Gilbert v. Bioplus Specialty Pharm. Servs.

United States District Court, Middle District of Florida
Mar 5, 2024
6:21-cv-2158-RBD-DCI (M.D. Fla. Mar. 5, 2024)

Opinion

BONNIE GILBERT, DAVID GATZ, WENDY BRYAN, LORI GRADER, DARYL SWANSON, PATRICIA WHITE, ALICIA DUNN, CRYSTAL HULLETT and STEPHEN GABBARD, Plaintiffs, v. BIOPLUS SPECIALTY PHARMACY SERVICES, LLC, Defendant.


REPORT AND RECOMMENDATION

DANIEL C. IRICK UNITED STATES MAGISTRATE JUDGE

This cause comes before the undersigned for consideration without oral argument on the following motion:

MOTION: Plaintiffs' Second Renewed Unopposed Motion for Preliminary Approval of Class Action Settlement (Doc. 82)

FILED: January 5, 2024

THEREON it is Recommended that the motion be GRANTED in part.

I. Background and Procedural History

In the operative Complaint, Bonnie Gilbert, David Gatz, Wendy Bryan, Lori Grader, Daryl Swanson, Patricia White, Alicia Dunn, Crystal Hullett, and Stephen Gabbard (the named Plaintiffs) bring various claims against BioPlus Specialty Pharmacy Services, LLC (Defendant), including a claim under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), individually and on behalf of those similarly situated. Doc. 60 (the Third Amended Complaint).

The named Plaintiffs allege that Defendant, a national specialty pharmacy, failed to adequately protect sensitive information including names, dates of birth, addresses, and social security numbers. Id. The named Plaintiffs claim that Defendant experienced a data incident between October 25, 2021 and November 11, 2021, during which an unauthorized third party gained access to its network. Id. (the Data Incident).

The parties litigated the case for approximately two years, engaged in discovery, filed dispositive motions, and eventually reached settlement. As such, the parties filed a Joint Notice of Settlement, and the Court administratively closed the case and directed the parties to file a motion for preliminary approval of proposed class settlement. Docs. 64, 65. The named Plaintiffs then filed an Unopposed Motion for Preliminary Approval of Class Settlement. Doc. 68 (the Initial Motion).

On March 3, 2023, the Court granted in part and denied in part Defendant's motion to dismiss. Doc. 59. In doing so, the Court permitted the negligence, breach of implied contract, and declaratory judgment claims to proceed without amendment and granted the named Plaintiffs leave to amend their state consumer protection claims. Id. However, the Court dismissed the negligence per se, breach of fiduciary duty, and breach of express contract claims. Id. The named Plaintiffs subsequently filed the Third Amended Complaint and assert claims for (1) negligence, (2) breach of implied contract, (3) violations of FDUTPA, and (4) declaratory judgment. Doc. 60. On April 5, 2023, Defendant filed a motion to dismiss the FDUTPA claim but the parties reached settlement before the Court ruled. Docs. 60, 64.

Upon consideration of the Initial Motion, the undersigned directed the named Plaintiffs to file a supplemental brief to address certain deficiencies or to withdraw the Initial Motion. Doc. 69. Namely, the undersigned found that the named Plaintiffs did not establish Article III standing and did not adequately address the Federal Rule of Civil Procedure 23(a) requirements for class certification. Id. at 5-9. In response, the named Plaintiffs elected to withdraw the Initial Motion and filed the Renewed Unopposed Motion for Preliminary Approval of Class Action Settlement. Doc. 71 (the Renewed Motion). Plaintiffs submitted an Amended Settlement Agreement and other documents in support of the request. Docs. 71-1 to 71-3. On November 29, 2023, the undersigned conducted a hearing on the Renewed Motion because the undersigned again had concerns regarding the apportionment, or lack thereof, of fees and expenses. Doc. 77. Specifically, the Amended Settlement Agreement reflects that one sub-class would pay the approved attorney fees, costs, and expenses while the other sub-class fund would not be reduced by the award. Doc. 71-1.

Generally, the undersigned had concerns about the differential treatment of class members as it related to the injury at issue (i.e., class members whose social security numbers may have been impacted in the Data Incident versus those who did not suffer that potential impact) and the named Plaintiffs' ability to represent the various members' interests. Id. at 6, 7-8.

The named Plaintiffs state that “[f]ollowing the Court's guidance in its September 14, 2023 Order, Plaintiffs and BioPlus agreed to amend the Settlement Agreement to update the Class definition so that it only includes Plaintiffs and Class Members whose Private Information was impacted in the Data Incident.” Id. at 10.

At the conclusion of the hearing, the undersigned directed the parties to file a supplemental memorandum with authority to address the fairness of the fee apportionment along with any impact to the adequacy of the representation. In response, the parties filed an Unopposed Motion to Withdraw Plaintiffs' Renewed Motion for Preliminary Approval of Class Action Settlement and to File an Amended Motion for Preliminary Approval of Class Action Settlement. Doc. 79. The parties moved for withdrawal to modify the proposed class settlement and preliminary approval request to apportion settlement administration costs and fees among all class members “whereby each proposed subclass will be apportioned a proportionate share of the settlement administration fee and expenses and attorneys' fees.” Doc. 79 at 2.

The undersigned granted the request and the named Plaintiffs have filed a Second Renewed Unopposed Motion for Preliminary Approval of Class Action Settlement. Doc. 82 (the Second Renewed Motion).

The matter is ripe for review and, for the reasons stated herein, it is recommended that the Second Renewed Motion be granted in part.

A. The Second Renewed Motion

On April 26, 2023, the parties filed a Notice of Settlement and stated that they have reached a class-wide settlement. Doc. 64. The named Plaintiffs now move for the Court to: (1) certify the settlement class; (2) preliminarily approve the settlement; (3) appoint the proposed class representatives, class counsel, and settlement administrator; (4) approve the proposed form and manner of notice to the class as reasonable; and (5) approve a schedule leading up to a final approval hearing. Doc. 82. The named Plaintiffs have submitted the Second Amended Settlement Agreement and Release (the Second Amended Settlement Agreement), notices of settlement to class members (collectively “the Proposed Notices”), and declarations in support of the request. Docs. 82; 82-1 to 82-3. The named Plaintiffs certify that Defendant does not oppose the Motion. Doc. 82 at 25. Defendant has not filed a response and the time for doing so has elapsed.

B. The Second Amended Settlement Agreement

The parties propose the following “Settlement Class” (the Settlement Class):

all persons whose personal information was impacted in the Data Incident. The Settlement Class specifically excludes: (i) BioPlus and its respective officers and directors; (ii) all Settlement Class Members who timely and validly request exclusion from the Settlement Class; (iii) the Judge and/or magistrate assigned to evaluate the fairness of this settlement; and (iv) any other Person found by a court of competent jurisdiction to be guilty under criminal law of initiating, causing, aiding, or abetting the Data Incident or who pleads nolo contendere to any such charge.
Doc. 82-1 at 14.

