Smith, et al. v. Triad of Alabama LLC (JOINT ASSIGN), No. 1:2014cv00324 - Document 78 (M.D. Ala. 2017)

Court Description: MEMORANDUM OPINION AND ORDER: it is ORDERED as follows: 1) The Named Plfs' 68 motion for class certification (Doc. # 68) is GRANTED; 2) The court CERTIFIES under FRCP 23(b)(3) a class, as further set out in order; 3) The court CERTIFIES under FRCP 23(b)(3) two subclasses, as further set out in order; 4) Plfs Julie McGee, Adam Parker, Sandra Hall, and Jack Whittle are APPROVED as class representatives; 5) Plf Bradley Smith is REJECTED as class representative because he is not typical of th e class under FRCP 23(a)(3); 6) Pursuant to FRCP 23(g), the law firm of McCallum, Methvin & Terrell, P.C., is APPOINTED as class counsel; 7) Trial of this matter likely will be BIFURCATED, subject to Rule 23(c)(1)(C); The common elements of all four causes of action, as described above, will be tried collectively, and the elements of causation and damages will be tried individually or collectively, as appropriate; and 8) Pursuant to FRCP 23(c)(2)(B), the parties are ORDERED to submit to this cou rt, on or before 4/14/2017, a class notice plan and forms of notice; If the parties are unable to agree on forms of notice, the parties shall each submit on or before 4/7/2017 their proposed forms, accompanied by a memorandum explaining the party's position, and each party shall respond to the other's proposed notice plan and forms of notice no later than 4/14/2017. Signed by Chief Judge William Keith Watkins on 3/17/2017. (wcl, )

Download PDF
IN THE UNITED STATES DISTRICT COURT FOR THE MIDDLE DISTRICT OF ALABAMA SOUTHERN DIVISION BRADLEY S. SMITH, JULIE S. MCGEE, ADAM PARKER, SANDRA W. HALL, and JACK WHITTLE, Plaintiffs, v. TRIAD OF ALABAMA, LLC, d/b/a FLOWERS HOSPITAL, Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) CASE NO. 1:14-CV-324-WKW [WO] MEMORANDUM OPINION AND ORDER Before the court is the motion for class certification filed by Plaintiffs Bradley S. Smith, Julie S. McGee, Adam Parker, Sandra W. Hall, and Jack Whittle (collectively, the “Named Plaintiffs”). (Doc. # 68.) The Named Plaintiffs seek to certify a class of individuals whose personal identifying information and protected health information (their “personal information”) was compromised by a former employee of Defendant Triad of Alabama, LLC (“Flowers,” “Flowers Hospital,” or the “Hospital”). The Named Plaintiffs—except for Mr. Smith, as discussed in Part IV.C.3, infra—have carried their burden under Federal Rule of Civil Procedure 23; accordingly, their motion is due to be granted, subject to a few caveats. I. JURISDICTION AND VENUE Subject-matter jurisdiction is proper under 28 U.S.C. §§ 1331 and 1367, and the parties do not contest personal jurisdiction or venue. II. STANDARD OF REVIEW “The class action is ‘an exception to the usual rule that litigation is conducted by and on behalf of the individual named parties only.’” Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1432 (2013) (quoting Califano v. Yamasaki, 442 U.S. 682, 700–01 (1979)). To avail himself of this exception, a plaintiff seeking class certification bears the burden of proving that he has satisfied the four Rule 23(a) prerequisites— often shorthanded as numerosity, commonality, typicality, and adequacy—and that the class action will meet one of the three requirements of 23(b). Fed. R. Civ. P. 23(a), (b); see Brown v. Electrolux Home Prods., Inc., 817 F.3d 1225, 1233 (11th Cir. 2016) (“All else being equal, the presumption is against class certification because class actions are an exception to our constitutional tradition of individual litigation.”). The burden is one of proof, not pleading, Brown, 817 F.3d at 1233, and requires the district court to undertake a “rigorous analysis” to determine the propriety of certification, Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 161 (1982). Although this rigorous analysis frequently “entail[s] some overlap with the merits of the plaintiff’s underlying claim,” Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 351 (2011), “the district court can consider the merits ‘only’ to the extent ‘they are 2 relevant to determining whether the Rule 23 prerequisites for class certification are satisfied,’” Brown, 817 F.3d at 1234 (quoting Amgen Inc. v. Conn. Ret. Plans & Trust Funds, 133 S. Ct. 1184, 1195 (2013)). The Named Plaintiffs seek certification of a damages class under Rule 23(b)(3). As a result, along with the 23(a) prerequisites, they must also prove “that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed. R. Civ. P. 23(b)(3). All of this proof must be made by a preponderance of the evidence.1 Stein v. Monterey Fin. Servs., Inc., No. 2:13-CV-1336-AKK, 2017 WL 412874, at *4 (N.D. Ala. Jan. 31, 2017); In re Delta/AirTran Baggage Fee Antitrust 1 Neither the Supreme Court nor the Eleventh Circuit has set an explicit preponderance-ofthe-evidence standard. Most of the circuits to have passed on the question have laid a preponderance burden on the class movant. Brown v. Nucor Corp., 785 F.3d 895, 931 (4th Cir. 2015); Messner v. Northshore Univ. Health Sys., 669 F.3d 802, 811 (7th Cir. 2012); Alaska Elec. Pension Fund v. Flowserve Corp., 572 F.3d 221, 228 (5th Cir. 2009); In re Hydrogen Peroxide Antitrust Litig., 552 F.3d 305, 307 (3d Cir. 2008); Teamsters Local 445 v. Bombardier, Inc., 546 F.3d 196, 202 (2d Cir. 2008). The minority view, championed by the Sixth Circuit, instead reads the “rigorous analysis” language in Falcon as setting an evidentiary standard unique to Rule 23. Gooch v. Life Investors Ins. Co. of Am., 672 F.3d 402, 418 n.8 (6th Cir. 2012). The majority view has it right. Requiring a preponderance falls in line with the Supreme Court’s apparent weighing of the evidence in Wal-Mart, 564 U.S. at 353–59. See Anthony F. Fata, Doomsday Delayed: How the Court’s Party-Neutral Clarification of Class Certification Standards in Wal-Mart v. Dukes Actually Helps Plaintiffs, 62 DePaul L. Rev. 674, 681 (2013) (reading the Wal-Mart Court’s analysis to implicitly apply a preponderance standard). Moreover, the preponderance standard offers well-worn, concrete guideposts to the trial court; a nebulous rigorous-analysis standard could lead to unpredictable decisions that vary from district to district. Accordingly, by performing a “rigorous analysis,” Falcon, 457 U.S. at 161, the court determines whether the Named Plaintiffs have proved compliance with Rule 23 by a preponderance of the evidence. 3 Litig., --- F.R.D. ---, No. CV 1:09-MD-2089-TCB, 2016 WL 3770957, at *21 (N.D. Ga. July 12, 2016). III. BACKGROUND A. Facts and Procedural History Flowers Hospital operates a medical laboratory where it tests blood samples taken from hospital patients and so-called “non-hospital” patients from a couple dozen “clinics, nursing homes and physicians” in the surrounding area. In June 2013, the Hospital hired Kamarian Millender to work in the lab as a phlebotomist. Before long, Millender learned that non-hospital patient records—chock full of personal information ranging from birth dates to social security numbers—were kept in unlocked filing cabinets in a back hallway immediately accessible from the lab. (Docs. # 70-1 at 13–162; 70-3 at 7.) To Millender, these filing cabinets were a goldmine. Demonstrating all the restraint of a child left unattended in a candy shop, Millender made off with a bundle of folders. (Docs. # 70-2 at 10–11; 70-3 at 7.) Millender dug through the personal information in the patient records and, with the help of an accomplice, filed at least 124 fraudulent federal tax returns for tax years 2012 and 2013. This scheme eventually came to light, and on February 25, 2014, All references in this opinion to page numbers are to those pages assigned by CM/ECF as opposed to the page numbers generated by the parties. 2 4 the Henry County Sheriff’s Office apprehended Millender with fifty-four patient records in hand.3 Later that night, Flowers got word of Millender’s arrest and began investigating the heist. An internal audit uncovered five missing daily file folders. (Doc. # 70-2 at 10–11.) Although the contents vary from one file folder to another, each folder typically contains between 100 and 150 patient records; a loss of five daily folders therefore reflects a loss of anywhere from 500 to 750 patient records. Along with these hundreds of stolen records, Flowers received from the IRS and other federal agencies a list of additional identities that may have been stolen by Millender. Recognizing the scope of Millender’s crimes, Flowers took action. Between April 8, 2014, and August 29, 2014, the Hospital sent letters notifying 1,208 nonhospital patients that their personal information may have been compromised. The Hospital maintains that an overabundance of caution led it to draft an overlong mailing list—that the list reflected a healthy respect for HIPAA,4 not the actual extent of the data breach. The Named Plaintiffs urge that, because letters were sent 3 Millender’s accomplice, however, remains on the lam; his identity and whereabouts are as yet unknown. The Health Insurance Portability and Accountability Act. See generally 45 C.F.R. pt. 164 (regulations implementing HIPAA’s privacy protections). 