Apple and the 38 plaintiffs seeking to hold the company accountable for the growing use of the AirTag as a stalking device (see 2311140041) attended private mediation April 27 and a follow-up mediation session Aug. 31, “and have been in contact with the mediator in between and after those sessions,” said the parties’ joint case management report Friday (docket 3:22-cv-07668) in U.S. District Court for Northern California in San Francisco. The parties haven’t reached a resolution, said the report. The plaintiffs’ “primary concern” in the litigation “is to obtain injunctive relief that remedies the immediate and ongoing risks to safety caused by the AirTag as it currently operates,” it said. But finding solutions “involves working with complex technology not only of the AirTag product but also other Apple products and IP, and even with technology of non-parties,” it said. Because of these “issues of scope,” and “in light of the unique nature of the relief sought,” the plaintiffs sought to begin an early mediation process so that they could begin to evaluate how the safety needs of the class “may best be protected in light of Apple’s existing technology,” it said. Another goal of early mediation was to identify “all stakeholders within Apple’s organization who would need to participate in the development and implementation of changes, and accordingly identify areas of alignment and find achievable solutions in as expeditious a manner as possible,” it said. The report was a forerunner to the case management videoconference that the court scheduled for Jan. 12 at 10 a.m. PST.

Medical transcription company Perry Johnson & Associates waited nearly six months to notify “impacted individuals” of a data breach that occurred March 27-May 2, said a negligence class action Thursday (docket 2:24-cv-00025) in U.S. District Court for Nevada in Las Vegas. Plaintiff Huda Abdaljalil, an Ohio resident, is a patient at a healthcare provider for which PJ&A provides transcription services, it said. In “requesting and maintaining” Abdaljalil’s personally identifiable (PII) and personal health (PHI) information, the defendant didn’t take care of her information, “leading to its exposure as direct result” of its “inadequate data security measures,” the complaint said. The notification Abdaljalil received from PJ&A “put the onus” on her to protect her PII and PHI by urging her to “remain vigilant” and recommending that she “regularly review her financial accounts, report any suspicious or unrecognized activity immediately and monitor her accounts for the next 12 to 24 months,” it said. Since learning of the breach, Abdaljalil has received “multiple dark web monitoring alerts” from her credit monitoring agencies, informing her that her PII and PHI “is on the dark web,” it said. Abdaljalil has had to spend time mitigating risk of future identity theft and fraud, including spending time researching the breach, changing her passwords and freezing her credit with credit bureaus, it said. She has experienced “significant frustration, anxiety, worry, stress, and fear” knowing that hackers accessed her PII and PHI and will likely use it in the future for identity theft, fraud “and other nefarious purposes,” it said. In addition to negligence, Abdaljalil claims unjust enrichment. She seeks compensatory and punitive damages, an order of restitution, injunctive relief, pre- and post-judgment interest and legal costs. PJ&A didn’t comment Friday.

U.S. District Judge Kelley Hodge for Eastern Pennsylvania in Philadelphia granted the FTC and Rite Aid's Sept. 19 joint motion to stay their case for 45 days to give the U.S. Bankruptcy Court time to approve their facial recognition settlement, said Hodge’s signed order Thursday (docket 2:23-cv-05023). The action is stayed until Feb. 2 or until the bankruptcy court approves the settlement, whichever is earlier, said the order. The parties by Feb. 2 will file a motion seeking entry of the settlement, or will otherwise notify the court “of the status of the effort” to seek bankruptcy court approval, it said. The settlement with the FTC bars Rite Aid from using facial recognition technology for surveillance purposes in its stores for five years (see 2312190090). The FTC had alleged that Rite Aid failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology to combat theft in hundreds of its stores.