While the parties define “Settlement Class” in this regard, the class is further divided into two groups. The parties do not call the groups “sub-classes,” but the Second Amended Settlement Agreement provides for two categories of individuals. The parties identify the first group as “Claims-Made Settlement Class Members” or “Non-SSN Class Members” (Non-SSN Class Members) who include:

approximately 218,750 Settlement Class Members whose personal information was impacted in the Data Incident, and whose Social Security numbers were not impacted in the Data Incident. The Claims-Made Settlement Class Members are eligible to submit a claim under the Claims-Made Benefits. Class Representative Crystal Hullett is a Non-SSN Class Member. Non-SSN Class Members comprise approximately 62.65% of the 349,188 total Class Members
Id. at 7.

A separate settlement fund for this group is described as follows:

Settlement benefits. . . available to the Claims-Made Settlement Class Members. The Claims-Made Benefits will be funded by BioPlus in an amount not to exceed $1,175,000, inclusive of (i) all Valid Claims for Settlement benefits made under ¶ 2.1; (ii) 62.65% of the Notice and Settlement Administration Costs (defined below) incurred in the administration of both Claims-Made and Common Fund Benefits, including all taxes owed by the Claims-Made Benefits and Common Fund; and (iii) any attorneys' fees not to exceed 1/3 of the Non-SSN Settlement Fund, and 62.65% of the total costs and expenses incurred by Class Counsel, as approved by the Court.
Id.

The named Plaintiffs explain that through this reversionary fund, Non-SSN Class Members may claim (1) compensation of $25 per hour for up to two hours of time spent dealing with issues related to the Data Incident and (2) reimbursement of documented out of pocket expenses or losses up to $750. Doc. 82 at 6. Following payment of attorney fees and expenses, settlement administration expenses, and claims made by Non-SSN Class Members, any funds remaining under the $1,175,000 cap will revert to Defendant. Id.

The parties then identify the second group as “Common-Fund Settlement Class Members” or “SSN Class Members” (SSN Class Members) who include:

approximately 130,438 Settlement Class Members whose personal information, including Social Security numbers, was impacted in the Data Incident. Common-Fund Settlement Class Members are eligible to submit a claim under the Common Fund. Class Representatives Bonnie Gilbert, Wendy Bryan, Patricia White, David Gatz, Lori Grader, Daryl Swanson, Stephen Gabbard, and Alicia Dunn are SSN Class Members. SSN Class Members comprise approximately 37.35% of the total 349,188 Class Members.
Doc. 82-1 at 8-9.

The “Common Fund” or “SSN Settlement Fund” is defined as:

a non-reversionary common fund to be funded by BioPlus in the amount of $1,025,000, which will be allocated as follows (i) 37.35% of the Notice and Settlement Administration Costs (defined below) incurred in the administration of both Claims-Made and Common Fund Benefits, including all taxes owed by the Claims-Made Benefits and Common Fund; (ii) any attorneys' fees not to exceed 1/3 of the SSN Settlement Fund, and 37.35% of the total costs and expenses incurred by Class Counsel, as approved by the Court; (iii) all Valid Claims for Settlement benefits made under ¶ 2.2.
Id. at 8.

The named Plaintiffs explain that the SSN Class Members will be able to claim (1) compensation of $25 per hour for up to three hours of time spent dealing with issues related to the Data Incident; (2) reimbursement of documented out of pocket expenses or losses up to $7,500; and (3) a pro rata distribution of funds remaining in the SSN Settlement Fund (which is projected to be approximately $50 per SSN Class Member). Doc. 82 at 5.

II. Analysis

A. Class Certification

“A class may be certified solely for purposes of settlement where a settlement is reached before a litigated determination of the class certification issue.” Diakos v. HSS Sys., LLC, 137 F.Supp.3d 1300, 1306 (S.D. Fla. 2015) (internal quotation marks omitted). A party seeking to certify a class action - be it contested or not - bears the burden of demonstrating that: 1) the named plaintiffs have standing to raise each class claim, Prado-Steiman ex rel. Prado v. Bush, 221 F.3d 1266, 1279-80 (11th Cir. 2000); 2) the proposed class is adequately defined and clearly ascertainable, Carriuolo v. Gen. Motors, Co., 823 F.3d 977, 984 (11th Cir. 2016); 3) the putative class meets the numerosity, commonality, typicality, and adequacy of representation requirements set forth in Federal Rule of Civil Procedure 23(a), Valley Drug Co. v. Geneva Pharms., Inc., 350 F.3d 1181, 1187-88 (11th Cir. 2003); and 4) the putative class meets at least one of the three requirements set forth in Federal Rule of Civil Procedure 23(b), Pickett v. Iowa Beef Processors, 209 F.3d 1276, 1279 (11th Cir. 2000). The Court has broad discretion in determining whether to certify a class and may do so only after conducting a “rigorous analysis” to ensure that the moving party has satisfied all the necessary requirements for certification. Sacred Heart Health Sys. v. Humana Military Healthcare Servs., 601 F.3d 1159, 1169 (11th Cir. 2010).

1. Standing

The undersigned found that the Initial Motion was inadequate because the named Plaintiffs had not established standing. Doc. 69. The named Plaintiffs have now discussed standing but the undersigned finds it necessary to say significantly more given the Eleventh Circuit and the Supreme Court's relatively recent activity on the matter in the security breach context. See TransUnion, LLC v. Ramirez, 141 S.Ct. 2190 (2021); Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020); Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021); and Shiyang Huang v. Equifax, Inc., 999 F.3d 1247 (11th Cir. 2021).

To establish Article III standing, a plaintiff must show that: (1) he suffered an injury in fact; (2) the injury at issue is fairly traceable to the defendant's alleged conduct; and (3) the injury is likely to be redressed by a favorable judicial decision. Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016). Of the three criteria for standing, injury in fact is at issue. To meet this requirement, a plaintiff must plausibly and clearly allege an injury that is “concrete” and either “actual or imminent.” Tsao, 986 F.3d at 1332 (quoting Thole v. U.S. Bank N.A., 140 S.Ct. 1615, 1616 (2020); Spokeo, 136 S.Ct. at 1548); see also Muransky, 979 F.3d at 925 (“A plaintiff needs to plead (and later support) an injury that is concrete, particularized, and actual or imminent, rather than conjectural or hypothetical.”) (citation omitted). The Supreme Court has defined a “concrete” injury as one that is “real, and not abstract”-that is, one that “actually exist[s];” and an “actual or imminent” injury as one that is neither “conjectural [n]or hypothetical.” Spokeo, 136 S.Ct. at 1548 (internal quotation marks and citation omitted).

