Sprouts Data Breach Leads to Another Class Action Lawsuit

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

A proposed nationwide lawsuit seeks Class certification for possibly thousands of Sprouts Farmers Market employees who might have been affected by a data breach last month through a scam e-mail.

Sprouts is a Phoenix, Ariz.-based supermarket chain with about 21,000 employees and 224 stores in 13 states. The payroll department at Sprouts Farmers Market Inc. allegedly fell prey to a “phishing scam,” in which it voluntarily released the 2015 W-2 Wage and Tax Forms of up to 21,000 or more of its 2015 employees.

As a result of the Sprouts data breach, unknown third parties allegedly now possess the personal information of these workers, including Social Security Numbers, full names, addresses and wage tax statements.

Lead plaintiff Julio Hernandez, a former employee of a Sprouts Farmers Market in San Diego, filed the class action lawsuit in California federal court, alleging that the company owed a legal duty to its employees to “maintain, protect, and safeguard their tax information” and breached that obligation by negligently releasing private tax information to a third party who is believed to using the data for illegal purposes.

According to the class action lawsuit, in early March 2016 the payroll department at Sprouts responded to an email request for its current and former employees’ 2015 IRS form W-2’s from an unknown person posing as a senior executive of the company.

Hernandez claims that Sprouts should have known that such a security breach was likely and should have taken adequate precautions to protect their current and former employees’ tax information and social security numbers. He also purports that not only did Sprouts fail to prevent this attack, but have not taken any action to remedy it.

Court documents state that Sprouts issued a letter to affected employees informing them of the data breach and offering a year’s worth of credit monitoring and insurance through Experian ProtectMyID Alert, but Hernandez and other potential Class Members claim that this monitoring service can only inform them of suspicious activity and cannot prevent actual identity theft or fraud.

Hernandez says he was forced to subscribe to a identity theft protection program through Wells Fargo bank for a monthly fee of $12.99.

“Going forward, Plaintiff anticipates spending considerable time in an effort to contain the impact of Defendant’s Data Breach on himself. Plaintiff suffers from an increased risk of future identity theft as a result of Defendant’s actions,” the lawsuit states.

Hernandez is bringing this lawsuit on behalf of himself and all current and former employees of Sprouts whose 2015 W-2s and related information were transmitted to a third party in or around the week of Mar. 14, 2016.

He also seeks to certify a California subclass, claiming specific violations of the California Customer Records Act and other privacy statutes by “unreasonably” delaying relaying to the proposed Class that a security breach occurred until two weeks had passed.

“But for Sprouts’ omissions, [Hernandez] would have taken additional steps to protect his identity and to protect himself from the sort of harm that could flow from Sprouts’ lax security measures,” the complaint says.

The proposed Class is seeking actual and statutory damages, restitution, and disgorgement. They are also asking the Court to award equitable, declaratory relief as well as an injunctive order that mandates Sprouts hire a third party security monitoring firm to conduct regular audits and training on identifying possible future data breaches.

The Sprouts W-2 data breach has also prompted a similar data phishing scam lawsuit filed in Colorado federal court.

Hernandez is represented by Scott B. Cooper and Samantha A. Smith of The Cooper Law Firm, Roger R. Carter of The Carter Law Firm, and Marc H. Phelps of the Phelps Law Group.

The Sprouts W-2 Data Breach Class Action Lawsuit is Julio Hernandez v. Sprouts Farmers Market Inc., Case No. 16-cv-0958 in the U.S. District Court for the Southern District of California.

UPDATE: On July 6, 2016, Sprouts and a plaintiff in a data breach class action lawsuit pending in California federal court asked a judge to put their case on hold while the U.S. Judicial Panel on Multidistrict Litigation considers a request to consolidate it with three similar class action lawsuits.