Smith v. Triad of Ala., LLC

Decision Date17 March 2017
Docket NumberCASE NO. 1:14-CV-324-WKW [WO]
CourtU.S. District Court — Middle District of Alabama

Before the court is the motion for class certification filed by Plaintiffs Bradley S. Smith, Julie S. McGee, Adam Parker, Sandra W. Hall, and Jack Whittle (collectively, the "Named Plaintiffs"). (Doc. # 68.) The Named Plaintiffs seek to certify a class of individuals whose personal identifying information and protected health information (their "personal information") was compromised by a former employee of Defendant Triad of Alabama, LLC ("Flowers," "Flowers Hospital," or the "Hospital"). The Named Plaintiffs—except for Mr. Smith, as discussed in Part IV.C.3, infra—have carried their burden under Federal Rule of Civil Procedure 23; accordingly, their motion is due to be granted, subject to a few caveats.


Subject-matter jurisdiction is proper under 28 U.S.C. §§ 1331 and 1367, and the parties do not contest personal jurisdiction or venue.


"The class action is 'an exception to the usual rule that litigation is conducted by and on behalf of the individual named parties only.'" Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1432 (2013) (quoting Califano v. Yamasaki, 442 U.S. 682, 700-01 (1979)). To avail himself of this exception, a plaintiff seeking class certification bears the burden of proving that he has satisfied the four Rule 23(a) prerequisites—often shorthanded as numerosity, commonality, typicality, and adequacy—and that the class action will meet one of the three requirements of 23(b). Fed. R. Civ. P. 23(a), (b); see Brown v. Electrolux Home Prods., Inc., 817 F.3d 1225, 1233 (11th Cir. 2016) ("All else being equal, the presumption is against class certification because class actions are an exception to our constitutional tradition of individual litigation."). The burden is one of proof, not pleading, Brown, 817 F.3d at 1233, and requires the district court to undertake a "rigorous analysis" to determine the propriety of certification, Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 161 (1982). Although this rigorous analysis frequently "entail[s] some overlap with the merits of the plaintiff's underlying claim," Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 351 (2011), "the district court can consider the merits 'only' to the extent 'they arerelevant to determining whether the Rule 23 prerequisites for class certification are satisfied,'" Brown, 817 F.3d at 1234 (quoting Amgen Inc. v. Conn. Ret. Plans & Trust Funds, 133 S. Ct. 1184, 1195 (2013)).

The Named Plaintiffs seek certification of a damages class under Rule 23(b)(3). As a result, along with the 23(a) prerequisites, they must also prove "that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Fed. R. Civ. P. 23(b)(3). All of this proof must be made by a preponderance of the evidence.1 Stein v. Monterey Fin. Servs., Inc., No. 2:13-CV-1336-AKK, 2017 WL 412874, at *4 (N.D. Ala. Jan. 31, 2017); In re Delta/AirTran Baggage Fee AntitrustLitig., --- F.R.D. ---, No. CV 1:09-MD-2089-TCB, 2016 WL 3770957, at *21 (N.D. Ga. July 12, 2016).

A. Facts and Procedural History

Flowers Hospital operates a medical laboratory where it tests blood samples taken from hospital patients and so-called "non-hospital" patients from a couple dozen "clinics, nursing homes and physicians" in the surrounding area. In June 2013, the Hospital hired Kamarian Millender to work in the lab as a phlebotomist. Before long, Millender learned that non-hospital patient records—chock full of personal information ranging from birth dates to social security numbers—were kept in unlocked filing cabinets in a back hallway immediately accessible from the lab. (Docs. # 70-1 at 13-162; 70-3 at 7.) To Millender, these filing cabinets were a goldmine.

Demonstrating all the restraint of a child left unattended in a candy shop, Millender made off with a bundle of folders. (Docs. # 70-2 at 10-11; 70-3 at 7.) Millender dug through the personal information in the patient records and, with the help of an accomplice, filed at least 124 fraudulent federal tax returns for tax years 2012 and 2013. This scheme eventually came to light, and on February 25, 2014,the Henry County Sheriff's Office apprehended Millender with fifty-four patient records in hand.3

Later that night, Flowers got word of Millender's arrest and began investigating the heist. An internal audit uncovered five missing daily file folders. (Doc. # 70-2 at 10-11.) Although the contents vary from one file folder to another, each folder typically contains between 100 and 150 patient records; a loss of five daily folders therefore reflects a loss of anywhere from 500 to 750 patient records. Along with these hundreds of stolen records, Flowers received from the IRS and other federal agencies a list of additional identities that may have been stolen by Millender.

