Hemphill v. Horne, LLP

CourtDistrict Court, S.D. Mississippi
DecidedMarch 10, 2025
Docket3:24-cv-00074
StatusUnknown

This text of Hemphill v. Horne, LLP (Hemphill v. Horne, LLP) is published on Counsel Stack Legal Research, covering District Court, S.D. Mississippi primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
Hemphill v. Horne, LLP, (S.D. Miss. 2025).

Opinion

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF MISSISSIPPI NORTHERN DIVISION

EBONY HEMPHILL, individually and on behalf PLAINTIFF of all others similarly situated

V. CIVIL ACTION NO. 3:24-CV-74-KHJ-ASH

HORNE, LLP DEFENDANT

TERRY CHIZEK, on behalf of himself individually PLAINTIFF and on behalf of all others similarly situated

V. CIVIL ACTION NO. 3:24-CV-178-KHJ-ASH

ORDER

Before the Court is Defendant Horne, LLP’s [17] Motion to Dismiss Plaintiffs Ebony Hemphill and Terry Chizek’s [28] Second Amended Consolidated Class Action Complaint (Second Amended Complaint). Joint Notice on Corrected Compl. [27] at 1.1 For the reasons stated below, the Court grants Horne’s [17] Motion to Dismiss and dismisses Hemphill and Chizek’s claims without prejudice for lack of standing.

1 Hemphill filed a class action against Horne in February 2024, and Chizek followed suit the next month. Compl. [1]; Complaint, , No. 3:24-CV-178 (S.D. Miss. filed Mar. 27, 2024). In April, the Court consolidated the two class actions, so Hemphill and Chizek filed a [16] Consolidated Class Action Complaint. Order [15]. They have since clerically amended their consolidated complaint twice, and Horne consented to the filing of the now-operative [28] Second Amended Complaint. [27] at 1 (noting that parties agree new complaint does not moot [17] Motion to Dismiss). I. Background This putative class action involves a data breach of Horne’s computer network in 2021, which permitted a hacker to access certain systems containing

Hemphill and Chizek’s personally identifiable information (PII). [28] ¶¶ 2–3; Horne Notice Letter [28-1] at 2. Horne is an accounting firm that serves many business clients, including University of Mississippi Medical Center (UMMC) and Memorial Hospital Gulfport (Memorial). [28] ¶¶ 24–25, 30–31, 33. Hemphill and Chizek received medical services from UMMC and Memorial, respectively. ¶¶ 24–25. As a result, Hemphill and Chizek supplied certain PII—including their Social Security numbers—to their medical providers who, in turn, gave it to Horne. ¶¶ 40,

118, 133.2 From December 8, 2021, to December 13, 2021, a hacker gained access to certain systems in Horne’s network and managed to extract an unknown amount of PII from the network. ¶¶ 42–43. In early 2024, Hemphill and Chizek received letters from Horne notifying them of the 2021 data breach. ¶¶ 119, 134. The letters informed Hemphill and Chizek that “certain information relating to [them] may have been within the

accessed systems, including [their] name[s] and health insurance information and patient account number[s].” [28-1] at 2; [28] ¶¶ 119, 134 (indicating that Hemphill and Chizek received identical letters). But the letters also noted that Horne “was unable to confirm what information within those systems was actually

2 Hemphill also formerly worked for Horne and provided Horne with PII during her employment. [28] ¶ 118. accessed” and had no “evidence to indicate that [Hemphill or Chizek’s] information was subject to actual or attempted misuse” because of the breach. [28-1] at 2. In the summer of 2023, someone tried to access Hemphill’s bank account, and

she had to personally visit the bank to resolve the matter. [28] ¶ 121. After receiving the [28-1] Notice Letter, Hemphill also froze her credit, changed her email passwords, started monitoring her accounts, and consulted with a law firm. ¶¶ 123–24. As for Chizek, at an unspecified time after the breach, an unknown party placed credit-card inquiries on his credit report, which damaged his credit score. ¶ 136. TransUnion also informed him at some point that his private information had been disseminated on the dark web,3 and he later experienced an

increase in spam calls, texts, and emails. ¶¶ 137–38. From these facts, Hemphill and Chizek allege that their “highly sensitive personal information . . . was compromised and unlawfully accessed and extracted during the [d]ata [b]reach.” ¶ 10. For her part, Hemphill states that she “already experienced identity theft” because someone tried to access her account. ¶ 121. And Chizek alleges solely “upon information and belief” that the data breach caused

each of the later negative events he experienced. ¶¶ 136–38. Ultimately, Hemphill and Chizek both allege they suffered the same six injuries from the breach: (1) exposure, theft, and misuse of their PII, ¶¶ 10, 49, 119, 134; (2)