4 5 to all patients whose records could not be located, the 1,208 names on the mailing list illustrate the maximal extent of Millender’s theft. On May 5, 2014, Plaintiffs Bradley Smith and Julie McGee filed a class-action complaint against Flowers, alleging violation of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq., negligence, and invasion of privacy. A month and a half later, the complaint was amended to name three additional Plaintiffs— Adam Parker, Sandra Hall, and Jack Whittle, rounding out the five Named Plaintiffs—and to add claims for negligence per se and breach of contract. A second amended complaint followed on September 30, 2014, and Flowers moved to dismiss two weeks later. After the parties fully briefed the motion (Docs. # 27, 29, 30), the court inquired sua sponte into the Named Plaintiffs’ standing and ordered further briefing on the issue (Doc. # 32). Once the parties weighed in (Docs. # 33, 34, 37, 38), the Magistrate Judge issued a Report and Recommendation finding standing, dismissing the invasion-of-privacy claim, and otherwise denying Flowers’s motion to dismiss (Doc. # 39). The Recommendation was adopted over Flowers’s objection, and the matter proceeded to discovery on the question of class certification. (Doc. # 41.) On August 29, 2016, the Named Plaintiffs moved to certify a class action under Federal Rule of Civil Procedure 23(b)(3).5 (Doc. # 68.) The Named Plaintiffs only seek certification of their state-law claims; their motion for class certification makes no mention of the FCRA claim. (See Doc. # 69 at 14–22.) The court has 5 6 That motion has been fully briefed by the parties, and is before the court today. (Docs. # 69, 70, 72, 73, 74, 75, 76, 77.) B. The Class Definition The Named Plaintiffs seek to certify the following class (the “putative class”): All persons whose personal identifying information (PII) or protected health information (PHI) was stolen from Flowers Hospital by Kamarian Millender and/or his accomplices. Excluded from the Class are the (i) owners, officers, directors, employees, agents and/or representatives of Defendant and its parent entities, subsidiaries, affiliates, successors, and/or or [sic] assigns, and (ii) the Court, Court personnel, and members of their immediate families. (Doc. # 69 at 4–5.) C. The Named Plaintiffs Because Rule 23 looks to the relation between the Named Plaintiffs and the putative class, each Plaintiff’s experience in the data breach warrants a brief summary. Of particular note is the Notice of Privacy Practices (“NPP,” or the “Notice”), a document that Flowers sent to all patients admitted to the hospital. (See Doc. # 70-14.) The Named Plaintiffs base their claim for breach of express contract on the Notice, asserting that the NPP “constitutes a binding contract setting forth Flowers Hospital’s obligation to maintain [patient] confidentiality.” (Doc. # 69 at given thought to declining jurisdiction under 28 U.S.C. § 1367(c)(2), but for now will retain supplemental jurisdiction. 7 18.) Accordingly, receipt of the Notice is relevant to whether each Plaintiff satisfies Rule 23.6 1. Bradley Smith Bradley Smith had blood drawn at West Main Medical, a physician’s office in Dothan, around September 2013. Although Flowers’s laboratory commonly tested blood samples taken by local clinics, there is no evidence in the record that the lab did blood work for West Main. Moreover, Patti Hatcher, the Hospital’s Compliance and Privacy Officer at the time of the data breach, testified by affidavit that Mr. Smith “had not been a reference lab patient, and therefore had no records in the filing cabinets from which Millender stole records.” (Doc. # 74-1 at 3.) Mr. Smith has also received care at Flowers Hospital, but has not been a patient there since the 1990s. In the spring of 2014, Mr. Smith learned from the IRS that a fraudulent tax return had been filed in his name. Mr. Smith claims that he incurred accounting expenses and suffered emotional distress as a result of the identity theft. He did not receive the NPP. For clarity’s sake, it should be emphasized that the NPP is different from the data breach notification letters sent by Flowers. The former is the basis of Plaintiffs’ express-contract claim; the latter is the HIPAA-mandated notification sent by Flowers to non-hospital patients whose records may have been compromised by Millender. 6 8 2. Julie S. McGee Julie McGee had blood drawn in 2012 by Flowers and on January 7, 2014, by Dr. James Butler, a Flowers affiliate; she was also admitted to Flowers as a hospital patient on November 29, 2007. The Hospital has controverted this testimony: In her affidavit, Ms. Hatcher claims that Ms. McGee “had not been a reference lab patient, and therefore had no records in the filing cabinets from which Millender stole records.” (Doc. # 74-1 at 3.) In April 2014, the McGees’ tax preparer informed Ms. McGee’s husband that the IRS rejected the couple’s 2013 tax return after determining that Ms. McGee’s Social Security number had been used to file an earlier tax return. Ms. McGee, an hourly employee, had to take a day off work to get her financial ducks in a row after the identity theft. Her debit card was compromised eight months later, but Ms. McGee does not claim any out-of-pocket expenses resulting from the fraudulent charges. Ms. McGee previously had fraudulent purchases charged to her debit card around 2010, but otherwise has not been a victim of identity theft. Ms. McGee received a copy of the NPP, but did not receive a notification letter from Flowers after the data breach. 9 3. Adam Parker In 2013, Mr. Parker had blood drawn at Allsouth Urgent Care in Dothan. His blood sample was tested at Flowers. Other than the blood testing in 2013, Mr. Parker had not been a patient at Flowers since roughly 2010. Mr. Parker learned in February 2014 that a fraudulent tax return for tax year 2013 had been filed in his name. Alarmed by the theft of his identity, Mr. Parker met with the IRS and the Dothan Police Department and ultimately purchased credit monitoring from Equifax in April or May of 2014. Mr. Parker’s tax return was delayed, without interest, until the summer of 2014. (Docs. # 73-9 at 22, 24; 77-2.) Other than the fraudulent tax return, Mr. Parker has never been a victim of identity theft. Mr. Parker did not receive the NPP, but did receive the data breach notification letter. 4. Sandra Hall 7 Ms. Hall was treated at Flowers Hospital in March 2013 and had lab work done there sometime between 2013 and 2015. In April 2014, Mr. Hall learned that a fraudulent tax return had been filed using Ms. Hall’s Social Security number. Ms. 7 Sandra Hall passed away after this suit was filed. Her husband, Michael Hall, presumably will be substituted for Ms. Hall as a plaintiff, but no suggestion of death or motion to substitute has yet been filed. Despite Ms. Hall’s death, Mr. Hall will be able to maintain her causes of action upon his substitution. Ala. Code § 6-5-462; see also King v. Nat’l Spa & Pool Inst., Inc., 607 So. 2d 1241, 1246 (Ala. 1992) (“[W]e hold that the survival statute, Ala. Code § 6-5-462, means exactly what its plain language states, that ‘all personal claims upon which an action has been filed . . . survive in favor of and against personal representatives.’”) (emphasis and alteration in original). 10 Hall received the NPP and a data breach notification letter from Flowers. The parties dispute the amount of damages suffered by Ms. Hall as a result of her delayed tax return (compare Doc. # 69 at 13 with Doc. # 72 at 13)—a merits question that need not be decided before certifying the class. See Brown, 817 F.3d at 1234 (forbidding inquiry into a merits issue unless the issue is “relevant to determining whether the Rule 23 prerequisites for class certification are satisfied”) (citation omitted). 5. Jack Whittle While suffering a bout of pneumonia, Mr. Whittle was admitted to Flowers Hospital in July 2013. He had blood drawn “several times” on follow-up visits with Dr. Harris, his Flowers-affiliated primary care physician, but is not sure when these visits took place. (Doc. # 73-6 at 6–8.) Although Mr. Whittle knows that his blood was not tested at Dr. Harris’s office, he does not know where or when that blood was tested. When he tried to file his 2013 taxes, Mr. Whittle learned from his accountant that a tax return had already been filed in his name. Later trips to the IRS office in Dothan revealed that these fraudulent returns had been filed using Mr. Whittle’s Social Security number. Flowers sent Mr. Whittle a notification letter, warning him that his personal information was likely compromised by Millender, but now claims that Mr. Whittle’s lab records were left undisturbed. Mr. Whittle had never before been a victim of identity theft, and received the NPP from Flowers. 