Examples of concrete injuries include physical and monetary harms, as well as “various intangible harms,” such as-of relevance here-the “disclosure of private information.” TransUnion, 141 S.Ct. at 2204 (citations omitted). “Certainly, an economic injury qualifies as a concrete injury.” Debernardis v. IQ Formulations, LLC, 942 F.3d 1076, 1084 (11th Cir. 2019) (citations omitted). “So are identity theft and damages resulting from such theft, see Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012), as well as wasted time, Salcedo v. Hanna, 936 F.3d 1162, 1173 (11th Cir. 2019).” Equifax, 999 F.3d at 1262.

Where a plaintiff attempts to satisfy the injury in fact element by relying on future harm, the “threatened injury must be certainly impending.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (internal quotation marks and citation omitted) (emphasis in original). Thus, “[a]llegations of possible future injury are not sufficient.” Id. (internal quotation marks and citation omitted) (emphasis in original); see also TransUnion, 141 S.Ct. at 2213 (noting that “the risk of future harm on its own does not support Article III standing for [a] plaintiff['s] damages claim”). Although this standard does not mandate that a plaintiff demonstrate it is “‘literally certain that the harms [he] identif[ies] will come about,'” it does require, at the very least, “a showing that there is a ‘substantial risk' that the harm will occur.” Tsao, 986 F.3d at 1338-39 (quoting Clapper, 568 U.S. at 414 n.5). If “the hypothetical harm alleged is not ‘certainly impending,'” or if “there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on [himself] to mitigate a perceived risk.” Id. at 1339 (citing Clapper, 568 U.S. at 416; Muransky, 979 F.3d at 933).

Notably, in class actions, the fact that the parties reached a settlement does not absolve district courts from ascertaining whether the named plaintiffs have met their burden on the matter of standing. The standing requirements apply to class actions and “even at the settlement approval stage, as a ‘court is powerless to approve a proposed class settlement if it lacks jurisdiction over the dispute, and federal courts lack jurisdiction if no named plaintiff has standing[.]'” Equifax, 999 F.3d at 1261 (quoting Frank v. Gaos, 139 S.Ct. 1041, 1046 (2019)). “On the other hand, only one named plaintiff must have standing as to any particular claim in order for it to advance.” Id. (citing Wilding v. DNC Servs. Corp., 941 F.3d 1116, 1124-25 (11th Cir. 2019)); see also, Prado-Steiman ex rel Prado v. Bush, 221 F.3d 1266, 1279 (11th Cir. 2000) (“[P]rior to the certification of a class. . . the district court must determine that at least one named class representative has Article III standing to raise each class subclaim.”).

Relevant here because of the FDUTPA claim, the violation of a statutory right to information can-in some contexts-create an injury sufficient to confer standing. See Trichell v. Midland Credit Mgmt., Inc., 964 F.3d 990, 1003-04 (11th Cir. 2020) (discussing applications of the “informational injury” theory of standing); Nicklaw v. Citimortgage, Inc., 839 F.3d 998, 1002 (11th Cir. 2016) (collecting cases); Church v. Accretive Health, Inc., 654 Fed.Appx. 990, 994-95 (11th Cir. 2016) (per curiam). But a “bare procedural violation [of a statute], divorced from any concrete harm,” is not enough to establish standing. Spokeo, 578 U.S. at 341. Rather, a plaintiff must demonstrate that the statutory violation at issue led to actual harm-whether tangible or intangible-or that the violation “posed a material risk of harm to the plaintiff.” Muransky, 979 F.3d at 928.

Further, the named Plaintiffs bring a claim for both injunctive relief and damages (Doc. 60 at 64-68). A plaintiff who seeks injunctive relief to prevent a future harm can satisfy the injury-in-fact requirement by asserting a “risk of future harm” that is “sufficiently imminent and substantial.” TransUnion, 141 S.Ct. at 2210. For a plaintiff seeking damages, “the mere risk of future harm, standing alone, cannot qualify as a concrete harm. . . unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210-11.

Here, the named Plaintiffs assert that standing exists because their sensitive personal information was accessed and exfiltrated in the Data Incident. Doc. 82 at 9 (citing Desue v. 20/20 Eye Care Network, Inc., 2022 WL 796367, at *4 (S.D. Fla. Mar. 15, 2022)). Specifically, the named Plaintiffs claim that during the Data Incident, the unauthorized third party gained access to their private information including names, dates of birth, social security numbers, medical record numbers, current/former health plan member ID numbers, claims information, diagnosis, and prescription medication information (the Private Information). Id. at 3. The named Plaintiffs claim that Defendant failed to adequately protect the Private Information and, in total, Defendant notified approximately 349,188 individuals who were impacted, including 130,438 whose social security numbers were impacted in the breach. Id. As such, the named Plaintiffs contend that they, along with the putative Class Members (collectively, the Class Members), all suffered an alleged injury “akin to an invasion of privacy.” Id. at 10, citing TransUnion, 141 S.Ct. 2190 at 2204.

The named Plaintiffs also point out that the Court previously found that all Plaintiffs adequately state a claim for breach of implied contract and assert that it is well established that the lost benefit of a bargain is sufficient for standing. Id. at 11, citing Doc. 59; In re Mednax Servs., Inc. Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1205 (S.D. Fla. 2022); Kostka v. Dickey's Barbeque Rests., 2022 WL 16821685, at *4 (N.D. Tex. Oct. 14, 2022).

Upon consideration of the Initial Motion, the undersigned had serious concerns regarding the alleged harm or potential harm because the Eleventh Circuit has found that “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.” Tsao, 986 F.3d at 1344 (finding that the plaintiff did not have standing in that case based on an “increased risk” of identity theft). But the parties have since narrowed the Settlement Class.

The undersigned is now satisfied that the named Plaintiffs have standing to proceed at this juncture. Specifically, there are nine named Plaintiffs in this case: Bonnie Gilbert (Gilbert), Wendy Bryan (Bryan), Patricia White (White), David Gatz (Gatz), Crystal Hullett (Hullett), Lori Grader (Grader), Daryl Swanson (Swanson), Stephen Gabbard (Gabbard), and Alicia Dunn (Dunn). Doc. 60. At least one of these individuals has alleged an actual or real injury resulting from the Data Incident. Again, the Court need only find that one named Plaintiff has standing as to any particular claim to go forward, and the undersigned finds that exists here. See Equifax, 999 F.3d at 1247 (citations omitted).

To be clear, the undersigned makes no finding as to whether standing existed with respect to the original settlement class discussed in the Initial Motion because the named Plaintiffs did not adequately address the issue.

Namely, Plaintiff Hullett claims that she was Defendant's customer prior to the Data Incident and Defendant required her to provide her Private Information to purchase services and medications. Doc. 60 at 34. Plaintiff Hullett claims that, as a result of the Data Incident, in or about February 2023, she was the “victim of identity theft and fraudulent activity by cybercriminals who made fraudulent purchases online with her debit card for her bank account with MembersCredit Union” and she has “received a significant increase in spam calls that cause nuisance, annoyance, and a loss of time and attention.” Id. at 35.

