Flagstar Bank Data Breach Not Discovered for Six Months Class Action

This class action brings suit against Flagstar Bankcorp, Inc. and Flagstar Bank, FSB alleging they bear responsibility for the data breach that occurred in the bank’s systems in December 2021. The complaint claimed Flagstar did not implement and maintain security practices adequate to protect the personally identifiable information (PII) it kept in its files.

The class for this action is all California residents to whom Flagstar or its agents sent a Notice of Data Breach letter telling them that their PII was compromised in the data breach.

The data breach took place between December 3 and 4, 2021, but the complaint alleges that Flagstar did not discover it until on or about June 2, 2022 and did not send out notice to the victims until on or about June 16, 2022. The files accessed in the incident contained names, addresses, dates of birth, Social Security numbers, and account or loan numbers, the complaint alleges, and suggests that 1.5 million customers were affected.

The notice did not specify who committed the data breach, how this party gained access to Flagstar’s system, or why it took Flagstar six months to become aware of it, so the complaint claims the notice was “inadequate and fail[ed] to provide sufficient detail.” However, the complaint blames the data breach on “Flagstar’s inadequate cybersecurity[.]”

Data breaches are harmful to consumers, the complaint alleges, as cybercriminals use stolen information to commit crimes such as credit card fraud, phone or utilities fraud, and bank or financial fraud. Stolen data may be held for a year before it is used, and the complaint cites the LinkedIn data breach, in which information was held for four years before it was used.

The California Consumer Privacy Act (CCPA) gives Californians certain rights with respect to their personal information, including “requesting disclosure of the information collected, the purpose for collecting the information, and any third parties [to] whom the information is sold or disclosed.” The complaint alleges that Flagstar’s Privacy Policy also identifies other rights under the CCPA, including “requesting deletion of information, opting out of hav[ing] personal information sold to third parties, and receiving information that identifies any third party that has received personal information.”

The complaint alleges that Flagstar knew or should have known that it was at high risk of a data breach, and should have been on high alert against a cyberattack, because the information it stores is valuable to identity thieves. The complaint asserts, “Flagstar negligently left its computer systems open to attack.”

Even with Settings Off, Apple Collects Consumer Data Class Action

Apple, Inc. claims to respect individuals’ desire to keep their data private, purportedly offering them ways to turn off sharing on their iPads and iPhones. But the complaint for this class action alleges that Apple goes on to collect their information from those devices anyway.

The Nationwide Class for this action is all individuals who, while using an Apple mobile device, had their information tracked or used by Apple after turning off “Allow Apps to Request to Track,” “Share iPad Analytics,” “Share iPhone Analytics,” or any other similar setting on an Apple mobile device that purported to stop Apple from collecting mobile app activity. A similar California Class has also been defined.

The complaint quotes the Apple Privacy Policy as saying, “At Apple, we respect your ability to know, access, correct, transfer, restrict the processing of, and delete your personal data.” It also quotes the similar Apple App Store User Privacy and Data Use page: “The App Store is designed to be a safe and trusted place for users to discover apps created by talented developers around the world. Apps on the App Store are held to a high standard for privacy, security, and content because nothing is more important than maintaining users’ trust.”

Recent Apple advertising continues the privacy theme, for example, with a billboard (depicted on page 8 of the complaint) saying, “Privacy. That’s iPhone.”

The complaint alleges that Apple tells users how to keep their data from being shared, with instructions as to how to turn off “Allow Apps to Request to Track” settings, and also says it will “disable [the sharing of] Device Analytics altogether” if users turn off “Share iPad Analytics” on their iPad or iPhone.

But testing performed by two developers at a software company called Mysk showed that, according to the complaint, even when users follow these instructions, “Apple still records, tracks, collects, and monetizes consumers’ analytics data, including browsing history and activity information.”

The testing also showed, the complaint alleges, “that Apple continues to access consumers’ app usage, app browsing communications, and personal information in its proprietary apps, including the App Store, Apple Music, Apple TV, Books, and Stocks” even when they have turned off these settings.

