Communications Litigation Today was a service of Warren Communications News.
Uptick in 'Spam Calls'

Class Action Tags Fraudulent Bank Charge to Emmanuel College Data Breach

February 26, 2024 by Rebecca Day|Top News

Since an April data breach at Emmanuel College in Boston, Sopiya Shrestha has experienced an uptick in spam calls concerning fraudulent communications, said her negligence class action Thursday (docket 1:24-cv-10434) against the school's trustees in U.S. District Court for Massachusetts in Boston.

Shrestha received a letter from Emmanuel Jan. 31 saying her personally identifiable (PII) and personal health information (PHI) had been accessed in an April 27 data breach. A notice on the Maine attorney general office’s website said the breach, which affected 89,064 individuals, was discovered Jan. 16. Information acquired included financial account and credit card numbers and associated security and access codes, passwords and personal identification numbers.

Since the data breach, Shrestha, a Boston resident, has experienced an uptake in spam calls concerning fraudulent applications/solicitations for insurance, communications about her credit score or Federal Housing Administration loans, and communications from her “bank,” the complaint said. Also, it said, an unauthorized charge of $750 appeared on her bank account statement.

Since receiving word of the data breach, Shrestha regularly monitors her credit and identity for fraudulent activity, the complaint said. She is “made uncomfortable because her personal information and all of her health information is out there,” it said.

Rather than offering credit monitoring services to Shrestha after discovering the breach, Emmanuel directed her “to be vigilant and to take certain steps to protect her PHI/PII and otherwise mitigate her damages,” the complaint said. The plaintiff heeded those warnings and spent time dealing with the breach's consequences, including verifying the legitimacy of the notice and self-monitoring her accounts and credit reports for fraudulent activity.

Shrestha suffered lost time, annoyance, interference and inconvenience because of the breach and anxiety over the impact of cybercriminals accessing, using and selling her PII and PHI, the complaint said. She suffered actual injury in the form of damages to and diminution of the value of her personal information, it said. Emmanuel data breach victims face “multiple years of ongoing identity theft and financial fraud,” it said.

The college “disregarded the rights” of Shrestha and class members by negligently failing to take adequate measures to ensure that its network servers were protected against unauthorized intrusions and failing to disclose it didn’t have adequate security protocols and training practices in place to safeguard their PII and PHI, the complaint said. Emmanuel also disregarded their rights by concealing the breach for “an unreasonable duration of time” and failed to provide “prompt and accurate notice” of the breach, it said.

In addition to negligence and negligence per se, Shrestha asserts breach of confidence, implied contract, implied covenant of good faith and fair dealing and fiduciary duty, plus unjust enrichment. She seeks actual, nominal and consequential damages; orders requiring the college to cease unlawful activities described, to encrypt all data collected through the course of business, and to implement a comprehensive information security program. She also seeks prejudgment interest and attorneys’ fees and costs.