Plaintiff Dunn also alleges that in October 2021, she “experienced actual identity theft fraud with an unauthorized $30 charge on her debit card for her checking account. As a result, [Plaintiff Dunn] was required to obtain a new debit card, which took about a month to receive and limited her access to her checking account.” Id. at 40. Plaintiff Dunn states that she believes the unauthorized charge is a result of the Data Incident given the proximity in time to the breach. Id.

Further, Plaintiff White alleges that on or about November 30, 2021, she “received a notification from her credit monitoring services through H&R Block that her information appeared on the dark web, where cyber-criminals trade sensitive patient information for use in phone, banking, and health insurance scams.” Id. at 31. Plaintiff Swanson also claims that as a result of the Data Incident she received an increase in spam text messages regarding Medicare and medical insurance that cause nuisance, annoyance, and time loss. Id. at 37-38. Plaintiff Gilbert alleges that she has “received a significant amount of medical-related mail at her home address addressed to an unknown individual named ‘Lynn Yara.'” Id. at 28.

Overall, these named Plaintiffs allege that Defendant entered into implied agreements for the provision of healthcare services and to implement data security to safeguard their Private Information; engaged in unfair acts and practices in violation of FDUTPA resulting in financial injury to the Class Members; and Defendant was required to prevent this foreseeable harm to the Class Members but failed to do so. Id. at 48, 53-54, 59-61. In sum, the named Plaintiffs claim to have suffered out of pocket expenses, financial injury, and the loss of the benefit of the bargain due to the Data Incident. Doc. 60 at 58, 61.

Based on the foregoing, the undersigned finds that at least one of the named Plaintiffs' claims are based on a concrete injury from the actual misuse of the Private Information and, importantly, those allegations are not merely conclusory in nature. This is not a case where the named Plaintiffs allege that a third party simply may have accessed their information in a breach. See e.g., Compare with Holmes v. Vills Tri-County Med. Ctr., Inc., 2023 WL 315019, at *5 (M.D. Fla. Jan. 19, 2023) (finding that the plaintiffs did not allege an injury in fact where the plaintiffs “allege only that private actors ‘may have accessed their information, not that anyone made that information public”).

Instead, the named Plaintiffs contend that the third party gained access, stole the information, and misused it-at least for some of the named Plaintiffs. As one court in this District explained, “[w]hile the Eleventh Circuit did not clarify what constitutes ‘some misuse,' it seemed to acknowledge that specific allegations or evidence of unauthorized charges would meet [the standing] standard.'” Cotter v. Checkers Drive-in Restaurants, Inc., 2021 WL 3773414, at *5 (M.D. Fla. Aug. 25, 2021) (quoting Tsao, 986 F.3d at 1343). The undersigned finds that the named Plaintiffs have alleged this conduct here and recommends that standing to proceed exists.

But what of the other named Plaintiffs who do not allege actual misuse of their Private Information? The allegations go beyond the direct harm from the cybercriminals' use of the Private Information as the named Plaintiffs also rely on a “substantial risk” of harm theory. See Doc. 60 at 17, 19, 24, 26, 50, 52, and 63. Because this is a report and recommendation, the undersigned finds it necessary to address the remaining four named Plaintiffs' alleged injuries and the relevant law.

At the very least, the four remaining named Plaintiffs' alleged injuries are pertinent to adequacy of class representation discussed infra.

When there is no actual injury, an imminent injury must be “certainly impending” as allegations of “possible future injury are not sufficient.” Clapper, 568 U.S. at 409 (emphasis in original) (quoting Whitmore v. Arkansas, 495 U.S. 149 (1990)). The Eleventh Circuit in Tsao explained that “we recently held in Muransky that conclusory allegations of an ‘elevated risk of identity theft'-or, as Tsao puts it, a ‘continuing increased risk' of identity theft-[are] simply not enough' to confer standing.'” 986 F.3d at 1343 (quoting Muransky, 979 F.3d at 933). “[E]vidence of actual misuse is not necessary for a plaintiff to establish standing following a data breach.” Id. at 1343-44 (citing Beck v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017)). “However, without specific evidence of some misuse of class members' data, a named plaintiff's burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending'-or that there was a ‘substantial risk' of such harm-will be difficult to meet.” Id. at 1344 (citing Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 n.1 (11th Cir. 2012) (finding that plaintiffs who suffered “actual” identity theft had standing but noting that “speculative” identity theft may not be sufficient to confer standing) (emphasis in original). The court in Tsao also found that if a hypothetical harm alleged is not “certainly impending,” or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to mitigate a perceived risk. Id. at 1338 (quoting Muransky, 979 F.3d at 931).

With respect to Plaintiffs Gatz, Bryan, Gabbard, and Grader, their claims do not appear to stem from the actual misuse of the Private Information but from the substantial risk that the misuse may occur in the future, and the injury is, at least in part, due to their efforts to mitigate the damage from the Data Incident. Specifically, Plaintiffs Bryan and Gatz allege that Defendant offered one year of credit monitoring after the Data Incident, but Plaintiffs Bryan, Gatz, and Gabbard did not accept the offer and instead incurred out of pocket expenses for a different subscription or service. Doc. 60 at 30, 33. Plaintiffs Bryan and Gatz also claim that they spent significant time reviewing personal accounts and information and plan to take additional time-consuming steps to help mitigate the harm. Id. at 30, 34. Plaintiff Gatz further alleges that he took steps to freeze his debit cards and requested that the bank cancel and issue new cards thereby limiting access to bank funds. Id. at 33.

Plaintiff Gabbard claims that he did not accept Defendant's one-year subscription to a credit monitoring service but spent hours reviewing bank statements and credit cards and plans to take additional time-consuming steps toward mitigation. Id. at 39. Plaintiff Grader signed up for Defendant's one-year subscription to the credit monitoring service and spent time doing so, but “has not elected this service to date.” Id. at 36. Plaintiff Grader claims that she has spent time reviewing bank statements and credit cards at “a more frequent interval than she did previously” and “has spent significant time speaking with her bank regarding her concerns about the Data Breach.” Id.

The other named Plaintiffs also allege facts relating to mitigation. See Doc. 60 at 27-41.

So, while Plaintiffs Gabbard, Grader, Gatz, and Bryan do not allege that the third party misused their Private Information, they do claim that they have wasted their time and money trying to mitigate the issue and face a substantial and impending risk of future harm from the “cybercriminals.”