The story came out in Gizmodo, the complaint alleges, on November 8, 2022, later appearing in other media outlets. “As of the date of filing,” the complaint alleges, “Apple still has not responded to or publicly refuted the reports.”

The complaint points out, “California law prohibits unauthorized recording of confidential communications” and accuses Apple of “knowing and unauthorized recording, copying, taking, use, and tracking of consumers’ communications and activity, and … knowing and unauthorized invasion of consumer privacy.”

Mazda Vehicles Excessive Oil Consumption Class Action

This class action concerns a defect in certain 2021 vehicles made by Mazda Motor of America, Inc. that causes them to consume excessive amounts of oil. The complaint alleges that the valve stem seals are defective and let oil leak into the combustion chamber, causing them to consume too much oil, violating emissions standards, and causing damage to emissions components and engines.

The class for this action is all persons or entities in the US who are current or former owners or lessees whose vehicles are subject to Technical Service Bulletin (TSB) 01—12/21:

  • 2021 Mazda3 (Japan built 2.5T) with VINs lower than JM1BP******403639 (produced before September 14, 2021)
  • 2021 Mazda6 (2.5T) with VINs lower than JM1GL******618910 (produced before September 15, 2021)
  • 2021 CX-30 (2.5T)
  • 2021 CX-5 (2.5T) with VINs lower than JM3KF******472325 (produced before September 14, 2021)
  • 2021 CX-9 (2.5T) with VINs lower than JM3TC******541071 (produced before September 14, 2021)

In addition to this class of plaintiffs, the complaint also asks for the certification of a class of defendants, the Mazda dealerships that the complaint claims are “conspiring with Mazda to hide and conceal a known, dangerous defect.”

What is the evidence of this conspiracy? The complaint quotes a Mazda TSB as saying that the dealer should explain the following to the customer: “A small amount of the engine oil may be leaking into the combustion chamber, causing the oil consumption. Mazda has confirmed this oil leakage … will not cause any immediate engine damage and the vehicle may be safely driven. The warning message and Check Engine light will go off by topping off the engine oil.”

The TSB also promises that “as soon as Mazda identifies the root cause, a complete repair procedure will be announced” and that until then, Mazda will “top off or replace the engine oil at no charge…”

But the complaint alleges that the defect does pose a safety hazard—to the environment, to those in and around the vehicle, and to the vehicle itself, because it generates “prohibited, non-disclosed carbon emissions,” keeps the engine from maintaining the proper level of oil, causes it to consume an unpredictable amount of oil, and “can result in engine failure as well as damage to the vehicles’ emissions components including … catalytic converters.” Engine failure can occur while the vehicles are in motion, causing a risk of accidents or injury.

Dealerships conceal the problem when they sell the vehicles, the complaint alleges, and then “spin it” as required by the TSB when the owner or lessee comes back with low oil.

The complaint claims that Mazda has known about the defect for a long time but has been unwilling or unable to provide the necessary fix for it.

Salud Family Health Data Breach Class Action

Salud Family Health, Inc. offers healthcare services for “medically underserved” people and migrant workers. As a healthcare provider, Salud holds a substantial amount of personally identifiable information (PII) and protected health information (PHI) in its systems. But the complaint for this class action alleges that Salud did not take adequate measures to protect that information, leading to a data breach.

The Nationwide Class for this action is all persons in the US whose PII or PHI was compromised in the data breach disclosed by Salud on or around November 4, 2022. A Colorado Subclass has also been proposed, for those in the above class in Colorado.

In its notice announcing the data breach to the Maine Attorney General, Salud said the exposed data included names, Social Security numbers, driver’s license or state ID numbers, financial account information, credit card numbers, information on medical treatment and diagnoses, health insurance information, and biometric data, among other things. The data breach affected more than 427,000 people, the complaint alleges.

