Data Breach Class Action Review – 2025

exposures of the same data at issue in this case — cast doubt as to whether plaintiffs could properly satisfy the requirements of commonality, typicality, and predominance.” Id. at *26. The defendant subsequently beat class certification a second time in In Re Blackbaud, Inc. Customer Data Breach Litigation, Case No. 20-CV-2972 (D.S.C. Dec. 30, 2024). The plaintiffs filed a request to move for class certification again based on alternative theories. The court ruled that allowing another attempt at class certification, based on the same record, would be prejudicial to Blackbaud and would not serve judicial efficiency. The court determined that the plaintiffs had not made any additional showing that identifying class members was administratively feasible. Accordingly, the court denied the motion.
Attias, et al. v. Carefirst, Inc., 2024 U.S. Dist. LEXIS 57363 (D.D.C. Mar. 29, 2024), is a rare case in which class certification resulted in plaintiffs obtaining a nominal monetary award. Hackers breached a health insurer’s computer systems and accessed PII of its customers. The plaintiffs filed a class action against the health insurer, alleging breach of contract and violations of Consumer Protection Acts in Maryland and Virginia. The court granted summary judgment in favor of the health insurer on the two statutory claims “because plaintiffs failed to show a triable issue of fact on reliance on any misrepresentation, as required under the MCPA, and because CareFirst fell within a statutory exemption of the VCPA for insurance companies regulated by Virginia’s corporation commission.” Id. at *6. By contrast, the court denied summary judgment on the plaintiffs’ breach of contract claim. The plaintiffs moved to certify the breach of contract class pursuant to Rule 23.
The court granted certification, finding (1) that all putative class members have Article III standing “because the purported breach of contract is a concrete injury, redressable through nominal damages,” and (2) that the Rule 23 requirements were satisfied, concluding that “there is little doubt that common issues about CareFirst’s purported breach of its implied promise to take reasonable steps to safeguard its customers’ personal information far outstrip any individualized inquiries that may be required.” Id. at *7-11. However, as the court made clear, the “plaintiffs’ recovery is almost certainly limited to nominal damages because they cannot show that they suffered identity theft or tax fraud due to the data breach and because, under D.C. law, mitigation expenses are not actual damages ... Based on the type of information pilfered in the data breach — which included names, birth dates, email addresses, and subscriber identification but not Social Security numbers or any financial information — the court has little doubt that the same will hold true for all other class members.” Id. The plaintiffs thereafter pursued an interlocutory appeal or, alternatively, a motion for reconsideration on the issue of whether mitigation expenses are actual expenses for their breach of contract claim. The court also denied these requests.
In Savidge, et al. v. Pharm-Save, Inc., 2024 WL 1366832 (W.D. Ky. Mar. 29, 2024), an employer fell victim to a phishing scheme perpetrated by cybercriminals who stole 343 W-2 forms of the company’s employees. The employer promptly notified the affected employees of the breach and that, as a result, the criminals may have filed or may try to file fraudulent tax returns in the names of the employees. Two employees, one of whom suffered such a fraudulent tax return, filed a class action against the employer raising claims of negligence and breach of contract, and sought to certify a class of victims of the data breach.
The court granted certification. First, it found that the 343 data breach victims at issue satisfied the numerosity requirement. Id. at *22-23. Next, the court found each of the other Rule 23 requirements satisfied as well. As the court explained, “with respect to negligence, common questions include whether Pharm-Save owed a duty to the class members and whether it breached that duty. Whether Pharm-Save’s breach of that duty caused injury to the class members is also a common question, even if there also exist other individualized questions about causation (e.g., whether a class member was a victim of another unrelated data breach that might increase the risk of future harm ... And the fact of damages is a question common to the class, as it is defined herein. This is true even if the specific amount of damages sustained by each individual class member may ultimately vary.” Id. at *30. For these reasons, the court granted class certification.
In Vest Monroe, LLC, et al. v. Doe, 2024 Ga. LEXIS 187 (Ga. Sept. 4, 2024), the plaintiff received treatment at a behavioral health and addiction treatment facility. An ex-employee of the facility contacted plaintiff’s counsel of record in a medical malpractice case pending against the facility and provided them with digital copies of documents and recordings that she obtained from her former employer. Id. at *3. After becoming aware of the disclosure of the patient information, the facility discovered that information pertaining to nearly 2,000 patients was compromised. The plaintiff filed a class action complaint against defendants, asserting a number of claims related to the unauthorized disclosure of patient PHI. Plaintiff moved for class certification in March 2022. The


© Duane Morris LLP 2025
