As CPW has covered, healthcare data breaches are on the rise (and are likely to continue to do so in light of the rise in telehealth in 2020).  Despite the recent proliferation of data breach litigation, case law hasn’t caught up—you can count on your hands the number of times any court, state or federal, has decided whether to certify a data breach class action.

A New York federal court added itself to this shortlist just last week, denying plaintiffs’ motion for certification of a damages class (but certifying the injunctive class, in a long-running data breach class action where hackers breached Excellus Health Plan’s records.  The court in Fero v. Excellus Health Plan, Inc., 2020 U.S. Dist. LEXIS 219375 (W.D.N.Y. Nov. 23, 2020) gave the health insurer/provider a lot to be thankful for (and just in time for the Thanksgiving holiday), but it wasn’t all gravy: the court did certify the plaintiff’s class seeking injunctive relief.  This case offers a roadmap for how defendants in data breach litigation can defeat class certification in federal court—or at least defeat certification of a damages class—and is likely to impact other cases in this growing area.  So sit up, tuck in your turkey gut, and read on.

First, some background.  Let’s start with the (alleged) facts: Excellus is the primary healthcare provider in upstate New York.  Per the complaint, in late 2013, hackers infiltrated Excellus’s cybersecurity systems, acquired high-level access to Defendants’ computer networks, and gained access to the personally identifiable information (“PII”) and protected health information (“PHI”) of approximately 10 million individuals.  These hackers, Plaintiffs allege, “operated in” Excellus’s computer networks “with impunity” for at least nine months.  After the breach was discovered and disclosed, Plaintiffs (consisting of individuals whose personal info was on Excellus’s computer network during the data breach) filed a putative class action complaint.  Plaintiffs asserted a host of claims against Excellus and other defendants—negligence, negligence per se, breach of contract and of the implied covenant of good faith and fair dealing, and unjust enrichment—alleging (among other things) that Defendants failed to provide promised cybersecurity protections regarding the security of their PII and PHI.

Now, onto some procedure (stay with us).  To get certified, every federal class action must satisfy not only the four prerequisites of Federal Rule of Civil Procedure 23(a), but also one of the three scenarios set forth Rule 23(b).  In determining whether to certify a class, a district court first assesses whether the putative class meets Rule 23(a)’s prerequisites: (1) numerosity, (2) commonality, (3) typicality, and (4) adequacy of representation.  IF (and only if) the class meets all these requirements, the court will then assess whether one of the scenarios set forth in Rule 23(b) is satisfied.  Class certification matters as it raises the stakes in litigation and can lead to damages awards (or settlements) and big payouts for class counsel.

Back to the case at hand.  Plaintiffs in Fero sought certification for the majority of their proposed classes, seeking monetary damages, under Rule 23(b)(3).  Under this rule, a class seeking damages can be certified if (in addition to meeting the Rule 23(a) criteria), the plaintiffs establish both predominance (i.e., that questions common to class members predominate over questions affecting individual ones) and superiority (i.e., that the class action is the best way to litigate the case).  Plaintiffs also tried to certify a class seeking only injunctive relief (in the form of enhanced security measures) under Rule 23(b)(2).  This one provides that an injunction-only class may be certified if (in addition to meeting the Rule 23(a) thresholds), the defendant “acted or refused to act on grounds that apply generally to the class.”

How did things shake out for Plaintiffs in Fero?  Well, they lost on the damages class, but still came away with an injunctive class.  Across the board, the court agreed with Defendants that no damages class could be certified consistent with federal class action requirements—in a decisive win on that front for Defendants.  However, the court did certify a class for injunctive relief under Rule 23(b)(2), in a mix bag composite result that likely left neither side totally satisfied.

It came down to a lack of predominance for the damages class.  As noted in Fero, the Second Circuit has previously found that while “the presence of individual defenses does not by its terms preclude class certification,” a failure by plaintiffs to offer a “reliable means of collectively determining how many class members’ claims are time-barred,” counsels against class certification.  Plaintiffs were trying to certify classes bringing claims under various New York laws and for breach of contract and unjust enrichment under the laws of various states.  But the court agreed with Defendants that a lot of these claims were barred on their face by the applicable statute of limitations.  So the court found that statute of limitations issues (i.e., whether individual class members’ claims were time-barred) would predominate over common class issues, prohibiting certification of these classes.

The Court also found an additional, independent reason to reject the certification of the proposed class seeking damages class under New York General Business Law (“GBL”) Section 349.  For this one, individualized issues of causation overwhelmed the common questions of fact and law and thus also failed Rule 23(b)(3)’s predominance test.  The Court held that “Plaintiffs have not demonstrated that causation can be ascertained on a classwide basis in this case.”  This was because, the Court explained, Plaintiffs’ argument ignores a key step in the causal chain—a link between the allegedly deceptive conduct and the putative damages class members.  New York law clearly requires that “in order to have been injured by the defendant’s deceptive act, a plaintiff must have been personally misled or deceived.”  Many plaintiffs, however, never had any contact with defendant (as they had health insurance provided from their employer), which made the link between the alleged deception and the alleged injury “too attenuated” and requiring “too much individualized analysis.”  Again, it came down to predominance.

However, the court certified Plaintiffs’ proposed injunctive relief class against Excellus only (Plaintiffs didn’t seek certification of this class against any of the other named Defendants).  Although hid in a footnote, the difference, seemingly, came down to the purported lack of a predominance requirement for injunctive classes.  The court stated: “Importantly, there is no predominance requirement with respect to a Rule 23(b)(2) class. . . . Accordingly, the predominance issues that prevent certification of the proposed GBL § 349 Damages Class do not pose a similar problem with respect to the proposed GBL § 349 Injunctive Relief Class.”

The Court instead focused on ascertainability of the injunctive relief class, which boiled down to three fundamental questions: (1) was an individual’s PII and/or PHI stored on Excellus’s systems during the alleged data breach timeframe; (2) was that individual included in Excellus’s list of Impacted Individuals; and (3) does that individual’s PII and/or PHI still reside on Excellus’s systems?  In doing so, the Court rejected Defendants’ argument that Plaintiffs do not have standing to seek injunctive relief in this case, but limited this class to those who still have personal info on Excellus’s systems.  According to the Court (depending on discovery) it was possible a trier of fact could conclude the members of the proposed injunctive relief class, which is limited to individuals whose PII and/or PHI is currently stored on Excellus’s computer networks, continue to be at risk. (Whether Excellus could moot this class by no longer storing the PII and PHI of these individuals remains an open question, it seems.)

So there you have it.  Another day, another development in the ever-changing landscape of data privacy litigation.  It’s a success for companies defending class actions that implicate individual damages issues, but it’s also a reminder not to forget about that injunctive class.  While that class is limited (and this one may not survive after further discovery), plaintiffs’ lawyers who lose on damages certification might try to squeeze out big attorneys’ fees from an injunctive class.  So focus on the bigger risk (damages classes generally equal more $$, for obvious reasons) and take the win when it comes, but don’t sleep on that injunctive class either.