The complaint quotes Salud’s website as saying that the company found “suspicious activity in certain computer systems” on September 5, 2022, then began an investigation with third-party experts. The investigation found “that certain data may have been accessed or taken[,]” the website says, according to the complaint, and the company is “reviewing and enhancing [its] policies and procedures to further protect against similar incidents moving forward.”

The complaint alleges that Salud “failed to take appropriate or even the most basic steps to protect the PII/PHI” that it retained on file and prevent it from being exposed.

Once private information has been exposed, the complaint alleges, cybercriminals can sell it on the dark web, sometimes for years afterwards, or even use it to blackmail the persons involved.

Cyberattacks have become increasingly common, the complaint alleges, to the point where the Federal Bureau of Investigation (FBI) and US Secret Service have published warnings. The complaint quotes one report as saying, “Entities like smaller municipalities and hospitals are attractive to ransomware criminals … because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”

“In fact,” the complaint alleges, “according to the cybersecurity firm Mimecast, 90% of healthcare organizations experienced cyberattacks in the past year.”

The individual victims of this data breach, the complaint alleges, must now spend their time monitoring their medical statements, records, credit reports, and financial accounts, change passwords and login information more often, screen phone calls, emails, and other communications more carefully to make sure they do not involve, for example, a spear phishing attack, and pay for credit monitoring and identity theft services.

The complaint claims that the individual victims “will need to maintain these heightened measures for years, and possibly their entire lives, as a result of [Salud’s] conduct.”

SuperC Packaged with Dayquil Ineffective for Flu Class Action

The Procter & Gamble Company owns the Vicks brand, which offers a combination pack of two over-the-counter products: Dayquil and SuperC. But the complaint for this class action takes issue with the combination product, alleging that it leads consumers to think that the SuperC vitamin C product will help with the “Severe Cold & Flu” whose symptoms the Dayquil is intended to address.

Two classes have been defined for this action:

  • The Illinois Class is all persons in Illinois who bought the product during the applicable statute of limitations.
  • The Consumer Fraud Multi-State Class is all persons in Utah, South Dakota, Kansas, Mississippi, Arkansas, Alaska, and North Carolina who bought the product during the applicable statute of limitations.

Studies have shown, the complaint alleges, that consumers believe that vitamin C can help with the symptoms of colds or flu. But the complaint alleges that this is not true: “Though some studies have shown that regularly taking vitamin C supplements may decrease the duration of cold and flu symptoms, consuming this after symptoms appear—[which is when] consumers would seek the Product—has no effect.”

Page 1 of the complaint shows the combination packaging of the two products.

The Dayquil product contains three active ingredients, acetaminophen (for pain relief), dextromethorphan HBr (as a cough medicine), and doxylamine succinate (an antihistamine for sneezing and runny nose). Its front label shows the words, “Severe Cold & Flu,” “Headache, Fever, Sore Throat, Minor Aches & Pains,” “Chest Congestion, Thins & Loosens Mucus,” and “Cough.” According to the complaint, the Food and Drug Administration (FDA) has approved the three ingredients for the treatment of the listed conditions.

The SuperC product has quite a different set of representations. It claims to contain “1000mg vitamin C” as well as “B vitamins” and “Green Tea, Ginseng, Turmeric Extracts,” intended to “Energize + Replenish,” and also said to “Help[] replenish essential vitamins + provide a healthy energy boost.” However, on a different panel of the box, shown on page 3 of the complaint, is a warning: “This Product Is Not Intended to Treat Colds or Flu.”

The complaint alleges that the co-packaging of the vitamin C with the Dayquil misleads consumers to “expect it is intended to be used with the approved OTC combination for the common therapeutic purpose of alleviating cold and flu symptoms.”

According to the complaint, “[t]he FDA considered, but rejected approved OTC combination drugs from adding vitamin C and other vitamins and botanical ingredients touted for prevention and treatment of the common cold, because it concluded that consumers were misled to believe that both components were evaluated and approved for their effectiveness.”