The undersigned finds that this is sufficient at this stage of litigation to show standing. In doing so, the undersigned finds the Eleventh Circuit's following discussion in Equifax to be especially instructive:

Plaintiffs alleged that ‘hackers obtained at least 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million addresses, 17.6 million driver's license numbers, 209,000 credit card numbers, and 97,500 tax identification numbers.' With this information, Plaintiffs alleged that “identity thieves can create fake identities, fraudulently obtain loans and tax refunds, and destroy a consumer's credit-worthiness.” Plaintiffs also alleged they “remain subject to a pervasive, substantial and imminent risk of identity theft and fraud” due to the “highly-sensitive nature of the information stolen,” and that they spent time, money, or effort dealing with the breach. Given the colossal amount of sensitive data stolen, including Social Security numbers, names, and dates of birth, and the unequivocal damage that can be done with this type of data, we have no hesitation in holding that Plaintiffs adequately alleged that they face a “material” and “substantial” risk of identity theft that satisfies the concreteness and actual-or-imminent elements. See Muransky, 979 F.3d at 927; Clapper, 568 U.S. at 414 n.5, 133 S.Ct. at 1150 n.5.
The actual identity theft already suffered by some Plaintiffs further demonstrates the risk of identity theft all Plaintiffs face-though actual identity theft is by no means required when there is a sufficient risk of identity theft. Here, dozens of Plaintiffs allege they have already had their identities stolen and thus suffered injuries in many different ways. Specifically, those who suffered identity theft had numerous unauthorized charges and accounts made in their name; incurred specific numerical drops in their credit scores; had their ability to obtain loans affected; purchased credit monitoring; and spent time, money, and effort trying to mitigate their injuries, including disputing fraudulent activity, filing police reports, and otherwise dealing with identity theft. There is no dispute that these Plaintiffs' allegations of identity theft and resulting damages “constitute[] an injury in fact under the law.” Resnick, 693 F.3d at 1323. As such, the allegations of some Plaintiffs that they have suffered injuries resulting from actual identity theft support the sufficiency of all Plaintiffs' allegations that they face a risk of identity theft. Indeed, in Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), our Court recently recognized that “some allegations of actual misuse or actual access to personal data' support Article III standing for ‘a data breach based on an increased risk of theft or misuse.” Id. at 1340 (collecting cases); see also, e.g., McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 301-02 (2d Cir. 2021) (“[C]ourts have been more likely to conclude that plaintiffs have established a substantial risk of future injury where they can show that at least some part of the compromised dataset has been misused.”) (collecting cases).
Beyond the sufficient risk of identity theft and resulting injuries, a vast number of Plaintiffs who have not yet suffered identity theft also allege they have spent time, money, and effort mitigating the risk of identity theft. Their efforts include purchasing credit freezes, monitoring their financial accounts, and purchasing credit monitoring, among other things. As explained above, because the risk of harm here is a sufficient injury, the allegations of mitigation injuries made by these Plaintiffs are also sufficient. See Muransky, 979 F.3d at 931 (“[A]ny assertion of wasted time and effort necessarily rises or falls along with this Court's determination of whether the risk posed . . . is itself a concrete harm.”).
999 F.3d at 1262-63.

The same conclusion applies here. Similar to the plaintiffs in Equifax, the named Plaintiffs allege that (1) an unauthorized third party obtained access to the private information including social security numbers, names, dates of birth, etc.; (2) the “cybercriminals” can use the information, and have, for identity theft, financial fraud, and health care fraud; (3) the named Plaintiffs face a substantially increased risk of fraud as a result of the Data Incident; and (4) the named Plaintiffs spent money and time addressing the exposure of their Private Information. As in Equifax, the undersigned finds that these allegations are sufficient to demonstrate that the named Plaintiffs face a “material” and “substantial” risk of identity theft that satisfies the concreteness and “actual-or-imminent elements.” Since the future harm is “certainly impending,” the undersigned recommends that the named Plaintiffs did not manufacture standing by inflicting harm on themselves through their mitigation efforts.

In sum, the undersigned recommends that at least one named Plaintiff has demonstrated a concrete harm based on the actual misuse of the Private Information and, even if the alleged injury is based on future events, at least one named Plaintiff has demonstrated that a future harm is certainly impending. Accordingly, the undersigned recommends that standing exists for settlement purposes.

2. Adequately Defined and Clearly Ascertainable

“‘[A] plaintiff seeking to represent a proposed class must establish that the proposed class is ‘adequately defined and clearly ascertainable.'” Carriuolo v. GM Co., 823 F.3d 977, 984 (11th Cir. 2016) (quoting Little v. T-Mobile USA, Inc., 691 F.3d 1302, 1304 (11th Cir. 2012)); see also, Holmes v. Wca Mgmt. Co., L.P., 2021 WL 7627742 (M.D. Fla. May 3, 2021), report and recommendation adopted by, 2021 U.S. Dist. LEXIS 90692 (M.D. Fla. May 12, 2021) (considering whether the proposed class is adequately defined and clearly ascertainable upon a motion for preliminary approval of class action settlement). “An identifiable class exists if its members can be ascertained by reference to objective criteria.” Riffle v. Convergent Outsourcing, Inc., 311 F.R.D. 677, 680 (M.D. Fla. 2015).

Here, the Settlement Class includes “all persons whose personal information was impacted in the Data Incident.” Doc. 82-14 The parties identify the Class Members (divided as SSN and Non-SSN Class Members) as the individuals Defendant notified of the Data Incident. See Doc. 82 at 4. The named Plaintiffs allege that the Class Members consist of the approximately 350,000 current and former patients and customers and cite to the United States Department of Health and Human Services Office for Civil Rights' website for the report of the breach. Doc. 60 at 2. As such, the parties have already identified the Class Members: approximately 130,438 in the SSN Class and 218,759 from the Non-SSN Class. Further, the named Plaintiffs state that the notice will be disseminated to all persons who fall within the definition of the Settlement Class and whose names and addresses can be identified with reasonable effort from Defendant's records, and through databases tracking nationwide addresses and address changes. Doc. 82 at 23. Plus, the Settlement Administrator will administer the settlement website. Id.

The named Plaintiffs state in the Second Renewed Motion that the Settlement Class is defined as “all persons who were notified that their information may have been impacted in the Data Incident.” Doc. 82 at 4 (emphasis added). It seems that this is a clerical error because the Settlement Class has been narrowed in the operative Second Amended Settlement Agreement. Doc. 82-1.

Based on the foregoing, the undersigned finds that the Settlement Class contains sufficient criteria to allow an individual to determine whether they are a Class Member. The parties used objective criteria to describe the class and not subjective or vague terms. The undersigned, therefore, recommends that the Settlement Class is adequately defined and clearly ascertainable.

3. Rule 23 (a)

i. Numerosity

Under Rule 23(a)(1), a plaintiff must show that the settlement class is so numerous that joinder is impracticable. See Rule 23(a)(1). The Eleventh Circuit has held that the numerosity requirement is “a generally low hurdle” and “less than twenty-one is inadequate [and] more than forty [is] adequate....” Vega v. T-Mobile USA, Inc., 564 F.3d 1256, 1267 (11th Cir. 2009) (citations omitted).

