Statee., Inc. v. Hammer ex rel. Situated

• Decision Date: 19 November 2021
• Docket Number: No. 21-0095,21-0095
• Citation: 866 S.E.2d 187
• Parties: STATE of West Virginia EX REL. WEST VIRGINIA UNIVERSITY HOSPITALS – EAST, INC., Doing Business as Berkeley Medical Center; City Hospital, Inc., Doing Business as Berkeley Medical Center; and the Charles Town General Hospital, Doing Business as Jefferson Medical Center, Defendants Below, Petitioners v. The Honorable David M. HAMMER, Judge of the Circuit Court of Jefferson County, and Deborah S. Welch and Eugene A. Roman, Individually, and on Behalf of All Others Similarly Situated, Plaintiffs Below, Respondents
• Court: West Virginia Supreme Court

866 S.E.2d 187

STATE of West Virginia EX REL. WEST VIRGINIA UNIVERSITY HOSPITALS – EAST, INC., Doing Business as Berkeley Medical Center; City Hospital, Inc., Doing Business as Berkeley Medical Center; and the Charles Town General Hospital, Doing Business as Jefferson Medical Center, Defendants Below, Petitioners

v.The Honorable David M. HAMMER, Judge of the Circuit Court of Jefferson County, and Deborah S. Welch and Eugene A. Roman, Individually, and on Behalf of All Others Similarly Situated, Plaintiffs Below, Respondents

No. 21-0095

Supreme Court of Appeals of West Virginia.

Submitted: September 28, 2021

Filed: November 19, 2021

Marc E. Williams, Robert L. Massie, Thomas M. Hancock, Nelson Mullins Riley & Scarborough, LLP, Huntington, West Virginia, Attorneys for the Petitioners.

Troy N. Giatras, Matthew Stonestreet, The Giatras Law Firm, PLLC, Charleston, West Virginia, Attorneys for the Respondents.

Jenkins, Chief Justice:

In this original jurisdiction proceeding, petitioners, West Virginia University Hospitals – East, Inc., doing business as Berkeley Medical Center; City Hospital, Inc., doing business as Berkeley Medical Center; and the Charles Town General Hospital, doing business as Jefferson Medical Center (collectively "Hospitals"), seek a writ of prohibition to prohibit the Circuit Court of Jefferson County from enforcing its order granting class certification in the underlying civil action filed by the respondents, Deborah S. Welch ("Ms. Welch") and Eugene A. Roman ("Mr. Roman") (collectively "Welch and Roman"). The underlying suit arose after an employee of Hospitals misappropriated the private information of certain patients from Hospitals’ medical records during the course of performing her authorized job duties. Welch and Roman successfully certified a class of approximately 7,445 individuals, which represented every medical record accessed by the employee during the relevant period of her employment. Hospitals argue that the class representatives lack standing because they have suffered no injury-in-fact from the employee's legitimate access to their confidential records. We agree with respect to Ms. Welch, and, based upon our finding that she has suffered no injury-in-fact, we conclude that she lacks standing to bring the claims asserted in this matter. Hospitals additionally argue that certain prerequisites to class certification were not met in this case. We address this issue only as to Mr. Roman and the subclass of 109 individuals he represents and find that the circuit court failed to provide a thorough analysis of the typicality prerequisite in light of Mr. Roman's circumstances and claims. Accordingly, after considering the briefs and oral arguments of the parties, and the appendix record for this matter, we grant the requested writ and prohibit the circuit court from enforcing its order of December 23, 2020, granting class certification. We remand this case for additional proceedings consistent with this opinion.

I.FACTUAL AND PROCEDURAL HISTORY

These facts are gleaned primarily from the circuit court's findings of fact contained in its order granting class certification. Angela Roberts ("Ms. Roberts") was hired in February 2014 to work as a registration specialist at the Berkeley Medical Center and the Jefferson Medical Center. Ms. Roberts's duties as a registration specialist involved assisting patients in scheduling their appointments with medical providers at Hospitals, which required her to access the patients’ protected health information that was stored in Hospitals’ electronic record system. Accordingly, Hospitals created a profile for Ms. Roberts giving her limited, role-based access to the patient information necessary for her job duties.

