Nine plaintiffs filed a putative class action Thursday to thwart Google from wiretapping electronic communications on major online tax-filing websites offered by H&R Block, TaxAct and TaxSlayer, among others. Due to Google’s unlawful wiretapping conduct, U.S. consumers “have been involuntarily transmitting their sensitive financial information to Google when they file their taxes online,” alleged the complaint (docket 5:23-cv-04191) in U.S. District Court for Northern California in San Jose. The wiretapping was made possible by Google’s tracking pixel, which is embedded in the JavaScript of online tax preparation websites, said the class action. The tax preparation companies “sent private tax return information to Google through Google Analytics and its embedded tracking pixel, which was installed on their websites,” it said. These pixels “sent massive amounts of user data to Google to improve its ad business and enhance its other business tools,” it said. Disclosing tax-return information without consent is a crime, as is “aiding and abetting the unlawful disclosure of tax-return information,” it said. Inspecting “unlawfully obtained” tax-return information also is a crime, it said. The class action “seeks to certify putative subclasses of residents of various states who used the same websites,” it said. “The complaint alleges violations of state and federal wiretapping laws,” including the California Invasion of Privacy Act, the Federal Wiretap Act, the Florida Security of Communications Act, the Illinois Eavesdropping Act and the Texas Criminal Wiretap Act. Google didn’t comment.

Insurance company Talcott Resolution “negligently assessed and managed the cybersecurity risk posed by its third party service providers” Pension Benefits Information (PBI) and Progress Software Corp. (PSC), alleged a class action Tuesday (docket 1:23-cv-11864) in U.S. District Court for Massachusetts in Boston. Talcott provided the personally identifiable information (PII) of plaintiff Edward Casey, a Texas resident, to PBI and to PSC, which reported on May 31 a vulnerability in its MOVEit Transfer and MOVEit Cloud software that could lead to “escalated privileges and potential unauthorized access to the environment,” said the complaint. PSC launched an investigation, notified MOVEit customers of the issue and provided mitigation steps; it applied additional patches June 9 and June 16 to address other vulnerabilities that were discovered, the complaint said. Russian cyber gang Clop took responsibility for the attack, which began May 27, and began attempts to ransom and exploit data accessed from MOVEit, the complaint said. PBI was one of the companies whose data was “accessed and stolen” by Clop, which included PII of millions of individuals, including Casey and class members, it said. Defendants Talcott, PBI and PSC had “obligations created by contract, industry standards, common law, and representations” made to Casey and class members to keep their PII confidential and to protect them from unauthorized access and disclosure, it said. Due to the data breach, Casey will continue to spend time trying to mitigate the consequences of the breach, including time spent verifying the legitimacy of communications about the breach and self-monitoring his accounts and credit reports to ensure no fraudulent activity has occurred, said the complaint. The plaintiff suffered “imminent and impending injury arising from the present and ongoing risk of fraud, identity theft, and misuse” resulting from his PII “being placed in the hands of cybercriminals.” The defendants should have known the importance of safeguarding Casey’s and class members’ PII, it said. The action claims negligence, negligence per se, breach of third-party beneficiary contract and unjust enrichment, and seeks declaratory and injunctive relief. Casey requests an order requiring defendants to encrypt all data collected through the course of its business; destroy his and class members’ PII; maintain a comprehensive information security program; and “meaningfully educate” class members about threats they face as a result of the breach. He seeks an award of actual, consequential and nominal damages, plus attorneys’ fees and legal costs.

