
Case: 1:24-cv-05273 Document #: 1 Filed: 06/24/24 Page 1 of 42 PageID #:1

IN THE UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS

EUGENE BURAGA, individually, and on behalf of all others similarly situated,
Plaintiffs,
vs.
CDK GLOBAL, LLC,
Defendant.

Case No. 1:24-cv-5273
CLASS ACTION COMPLAINT
JURY TRIAL DEMANDED

Representative Plaintiff alleges as follows:

INTRODUCTION

1. Representative Plaintiff Eugene Buraga (“Representative Plaintiff”) brings this Class Action Complaint against Defendant CDK Global, LLC (“Defendant” or “CDK”) for its failure to properly secure and safeguard Representative Plaintiff’s and Class Members’ personally identifiable information stored within Defendant’s information network, including, without limitation, full names, addresses, Social Security numbers, driver’s license numbers, and financial information (these types of information, inter alia, being hereinafter referred to, collectively, as “personally identifiable information” or “PII”).[1]

[1] Personally identifiable information (“PII”) generally incorporates information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information. 2 C.F.R. § 200.79. At a minimum, it includes all information that on its face expressly identifies an individual. PII also is generally defined to include certain identifiers that do not on their face name an individual, but that are considered to be particularly sensitive and/or valuable if in the wrong hands (for example, Social Security numbers, passport numbers, driver’s license numbers, financial account numbers, etc.).

2. With this action, Representative Plaintiff seeks to hold Defendant responsible for the harms it caused and will continue to cause Representative Plaintiff and, at least, thousands of other similarly situated persons in the massive and preventable cyberattack purportedly discovered by Defendant on June 18, 2024, in which cybercriminals infiltrated Defendant’s inadequately protected network servers and accessed highly sensitive PII that was being kept unprotected (“Data Breach”).

3. Defendant acquired, collected, and stored Representative Plaintiff’s and Class Members’ PII. Therefore, at all relevant times, Defendant knew or should have known that Representative Plaintiff and Class Members would use Defendant’s services to store and/or share sensitive data, including highly confidential PII.

4. By obtaining, collecting, using, and deriving a benefit from Representative Plaintiff’s and Class Members’ PII, Defendant assumed legal and equitable duties to those individuals. These duties arise from state and federal statutes and regulations, and common law principles.

5. Defendant disregarded the rights of Representative Plaintiff and Class Members by intentionally, willfully, recklessly, and/or negligently failing to take and implement adequate and reasonable measures to ensure that Representative Plaintiff’s and Class Members’ PII was safeguarded, failing to take available steps to prevent unauthorized disclosure of data and failing to follow applicable, required and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use. As a result, Representative Plaintiff’s and Class Members’ PII was compromised through disclosure to an unknown and unauthorized third party—an undoubtedly nefarious third party seeking to profit off this disclosure by defrauding Representative Plaintiff and Class Members in the future. Representative Plaintiff and Class Members have a continuing interest in ensuring that their information is and remains safe and are entitled to injunctive and other equitable relief.

JURISDICTION AND VENUE

6. Jurisdiction is proper in this Court under 28 U.S.C. § 1332 (diversity jurisdiction). Specifically, this Court has subject matter and diversity jurisdiction over this action under 28 U.S.C. § 1332(d) because this is a class action where the amount in controversy exceeds the sum or value of $5 million, exclusive of interest and costs, there are more than 100 members in the proposed class, and at least one Class Member is a citizen of a state different from Defendant.

7. Supplemental jurisdiction to adjudicate issues pertaining to state law is proper in this Court under 28 U.S.C. § 1367.

8. Defendant is headquartered and/or routinely conducts business in the State where this District is located, has sufficient minimum contacts in this State, has intentionally availed itself of this jurisdiction by marketing and/or selling products and/or services and/or by accepting and processing payments for those products and/or services within this State.

9. Venue is proper in this Court under 28 U.S.C. § 1391 because a substantial part of the events that gave rise to Representative Plaintiff’s claims took place within this District and Defendant is headquartered and/or does business in this Judicial District.

REPRESENTATIVE PLAINTIFF’S COMMON EXPERIENCES

10. Defendant received highly sensitive PII from Representative Plaintiff in connection with the services Representative Plaintiff received or requested. As a result, Representative Plaintiff’s information was among the data an unauthorized third party accessed in the Data Breach.

11. Representative Plaintiff was and is very careful about sharing his PII. Representative Plaintiff has never knowingly transmitted unencrypted sensitive PII over the internet or any other unsecured source.

12. Representative Plaintiff stored any documents containing his PII in a safe and secure location or destroyed the documents. Moreover, Representative Plaintiff diligently chose unique usernames and passwords for his various online accounts.

13. Representative Plaintiff took reasonable steps to maintain the confidentiality of his PII and relied on Defendant to keep his PII confidential and securely maintained, to use this information for employment purposes only, and to make only authorized disclosures of this information.

14. As a result of the Data Breach, Plaintiff spent time dealing with the consequences of the Data Breach, which included self-monitoring his accounts and credit reports to ensure no fraudulent activity had occurred. This time has been lost forever and cannot be recaptured.

15. Representative Plaintiff suffered actual injury in the form of damages to and diminution in the value of Representative Plaintiff’s PII—a form of intangible property that Representative Plaintiff entrusted to Defendant, which was compromised in and because of the Data Breach.

16. Representative Plaintiff suffered lost time, annoyance, interference, and inconvenience because of the Data Breach and has anxiety and increased concerns for the loss of privacy, as well as anxiety over the impact of cybercriminals accessing, using, and selling Representative Plaintiff’s PII.

17. Representative Plaintiff suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from his PII, in combination with his name, being placed in the hands of unauthorized third parties/criminals.

18. Representative Plaintiff has a continuing interest in ensuring that Representative Plaintiff’s PII, which, upon information and belief, remains backed up in Defendant’s possession, is protected and safeguarded from future breaches.

Plaintiff’s Experiences

19. Plaintiff Buraga, a resident of San Francisco, California, is a former employee of a car dealership located in Marin County, California.

20. As a condition of work, Plaintiff Buraga was required to provide his Private Information, including his name, address, social security number, and financial information.

21. At the time of the Data Breach, the car dealership utilized Defendant’s services and system to retain Plaintiff Buraga’s Private Information in its system.

22. Plaintiff Buraga is very careful about sharing his sensitive Private Information. Plaintiff stores any documents containing his Private Information in a safe and secure location. He has never knowingly transmitted unencrypted sensitive Private Information over the internet or any other unsecured source. Plaintiff Buraga would not have entrusted his Private Information to Defendant had he known of Defendant’s lax data security policies.

23. As a result of the Data Breach, Plaintiff Buraga made reasonable efforts to mitigate the impact of the Data Breach, including researching and verifying the legitimacy of the Data Breach, changing passwords and resecuring his own computer network, and contacting companies regarding suspicious activity on his accounts. Plaintiff Buraga has spent significant time dealing with the Data Breach—valuable time Plaintiff otherwise would have spent on other activities, including but not limited to work and/or recreation. This time has been lost forever and cannot be recaptured.

24. The Data Breach has caused Plaintiff Buraga to suffer fear, anxiety, and stress, which has been compounded by the fact that Defendant has still not fully informed him of key details about the Data Breach’s occurrence.

25. As a result of the Data Breach, Plaintiff Buraga anticipates spending considerable time and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach.

26. As a result of the Data Breach, Plaintiff Buraga is at a present risk and will continue to be at increased risk of identity theft and fraud for years to come.

27. Plaintiff Buraga has a continuing interest in ensuring that his Private Information, which, upon information and belief, remains backed up in Defendant’s possession, is protected and safeguarded from future breaches.