The complaint alleges that combining the cold and flu remedy with the vitamin C product is therefore misleading.

Act Dry Mouth Lozenges Lower pH Than Teeth Class Action

Chattem, Inc. makes Act Soothing Mint dry mouth lozenges. Lozenges of this type are often useful to consumers suffering from dry mouth, or xerostomia, but the complaint for this class action alleges that these may be harmful, because they have a pH below the level of tooth enamel or root dentin and may therefore erode teeth.

Two classes have been defined for this action:

  • The Illinois Class is all persons in Illinois who bought the product during the applicable statute of limitations.
  • The Consumer Fraud Multi-State Class is all persons in Utah, North Dakota, Kansas, Mississippi, Arkansas, Alaska, Wyoming, and South Carolina who bought the product during the applicable statute of limitations.

Page 1 of the complaint shows an image of the product packaging, with the words “Dry Mouth Lozenges” prominently placed on the front label. Other representations on the package are “Soothes Dry Mouth” and “Moisturizes Mouth Tissue.”

Saliva benefits teeth by helping to prevent cavities and tooth erosion, the complaint alleges, and also by neutralizing acids in the mouth, clearing them when the person swallows, and providing calcium and phosphate ions.

Dry mouth, or xerostomia, which ends or lessens the production of saliva in the mouth, is a condition the complaint alleges afflicts 25% of the population. The complaint alleges, “Estimates are that 63% of the 200 most common medications have a xerogenic effect, resulting in reduced salivary flow rates.” According to the complaint, other common causes are autoimmune illnesses, head and neck irradiation, and systemic cancer therapy, and it may occur more frequently as people age and take more medications.

Products like the Act lozenges are intended to relieve dry mouth, the complaint alleges, “increasing comfort and preventing dental erosion and caries.” “However,” the complaint claims, “it is essential these products do not have pH values below the critical pH of enamel or root dentin, the pH below which tooth structure begins to erode.”

What is this pH? The complaint claims it is between 6 and 6.9. According to the complaint, articles in dental journals have addressed this concern and “concluded such products should be formulated to have an acidity level of about 6.7 pH or higher, to avoid contributing to demineralization, dental erosion, sensitivity, and caries.”

What is the pH of the Act product? The complaint claims, “Laboratory testing based on titratable acidity using a pH meter, pH indicator and gravimetric analysis concluded the Product’s pH of 5.72 was below the critical pH of tooth enamel and root dentin.”

The complaint therefore claims it is misleading to market the product to people with dry mouth because it could have a bad effect on their oral health.

Progressive Direct “Projected Sold Adjustments” Idaho Class Action

To determine the actual cash value (ACV) of vehicles that are totaled, Progressive Direct Insurance Company uses a third-party vendor, Mitchell International, Inc. But the complaint for this Idaho class action alleges that Progressive “systematically thumbs the scale” in its own favor by applying Projected Sold Adjustments to Mitchell’s valuations, in order to make smaller payouts to its insureds.

The class for this action is all persons who made a first-party claim on an insurance policy issued by Progressive Direct to a resident of Idaho who, from the earliest time allowable through the date the class certification order is entered in this case, received a payout for the total loss of a covered vehicle, where the payout was based on a valuation report prepared by Mitchell and the ACV was lowered based on Projected Sold Adjustments to the prices of comparable vehicles used to determine the ACV.

Mitchell prepares its valuation reports, the complaint alleges, by finding comparable vehicles in the totaled vehicle’s geographic area, then adjusts their prices based on things like mileage, options, and equipment. Then, Progressive has Mitchell apply a Projected Sold Adjustment that the complaint alleges pushes down the base values of the comparable vehicles used to calculate the ACV.

The only explanation given of this adjustment, the complaint claims, is a statement on the valuation report’s last page saying that it is applied to “reflect consumer purchasing behavior (negotiating a different price than the listed price).” But the complaint alleges that this Projected Sold Adjustment is arbitrary, not based on real data, and “contrary to the used car industry’s market pricing and inventory management practices[.]”

