In re Arthur J. Gallagher Data Breach Litig.

Decision Date: 28 September 2022
Docket Number: 22-cv-137
Parties: In re Arthur J. Gallagher Data Breach Litigation
Court: U.S. District Court — Northern District of Illinois

MEMORANDUM OPINION AND ORDER

Mary M. Rowland, United States District Judge.

In 2020, insurance brokers Defendants Arthur J. Gallagher (AJG) and Gallagher Basset Services (GBS) experienced a cybersecurity attack on their internal systems. After receiving notices of the data breach from Defendants, Plaintiffs (former clients and employees) claim injuries under common law, consumer protection statutes, and data notification statutes. Plaintiffs bring putative class actions seeking to represent a nationwide class and state subclasses. Defendants move to dismiss the two complaints in this consolidated case. [2] [4]. For the reasons explained below, this Court grants in part and denies in part Defendants' motions.

I. Background

This Court accepts as true the following facts from the consolidated amended complaint (CC) and the May complaint (MC).[1] See Wagner v. Teva Pharm. USA Inc., 840 F.3d 355, 358 (7th Cir. 2016). Because Plaintiffs' complaints contain similar allegations and concern similar claims, this Court will sometimes cite to one complaint for a proposition that applies to all Plaintiffs. Unless otherwise indicated, citations to docket numbers refer to filings in the master case, case number 21-cv-4506.

A. General Allegations

Plaintiffs John Parsons, Adrian Villalobos, Christopher Caswell, Robert Davie, Peter Horning, Julia Kroll, Amanda Marr, Brent McDonald, Jonathan Mitchell, Jason Myers, John Owens, Alan Wellikoff, Chandra Wilson, Arda Yeremian, Tracey Block, and Leslie May claim that Defendants injured them by failing to secure and safeguard their personally identifiable information and/or protected health information. See generally CC; MC. Defendant AJG is a leading insurance brokerage, risk management, and HR & benefits company. CC ¶ 2. AJG's global group of companies and partners includes Defendant GBS, a third-party administrator and claims manager. Id. ¶ 3.

Plaintiffs allege that, from June 3 to September 26, 2020, an unknown party accessed certain segments of AJG's network, including segments at GBS, during a ransomware event (the Data Breach). Id. ¶ 5. During the Data Breach, the attacker accessed records containing the personal information of more than three million individuals. Id. ¶ 6. On or around September 26, 2020, Defendants detected the ransomware event. Id. ¶ 7. Around June 30, 2021, Defendants began notifying some class members and various states' Attorneys General of the Data Breach. Id. ¶¶ 8, 9.

Plaintiffs claim the Data Breach resulted from Defendants' failure to properly secure and safeguard their personally identifiable information (PII), including names, social security numbers, tax ID numbers, driver's licenses, passport or other government identification numbers, dates of birth, usernames and passwords, employee ID numbers, financial or credit card information, and/or electronic signatures. Id. ¶ 1. Plaintiffs also claim that Defendants failed to safeguard their protected health information (PHI), such as medical records or account numbers and biometric information. Id. Plaintiffs allege that the Data Breach has resulted in the unencrypted PII and PHI of Plaintiffs and class members ending up for sale on the “dark web as that is the modus operandi of hackers.” Id. ¶ 59. Plaintiffs assert that Defendants should have implemented better measures that prevent and detect ransomware attacks. Id. ¶ 62.

B. Named Plaintiffs' Experiences

Plaintiff Parsons worked for AJG in Louisiana from January 1996 through April 1999. Id. ¶ 96. Parsons trusted his PII and PHI to AJG, who retained Plaintiff's name and social security number in its system during the time of the Data Breach. Id. ¶ 97. Parsons received notice of the Data Breach on July 18, 2021; the notice stated that Parsons' name and social security number were among the information accessed or acquired during the Data Breach. Id. ¶ 99. As a result, Parsons spent time verifying the legitimacy of the Data Breach notice and self-monitoring his accounts. Id. ¶ 100. Parsons experienced a “substantial increase” in suspicious calls, emails, and text messages, which he believes is related to the Data Breach. Id. ¶ 106.

Plaintiff Villalobos worked for Prolacta Bioscience in California from September 2015 to August 2019. Id. ¶ 108. In connection with his employment, Villalobos entrusted his PHI and/or PII to Defendants, “possibly through a third-party that provided human resources services to Prolacta.” Id. ¶ 109. Villalobos received Defendants' notice of the Data Breach in August 2021; the notice stated that his name, medical diagnosis, medical treatment information, and medical claim information were accessed or acquired during the Data Breach. Id. ¶ 111.