DEFENDANT

28. Defendant is an Illinois corporation with a principal place of business located at 1950 Hassell Road, Hoffman Estates, IL 60619.

29. Defendant is a retail technology and software provider to thousands of car dealerships across the country.

30. The true names and capacities of persons or entities, whether individual, corporate, associate or otherwise, who may be responsible for some of the claims alleged here are currently unknown to Representative Plaintiff. Representative Plaintiff will seek leave of court to amend this Complaint to reflect the true names and capacities of such responsible parties when their identities become known.

CLASS ACTION ALLEGATIONS

31. Representative Plaintiff brings this action pursuant to the provisions of Rules 23(a), (b)(2), and (b)(3) of the Federal Rules of Civil Procedure (“F.R.C.P.”) on behalf of Representative Plaintiff and the following classes/subclass(es) (collectively, the “Class(es)”):

Nationwide Class:
“All individuals within the United States of America whose PII was exposed to unauthorized third parties as a result of the ransomware attack suffered by Defendant in June 2024.”

32. Excluded from the Classes are the following individuals and/or entities: Defendant and Defendant’s parents, subsidiaries, affiliates, officers, and directors and any entity in which Defendant has a controlling interest, all individuals who make a timely election to be excluded from this proceeding using the correct protocol for opting out, any and all federal, state or local governments, including but not limited to its departments, agencies, divisions, bureaus, boards, sections, groups, counsel, and/or subdivisions, and all judges assigned to hear any aspect of this litigation, as well as their immediate family members.

33. In the alternative, Representative Plaintiff requests additional subclasses as necessary based on the types of PII that were compromised.

34. Representative Plaintiff reserves the right to amend the above Class definitions or to propose other subclasses in subsequent pleadings and motions for class certification.

35. This action has been brought and may properly be maintained as a class action under F.R.C.P. Rule 23 because there is a well-defined community of interest in the litigation and membership of the proposed Classes is readily ascertainable.

a. Numerosity: A class action is the only available method for the fair and efficient adjudication of this controversy. The members of the Plaintiff Classes are so numerous that joinder of all members is impractical, if not impossible. Representative Plaintiff is informed and believes and, on that basis, alleges that the total number of Class Members is in the thousands of individuals. Membership in the Classes will be determined by analysis of Defendant’s records.

b. Commonality: Representative Plaintiff and the Class Members share a community of interest in that there are numerous common questions and issues of fact and law which predominate over any questions and issues solely affecting individual members, including, but not necessarily limited to:

1) Whether Defendant had a legal duty to Representative Plaintiff and the Classes to exercise due care in collecting, storing, using and/or safeguarding their PII;
2) Whether Defendant knew or should have known of the susceptibility of its data security systems to a data breach;
3) Whether Defendant’s security procedures and practices to protect its systems were reasonable in light of the measures recommended by data security experts;
4) Whether Defendant’s failure to implement adequate data security measures allowed the Data Breach to occur;
5) Whether Defendant failed to comply with its own policies and applicable laws, regulations and industry standards relating to data security;
6) Whether Defendant adequately, promptly and accurately informed Representative Plaintiff and Class Members that their PII had been compromised;
7) How and when Defendant actually learned of the Data Breach;
8) Whether Defendant’s conduct, including its failure to act, resulted in or was the proximate cause of the breach of its systems, resulting in the loss of the PII of Representative Plaintiff and Class Members;
9) Whether Defendant adequately addressed and fixed the vulnerabilities which permitted the Data Breach to occur;
10) Whether Defendant engaged in unfair, unlawful or deceptive practices by failing to safeguard Representative Plaintiff’s and Class Members’ PII;
11) Whether Representative Plaintiff and Class Members are entitled to actual and/or statutory damages and/or whether injunctive, corrective and/or declaratory relief and/or an accounting is/are appropriate as a result of Defendant’s wrongful conduct;
12) Whether Representative Plaintiff and Class Members are entitled to restitution as a result of Defendant’s wrongful conduct.

c. Typicality: Representative Plaintiff’s claims are typical of the claims of the Plaintiff Classes. Representative Plaintiff and all members of the Plaintiff Classes sustained damages arising out of and caused by Defendant’s common course of conduct in violation of law, as alleged herein.
d. Adequacy of Representation: Representative Plaintiff in this class action is an adequate representative of each of the Plaintiff Classes in that Representative Plaintiff has the same interest in the litigation of this case as the Class Members, is committed to the vigorous prosecution of this case and has retained competent counsel who are experienced in conducting litigation of this nature. Representative Plaintiff is not subject to any individual defenses unique from those conceivably applicable to other Class Members or the classes in their entirety. Representative Plaintiff anticipates no management difficulties in this litigation.

e. Superiority of Class Action: The damages suffered by individual Class Members are significant but may be small relative to each member's enormous expense of individual litigation. This makes or may make it impractical for members of the Plaintiff Class to seek redress individually for the wrongful conduct alleged herein. Even if Class Members could afford such individual litigation, the court system could not. Should separate actions be brought or be required to be brought by each individual member of the Plaintiff Class, the resulting multiplicity of lawsuits would cause undue hardship and expense for the Court and the litigants. The prosecution of separate actions would also create a risk of inconsistent rulings which might be dispositive of the interests of other Class Members who are not parties to the adjudications and/or may substantially impede their ability to protect their interests adequately. Individualized litigation increases the delay and expense to all parties and to the court system presented by the case's complex legal and factual issues. By contrast, the class action device presents far fewer management difficulties and provides the benefits of single adjudication, economy of scale and comprehensive supervision by a single court.

36. Class certification is proper because the questions raised by this Complaint are of common or general interest affecting numerous persons, so it is impracticable to bring all Class Members before the Court.

37. This class action is also appropriate for certification because Defendant has acted or refused to act on grounds generally applicable to Class Members, thereby requiring the Court’s imposition of uniform relief to ensure compatible standards of conduct toward the Class Members and making final injunctive relief appropriate concerning the Classes in their entireties. Defendant’s policies and practices challenged herein apply to and affect Class Members uniformly. Representative Plaintiff’s challenge of these policies and procedures hinges on Defendant’s conduct concerning the Classes in their entirety, not on facts or law applicable only to Representative Plaintiff.

38. Unless a Class-wide injunction is issued, Defendant may continue failing to secure Class Members’ PII properly, and Defendant may continue to act unlawfully, as set forth in this Complaint.

39. Further, Defendant has acted or refused to act on grounds generally applicable to the Classes and, accordingly, final injunctive or corresponding declaratory relief with regard to the Class Members as a whole is appropriate under F.R.C.P. Rule 23(b)(2).

COMMON FACTUAL ALLEGATIONS

The Data Breach

40. Defendant provides clients in the auto industry a digital platform that handles all aspects of a car dealership’s operation, including financing, payroll, support and service, inventory, and back office operations.

41. Defendant was hit with multiple cyberattacks on June 18 and June 19, 2024, causing Defendant to shut down its systems, phones, and applications and leaving clients to operate their businesses.

42. During the Data Breach, one or more unauthorized third parties accessed Class Members’ sensitive data including, but not limited to, full names, dates of birth, and social security numbers. Representative Plaintiff was among the individuals whose data was accessed in the Data Breach.

Defendant Collected/Stored Representative Plaintiff’s and Class Members’ PII

43. Defendant acquired, collected, stored, and assured reasonable security over Representative Plaintiff’s and Class Members’ PII.

44. As a condition of its relationships with Representative Plaintiff and Class Members, Defendant required that Representative Plaintiff and Class Members entrust Defendant with highly sensitive and confidential PII. Defendant, in turn, stored that information on Defendant’s system that was ultimately affected by the Data Breach.