In March of 2016, two years after commencing her employment, Ms. Roberts began a romantic relationship with Ajarhi "Wayne" Roberts ("Mr. Roberts").¹ Mr. Roberts purportedly convinced Ms. Roberts to use her position as a registration specialist for Hospitals to steal personal information from patient files so that he could use the information in attempting to commit bank and credit card fraud. As related by the circuit court, to obtain this information without being detected by Hospitals, "Ms. Roberts’ modus operandi was to wait until a patient contacted her and then she would legitimately access the patient's records to perform her job duties." (Second emphasis added). While viewing the patient record for the legitimate purposes of her job duties, as she was authorized to do, "she simultaneously ‘cased’ those same records to ascertain whether that patient might also be a lucrative target of her identity theft conspiracy with Mr. Roberts." When she determined that a particular patient was a "lucrative target," she would write down the patient's private information on a slip of paper or print a copy of the patient's driver's license. Ms. Roberts would then provide the private information she stole to Mr. Roberts.

In December 2016, law enforcement officers conducted a search of Mr. Roberts's home; during the search, slips of paper transcribed by Ms. Roberts and printed copies of patients’ driver's licenses were found. Ultimately, private information relating to 113 individuals, including Mr. Roman, was found in Mr. Roberts's home.² Ms. Welch's information was not found in Mr. Roberts's home.

After Hospitals became aware of the criminal investigation, they examined every record accessed by Ms. Roberts since the beginning of her relationship with Mr. Roberts. Hospitals determined that, as part of her job duties, Ms. Roberts legitimately accessed the data of approximately 7,445 patients between March 2016, when her relationship with Mr. Roberts began, and January 2017, when Hospitals became aware of Ms. Roberts's misconduct.³ Hospitals then sent one of two form letters to each of the patients⁴ whose records had been accessed by Ms. Roberts. The majority of those individuals received a letter, apparently dated February 23, 2017, advising them that, although

the criminal investigation is still ongoing, the authorities have confirmed that 113 of the 7,445 individuals are victims of identity theft to date. While you are not one of those individuals whose identity was stolen, and we do not have confirmation that your personal information was taken, we are notifying you in an abundance of caution. This letter is to provide you additional details regarding the incident and to provide you with protective measures and assistance from identity theft experts.

(Emphasis added). In addition, Hospitals advised this group that

To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year. Kroll is a global leader in risk mitigation and response, and its team has extensive experience helping people who have sustained an unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, Web Watcher, Fraud Consultation, and Identity Theft Restoration.

Patients whose information was found in Mr. Roberts's apartment received a similar letter, which stated in relevant part,

While the criminal investigation is still ongoing, the authorities have confirmed that 113 of the 7,445 individuals are victims of identity theft to date. Unfortunately, you are one of those individuals, it is our understanding that you have already been made aware of this investigation by the FBI and/or local law enforcement authorities. This letter is sent in follow up, to provide you additional details regarding the incident and to provide you with protective measures and assistance from identity theft experts.

More specifically, the police found copies of drivers’ licenses with photos, 1D cards, Insurance cards, and/or Social Security cards in the possession of the perpetrator, including in some instances copies of documents containing patient signatures. We have confirmed that your name, address, date of birth, Social Security number, drivers’ license number, ID cards and numbers, and other data connecting family members to each other in some instances, was likely compromised. Unfortunately, the former employee had access to this information as part of employment as an Authorization/Prescheduling Coordinator, so criminal conduct could not be detected as part of UH's routine IT/privacy security checks. We have been able to track the former employee's system access and have determined further that the employee, in some instances, viewed physician orders containing diagnoses and other medical information.

....

To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year ....

(Emphasis added).

Thereafter, in February 2019, Ms. Welch, individually and on behalf of all others similarly situated, filed a complaint against Hospitals. In March 2020, an amended complaint was filed that added Mr. Roman as a named plaintiff, also individually and on behalf of all others similarly situated. The amended complaint alleged the following claims: Breach of the Duty of Confidentiality; Unjust Enrichment (by receiving payment from plaintiffs to perform services that included protecting plaintiffs’ sensitive information and failing to protect the same); Negligence (by failing to protect the confidentiality of personal and private information); Breach of Contract, Expressed and Implied (written services contract promised plaintiffs that defendant would only disclose health information when required to do so by law and promised to protect plaintiffs’ sensitive information); Negligent Supervision (by failing to ensure staff, employees, and others having access to customers’ sensitive information received adequate training, experience, and supervision in protecting sensitive information); Negligence (breach of duty of reasonable care in protecting the confidentiality of...