2:22-cv-00882
E.D. Wis., Sep 23, 2024
Background
- This consolidated class action arises from an April 2022 data breach at OneTouchPoint Corp., a healthcare services vendor, exposing personal and health information of roughly 2.6 million individuals.
- Plaintiffs are patients of OneTouchPoint’s healthcare clients and several former employees whose information was compromised; multiple lawsuits were consolidated in the Eastern District of Wisconsin.
- OneTouchPoint detected a breach in late April 2022 and provided notice to clients and impacted individuals over subsequent months.
- Plaintiffs allege harms such as actual fraud/identity theft, time and effort spent mitigating risk, and diminution in value of private information.
- Defendant moved to dismiss for lack of standing and failure to state actionable claims, challenging both federal jurisdiction and the sufficiency of state and common law claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing for damages (injury-in-fact) | Sufficient injury due to mitigation efforts and risk of ID theft | No concrete injury for some plaintiffs; future risk isn’t enough | Standing for all but Dusterhoft, based on mitigation efforts and actual fraud/alleged harm |
| Standing for injunctive/declaratory relief | Ongoing risk and need for data protection policy changes | No likely redress; future harm is speculative | No standing: injuries too speculative, relief wouldn’t redress past breach |
| Common-law Negligence claims | OneTouchPoint owed duty to safeguard data, breached it, and caused injury | No plausible allegations of causation or compensable damages | Sufficient pleading for negligence and negligence per se; causal link plausible at pleading |
| Fiduciary duty & third-party beneficiary claims | Relationship (or contracts) imposed special duties toward plaintiffs | No direct relationship or contracts for plaintiffs’ benefit | No plausible fiduciary or third-party beneficiary relationship; claims dismissed |
| Unjust enrichment | Plaintiffs conferred monetary benefit via healthcare payments/data | No direct payments; benefits too attenuated or speculative | Sufficient for all but Meza & Crosby (employees only) |
| Claims under various state consumer laws | Statutes provide remedies for delayed notice/fraudulent representations | No private causes of action or plaintiffs aren’t covered by statutes | Only some statutory claims survive: Wisconsin (negligent release—most plaintiffs), Georgia FBPA (Meeks), SC Data Breach Act (Guertin) |
Key Cases Cited
- Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015) (data breach plaintiffs can show standing through mitigation efforts and actual identity theft)
- Lewert v. P.F. Chang’s China Bistro, 819 F.3d 963 (7th Cir. 2016) (time/effort to prevent fraud post-breach can constitute injury-in-fact for standing)
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (standing requires concrete and particularized injury)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for pleading under Rule 8)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (plausible factual inferences are required at the pleading stage)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (self-inflicted costs based on speculative future harm do not establish standing)
- Lujan v. Defs. of Wildlife, 504 U.S. 555 (1992) (three-part test for standing: injury-in-fact, traceability, redressability)
- Cheatham v. ADT Corp., 161 F. Supp. 3d 815 (D. Ariz. 2016) (Arizona Consumer Fraud Act requires misrepresentation in sale/advertisement context)