Here, there are approximately 350,000 Class Members: 130,438 in the SSN Class and 218,759 from the Non-SSN Class. Accordingly, the undersigned recommends that, preliminarily and for settlement purposes only, the Settlement Class meets the numerosity requirement of Rule 23(a)(1).

ii. Commonality

Rule 23(a)(2) requires a plaintiff to show that “there are questions of law or fact common to the class.” Fed.R.Civ.P. 23(a)(2). “Commonality requires the plaintiff to demonstrate that the class members ‘have suffered the same injury ....'” Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 350, 131 S.Ct. 2541, 2551 (2011) (quoting Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 157 (1982)). The claims must depend on a common contention of which “its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke.” Id. at 350. The Supreme Court has found that, for the purposes of Rule 23(a)(2), a single common question of law or fact is sufficient. Id. at 359. Although the exact claim or statutory violation need not be the same for all class members, “there [must] be at least one issue whose resolution will affect all or a significant number of the putative class members.” Bussey v. Macon Cty. Greyhound Park, Inc., 562 Fed.Appx. 782, 788 (11th Cir. 2014) (per curiam) (citation omitted).

Here, the named Plaintiffs have identified common questions of law or fact that satisfy the commonality requirement. The named Plaintiffs and the putative Class Members' claims are all based on the contention that Defendant's security did not protect the Class Members' Private Information. The named Plaintiffs contend, and the undersigned agrees at least at this juncture, that resolution of whether the “security environment” was adequate does not vary amongst the Class Members. Doc. 82 at 13. Importantly, as the named Plaintiffs emphasize, the class definition has been narrowed to those individuals who had their Private Information impacted in the Data Incident. Id.

Overall, all Class Members were notified of the Data Incident and the named Plaintiffs contend that Defendant breached an implied contract, FDUTPA, and acted with negligence. Doc. 60. So, the common questions of law are whether Defendant (1) violated FDUTPA, (2) entered into an implied contract and subsequently breached the agreements, and (3) failed to prevent this foreseeable harm.

Resolving these issues will affect all Class Members and, therefore, the undersigned recommends that Rule 23(a)(2)'s commonality requirement is satisfied for settlement purposes.

iii. Typicality

Rule 23(a)(3) requires that the named Plaintiffs' claims be typical of the claims of the Settlement Class. Fed.R.Civ.P. 23(a)(3). The Eleventh Circuit has found that the typicality requirement “measures whether a sufficient nexus exists between the claims of the named representative and those of the class at large.” Hines v. Widnall, 334 F.3d 1253, 1256 (11th Cir. 2003). “A sufficient nexus is established if the claims or defenses of the class and the class representative arise from the same event or pattern or practice and are based on the same legal theory.” Kornberg v. Carnival Cruise Lines, Inc., 741 F.2d 1332, 1337 (11th Cir. 1984).

Here, the named Plaintiffs and putative Class Members' claims involve Defendant's alleged failure to protect Private Information and every named or putative Class Member received notice of the Data Incident. The named Plaintiffs argue, and the undersigned agrees, that there is a nexus between the Non-SSN Class Representatives' claims and the other Non-SSN Class Members' claims as each includes the same Private Information that was impacted in the Data Incident. Doc. 82 at 14. Likewise, the undersigned is persuaded for settlement purposes that the same nexus exists between the SSN Class Representatives' claims and SSN Class Members' claims. Id.

Based on the foregoing, the undersigned recommends that the Settlement Class meets the typicality requirement of Rule 23(a)(3).

iv. Adequacy

Rule 23(a)(4) requires that “the representative parties. . . fairly and adequately protect the interests of the class.” Fed.R.Civ.P. 23(a)(4). The Supreme Court has stated that the “adequacy inquiry under Rule 23(a)(4) serves to uncover conflicts of interest between named parties and the class they seek to represent.” Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 625 (1997) (citations omitted). The adequacy requirement, therefore, “encompasses two separate inquiries: 1) whether any substantial conflicts of interest exist between the representatives and the class; and 2) whether the representatives will adequately prosecute the action.” Valley Drug Co. v. Geneva Pharms., Inc., 350 F.3d 1181, 1189 (11th Cir. 2003) (citations omitted). Also, regarding adequacy of representation, Rule 23(g)(1)(A) requires that the Court consider the following in determining the appointment of class counsel:

(i) the work counsel has done in identifying or investigating potential claims in the action;
(ii) counsel's experience in handling class actions, other complex litigation, and the types of claims asserted in the action;
(iii) counsel's knowledge of the applicable law; and
(iv) the resources that counsel will commit to representing the class.

The Court may also consider “any other matter pertinent to counsel's ability to fairly and adequately represent the interests of the class ....” Fed.R.Civ.P. 23(g)(1)(B).

The named Plaintiffs represent that they have no conflicts of interest with the Class Members, and they will adequately represent their interests. Doc. 82 at 15. Upon consideration of the Initial Motion, the undersigned noted that it was not clear if the named Plaintiffs consist of both Non-SSN Class Members and SSN Class Members or if they fall into only one of the groups. Doc. 69 at 7. The named Plaintiffs clarify that Plaintiff Hullett, as a class representative, is a Non-SSN Class Member and can adequately represent the Non-SSN Class. Doc. 82 at 15. Also, Plaintiffs Gilbert, Bryan, White, Gatz, Grader, Swanson, Gabbard and Dunn are SSN Class Members and can represent the SSN Class. Id.

Further, the parties have addressed the undersigned's concerns regarding the ability to adequately represent the Non-SSN Members if that group was responsible for 100% of the fees and costs under the Amended Settlement Agreement. The Second Amended Settlement Agreement now reflects an apportionment so that both sub-classes share in the payment for fees and costs. Doc. 82-1.

Since the parties have narrowed the Settlement Class and the undersigned is satisfied that standing exists even for the named Plaintiffs who claim a significant risk of harm and the fee structure has been amended, the undersigned agrees that there is no evidence of any conflicts of interest between the named Plaintiffs and the putative Class Members. The undersigned recommends that adequacy of representation for the named Plaintiffs exists for purposes of settlement.

The undersigned recommends that the same holds true with respect to class counsel. The parties define “Class Counsel” as John A. Yanchunis of Morgan & Morgan; Terence R. Coates and Dylan J. Gould of Markovits, Stock & DeMarco, LLC; Nicholas A. Migliaccio of Migliaccio & Rathod, LLP; Joseph M. Lyon of The Lyon Firm, LLC; J. Gerard Stranch, IV, of Stranch, Jennings & Garvey, PLLC; Gary E. Mason of Mason LLP; and M. Anderson Berry and Gregory Haroutunian of Clayeo C. Arnold, A Professional Corporation. Doc. 82-1 at 8.

Attorney Coates has submitted a declaration regarding his and his firm's experience with “complex cases including class actions.” Doc. 82-2 at 6. Attorney Coates cites to several cases where courts have recognized this experience and states that he is currently participating as counsel in “over 70 data breach and data privacy cases pending around the country[.]” Id. at 4-6.

While the parties have not submitted declarations on behalf of the other attorneys or firms listed as “Class Counsel,” Attorney Coates attests to the fact that his co-counsel have “significant experience litigating data breach class actions for plaintiffs[.]” Id. at 10. Attorney Coates has listed the websites for co-counsel's biographies. Id. at 10-11.

Based on the foregoing, the undersigned recommends at this juncture that “Class Counsel” have significant experience in class actions and breach of data cases and would adequately represent the class.

4. Rule 23(b)(3) Requirements

i. Predominance

Rule 23(b)(3) requires a finding that questions of law or fact common to class members predominate over any questions affecting only individual members. The “predominance inquiry tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation.” Amchem Prods., Inc., 521 U.S. at 623. A court must carefully scrutinize the relationship between common and individual questions in a case. Tyson Foods, Inc. v. Bouaphakeo, 136 S.Ct. 1036, 1045 (2016). An individual question requires evidence that is different from one class member to another, but a common question can be resolved by the same evidence for each class member, or the issue can be proven by generalized, class-wide proof. Id. In reviewing predominance, a court determines whether the common issues are more prevalent or important than the individual issues. Id. If the central issues are common to the class and predominate, then the predominance inquiry is satisfied. Id.

Here, the undersigned recommends the core common issues of law that surround the remaining claims predominate for purposes of settlement over individual questions associated with the resolution of this case. The central issue is whether Defendant violated FDUTPA, breached an implied contract, and engaged in negligent behavior by its failure to protect the Private Information from unauthorized access during the Data Incident. Pursuant to the revised Settlement Class, the parties now assert that all Non-SSN Class Members and SSN Class Members had their respective Private Information impacted in the Data Incident. Doc. 82-1 at 14. Defendant's alleged action or inaction is the same for every Class Member's claim. There are also common factual and legal questions with respect to whether the named Plaintiffs and putative Class Members suffered loss or a significant risk of harm because of Defendant's actions.

There is no evidence to suggest thus far that individual issues would predominate in this action. Accordingly, the undersigned recommends that, preliminarily and for settlement purposes only, common issues predominate.

ii. Superiority

Under Rule 23(b)(3), a plaintiff must also show that “a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3). “The inquiry into whether the class action is the superior method for a particular case focuses on increased efficiency.” Agan v. Katzman & Korr, P.A., 222 F.R.D. 692, 700 (S.D. Fla. 2004) (internal quotations and citations omitted).

The named Plaintiffs contend that the Second Amended Settlement Agreement provides all Class Members with relief and a well-defined administrative procedure to ensure due process. Doc. 82 at 17. The undersigned agrees assuming the revisions to the Proposed Notices are made as discussed infra. Also, considering the size of the Settlement Class the parties have identified, a class action is far more efficient in resolving this dispute compared to a number of individual cases being filed based on the same or similar facts and legal arguments. Further, it seems since the Settlement Class is based on the individuals who received notice from Defendant that their Private Information was impacted, the contact information for the Class Members is known. Accordingly, it would follow that the management of the class settlement would not pose difficulties. Moreover, there is no evidence that anyone has brought an individual case involving the same set of facts and legal issues, and there is no evidence that the putative Class Members would have a strong interest in controlling the prosecution of their individual claims.

Accordingly, the undersigned recommends that the superiority requirement is satisfied.

5. Summary

Considering the foregoing, the undersigned recommends that the class as defined in the Second Amended Settlement Agreement be conditionally certified for settlement purposes. Additionally, the undersigned recommends that the named Plaintiffs be appointed as class representatives and that the named Plaintiffs' counsel be appointed as class counsel.

B. Preliminary Approval of Settlement

The named Plaintiffs contend that the settlement warrants preliminary approval. “The claims, issues, or defenses of a . . . class proposed to be certified for purposes of settlement . . . may be settled . . . only with the court's approval.” Fed.R.Civ.P. 23(e). “Although class action settlements should be reviewed with deference to the strong judicial policy favoring settlement, the court must not approve a settlement merely because the parties agree to its terms.” Palmer v. Dynamic Recovery Solutions, Inc., 2016 WL 2348704, at *3 (May 4, 2016). However, if the proposed settlement falls within the “range of possible approval,” then the settlement should be preliminarily approved. Fresco v. Auto Data Direct, Inc., 2007 WL 2330895, at *4 (S.D. Fla. May 14, 2007) (quoting Horton v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 855 F.Supp. 825, 827 (E.D. N.C. 1994)).

At this stage, a court will determine whether the proposed settlement is “fair, adequate and reasonable and is not the product of collusion between the parties.” Bennett v. Behring Corp., 737 F.2d 982, 986 (11th Cir. 1984); see also Nolan v. Integrated Real Estate Processing, 2009 WL 10670779, at *6 (M.D. Fla. Sept. 9, 2009) (“[T]he Court must make a preliminary finding that the proposed settlement is sufficiently fair, reasonable, and adequate on its face to warrant presentation to the class members.”).

In determining the fairness, adequacy, and reasonableness of a class settlement, the Eleventh Circuit has outlined several factors a court must consider: 1) the likelihood of success at trial; 2) the range of possible recovery; 3) the range of possible recovery at which a settlement is fair, adequate, and reasonable; 4) the anticipated complexity, expense, and duration of litigation; 5) the opposition to the settlement; and 6) the stage of proceedings at which the settlement was achieved. Faught v. Am. Home Shield Corp., 668 F.3d 1233, 1240 (11th Cir. 2011).

These factors are not exhaustive, however, and the Court may also consider other factors such as the burdensomeness of the claims procedure, the treatment of the class representative, the terms of settlement in similar cases, the attorney fee award, and the scope of the release. Palmer v. Dynamic Recovery Sol., LLC, 2016 WL 2348704, at *2 (M.D. Fla. May 4, 2016).

1. Likelihood of Success at Trial

The named Plaintiffs provide that they have come to an agreement regarding a potential settlement after engaging in an arms-length negotiation. Doc. 82 at 18. According to the Second Amended Settlement Agreement, Defendant denies any wrongdoing. Doc. 82-1 at 5; see also, Doc. 82-1 at 61, 63, 66, 69. While the named Plaintiffs are confident in the merits of their claims, they recognize that “continued litigation against Defendant poses significant risks that make recovery for the Settlement Class uncertain.” Doc. 82 at 19. As such, while the parties have agreed to the preliminary settlement, there appear to be disputed issues that must be resolved in the named Plaintiffs and putative Class Members' favor to prevail at trial.