11 IV. DISCUSSION Class certification hinges on the relation between the Named Plaintiffs, the putative class, and the evidence that each Plaintiff (whether named or a putative class member) must adduce to prevail on the claims to be certified. See Fed. R. Civ. P. 23. Having already examined the Named Plaintiffs and the putative class, the court turns to the claims to be certified before moving on to the legal standards governing class certification. A. The Claims 1. Breach of Implied Contract Alabama law imposes on physicians an “implied contract of confidentiality” that may be breached by “the unauthorized release of medical records.” Crippen v. Charter Southland Hosp., Inc., 534 So. 2d 286, 288 (Ala. 1988) (citing Horne v. Patton, 287 So. 2d 824, 831–32 (Ala. 1973)). To prevail on this claim, the Named Plaintiffs must prove an unauthorized disclosure by Flowers of confidential “information acquired during the physician-patient relationship.” Mull v. String, 448 So. 2d 952, 953 (Ala. 1984). And, because the limited case law does not clearly extend this implied contract to healthcare providers rather than just physicians, the Named Plaintiffs likely would also have to prove that Flowers stood in a physician- 12 patient relationship with the non-hospital patients.8 See Hollander v. Nichols, 19 So. 3d 184, 190–92 (Ala. 2009); Crippen, 534 So. 2d at 288; Mull, 448 So. 2d at 953; Horne, 287 So. 2d at 831–32. To that effect, the Named Plaintiffs intend to offer evidence that (1) a physician-patient role existed between Flowers and the nonhospital patients, and (2) the putative class’s personal information was compromised in the data breach. Alabama law generally will not imply a contract if an express contract already deals with the same subject matter. Vardaman v. Florence City Bd. of Educ., 544 So. 2d 962, 965 (Ala. 1989). Accordingly, if the NPP constitutes a valid contract, the implied-contract claim is available only to those putative class members who did not receive the NPP. As detailed below, this divergence between the implied and express contract claims requires certification of two subclasses of Plaintiffs. See Fed. R. Civ. P. 23(c)(5). 2. Breach of Express Contract The Named Plaintiffs claim that a contract of confidentiality arose from the NPP and was breached by Millender’s theft of the patient records. To recover for this alleged breach, the Named Plaintiffs must prove the following four elements: “(1) a valid contract binding the parties; (2) the plaintiff’s performance under the 8 As discussed in Part III.A., supra, non-hospital patients are those individuals, receiving treatment from a third party, who had blood (or other samples) sent by that third party to be tested by Flowers in the Hospital’s reference lab. 13 contract; (3) the defendant’s nonperformance; and (4) resulting damages.” Shaffer v. Regions Fin. Corp., 29 So. 3d 872, 880 (Ala. 2009). The Named Plaintiffs intend to prove this claim by offering a copy of the NPP and evidence of the data breach. 3. Negligence A prima facie case of negligence under Alabama law requires proof of four elements: “(1) a duty to a foreseeable plaintiff; (2) a breach of that duty; (3) proximate causation and (4) damage or injury.” Albert v. Hsu, 602 So. 2d 895, 897 (Ala. 1992). The Named Plaintiffs argue that duty, breach, and causation are all susceptible to common proof—specifically, that “Flowers Hospital breached the applicable standard of care by failing to safeguard their PII or PHI,” proximately causing the putative class’s personal information to be compromised. (Doc. # 69 at 21.) Proof of damages, on the other hand, will require some individualized inquiry. 4. Negligence Per Se A plaintiff may recover for negligence per se under Alabama law if he proves (1) that the statute the defendant is charged with violating was enacted to protect a class of persons to which the plaintiff belonged; (2) that the plaintiff’s injury was the kind of injury contemplated by the statute; (3) that the defendant violated the statute; and (4) that the defendant’s violation of the statute proximately caused the plaintiff’s injury. Cook’s Pest Control, Inc. v. Rebar, 28 So. 3d 716, 726 (Ala. 2009). The Named Plaintiffs argue that they can establish Flowers’s negligence per se by class-wide 14 proof of HIPAA’s requirements and Flowers’s failure to safeguard the putative class’s personal information. B. Adequacy of Definition and Ascertainability of Class Members Beyond compliance with Rule 23, the Eleventh Circuit requires class movants under section (b)(3) to demonstrate “that the proposed class [is] ‘adequately defined and clearly ascertainable.’” Little v. T-Mobile USA, Inc., 691 F.3d 1302, 1304 (11th Cir. 2012) (quoting DeBremaecker v. Short, 433 F.2d 733, 734 (5th Cir. 1970)). Flowers argues unpersuasively that the putative class fails these threshold tests. Flowers maintains that the putative class is inadequately defined because the class is broad enough to “include[ ] class members [who] do not have Article III standing.” (Doc. # 72 at 19.) Class members, Flowers continues, lack standing if their identities were “merely stolen” rather than affirmatively “misused.” (Doc. # 72 at 19.) The court has already rejected this argument. (Docs. # 39 at 14–21 (report and recommendation); 41 at 2–4 (adopting report and recommendation).) And while the Hospital was invited to “reassert its standing challenge on the evidence” (Doc. # 41 at 4), the lack of merits discovery to date makes inappropriate a final decision on standing at this time. Cf. Carriuolo v. Gen. Motors Co., 823 F.3d 977, 988 (11th Cir. 2016) (“[T]he certification of a class is always provisional in nature until the final resolution of the case.”); Fed. R. Civ. P. 23(c)(1)(C) (authorizing the “alter[ation] or amend[ment]” of a class-certification order at any time “before final 15 judgment”). Accordingly, the court finds that the putative class is adequately defined. A class is clearly ascertainable if there is some “administratively feasible method by which class members can be identified.” Karhu v. Vital Pharm., Inc., 621 F. App’x 945, 947 (11th Cir. 2015). This identification process should turn on objective criteria, be “manageable,” and be devoid of “much, if any, individual inquiry.” Bussey v. Macon Cty. Greyhound Park, Inc., 562 F. App’x 782, 787 (11th Cir. 2014) (citation omitted). Flowers marshals two principal arguments against ascertainability but, again, neither convinces. First, the Hospital claims that the putative class cannot be ascertained until Plaintiffs prove that each patient record was actually stolen rather than misplaced by the Hospital. (Doc. # 72 at 23–24.) Such a stance paints the Hospital as an institution whose sloppiness is matched only by its bad luck. It asks the court to assume that the missing records were misplaced by happenstance, and that by happenstance their loss was uncovered only on investigation of Millender’s theft. Second, working from the assumption that the class will be limited to those “whose identities were actually misused,” the Hospital argues that looking into the actual misuse of putative class members’ personal information would require an individualized examination of each class member. (Doc. # 72 at 24); see Bussey, 562 F. App’x at 787 (tying ascertainability to a relative lack of individual inquiry). 16 But Flowers’s actual-misuse requirement remains unpersuasive. The Eleventh Circuit has not required such a showing to prove standing, and the court will not impose that requirement today. As a result, the Hospital’s concerns about individualized inquiries are misplaced and irrelevant. The putative class is both adequately defined and clearly ascertainable, so the focus turns to Rule 23. C. Rule 23(a) Prerequisites The Named Plaintiffs shoulder the burden of proving that the putative class satisfies Rule 23(a)’s four prerequisites. Brown, 817 F.3d at 1233. They have met this burden of proof, as discussed further below. 