From Casetext: Smarter Legal Research

Attias v. Carefirst, Inc.

United States District Court, District of Columbia
Mar 29, 2024
15-cv-882 (CRC) (D.D.C. Mar. 29, 2024)

Opinion

15-cv-882 (CRC)

03-29-2024

CHANTAL ATTIAS, et al., Plaintiffs, v. CAREFIRST, INC., et al., Defendants.


MEMORANDUM OPINION AND ORDER

CHRISTOPHER R. COOPER, UNITED STATES DISTRICT JUDGE.

After Washington, D.C.-area health insurance company CareFirst, Inc. suffered a data breach in 2014, seven policyholders brought this putative class action lawsuit, alleging claims for breach of contract and violations of the Consumer Protection Acts of Maryland and Virginia. Following years of back-and-forth litigation, in 2022, Plaintiffs moved to certify three classes- one for each of those causes of action-under Federal Rule of Civil Procedure 23. In a March 2023 opinion, the Court concluded that Plaintiffs had satisfied the Rule 23(a) prerequisites to class certification and Rule 23(b)(3)'s superiority requirement. At the final step, though, the Court found that Plaintiffs had not carried their burden on the predominance requirement because it was uncertain whether all (or even most) putative class members had suffered a concrete injury under the Supreme Court's then-recent decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021). The Court accordingly denied the motion for class certification without prejudice so Plaintiffs could file a renewed motion addressing this potential impediment. Plaintiffs accepted that invitation two months later by filing the present motion to certify all three classes.

Since then, much has changed. Later last year, the Court partially granted CareFirst's motion for summary judgment and dismissed the claims under both the Maryland and Virginia consumer-protection statutes. By contrast, the Court denied summary judgment on Plaintiffs' breach of contract claim. But, in doing so, the Court found that the named Plaintiffs' recovery on this score was almost certainly cabined to nominal damages because they could not show that the purloined personal data had caused any form of identity theft and because, under D.C. law, mitigation expenses incurred to abate the risk of future fraud do not qualify as actual damages.

That summary-judgment decision has altered the analysis for Plaintiffs' renewed motion for class certification. Namely, the pending motion is now moot as it pertains to the dismissed statutory consumer-protection claims, and the sole question remaining is whether to certify the proposed contract class even though any recovery would almost certainly be limited to nominal damages.

After careful consideration and a hearing on the matter, the Court finds that certification of the proposed contract class is warranted. The standing issue that prevented the Court from certifying the last go around has since dissolved because, as all sides agree, each member of the proposed class has allegedly suffered a concrete injury based on CareFirst's supposed breach of its contractual obligation to safeguard its customers' data-regardless of whether they sustained an additional, tangible injury due to the data breach. And while class-wide recovery may well be limited to nominal damages, the Court finds that this factor alone does not override all other Rule 23 considerations cutting sharply in favor of certification.

I. Background

The Court has described the procedural and legal background across several opinions in this long-running case already, so it provides only a summary of the relevant details here. See Attias v. CareFirst, Inc. (Attias I), 199 F.Supp.3d 193 (D.D.C. 2016); Attias v. CareFirst, Inc. (Attias II), 365 F.Supp.3d 1 (D.D.C. 2019); Attias v. CareFirst, Inc. (Attias III), 518 F.Supp.3d 43 (D.D.C. 2021); Attias v. CareFirst, Inc. (Attias IV), 344 F.R.D. 38 (D.D.C. 2023); Attias v. CareFirst, Inc. (Attias V), No. 15-cv-882 (CRC), 2023 WL 5952052 (D.D.C. Sept. 13, 2023).

Plaintiffs are residents of the District of Columbia, Maryland, and Virginia who were customers and insureds of Defendant CareFirst, Inc., which offers health insurance to more than one million individuals in those States. See Attias IV, 344 F.R.D. at 42. In April 2014, hackers infiltrated CareFirst's internal data system by installing a backdoor to the system using a link in an email designed to resemble one from a company employee distributing a software update. Id. Although CareFirst initially identified this “spear phishing” email as a fake and took some precautionary measures to limit any data exposure, one CareFirst employee followed the link provided in the email, downloaded the hackers' backdoor, and unwittingly gave them access to certain of CareFirst's systems. Id. As a result of the data breach, hackers accessed the following information from individual CareFirst customers: first and last (and sometimes middle) names, subscriber ID numbers, dates of birth, email addresses, and usernames used to log into CareFirst's online member portal. Id. Plaintiffs' complaint initially alleged that hackers also obtained more sensitive personally identifying information, such as social security numbers and credit card numbers, but they later abandoned that unsupported contention. Id. After it learned of the extent of the data breach, in May 2015, CareFirst sent breach notification letters to all affected customers and offered them two free years of credit monitoring and identity-theft protection through Experian's ProtectMylD Alert service. Id. at 42-43.

