NOT PRECEDENTIAL

UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT ____________

No. 20-1827 ____________

ALEJANDRO MORALES, On behalf of himself and those similarly situated, Appellant

v.

HEALTHCARE REVENUE RECOVERY GROUP, LLC; JOHN DOES 1 TO 10

____________

On Appeal from the United States District Court for the District of New Jersey (D.C. No. 2-15-cv-08401) District Judge: Honorable Esther Salas ____________

Argued on March 23, 2021

Before: HARDIMAN, GREENAWAY, JR., and BIBAS, Circuit Judges.

(Filed: July 6, 2021)

Yongmoon Kim [argued] Philip D. Stern KIM LAW FIRM LLC 411 Hackensack Avenue Suite 701 Hackensack, NJ 07601 Counsel for Appellant

Sean X. Kelly Christian M. Scheuerman [argued] Jonathan R. Stuckel Marks O’Neill O’Brien Doherty & Kelly 535 Rt. 38 East, Suite 501 Cherry Hill, NJ 08002 Counsel for Appellee

___________

OPINION* ____________

HARDIMAN, Circuit Judge.

Debt collectors violate the Fair Debt Collection Practices Act (FDCPA), 15 U.S.C.

§ 1692f(8), when they send consumers envelopes showing certain quick reference (QR)

codes. DiNaples v. MRS BPO, LLC,

(3d Cir. 2019). In this case, Healthcare

Revenue Recovery Group (HRRG) sent Alejandro Morales a debt collection letter in an

envelope showing a barcode. Morales sued, but the District Court dismissed his case,

holding he lacked standing under the FDCPA. We will reverse and remand.

I

We begin with a brief description of the mailing at issue. A smartphone could scan

the envelope’s barcode to reveal an “Internal Reference Number” (IRN)—UM###2—and

the first ten characters of Morales’s street address. The letter listed Morales’s account

numbers with HRRG and his creditor—but all of that was hidden.

Morales filed a class action, claiming the letter violated the FDCPA. After

discovery, the District Court dismissed his complaint. It decided Morales lacked standing

because he lacked a concrete injury in fact. App. 12–15. After we decided DiNaples,

* This disposition is not an opinion of the full Court and pursuant to I.O.P. 5.7 does not constitute binding precedent. 2 Morales filed a motion for reconsideration. The District Court denied it, reasoning that

the DiNaples disclosure and this disclosure were different. App. 20–23.

Morales appealed.1 He challenges the District Court’s order dismissing his

complaint for lack of standing, its order denying his motion to reconsider or amend, and

its order denying his discovery request for every putative class member’s account

documents.

II2

The FDCPA bans “unfair or unconscionable” debt collection. 15 U.S.C. § 1692f.

Specifically, the FDCPA protects consumers by ensuring letters arrive in plain envelopes:

it prohibits “[u]sing any language or symbol, other than the debt collector’s address, on

any envelope when” sending mail. § 1692f(8). So HRRG broke the law when it placed a

barcode on the envelope. But not all transgressions create standing—procedural gaffes

that cause no “concrete” injury fall short of Article III’s requirements. Spokeo, Inc. v.

Robins,

(2016); see also Lujan v. Defenders of Wildlife,

, 560–61 (1992).

Intangible harms like privacy abuses can be concrete. Spokeo,

.

When determining whether an intangible, statutory harm is concrete, courts look to

common law analogies and Congress’s judgment.

If a statutory harm is concrete, no

1 HRRG claims the appeal was untimely. But the timeliness clock runs from the order’s entry—not its signature date. FED. R. APP. P. 4(a)(1)(A). So the appeal is timely. 2 We have jurisdiction over the appeal to determine if Morales has standing. See DiNaples,

n.2. 3 “additional harm beyond the one Congress has identified” is required. Id.; accord

DiNaples,

.

The District Court determined HRRG’s disclosure did not reveal protected

information because multiple debtors could share one IRN. App. 12–13, 22–23 & n.2. So

it held Morales did not have a concrete injury. App. 14–15, 21–24.

Morales challenges this ruling and relies on three of our cases. In Douglass v.