1. Numerosity Rule 23(a)(1) requires class movants to prove that their proposed class “is so numerous that joinder of all members is impracticable.” Fed. R. Civ. P. 23(a)(1). This numerosity requirement does not lend itself to a bright-line rule. Cox v. Am. Cast Iron Pipe Co., 784 F.2d 1546, 1553 (11th Cir. 1986). But the Eleventh Circuit has given its blessing to a rule of thumb: A class of more than forty generally passes muster, and a class of less than twenty-one generally does not. Id. However, because Rule 23(a)(1) looks to the impracticability of joinder, these numbers vary from case to case. Compare Kilgo v. Bowman Transp., Inc., 789 F.2d 859, 878 (11th Cir. 1986) (affirming 31-member class) with Crawford v. W. Elec. Co., 614 F.2d 1300, 1305 17 (5th Cir. 1980)9 (“We certainly cannot say that a class of 34 satisfies the numerosity requirements as a matter of law.”). The Named Plaintiffs claim that, in light of the 1,208 missing lab records and Millender’s 124 fraudulent tax returns, numerosity “cannot be credibly disputed.” (Doc. # 69 at 25.) But Flowers, in a return to its chorus of “actual misuse,” does just that. The Hospital claims that “only twenty-five individuals could have been victimized by Millender.” (Doc. # 72 at 27.) This number is doubly flawed. First, it excludes the ninety-nine tax returns filed in 2012, instead counting only the twenty-five returns filed in 2013. Flowers argues that, because Millender began work in June 2012—after the April 15 tax deadline—he could not have used the Hospital’s records to file any 2012 returns. This assumes that Millender, while trampling over patient-privacy and tax-fraud laws, was stopped in his tracks by the filing deadline. Though creative, the complete lack of supporting evidence dooms this speculative argument. Second, the Hospital presumes that the only Flowers patients with a cause of action are those who can prove that Millender stole their personal information. But the Hospital’s lax security and the resulting data breach could give rise to a cause of action even without proof of Millender’s role. After all, Millender acted with an accomplice who is still on the loose and could be using class 9 Precedent from the former Fifth Circuit binds the court if the decision was handed down before the close of business on September 30, 1981. Bonner v. City of Prichard, 661 F.2d 1206, 1207 (11th Cir. 1981). 18 members’ personal information to file more tax returns; victims of the accomplice’s tax fraud have the same cause of action as do Millender’s victims. Flowers’s argument therefore does not persuade. To be clear, the Named Plaintiffs have not shown exactly how many putative class members were affected by the data breach. But they have proved that the class will most likely number in the hundreds, making it big enough that joinder would be impracticable. And even assuming, arguendo, that the class is limited to the seventythree victims identified in Millender’s plea agreement, the Named Plaintiffs have easily satisfied the numerosity requirement. 2. Commonality The 23(a)(2) commonality prong “requires the plaintiff to demonstrate that the class members ‘have suffered the same injury.’” Wal-Mart, 564 U.S. at 349–50 (quoting Falcon, 457 U.S. at 157). This requirement is not satisfied by alleging that the putative class members “all suffered a violation of the same provision of law.” Id. at 350. Rather, “[t]heir claims must depend upon a common contention,” and the common contention “must be of such a nature that it is capable of classwide resolution—which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke.” Id. Although commonality overlaps with predominance, Rule 23(a)(2) sets a much lower standard than Rule 23(b)(3). Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 19 623–24 (1997) (recognizing that “the predominance criterion is far more demanding” than commonality); Jackson v. Motel 6 Multipurpose, Inc., 130 F.3d 999, 1005 (11th Cir. 1997) (“The predominance inquiry . . . is far more demanding than Rule 23(a)’s commonality requirement.”) (citation and internal quotation marks omitted). Although Flowers does not contest commonality, its concession does not relieve the court of its duty to verify the Named Plaintiffs’ compliance with Rule 23. Falcon, 457 U.S. at 160 (“[A]ctual, not presumed, conformance with Rule 23(a) remains . . . indispensable.”). Accordingly, the commonality spotlight moves to the Named Plaintiffs’ four causes of action. Plaintiffs’ claim for breach of express contract hinges on an alleged form contract entered into by certain members of the putative class. The effect and terms of the purported contract are common points sufficient to carry the first claim past Rule 23(a)(2). See Kleiner v. First Nat’l Bank of Atlanta, 97 F.R.D. 683, 692 (N.D. Ga. 1983) (“[C]laims arising from interpretations of a form contract appear to present the classic case for treatment as a class action.”). The implied-contract claim similarly passes muster, as the alleged formation and breach of the contract arise from common facts—namely, Millender’s records heist and the relationship between Flowers and the putative class members. As for the negligence and negligence per se claims, Flowers’s duty to the putative class members stems from a common fact 20 (the performance of blood tests in the laboratory); Millender’s heist, which allegedly breached that duty, provides a further common point. In light of the low bar set by Rule 23(a)(2), this is enough for the Named Plaintiffs to prove commonality. 3. Typicality In Rule 23(a)(3), the Named Plaintiffs hit their first speed bump. “Typicality measures whether a sufficient nexus exists between the claims of the named representatives and those of the class at large.” Vega v. T-Mobile USA, Inc., 564 F.3d 1256, 1275 (11th Cir. 2009) (quoting Busby v. JRHBW Realty, Inc., 513 F.3d 1314, 1322 (11th Cir. 2008)) (alteration omitted). Although typicality and commonality are closely related, typicality focuses less on the class in its entirety and more on the relationship between the class and the representative plaintiffs. “[T]raditionally, commonality refers to the group characteristics of the class as a whole, while typicality refers to the individual characteristics of the named plaintiff in relation to the class.” Id. (citing Piazza v. Ebsco Indus., Inc., 273 F.3d 1341, 1346 (11th Cir. 2001)) (alteration and internal quotation marks omitted). “A class representative must possess the same interest and suffer the same injury as the class members in order to be typical under Rule 23(a)(3).” Murray v. Auslander, 244 F.3d 807, 811 (11th Cir. 2001) (citing Prado-Steiman v. Bush, 221 F.3d 1266, 1279 (11th Cir. 2000)). A putative class will clear the typicality hurdle “if the claims or defenses of the class and the class representative arise from the same event or pattern or 21 practice and are based on the same legal theory.” Kornberg v. Carnival Cruise Lines, Inc., 741 F.2d 1332, 1337 (11th Cir. 1984). Flowers raises three objections to typicality, but only the third objection withstands scrutiny. First, the Hospital reasserts its argument on standing, see Part IV.B, supra, which remains unconvincing. Second, it claims that “divergent” claims for damages preclude typicality. (Doc. # 72 at 25.) But damages that vary from one class member to the next do not necessarily make for an atypical class. See Kornberg, 741 F.2d at 1337 (holding that disparate damages claims did not make a class atypical where “[t]he cause of action ar[o]se[ ] from a single event and there [wa]s no variation in legal theory”). Rather, so long as the Named Plaintiffs and putative class members “have an interest in prevailing on similar legal claims,” a “difference[ ] in the amount of damages claimed” will not defeat typicality. Wright v. Circuit City Stores, Inc., 201 F.R.D. 526, 543 (N.D. Ala. 2001). Such is the case here: From the Named Plaintiffs to the putative class members, every Plaintiff in this case seeks redress for the theft of their personal information in the data breach. Although the class members’ damages are not identical, the facts and legal theories shared by their claims suffice to show typicality. With its third objection, Flowers hits paydirt. The Hospital attacks the typicality of Mr. Smith and Ms. McGee, claiming that their personal information was not compromised in the data breach. (Doc. # 72 at 29–30.) As proof, the 22 Hospital offers testimony that neither Mr. Smith nor Ms. McGee had been patients at the Flowers laboratory and that, therefore, the two Plaintiffs “had no records in the filing cabinets from which Millender stole records.” (Doc. # 74-1 at 3.) If so, then both Plaintiffs would lack a cause of action against Flowers and be atypical of the putative class. Because certification depends on the answer to this factual question, the court considers whether Mr. Smith and Ms. McGee have carried their burden of proving typicality. Brown, 817 F.3d at 1237 (“A district court must decide all questions of fact and law that bear on the propriety of class certification.”) (citing Comcast, 133 S. Ct. at 1432) (internal quotation marks omitted). Mr. Smith has failed to prove that he had been a patient of the Flowers reference lab. His supporting evidence shows that he was a patient at West Main Medical, but nothing in the record establishes any connection between West Main and Flowers. (See Doc. # 73-7 at 20–21.) This scant evidentiary showing falls short of the preponderance standard, especially in the face of Ms. Hatcher’s testimony that Mr. Smith was never a patient at the reference lab. (Doc. # 74-1 at 3.) Ms. McGee, however, presents a more compelling case. Ms. McGee has adduced evidence that she had blood drawn by a Flowers-affiliated doctor on January 7, 2014, and at Flowers itself in 2012. (Docs. # 70-9 at 4–5; 73-12 at 10.) Ms. McGee was also a patient at Flowers Hospital in 2007. In response, the Hospital offers Ms. Hatcher’s affidavit as proof that Ms. McGee was never a lab patient. 