Plaintiff Jane Doe didn't consent to the collection of her personal information, and adequately pled her claims, said her reply brief Monday (docket 2:23-cv-00718) in U.S. District Court for Western Washington in Seattle in opposition to defendant Microsoft’s July 13 motion to dismiss her privacy complaint (see 2307140013). Microsoft’s “misconduct” isn’t disclosed within defendant Qualtrics’ privacy statement, which doesn’t identify Microsoft or the types of data collected by the software company, “thus constituting inadequate disclosure,” the reply said. Doe’s May 15 complaint alleges Microsoft and data analytics firm Qualtrics violated patients’ healthcare privacy rights on the Kaiser Permanente website by intercepting and collecting their personal data. Each of Doe’s claims was sufficiently pled because she has a protected property interest in her personal identifiable information, including medical information, and Microsoft “improperly and without compensation to Plaintiff, obtained that information,” said the reply, saying Article III standing was thus sufficiently alleged; Microsoft obtained Doe’s information in a manner that can identify her. On Qualtrics’ request for judicial notice and notice of incorporation by reference, webpages from its website and a login screen and privacy statement from Kaiser Permanente, Doe said none of the pages is referenced in Doe’s complaint, but defendants ask the court to take judicial notice or deem them incorporated into the complaint by reference. Qualtrics advances “self-serving and unsupported interpretations of the documents” they ask the court to “accept as true and substantively correct,” said a Monday brief. In an “improper attempt to add facts to the record” and deny plaintiffs the opportunity to contest those facts, Qualtrics argues the court can take judicial notice of the content of defendants’ chosen portions of the Qualtrics and Kaiser websites, and an undated sign-in page and privacy statement “mentioned nowhere” in Doe’s complaint “is somehow incorporated into that pleading by reference,” said the reply. Neither exception applies, “let alone permits the Court to accept Defendants’ self-serving interpretations of the putative exhibits for purposes of their motion to dismiss.” Both motions to dismiss should be denied, she said. Microsoft and Qualtrics’ replies in support of their motion to dismiss are due Sept. 11.

A hearing on Meta’s motion to dismiss an ad-targeting lawsuit (see 2305090042) will be via Zoom Wednesday at 2 p.m. PDT, said a text-only order Monday (docket 3:22-cv-03580) in U.S. District Court for Northern California in San Francisco. The "Doe" plaintiffs in the consolidated action allege Pixel tracks patient exchanges about providers, conditions and treatments -- and information exchanged with health insurance companies, pharmacies and prescription drug companies -- for ad targeting.

U.S. District Judge Mark Mastroianni for Massachusetts in Springfield scheduled Oct. 19 oral argument at 1 p.m. EDT in the moot courtroom at Western New England University School of Law in Springfield in the privacy case in which six Android users allege the Massachusetts Department of Public Health unlawfully installed a COVID-19 contact-tracing app on their phones without their knowledge or consent (see 2303220002), said Mastroianni’s electronic order Monday (docket 1:22-cv-11936). Mastroianni, a President Barack Obama appointee in 2013, earned his law degree from the school in 1989, per his court bio. “Counsel should be aware that law students will be in attendance and courtroom technology may be limited,” said the order. Each side will get 30 minutes, and counsel “should be prepared to make comprehensive arguments for the benefit of the law students,” it said.

