In re HealthEquity,Inc. Data Security Incident Litigation

• Court: District Court, D. Utah
• Decided: March 27, 2025
• Docket: 2:24-cv-00528
• Status: Unknown

Opinion

THE UNITED STATES DISTRICT COURT DISTRICT OF UTAH

KRISTIN HAFOKA, individually and on MEMORANDUM DECISION AND behalf of all others similarly situated, et al. ORDER

Plaintiffs, Case No. 2:24-cv-00528-JNP-DBP v. District Judge Jill N. Parrish HEALTHEQUITY, INC., FURTHER OPERATIONS, LLC and WAGEWORKS, Chief Magistrate Judge Dustin B. Pead INC.,

Defendants.

Before the court is Plaintiffs’ Motion for Expedited Discovery.1 Plaintiffs seek leave to serve “HealthEquity with one interrogatory prior to the parties’ Rule 26(f) conference, to identify a potential additional defendant.”2 As set forth herein the court denies the Motion. This matter involves a putative data breach class action. Plaintiffs are consumers who had their personally identifiable information and or protected health information compromised in a large data breach. “The Data Breach occurred when an unauthorized and unknown hacker accessed Defendants’ SharePoint data repository through the unidentified vendor’s user account with access to the server.”3 Plaintiffs seek to discover the identity of the vendor, which to this point, Plaintiffs have been unable to do via publicly available sources. Plaintiffs want to serve a single interrogatory regarding the vendor’s identity prior to the parties’ Rule 26(f) conference, and request the court require HealthEquity to answer within 15 days of service.

1 ECF No. 47. 2 Motion at 1. 3 Id. at 2. Rule 26(d) provides “A party may not seek discovery from any source before the parties have conferred as required by Rule 26(f), except … when authorized by these rules, by stipulation, or by court order.”4 The traditional sequence of discovery may, however, be altered by the court in the exercise of its broad discretion. The party seeking expedited discovery in

advance of a Rule 26(f) conference bears the burden of showing good cause for departing from the usual discovery procedures.5 Good cause exists “where a party seeks a preliminary injunction ... or where the moving party has asserted claims of infringement and unfair competition.”6 Expedited discovery may also be proper where physical evidence may be consumed or destroyed with the passage of time.7 Plaintiffs argue there is good cause here to grant leave for the discovery because they “need to identify a potential additional defendant with culpability for the Data Breach and Plaintiffs’ and Class Members’ damages.”8 Plaintiffs argue courts routinely allow discovery into the identities of defendants and cite to a number of cases from this district.9 The Interrogatory Plaintiffs seek to serve states:

4 Fed. R. Civ. P. 26(d). 5 See Qwest Commc'ns Int'l, Inc. v. WorldQuest Networks, Inc., 213 F.R.D. 418, 419, 2003 WL 1224148 (D. Colo. 2003); Pod–Ners, LLC v. Northern Feed & Bean of Lucerne, Ltd. Liability Co., 204 F.R.D. 675, 676 (D.Colo.2002); Yokohama Tire Corp. v. Dealers Tire Supply, Inc., 202 F.R.D. 612, 614 (D.Ariz.2001). 6 Qwest, 213 F.R.D. at 419. 7 See Pod-Ners, LLC, 204 F.R.D. at 676. 8 Motion at 3. 9 Plaintiffs cite the following: “Living Scriptures v. Doe(s), No. 1:10CV0182 DB, 2010 WL 4687679, at *1 (D. Utah Nov. 10, 2010) (granting motion for expedited discovery regarding defendants’ identities); see also, e.g. ION Solar, LLC v. Bailey, No. 2:23-CV-00371, 2023 WL 5180143, at *1 (D. Utah Aug. 11, 2023) (good cause for expedited discovery when subpoenas “necessary to facilitate identification and service of the unknown defendants”); Ultradent Prod. Inc. v. Does 1-10, No. 2:23-CV-00135, 2023 WL 2275541, at *1 (D. Utah Feb. 27, 2023) (good cause when expedited discovery is “necessary to identify the defendants in this case”); Purple Innovation, LLC v. Bedmate-U Co., No. 2:22-CV-00620, 2022 WL 13818653, at *1 (D. Utah Oct. 21, 2022) (good cause for expedited discovery when “necessary to identify contract information for the defendants in order to serve them,” and witness declined to provide the information voluntarily); doTERRA Holdings v. AGilgo, No. 2:22-CV-00509, 2022 WL 3908695, at *1 (D. Utah Aug. 30, 2022) (good cause when expedited discovery “is necessary to identify and serve the unknown defendant”); Volkswagen Grp. of Am., v. Doe, No. 2:22-CV-00438, 2022 WL 2702646, at *1 (D. Utah July 12, With regard to the Adverse Security Event resulting in the Data Breach, identify the vendor with user accounts that had access to the online data storage location, as referenced in the Notice. Your response should include the vendor’s name, address, and contact person, and the circumstance, reason, or contractual basis for which that vendor had access. '° Defendants argue Plaintiffs fail to show good cause to veer from normal discovery procedures. Contrary to Plaintiffs’ cited authorities, this case does not involve allegations of infringement, risks of destruction of evidence, or unknown doe defendants. In essence, Plaintiffs are seeking to evaluate whether to add a new party and “expedited discovery is not a tool for Plaintiffs’ to craft an amended complaint against new defendants.”"! The court finds Plaintiffs have failed to meet their burden for the expedited discovery sought here. This is not a case like those relied on by Plaintiffs. Although the court does grant expedited discovery in certain cases, utilizing it to evaluate whether to add a known party is improper. There are not any of the traditional concerns here as evidenced in Plaintiffs’ cases that warrant such expedited discovery. Once the Rule 26(f) scheduling requirements are met, Plaintiffs can seek discovery regarding whether to add an additional party. Accordingly, Plaintiffs’ Motion is DENIED. DATED this 27 March 2025.

Dusiif-B Pyad United Stafes Mapistrate Judge

2022) (good cause when “expedited discovery is necessary to identify and serve the defendant”); Crazy ATV, Inc., 2014 WL 201717, at *2 (good cause when limited discovery needed to identify and serve unknown defendants); 1524948 Albert LTD., 2010 WL 3743907, at *1 (finding good cause for expedited discovery and noting courts “often allow discovery into the identities of defendants”). 10 Plaintiffs’ First Interrogatory to Defendant HealthEquity, Inc. at 5, ECF No. 47-1. Defendants’ Opposition to at 4, ECF No. 49.