23 (Doc. # 74-1 at 3.) In view of each party’s evidence, the court finds that Ms. McGee has satisfied her burden of proof and is typical of the putative class under Rule 23(a)(3). Ms. McGee has credibly testified that she had her blood tested by Flowers or its affiliates in 2012 and 2014. While Flowers has controverted this testimony by way of Ms. Hatcher’s affidavit, it raises the court’s eyebrows to see that the affidavit—signed four months after Ms. McGee’s deposition—fails to account for the doctors’ visits detailed by Ms. McGee. Absent such an explanation or corroborating medical records, Ms. Hatcher’s affidavit presents an incomplete rebuttal of Ms. McGee’s testimony. Accordingly, because Ms. McGee has proven her typicality by a preponderance of the evidence, she may continue in her role as a representative plaintiff; Mr. Smith, who has not met his burden of proof, cannot so continue. 10 The Hospital also takes issue with Mr. Whittle’s inclusion in the class.11 Although Mr. Whittle received a notification letter after the data breach, Flowers now claims a later investigation of its records found that Mr. Whittle’s files remained intact. (Doc. # 69 at 38.) But Mr. Whittle has introduced proof that tends to show Because Mr. Smith may not proceed as a representative Plaintiff, the collective term “Named Plaintiffs” hereinafter refers only to the four remaining representative Plaintiffs: Ms. McGee, Ms. Hall, Mr. Parker, and Mr. Whittle. 10 11 Although Flowers styles this argument as one related to causation, it works from the same premise as the typicality arguments against Mr. Smith and Ms. McGee and therefore is best addressed as such. 24 that his records were at least compromised, if not actually carried off by Millender: Mr. Whittle was a non-hospital patient, whose records were left unsecured in Millender’s thieving grounds, and who suffered from identity theft for the first time in his life shortly after his interaction with Flowers. And the court hesitates to give too much weight to the Hospital’s change in position, given its self-serving nature and post-litigation timing. Accordingly, Mr. Whittle is typical of the class and may continue in his representative role.12 Similarly, although not squarely addressed by the parties, the mutually exclusive nature of the implied and express breach-of-contract claims bears on the typicality of the Named Plaintiffs. Because Alabama law will not imply a contract that deals with the subject matter of an express contract, Vardaman, 544 So. 2d at 965, if the NPP forms a valid contract, then the NPP recipients cannot have an implied contract with Flowers. Thus, the Named Plaintiffs who received the NPP— Ms. McGee, Ms. Hall, and Mr. Whittle—are atypical of putative class members who did not receive the Notice; similarly, the non-recipient Named Plaintiff—Mr. Parker—is atypical of the class members who received the NPP. To handle the discrepancies between the implied and express contractual claims, the putative class Once again, it should be noted that the class certification decision may be altered or amended at any time until final judgment. Fed. R. Civ. P. 23(c)(1)(C). If merits discovery unearths evidence that proves Mr. Whittle’s atypicality—or any other flaw in the class or the Named Plaintiffs—Flowers can move to decertify the class or to remove him as a class representative. 12 25 will be divided into two subclasses. See Fed. R. Civ. P. 23(c)(5) (authorizing use of subclasses “[w]hen appropriate”). The first, the “express-contract subclass,” will consist of NPP recipients. The second, the “implied-contract subclass,” will consist of non-recipients. 4. Adequacy Rule 24(a)(4) mandates that “the representative parties . . . fairly and adequately protect the interests of the class.” The adequacy prong, like commonality and typicality, serves to protect the silent class members whose rights will be adjudicated in absentia. The adequacy-of-representation requirement “tend[s] to merge” with the commonality and typicality criteria of Rule 23(a), which “serve as guideposts for determining whether maintenance of a class action is economical and whether the named plaintiff’s claim and the class claim are so interrelated that the interests of the class members will be fairly and adequately protected in their absence.” Amchem Prods., Inc., 521 U.S. at 626 n.20 (quoting Falcon, 457 U.S. at 157 n.13). The Eleventh Circuit reads Rule 23(a)(4) to “encompass[ ] two separate inquiries: (1) whether any substantial conflicts of interest exist between the representatives and the class; and (2) whether the representatives will adequately prosecute the action.” Valley Drug Co. v. Geneva Pharm., Inc., 350 F.3d 1181, 1189 (11th Cir. 2003) (quoting In re HealthSouth Corp. Sec. Litig., 213 F.R.D. 447, 460–61 (N.D. Ala. 2003)). 26 The living Named Plaintiffs have signed declarations that they are free from any known conflicts of interest and committed to prosecuting the class action. (Docs. # 70-17; 70-18; 70-19.) Moreover, the class definition excludes those with a financial stake in Flowers and its parent entities, further reducing the likelihood of a conflict of interest. (Doc. # 69 at 4–5.) As pointed out by Plaintiffs’ counsel, the Named Plaintiffs’ willingness to attend depositions and provide discovery demonstrates that they will adequately prosecute the class action. Plaintiffs’ counsel’s history of class-action work also helps show that the unnamed class members’ interests will be adequately protected. (See generally Doc. # 70-20.) Flowers argues that Mr. Smith and Ms. McGee are atypical and hence unable to adequately represent the putative class. But having found that the Named Plaintiffs other than Mr. Smith have proved 23(a)(3) typicality, the court finds that these four Plaintiffs meet 23(a)(4)’s adequacy requirement as well. These four Plaintiffs have therefore satisfied Rule 23(a), and the analysis turns to Rule 23(b)(3). D. Rule 23(b)(3) Conditions “Framed for situations in which ‘class-action treatment is not as clearly called for’ as it is in Rule 23(b)(1) and (b)(2) situations, Rule 23(b)(3) permits certification where class suit ‘may nevertheless be convenient and desirable.’” Amchem Prods., Inc., 521 U.S. at 615 (citation omitted). Because it allows class actions to be maintained in less traditional contexts, Rule 23 imposes heightened requirements on 27 class movants who wish to proceed under section (b)(3). Along with the 23(a) prerequisites, a movant under 23(b)(3) must make two additional showings: (1) “that the questions of law or fact common to class members predominate over any questions affecting only individual members,” a condition referred to as predominance; and (2) “that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy,” also referred to as superiority. Fed. R. Civ. P. 23(b)(3). Predominance and superiority are addressed in turn. 1. Predominance The predominance inquiry requires a claim-by-claim analysis of the Named Plaintiffs’ four causes of action. Rutstein v. Avis Rent-A-Car Sys., Inc., 211 F.3d 1228, 1234 (11th Cir. 2000) (citing McCarthy v. Kleindienst, 741 F.2d 1406, 1412 (D.C. Cir. 1984)). The analysis “take[s] into account ‘the claims, defenses, relevant facts, and applicable substantive law’ to assess the degree to which resolution of the classwide issues will further each individual class member’s claim against the defendant.” Klay v. Humana, Inc., 382 F.3d 1241, 1254 (11th Cir. 2004), abrogated in part on other grounds, Bridge v. Phoenix Bond & Indemnity Co., 553 U.S. 639 (2008) (internal citation omitted) (quoting Castano v. Am. Tobacco Co., 84 F.3d 734, 744 (5th Cir. 1996)). Rule 23(b)(3) does not require “that all questions of fact or law be common, but” rather requires “only that some questions are common and that they predominate over individual questions.” Id. (quoting In re Theragenics Corp. 28 Secs. Litig., 205 F.R.D. 687, 697 (N.D. Ga. 2002)); see also Amgen Inc., 133 S. Ct. at 1196 (“Rule 23(b)(3), however, does not require a plaintiff seeking class certification to prove that each element of her claim is susceptible to classwide proof. What the rule does require is that common questions predominate over any questions affecting only individual class members.”) (emphasis in original) (alterations and internal quotation marks omitted). “An individual question is one where members of a proposed class will need to present evidence that varies from member to member, while a common question is one where the same evidence will suffice for each member to make a prima facie showing or the issue is susceptible to generalized, class-wide proof.” Tyson Foods, Inc. v. Bouaphakeo, 136 S. Ct. 1036, 1045 (2016) (alteration, citation, and internal quotation marks omitted). “[P]redominance is a qualitative rather than a quantitative concept” that “is not determined simply by counting noses.” Brown, 817 F.3d at 1239 (quoting Parko v. Shell Oil Co., 739 F.3d 1083, 1085 (7th Cir. 2014)). “Whether an issue predominates can only be determined after considering what value the resolution of the class-wide issue will have in each class member’s underlying cause of action.” Rutstein, 211 F.3d at 1234. “When one or more of the central issues in the action are common to the class and can be said to predominate, the action may be considered proper under Rule 23(b)(3) even though other important matters will have to be tried separately, such as damages or some affirmative defenses peculiar 29 to some individual class members.” Bouaphakeo, 136 S. Ct. at 1045. The court therefore analyzes each cause of action qualitatively to determine the value of classwide resolution of the component issues. a. Breach of Implied Contract To prevail on their implied-contract claim, the Named Plaintiffs must show that (1) a physician-patient relationship existed between Flowers and the putative class members, and (2) that the data breach constituted an unauthorized disclosure of their personal information. Crippen, 287 So. 2d at 832. The Named Plaintiffs likely will have to prove causation and damages, as in other breach-of-contract claims, but the scarce case law on the physician’s implied contract of confidentiality does not impose such a requirement.13 See Reynolds Metals Co. v. Hill, 825 So. 2d 100, 105 (Ala. 2002) (citing State Farm Fire & Cas. Co. v. Slade, 747 So. 2d 293, 303 (Ala. 1999)). The first two elements—the relationship and the disclosure—are easily resolved on a class-wide basis. Under Alabama law, a physician-patient relationship It makes no sense that Alabama law would require a lesser showing for litigants claiming breach of an implied contract than it requires for litigants claiming breach of an express contract. Regardless, when called to apply state law, this court must “take the state law as [it] find[s] it.” Castilleja v. S. Pac. Co., 406 F.2d 669, 675 (5th Cir. 1969). The parties did not directly address this question, so the court proceeds under the assumption that causation and damages are elements of the implied contract of confidentiality. If further analysis belies this assumption, the court would still reach the same result: Without having to prove causation and damages, the impliedcontract claim is wholly susceptible to common proof, and therefore the predominance criterion would still be met. 13 30 arises where a “patient knowingly seeks the assistance of a physician and the physician knowingly accepts him as a patient.” Wilson v. Athens-Limestone Hosp., 894 So. 2d 630, 634 (Ala. 2004) (quoting Wilson v. Teng, 786 So. 2d 485, 499 (Ala. 2000)). Each member of the putative class can prove this relationship element by offering the same evidence, namely, their registration as a Flowers patient. See Bouaphakeo, 136 S. Ct. at 1045 (defining a common question as one that can be proved as to each class member by the same evidence); (Doc. # 70-2 at 4 (detailing the registration of non-hospital patients).) The Hospital claims that a contract may not be implied absent a meeting of the parties’ minds and that, as a result, an inquiry into the creation of an implied contract would turn on individualized facts like the class members’ mental states and interactions with Flowers. This argument fails to account for the unique nature of the implied contract of confidentiality between physicians and patients. Rather than a meeting of the minds, this implied contract arises from the parties’ relationship, Wilson, 894 So. 2d at 634; because all the putative class members share a relationship with Flowers, the formation of the implied contract does not present an individualized question. Similarly, establishing the disclosure element requires only generalized proof of the circumstances surrounding Millender’s heist—proof that would be identical for all class members. Flowers voices a strident objection to predominance, pointing to the individualized nature of the causation and damages elements. This objection fails, 31 and its failure will be discussed in depth at the end of the predominance section, in Part IV.D.1.e.14 But before reaching the shortcomings of Flowers’s anti- predominance argument, the common issues that predominate in each of the four causes of action must be examined. Minor individualized issues do not defeat predominance where the common issues are at the crux of the action to be certified. Rutstein, 211 F.3d at 1234; accord In re Inter-Op Hip Prosthesis Liability Litig., 204 F.R.D. 330, 345 (N.D. Ohio 2001) (“[C]ommon issues need only predominate, not outnumber individual issues.”) (emphasis added). Here, the relationship and disclosure elements are so crucial to the implied-contract claim that they predominate. The two elements go to the heart of the implied-contract claim: whether a contract existed in the first place and whether that contract was breached. The extent to which Flowers was obliged to protect patient records, and whether it breached that obligation, are the predominant issues in this case—answering these questions one way or another will effectively decide the parties’ dispute. Causation and damages, while also necessary for a finding of liability, will not feature so prominently in the resolution of this matter. Thus, because the relationship and disclosure elements are the key points of All four causes of action require proof of causation and damages, and Flowers does not limit its argument to one cause of action or another. To avoid redundancy, the court will analyze causation and damages wholesale at the end of the predominance section rather than working through these elements piecemeal as they pertain to each cause of action. 14 32 contention, resolution of the common elements “will so advance the litigation that they may fairly be said to predominate.” In re School Asbestos Litig., 789 F.2d 996, 1010 (3d Cir. 1986). The implied-contract claim therefore passes the predominance criterion. b. Breach of Express Contract To establish a prima facie case for breach of express contract, the Named Plaintiffs must prove that there was a valid contract, that they performed under the contract, that Flowers failed to perform, and that they suffered damages as a result. Shaffer, 29 So. 3d at 880. In support of the express-contract claim, the Named Plaintiffs will offer evidence of the alleged contract (the NPP) and evidence of the data breach. As with the implied-contract claim, the questions of contract formation and breach take center stage; if these turn out to be common questions, the predominance requirement is met. This appears to be the case: The NPP is a standard, form document, identical copies of which were signed by each member of the expresscontract subclass. See Kleiner, 97 F.R.D. at 692 (highlighting the propriety of class treatment of disputes over form contracts). The alleged contract’s validity and effect, therefore, can be determined on the face of the NPP and, perhaps, by looking to Flowers’s actions in delivering and performing under the NPP. This would be enough to make contract formation a common question. And, as with the other 33 claims, the question of breach turns on Millender’s records heist, an undeniably common question. Flowers denies predominance on the grounds that the contract’s validity will turn on individualized proof. The Hospital attacks with several tacks: First, it grouses that “Plaintiffs have yet to identify what provision of what contract was supposedly breached.” (Doc. # 72 at 32.) Not only does this complaint misrepresent the Named Plaintiffs’ argument, which identifies both the putative contract and the manner in which it was breached (see Doc. # 69 at 16), its focus on the merits of the Named Plaintiffs’ claim takes it outside of the scope of the certification inquiry. See Brown, 817 F.3d at 1234. Second, the Hospital argues that certification of a breach-of-contract claim is inappropriate where the formation of that contract is disputed. (Doc. # 72 at 33.) Flowers offers no legal support for this assertion, and the court’s own research has failed to corroborate this claim. Indeed, breach-of-contract actions are routinely certified despite disputes over the contract’s terms or validity,15 and form contracts like the NPP remain peculiarly suitable to class treatment. E.g., Sacred Heart Health Sys., Inc. v. Humana Military Healthcare Serv., Inc., 601 F.3d 1159, 1171 (11th Cir. See, e.g., Torres-Vallejo v. Creativexteriors, Inc., --- F. Supp. 3d ---, 2016 WL 7155840 (D. Colo. Nov. 23, 2016); In re Scotts EZ Seed Litig., 304 F.R.D. 397 (S.D.N.Y. 2015); Ham v. Swift Transp. Co., 275 F.R.D. 475 (W.D. Tenn. 2011); Dupler v. Costco Wholesale Corp., 249 F.R.D. 29 (E.D.N.Y. 2008). 