A luxury eyewear conglomerate that operates a network of vision facilities allegedly invaded consumer privacy when it failed to protect sensitive data following a breach, according to a customer who filed a proposed class action in an Ohio federal court.
Luxottica of America Inc., which produces and licenses products under brands including Ray-Ban and Oakley, also operates a network of retail locations that provide optometry and vision services. Luxottica allegedly breached its obligations to customers and acted negligently when it failed to safeguard its computer systems and data, according to the lawsuit filed Nov. 10 in the U.S. District Court for the Southern District of Ohio.
Michael Doyle, a Connecticut resident, received a letter in late October informing him of the breach, according to the complaint. He had obtained an annual vision exam and bought new prescription glasses from a retail location operated by Luxottica, providing his Social Security number, insurance information, and medical history in the process, he alleged.
An “unauthorized individual” may have gained access to customer data on Aug. 5 through an online scheduling application used by eyecare providers, Luxottica said in a breach notification letter to Doyle cited in the complaint. The company learned of an issue with its scheduling application on Aug. 9 and “immediately began” an internal investigation, the letter said.
Information compromised in the breach includes health insurance information, medical information, and other sensitive data that puts consumers at risk of identity theft and fraud, Doyle alleged.
Luxottica notified federal law enforcement of the breach and implemented additional access restrictions on its patient scheduling platform, according to a website it created following the breach. Social Security numbers and credit card numbers were impacted in “a limited number of cases,” Luxottica said.
“At this time, Luxottica has no reason to believe that any patient information contained in the appointment application has been misused,” the company said on its website.
Causes of Action: Invasion of privacy, negligence and negligence per se, breach of express and implied contract, breach of fiduciary duty, willful and negligent violation of the Fair Credit Reporting Act, violation of the Connecticut Unfair Trade Practices Act.
Relief: Damages, certification of the class action, disgorgement of wrongfully attained revenues, payment of at least three years of credit monitoring services, enjoinment from engaging in wrongful conduct.
Potential Class Size: Unknown.
Response: Luxottica didn’t immediately respond to a request for comment.
Attorneys: Ronald S. Weiss represents Doyle.
The case is: Doyle v. Luxottica of America, S.D. Ohio, No. 1:20-cv-908, complaint 11/10/20.