Alejandro Morales v. Healthcare Revenue Recovery Gr

NOT PRECEDENTIAL UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT ____________ No. 20-1827 ____________ ALEJANDRO MORALES, On behalf of himself and those similarly situated, Appellant v. HEALTHCARE REVENUE RECOVERY GROUP, LLC; JOHN DOES 1 TO 10 ____________ On Appeal from the United States District Court for the District of New Jersey (D.C. No. 2-15-cv-08401) District Judge: Honorable Esther Salas ____________ Argued on March 23, 2021 Before: HARDIMAN, GREENAWAY, JR., and BIBAS, Circuit Judges. (Filed: July 6, 2021) Yongmoon Kim [argued] Philip D. Stern KIM LAW FIRM LLC 411 Hackensack Avenue Suite 701 Hackensack, NJ 07601 Counsel for Appellant Sean X. Kelly Christian M. Scheuerman [argued] Jonathan R. Stuckel Marks O’Neill O’Brien Doherty & Kelly 535 Rt. 38 East, Suite 501 Cherry Hill, NJ 08002 Counsel for Appellee ___________ OPINION* ____________ HARDIMAN, Circuit Judge. Debt collectors violate the Fair Debt Collection Practices Act (FDCPA), 15 U.S.C. § 1692f(8), when they send consumers envelopes showing certain quick reference (QR) codes. DiNaples v. MRS BPO, LLC, 934 F.3d 275 (3d Cir. 2019). In this case, Healthcare Revenue Recovery Group (HRRG) sent Alejandro Morales a debt collection letter in an envelope showing a barcode. Morales sued, but the District Court dismissed his case, holding he lacked standing under the FDCPA. We will reverse and remand. I We begin with a brief description of the mailing at issue. A smartphone could scan the envelope’s barcode to reveal an “Internal Reference Number” (IRN)—UM###2—and the first ten characters of Morales’s street address. The letter listed Morales’s account numbers with HRRG and his creditor—but all of that was hidden. Morales filed a class action, claiming the letter violated the FDCPA. After discovery, the District Court dismissed his complaint. It decided Morales lacked standing because he lacked a concrete injury in fact. App. 12–15. After we decided DiNaples, * This disposition is not an opinion of the full Court and pursuant to I.O.P. 5.7 does not constitute binding precedent. 2 Morales filed a motion for reconsideration. The District Court denied it, reasoning that the DiNaples disclosure and this disclosure were different. App. 20–23. Morales appealed.1 He challenges the District Court’s order dismissing his complaint for lack of standing, its order denying his motion to reconsider or amend, and its order denying his discovery request for every putative class member’s account documents. II2 The FDCPA bans “unfair or unconscionable” debt collection. 15 U.S.C. § 1692f. Specifically, the FDCPA protects consumers by ensuring letters arrive in plain envelopes: it prohibits “[u]sing any language or symbol, other than the debt collector’s address, on any envelope when” sending mail. § 1692f(8). So HRRG broke the law when it placed a barcode on the envelope. But not all transgressions create standing—procedural gaffes that cause no “concrete” injury fall short of Article III’s requirements. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016); see also Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). Intangible harms like privacy abuses can be concrete. Spokeo, 136 S. Ct. at 1549. When determining whether an intangible, statutory harm is concrete, courts look to common law analogies and Congress’s judgment. Id. If a statutory harm is concrete, no 1 HRRG claims the appeal was untimely. But the timeliness clock runs from the order’s entry—not its signature date. FED. R. APP. P. 4(a)(1)(A). So the appeal is timely. 2 We have jurisdiction over the appeal to determine if Morales has standing. See DiNaples, 934 F.3d at 278 n.2. 3 “additional harm beyond the one Congress has identified” is required. Id.; accord DiNaples, 934 F.3d at 279. The District Court determined HRRG’s disclosure did not reveal protected information because multiple debtors could share one IRN. App. 12–13, 22–23 & n.2. So it held Morales did not have a concrete injury. App. 14–15, 21–24. Morales challenges this ruling and relies on three of our cases. In Douglass v. Convergent Outsourcing, we held that an envelope listing the debtor’s account number with the collection company violated the FDCPA because the information “could be used to expose [the debtor’s] financial predicament.” 765 F.3d 299, 303–04 (3d Cir. 2014). In St. Pierre v. Retrieval-Masters Creditors Bureau, Inc., we reiterated that disclosing an account number on an envelope creates standing. 