15 34 2010) (“It is the form contract, executed under like conditions by all class members, that best facilitates class treatment.”); Allapattah Servs., Inc. v. Exxon Corp., 333 F.3d 1248, 1260–61 (11th Cir. 2003), aff’d, 545 U.S. 546 (2005). Moreover, absent allegations of fraud or ambiguity that are not urged in this case, the parol evidence rule would limit the court’s analysis to the four corners of the NPP—thereby rendering inadmissible a great swath of individualized evidence. Ala. Elec. Coop., Inc. v. Bailey’s Constr. Co., 950 So. 2d 280, 287 (Ala. 2006) (citing Envtl. Sys., Inc. v. Rexham Corp., 624 So. 2d 1379, 1381 (Ala. 1993)) . And third, the Hospital claims that the factual question of whether a class member received the NPP precludes predominance. (Doc. # 72 at 33–34.) Division of the putative class into the implied-contract and express-contract subclasses solves this problem: Every member of the express-contract subclass received the NPP, thereby obviating the need for an individualized inquiry into the class members’ receipt of the Notice. Accordingly, the questions of contract formation and breach are common issues. As with the implied-contract claim, these common issues are so central to the claim that they predominate without outnumbering the individualized issues of causation and damages. c. Negligence To recover on their negligence claim, the Named Plaintiffs must prove the familiar elements of duty, breach, causation, and damages. Albert, 602 So. 2d at 35 897. Plaintiffs can establish duty by proving they were non-hospital patients at Flowers, breach by proof of Millender’s records theft, and damages by showing the variegated expenses incurred in responding to the exposure of their personal information. Causation poses a trickier hurdle, but may be proved circumstantially. See Resnick v. AvMed, Inc., 693 F.3d 1317, 1326–27 (11th Cir. 2012); Caroline C. Cease, Giving Out Your Number: A Look at the Current State of Data Breach Litigation, 66 Ala. L. Rev. 395 (2014). The questions of duty and breach—like the questions of the existence and breach of a contract—are common issues susceptible to proof on a class-wide basis. Although negligence classes are not commonly certified, this case does not present the sort of variations in state law or in operative facts that tend to defeat predominance. E.g., Amchem Prods., Inc., 521 U.S. at 624 (declining to find predominance due, in part, to “[d]ifferences in state law”); Kirkpatrick v. J.C. Bradford & Co., 827 F.2d 718, 725 (11th Cir. 1987) (holding that variations in state law precluded class certification); Lienhart v. Dryvit Sys., Inc., 255 F.3d 138, 149 (4th Cir. 2001) (reversing district court’s finding of predominance, in part because liability hinged on individual interactions between the defendant and various class members); accord In re Tri-State Crematory Litig., 215 F.R.D. 660, 695 (N.D. Ga. 2003) (certifying negligence class where the applicable law and operative facts were 36 largely uniform). Rather, each class member was a non-hospital patient16 at Flowers, each class member alleges injury as a result of Millender’s records heist, and each class member suffered the same general type of damages; moreover, each class member is an Alabama resident suing under Alabama law. These common issues are pivotal to the resolution of the litigation, and therefore predominate despite individualized questions of causation and damages. Accord Sterling v. Velsicol Chem. Corp., 855 F.2d 1188, 1197 (9th Cir. 1988) (emphasizing that tort actions arising from “a single course of conduct” are well suited for class resolution). d. Negligence Per Se To recover for negligence per se, the Named Plaintiffs must prove that Flowers violated a statute, that the statute aimed to protect a class to which Plaintiffs belong, that they suffered the sort of injury contemplated by the statute, and that their injury was proximately caused by Flowers’s violation of the law. See Cook’s Pest Control, Inc., 28 So. 3d at 726. The Named Plaintiffs claim that the Hospital violated HIPAA; they plan to prove Flowers’s negligence per se by introducing evidence of HIPAA’s requirements and of the data breach. This common evidence would suffice to show all but the damages element of negligence per se. And, while damages will involve some individualized inquiry, that alone will not derail class certification. Klay, 382 F.3d at 1259 (“[T]he presence of individualized damages does not prevent 16 See supra Part III.A; see also supra note 8. 37 a finding that the common issues in the case predominate.”) (quoting Allapattah Servs., Inc., 333 F.3d at 1261). Flowers’s alleged statutory violation sits at the forefront of the negligence per se analysis; common questions therefore predominate as to all four of the Named Plaintiffs’ causes of action. e. A Note on Causation and Damages As mentioned above, Flowers mounts an attack on predominance on the basis of the individualized nature of causation and damages. The strength of the Hospital’s arguments warrants extended discussion. Starting with the question of damages, it is hornbook law that individualized damages do not preclude class certification. Klay, 382 F.3d at 1259; In re School Asbestos Litig., 789 F.2d at 1010 (“[I]t [is not] a disqualification that damages must be assessed on an individual basis.”). Such a rule jibes with the purpose of Rule 23: The policy at the very core of the class action mechanism is to overcome the problem that small recoveries do not provide the incentive for any individual to bring a solo action prosecuting his or her rights. A class action solves this problem by aggregating the relatively paltry potential recoveries into something worth someone’s (usually an attorney’s) labor. Amchem Prods., 521 U.S. at 617 (quoting Mace v. Van Ru Credit Corp., 109 F.3d 338, 344 (7th Cir. 1997)). “It would drive a stake through the heart of the class action device, in cases in which damages were sought rather than an injunction or a declaratory judgment, to require that every member of the class have identical damages.” Butler v. Sears, Roebuck & Co., 727 F.3d 796, 801 (7th Cir. 2013). To 38 be sure, there are “extreme cases in which computation of each individual’s damages will be so complex, fact-specific, and difficult that the burden on the court system would be simply intolerable.” Klay, 382 F.3d at 1260. But “such cases rarely, if ever, come along.” Id. Otherwise, absent “significant individualized questions going to liability,” the lack of identical damages will not preclude certification under Rule 23(b)(3). Id. The Named Plaintiffs claim “myriad . . . different expenses, costs, fees, penalties, lost opportunities, loss of time, mileage costs, lost wages, professional fees, general frustration, and other inconveniences.” (Doc. # 72 at 42.) Resolving these claims for damages will require a series of proceedings in which each class member can put on his or her case for damages; Flowers, too, would be given a chance to rebut these claims. But the burden of corralling this run of mini-trials shrinks in comparison to the burden of conducting a full-blown trial on every issue contained in every cause of action, for every class member. Individualized damages do not sink the putative class. Causation is a tougher question. But when framed in the context of the putative class action as a whole, the individual issues surrounding causation fade into the background of the larger dispute. Because the questions of causation in this case are bound up in the questions of damages, and because causation plays only a 39 minor role in the larger controversy, common questions predominate in this class action. Flowers rightly argues that proving causation will entail an inquiry into each class member’s financial history. The Eleventh Circuit has accepted circumstantial proof of the causal connection between identity theft and a data breach, but requires “a nexus between the two instances beyond allegations of time and sequence.” Resnick, 693 F.3d at 1326–28. Proving this nexus may require a review of any prior thefts of each class member’s identity.17 See id. Similarly, Flowers argues that the high rate of tax fraud in the Middle District of Alabama justifies individual inquiry into each class member to ensure that their identity was stolen by Millender or his accomplice, rather than some other fraudster. Such facts are bound up in the same findings necessary to support the class members’ claims for damages. The Named Plaintiffs already have to show that they incurred damages as a result of delayed or 17 Resnick modelled its analysis on an unpublished Ninth Circuit opinion, Stollenwerk v. Tri-West Health Care Alliance, 254 F. App’x 664 (2007). 693 F.3d at 1326–27. In Stollenwerk, the Ninth Circuit held that a data-breach plaintiff had established causation where he alleged that he gave the defendant his personal information, that his identity was stolen six weeks after a breach of the defendant’s database, and that he had not previously been a victim of identity theft. 