A month later, in June 2015, Plaintiffs initiated this putative class action and filed an amended complaint in July 2015. Id. at 43. The complaint alleged several causes of action stemming from CareFirst's handling of the data breach, including breach of contract and violations of the Maryland and Virginia Consumer Protection Acts (“MCPA” and “VCPA”). SAC at 18-19; id. ¶¶ 100-16. Along with an increased risk of identity theft, the complaint alleged that Plaintiffs and CareFirst policyholders similarly situated to them “have or will have to spend significant time and money to protect themselves” from the risk of identity theft, including “the cost of responding to the data breach, the cost of acquiring identity theft protection and monitoring, cost of conducting a damage assessment, mitigation costs,” and the like. Id. ¶¶ 1719.

In 2016, the Court dismissed all claims for lack of standing, explaining that Plaintiffs' theory of injury was too speculative. See Attias I, 199 F.Supp.3d at 199-203. The D.C. Circuit reversed. See Attias v. CareFirst, Inc, 865 F.3d 620 (D.C. Cir. 2017). Specifically, the Circuit held that Plaintiffs had pleaded “a substantial risk of identity theft as a result of CareFirst's alleged negligence in the data breach.” Id. at 627-29. Although premised partially on Plaintiffs' allegations that the data breach “exposed customers' social security and credit card numbers,” the Circuit also observed that the theft of members' names, birth dates, email addresses, and subscriber identification information alone created a risk of “‘medical identity theft' in which a fraudster impersonates the victim and obtains medical services in her name.” Id. at 628.

On remand, CareFirst filed a motion to dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). This Court initially concluded that all of the named Plaintiffs save two-Kurt and Connie Tringler of Maryland-had failed to allege “actual damages” necessary for their breach of contract and consumer protection claims and therefore dismissed the complaint as to all Plaintiffs except the Tringlers. Attias III, 365 F.Supp.3d at 8-17, 27. In doing so, the Court held that Plaintiffs' allegations that they had expended resources to mitigate the threat that leaked data may be misused was not cognizable under the D.C. Court of Appeals' decision in Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702, 708 (D.C. 2009). See id. at 13-16. It also rejected Plaintiffs' other theories of actual damages, including that they had lost the benefit of their contractual bargain and suffered emotional harm as a result of the data breach. See id. at 11-17.

Upon Plaintiffs' motion for reconsideration, however, the Court revived those claims as to all Plaintiffs. See Attias III, 518 F.Supp.3d at 51-57. With respect to the breach of contract claim, the Court observed that, though there is some D.C. Court of Appeals authority suggesting that actual damages are required for a prima facie contract claim, other authority, which had not been provided to the Court previously, holds that “‘[e]ven where monetary damages cannot be proved' the prevailing party may be entitled to nominal damages, specific performance, or declaratory relief.” Id. at 52 (quoting Wright v. Allen, 60 A.3d 749, 753 & n.3 (D.C. 2013)). But, once again, the Court rejected Plaintiffs' argument that money spent to mitigate against potential future identity theft or fraud constitute “actual damages” under D.C. law. See id. at 5255. With respect to Plaintiffs' MCPA and VCPA claims, after noting that no court in either Maryland or Virginia had “addressed whether expenses incurred to mitigate the risk of future identity theft qualify as ‘actual damages' absent any actual misuse of the plaintiff's exposed data,” the Court surveyed each State's case law and concluded that, without any binding authority to the contrary from either State, it would treat mitigation expenses as actual damages sufficient to state MCPA and VCPA claims. Id. at 55-57.

Plaintiffs then moved to certify three classes under Federal Rule of Civil Procedure 23. See Attias IV, 344 F.R.D. at 43. First, Plaintiffs sought to certify a Contract Class composed of “all CareFirst members residing in the District of Columbia, Maryland, and Virginia whose personally identifiable information, personal health information, sensitive personal information, and other financial information was breached as a result of the CareFirst data breach.” Id. Second, they also moved to certify two separate classes-the Maryland Consumer Class and Virginia Consumer Class-consisting respectively of Maryland and Virginia CareFirst members whose information was exposed as a result of the data breach. Id.

The Court denied the motion for class certification, without prejudice to renewal, in March 2023. Id. Ticking through the Rule 23(a) factors, the Court found that Plaintiffs satisfied all the prerequisites to class certification: (1) the proposed class of over one million customers far surpassed the numerosity threshold; (2) the case presented several common questions of law and fact, such as whether CareFirst breached an express or implied term of its agreements with its insureds to safeguard their data, that are well suited for class-wide resolution; (3) typicality was easily satisfied because the named Plaintiffs, like all class members, are CareFirst customers whose confidential information was allegedly compromised in the same data breach; (4) there was no reason to question that the named Plaintiffs would be adequate representatives; and (5) to the extent Rule 23 contains an implied ascertainability requirement, it was clearly met because the membership of the class has already been identified by virtue of the data breach notice letters that the company mailed to its customers. See id. at 48-52. Turning to Rule 23(b)(3), the Court also determined that class treatment would be “superior to other available methods for fairly and efficiently adjudicating the controversy” because the low damage estimates made it unlikely that anyone would pursue these claims individually. Id. at 56 (quoting Fed.R.Civ.P. 23(b)(3)).

Yet the motion for class certification hit a snag when it came to the other Rule 23(b)(3) factor: predominance. In particular, the Court had “serious concerns about whether common issues [would] predominate over individual inquires in this case . . . in light of the Supreme Court's recent decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), which held that a risk of future harm standing alone does not constitute a concrete Article III injury in damages actions.” Id. at 42.

