OPINION *
Debt collectors violate the Fair Debt Collection Practices Act (FDCPA), 15 U.S.C. § 1692f(8), when they send consumers envelopes showing certain quick reference (QR) codes. DiNaples v. MRS BPO, LLC, 934 F.3d 275 (3d Cir. 2019). In this case, Healthcare Revenue Recovery Group (HRRG) sent Alejandro Morales a debt collection letter in an envelope showing a barcode. Morales sued, but the District Court dismissed his case, holding he lacked standing under the FDCPA. We will reverse and remand.
I
We begin with a brief description of the mailing at issue. A smartphone could scan the envelope’s barcode to reveal an “Internal Reference Number” (IRN)—UM###2—and the first ten characters of Morales’s street address. The letter listed Morales’s account numbers with HRRG and his creditor—but all of that was hidden.
Morales filed a class action, claiming the letter violated the FDCPA. After discovery, the District Court dismissed his complaint. It decided Morales lacked standing because he lacked a concrete injury in fact. App. 12–15. After we decided DiNaples, Morales filed a motion for reconsideration. The District Court denied it, reasoning that the DiNaples disclosure and this disclosure were different. App. 20–23.
Morales appealed.[1] He challenges the District Court’s order dismissing his complaint for lack of standing, its order denying his motion to reconsider or amend, and its order denying his discovery request for every putative class member’s account documents.
II [2]
The FDCPA bans “unfair or unconscionable” debt collection. 15 U.S.C. § 1692f. Specifically, the FDCPA protects consumers by ensuring letters arrive in plain envelopes: it prohibits “[u]sing any language or symbol, other than the debt collector’s address, on any envelope when” sending mail. § 1692f(8). So HRRG broke the law when it placed a barcode on the envelope. But not all transgressions create standing—procedural gaffes that cause no “concrete” injury fall short of Article III’s requirements. Spokeo, Inc. v. Robins, 578 U.S. 330, 136 S. Ct. 1540, 1549, 194 L.Ed.2d 635 (2016); see also Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992).
Intangible harms like privacy abuses can be concrete. Spokeo, 136 S. Ct. at 1549. When determining whether an intangible, statutory harm is concrete, courts look to common law analogies and Congress’s judgment. Id. If a statutory harm is concrete, no “additional harm beyond the one Congress has identified” is required. Id.; accord DiNaples, 934 F.3d at 279.
The District Court determined HRRG’s disclosure did not reveal protected information because multiple debtors could share one IRN. App. 12–13, 22–23 & n.2. So it held Morales did not have a concrete injury. App. 14–15, 21–24.
Morales challenges this ruling and relies on three of our cases. In Douglass v. Convergent Outsourcing, we held that an envelope listing the debtor’s account number with the collection company violated the FDCPA because the information “could be used to expose [the debtor’s] financial predicament.” 765 F.3d 299, 303–04 (3d Cir. 2014). In St. Pierre v. Retrieval-Masters Creditors Bureau, Inc., we reiterated that disclosing an account number on an envelope creates standing. 898 F.3d 351, 355, 357–58 (3d Cir. 2018). And in DiNaples, an envelope’s QR code contained the “internal reference number associated with DiNaples’s account” at the debt collection agency. 934 F.3d at 278. The injury was concrete—and “closely related to” common law privacy torts—because the QR code made protected information “accessible to the public.” Id. at 280 (quoting St. Pierre, 898 F.3d at 358). No more was needed. Id.
In this appeal, we must decide whether this IRN (UM###2) is protected like the DiNaples account number (LU4.###1813.3683994). See 934 F.3d at 278. To answer this question, we turn to the record. We begin by acknowledging, as HRRG argues, that others may “potentially” share Morales’s IRN. See Dist. Ct. Dkt. No. 135-4, at 8–9, 12. Even so, the IRN’s uses reveal its disclosure was a concrete injury.
HRRG’s representative first explained that the company software generated IRNs to link incoming debt collection requests with debtor information in a database. Id. at 11–12. The IRN was key to processing undeliverable mail. See id. at 17, 19. Workers scanned the returned envelopes’ barcodes, and when a barcode matched a database record, HRRG knew it could no longer reach the debtor at that address. See id. And the IRN could enable public access to the account. A phone call to HRRG with the IRN and a second piece of information, like a birthdate, allowed account access. Id. at 14. HRRG’s website also allowed anyone with the IRN and information visible on the envelope, together with an email address, to update some of the debtor’s contact information. Id. at 16.
In sum, just as the QR code in DiNaples might disclose the debtor’s financial predicament, so too could Morales’s barcode. In both cases, the numbers are only assigned to debtors. See id. at 10–11; DiNaples, 934 F.3d at 278–80. And the IRN enabled identification in at least three ways. In essence, the IRN is “a piece of information capable of identifying [Morales] as a debtor,” so its disclosure was a concrete harm. Douglass, 765 F.3d at 306.[3]
III
HRRG makes three arguments to the contrary: IRNs are not account numbers; Morales did not know how to use IRNs to unlock private data; and material risk of harm was absent. These arguments fall flat. Account numbers are but one type of protected information. And Morales did not need to know how to use IRNs to access accounts. Nor did he need to show an increased risk of harm. Just as disclosing the “meaningless string of numbers and letters” in Douglass was a concrete harm, 765 F.3d at 305–06, so too here.
HRRG also offers two district court cases in support. HRRG Br. 21; see also App. 22 (citing Est. of Caruso v. Fin. Recoveries, 2017 WL 2704088, at *6 (D.N.J. June 22, 2017) and Anenkova v. Van Ru Credit Corp., 201 F. Supp. 3d 631, 637 (E.D. Pa. 2016)). But the envelopes in those cases did not disclose protected information. See Caruso, 2017 WL 2704088, at *6; Anenkova, 201 F. Supp. 3d at 637.
Finally, HRRG urges us to distinguish In re Horizon Healthcare Services Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017). There, a data breach revealed information like addresses and birthdays. Id. at 630. HRRG claims the barcode’s data is different from the personal information in Horizon because the IRN is “meaningless on its face” and not “private information.” HRRG Br. 17. But the IRN is private information, so Horizon supports our conclusion. Disclosing “personal information” is a concrete injury. Horizon, 846 F.3d at 629; accord St. Pierre, 898 F.3d at 357.
* * *
The envelope’s barcode disclosed Morales’s protected information, which caused a concrete injury in fact under the FDCPA. So we will reverse the District Court’s order dismissing Morales’s action for lack of standing and its order denying Morales’s motion to reconsider. We will also affirm the District Court’s discovery order and remand the case for further proceedings.
FOOTNOTES
1. HRRG claims the appeal was untimely. But the timeliness clock runs from the order’s entry—not its signature date. FED. R. APP. P. 4(a)(1)(A). So the appeal is timely.
3. After lengthy discovery, Morales requested account information for the entire potential class. If he had access to all that information, he might disprove HRRG’s shared IRN theory. But standing does not require uniqueness, and the District Court decided the request was “unreasonably cumulative and untimely.” App. 9. We agree and find no abuse of discretion. See In re Orthopedic Bone Screw Prod. Liab. Litig., 264 F.3d 344, 365 (3d Cir. 2001).
HARDIMAN, Circuit Judge.