Nine cases from eight districts were transferred to U.S. District Court for Massachusetts in Boston for coordinated or consolidated pretrial proceedings in In Re: MoveIT Customer Data Security Breach Litigation, said conditional transfer order 21 (docket 3083) from the U.S. Judicial Panel on Multidistrict Litigation Monday. Some 166 actions involving Progress Software Corp.’s May data breach have been transferred to the Massachusetts court and assigned to U.S. District Judge Allison Burroughs. Other defendants in the nine cases are Sutter Health, Pension Benefit Information, HealthCare Services, Radius Global Solutions, Aristocrat Technologies and Columbia Banking Systems. The cases all involve questions of fact that are common to the previously transferred actions, said the JPML.

“No legal theory” allows the 38 plaintiff AirTags users “to hold Apple liable for the intentional misuse of its product by third parties,” said Apple’s reply Wednesday (docket 3:22-cv-07668) in U.S. District Court for Northern California in San Francisco in further support of its Oct. 27 motion to dismiss their Oct. 6 first amended complaint (see 2310300030). Though the AirTag’s intended purpose is to find lost items like keys or luggage, “its popularity has soared as the preeminent tool for stalking and abuse due to its efficacy, low price point, and ease of use,” said the plaintiffs’ Nov. 13 opposition to Apple’s motion to dismiss (see 2311140041). But case after case, in any jurisdiction whose law the plaintiffs try to invoke, “establishes that Apple owes no legal duty to individuals with whom it has no relationship to prevent the misuse of its product by others,” said Apple’s reply. Only those third parties “wrongfully misusing” Apple products, not Apple, “can be considered a legal cause” of the plaintiffs’ alleged injuries, it said. Apple also can’t be held liable for statements that it didn’t make, “and that it has no legal duty to correct,” it said. Apple didn’t invade any plaintiff’s “privacy interests,” it said. “Only third parties wrongfully misusing Apple products did,” it said. The plaintiffs “have no other legal basis to sue Apple,” it said. Their opposition “fails to supply the missing legal theory,” it said. Though the plaintiffs’ opposition relies heavily on new assertions not found in the first amended complaint, the complaint should be dismissed with prejudice whether the court “considers those assertions or not,” it said. Either way, the plaintiffs “offer no factual or legal basis to overcome the conclusion” that third parties, not Apple, are responsible for their injuries, it said.

The U.S. Judicial Panel on Multidistrict Litigation added one tagalong action to In Re: MoveIt Customer Data Security Breach Litigation in conditional transfer order 20 (CTO-20) (docket 3083) Thursday, bringing the number of cases to 166 under U.S. District Judge Allison Burroughs for U.S. District Court of Massachusetts in Boston, said the filing. Newman v. American Multi-Cinema (AMC) was transferred from U.S. District court for Kansas in Kansas City. Plaintiff Melanie Newman’s Aug. 17 privacy class action (docket 2:23-cv-2358) alleges AMC failed to properly secure and safeguard her personally identifiable information that was compromised in Progress Software’s MOVEit May file transfer software data breach. Defendant AMC filed a motion Nov. 21 to compel arbitration. Elsewhere in the MDL, defendant Midland States Bank withdrew its notice of opposition to CTO-15 as it relates to Gorman v. Progress Software Corp. (docket 3:23-cv-50397), said a Thursday notice before the JPML, and CTO-19 was finalized Wednesday, transferring three cases to the Boston court. Thursday, the JPML vacated CTO-13 after Everling v. First Merchants Bank (docket 1:23-01287) was dismissed in the Southern District of Indiana following the plaintiff’s notice of voluntary dismissal without prejudice. In a response in opposition (docket 1:23-cv-00738) to EMS Management and Consultants’ motion to stay a case involving the MOVEit breach, plaintiff Samantha O’Neal said Tuesday the defendant is trying to “unnecessarily delay” the case. EMS filed a motion Nov. 9 to stay all pending deadlines in the case until 30 days after the JPML issued a decision on whether to transfer the case to the Massachusetts court. O’Neal “strategically decided to solely focus” her actions on EMS, “intentionally excluding Progress and other commonly named defendants associated with the alleged oversight failure,” said the response. “There is a high likelihood” for cases such as O’Neal’s that are brought solely against customer-facing defendants “to be remanded after the completion of common discovery and motion practice related to Progress,” said the filing. “Considering the strong likelihood that the case will be remanded, imposing a stay on all pending deadlines would unnecessarily delay case progression and responses to pending motions until post-remand,” it said. O’Neal “only stands to be harmed” by the court’s acceptance of EMS’ motion to stay, said the response. If the court grants the motion, O’Neal will be forced to postpone her presentation of arguments “ripe for attention by the District Court” until 30 days after the case has been transferred. As demonstrated in O’Neal’s first amended complaint, “every moment spent diverting the Court’s attention away from the merits of the case increases the risk and probability” that she will suffer “additional instances of actual misuse of her personal identifying information,” it said.