898 F.3d 351, 355, 357–58 (3d Cir. 2018). And in DiNaples, an envelope’s QR code contained the “internal reference number associated with DiNaples’s account” at the debt collection agency. 934 F.3d at 278. The injury was concrete—and “closely related to” common law privacy torts— because the QR code made protected information “accessible to the public.” Id. at 280 (quoting St. Pierre, 898 F.3d at 358). No more was needed. Id. In this appeal, we must decide whether this IRN (UM###2) is protected like the DiNaples account number (LU4.###1813.3683994). See 934 F.3d at 278. To answer this question, we turn to the record. We begin by acknowledging, as HRRG argues, that others may “potentially” share Morales’s IRN. See Dist. Ct. Dkt. No. 135-4, at 8–9, 12. Even so, the IRN’s uses reveal its disclosure was a concrete injury. 4 HRRG’s representative first explained that the company software generated IRNs to link incoming debt collection requests with debtor information in a database. Id. at 11– 12. The IRN was key to processing undeliverable mail. See id. at 17, 19. Workers scanned the returned envelopes’ barcodes, and when a barcode matched a database record, HRRG knew it could no longer reach the debtor at that address. See id. And the IRN could enable public access to the account. A phone call to HRRG with the IRN and a second piece of information, like a birthdate, allowed account access. Id. at 14. HRRG’s website also allowed anyone with the IRN and information visible on the envelope, together with an email address, to update some of the debtor’s contact information. Id. at 16. In sum, just as the QR code in DiNaples might disclose the debtor’s financial predicament, so too could Morales’s barcode. In both cases, the numbers are only assigned to debtors. See id. at 10–11; DiNaples, 934 F.3d at 278–80. And the IRN enabled identification in at least three ways. In essence, the IRN is “a piece of information capable of identifying [Morales] as a debtor,” so its disclosure was a concrete harm. Douglass, 765 F.3d at 306.3 3 After lengthy discovery, Morales requested account information for the entire potential class. If he had access to all that information, he might disprove HRRG’s shared IRN theory. But standing does not require uniqueness, and the District Court decided the request was “unreasonably cumulative and untimely.” App. 9. We agree and find no abuse of discretion. See In re Orthopedic Bone Screw Prod. Liab. Litig., 264 F.3d 344, 365 (3d Cir. 2001). 5 III HRRG makes three arguments to the contrary: IRNs are not account numbers; Morales did not know how to use IRNs to unlock private data; and material risk of harm was absent. These arguments fall flat. Account numbers are but one type of protected information. And Morales did not need to know how to use IRNs to access accounts. Nor did he need to show an increased risk of harm. Just as disclosing the “meaningless string of numbers and letters” in Douglass was a concrete harm, 765 F.3d at 305–06, so too here. HRRG also offers two district court cases in support. HRRG Br. 21; see also App. 22 (citing Est. of Caruso v. Fin. Recoveries, 2017 WL 2704088, at *6 (D.N.J. June 22, 2017) and Anenkova v. Van Ru Credit Corp., 201 F. Supp. 3d 631, 637 (E.D. Pa. 2016)). But the envelopes in those cases did not disclose protected information. See Caruso, 2017 WL 2704088, at *6; Anenkova, 201 F. Supp. 3d at 637. Finally, HRRG urges us to distinguish In re Horizon Healthcare Services Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017). There, a data breach revealed information like addresses and birthdays. Id. at 630. HRRG claims the barcode’s data is different from the personal information in Horizon because the IRN is “meaningless on its face” and not “private information.” HRRG Br. 17. But the IRN is private information, so Horizon supports our conclusion. Disclosing “personal information” is a concrete injury. Horizon, 846 F.3d at 629; accord St. Pierre, 898 F.3d at 357. 6 * * * The envelope’s barcode disclosed Morales’s protected information, which caused a concrete injury in fact under the FDCPA. So we will reverse the District Court’s order dismissing Morales’s action for lack of standing and its order denying Morales’s motion to reconsider. We will also affirm the District Court’s discovery order and remand the case for further proceedings. 7