Plaintiff Caswell worked for Saddle Creek Logistics Services from 2016 to December 2020. Id. ¶ 119. In connection with that employment and a workers compensation claim, Caswell entrusted his PII and/or PHI to Defendants. Id. ¶ 120. Caswell's notice of the Data Breach stated that his “personal information” was among the information accessed or acquired during the Data Breach. Id. ¶ 122.

Plaintiff Davie worked for Whirlpool Corporation in California from August 1998 to October 2008 and entrusted his PII and/or PHI to GBS as the third-party administrator for Whirlpool's workers compensation claims. Id. ¶¶ 130-31. The notice Davie received stated that his name, social security number, medical record number, medical diagnosis, medical treatment information, health insurance information, and medical claim information were accessed or acquired during the Data Breach. Id. ¶ 133. Davie also received a letter from Whirlpool stating that some of his employee information had been impacted during a ransomware attack affecting GBS. Id. Davie claims that, as a result of the Data Breach, he experienced an increase in suspicious phone calls and emails and purchased “Robokiller” for $4.99 per month from approximately July through September 2021 to address this problem. Id. ¶ 134.

Davie also experienced a decline in his credit score that he believes is, at least in part, due to a “hard inquiry” by ADT on his credit report; because Davie has not used ADT's services, he believes this unauthorized inquiry is related to the Data Breach. Id. ¶ 135.

From 2001 to 2003 and 2014 to 2019, Plaintiff Horning worked for the Pinellas County Sheriff's Office in Florida; from 2003 to 2014, Plaintiff worked for the Gulf Port Police Department, also in Florida. Id. ¶ 143. In connection with his employments, Horning entrusted his PII and PHI to Defendants, “possibly through Defendant's provision of workers' compensation insurance to either the Pinellas County Sheriffs Office or the Gulf Port Police Department or both.” Id. ¶ 144. Horning received notice of the Data Breach around September 14, 2021, which stated that his name, medical diagnosis, and medical claim information were accessed or acquired. Id. ¶ 146. Horning has experienced a “substantial increase” in suspicious calls, emails, and text messages and believes these events are related to the Data Breach. Id. ¶ 153.

Plaintiff Kroll worked for the Glenbard School District in Illinois from August to November 2018 and entrusted her PII and/or PHI to Defendants, likely through the Suburban School Cooperative Insurance Pool. Id. ¶¶ 155-56. The notice Kroll received about the Data Breach stated that her name and medical claim information were accessed or acquired. Id. ¶ 158. Since the Data Breach, Kroll has experienced fraudulent charges on her credit card and an increase in suspicious calls and emails. Id. ¶ 159. The fraudulent charge made Kroll unable to purchase furniture. Id. Even now, Kroll experiences difficulties when she uses her credit card to make larger purchases. Id.

Plaintiff Marr worked for Omni Hotels and Resorts in California from 2013 to 2019, and in connection with that employment, entrusted her PII and/or PHI to Defendants. Id. ¶ 168. Marr received notice of the Data Breach around July 21, 2021, and the notice informed her that her name, social security number, medical diagnosis, medical treatment information, medication information, health insurance information, and medical claim information were accessed or acquired during the Data Breach. Id. ¶ 170. Marr believes that, as a result of the Data Breach, a criminal used her identity to apply for unemployment benefits sometime during the summer of 2020. Id. ¶ 172. In addition, Marr has experienced an increase in scam emails and phone calls and a notice from “gotpwned.com” indicating that she needed to change her email passwords. Id. ¶ 173.

Plaintiff McDonald worked for Labor Finders in California from September 2018 through January 2019 and entrusted his PII and PHI to Defendants, possibly through Defendants' provision of workers' compensation insurance to Labor Finders. Id. ¶¶ 180-81. A July 21, 2021 notice informed McDonald that the Data Breach compromised his name, social security number, medical diagnosis, medical treatment information, and medical claim information. Id. ¶ 183. Since the Data Breach, McDonald experienced fraud and identity theft, which has led to him being charged late fees by his bank, utility companies, and his landlord, id. ¶¶ 191-92.

Plaintiff Mitchell worked for Circle Home, Inc. in Massachusetts from May 2012 to present. Id. ¶ 198. Mitchell entrusted his PII and PHI to Defendants, possibly through their provision of workers' compensation insurance to Plaintiff's employer. Id. ¶ 200. He also received notice that his name and social security number were compromised during the Data Breach, and claims to have experienced a “substantial...