45. By obtaining, collecting, and storing Representative Plaintiff’s and Class Members’ PII, Defendant assumed legal and equitable duties over the PII and knew or should have known that it was thereafter responsible for protecting Representative Plaintiff’s and Class Members’ PII from unauthorized disclosure.

46. Representative Plaintiff and Class Members have taken reasonable steps to maintain their PII’s confidentiality. Representative Plaintiff and Class Members relied on Defendant to keep their PII confidential and securely maintained, to use this information for business and healthcare purposes only, and to make only authorized disclosures of this information.

47. Defendant could have prevented the Data Breach, which began as early as June 2024, by properly securing and encrypting and/or more securely encrypting its servers, generally, as well as Representative Plaintiff’s and Class Members’ PII.

48. Defendant’s negligence in safeguarding Representative Plaintiff’s and Class Members’ PII is exacerbated by repeated warnings and alerts directed at protecting and securing sensitive data, as evidenced by the trending data breach attacks in recent years.

49. Data breaches such as the one experienced by Defendant have become so notorious that the Federal Bureau of Investigation (“FBI”) and the U.S. Secret Service have issued a warning to potential targets so they are aware of, can prepare for, and hopefully ward off a potential attack.

50. Due to the high-profile nature of these breaches and other breaches of its kind, Defendant was and/or certainly should have been on notice and aware of such attacks occurring in the healthcare industry and, therefore, should have assumed and adequately performed the duty of preparing for such an imminent attack.

51. And yet, despite the prevalence of public announcements of data breaches and data security compromises, Defendant failed to take appropriate steps to protect Representative Plaintiff’s and Class Members’ PII from being compromised.

Defendant Had a Duty to Protect the Stolen Information

52. In failing to adequately secure Representative Plaintiff’s and Class Members’ sensitive data, Defendant breached duties it owed Representative Plaintiff and Class Members under statutory and common law. Moreover, Representative Plaintiff and Class Members surrendered their highly sensitive personal data to Defendant under the implied condition that Defendant would keep it private and secure. Accordingly, Defendant also had an implied duty to safeguard their data, independent of any statute.

53. Defendant was also prohibited by the Federal Trade Commission Act (the “FTC Act”) (15 U.S.C. § 45) from engaging in “unfair or deceptive acts or practices in or affecting commerce.” The Federal Trade Commission (the “FTC”) has concluded that a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information is an “unfair practice” in violation of the FTC Act. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

54. According to the FTC, the need for data security should be factored into all business decision-making. To that end, the FTC has issued numerous guidelines identifying best data security practices that businesses, such as Defendant, should employ to protect against the unlawful exposure of PII.

55. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established guidelines for fundamental data security principles and practices for business. The guidelines explain that companies should:

a. protect the sensitive consumer information that they keep;
b. properly dispose of PII that is no longer needed;
c. encrypt information stored on computer networks;
d. understand their network’s vulnerabilities; and
e. implement policies to correct security problems.

56. The guidelines also recommend that businesses watch for large amounts of data being transmitted from the system and have a response plan ready in the event of a breach.

57. The FTC recommends that companies not maintain information longer than is necessary for authorization of a transaction, limit access to sensitive data, require complex passwords to be used on networks, use industry-tested methods for security, monitor for suspicious activity on the network and verify that third-party service providers have implemented reasonable security measures.

58. The FTC has brought enforcement actions against businesses for failing to protect consumer data adequately and reasonably, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

59. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to consumers’ PII constitutes an unfair act or practice prohibited by Section 5 of the FTCA, 15 U.S.C. § 45.

60. In addition to its obligations under federal and state laws, Defendant owed a duty to Representative Plaintiff and Class Members to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting, and protecting the PII in Defendant’s possession from being compromised, lost, stolen, accessed, and misused by unauthorized persons. Defendant owed a duty to Representative Plaintiff and Class Members to provide reasonable security, including consistency with industry standards and requirements, and to ensure that its computer systems, networks, and protocols adequately protected Representative Plaintiff’s and Class Members’ PII.

61. Defendant owed a duty to Representative Plaintiff and Class Members to design, maintain, and test its computer systems, servers, and networks to ensure that all PII in its possession was adequately secured and protected.

62. Defendant owed a duty to Representative Plaintiff and Class Members to create and implement reasonable data security practices and procedures to protect all PII in its possession, including not sharing information with other entities who maintain sub-standard data security systems.

63. Defendant owed a duty to Representative Plaintiff and Class Members to implement processes that would immediately detect a breach of its data security systems in a timely manner.

64. Defendant owed a duty to Representative Plaintiff and Class Members to act upon data security warnings and alerts in a timely fashion.

65. Defendant owed a duty to Representative Plaintiff and Class Members to disclose if its computer systems and data security practices were inadequate to safeguard individuals’ PII from theft, because such an inadequacy would be a material fact in the decision to entrust this PII to Defendant.

66. Defendant owed a duty of care to Representative Plaintiff and Class Members because they were foreseeable and probable victims of any inadequate data security practices.

67. Defendant owed a duty to Representative Plaintiff and Class Members to encrypt and/or more reliably encrypt Representative Plaintiff’s and Class Members’ PII and monitor user behavior and activity to identify possible threats.

The Sensitive Information Stolen in the Data Breach is Highly Valuable

68. It is well known that PII, including Social Security numbers and health records in particular, is a valuable commodity and a frequent, intentional target of cybercriminals. Companies that collect such information, including Defendant, are well aware of the risk of being targeted by cybercriminals.

69. Individuals place a high value not only on their PII but also on the privacy of that data. Identity theft causes severe negative consequences to its victims, as well as severe distress and hours of lost time trying to fight the impact of identity theft.

70. While the greater efficiency of electronic health records translates to cost savings for providers, it also comes with the risk of privacy breaches. PII is a valuable commodity for which a “cyber black market” exists where criminals openly post stolen Social Security numbers and other personal information on several underground internet websites. Unsurprisingly, the healthcare industry is at high risk and is acutely affected by cyberattacks, like the Data Breach here.

71. The high value of PII to criminals is evidenced by the prices they will pay for it

through the dark web. For example, personal information can be sold at a price ranging from $40

to $200, and bank details have a price range of $50 to $200.2 Experian reports that a stolen credit

or debit card number can sell for $5 to $110 on the dark web.3 Criminals can also purchase access

to entire company data breaches from $999 to $4,995.4

72. Between 2005 and 2019, at least 249 million people were affected by healthcare

data breaches.5 Indeed, during 2019 alone, over 41 million healthcare records were exposed,

stolen, or unlawfully disclosed in 505 data breaches.6 In short, these sorts of data breaches are

increasingly common, especially among healthcare systems, which account for 30.03 percent of

overall health data breaches, according to cybersecurity firm Tenable.7

73. These criminal activities have and will result in devastating financial and personal

losses to Representative Plaintiff and Class Members. For example, it is believed that certain PII

compromised in the 2017 Experian data breach was being used three years later by identity thieves

to apply for COVID-19-related benefits in Oklahoma. Such fraud will be an omnipresent threat

for Representative Plaintiff and Class Members for the rest of their lives. They will need to remain

constantly vigilant.

² Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/ (last accessed July 24, 2023).
³ Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ (last accessed July 24, 2023).
⁴ In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ (last accessed July 24, 2023).
⁵ https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7349636/#B5-healthcare-08-00133/ (last accessed July 24, 2023).
⁶ https://www.hipaajournal.com/december-2019-healthcare-data-breach-report/ (last accessed July 24, 2023).
⁷ https://www.tenable.com/blog/healthcare-security-ransomware-plays-a-prominent-role-in-covid-19-era-breaches/ (last accessed July 24, 2023).