Plaintiff Alexandra Lardis’ claims against Columbia University “materially differ” from those at issue in centralized actions in conditional transfer order (CTO-23) issued Dec. 13 by the Judicial Panel on Multidistrict Litigation in In Re: MoveIt Customer Data Security Breach Litigation, and the CTO should be vacated, said her Wednesday motion (docket 3083) before the panel. Lardis’ case “has nothing to do with the negligence of the defendants in the MOVEit action,” said the motion. Instead, her action (docket 1:23-cv-10241) alleges that defendant Columbia breached its contractual obligations to her and class members regarding its handling of personally identifiable information (PII) including Social Security numbers, dates of birth and first and last names, it said. Lardis alleges Columbia’s conduct violated the university’s written policies regarding maintenance, retention and handling of PII. As of Wednesday, the university “still failed to notify any class members,” or Lardis, of the data breach, “despite it occurring approximately seven months ago,” the motion said. Lardis’ theories of liability require “extremely limited, if any, fact discovery that would overlap with that of the centralized cases,” the motion said, and as a result of factual and legal discrepancies, the case “lacks sufficient commonality with the centralized cases and should not be transferred for pre-trial proceedings.” Lardis’ Nov. 21 action against Columbia, involving the May data breach in Progress Software Corp.'s MOVEit file transfer software, asserts claims of negligence, breach of implied contract and express contract, plus violation of New York Business Law.

All claims against T-Mobile are dismissed following plaintiff Waleed Lashin’s November notice of voluntary dismissal without prejudice (see 2311140040), said a Tuesday text-only order (docket 4:23-cv-00393) from U.S. District Judge David Kays for Western Missouri in Kansas City. Lashin’s June 8 negligence complaint alleged that T-Mobile downplayed the severity of a Feb. 24 data breach and that it didn’t notify customers whose personally identifiable information was exposed until April 28, more than two months after the breach began.

The court should reject the first-to-file rule in a privacy case about a September data breach involving a cyberattack on MGM International’s computer systems, said MGM Resorts International’s brief Tuesday (docket 1:23-cv-20419) in U.S. District Court for New Jersey in Camden. It opposes the plaintiffs’ November emergency motion to preclude all other venues and duplicate litigation. U.S. District Judge Joseph Rodriguez for New Jersey reset deadlines in December for the motion, originally set for Tuesday, to Jan. 16 (see 2312120066). The court should deny Saul and Shirley Lassoff’s first-to-file motion, said MGM, calling it a “baseless attempt to seize control of 13 other putative nationwide class actions pending in the District of Nevada," each alleging similar negligence, breach of contract and unjust enrichment claims against MGM arising from the data breach. The first-to-file rule aims to limit duplicate litigation, “not to incentivize first filers,” said the brief. The rule is “inapposite” where it will neither preserve judicial resources nor enhance “the just and efficient management of the litigation,” it said. The cases against MGM in the District of Nevada “are at least as mature,” if not more so, than the Lassoffs’ case, it said. MGM intends to transfer the Lassoffs’ action to Nevada because the federal court in Las Vegas “provides a more convenient forum in which to efficiently coordinate between and manage multiple pending cases with multiple plaintiffs and counsel of record,” the brief said. Given the location of many witnesses and documents in Nevada, “as well as the total lack of any such evidence in New Jersey,” the convenience offered by trial in Nevada “is sufficient to overcome the first-to-file rule,” it said, citing Ricoh v. Honeywell. All the cases vs. MGM “are in their infancy,” and MGM is of the belief that multiple interested parties in Nevada are working to coordinate the litigation and address the issues that inspire the first-to-file rule, said the brief. “Were those efforts interrupted by an injunction -- particularly without any evidence that these Plaintiffs provided proper notice to the plaintiffs in other actions -- it would undoubtedly lead to ancillary litigation and delay,” it said.