The U.S. Judicial Panel for Multidistrict Litigation will be reviewing additional tagalong actions in MOVEit Customer Data Security Breach Litigation potentially for "years to come,” said plaintiff Bruce Bailey Friday in his consolidated reply (docket 3083) in further support of a motion for centralization and transfer of related actions to the U.S. District Court in Minnesota. Since Bailey filed his initial motion to transfer, there are now 44 related actions and tagalongs representing 11 federal district courts, said the reply. Ten named defendants in the litigation, arising out of a data breach involving Progress Software Corp.’s MOVEit file transfer software, represent insurance companies, banks, educational institutions, and governmental entities who are alleged to use MOVEit. The software is also used under license by defendant Pension Benefit Information. Not all parties agree with transfer and consolidation. Johns Hopkins University and Johns Hopkins Health System filed responses in opposition to consolidation this month (see 230807006), saying Bailey’s motion to transfer said the “purportedly related actions” before the panel should be transferred and centralized because they all involve defendants PSC and PBI, but five actions were filed July 7-19 against the Johns Hopkins defendants in U.S. District Court for Maryland, “all asserting claims against the Johns Hopkins Defendants regarding the loss of data in their possession in a data breach"; three of those cases name PSC, but not PBI, they noted. Bailey acknowledged not all parties agree with transfer and consolidation but said no party to a related action contests that all related actions “are centrally related to the May 2023 hack and exfiltration of data from the MOVEit file transfer software.” The JPML focuses on “whether or not one or more issues of fact overlap, which all of the Related Actions here clearly do,” Bailey said. On the Illinois Department of Innovation and Technology’s argument that it possesses “additional legal and factual defenses not available to the corporate defendants” and seeks an assessment of the litigation’s merits that’s beyond the panel’s authority, Bailey said: “Any judge assigned to this MDL is perfectly capable of deciding motions that will be able to dispositively address the Illinois Department of Innovation and Technology’s position as a Defendant.” In addition to being a central location, the District of Minnesota “has one of the least congested dockets in the country,” and U.S. District Judge Katherine Menendez has the first-filed action, the reply said.

Genworth Financial supports plaintiff Bruce Bailey’s motion to transfer related actions to the MOVEit Customer Data Security Breach Litigation (see 2307120053), said its response brief (docket 3083) Tuesday before the U.S. Judicial Panel on Multidistrict Litigation. Genworth used Progress Software Corp.’s (PSC) MOVEit secure file transfer software, which allegedly had vulnerabilities that allowed an unauthorized third-party to access data from numerous companies such as Pension Benefit Information (PBI). “As an attenuated result of that chain of events, because PBI had data from Genworth subsidiaries in order to provide PBI’s contracted-for services, Genworth now finds itself a defendant in a few putative class actions subject to transfer in this already sprawling docket of roughly four dozen total cases,” said the response. If actions against Genworth “advance past dismissal,” centralized proceedings “will be essential to efficiency, especially by avoiding conflicting class action proceedings,” it said. “There is no basis for holding Genworth liable for vulnerabilities created and sold by PSC and used, not by Genworth, but by PBI, a vendor providing services to Genworth subsidiaries,” it said. If there's a wrongdoer aside from the unauthorized third party who accessed MOVEit, “it will be revealed through discovery and proceedings centered on the work and conduct of PSC and PBI." PSC and PBI are co-defendants with Genworth in one action, in addition to being co-defendants in many other cases where defendants, like Genworth, “are one or more steps removed from the software at issue,” it said. “Given the numerous complaints already pending around the country brought by many different plaintiffs’ lawyers against PSC, PBI, and a hodgepodge of other defendants, there would be no good or remotely efficient way to handle these cases without Multidistrict Litigation,” it said.

Plaintiffs in six negligence lawsuits against Intellihartx (ITx) moved to consolidate their related actions and appoint co-lead class counsel, said a Monday memorandum (docket 3:23-cv-1224) in U.S. District Court for Northern Ohio in Toledo. The related actions arise from a cyberattack on ITx’ computer network beginning around Jan. 30, resulting in the compromise of plaintiffs’ personally identifiable information, including names, addresses, medical billing and insurance information, diagnoses, medication and Social Security numbers, said the memorandum. Plaintiffs raise legal questions that ITx breached the same or similar common law and statutory duties and seek the same remedies and compensation, it said. They propose as interim co-lead counsel Mason Barney of Siri & Glimstad, Gary Klinger of Milberg Coleman, and William Federman of Federman & Sherwood, “nationally recognized as leaders in data breach litigation.” The related cases are Perrone v. Intellihartx, Kelly v. Intellihartx, Cabrales v. Intellihartx, Timmons v. Intellihartx, McDavitt v. Intellihartx and Terwilliger v. Intellihartx.

