Hufstetler vs. Upstream Rollco Llc

Case Background

On September 22, 2023, Plaintiff Jeremy Hufstetler, individually, and on behalf of all others similary situated filed a Class action lawsuit in the United States District Court, Alabama Northern (Case number: 2:23cv1265). Magistrate Judge Gray M Borden presided over this case.

Cause

In January and February 2023, a data breach at Upstream RollCo LLC exposed sensitive information, including full names, medical diagnoses, health insurance details, and other protected health information (PHI). Unauthorized access to employee email accounts caused the breach. The company publicly acknowledged the incident on September 15, 2023, notifying affected individuals nearly eight months after the breach. This delay hindered victims’ ability to mitigate identity theft risks and protect their information promptly.

Injuries

The data breach caused significant harm to affected individuals, including emotional distress, anxiety, and fear of data misuse. Representative Plaintiff Jeremy Hufstetler and others faced an imminent risk of identity theft and fraudulent financial or medical claims. Victims reported a loss of intangible property value as their protected health information was compromised and circulated on the dark web. Additionally, they lost valuable time monitoring accounts, disputing fraudulent transactions, and seeking solutions to secure their data.

Damages

The breach resulted in economic and non-economic damages. Victims experienced identity theft, financial loss, and emotional distress. They also incurred out-of-pocket expenses for credit monitoring, legal assistance, and measures to prevent future fraud. The diminished value of stolen protected health information compounded the damages. Furthermore, the breach eroded trust in Upstream RollCo LLC, as the company failed to implement standard data security measures, exposing victims to ongoing identity theft risks.

Key Arguments and Proceedings

Legal representation

  • Plaintiff(s): Jeremy Hufstetler, individually, and on behalf of all others similary situated
    • Counsel for Plaintiff: Jonathan S Mann |  Austin B Whitten |  Hirlye R “Ryan” Lutz III | F Jerome Tapley | Hunter Phares|  Annesley H DeGaris | Alexandra J Calton | Taylor Bartlett | Nicholas A Migliaccio | Jason S Rathod | Brooke Murphy | Daniel Srourian | Tyler J Bean
  • Defendant(s): Upstream RollCo LLC | Upstream Rehabilitation Inc.
    • Counsel for Defendants: James Monagle | Scott S Brown

Claims

The lawsuit alleged negligence, breach of implied contract, and breach of fiduciary duty. Plaintiffs claimed that Upstream RollCo LLC violated federal and state data security laws, including HIPAA and the Federal Trade Commission Act. The class action sought actual, nominal, and consequential damages, as well as injunctive relief to enhance the company’s data security practices. Plaintiffs demanded the deletion of compromised data and the implementation of a comprehensive information security program to prevent future protected health information breaches.

Defense

Upstream RollCo LLC denied the allegations, asserting that it had implemented reasonable security measures to protect PHI and PII. The company argued that the cyberattack exploited unforeseen vulnerabilities despite its compliance with industry standards and legal requirements. It emphasized that the breach resulted from sophisticated cybercriminal tactics beyond its control.

The company maintained that it acted promptly upon discovering the data breach, hiring cybersecurity experts and notifying affected individuals within the timeframe permitted by law. Upstream RollCo LLC highlighted its immediate efforts to contain the breach, upgrade security systems, and provide resources to affected parties. The company argued that delays in notification arose from the complexity of assessing the breach’s full scope. It also contested claims of negligence, asserting that victims suffered no quantifiable harm from the protected health information breach.

Jury Verdict

On January 9, 2024, Upstream RollCo LLC agreed to pay $4.3 million to settle the class action lawsuit arising from the 2023 data breach. The settlement compensated individuals whose protected health information and personally identifiable information were accessed by unauthorized third parties during the January and February 2023 breaches.

Class members received three years of financial account monitoring services and could claim up to $5,000 for documented monetary losses, such as fraudulent charges, identity theft damages, professional fees, and credit-related expenses. Claimants had to provide documentation to secure reimbursement. Those without documented losses were eligible for a pro rata share of the settlement fund, estimated at a minimum of $50 per claimant.

The settlement aimed to address both the financial and emotional impacts of the data breach. By offering comprehensive credit monitoring services, it provided added protection against future identity theft risks.

Court Documents:

Documents are available for purchase upon request at jurimatic@exlitem.com