The plaintiff in this case, Seiyid ElAmin, was involved in an accident on October 19, 2021. He made a claim to Progressive, which had Mitchell prepare a valuation report.

Mitchell came up with three comparable vehicles, the complaint claims, to which it applied Projected Sold Adjustments of $673, $776, and $621, respectively.

The complaint alleges that Progressive Direct “provides no data specific to the comparable vehicles or any explanation of industry practices in its valuation reports to support any Projected Sold Adjustment, much less the specific downward adjustments” in the report for ElAmin’s vehicle.

Negotiation is no longer the norm in the market for used vehicles, the complaint alleges. “Instead,” the complaint claims, “car dealerships use sophisticated pricing software … and now appraise vehicles before acquiring them to price them to market and do not negotiate from that price.” If a vehicle was in fact advertised at a higher price to allow room for negotiation, the complaint alleges, customers would simply go to a different dealership that advertised lower prices.

Antech Diagnostics Fingerprints and Handprints Illinois BIPA Class Action

The complaint for this class action describes Antech Diagnostics, Inc. as “a veterinary diagnostic and lab testing facility” in Illinois. According to the complaint, Antech requires employees to scan their fingerprints or handprints for timekeeping purposes. However, the complaint brings suit against Antech and Vicar Operating, Inc. (which does business as VIPA), alleging the companies do not fulfill the requirements of the Illinois Biometric Information Privacy Act (BIPA) before collecting, storing, and using biometrics.

The class for this action is all persons who had their fingerprints or handprints collected, captured, received, otherwise obtained, or disclosed by Antech while they were in Illinois.

When workers scan their fingers or hands, their biometrics go to Antech’s database and, the complaint claims, “broadcast through Antech’s software and web-based data collection and storage system.” However, the complaint alleges that taking and storing biometrics present greater risks to the subjects than ordinary types of identification or personal information.

For example, the complaint alleges, if the number for an ID badge or a credit card is stolen, the person can cancel the badge or credit card and get another, with a different number. But if a handprint or fingerprint is stolen, the person cannot get another finger or hand that produces a different print. BIPA attempts to provide some basic guidelines for the collection, storage, and use of biometrics.

Biometrics include things like fingerprints, hand scans, facial geometry scans, voiceprints, and retina and iris scans.

Under BIPA, private businesses that wish to collect, store, or use biometrics must do certain things:

  • They must tell the subject in writing that their biometrics are being collected or stored.
  • They must tell the subject in writing of the specific purpose and length of time for which the biometrics are being collected, stored, or used.
  • They must receive a written release from the subject.
  • Before they disclose or disseminate the information to others, they must obtain consent from the subject.
  • They must maintain a publicly-available retention schedule and guidelines for permanently destroying the biometrics.

The complaint alleges that the companies have not done these things.

The complaint also alleges that Antech does not give subjects full information about the storage and use of their biometrics. “Upon information and belief,” it says, Antech also does not tell its employees “that it discloses their fingerprint data to at least one out-of-state third-party vendor” or “that it discloses their fingerprint data to other, currently unknown third parties, which host the biometric data in their data centers.”

Finally, the complaint alleges that Antech does not have a publicly-available retention schedule and does not follow BIPA’s requirement to destroy the biometrics “when the initial purpose for collecting or obtaining such data has been satisfied or within three years of the employee’s last interaction with each company.”

The sole cause of action in the complaint is violation of BIPA.

Dollar General Charges Higher Prices at Register New York Class Action

Dollar General Corporation (DGC) offers dollar stores that sell goods at lower prices to low- and middle-income consumers. However, the complaint for this class action alleges that DGC, along with related companies Dolgen New York, LLC (which does business as Dolgen) and Dolgencorp of Texas, Inc., misleads New York consumers by posting one price at shelves holding its goods and then charging them a higher price when they bring the goods up to the register.