Plaintiff Susan Allcock requested that U.S. District Judge Allison Burroughs for Massachusetts in Boston schedule a briefing to address her remand motion related to a class action vs. Valley National Bank involving the MOVEit file transfer software data breach, her counsel, Andrew Milz, said in a Tuesday letter (docket 3083) to the court. Allcock opposes inclusion of her negligence class action against Valley National Bank in conditional transfer order 9 (CTO-9), transferring her case to In re: MOVEit Customer Data Security Breach Litigation. Scott Christie, counsel for Valley National Bank, said in a Nov. 22 letter before the court that Milz plans to raise a motion before the court to remand Allcock’s case to New Jersey state court solely on the basis that the jurisdictional amount in controversy does not exceed $5 million, exclusive of interest and costs. Christie noted that two other complaints of named class members, purporting to represent the same nationwide class as Allcock, made representative admissions that the amount in controversy does exceed $5 million. Christie also said Alcock failed to object to the transfer of her case from the District of New Jersey to the MDL despite a pending remand motion in the District of New Jersey that has been “rendered moot" by virtue of MDL Order No. 1. Under those circumstances, "Valley Bank believes that it would be inappropriate for Ms. Allcock to pursue a motion to remand in the MDL before the court" as the motion may unnecessarily “complicate these proceedings.” Allcock's case, removed Oct. 4 from Middlesex County Superior Court in New Jersey to the U.S. District Court for New Jersey in Newark, asserts she and class members are entitled to a “significant amount of monetary damages” related to “actual identity theft” from the compromise of her personally identifiable information in the late May data breach of Progress Software Corp.'s (PSC) MOVEit file transfer software. Her action, which doesn't name PSC as a defendant, claims Valley Bank “failed to implement reasonable data security measures” to protect her PII. Valley Bank’s failure to protect customers’ information “ultimately allowed nefarious third-party hackers to breach the systems housing PII,” alleges her complaint.

New York Attorney General Letitia James (D) warned New Yorkers affected by a data breach at a medical transcription company to “protect themselves and their information from theft and impersonation,” said her office Tuesday. The May breach at Perry Johnson & Associates affected some 9 million patients, including 4 million New Yorkers who are patients of Northwell Health and Crouse Health, James said. Data affected includes Social Security numbers and insurance and clinical information from medical transcription files, James said. She encouraged victims of the breach to monitor their credit reports and consider placing a credit freeze on the reports.

Plaintiff Hanan Elatr Khashoggi is appealing to the 4th U.S. Circuit Court of Appeals the U.S. District Court for Eastern Virginia's Oct. 26 dismissal of her complaint against NSO Group Technologies and Q Cyber Technologies for lack of personal jurisdiction, said her notice of appeal Tuesday (docket 1:23-cv-00779). Khashoggi’s seven-count complaint alleges NSO and Q Cyber infiltrated her phones with spyware that the Saudi and United Arab Emirates governments used to track the movements of her husband, Saudi journalist and human rights activist Jamal Khashoggi, before his October 2018 murder at the Saudi consulate in Istanbul. The court has a responsibility to decide preliminary issues, such as jurisdiction, “before reaching the merits of a claim,” said District Judge Leonie Brinkema’s memorandum opinion. Though plaintiff Khashoggi “presents a compelling description of her loss from the alleged conduct” of NSO and Q Cyber, the court has no choice but to conclude that it doesn’t have personal jurisdiction over the defendants, it said.

Despite the opportunity to amend their original complaint against the American Bar Association for a March 17 data breach that exposed the records of 1.4 million ABA members, plaintiffs Tiffany Troy and Eric Mata still don’t and can’t “plead facts supporting the basic elements of their claims,” said the ABA’s memorandum of law Tuesday (docket 1:23-cv-03053) in U.S. District Court for Eastern New York in Brooklyn in support of its motion to dismiss. The court should dismiss the amended complaint with prejudice under Rule 12(b)(6) because the plaintiffs’ allegations “are fatally deficient and implausible,” said the memorandum. The plaintiffs’ lawsuit depends on the “implausible assertion” that the data breach compromised their personal and financial data and exposed them to a heightened risk of identity theft, it said. But the ABA’s April notice makes clear that the breach didn’t expose “that kind of information," it said. The plaintiffs also don’t establish how the breach “would have caused the implausible damages they allege,” it said. Plaintiffs Troy and Mata immediately answered with a memorandum of law in opposition to the motion to dismiss, in which they argued that they entered into an "implied contract" with the association as dues-paying ABA members and as customers of merchandise on the ABA's online store. They allege the ABA breached that contract by failing to implement policies to secure their personal information, said the memorandum. They further allege that the ABA's disseminated April notice “misrepresented and downplayed the extent of the data breach or of the ancillary harms that could flow from the disclosure of the data,” it said. To the extent that the plaintiffs’ amended complaint is dismissed, that dismissal shouldn’t be with prejudice, and the plaintiffs “should be permitted another opportunity to amend,” it said.