Plaintiff Jamie Garcia “deliberately chose to file” in Indiana state court a negligence lawsuit against Maximus Health Services (docket 1:23-cv-02129) “for convenience purposes,” and because Maximus was the sole party she dealt with involving Progress Software Corp.'s MOVEit software data breach, said her Tuesday brief (docket 3083) in support of her motion to vacate conditional transfer order 22 (CTO-22) before the Judicial Panel on Multidistrict Litigation. Maximus “failed to adequately secure and upgrade its data systems,” and although the health services company detected the attack on May 30, it didn’t properly notify Garcia and waited over two months before informing the public on Aug. 11, the brief said. Maximus removed Garcia’s Nov. 15 case to U.S. District Court for Southern Indiana from Superior Court of Marion County, on Nov. 27, and it filed a notice of potential tagalong actions Dec. 4 including her case. On Dec. 8, the JPML issued CTO-22 and will consider whether consolidation of her case is appropriate in U.S. District Court for Massachusetts in Boston. Garcia asserts she “timely filed” a motion to remand the case to Superior Court of Marion, and it remains pending before U.S. District Judge Patrick Hanlon for Southern Indiana in Indianapolis, who has been “fully briefed,” said the filing. Maximus’ primary argument for federal jurisdiction “is to suggest that a non-party to the state-court action creates jurisdiction in the Federal court”; Garcia disagrees.

Plaintiff-appellee John Doe's counsel in the privacy appeal brought by Cedars-Sinai Health System (see 2305260047) on Thursday submitted to the 9th U.S. Circuit Court of Appeals as supplemental authority the 8th Circuit’s decision in John Doe v. BJC Health System (docket 23-1107). Cedars-Sinai’s appeal seeks to reverse the district court’s order remanding the case to state court where it originated. BJC Health System, like Byrd’s case before the 9th Circuit, “involves a defendant’s improper removal of a case based upon the federal officer removal statute,” said counsel Rachele Byrd of Wolf Haldenstein in her letter Friday (docket 23-55466) to the 9th Circuit clerk. The plaintiffs in BJC Health System allege that when they visited BJC’s online patient portal to access electronic health records, BJC shared their protected health information with third-party marketing services in violation of state privacy laws, it said. The 8th Circuit, “in a comprehensive and carefully reasoned opinion,” affirmed the district court’s order remanding the action back to state court, said the letter. The 8th Circuit held that a party acts under a federal officer, within the meaning of the federal officer removal statute, only when it performs a basic governmental task, it said. That task involves a delegation of legal authority from a federal entity, it said. In other words, the party acts on the government’s behalf, and does the business of the federal government and not merely its own, it said. The 8th Circuit held that the design of private websites is not, and has never been, a basic governmental task, said the letter. When BJC created and operated an online portal for its patients, it wasn’t doing the federal government’s business but rather its own, it said. That BJC received a federal subsidy when it created its private website is an “insufficient” basis for removing a case under the federal officer removal statute, it said.

U.S. District Judge for Southern Florida Roy Altman in Miami signed an order Friday (docket 1:23-cv-23993) dismissing without prejudice a Video Privacy Protection Act class action against Chegg. Plaintiff Michael Foulkes voluntarily dismissed the case against Chegg without prejudice Thursday (see 2312290004). Foulkes alleged in his Oct. 19 complaint that the educational services company tracked his video viewing history while he was on its website and then shared that history with Facebook.

23andMe filed a memorandum of law in support of a motion before the U.S. Judicial Panel on Multidistrict Litigation Friday to transfer and consolidate 31 class actions, and others subsequently filed, involving similar facts or claims around an October data breach (see 23102500360). The genetic testing company announced Oct. 6 that it was hacked, compromising the names, gender, date of birth, genetic ancestry results, profile photos and geographical location of some customers who "recycled login credentials" with usernames and passwords that a threat actor may have accessed. The first action involving the incident, Santana et al v. 23andMe, was filed Oct. 9 in the U.S. District Court for Northern California in San Francisco, and 28 more followed there; two others were filed in the Northern District of Illinois: Gill v. 23andMe (8:23−cv−02387) and Bacus v. 23andMe (docket 1:23-cv-16828), said the memorandum (docket 3:23-cv-05464). On Nov. 30, Judge Edward Chen issued an order relating cases, finding 22 actions in the Northern District of California are related to the Santana action, said the memorandum. The last action, Rivers v. 23andMe Holding Co., was filed Dec. 15. The defendant expects additional lawsuits involving the same alleged security breach “given the ongoing filing of putative class actions over the last two-and-a-half months." Transfer is necessary to conserve court resources, reduce duplicative discovery and avoid inconsistent rulings if the actions proceed separately, the memorandum said.