The class for this action is all consumers who, at any time on or after January 23, 2020, paid more for merchandise than the advertised price shown on the shelf at a Dollar General store in New York.

Dollar General generally offers inexpensive items, normally for less than $10, aimed at consumers with modest incomes. The complaint alleges, “The company’s core customers earn around $40,000 a year or below, $20,000 below the median income. Dollar General looks to build stores in rural areas where a big box retailer or grocery stores is not within 15 or 20 miles. Around 75% of Dollar General stores are in towns with 20,000 or fewer people.” The company owns around 555 stores in New York.

One of the plaintiffs in this case, Joseph Wolf, noticed differences in prices in the summer of 2022 at his Dollar General store in White Lake, New York, the complaint alleges, with one price posted on the shelves where goods are displayed and a different price charged to him at the register. The complaint alleges Wolf also noticed that, when there was a difference in the two prices, the higher price was the price he was charged.

According to the complaint, twice in September 2022, he saw Clover Valley 2% lactose free milk advertised at the shelves at $4.15, yet both times when he went to pay for the milk, he was charged $4.25. A few months later, in December, the complaint claims, he saw Land o’ Lakes Low Fat Vanilla Yogurt advertised at the shelves at a price of three for $2.00, yet when he took three to the register, he was charged $2.25.

This class action is not the first time that the company has been accused of charging higher prices at the register. Two other lawsuits about stores in other locations were filed by consumers, one in Monmouth County, New Jersey on October 10, 2022 and another in Lorain County, Ohio on October 11, 2022. According to the complaint, Ohio’s Attorney General also filed an action making similar allegations on or around November 1, 2022.

Upper Peninsula Power Company Data Breach Class Action

Upper Peninsula Power Company (UPPC) is a private utility company based in Michigan which recently experienced a data breach. The complaint for this class action alleges the data breach could have been prevented if UPPC had taken the proper steps to protect the personally identifiable information (PII) it held in its systems. It blames UPPC for the exposure of customer information.

The class for this action is all individuals living in the US whose PII was accessed or acquired by an unauthorized party as a result of the data breach announced by UPPC on or around November 23, 2022.

Those who want to get energy from UPPC are required to provide it with certain private information. “By obtaining, collecting, using, and deriving a benefit from the PII…,” the complaint alleges, UPPC “assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.”

Nevertheless, unknown parties intruded into UPPC’s systems on or about June 23, 2022, the complaint alleges.

On or around November 23, 2022, UPPC sent out a Notice of Data Event letter to notify the individual victims, which the complaint quotes as saying, “After a thorough investigation, [UPPC] discovered that a limited amount of information may have been accessed by an unauthorized party in connection with this event. [UPPC] has taken steps to address the event and remains committed to protecting information in our care.”

The complaint faults UPPC for the lack of specifics: “Omitted from the Notice Letter were the date that [UPPC] discovered the Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, why it took over five months from the day of the Data Breach to inform impacted individuals that their information was involved, and the remedial measures undertaken to ensure such a breach does not occur again.”

The complaint alleges that the information stolen included names and Social Security numbers for around 39,000 individuals.

According to the complaint, data breaches can be prevented. The complaint sets forth several lists of recommended measures, put out by the US Government, the US Cybersecurity & Infrastructure Security Agency, and the Microsoft Threat Protection Intelligence Team. UPPC failed to take at least one of these measures, the complaint alleges, and also failed to comply with Federal Trade Commission information security guidelines and industry standards, leaving itself vulnerable to a data breach.

Because of the many high-profile data breaches that have occurred in recent years, the complaint claims, UPPC knew or should have known that its systems might be targeted. UPPC also knew or should have known, the complaint says, “of the foreseeable consequences that would occur if [UPPC’s] data security system was breached, including, specifically, the significant costs that would be imposed” on those whose information could be compromised in the event of such a breach.