74. The FTC defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.” The FTC describes “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including, among other things, “[n]ame, Social Security number, date of birth, official State or government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.”

75. Identity thieves can use PII, such as that of Representative Plaintiff and Class Members, which Defendant failed to keep secure, to perpetrate various crimes that harm victims. For instance, identity thieves may commit various types of government fraud such as immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s picture, using the victim’s information to obtain government benefits, or filing a fraudulent tax return using the victim’s information to obtain a fraudulent refund.

76. The ramifications of Defendant’s failure to secure Representative Plaintiff’s and Class Members’ PII are long-lasting and severe. Once PII is stolen, particularly identification numbers, fraudulent use of that information and damage to victims may continue for years. Indeed, the PII of Representative Plaintiff and Class Members was taken by hackers to engage in identity theft or to sell it to other criminals who will purchase the PII for that purpose. The fraudulent activity resulting from the Data Breach may not come to light for years.

77. Individuals, like Representative Plaintiff and Class Members, are particularly concerned with protecting the privacy of their Social Security numbers, which are the key to stealing any person’s identity and are likened to accessing DNA for hackers’ purposes.


78. Data breach victims suffer long-term consequences when their Social Security numbers are taken and used by hackers. Even if they know their Social Security numbers are being misused, Representative Plaintiff and Class Members cannot obtain new numbers unless they become victims of Social Security misuse.

79. The Social Security Administration has warned that “a new number probably won’t solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So, using a new number won’t guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.”⁸

80. There may be a time lag between when harm occurs and when it is discovered, and also between when PII is stolen and when it is used. According to the U.S. Government Accountability Office (“GAO”), which conducted a study regarding data breaches:

    [L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.⁹

81. And data breaches are preventable.¹⁰ As Lucy Thompson wrote in the DATA BREACH AND ENCRYPTION HANDBOOK, “[i]n almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate

⁸ Identity Theft and Your Social Security Number, SSA, No. 05-10064 (July 2021), https://www.ssa.gov/pubs/EN-05-10064.pdf (last visited Apr. 18, 2023).
⁹ Report to Congressional Requesters, GAO, at 29 (June 2007), available at: http://www.gao.gov/new.items/d07737.pdf (last accessed July 24, 2023).
¹⁰ Lucy L. Thompson, “Despite the Alarming Trends, Data Breaches Are Preventable,” in DATA BREACH AND ENCRYPTION HANDBOOK (Lucy Thompson, ed., 2012).

security solutions.”¹¹ She added that “[o]rganizations that collect, use, store, and share sensitive personal data must accept responsibility for protecting the information and ensuring that it is not compromised….”¹²

82. Most of the reported data breaches are a result of lax security and the failure to create or enforce appropriate security policies, rules, and procedures. Appropriate information security controls, including encryption, must be implemented and enforced rigorously and in a disciplined manner so that a data breach never occurs.¹³

83. Here, Defendant knew of the importance of safeguarding PII and of the foreseeable consequences that would occur if Representative Plaintiff’s and Class Members’ PII was stolen, including the significant costs that would be placed on Representative Plaintiff and Class Members because of a breach of this magnitude. As detailed above, Defendant knew or should have known that the development and use of such protocols was necessary to fulfill its statutory and common law duties to Representative Plaintiff and Class Members. Therefore, its failure to do so is intentional, willful, reckless, and/or grossly negligent.

84. Defendant disregarded the rights of Representative Plaintiff and Class Members by, inter alia: (i) intentionally, willfully, recklessly and/or negligently failing to take adequate and reasonable measures to ensure that its network servers were protected against unauthorized intrusions, (ii) failing to disclose that it did not have adequate security protocols and training practices in place to safeguard Representative Plaintiff’s and Class Members’ PII, (iii) failing to take standard and reasonably available steps to prevent the Data Breach, (iv) concealing the existence and extent of the Data Breach for an unreasonable duration of time, and (v) failing to

¹¹ Id. at 17.
¹² Id. at 28.
¹³ Id.


provide Representative Plaintiff and Class Members prompt and accurate notice of the Data Breach.

CAUSES OF ACTION
COUNT ONE
Negligence
(On behalf of the Nationwide Class)

85. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with the same force and effect as though fully set forth herein.

86. At all times herein relevant, Defendant owed Representative Plaintiff and Class Members a duty of care, inter alia, to act with reasonable care to secure and safeguard their PII and to use commercially reasonable methods to do so. Defendant took on this obligation upon accepting and storing Representative Plaintiff’s and Class Members’ PII on its computer systems and networks.

87. Among these duties, Defendant was expected:

a. to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting and protecting the PII in its possession;
b. to protect Representative Plaintiff’s and Class Members’ PII using reasonable and adequate security procedures and systems that were/are compliant with industry-standard practices;
c. to implement processes to detect the Data Breach quickly and to act on warnings about data breaches timely; and
d. to promptly notify Representative Plaintiff and Class Members of any data breach, security incident or intrusion that affected or may have affected their PII.

88. Defendant knew or should have known that the PII was private and confidential and should be protected as private and confidential and, thus, Defendant owed a duty of care to not subject Representative Plaintiff and Class Members to an unreasonable risk of harm because they were foreseeable and probable victims of any inadequate security practices.


89. Defendant knew or should have known of the risks inherent in collecting and storing PII, the vulnerabilities of its data security systems and the importance of adequate security. Defendant knew or should have known about numerous well-publicized data breaches.

90. Defendant knew or should have known that its data systems and networks did not adequately safeguard Representative Plaintiff’s and Class Members’ PII.

91. Only Defendant was in the position to ensure that its systems and protocols were sufficient to protect the PII that Representative Plaintiff and Class Members had entrusted to it.

92. Defendant breached its duties to Representative Plaintiff and Class Members by failing to provide fair, reasonable, or adequate computer systems and data security practices to safeguard their PII.

93. Because Defendant knew that a breach of its systems could damage numerous individuals, including Representative Plaintiff and Class Members, Defendant had a duty to adequately protect its data systems and the PII stored thereon.

94. Representative Plaintiff’s and Class Members’ willingness to entrust Defendant with their PII was predicated on the understanding that Defendant would take adequate security precautions. Moreover, only Defendant could protect its systems and the PII it stored on them from attack. Thus, Defendant had a special relationship with Representative Plaintiff and Class Members.

95. Defendant also had independent duties under state and federal laws that required Defendant to reasonably safeguard Representative Plaintiff’s and Class Members’ PII and promptly notify them about the Data Breach. These “independent duties” are untethered to any contract between Defendant, Representative Plaintiff, and/or the remaining Class Members.


96. Defendant breached its general duty of care to Representative Plaintiff and Class Members in, but not necessarily limited to, the following ways:

a. by failing to provide fair, reasonable and/or adequate computer systems and data security practices to safeguard Representative Plaintiff’s and Class Members’ PII;
b. by failing to timely and accurately disclose that Representative Plaintiff’s and Class Members’ PII had been improperly acquired or accessed;
c. by failing to adequately protect and safeguard PII by knowingly disregarding standard information security principles, despite obvious risks and by allowing unmonitored and unrestricted access to unsecured PII;
d. by failing to provide adequate supervision and oversight of the PII with which it was and is entrusted, in spite of the known risk and foreseeable likelihood of breach and misuse, which permitted an unknown third party to gather Representative Plaintiff’s and Class Members’ PII, misuse the PII and intentionally disclose it to others without consent;
e. by failing to adequately train its employees not to store PII longer than absolutely necessary;
f. by failing to consistently enforce security policies aimed at protecting Representative Plaintiff’s and Class Members’ PII;
g. by failing to implement processes to quickly detect data breaches, security incidents or intrusions; and
h. by failing to encrypt Representative Plaintiff’s and Class Members’ PII and monitor user behavior and activity in order to identify possible threats.