TransUnion involved a class-action suit against the namesake credit reporting agency for allegedly violating the Fair Credit Reporting Act (“FCRA”) by, among other things, erroneously including an alert for creditors that class members were linked to a Treasury Department terrorist database. 594 U.S. at 418-22. While TransUnion had distributed this inaccurate credit file for the named plaintiff, Sergio Ramirez, that was not true of the entire class. Rather, the parties had stipulated before trial that of the 8,185 consumers with erroneous designations, only 1,853 had their credit reports disseminated to potential creditors during the class period. Id. at 421. For the 6,332 others, TransUnion maintained internal credit files mistakenly listing them as security threats but never actually disseminated those erroneous reports. Id. at 433. That sizeable segment of the class lacked Article III standing, the Supreme Court held, because those individuals had not suffered a “concrete harm.” Id. at 442. Building on its prior decision in Spokeo Inc. v. Robins, 578 U.S. 330 (2016), the Supreme Court explained that “history and tradition offer a meaningful guide to the types of cases that Article III empowers federal courts to consider.” TransUnion, 594 U.S. at 424 (citation omitted). Following those north stars, it cautioned that the mere violation of a new statutory right is not always enough to gain access to federal court. Instead, courts must “assess whether the alleged injury to the plaintiff has a ‘close relationship' to a harm ‘traditionally' recognized as providing a basis for a lawsuit in American courts. That inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.” Id. (quoting Spokeo, 578 U.S. at 341). Under that inquiry, the Supreme Court concluded that the 6,332 class members whose inaccurate reports were not shared had not suffered a concrete injury under Article III, even though their statutory rights under the FCRA had been violated, because there was no evidence that they “were independently harmed by their exposure to the risk” that the false information about them could have been circulated. Id. at 437.

Though neither party had addressed standing, the Court suspected that the proposed classes may impermissibly sweep in large numbers of uninjured customers who had suffered no tangible injury from the CareFirst data breach and, as a result, flunk TransUnion's test. It first noted that, following TransUnion, some courts had held “that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms”-such as emotional distress caused by the knowledge of the risk of identity theft or expenditure of “money on mitigation measures like credit monitoring services.” Clemens v. ExecuPharm Inc., 48 F.4th 146, 155-56 (3d Cir. 2022). Applying that standard here, the Court found that the named Plaintiffs had demonstrated their standing by providing evidence that they had experienced some “separate concrete harm” beyond the data breach. Attias IV, 344 F.R.D. at 47-48 (quoting TransUnion, 594 U.S. at 436). Some named Plaintiffs had spent “time or money undertaking at least some mitigating measures after the CareFirst breach to prevent potential fraud.” Id. at 47. Others, “although they did not pay for identity theft monitoring services out of pocket, took the time to enroll in the free service offered by CareFirst or spent some amount of time talking with their financial institutions about possible fraud.” Id. That sufficed for Article III standing, even under TransUnion. Yet it was doubtful that the same was true for the entire proposed class, which contained “all CareFirst customers in the District of Columbia, Maryland, and Virginia whose personal information was put at risk in the data breach . . . regardless of whether those customers [had] taken any steps to mitigate their potential exposure to identity or medical fraud.” Id. at 53. A more individualized inquiry may be needed, the Court feared, to suss out which putative class members had spent time or money on mitigation measures in response to the CareFirst data breach. Id. at 53-54. For that reason, the Court could “not conclude that the common issues predominate over individualized inquiries, at least as the class[es] [were] currently defined.” Id. at 55. Because neither party had grappled with standing in their briefing, though, the Court denied the motion without prejudice, permitting Plaintiffs to file a renewed motion for class certification to address these concerns and, if needed, refine their proposed classes. Id. at 57.

With the parties' returning to the drawing board on class certification, the Court moved forward with CareFirst's motion for summary judgment. In a September 2023 opinion, the Court granted summary judgment to CareFirst on the two statutory claims because Plaintiffs failed to show a triable issue of fact on reliance on any misrepresentation, as required under the MCPA, and because CareFirst fell within a statutory exemption of the VCPA for insurance companies regulated by Virginia's corporation commission. See Attias V, 2023 WL 5952052, at *15-21. By contrast, it denied summary judgment on Plaintiffs' common-law breach of contract claim. “Although the evidence on which Plaintiffs rely is thin,” the Court found “that a reasonable jury could conclude that CareFirst breached an implied promise to take reasonable steps to safeguard their personal information.” Id. at *1; see id. at *3-15. It also rejected CareFirst's argument that, even if Plaintiffs had raised a triable issue on liability, the Court should nonetheless dismiss the claim because Plaintiffs cannot show actual damages. Id. at *13-15. While recognizing that “recovery is almost certainly limited to nominal damages,” id. at *15, the Court reiterated its holding in Attias III that, under D.C. law, Plaintiffs are entitled to pursue their contract claim “on the theory that a prevailing party might be eligible for nominal damages, even if actual monetary damages cannot be proved and even if Plaintiffs' costs associated with mitigating the risk of identity theft do not constitute actual damages,” id. at *13. As a result, the case was pared back to one claim: a breach of contract claim that was likely limited to nominal damages.

With summary judgment in the rearview, the Court now circles back to the Plaintiffs' renewed motion for class certification. But this return visit only proves the adage that no man ever steps into the same river twice. Since its last foray into certification, the Court's intervening summary-judgment ruling has shifted the analysis in meaningful ways. No longer does the Court have to decide whether the Plaintiffs have standing to vindicate rights under the MCPA and VCPA because those statutory claims have been dismissed and only the breach of contract claim survives. Yet this trimmed set of claims raises new questions: Does the alleged breach of contract alone supply all putative class members with a concrete injury allowing them to pursue their contract claim in federal court? And, if so, should the Court certify a class when recovery will almost certainly be limited to nominal damages? Having considered the parties' briefs and held a hearing on the matter, the Court will answer these questions of first impression.

II. Legal Standards

The party seeking certification of a class under Rule 23 “bears the burden of persuasion, and must show that the putative classes meet the requirements of Rule 23 by a preponderance of the evidence.” Garnett v. Zeilinger, 301 F.Supp.3d 199, 204 (D.D.C. 2018) (Cooper, J.). To meet that burden, the moving party “must first meet the four requirements set forth in Rule 23(a),” which permits class certification only if “(1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class.” Hoyte v. District of Columbia, 325 F.R.D. 485, 489 (D.D.C. 2017) (Cooper, J.) (quoting Fed.R.Civ.P. 23(a)). “Additionally, some courts have imposed an ‘implied' fifth requirement that the class be adequately defined and clearly ascertainable-the purpose of which is to ‘require[] plaintiffs to be able to establish that the general outlines of the membership of the class are determinable at the outset of litigation.'” Id. (quoting Thorpe v. District of Columbia, 303 F.R.D. 120, 139 (D.D.C. 2014)).

In addition to satisfying the Rule 23(a) prerequisites to class certification, the moving party must “then choose a type of class action under Rule 23(b) and meet the requirements of that class type as well.” Id. at 491. Where, as here, a party seeks to certify a class under Rule 23(b)(3), the Court must find that the party has satisfied both predominance and superiority requirements, that is, “that the questions of law or fact common to class members predominate over any questions affecting only individual members” and “that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3).

III. Analysis

A. Standing

The sole impediment to certifying the proposed classes the prior time around was uncertainty over which putative members had Article III standing under TransUnion. That doubt has now dissipated. After summary judgment, the two statutory consumer-protection claims have been clipped from the case, leaving only a breach of contract claim. And on this one remaining claim, both sides agree: Even under TransUnion, all putative class members have Article III standing to pursue a common-law contract claim. See Hearing Tr. at 18-23. Such consensus does not end the inquiry because the Court has an “affirmative obligation to ensure that it is acting within the scope of its jurisdictional authority.” Grand Lodge of Fraternal Order of Policy v. Ashcroft, 185 F.Supp.2d 9, 13 (D.D.C. 2001) (citation omitted). After taking a look for itself, though, the Court concurs that standing is no barrier to certifying the contract class because the purported breach of contract is a concrete injury, redressable through nominal damages.

The law in this domain is, admittedly, somewhat unsettled. Before TransUnion, courts in other jurisdictions had come to conflicting conclusions about whether the breach of a contractual obligation to safeguard data sufficed as a concrete injury for Article III purposes. Those fissures existed even among courts within the same jurisdiction. Compare In re Google Referrer Header Priv. Litig., 465 F.Supp.3d 999, 1010-11 (N.D. Cal. 2020) (finding breach of contract sufficed), with Opperman v. Path, Inc., 84 F.Supp.3d 962, 990-91 (N.D. Cal. 2015) (requiring a tangible injury). In this jurisdiction, the D.C. Circuit embraced the position that a breach of contract is itself a concrete injury in Alston v. Flagstar Bank, FSB, 609 Fed.Appx. 2 (D.C. Cir. 2015). After rejecting the plaintiff's contention that damages incurred during litigation could be an Article III injury, the D.C. Circuit resolved that the plaintiff nonetheless had “standing to pursue [his] breach of contract claim, even though he ha[d] neither suffered nor proved actual damages and could recover only nominal damages at [that] time.” Id. at 3. “Under D.C. law,” the Circuit held, “a breach of contract claim accrues at the moment of breach because ‘[n]ominal damages at least can be recovered immediately upon the happening of the breach.'” Id. (quoting Wright, 60 A.3d at 753). “Thus the injury, for standing purposes, is the breach itself, and nominal damages suffice to state a claim under D.C. contract law.” Id.

Before this case was pared down, neither this Court nor the D.C. Circuit addressed the possibility that a contractual breach itself might constitute a concrete injury capable of sustaining the contract claim-primarily because Plaintiffs never raised this argument and instead relied on various other theories of standing. See, e.g., Attias III, 365 F.Supp.3d at 11-17.

Judges in other circuits tended to agree. Perhaps the most fulsome treatment of the matter came in the form of a concurrence, penned by Sixth Circuit Judge Amul Thapar, in Springer v. Cleveland Clinic Employee Health Plan Total Care, 900 F.3d 284 (6th Cir. 2018). “In discussing standing,” Judge Thapar began, “courts (and litigants) often lose sight of the first principles that animate the doctrine.” Id. at 290 (Thapar, J., concurring). The basic principle undergirding standing doctrine, he reasoned, is to limit the judicial power to “cases” or “controversies” in order to avoid having the federal courts ensnared in pitched political battles over the enforcement of public rights. Id. “In order for a dispute to be a case or controversy, the party bringing the claim must have standing, or, in other words, they must be the appropriate party to file suit,” which is easily satisfied “if a party brings a claim to vindicate their private rights.” Id. (emphasis in original). To determine whether a party is vindicating a private right, he reasoned, courts must “look back to the rights that common law courts allowed private litigants to enforce. And in cases ranging from assault to trespass to slander, there was no question that private litigants could vindicate their rights before a court.” Id. at 291 (citation omitted). “This was true regardless of whether a violation of the private right caused a concrete or particularized harm-the violation alone was enough to justify a judicial remedy.” Id. On this point, one need look no further than the core proclamation of Marbury v. Madison: “[I]t is a general and indisputable rule, that where there is a legal right, there is also a legal remedy by suit or action at law, whenever that right is invaded.” 5 U.S. (1 Cranch) 137, 163 (1803) (quoting 3 Blackstone, Commentaries *23)). A breach of contract alone, Judge Thapar thereby concluded, is a concrete injury under Article III even absent evidence of actual damages. See id. at 292.

Other circuits reached the same result. In Katz v. Pershing, LLC, for example, the First Circuit held that the “invasion of a common-law right (including a right conferred by contract) can constitute an injury sufficient to create standing.” 672 F.3d 64, 72 (1st Cir. 2012). Some circuits took a different tack, however, searching for a tangible harm in addition to the alleged contractual breach while not addressing the possibility that the breach itself could be the injury. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692-96 (7th Cir. 2015).

Then came TransUnion. As discussed above, the decision in TransUnion centered on the maxim “no concrete harm, no standing.” 594 U.S. at 442. But “what makes a harm concrete for purposes of Article III?” Id. at 424. History and tradition supply the answer, the Supreme Court explained:

As a general matter, . . . history and tradition offer a meaningful guide to the types of cases that Article III empowers federal courts to consider. And with respect to the concrete-harm requirement in particular, . . . Spokeo v. Robins indicated that courts should assess whether the alleged injury to the plaintiff has a “close relationship” to a harm “traditionally” recognized as providing a basis for a lawsuit in American courts. That inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury. Spokeo does not require an exact duplicate in American history and tradition. But Spokeo is not an open-ended invitation for federal courts to loosen Article III based on contemporary, evolving beliefs about what kinds of suits should be heard in federal courts. As Spokeo explained, certain harms readily qualify as concrete injuries under Article III. The most obvious are traditional tangible harms, such as physical harms and monetary harms. If a defendant has caused physical or monetary injury to the plaintiff, the plaintiff has suffered a concrete injury in fact under Article III. Various intangible harms can also be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion. And those traditional harms may also include harms specified by the Constitution itself.
Id. at 424-25 (cleaned up). In short, an Article III injury can be based either on tangible harms (such as pocketbook injuries) or certain intangible harms that have some analogue to commonlaw or constitutional injuries that traditionally provided a basis to sue in American courts. This traditional-analogue requirement preserves the proper separation of powers, the Supreme Court explained, by constraining Congress's ability to elevate new injuries and, in turn, drag federal courts into disputes that fall outside their domain and are better left to the political branches. See id. at 422-24.

In TransUnion's wake, the circuits have splintered on whether an alleged breach of contract alone is a concrete injury that can support a lawsuit in federal court. The Fifth Circuit has embraced the position, previously adopted by the D.C. Circuit in Alston, that a contractual breach is all that's required to pursue a contract claim. See Denning v. Bond Pharmacy, Inc., 50 F.4th 445, 451 (5th Cir. 2022). The Seventh Circuit (and possibly the Ninth Circuit) have taken a different view, broadly construing TransUnion for the principle that a pure legal injury is not an injury-in-fact under Article III and requiring some tangible harm resulting from the breach. See Dinerstein v. Google, LLC, 73 F.4th 502, 518-522 (7th Cir. 2023); Perry v. Newsom, 18 F.4th 622, 632 (9th Cir. 2021) (rejecting the analogy to contract law when seeking to enforce a judge's promise to release trial recordings); but see id. at 640 (Ikuta, J., dissenting) (“[T]he breach of a contract or binding promise is an injury traditionally recognized as a violation of a private right, whether or not the injured party suffers economic or other damage.”). Others have recognized the split but, so far, avoided throwing their hats into the ring. See Glennborough Homeowners Ass'n v. U.S. Postal Serv., 21 F.4th 410, 415-16 (6th Cir. 2021) (noting the “breach of a contract between two private parties, standing alone, may suffice as an injury for purposes of constitutional standing” but then commenting it “need not resolve [that] thorny question[] today”); Clemens v. ExecuPharm Inc., 48 F.4th 146, 156 n.6 (3d Cir. 2022) (“Because Clemens has alleged an injury separate and apart from the breach of contract itself, we have no occasion to reach her additional argument that the breach of contract alone is a sufficiently imminent and concrete injury that confers standing for her to raise her contract claims.”); see id. at 1661 (Phipps, J., concurring) (“The claims that Clemens pursues here-for negligence, breach of contract, breach of confidence, and breach of fiduciary duty-are traditional causes of action that were recognized as well suited for judicial resolution at the time of the Constitution's adoption. She therefore has standing.” (footnote omitted)).

Taking stock, the Court thinks the Fifth Circuit has the better reading of TransUnion. TransUnion held that the violation of a new statutory right is not necessarily a concrete injury-in-fact under Article III, but that holding should not be taken out of context. At the same time, the Supreme Court also made clear that the alleged injury need not be tangible, as American courts from time immemorial have allowed parties to vindicate certain intangible common-law and constitutional rights. The touchstone of the Article III standing inquiry, then, is not whether the harm is tangible but “whether the alleged injury to the plaintiff has a ‘close relationship' to a harm ‘traditionally' recognized as providing a basis for a lawsuit in American courts.” 594 U.S. at 525 (quoting Spokeo, 578 U.S. at 341). No analogue is even required here, however, because American courts dating back to the Founding have permitted plaintiffs to bring suit based on the exact injury Plaintiffs have alleged: a breach of contract. That was true regardless of whether the plaintiff incurred actual damages or, as here, sought to recover only nominal damages. All the same, the breach of a contractual obligation to perform some duty has always been understood as a concrete injury that enables the aggrieved contracting party to proceed in an American court.

Another case from the same Term as TransUnion proves the point. In Uzuegbunam v. Preczewski, the Supreme Court held that nominal damages suffice for redressability purposes because American courts always have recognized that plaintiffs may pursue constitutional or common-law causes of action even when their only redress is the symbolic award of nominal relief. 141 S.Ct. 792 (2021). “[E]very violation imports damage,” Justice Joseph Story wrote, so “[t]he law tolerates no farther inquiry than whether there has been the violation of a right.” Id. at 799 (quoting Webb v. Portland Mfg. Co., 29 F. Cas. 506, 508-509 (No. 17,322) (CC Me. 1838). Contemporary jurists agreed, proclaiming that “[t]he principle that every injury legally imports damage [is] decisively settled.” Id. (quoting Parker v. Griswold, 17 Conn. *288, *304-06 (1845)). That core principle applied to “every legal injury” cognizable at common law- including, of course, breach of contract. Id. at 798 (emphasis in original) (citing Dods v. Evans, 15 C.B.N.S. 621, 624, 627, 143 Eng. Rep. 929, 930-931 (C.P. 1864), which awarded nominal damages for a breach of contract). Uzuegbunam may have been trained on redressability, but its analysis applies with equal force here: History shows that parties long have been able to sue in Anglo-American courts based on an alleged contractual breach, regardless of whether they have suffered actual damages as a result. TransUnion's test is therefore satisfied here.

The Seventh Circuit in Dinerstein reached the opposite result because, in part, it read the Supreme Court's decision in Thole v. U.S. Bank N.A., 140 S.Ct. 1615 (2020), to foreclose the possibility that a breach of contract, absent some ensuing tangible harm, can satisfy Article III's injury-in-fact requirement. 73 F.4th at 520-21. That reasoning stretches Thole's limited holding too far, however. Thole dealt with a distinct issue of when participants in a defined-benefit plan can sue for an alleged breach of duties of loyalty and prudence under the Employee Retirement Income Security Act (“ERISA”), 88 Stat. 829, as amended, 29 U.S.C. § 1001 et seq. Facing that specific question, the Supreme Court held that the beneficiaries there lacked standing based on the theory that their retirement plan was, in their view, mismanaging assets because an actual breach of their entitlements under the plan would not occur until they did not receive required payments and the increased risk that the plan-and, in turn, the employers who are on the hook for any shortfalls-would be unable to pay their future benefits was too speculative for standing purposes. See 140 S.Ct. at 1619-22. That is far removed from the situation here, where Plaintiffs are suing at common law for an alleged breach of contract that already occurred.

Indeed, six Justices in Thole indicated that an actual breach of contract would suffice for Article III standing purposes. Concurring in the judgment, Justices Thomas and Gorsuch tracked Judge Thapar's framework, resolving that they “need only recognize that the private rights that were allegedly violated do not belong to petitioners under ERISA or any contract” but suggesting that the analysis would be different if the retirement plan had breached some contractual duty owed to the beneficiaries. Id. at 1623 (Thomas & Gorsuch, JJ., concurring). Going further, four dissenters wrote: “[I]t is well settled that breach of a contract to act diligently and skillfully provides a ground of action in federal court. It is also undisputed that a breach of contract always creates a right of action, even when no financial harm was caused. Petitioners would thus have standing[.]” Id. at 1630 (Sotomayor, Ginsburg, Breyer & Kagan, JJ., dissenting) (cleaned up). Thole accordingly did not resolve that a breach of contract, absent actual damages, is not a concrete injury. See Marks v. United States, 430 U.S. 188, 193 (1977) (holding that, in a fractured opinion, the narrowest ground controls). Rather, counting heads, the case lends more support to the opposite position.

The Seventh Circuit also relied on Professor Andrew Hessick's warning that the logic of Spokeo (and, by extension, TransUnion) suggests “a plaintiff should not have standing to sue for breach of contract if the breach does not result in some additional factual harm.” 73 F.4th at 519 (quoting F. Andrew Hessick, Standing and Contracts, 89 Geo. Wash.L.Rev. 298, 313 (2021)). Relying on Professor Hessick for this point is somewhat ironic considering he has criticized Spokeo and TransUnion on the ground that they were predicated on a misunderstanding of Article Ill's standing requirement. See generally F. Andrew Hessick, Standing, Injury in Fact, and Private Rights, 93 Cornell L. Rev. 275 (2008)). But, as is often the case, dissenting voices are “not the best source of legal advice on how to comply with the majority opinion.” Students for Fair Admissions, Inc. v. President & Fellows of Harvard Coll., 600 U.S. 181, 230 (2023). Professor Hessick's sense of Spokeo's spirit overlooks TransUnion's specific directive that courts turn to history to discern what was “‘traditionally' recognized as providing a basis for a lawsuit in American courts.” 594 U.S. at 525 (quoting Spokeo, 578 U.S. at 341). As other scholars have noted, the longstanding rule in America is that plaintiffs can pursue breach of contract claims without any evidence of damages because the breach itself unlocks the courthouse doors. See, e.g., Erwin Chemerinsky, What's Standing After TransUnion LLC v. Ramirez, 96 N.Y.U. L. Rev. 269, 273 (2021) (“Many different types of harms have been deemed sufficient to meet the injury requirement.... For example, injury to rights recognized at common law-property, contracts, and torts-always have been regarded as sufficient for standing purposes.”). That conclusion ends the inquiry.

The Court therefore finds that all putative class members have standing to pursue their breach of contract claim-thereby settling the one issue that prevented the Court from certifying the proposed class in the previous outing.

B. Class Certification

With the standing issue resolved in their favor, the Court finds that Plaintiffs have carried their burden of proving that certification of the proposed contract class is warranted.

To repeat, in its prior opinion, the Court concluded that Plaintiffs had satisfied all of the Rule 23(a) prerequisites for all three proposed classes, including the contract one, and met its burden under rule 23(b)(3) of showing that a class action is the superior mechanism for resolving this sprawling controversy. See Attias IV, 344 F.R.D. at 48-52, 56-57. The only impediment was the predominance requirement and, more precisely, the Court's concerns that individualized inquiries may be needed to prove each putative class member's standing to proceed in federal court. See id. at 52-56. But such concerns have gone by the wayside now that the claims have been whittled down to a contract claim for which, as discussed above, every putative class member has a concrete injury from the alleged breach of contract itself. With that issue resolved, there is little doubt that common issues about CareFirst's purported breach of its implied promise to take reasonable steps to safeguard its customers' personal information far outstrip any individualized inquiries that may be required. Predominance is thus moved squarely into Plaintiffs' column, completing their case on the Rule 23 criteria.

There is, of course, one other notable difference from the last time the Court addressed this matter: Whereas the Court previously confronted the possibility of certifying three different classes, with actual damages available for the MCPA and VCPA claims, Plaintiffs are now left with only a contract claim that offers slim prospects for meaningful monetary recovery. For the named Plaintiffs, the Court has held that their “recovery is almost certainly limited to nominal damages” because they cannot show that they suffered identity theft or tax fraud due to the data breach and because, under D.C. law, mitigation expenses are not actual damages. See Attias V, 2023 WL 5952052, at *13-15. Based on the type of information pilfered in the data breach- which included names, birth dates, email addresses, and subscriber identification but not Social Security numbers or any financial information-the Court has little doubt that the same will hold true for all other class members. See id. at *2. The question, then, is whether it makes sense to certify the contract class when nominal damages are likely the only form of recompense on the table. The Court finds that, in this case, it does.

Certification of classes for nominal damages is routine in the constitutional-tort sphere. See, e.g., Cummings v. Connell, 402 F.3d 936, 945-46 (9th Cir. 2005). Though some courts have balked at the prospect of certifying a class for nominal damages in the commercial arena, see, e.g., Brazil v. Dole Packaged Foods, LLC, No. 12-cv-01831-LHK, 2014 WL 5794873, at *14 (N.D. Cal. Nov. 6, 2014), there is no hard-and-fast rule requiring such an outcome. Other courts have certified commercial classes when nominal damages can be determined on a classwide basis. See, e.g., Opperman v. Path, Inc., No. 13-cv-00453-JST, 2016 WL 3844326, at *15-16 (N.D. Cal. July 15, 2016) (citing cases). That makes sense. Aggregating smaller claims that are not worthwhile to pursue individually is class action's raison d'etre. Consistent with that purpose, there is “no lower boundary” to the cash value of claims that can be bundled in a class action, as “courts have held that even de minimis claims may be brought as Rule 23(b)(3) class actions if all of the other requirements are met.” 2 Newberg and Rubenstein on Class Actions § 4:65 (6th ed.) (citing, among other cases, Mace v. Van Ru Credit Corp., 109 F.3d 338, 344 (7th Cir. 1997), certifying a class containing Fair Debt Collection Practices Act claims of $0.28 per member)); accord Abels v. JBC Legal Group, P.C., 227 F.R.D. 541, 546 (N.D. Cal. 2005) (“[D]e minimis recovery is not a ground for refusing certification.”). If anything, the fact that the entire class will likely be limited to nominal damages will streamline proceedings by dispensing with the need for individualized damage calculations.