The plaintiffs in a class action alleging violations of the Illinois Biometric Information Privacy Act (BIPA) class action knew that a “parallel and identical” action was pending in the district but decided to seek individual remedies for the same alleged conduct, said defendants Food 4 Less Midwest and Kroger in a memorandum of law Nov. 17 (docket 1:23-cv-15345) in U.S. District Court for Northern Illinois in Chicago in support of their motion to dismiss. The parallel case, Maetean Johnson v. Ralphs Grocery Company d/b/a Food 4 Less Midwest, and The Kroger Co. subsumes the 10 plaintiffs’ action in Garmon vs. Ralphs Grocery, d/b/a Food 4 Less, and Kroger, filed last month, as the plaintiffs in the Garmon case are putative class members of the Johnson litigation, said the memorandum. The issues in both actions are the same: whether employees in Illinois can recover from the defendants for alleged BIPA violations arising from their use of timeclocks while working for Food 4 Less stores within the statutory period, said the filing. Litigating the case before two different judges in the same district would waste judicial resources and potentially render conflicting rulings, it said. The complaint should be dismissed, or alternatively, the instant action should be stayed until Johnson is resolved, it said.

Caesars Entertainment failed to take proper precautions to keep loyalty program customers’ personally identifiable information (PII) secure when it suffered an Aug. 23 data breach, alleged a Nov. 20 class action (docket 2:23-cv-01919) in U.S. District Court for Nevada in Las Vegas. Caesars filed a form 8-K with the SEC Sept. 7 disclosing it had been the target of a cyberattack and that hackers accessed its computer system that stores customers’ PII, including name; date of birth; passport, Social Security and driver’s license numbers; and financial account information. Plaintiff Vanessa Williams, New Brunswick, New Jersey; Rozalynn Fisher, Fontana, California; Laura Day, Pasadena, Maryland; Saruny Bin, Stockton, California; and Marlene Calzadopaez, Rochester, New York, received notices of the data breach dated from Oct. 13 to Oct. 20, telling them their PII was compromised. The plaintiffs were forced to invest “significant time” monitoring their accounts to detect and reduce the consequences of “likely identity fraud,” the complaint alleges. Plaintiffs assert claims of negligence; breach of implied contract; violations of consumer protection laws of Maryland and New Jersey; violation of the California Unfair Competition Law and New York General Business Law; and unjust enrichment. They seek statutory damages, damages in amounts to be determined by the court or jury, an order of restitution and pre-judgment interest on amounts awarded. A similar negligence suit was filed the previous week in the same court (see 2311160004). The hackers also breached MGM Resorts’ systems (see 2311020036 during the same time frame.

Plaintiff Jane Doe brought a privacy class action Tuesday in U.S. District Court for Central Illinois in Rock Island to address Genesis Health System’s “improper practice” of disclosing her confidential information to Meta, and “potentially others,” via “tracking technologies” used on the Genesis website. Information about a person’s physical and mental health “is among the most confidential and sensitive information in our society,” said the complaint (docket 4:23-cv-04209). The “mishandling” of medical information “can have serious consequences,” including discrimination in the workplace or denial of insurance coverage, it said. When Doe and her potential class members used the Genesis website and online platforms, “they thought they were communicating exclusively with their trusted healthcare provider,” it said. “Unbeknownst to them,” Genesis embedded tracking technologies from Facebook, Google and others into its website and online platforms, “surreptitiously forcing” Doe and the class members “to transmit intimate details about their medical treatment to third parties without their consent,” it said. After receiving that information from Genesis, Facebook “processes it, analyzes it, and assimilates it into its own massive datasets, before selling access to this data in the form of targeted advertisements,” said the complaint. Google and other companies “process data in a similar manner and use it to build marketing and other data profiles, allowing for targeted online advertising,” it said. Genesis could have chosen not to use the tracking technologies, or it could have configured them “to limit the information that it communicated to Facebook” and other platforms, but it didn’t, it said. Doe has been a Genesis patient for 30 years, and uses its website to search for doctors and schedule appointments, having last done so in September, it said. By failing to receive the “requisite consent” to disclose Doe’s private information to Facebook and others, Genesis violated its agreements with the plaintiff, its policies and the law, it said. Since using the Genesis website, Doe “has been targeted by online advertisements for prescription medications,” it added. Doe's complaint alleges that Genesis violated Health Insurance Portability and Accountability Act privacy standards, and those of the FTC and the Department of Health and Human Services. She also alleges violations of the Illinois Consumer Fraud and Deceptive Practices Act. She seeks “equitable relief” enjoining Genesis from engaging in the “wrongful conduct” described in her complaint.