97. Defendant’s willful failure to abide by these duties was wrongful, reckless and/or grossly negligent in light of the foreseeable risks and known threats.

98. As a proximate and foreseeable result of Defendant’s grossly negligent conduct, Representative Plaintiff and Class Members have suffered damages and are at imminent risk of additional harm and damages (as alleged above).

99. The law further imposes an affirmative duty on Defendant to timely disclose the unauthorized access and theft of the PII to Representative Plaintiff and Class Members so that they could and/or still can take appropriate measures to mitigate damages, protect against adverse consequences, and thwart future misuse of their PII.


100. Defendant breached its duty to notify Representative Plaintiff and Class Members of the unauthorized access by failing to notify them after learning of the Data Breach, and then by failing, and continuing to fail, to provide Representative Plaintiff and Class Members sufficient information regarding the breach. To date, Defendant has not provided sufficient information to Representative Plaintiff and Class Members regarding the extent of the unauthorized access and continues to breach its disclosure obligations to Representative Plaintiff and Class Members.

101. Further, by explicitly failing to provide timely and clear notification of the Data Breach to Representative Plaintiff and Class Members, Defendant prevented Representative Plaintiff and Class Members from taking meaningful, proactive steps to secure their PII and access their medical records and histories.

102. There is a close causal connection between Defendant’s failure to implement security measures to protect Representative Plaintiff’s and Class Members’ PII and the harm (or risk of imminent harm) suffered by Representative Plaintiff and Class Members. Representative Plaintiff’s and Class Members’ PII was accessed as the proximate result of Defendant’s failure to exercise reasonable care in safeguarding such PII by adopting, implementing and maintaining appropriate security measures.

103. Defendant’s wrongful actions, inactions, and omissions constituted (and continue to constitute) common law negligence.

104. The damages Representative Plaintiff and Class Members have suffered (as alleged above) and will continue to suffer were and are the direct and proximate result of Defendant’s grossly negligent conduct.

104. The damages Representative Plaintiff and Class Members have suffered (as alleged

above) and will continue to suffer were and are the direct and proximate result of Defendant’s

grossly negligent conduct.


105. Additionally, 15 U.S.C. § 45 (FTC Act, Section 5) prohibits “unfair […] practices in or affecting commerce,” including, as interpreted and enforced by the FTC, the unfair act or practice by businesses, such as Defendant, of failing to use reasonable measures to protect PII. The FTC publications and orders described above also form part of the basis of Defendant’s duty in this regard.

106. Defendant violated 15 U.S.C. § 45 by failing to use reasonable measures to protect PII and by not complying with applicable industry standards, as described in detail herein. Defendant’s conduct was particularly unreasonable given the nature and amount of PII it obtained and stored and the foreseeable consequences of the immense damages that would result to Representative Plaintiff and Class Members.

107. Defendant’s violation of 15 U.S.C. § 45 constitutes negligence per se.

108. As a direct and proximate result of Defendant’s negligence and negligence per se, Representative Plaintiff and Class Members have suffered and will continue to suffer injury, including but not limited to: (i) actual identity theft, (ii) the loss of the opportunity to control how their PII is used, (iii) the compromise, publication, and/or theft of their PII, (iv) out-of-pocket expenses associated with the prevention, detection and recovery from identity theft, tax fraud, and/or unauthorized use of their PII, (v) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to mitigate the actual and future consequences of the Data Breach, including but not limited to efforts spent researching how to prevent, detect, contest, and recover from embarrassment and identity theft, (vi) lost continuity in relation to their healthcare, (vii) the continued risk to their PII, which may remain in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect Representative Plaintiff’s and Class Members’ PII in its


continued possession, and (viii) future costs in terms of time, effort, and money that will be expended to prevent, detect, contest, and repair the impact of the PII compromised as a result of the Data Breach for the remainder of the lives of Representative Plaintiff and Class Members.

109. As a direct and proximate result of Defendant’s negligence and negligence per se, Representative Plaintiff and Class Members have suffered and will continue to suffer other forms of injury and/or harm, including but not limited to anxiety, emotional distress, loss of privacy, and other economic and non-economic losses.

110. Additionally, as a direct and proximate result of Defendant’s negligence and negligence per se, Representative Plaintiff and Class Members have suffered and will continue to suffer the continued risks of exposure of their PII, which remains in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect PII in its continued possession.

COUNT TWO
Negligence Per Se
(On behalf of the Nationwide Class)

111. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with the same force and effect as though fully set forth herein.

112. Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 prohibits companies such as Defendant from “using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce,” including failing to use reasonable measures to protect PII. In addition to the FTC Act, the agency also enforces other federal laws relating to consumers’ privacy and security. The FTC publications and orders described above also form part of the basis of Defendant’s duty in this regard.


113. In addition to the FTC rules and regulations and state law, other states and jurisdictions where victims of the Data Breach are located require that Defendant protect PII from unauthorized access and disclosure and timely notify the victim of a data breach.

114. Defendant violated FTC rules and regulations obligating companies to use reasonable measures to protect PII by failing to comply with applicable industry standards and by unduly delaying reasonable notice of the actual breach. Defendant’s conduct was particularly unreasonable given the nature and amount of PII it obtained and stored and the foreseeable consequences of a Data Breach and the exposure of Representative Plaintiff’s and Class Members’ highly sensitive PII.

115. Each of Defendant’s statutory violations of Section 5 of the FTC Act and other applicable statutes, rules and regulations, constitute negligence per se.

116. Representative Plaintiff and Class Members are within the category of persons the FTC Act was intended to protect.

117. The harm that occurred because of the Data Breach described herein is the type of harm the FTC Act was intended to guard against.

118. As a direct and proximate result of Defendant’s negligence per se, Representative Plaintiff and Class Members have been damaged as described herein, continue to suffer injuries as detailed above, are subject to the continued risk of exposure of their PII in Defendant’s possession and are entitled to damages in an amount to be proven at trial.

COUNT THREE
Breach of Confidence
(On behalf of the Nationwide Class)

119. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with the same force and effect as though fully set forth herein.


120. During Representative Plaintiff’s and Class Members’ interactions with Defendant, Defendant was fully aware of the confidential nature of the PII that Representative Plaintiff and Class Members provided to it.

121. As alleged herein and above, Defendant’s relationship with Representative Plaintiff and Class Members was governed by promises and expectations that Representative Plaintiff’s and Class Members’ PII would be collected, stored, and protected in confidence, and would not be accessed by, acquired by, appropriated by, disclosed to, encumbered by, exfiltrated by, released to, stolen by, used by, and/or viewed by unauthorized third parties.

122. Representative Plaintiff and Class Members provided their respective PII to Defendant with the explicit and implicit understandings that Defendant would protect and not permit the PII to be accessed by, acquired by, appropriated by, disclosed to, encumbered by, exfiltrated by, released to, stolen by, used by, and/or viewed by unauthorized third parties.

123. Representative Plaintiff and Class Members also provided their PII to Defendant with the explicit and implicit understanding that Defendant would take precautions to protect their PII from unauthorized access, acquisition, appropriation, disclosure, encumbrance, exfiltration, release, theft, use, and/or viewing, such as following basic principles of protecting its networks and data systems.

124. Defendant voluntarily received, in confidence, Representative Plaintiff’s and Class Members’ PII with the understanding that the PII would not be accessed by, acquired by, appropriated by, disclosed to, encumbered by, exfiltrated by, released to, stolen by, used by, and/or viewed by the public or any unauthorized third parties.