Recognizing the scope of Millender's crimes, Flowers took action. Between April 8, 2014, and August 29, 2014, the Hospital sent letters notifying 1,208 non-hospital patients that their personal information may have been compromised. The Hospital maintains that an overabundance of caution led it to draft an overlong mailing list—that the list reflected a healthy respect for HIPAA,4 not the actual extent of the data breach. The Named Plaintiffs urge that, because letters were sentto all patients whose records could not be located, the 1,208 names on the mailing list illustrate the maximal extent of Millender's theft.

On May 5, 2014, Plaintiffs Bradley Smith and Julie McGee filed a class-action complaint against Flowers, alleging violation of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq., negligence, and invasion of privacy. A month and a half later, the complaint was amended to name three additional PlaintiffsAdam Parker, Sandra Hall, and Jack Whittle, rounding out the five Named Plaintiffs—and to add claims for negligence per se and breach of contract. A second amended complaint followed on September 30, 2014, and Flowers moved to dismiss two weeks later. After the parties fully briefed the motion (Docs. # 27, 29, 30), the court inquired sua sponte into the Named Plaintiffs' standing and ordered further briefing on the issue (Doc. # 32). Once the parties weighed in (Docs. # 33, 34, 37, 38), the Magistrate Judge issued a Report and Recommendation finding standing, dismissing the invasion-of-privacy claim, and otherwise denying Flowers's motion to dismiss (Doc. # 39). The Recommendation was adopted over Flowers's objection, and the matter proceeded to discovery on the question of class certification. (Doc. # 41.) On August 29, 2016, the Named Plaintiffs moved to certify a class action under Federal Rule of Civil Procedure 23(b)(3).5 (Doc. # 68.)That motion has been fully briefed by the parties, and is before the court today. (Docs. # 69, 70, 72, 73, 74, 75, 76, 77.)

B. The Class Definition

The Named Plaintiffs seek to certify the following class (the "putative class"):

All persons whose personal identifying information (PII) or protected health information (PHI) was stolen from Flowers Hospital by Kamarian Millender and/or his accomplices. Excluded from the Class are the (i) owners, officers, directors, employees, agents and/or representatives of Defendant and its parent entities, subsidiaries, affiliates, successors, and/or or [sic] assigns, and (ii) the Court, Court personnel, and members of their immediate families.

(Doc. # 69 at 4-5.)

C. The Named Plaintiffs

Because Rule 23 looks to the relation between the Named Plaintiffs and the putative class, each Plaintiff's experience in the data breach warrants a brief summary. Of particular note is the Notice of Privacy Practices ("NPP," or the "Notice"), a document that Flowers sent to all patients admitted to the hospital. (See Doc. # 70-14.) The Named Plaintiffs base their claim for breach of express contract on the Notice, asserting that the NPP "constitutes a binding contract setting forth Flowers Hospital's obligation to maintain [patient] confidentiality." (Doc. # 69 at18.) Accordingly, receipt of the Notice is relevant to whether each Plaintiff satisfies Rule 23.6

1. Bradley Smith

Bradley Smith had blood drawn at West Main Medical, a physician's office in Dothan, around September 2013. Although Flowers's laboratory commonly tested blood samples taken by local clinics, there is no evidence in the record that the lab did blood work for West Main. Moreover, Patti Hatcher, the Hospital's Compliance and Privacy Officer at the time of the data breach, testified by affidavit that Mr. Smith "had not been a reference lab patient, and therefore had no records in the filing cabinets from which Millender stole records." (Doc. # 74-1 at 3.) Mr. Smith has also received care at Flowers Hospital, but has not been a patient there since the 1990s.

In the spring of 2014, Mr. Smith learned from the IRS that a fraudulent tax return had been filed in his name. Mr. Smith claims that he incurred accounting expenses and suffered emotional distress as a result of the identity theft. He did not receive the NPP.

2. Julie S. McGee

Julie McGee had blood drawn in 2012 by Flowers and on January 7, 2014, by Dr. James Butler, a Flowers affiliate; she was also admitted to Flowers as a hospital patient on November 29, 2007. The Hospital has controverted this testimony: In her affidavit, Ms. Hatcher claims that Ms. McGee "had not been a reference lab patient, and therefore had no records in the filing cabinets from which Millender stole records." (Doc. # 74-1 at 3.)

In April 2014, the McGees' tax preparer...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT