Act, and injunctive/declaratory relief under the Declaratory Judgment Act, as well as newly added claims for breach of fiduciary duty and violation of the North Carolina Unfair Trade and Deceptive Trade Practices Act. The defendants sought dismissal on the same grounds, i.e., for the plaintiff’s failure to allege an injury in fact, and in the alternative, for failure to state a claim. Specifically, the defendants alleged the plaintiff failed to cure the deficiencies of his complaint, and that the plaintiff’s new allegations neither established that he suffered an actual injury or that he had a substantial risk of future injury. As in its prior opinion, the court found that the “harm” asserted was too attenuated because “unauthorized attempts on Plaintiff’s accounts are insufficient to constitute a particularized, concrete injury, and Plaintiff’s ‘time spent’ may only constitute a present injury if he can establish a substantial risk of future injury of identity theft.” Id. at *10-20. The court further found that the plaintiff’s purported injury that he lost the ability to invest in the market at advantageous rates was not causally connected to the coding error and his loss in investment opportunity. In sum, the court dismissed the complaint and concluded that the plaintiff failed to cure the deficiencies in the amended complaint and his allegations are insufficient to establish that he suffered a concrete, particularized present injury in fact. In Logan, et al. v. Marker Group, Inc., 2024 U.S. Dist. LEXIS 126653 (S.D. Tex. July 18, 2024), the plaintiffs filed a class action alleging negligence, breach of contract, invasion of privacy, unjust enrichment, breach of confidence, and violation of the California Confidentiality of Medical Information Act (CMIA) against the defendant following a data breach that exposed their PII. The defendant moved to dismiss all counts of the plaintiffs’ complaint except the negligence claim, arguing both that the court lacked jurisdiction over two plaintiffs who had suffered no concrete injury and that the plaintiffs failed to adequately plead their remaining claims. First, the defendant contended that plaintiffs Logan and Baxter lacked standing because they did not demonstrate actual injury from the breach. The defendant argued that claims of future risk and mitigation efforts did not constitute concrete harm and that any damages related to diminution of the value of their PII were unsupported. The court agreed. It found that mitigation efforts cannot “manufacture standing” where the risk of future identity theft is hypothetical and not certainly impending. Id. at *16. As to the remaining plaintiff who had an unauthorized line of credit opened in his name, the defendant argued that the breach of implied contract claim must be dismissed because there was no mutual agreement between the parties, and that the defendant never made specific promises regarding data security. The plaintiffs asserted that an implied contract was formed based on the expectation of reasonable data protection measures, which was supported by the defendant’s website promises. The court found that the plaintiffs failed to establish that the defendant solicited or explicitly agreed to protect personal information beyond what federal law required. In turn, the court dismissed the breach of implied contract claim. The defendant also moved to dismiss the plaintiffs’ invasion of privacy claim, arguing that plaintiffs failed to provide sufficient facts to show intentional intrusion. The court agreed, and found that the plaintiffs had voluntarily provided information, and the claim was based on alleged negligence rather than intentional conduct. Accordingly, the court dismissed the invasion of privacy claim. The defendant further asserted that the plaintiffs’ claim for unjust enrichment should be dismissed because they did not confer any benefit upon them. The plaintiffs argued that their personal information, which the defendant received, was a benefit. The court concluded that the plaintiffs’ claim for unjust enrichment failed due to lack of evidence that they conferred a benefit, and dismissed the claim. In contrast, the defendant argued that the plaintiffs’ breach of confidence claim should be dismissed because it was not recognized under Texas law. The court agreed, and ruled that the plaintiffs failed to present any legal precedent for such a claim in Texas. Finally, the court concluded that the plaintiffs’ request for a declaration regarding the defendant’s current security measures could proceed (along with the negligence claim not at issue in the motion to dismiss), as it addressed an ongoing dispute about the adequacy of security practices. In Roma, et al. v. Prospect Medical Holdings, Inc., 2024 U.S. Dist. LEXIS 138947 (E.D. Penn. Aug. 5, 2024), the defendant, a large medical group with over 18,000 employees and 600,000 members, experienced a significant data breach in early August 2023. The breach involved unauthorized access to its network by a ransomware gang named Rhysida. The exposed data included a wide range of sensitive personal and health information, including Social Security numbers, financial details, medical records, and more. Rhysida claimed responsibility and put the stolen data, amounting to over one terabyte, up for sale on the dark web. The defendant notified the state Attorneys General about the breach two months later. In its notice, the defendant acknowledged the potential compromise of the data of employees and dependents, and offered free credit monitoring and identity protection services. The plaintiffs filed a class action alleging that the breach led to an increased risk of identity theft and fraud, and caused them emotional distress. The plaintiffs also reported various incidents of misuse of their personal information, such as fraudulent charges and unauthorized loans. The plaintiffs asserted that the
7
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025
Made with FlippingBook - professional solution for displaying marketing and sales documents online