fraud scheme that resulted in an unauthorized and fraudulent charge” of about $150 on his credit card. Id. at ¶ 69. Ms. Sandvig's email has been hacked since the data breach, and someone changed her email address. Id. at ¶ 78. Her credit score “plummeted even though she had not changed any of her financial behavior for months,” id. at ¶ 79, she “has been receiving a significantly higher number of spam emails and texts,” and has “received a letter indicating that her” personal information “was recently found on the dark web,” id. at ¶ 80, and she now “spends approximately $28 a month on data protection services.” Id. at ¶ 81.

The plaintiffs bring claims for negligence, invasion of privacy, unjust enrichment, and breach of fiduciary duty. They assert federal jurisdiction under 28 U.S.C. § 1332(d), the Class Action Fairness Act.

II. Analysis

A. Standing

ECL contends that the plaintiffs' complaint should be dismissed because they fail to allege facts that plausibly show they have standing to sue. Doc. 36 at 7-17. This is a facial challenge to standing, so all well-pleaded facts in the complaint are accepted as true and construed in the light most favorable to the plaintiffs. See Wikimedia Found. v. Nat'l Sec. Agency, 857 F.3d 193, 208 (4th Cir. 2017).

“The doctrine of standing is an integral component of the case or controversy requirement” of federal jurisdiction. Miller v. Brown, 462 F.3d 312, 316 (4th Cir. 2006). “The party invoking federal jurisdiction bears the burden of establishing” standing. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). The party “must demonstrate standing for each claim” and “for each form of relief” it seeks. TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2208 (2021).

Standing under Article III has three elements: (1) “the plaintiff must have suffered an injury in fact,” (2) the injury must be “fairly traceable” to the defendant, and (3) “it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Lujan, 504 U.S. at 560-61 (cleaned up).

Injury in fact is the “invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560 (cleaned up). “For an injury to be particularized, it must affect the plaintiff in a personal and individual way.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016) (cleaned up). “A concrete injury must be de facto; that is, it must actually exist.” Id. at 340 (cleaned up). “[I]ntangible harms can also be concrete.” TransUnion, 141 S.Ct. at 2204 (discussing how reputational harms, disclosure of private information, and abridgement of free speech qualify as concrete harms). Two recent Fourth Circuit cases provide helpful guidance in evaluating injury and traceability in a data breach case.

In Beck v. McDonald, the court considered two consolidated appeals brought by plaintiffs who sued a medical center after two data breaches compromised their personal information. 848 F.3d 262, 266-67 (4th Cir. 2017). In one underlying case, a laptop computer containing unencrypted patient information was either lost or stolen. Id. at 267. In the other, “four boxes of pathology reports headed for long-term storage” and containing personal information “had been misplaced or stolen.” Id. at 268. In both cases, the plaintiffs alleged injury in fact based on an increased risk of identity theft, and the district court dismissed the claims for lack of standing. Id. at 267-69.

The Fourth Circuit affirmed, agreeing that the harms alleged were too speculative to establish standing because they required the court to engage with and credit an “attenuated chain of possibilities.” Id. at 275 (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 410 (2013)). To find harm, the court would have to assume “that the thief targeted the stolen items for the personal information they contained” and that the thief would “then select, from thousands of others, the personal information of the named plaintiffs and attempt successfully to use that information to steal their identities.” Beck, 848 F.3d at 275. This chain of possibilities was not sufficient to confer standing, especially since there was no indication that the information had been stolen for the purpose of identity theft or that any plaintiff was the victim of identity theft. Id.

The next year, the Fourth Circuit considered Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc, involving three optometrist-plaintiffs whose personal information was allegedly stolen when thieves stole data from the defendant, the National Board of Examiners in Optometry, Inc. 892 F.3d 613, 616 (4th Cir. 2018). Despite allegations that after the data breach unauthorized persons opened credit cards in the plaintiffs' names, that their identities had thus been stolen, and that they had spent time and money on mitigation, the district court dismissed the claims for lack of standing. Id. at 617-18.

The Fourth Circuit distinguished the case from Beck and reversed, explaining that “[i]n Beck, the plaintiffs alleged only a threat of future injury in the data breach context where a laptop and boxes” containing personal information “had been stolen, but the information contained therein had not been misused.” Id. at 621-22. In contrast, the plaintiffs in Hutton “allege[d] that they ha[d] already suffered actual harm in the form of identity theft and credit card fraud.” Id. at 622. They had thus “been concretely injured by the data breach” because someone used or attempted to use their information to open credit cards without their knowledge. Id. Unlike in Beck, this harm was not speculative and was sufficient to allege injury in fact. Id.

The plaintiffs' cases are more like Hutton than Beck. Unlike in Beck where a laptop was either stolen or lost and four boxes of pathology reports were missing, Beck, 848 F.3d at 267-69, 274-75 thieves here targeted personal information in a series of massive and deliberate acts, giving rise to an easy inference that the thieves intended to misuse the personal information they stole. There may be many reasons unrelated to identity theft why someone might steal a laptop, such as obtaining the laptop itself, and it is not uncommon for old boxes of documents to be lost or misplaced. But one is hard pressed to think of a reason why data thieves would engage in a large-scale and sophisticated operation to steal electronic data...