3 “The dark web is an area of the internet accessible only by using an encryption tool. It provides anonymity and privacy online, and perhaps consequently, frequently attracts those with criminal intentions.” , 88 F.4th 1141, 1142 n.1 (5th Cir. 2023) (citing Gareth Owen & Nick Savage, Glob. Comm’n on Internet Governance, 1 (2015)). exposure to substantial and imminent risk of identity theft, ¶¶ 107, 130, 145; (3) lost time and increased anxiety from undertaking mitigation efforts, ¶¶ 128, 143; (4) lost privacy, ¶ 101; (5) lost benefit of a bargain with Horne, ¶ 100; and (6)

diminished value of their PII, ¶¶ 127, 142. Resp. Opp’n Mot. Dismiss [22] at 9–15. Horne now moves to dismiss the [28] Second Amended Complaint for lack of subject-matter jurisdiction and failure to state a claim. Mem. Supp. Mot. Dismiss [18] at 1–2. It first argues that Hemphill and Chizek lack standing to sue because they have not established the first two elements of standing: an injury in fact and a causal connection between an injury and Horne’s conduct. In the alternative,

Horne contends that Hemphill and Chizek have failed to establish Horne’s duty to protect them from the hacker’s criminal actions. at 2. II. Standard A. Rule 12(b)(1) Parties may challenge a district court’s subject-matter jurisdiction over a case by filing a motion under Federal Rule of Civil Procedure 12(b)(1). A federal court’s

subject-matter jurisdiction only extends to “Cases” and “Controversies.” , 603 U.S. 43, 56 (2024) (quoting U.S. Const. art. III, § 2, cl. 1). A “case or controversy exists only when at least one plaintiff establishes . . . standing to sue.” at 57 (cleaned up). Since Article III standing is a jurisdictional issue, courts consider challenges to a plaintiff’s standing under Rule 12(b)(1). , 783 F.3d 244, 250–51 (5th Cir. 2015). The plaintiff always bears the burden of establishing standing. , 95 F.4th 212, 216 (5th Cir. 2024) (per curiam). A Rule 12(b)(1) motion may either facially challenge the complaint’s

jurisdictional allegations or present evidence challenging the jurisdictional facts underlying the complaint. , 778 F.3d 502, 504 (5th Cir. 2015); , 804 F. App’x 260, 262–64 (5th Cir. 2020) (per curiam) (explaining facial and factual Rule 12(b)(1) motions). Thus, a court may find that it lacks subject-matter jurisdiction based on “(1) the complaint alone; (2) the complaint supplemented by undisputed facts evidenced in the record; or (3) the complaint supplemented by

undisputed facts plus the court’s resolution of disputed facts.” , 110 F.4th 782, 786 (5th Cir. 2024) (cleaned up). When considering a facial challenge, courts examine “the sufficiency of the [well-pleaded, factual] allegations in the complaint because they are presumed to be true.” , 837 F.3d 523, 533 (5th Cir. 2016) (cleaned up); , 960 F.3d 253, 256 (5th Cir. 2020). In

Free access — add to your briefcase to read the full text and ask questions with AI

Related

Johnson v. Sawyer
47 F.3d 716 (Fifth Circuit, 1995)
Herrmann Holdings Ltd. v. Lucent Technologies Inc.
302 F.3d 552 (Fifth Circuit, 2002)
Bell Atlantic Corp. v. Twombly
550 U.S. 544 (Supreme Court, 2007)
Ashcroft v. Iqbal
556 U.S. 662 (Supreme Court, 2009)
Fernando Jacquez v. R.K. Procunier
801 F.2d 789 (Fifth Circuit, 1986)
Reilly Ex Rel. Pluemacher v. Ceridian Corp.
664 F.3d 38 (Third Circuit, 2011)
Clapper v. Amnesty International USA
133 S. Ct. 1138 (Supreme Court, 2013)
Christopher Crane v. Jeh Johnson
783 F.3d 244 (Fifth Circuit, 2015)
William Lee v. Verizon Communications, Inc.
837 F.3d 523 (Fifth Circuit, 2016)
Bank of Louisiana v. F.D.I.C.
919 F.3d 916 (Fifth Circuit, 2019)
In re Zappos.com, Inc.
108 F. Supp. 3d 949 (D. Nevada, 2015)
L & F Homes & Development, L.L.C. v. City of Gulfport
538 F. App'x 395 (Fifth Circuit, 2013)
Tyler v. Hennepin County
598 U.S. 631 (Supreme Court, 2023)

Cite This Page — Counsel Stack

Bluebook (online)
Hemphill v. Horne, LLP, Counsel Stack Legal Research, https://law.counselstack.com/opinion/hemphill-v-horne-llp-mssd-2025.