Three plaintiffs in two more privacy complaints against Johns Hopkins University and the Johns Hopkins Health System oppose plaintiff Bruce Bailey’s motion for centralization and transfer of related actions to MOVEit Customer Data Security Breach Litigation (see 2307120053), said their Monday response (docket 3083) before the U.S. Judicial Panel on Multidistrict Litigation. Plaintiffs Pamela Hunter (1:23-cv-01826), and Maria Gregory and Ayomiposi Asaolu (docket 1:23-cv-01854) filed cases that name only the Hopkins entities, while Bailey seeks to move the cases “away from the region where the parties and most of the witnesses are located” to the district of Minnesota and to consolidate them with the 33 “and counting” other cases against numerous defendants not named in the Hopkins plaintiffs’ complaints, said the motion. On July 5, Bailey filed an action against Progress Software Corp. (PSC) and Pension Benefit Information, then filed a motion the following day to consolidate and transfer nine other actions that named the same defendants into a single proceeding before the U.S. District Court for Minnesota (see 2307120053). The Hopkins plaintiffs initiated their actions in July for a data breach that involved sensitive health information for patients of Johns Hopkins hospitals and medical providers. A third case that named only Johns Hopkins entities as defendants, Schaffer v. the Johns Hopkins University (docket 1:23-cv-02099), was filed Thursday in U.S. District Court for Maryland in Baltimore, said the motion. Three additional cases filed in the district of Maryland name PSC and the Hopkins plaintiffs but name only the Hopkins defendants “because they have no privity” with PSC “and did not believe them to be the responsible entities for the Data Breach that occurred on Johns Hopkins server(s),” the motion said. Shortly after the filing of the three cases that name both the Hopkins defendants and PSC -- Truesdale v. PSC (docket 1:23-cv-01913), Pulignani v. PSC (docket 1:23-cv-01912) and Doe v. PSC (1:23-cv-01923) -- Doe filed a notice of related action as to the Hunter and Gregory cases, seeking to bring those cases into that action, the response said. At the time of submission, Bailey or others have designated at least 33 complaints as “’related to this action, and there may be more yet lingering in federal and state courts,” it said. The actions for which Bailey seeks consolidation involve breaches of data for seven named defendants other than PSC, “ranging from banks to life insurance companies to state agencies,” it said; several, such as the Hopkins plaintiffs, don’t name PSC.

Plaintiff Julie Jones seeks to remand her June 1 California Invasion of Privacy Act class action against Tonal Systems to California Superior Court where it originated before Tonal removed it July 7 to U.S. District Court for Southern California in San Diego, said her memorandum of points and authorities Friday (docket 3:23-cv-01267) in support of her remand motion. Jones alleges Tonal, a maker of smart home fitness equipment, uses third parties' software to “secretly wiretap and eavesdrop on the private conversations of users of the chat features on Tonal’s website in real time” (see 2307110047). Her claims “almost certainly fall” within the “home state controversy exception” of the Class Action Fairness Act (CAFA) and should be remanded to state court for that reason, said her memorandum. In the alternative, to help the court and the parties determine whether the Southern District of California may exercise jurisdiction over Jones’ claims, the court should permit her “to engage in expedited jurisdictional discovery for this purpose,” it said. The CAFA’s exception says a district court should decline to exercise jurisdiction where two-thirds or more of the members of all proposed plaintiff classes, plus the primary defendants, are citizens of the state in which the action was originally filed, it said. Tonal is “unquestionably” a citizen of California, where it’s headquartered, said the memorandum. In all likelihood, the vast majority of class members used the Tonal website’s chat feature “from their homes in California, where the vast majority likely intend to remain indefinitely and are therefore domiciled,” it said. The complaint therefore supports a finding that, “at a minimum,” two-thirds of the proposed class members are citizens of California and the exception to CAFA jurisdiction applies, it said. If the court seeks a more satisfactory showing of how many class members there were and where they were located by the date of the filing of the complaint, “limited discovery on this jurisdictional topic is appropriate,” it said.