125. Due to Defendant’s failure to prevent, detect and avoid the Data Breach from occurring by, inter alia, not following best information security practices to secure Representative


Plaintiff’s and Class Members’ PII, Representative Plaintiff’s and Class Members’ PII was accessed by, acquired by, appropriated by, disclosed to, encumbered by, exfiltrated by, released to, stolen by, used by, and/or viewed by unauthorized third parties beyond Representative Plaintiff’s and Class Members’ confidence and without their express permission.

126. As a direct and proximate result of Defendant’s actions and/or omissions, Representative Plaintiff and Class Members have suffered damages, as alleged herein.

127. But for Defendant’s failure to maintain and protect Representative Plaintiff’s and Class Members’ PII in violation of the parties’ understanding of confidence, their PII would not have been accessed by, acquired by, appropriated by, disclosed to, encumbered by, exfiltrated by, released to, stolen by, used by, and/or viewed by unauthorized third parties. The Data Breach was the direct and legal cause of the misuse of Representative Plaintiff’s and Class Members’ PII and the resulting damages.

128. The injury and harm Representative Plaintiff and Class Members suffered and will continue to suffer was the reasonably foreseeable result of Defendant’s unauthorized misuse of Representative Plaintiff’s and Class Members’ PII. Defendant knew its data systems and protocols for accepting and securing Representative Plaintiff’s and Class Members’ PII had security and other vulnerabilities that placed Representative Plaintiff’s and Class Members’ PII in jeopardy.

129. As a direct and proximate result of Defendant’s breaches of confidence, Representative Plaintiff and Class Members have suffered and will continue to suffer injury, as alleged herein, including but not limited to: (i) actual identity theft, (ii) the compromise, publication, and/or theft of their PII, (iii) out-of-pocket expenses associated with the prevention, detection and recovery from identity theft and/or unauthorized use of their PII, (iv) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to


mitigate the actual and future consequences of the Data Breach, including but not limited to efforts spent researching how to prevent, detect, contest, and recover from identity theft, (v) the continued risk to their PII, which remains in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect Class Members’ PII in its continued possession, (vi) future costs in terms of time, effort, and money that will be expended as a result of the Data Breach for the remainder of the lives of Representative Plaintiff and Class Members, (vii) the diminished value of Representative Plaintiff’s and Class Members’ PII, and (viii) the diminished value of Defendant’s services for which Representative Plaintiff and Class Members paid and received.

COUNT FOUR
Breach of Implied Contract
(On behalf of the Nationwide Class)

130. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with the same force and effect as though fully set forth herein.

131. Through their course of conduct, Defendant, Representative Plaintiff and Class Members entered into implied contracts for Defendant to implement data security adequate to safeguard and protect the privacy of Representative Plaintiff’s and Class Members’ PII.

132. Defendant required Representative Plaintiff and Class Members to provide and entrust their PII as a condition of obtaining Defendant’s services.

133. Defendant solicited and invited Representative Plaintiff and Class Members to provide their PII as part of Defendant’s regular business practices. Representative Plaintiff and Class Members accepted Defendant’s offers and provided their PII to Defendant.

134. As a condition of being Defendant’s direct patients, Representative Plaintiff and Class Members provided and entrusted their PII to Defendant. In so doing, Representative Plaintiff and Class Members entered into implied contracts with Defendant by which Defendant agreed to


safeguard and protect such non-public information, to keep such information secure and confidential and to timely and accurately notify Representative Plaintiff and Class Members if their data had been breached and compromised or stolen.

135. A meeting of the minds occurred when Representative Plaintiff and Class Members agreed to, and did, provide their PII to Defendant, in exchange for, amongst other things, the protection of their PII.

136. Representative Plaintiff and Class Members fully performed their obligations under the implied contracts with Defendant.

137. Defendant breached the implied contracts it made with Representative Plaintiff and Class Members by failing to safeguard and protect their PII and by failing to provide timely and accurate notice to them that their PII was compromised because of the Data Breach.

As a direct and proximate result of Defendant’s above-described breach of implied contract, Representative Plaintiff and Class Members have suffered and will continue to suffer: (i) ongoing, imminent and impending threat of identity theft crimes, fraud, and abuse, resulting in monetary loss and economic harm, (ii) actual identity theft crimes, fraud, and abuse, resulting in monetary loss and economic harm, (iii) loss of the confidentiality of the stolen confidential data, (iv) the illegal sale of the compromised data on the dark web, (v) lost work time, and (vi) other economic and non-economic harm.

COUNT FIVE
Breach of the Implied Covenant of Good Faith and Fair Dealing
(On behalf of the Nationwide Class)

138. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with the same force and effect as though fully set forth herein.


139. Every contract in the State of Illinois and State of California has an implied covenant of good faith and fair dealing. This implied covenant is an independent duty and may be breached even when there is no breach of a contract’s actual and/or express terms.

140. Representative Plaintiff and Class Members have complied with and performed all conditions of their contracts with Defendant.

141. Defendant breached the implied covenant of good faith and fair dealing by failing to maintain adequate computer systems and data security practices to safeguard PII, failing to timely and accurately disclose the Data Breach to Representative Plaintiff and Class Members, and continuing to accept PII and store other personal information after Defendant knew or should have known of the security vulnerabilities of the systems that were exploited in the Data Breach.

142. Defendant acted in bad faith and/or with malicious motive in denying Representative Plaintiff and Class Members the full benefit of their bargains as originally intended by the parties, thereby causing them injury in an amount to be determined at trial.

COUNT SIX
Breach of Fiduciary Duty
(On behalf of the Nationwide Class)

143. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with the same force and effect as though fully set forth herein.

144. In light of the special relationship between Defendant and Representative Plaintiff and Class Members, whereby Defendant became the guardian of Representative Plaintiff’s and Class Members’ PII, Defendant became a fiduciary by its undertaking and guardianship of the PII to act primarily for Representative Plaintiff and Class Members, (i) for the safeguarding of Representative Plaintiff’s and Class Members’ PII, (ii) to timely notify Representative Plaintiff


and Class Members of a data breach and disclosure, and (iii) to maintain complete and accurate records of what information Defendant has stored and continues to store, and where.

145. Defendant has a fiduciary duty to act for the benefit of Representative Plaintiff and Class Members upon matters within the scope of its relationship with its customers’ patients and former patients—in particular, to keep their PII secure.

146. Defendant breached its fiduciary duties to Representative Plaintiff and Class Members by failing to diligently discover, investigate, and give notice of the Data Breach in a reasonable and practicable period of time.

147. Defendant breached its fiduciary duties to Representative Plaintiff and Class Members by failing to encrypt and otherwise protect the integrity of the systems containing Representative Plaintiff’s and Class Members’ PII.

148. Defendant breached its fiduciary duties to Representative Plaintiff and Class Members by failing to timely notify and/or warn Representative Plaintiff and Class Members of the Data Breach.

149. Defendant breached its fiduciary duties to Representative Plaintiff and Class Members by otherwise failing to safeguard Representative Plaintiff’s and Class Members’ PII.

150. As a direct and proximate result of Defendant’s breaches of its fiduciary duties, Representative Plaintiff and Class Members have suffered and will continue to suffer injury, including but not limited to: (i) actual identity theft, (ii) the compromise, publication, and/or theft of their PII, (iii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and/or unauthorized use of their PII, (iv) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to mitigate the actual and future consequences of the Data Breach, including but not limited to efforts spent researching how


to prevent, contest, and recover from identity theft, (v) the continued risk to their PII, which

remains in Defendant’s possession and is subject to further unauthorized disclosures so long as

Defendant fails to undertake appropriate and adequate measures to protect the PII in its continued

possession, (vi) future costs in terms of time, effort, and money that will be expended as result of

the Data Breach for the remainder of the lives of Representative Plaintiff and Class Members, and

(vii) the diminished value of Defendant’s services they received.