Convergent Outsourcing, we held that an envelope listing the debtor’s account number

with the collection company violated the FDCPA because the information “could be used

to expose [the debtor’s] financial predicament.”

, 303–04 (3d Cir. 2014). In

St. Pierre v. Retrieval-Masters Creditors Bureau, Inc., we reiterated that disclosing an

account number on an envelope creates standing.

, 357–58 (3d Cir.

2018). And in DiNaples, an envelope’s QR code contained the “internal reference

number associated with DiNaples’s account” at the debt collection agency.

. The injury was concrete—and “closely related to” common law privacy torts—

because the QR code made protected information “accessible to the public.”

at 280

(quoting St. Pierre,

). No more was needed.

In this appeal, we must decide whether this IRN (UM###2) is protected like the

DiNaples account number (LU4.###1813.3683994). See

. To answer this

question, we turn to the record. We begin by acknowledging, as HRRG argues, that

others may “potentially” share Morales’s IRN. See Dist. Ct. Dkt. No. 135-4, at 8–9, 12.

Even so, the IRN’s uses reveal its disclosure was a concrete injury.

4 HRRG’s representative first explained that the company software generated IRNs

to link incoming debt collection requests with debtor information in a database.

at 11–

12. The IRN was key to processing undeliverable mail. See id. at 17, 19. Workers

scanned the returned envelopes’ barcodes, and when a barcode matched a database

record, HRRG knew it could no longer reach the debtor at that address. See id. And the

IRN could enable public access to the account. A phone call to HRRG with the IRN and a

second piece of information, like a birthdate, allowed account access. Id. at 14. HRRG’s

website also allowed anyone with the IRN and information visible on the envelope,

together with an email address, to update some of the debtor’s contact information. Id. at

16.

In sum, just as the QR code in DiNaples might disclose the debtor’s financial

predicament, so too could Morales’s barcode. In both cases, the numbers are only

assigned to debtors. See id. at 10–11; DiNaples, 934 F.3d at 278–80. And the IRN

enabled identification in at least three ways. In essence, the IRN is “a piece of

information capable of identifying [Morales] as a debtor,” so its disclosure was a concrete

harm. Douglass,

.3

3 After lengthy discovery, Morales requested account information for the entire potential class. If he had access to all that information, he might disprove HRRG’s shared IRN theory. But standing does not require uniqueness, and the District Court decided the request was “unreasonably cumulative and untimely.” App. 9. We agree and find no abuse of discretion. See In re Orthopedic Bone Screw Prod. Liab. Litig.,

, 365 (3d Cir. 2001). 5 III

HRRG makes three arguments to the contrary: IRNs are not account numbers;

Morales did not know how to use IRNs to unlock private data; and material risk of harm

was absent. These arguments fall flat. Account numbers are but one type of protected

information. And Morales did not need to know how to use IRNs to access accounts. Nor

did he need to show an increased risk of harm. Just as disclosing the “meaningless string

of numbers and letters” in Douglass was a concrete harm, 765 F.3d at 305–06, so too

here.

HRRG also offers two district court cases in support. HRRG Br. 21; see also App.

22 (citing Est. of Caruso v. Fin. Recoveries,

, at *6 (D.N.J. June 22,

2017) and Anenkova v. Van Ru Credit Corp.,

(E.D. Pa. 2016)).

But the envelopes in those cases did not disclose protected information. See Caruso,

, at *6; Anenkova,

.

Finally, HRRG urges us to distinguish In re Horizon Healthcare Services Data

Breach Litigation,

(3d Cir. 2017). There, a data breach revealed

information like addresses and birthdays.

. HRRG claims the barcode’s data is

different from the personal information in Horizon because the IRN is “meaningless on

its face” and not “private information.” HRRG Br. 17. But the IRN is private information,

so Horizon supports our conclusion. Disclosing “personal information” is a concrete

injury. Horizon,

; accord St. Pierre,

.

6 * * *

The envelope’s barcode disclosed Morales’s protected information, which caused

a concrete injury in fact under the FDCPA. So we will reverse the District Court’s order

dismissing Morales’s action for lack of standing and its order denying Morales’s motion

to reconsider. We will also affirm the District Court’s discovery order and remand the

case for further proceedings.

7