did not fall within the scope of “medical, surgical, dental, or related functions” as described in the statute. The Fourth Circuit analyzed the plain language of § 233(a), noting that “related functions” should be limited to activities closely tied to medical care. Id. at 258-60. The Fourth Circuit further determined that the breach occurred due to the defendant’s data security practices rather than its provision of medical care, which if found to be an administrative function, not directly related to health care services. The Fourth Circuit opined that § 233(a) was intended to cover damages arising from the provision of health care, and since the plaintiff’s alleged damages resulted from a data breach that occurred well after her treatment ended, it was not directly related to the provision of medical services. Accordingly, the Fourth Circuit vacated and remanded the district court’s ruling. 2. Dispositive Motion Decisions The plaintiffs in Wittmeyer, et al. v. Heartland Alliance For Human Needs & Rights, 2024 U.S. Dist. LEXIS 8803 (N.D. Ill. Jan. 17, 2024), filed a class action alleging negligence, negligence per se, breach of express and implied contract, breach of the Illinois Consumer Fraud Act and Deceptive Business Practices Act claims, and claims for declaratory and injunctive relief in connection with the defendant’s suffering of a data breach that exposed clients’ personally identifiably information (PII) and personal health information (PHI). The defendant (Heartland) filed a motion to dismiss pursuant to Rule 12(b)(6). The court granted that motion in part and denied in part. Heartland is a non-profit, anti-poverty organization that provides healthcare and other services to individuals. Id. at *1. To receive services, individuals provide Heartland with PII such as their names and social security numbers. Id. For those individuals who receive medical services, Heartland also collects and stores PHI, including medical diagnoses and medication records. Id. In January 2022, unauthorized individuals obtained access to the PII and PHI of Heartland’s clients, employees, and independent contractors. Id. In December 2022, the plaintiffs received notice that their PII and PHI were compromised in the data breach. Id. The plaintiffs alleged that they experienced various damages such as increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with the data breach, and, in particular as to plaintiff Appiakorang, that someone fraudulently obtained car insurance in her name. Id. The court granted the defendant’s motion to dismiss the negligence per se, express and implied breach of contract, violation of the ICFA claim, and claims seeking declaratory judgment and injunctive relief. Id. at *7. The court, however, denied Heartland’s motion to dismiss the plaintiffs’ negligence claim. Heartland asserted that it did not owe the plaintiffs a duty to safeguard their personal information. Id. The court disagreed. It determined that it “declines to find, as a matter of law, that Heartland owed no duty to the plaintiff to safeguard their personal information.” Id. The Court granted Heartland’s motion to dismiss the plaintiffs’ negligence per se claim, reasoning that a violation of a statute only constitutes negligence per se “when it is clear that the legislature intended for the act to impose strict liability.” Id. at *3. Since the plaintiffs did not allege that either the Federal Trade Commission Act (FTCA) or Health Insurance Accountability and Portability Act (HIPAA) imposed strict liability, the court granted Heartland’s motion to dismiss. Id. at *4. The court also granted Heartland’s motion to dismiss the plaintiffs’ breach of express and implied contract claims. Id. at *4-6. The court dismissed the plaintiffs’ breach of express contract claim because they failed to allege facts in the complaint to demonstrate that the parties entered into an express contract regarding security measures for the plaintiffs’ PII and PHI. Id. at *4. While the court observed that an implied contract could exist between the parties, because the plaintiffs’ complaint did not contain any allegations that the plaintiffs suffered monetary damages as a result of the data breach, the court dismissed their breach of implied contract claim. Id. at *5-6. Finally, the Court dismissed the plaintiffs’ ICFA and declaratory judgment and injunction “claims.” Id. at *6-7. Under the ICFA, the court opined that the plaintiffs were required to plead facts sufficient to demonstrate the existence of a “real and measurable” loss, and the plaintiffs failed to plausibly plead that they suffered an economic loss. Id. In addition, the court dismissed the plaintiffs’ declaratory judgment and injunction “causes of action,” noting that while they are forms of relief, they are not cognizable, independent causes of action. Id. at *7. For these reasons, the court granted Heartland’s motion to dismiss on all claims except the traditional negligence claim. In a putative class action stemming from a data breach involving defendant NCB Management Services (NCB), In Re NCB Management Services Inc. Data Breach Litigation , 2024 U.S. Dist. LEXIS 163260 (E.D. Penn. Sept. 11, 2024), the plaintiffs alleged that NCB, a debt collection company, failed to adequately protect their personal information, which was compromised during the breach. The plaintiffs, former customers of Bank of America (BOA) and Pathward, N.A. (Pathward), alleged that NCB obtained their personally identifiable information (PII) from the financial institutions to service and collect on their accounts. The plaintiffs asserted that NCB
5
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025
Made with FlippingBook - professional solution for displaying marketing and sales documents online