151. As a direct and proximate result of Defendant’s breach of its fiduciary duties,

Representative Plaintiff and Class Members have suffered and will continue to suffer other forms

of injury and/or harm, and other economic and non-economic losses.

COUNT SEVEN
Unjust Enrichment
(On behalf of the Nationwide Class)

152. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with

the same force and effect as though fully set forth herein.

153. Upon information and belief, Defendant funds its data-security measures entirely

from its general revenue, including payments made by or on behalf of Representative Plaintiff and

Class Members.

154. As such, a portion of the payments made by or on behalf of Representative Plaintiff

and Class Members is to be used to provide a reasonable level of data security, and the amount of

each payment allocated to data security is known to Defendant.

155. Representative Plaintiff and Class Members conferred a monetary benefit on

Defendant. Specifically, they purchased goods and services from Defendant and/or its agents and

provided Defendant with their PII. In exchange, Representative Plaintiff and Class Members

should have received from Defendant the goods and services that were the subject of the

transaction and have their PII protected with adequate data security.


156. Defendant knew that Representative Plaintiff and Class Members conferred a

benefit which Defendant accepted. Defendant profited from these transactions and used the PII of

Representative Plaintiff and Class Members for business purposes.

157. Defendant enriched itself by saving the costs it reasonably should have expended

in data-security measures to secure Representative Plaintiff’s and Class Members’ PII. Instead of

providing a reasonable level of security that would have prevented the hacking incident, Defendant

calculated to increase its own profits at the expense of Representative Plaintiff and Class

Members by utilizing cheaper, ineffective security measures. On the other hand, Representative

Plaintiff and Class Members suffered as a direct and proximate result of Defendant’s decision to

prioritize its profits over the requisite security.

158. Under the principles of equity and good conscience, Defendant should not be

permitted to retain the money belonging to Representative Plaintiff and Class Members, because

Defendant failed to implement appropriate data management and security measures mandated by

industry standards.

159. Defendant failed to secure Representative Plaintiff’s and Class Members’ PII and,

therefore, did not provide full compensation for the benefit of Representative Plaintiff and Class

Members.

160. Defendant acquired the PII through inequitable means in that it failed to disclose

the inadequate security practices previously alleged.

161. If Representative Plaintiff and Class Members knew that Defendant had not

reasonably secured their PII, they would not have agreed to provide their PII to Defendant.

162. Representative Plaintiff and Class Members have no remedy at law.


163. As a direct and proximate result of Defendant’s conduct, Representative Plaintiff

and Class Members have suffered and will continue to suffer injury, including but not limited to:

(i) actual identity theft, (ii) the loss of opportunity to determine how their PII is used, (iii) the

compromise, publication, and/or theft of their PII, (iv) out-of-pocket expenses associated with the

prevention, detection, and recovery from identity theft, and/or unauthorized use of their PII, (v)

lost opportunity costs associated with efforts expended and the loss of productivity addressing and

attempting to mitigate the actual and future consequences of the Data Breach, including but not

limited to efforts spent researching how to prevent, detect, contest, and recover from identity theft,

(vi) the continued risk to their PII, which remains in Defendant’s possession and is subject to

further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate

measures to protect PII in its continued possession, and (vii) future costs in terms of time, effort

and money that will be expended to prevent, detect, contest, and repair the impact of the PII

compromised as a result of the Data Breach for the remainder of the lives of Representative

Plaintiff and Class Members.

164. As a direct and proximate result of Defendant’s conduct, Representative Plaintiff

and Class Members have suffered and will continue to suffer other forms of injury and/or harm.

165. Defendant should be compelled to disgorge into a common fund or constructive

trust, for the benefit of Representative Plaintiff and Class Members, proceeds that it unjustly

received from them. In the alternative, Defendant should be compelled to refund the amounts that

Representative Plaintiff and Class Members overpaid for Defendant’s services.


COUNT EIGHT
Declaratory Judgment
(On behalf of the Nationwide Class)

166. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with

the same force and effect as though fully set forth herein.

167. Under the Declaratory Judgment Act, 28 U.S.C. § 2201, et seq., this Court is

authorized to enter a judgment declaring the rights and legal relations of the parties and grant

further necessary relief. Further, the Court has broad authority to restrain acts, such as here, that

are tortious and violate the terms of the federal and state statutes described in this Complaint.

168. An actual controversy has arisen after the Data Breach regarding Representative

Plaintiff’s and Class Members’ PII and whether Defendant is currently maintaining data security

measures adequate to protect Representative Plaintiff and Class Members from further data

breaches that compromise their PII. Representative Plaintiff alleges that Defendant’s data security

measures remain inadequate. Defendant publicly denies these allegations. Furthermore,

Representative Plaintiff continues to suffer injury due to the compromise of their PII and remains at

imminent risk that further compromises of their PII will occur in the future. It is unknown what

specific measures and changes Defendant has undertaken in response to the Data Breach.

169. Representative Plaintiff and the Classes have an ongoing, actionable dispute arising

out of Defendant’s inadequate security measures, including: (i) Defendant’s failure to encrypt

Representative Plaintiff’s and Class Members’ PII, including Social Security numbers, while

storing it in an Internet-accessible environment, and (ii) Defendant’s failure to delete PII it has no

reasonable need to maintain in an Internet-accessible environment, including the Social Security

numbers of Representative Plaintiff.

170. Pursuant to its authority under the Declaratory Judgment Act, this Court should

enter a judgment declaring, among other things, the following:


a. Defendant owes a legal duty to secure the PII of Representative Plaintiff and Class Members;

b. Defendant continues to breach this legal duty by failing to employ reasonable measures to secure consumers’ PII;

c. Defendant’s ongoing breaches of its legal duty continue to cause Representative Plaintiff harm.

171. This Court should also issue corresponding prospective injunctive relief requiring

Defendant to employ adequate security protocols consistent with law, industry, and government

regulatory standards to protect consumers’ PII. Specifically, this injunction should, among other

things, direct Defendant to:

a. engage third-party auditors, consistent with industry standards, to test its systems for weakness and upgrade any such weakness found;

b. audit, test and train its data security personnel regarding any new or modified procedures and how to respond to a data breach;

c. regularly test its systems for security vulnerabilities, consistent with industry standards; and

d. implement an education and training program for appropriate employees regarding cybersecurity.

172. If an injunction is not issued, Representative Plaintiff will suffer irreparable injury,

and lack an adequate legal remedy, in the event of another data breach at Defendant. The risk of

another such breach is real, immediate, and substantial. If another breach at Defendant occurs,

Representative Plaintiff will not have an adequate remedy at law because many of the resulting

injuries are not readily quantified and they will be forced to bring multiple lawsuits to rectify the

same conduct.

173. The hardship to Representative Plaintiff, if an injunction is not issued, exceeds the

hardship to Defendant if an injunction is issued. Representative Plaintiff will likely be subjected


to substantial identity theft and other damage. On the other hand, the cost to Defendant of

complying with an injunction by employing reasonable prospective data security measures is

relatively minimal, and Defendant has a pre-existing legal obligation to use such measures.

174. Issuance of the requested injunction will satisfy the public interest. Indeed,

such an injunction would benefit the public by preventing another data breach at Defendant, thus

eliminating the additional injuries that would result to Representative Plaintiff and others whose

confidential information would be further compromised.

COUNT NINE
Violation of the California Consumer Privacy Act - Cal. Civ. Code § 1798.150(a)
(On behalf of the California Class)

175. Each and every allegation of Paragraphs 1 – 84 is incorporated in this Count with

the same force and effect as though fully set forth herein.