To be sure, the Court cannot entirely rule out the possibility that there may be some class members who believe they suffered financial harms (other than mitigation expenses) stemming from the CareFirst data breach and have not yet had their day in court to prove actual damages. That contingent is likely vanishingly small, however. Because the data breach occurred back in 2014, this hypothetical group would have to believe that they suffered some form of fraud due to the CareFirst data breach but, for whatever reason, have slept on their rights for a decade. That may be an avenue available under the “class tolling” doctrine. See Am. Pipe & Constr. Co. v. Utah, 414 U.S. 538, 554 (1974) (“[T]he commencement of a class action suspends the applicable statute of limitations as to all asserted members of the class who would have been parties had the suit been permitted to continue as a class action.”). Yet the Court doubts it's a route that many would have chosen to pursue here. And, to the extent there are any such individuals who wish to make their case on actual damages, they face a tall task. Discovery has shown that the attackers (fortunately) did not gain access to the most sensitive personally identifying information. That fact all but precluded the named Plaintiffs from tracing any identity theft they suffered back to the CareFirst data breach, see Attias V, 2023 WL 5952052, at *13-15, and that outcome would almost surely be the same for all other putative class members.

The Court is thus skeptical that other class members will come forward and assert actual damages. That distinguishes this case from others where courts have refused to certify a class for nominal or otherwise de minimis class-wide damages at the risk of foreclosing broad swaths of plaintiffs from pursuing much more valuable individual cases. See, e.g., Zimmerman v. Zwicker & Assocs., P.C., No. 09-cv-3905 (RMB/JS), 2011 WL 65912, *5 (D.N.J. 2011). But, to the extent there are class members who wish to pursue actual damages, the Court can address that matter down the road via proper notification protocols, opt-out provisions, and the creation of subclasses if need be.

Because the class is easily ascertainable and CareFirst has most of the relevant contact information in hand, the Court also concludes that this is not a case in which administrative costs will necessarily swamp the value of any future recovery.

For now, the Court need only resolve that, under Federal Rule of Civil Procedure 23, a class action is the appropriate vehicle for the more than one million CareFirst customers whose information was accessed in the 2014 data breach to pursue their remaining breach of contract claim. Having done so, the Court will certify a contract class comprised of “all persons who reside in the District of Columbia, the State of Maryland and the Commonwealth of Virginia and have purchased and/or possessed health insurance from Carefirst, Inc., Group Hospitalization and Medical Services, Inc., Carefirst of Maryland, Inc., and/or Carefirst BlueChoice and whose personally identifiable information, personal health information, sensitive personal information, and/or financial information was breached as a result of the data breach announced on or about May 20, 2015.” Mot. for Class Cert. at 10.

As a final note, CareFirst raised in its opposition the prospect that Plaintiffs Andreas Kotzur and Curt Tringler may be improperly included in this action because “none of their personal information was accessed in this data breach” since “only those members who signed up for CareFirst's online portal were affected.” See Opp'n at 4 n.3. Viewed through the prism of standing, the Court is unpersuaded because it already found that all named Plaintiffs (including these two) have standing because each expended resources attempting to mitigate a credible threat of future identity theft. See Attias IV, 344 F.R.D. at 47. But if it is true that these two Plaintiffs' information was not compromised in the data breach, they would fall outside of the certified contract class. Because the parties did not address this issue in depth and it is disconnected from the present certification issue, however, the Court will deal with the matter down the line if it becomes necessary.

IV. Conclusion

For these reasons, it is hereby

ORDERED that [Dkt. No. 102] Plaintiffs' Renewed Motion for Class Certification is GRANTED in part and DENIED as moot in part. It is further

ORDERED that the parties meet and confer and, by April 26, 2024, file a joint status report indicating the need for further proceedings in the case.

SO ORDERED.


Summaries of

Attias v. Carefirst, Inc.

United States District Court, District of Columbia
Mar 29, 2024
15-cv-882 (CRC) (D.D.C. Mar. 29, 2024)
Case details for

Attias v. Carefirst, Inc.

Case Details

Full title:CHANTAL ATTIAS, et al., Plaintiffs, v. CAREFIRST, INC., et al., Defendants.

Court:United States District Court, District of Columbia

Date published: Mar 29, 2024

Citations

15-cv-882 (CRC) (D.D.C. Mar. 29, 2024)

Citing Cases

Lewis v. U.S. Parole Comm'n

Although the D.C. Circuit has not yet articulated a precise standard of proof, the emerging consensus in this…

Gila River Indian Cmty. v. Becerra

,” the court finds that Plaintiffs have established the remaining two elements of standing. Attias v.…