254 F. App’x at 667. Approving Stollenwerk’s reasoning, the Eleventh Circuit in Resnick held that circumstantial proof required something more than “a mere temporal connection,” and that the plaintiffs had carried that burden. 693 F.3d at 1327. Flowers reads Resnick to impose a three-part test mirroring the Stollenwerk analysis. But Resnick did not hold that causation in a data-breach case can only be proved circumstantially if those three factors are satisfied; rather, it held only that the plaintiffs had succeeded in showing something more than a temporal connection, as required. Id. at 1327–28. Although such a test may be a useful analytical tool, to the extent it can be gleaned from Resnick it is non-binding (if persuasive) dicta. See Bryan A. Garner, William H. Pryor, Jr., et al., The Law of Judicial Precedent 69–72 (2016). 40 rejected tax returns and/or their mitigation efforts. It is little more for them also to show that they have not previously had their identities stolen. The sort of proof necessary for causation is the sort of proof necessary for damages; the evidence supporting the two issues is so interwoven as to justify their likely joint resolution in bifurcated mini-trials. Under these facts, just as individualized damages will not preclude certification, neither should the mirror-image question of causation. See Bouaphakeo, 136 S. Ct. at 1045 (approving of class treatment where, “even though other important matters will have to be tried separately,” “one or more of the central issues . . . are common to the class”). More importantly, causation is at best a background issue in this dispute. Predominance is not a matter of “counting noses.” Brown, 817 F.3d at 1239 (quoting Parko, 739 F.3d at 1085). Instead, the criterion is satisfied where the most important questions in the litigation are common in nature. Id.; see also Rutstein, 211 F.3d at 1236 (reasoning that the greater importance of individual issues, relative to the common issues, barred predominance). This is the case here. At root, this dispute stems from two questions: Did the Hospital have a duty, whether sounding in contract or tort, to protect the putative class members’ personal information? And, if so, did the Hospital breach that duty when Millender made off with the patient records? Causation and damages, while also necessary for a finding of liability, orbit around these two central questions. Resolving the common questions of contractual 41 or tort-based duty and breach “will be of great value in the ultimate resolution of each class member’s underlying cause of action.” In re Tri-State Crematory Litig., 215 F.R.D. at 695. Although individualized questions of causation and damages may persist, they do not derail the predominance of the common questions. 2. Superiority Finally, a 23(b)(3) class may only be certified if “a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed. R. Civ. P. 23(b)(3). Rule 23 directs that the superiority analysis should take into account “the class members’ interests in individually controlling the prosecution or defense of separate actions,” “the extent and nature of any litigation concerning the controversy already begun by or against class members,” “the desirability or undesirability of concentrating the litigation of the claims in the particular forum,” and “the likely difficulties in managing a class action.” Fed. R. Civ. P. 23(b)(3)(A)– (D). The Named Plaintiffs meet this requirement. All four factors contemplated by Rule 23(b)(3) go in favor of class certification. Common issues predominate in the class members’ claims and, owing to the relatively low damages, one class member’s recovery will not preclude the recovery of another. See Klay, 382 F.3d at 1269 (explaining that a higher degree of predominance makes class resolution all the more superior). Accordingly, the class members have only a minor interest, if any, in controlling the prosecution of the 42 action. Fed. R. Civ. P. 23(b)(3)(A). The court has not been made aware of any other litigation concerning the Flowers Hospital data breach, and concentrating this dispute in a single forum will help bring the matter to a uniform conclusion that neither prejudices nor privileges Flowers or particular class members. Id. 23(b)(3)(B), (C). And because each class member lives in Alabama and has an address on file with Flowers, the difficulties in managing the class should be minimal. Id. 23(b)(3)(D); see Roper v. Consurve, Inc., 578 F.2d 1106, 1115 (5th Cir. 1978) (characterizing as “peculiarly manageable” a class of plaintiffs that all “live[d] in one state” and whose addresses were kept on file by the defendant). Moreover, the non-hospital patients injured in the data breach likely could not, or would not, seek redress unless certified as a class. Cf. Klay, 382 F.3d at 1269 (focusing the superiority inquiry on “the relative advantages of a class action suit over whatever other forms of litigation might be realistically available to the plaintiffs”) (emphasis added) (citing In re Managed Care Litig., 209 F.R.D. 678, 692 (S.D. Fla. 2002)). As best the court can tell, no class member suffered more than a few thousand dollars in damages. Many a lawyer would scoff at such a low dollar amount, leaving the class members with few avenues to seek recovery from Flowers. See Roper, 578 F.2d at 1114 (finding that 23(b)(3) superiority was satisfied where “[t]he alleged statutory wrong may go unchallenged because the costs of proof exceed the likely recovery”). Not only is the class device superior to the other 43 available methods to decide this controversy, it may be the only way for the class members to see any recovery at all. The Named Plaintiffs have therefore satisfied Rule 23(b)(3), and their motion for class certification is due to be granted. V. CONCLUSION The Named Plaintiffs have succeeded in proving their entitlement to class certification under Rule 23(b)(3). Subject to later alteration, see Fed. R. Civ. P. 23(c)(1)(C), trial of this case will be bifurcated into two phases. In the first phase, the collective questions of duty and breach will be put to a jury. If Plaintiffs prevail, the intermingled questions of causation and damages will then be tried on an individual basis. Accordingly, it is ORDERED as follows: 1. The Named Plaintiffs’ motion for class certification (Doc. # 68) is GRANTED; 2. The court CERTIFIES under Federal Rule of Civil Procedure 23(b)(3) a class with the following definition: All non-hospital patients of Flowers Hospital, as defined above, whose personal identifying information or protected health information was stolen from Flowers Hospital by Kamarian Millender and/or his accomplice(s). Excluded from the class are the (i) owners, officers, directors, employees, agents and/or representatives of Defendant and its parent entities, subsidiaries, affiliates, successors, and/or assigns, and (ii) the court, court personnel, and members of their immediate families. 44 3. The court CERTIFIES under Federal Rule of Civil Procedure 23(b)(3) two subclasses with the following definitions: a. As to Plaintiffs’ claim for breach of implied contract: All persons who are members of the class described in Paragraph 2, above, who did not receive the NPP during the course of their interactions with Flowers Hospital. b. As to Plaintiffs’ claim for breach of express contract: All persons who are members of the class described in Paragraph 2, above, who received the NPP during the course of their interactions with Flowers Hospital. 4. Plaintiffs Julie McGee, Adam Parker, Sandra Hall, and Jack Whittle are APPROVED as class representatives; 5. Plaintiff Bradley Smith is REJECTED as class representative because he is not typical of the class under Federal Rule of Civil Procedure 23(a)(3); 6. Pursuant to Federal Rule of Civil Procedure 23(g), the law firm of McCallum, Methvin & Terrell, P.C., is APPOINTED as class counsel; 7. Trial of this matter likely will be BIFURCATED, subject to Rule 23(c)(1)(C). The common elements of all four causes of action, as described above, will be tried collectively, and the elements of causation and damages will be tried individually or collectively, as appropriate; and 8. Pursuant to Federal Rule of Civil Procedure 23(c)(2)(B), the parties are ORDERED to submit to this court, on or before April 14, 2017, a class notice plan 45 and forms of notice. If the parties are unable to agree on forms of notice, the parties shall each submit on or before April 7, 2017 their proposed forms, accompanied by a memorandum explaining the party's position, and each party shall respond to the other's proposed notice plan and forms of notice no later than April 14, 2017. DONE this 17th day of March, 2017. /s/ W. Keith Watkins CHIEF UNITED STATES DISTRICT JUDGE 46

Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.