HOUSTON – A Texas federal judge has dismissed the vast majority of claims from a class action suit against a legal services support company, which alleged that its negligence and other liable actions left it vulnerable to a data breach and then caused the plaintiffs to be the victims of identity theft.
James Logan of Georgia and Nathan Baxter of California first filed suit on Jan. 18, 2022 in the U.S. District Court for the Southern District of Texas versus Marker Group, Inc., of Houston.
(An amended complaint filed on Sept. 2, 2022 added Yusef Harris of Kansas as the third plaintiff to the case.)
U.S. District Court for the Southern District of Texas Judge Drew B. Tipton partially granted and partially denied the defendant’s motion to dismiss the plaintiffs’ amended complaint on July 18 – leaving Harris as the case’s only plaintiff and his only remaining claim as negligence, with the other defendants dismissed without prejudice and Harris’ other claims also dismissed without prejudice.
“Specializing in multi-district litigation involving personal injury claims, Marker Group ‘provides record collection, medical review, data analysis and many other litigation support services to some of the world’s most prestigious defense law firms.’ Marker Group’s services include the use of an online ‘[file transfer protocol] platform system that allows medical records and other personal information and documentation to be uploaded, stored, sorted, and analyzed.’ This platform ‘serves as a centralized location for parties in large litigation matters to manage medical records, plaintiff fact sheets and other discovery materials,” Tipton said.
“Equipped with ‘administrative, physical, and technical safeguards,’ Marker Group promises ‘to ensure the maximum level of control and security” and full compliance with information security laws. Plaintiffs in this case were ‘required to upload their medical, pharmacy and insurance records and other sensitive and confidential information onto the Marker Group portal as a condition of their participation in the MDL[.]’ The information provided ‘included, without limitation, their names, Social Security numbers, dates of birth, and addresses’ along with medical and personal health information.”
On Sept. 3, 2021, Marker Group “noticed ‘suspicious activity’ on its computer network and later determined that files were accessed by an ‘unknown, unauthorized third-party.” That December, Marker Group issued a Notice of Data Breach Letter, advising clients that breached files contained protected health information and personally-identifiable information.
“The notice had barely any information indicating ‘how long these unauthorized third-parties had access to the medical records and other sensitive information[.]’ Plaintiffs allege that as a result of this breach, they ‘experienced fraudulent activity and identity theft…including but not limited to unauthorized loan applications, bank account activity, tax fraud, and unemployment fraud.’ Before becoming aware of the breach, Logan ‘encountered a situation with his treating physician in which it appeared that information unrelated to him had been transmitted to his physician under his name[,]’ an occurrence which he attributes to the data breach,” Tipton stated.
“Also as a result of the breach, Logan ‘received text messages from a medical facility…confirming medical appointments that he did not make for himself.’ For Baxter, the consequences of the breach came in the form of ‘a barrage of phone calls regarding Medicare insurance coverage…relay[ing] information and offers that contradict his current coverage’ as well as ‘unsolicited loan offers which contain his personal information.’ Lastly, following quickly on the heels of the breach, Harris learned that ‘an unauthorized individual opened a line of credit for $1500 in [his] name, using his Social Security number[.]’ Although Harris filed a police report and froze his credit accounts, the fraudulent activity still ‘negatively impacted his credit score.”
The plaintiffs then brought a class action lawsuit against Marker Group alleging seven counts: (1) negligence, (2) breach of implied contract, (3) invasion of privacy, (4) unjust enrichment, (5) breach of confidence, (6) declaratory judgment, and (7) violation of the Confidentiality of Medical Information Act, and also requested declaratory relief.
In response, Marker Group filed a partial motion to dismiss, arguing that the Court lacks subject matter jurisdiction over Logan and Baxter’s claims, that Logan and Baxter failed to show they “suffered any actual injury, such as identity theft,” and failed to establish Article III standing, and that each of the plaintiffs failed to adequately plead a number of their claims.
“Plaintiffs provide no authority supporting their claim that these occurrences constitute an Article III injury. On the contrary, courts have found that similar occurrences, such as ‘the receipt of phishing emails, while perhaps ‘consistent with’ data misuse, does not ‘plausibly suggest’ that any actual misuse of plaintiff’s personal identifying information has occurred.’ Conclusory statements alleging actual incidents of identity theft are insufficient to establish an injury in fact because such injuries require a showing that “the information accessed was actually misused or that there has even been an attempt to use it,” Tipton said.
“Moreover, even if Logan and Baxter’s alleged occurrences could constitute a sufficient injury-in-fact, they would still ‘fail to meet the causation and redressability elements of the standing test.’ Courts in the Fifth Circuit have held that attempted credit card charges, phone solicitations, spam emails and receipt of materials targeting one’s specific medical conditions perpetrated ‘by unknown third parties…fail to account for the sufficient break in causation caused by opportunistic third parties.’ As Marker Group points out, the texts received by Logan could have resulted from a clerical error and the phone calls received by Baxter are not unusual in modern life. Thus, the claimed injuries are not cognizable under Article III for standing purposes. Moreover, ‘to the extent that [such injuries] meet the first prong’ of the standing test, without ‘any quantifiable damage or loss’ alleged, a favorable decision from this Court could not redress the injuries. Thus, the Court finds that Logan and Baxter lack Article III standing as victims of actual identity theft.”
Tipton added that the other qualities which plaintiffs’ claims hinge upon, such as imminent risk of future injury, mitigation efforts and diminution in value are “dependent on entirely speculative, future actions of an unknown third-party,” they are likewise insufficient to confer Article III standing.
Additionally, Tipton found that Marker Group was correct, when it asserted that “the claimed relief cannot prevent any potential future injuries resulting from this data breach, and is, therefore, inappropriate.”
Lastly, Tipton ruled that Harris is the only plaintiff to remain in the case, and his only claim to remain is negligence – while his breach of implied contract, invasion of privacy, unjust enrichment and breach of confidence claims would be dismissed.
“All claims brought on behalf of plaintiffs Logan and Baxter, including Baxter’s CMIA claim, are dismissed without prejudice for lack of subject matter jurisdiction. Harris is the sole remaining plaintiff. As to Harris, his negligence claim remains,” Tipton said.
“However, Harris’s breach of implied contract, invasion of privacy, unjust enrichment, and breach of confidence claims are dismissed without prejudice in their entirety for failure to state a claim. Harris’s first request for declaratory judgment remains, but the second request is dismissed without prejudice. Harris is ordered to file a second amended complaint in conformity with this memorandum opinion and order within 14 calendar days of the date of this order.”
The plaintiff is represented by Jean Sutton Martin of Morgan & Morgan in Tampa, Fla.
The defendants are represented by Richard Haggerty and Amanda Nicole Harvey of Mullen Coughlin, in Devon, Pa. and Grapevine.
U.S. District Court for the Southern District of Texas case 4:22-cv-00174
From the Southeast Texas Record: Reach Courts Reporter Nicholas Malfitano at nick.malfitano@therecordinc.com