176. The California Consumer Privacy Act (“CCPA”), Cal. Civ. Code § 1798.150(a),

creates a private cause of action for violations of the CCPA. Section 1798.150(a) specifically

provides:

Any consumer whose nonencrypted and nonredacted personal information, as
defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section
1798.81.5, is subject to an unauthorized access and exfiltration, theft, or
disclosure as a result of the business’s violation of the duty to implement and
maintain reasonable security procedures and practices appropriate to the nature of
the information to protect the personal information may institute a civil action for
any of the following:

(A) To recover damages in an amount not less than one hundred dollars
($100) and not greater than seven hundred and fifty ($750) per consumer
per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.


177. Defendant is a “business” under § 1798.140(b) in that it is a corporation organized

for profit or financial benefit of its shareholders or other owners, with gross revenue in excess of


$25 million.

178. Representative Plaintiff and Class Members are covered “consumers” under §

1798.140(g) in that they are natural persons who are California residents.

179. The personal information of Representative Plaintiff and Class Members at issue in

this lawsuit constitutes “personal information” under § 1798.150(a) and 1798.81.5, in that the

personal information Defendant collects and which was impacted by the cybersecurity attack includes an

individual’s first name or first initial and the individual’s last name in combination with one or

more of the following data elements, with either the name or the data elements not encrypted or

redacted: (i) Social security number; (ii) Driver’s license number; and (iii) account number or

credit or debit card number, in combination with any required security code, access code, or

password that would permit access to an individual’s financial account.

180. Defendant knew or should have known that its computer systems and data security

practices were inadequate to safeguard Representative Plaintiff’s and Class Members’ personal information

and that the risk of a data breach or theft was highly likely. Defendant failed to implement and

maintain reasonable security procedures and practices appropriate to the nature of the information

to protect the personal information of Representative Plaintiff and Class Members. Specifically,

Defendant subjected Representative Plaintiff’s and Class Members’ nonencrypted and

nonredacted personal information to an unauthorized access and exfiltration, theft, or disclosure

as a result of the Defendant’s violation of the duty to implement and maintain reasonable security

procedures and practices appropriate to the nature of the information, as described herein.

181. As a direct and proximate result of Defendant’s violation of its duty, the

unauthorized access and exfiltration, theft, or disclosure of Representative Plaintiff’s and Class

Members’ personal information included exfiltration, theft, or disclosure through Defendant’s

servers, systems, and website, and/or the dark web, where hackers further disclosed Defendant’s

customers’ and their employees’ personal information.

182. As a direct and proximate result of Defendant’s acts, Representative Plaintiff and

Class Members were injured and lost money or property, the loss of Representative Plaintiff’s and


Class Members’ legally protected interest in the confidentiality and privacy of their personal

information, stress, fear, and anxiety, nominal damages, and additional losses described above.

183. Section 1798.150(b) specifically provides that “[n]o [prefiling] notice shall be

required prior to an individual consumer initiating an action solely for actual pecuniary damages.”

Accordingly, Representative Plaintiff and Class Members by way of this complaint seek actual

pecuniary damages suffered as a result of Defendant’s violations described herein. Representative

Plaintiff has issued and/or will issue a notice of these alleged violations pursuant to § 1798.150(b)

and intends to amend this complaint to seek statutory damages and injunctive relief upon

expiration of the 30-day cure period pursuant to § 1798.150(a)(1)(A)-(B), (a)(2), and (b).

RELIEF SOUGHT

WHEREFORE, Representative Plaintiff, on behalf of himself and each member of

the proposed National Class, respectfully request that the Court enter judgment in their favor and

for the following specific relief against Defendant as follows:

1. That the Court declare, adjudge, and decree that this action is a proper class action

and certify each of the proposed classes and/or any other appropriate subclasses under F.R.C.P.

Rule 23 (b)(1), (b)(2), and/or (b)(3), including the appointment of Representative Plaintiff’s

counsel as Class Counsel;

2. For an award of damages, including actual, nominal, and consequential damages,

as allowed by law in an amount to be determined;

3. That the Court enjoin Defendant, ordering it to cease and desist from similar

unlawful activities;

4. For equitable relief enjoining Defendant from engaging in the wrongful conduct

complained of herein pertaining to the misuse and/or disclosure of Representative Plaintiff’s and


Class Members’ PII, and from refusing to issue prompt, complete, and accurate disclosures to

Representative Plaintiff and Class Members;

5. For injunctive relief requested by Representative Plaintiff, including but not

limited to injunctive and other equitable relief as is necessary to protect the interests of

Representative Plaintiff and Class Members, including but not limited to an Order:

a. prohibiting Defendant from engaging in the wrongful and unlawful acts
described herein;
b. requiring Defendant to protect, including through encryption, all data
collected through the course of business in accordance with all applicable
regulations, industry standards and federal, state or local laws;
c. requiring Defendant to delete and purge Representative Plaintiff’s and Class
Members’ PII unless Defendant can provide to the Court reasonable
justification for the retention and use of such information when weighed
against the privacy interests of Representative Plaintiff and Class Members;
d. requiring Defendant to implement and maintain a comprehensive
Information Security Program designed to protect the confidentiality and
integrity of Representative Plaintiff’s and Class Members’ PII;
e. requiring Defendant to engage independent third-party security auditors and
internal personnel to run automated security monitoring, simulated attacks,
penetration tests, and audits on Defendant’s systems on a periodic basis;
f. prohibiting Defendant from maintaining Representative Plaintiff’s and
Class Members’ PII on a cloud-based database;
g. requiring Defendant to segment data by creating firewalls and access
controls so that, if one area of Defendant’s network is compromised,
hackers cannot gain access to other portions of Defendant’s systems;
h. requiring Defendant to conduct regular database scanning and securing
checks;
i. requiring Defendant to establish an information security training program
that includes at least annual information security training for all employees,
with additional training to be provided as appropriate based upon the
employees’ respective responsibilities with handling PII, as well as
protecting the PII of Representative Plaintiff and Class Members;
j. requiring Defendant to implement a system of tests to assess its respective
employees’ knowledge of the education programs discussed in the
preceding subparagraphs, as well as randomly and periodically testing
employees’ compliance with Defendant’s policies, programs and systems
for protecting personal identifying information;
k. requiring Defendant to implement, maintain, review and revise as necessary
a threat management program to monitor Defendant’s networks for internal


and external threats appropriately, and assess whether monitoring tools are
properly configured, tested and updated;
l. requiring Defendant to meaningfully educate all Class Members about the
threats they face as a result of the loss of their confidential PII to third
parties, as well as the steps affected individuals must take to protect
themselves.

6. For prejudgment interest on all amounts awarded, at the prevailing legal rate;

7. For an award of attorneys’ fees, costs, and litigation expenses, as allowed by law;

8. For all other Orders, findings and determinations identified and sought in this

Complaint.

JURY DEMAND

Representative Plaintiff, individually and on behalf of the Plaintiff Class(es) and/or

Subclass(es), hereby demands a trial by jury for all issues triable by jury.

Dated: June 24, 2024 By: /s/ Matthew J. Langley


Matthew J. Langley
David S. Almeida
ALMEIDA LAW GROUP LLC
849 W. Webster Avenue
Chicago, Illinois 60614
t: 312-576-3024
[email protected]
[email protected]
Daniel Srourian, Esq.*
SROURIAN LAW FIRM, P.C.
3435 Wilshire Blvd., Suite 1710
Los Angeles, California 90010
Telephone: (213) 474-3800
Facsimile: (213) 471-4160
Email: [email protected]

Counsel for Representative Plaintiff and the


Proposed Class(es)
*Pro Hac Vice Forthcoming