Considering that Defendant maintains that it is not liable, the undersigned finds that it is not preliminarily certain that the named Plaintiffs and the putative Class Members would prevail at trial and, therefore, the settlement appears fair.

2. The Range of Possible Recovery

“[T]he ‘likelihood of success' and ‘range of possible recovery' are overlapping issues that are to be addressed by the Court in determining the fairness of a settlement.” Harvey v. Hammel & Kaplan Co., LLC, 2020 WL 7138568, at *6 (M.D. Fla. Dec. 7, 2020) (citing Bennett, 737 F.3d at 986). “Whether under Rule 23(e)(2)(C) or the Bennett factors, it is not the value or nature of the settlement relief alone that is decisive, but whether that relief is reasonable when compared with the relief ‘plaintiffs would likely recover if successful, appropriately discounted for the risk of not prevailing.'” Id. (quoting Krell v. Prudential Ins. Co. of Am., 148 F.3d 283, 322 (3rd Cir. 1998)).

Here, the named Plaintiffs claim in part that Defendant has violated FDUTPA. To state a claim for damages under FDUTPA, a consumer must establish three elements: (1) a deceptive act or unfair practice, (2) causation, and (3) actual damages. Dolphin v. WCI Communities, Inc., 715 F.3d 1243, 1250 (11th Cir. 2013) (citing Rollins, Inc. v. Butland, 951 So.2d 860, 869 (Fla. 2d DCA 2006)). “In the context of FDUTPA, ‘actual damages' are defined as ‘the difference in market value of the product or service in the condition in which it was delivered and its market value in the condition in which it should have been delivered according to the contract of the parties.'” Coronacide, LLC v. Wellness Matrix Grp., Inc., 2021 WL 4307488, at *9 (M.D. Fla. Sept. 22, 2021) (quoting Rodriguez v. Recovery Performance & Marine, LLC, 38 So.3d 178, 180 (Fla. 3rd DCA 2010)). The named Plaintiffs also bring claims for implied breach of contract and negligence. Doc. 60.

The named Plaintiffs seek actual damages as relief. Doc. 60 at 68. The Non-SSN reversionary settlement fund (Claims-Made Benefits) will be in an amount not to exceed $1,175,000, and the SSN settlement fund (Common-Fund Benefits) is a non-reversionary fund in the amount of $1,025,000. Doc. 82-1 at 7, 8. The named Plaintiffs explain that the SSN Class Members can claim documented losses up to $7,500.00 and Non-SSN Class Members have the ability to claim documented losses up to $750.00. Doc. 82 at 20. Also, the named Plaintiffs state that all Class Members are entitled to compensation for time spent dealing with the consequences of the Data Incident, and SSN Class Members are entitled to pro rata payments of approximately $50 each. Id., citing Doc. 82-2.

Given the risks associated with the case, these amounts appear to be fair. If the case is not settled, there exists the potential for the litigation to continue and Defendant could prevail on the merits. The undersigned finds that the settlement offers a reasonable amount of relief without delay.

3. The Complexity, Expense, and Duration of Continued Litigation

On November 23, 2022, the Court entered the Amended Case Management and Scheduling Order. Doc. 52. On March 17, 2023, the named Plaintiffs filed the Third Amended Complaint. Doc. 60. On April 5, 2023, Defendant filed an Amended Motion to Dismiss but before the Court could resolve the motion the parties filed a notice of settlement. Docs. 63, 64. The named Plaintiffs state that the parties engaged in mediation and reached a settlement in principle. Doc. 82 at 4. Also, the parties engaged in informal discovery for settlement purposes including the production of information about the Data Incident, the number of individuals impacted, the notice program, and the response. Id. at 21; Doc. 82-2 at 9.

Based on the foregoing, if the Court does not approve the settlement, the case would likely proceed with discovery and the possibility of dispositive motions and trial. As such, there is no doubt that continued litigation would be lengthy. Indeed, the named Plaintiffs assert, without opposition, that data breach litigation is often difficult, complex, and expensive. Doc. 82 at 21.

Upon due consideration, the undersigned recommends that this factor weighs in favor of finding the settlement to be fair, adequate, and reasonable.

4. The Opposition to Settlement

While the parties have agreed to the settlement, it is too soon to determine whether there is any opposition since notice has not been sent to the Class Members. There is no evidence regarding opposition at this stage of the case. See Doc. 82 at 21. Therefore, the undersigned recommends that this factor does not carry any significant weight at this point in the proceedings.

5. The Stage at which Settlement was Achieved

Even though the parties reached settlement at a fairly early stage of the proceedings, their settlement was reached “after several months of negotiation and exchanges of Rule 408 discovery.” Doc. 82-2 at 8. The named Plaintiffs assert that through receipt of the informal discovery they were able to evaluate the potential for damages on a class wide basis. Id. at 9. Accordingly, the named Plaintiffs claim that they have sufficient information to evaluate their claims and negotiate in a fair manner. Doc. 82 at 21.

The undersigned finds that this factor weighs in favor of finding the settlement to be fair, adequate, and reasonable. See Preman v. Pollo Operations, Inc., 2018 WL 3151673, at *10 (M.D. Fla. Apr. 12, 2018) (approving a preliminary settlement at “an early stage of the proceedings” that was a “result of intensive arms-length negotiations between experienced attorneys who are familiar with class action litigation....”) (internal quotations omitted).

6. Other Provision in the Agreement - Fee, Expenses, and Costs

The parties provided in the Amended Settlement Agreement that the Non-SSN settlement fund would pay the approved attorney fees, costs, and expenses and the SSN settlement fund would not be reduced by the award. Doc. 71-1 at 16-19. After the undersigned conducted a hearing on the fairness of the fee appropriation, the parties withdrew the Renewed Motion to modify the proposed class settlement to apportion the administration costs, fees, and expenses among both SSN and Non-SSN Class Members. Doc. 79.

The modification is as follows:

“Claims-Made Benefits” or “Non-SSN Settlement Fund” means the Settlement benefits (as described below) available to the Claims-Made Settlement Class Members. The Claims-Made Benefits will be funded by BioPlus in an amount not to exceed $1,175,000, inclusive of (i) all Valid Claims for Settlement benefits made under ¶ 2.1; (ii) 62.65% of the Notice and Settlement Administration Costs (defined below) incurred in the administration of both Claims-Made and Common Fund Benefits, including all taxes owed by the Claims-Made Benefits and Common Fund; and (iii) any attorneys' fees not to exceed 1/3 of the Non-SSN Settlement Fund, and 62.65% of the total costs and expenses incurred by Class Counsel, as approved by the Court.
“Common Fund” or “SSN Settlement Fund” means a nonreversionary common fund to be funded by BioPlus in the amount of $1,025,000, which will be allocated as follows (i) 37.35% of the Notice and Settlement Administration Costs (defined below) incurred in the administration of both Claims-Made and Common Fund Benefits, including all taxes owed by the Claims-Made Benefits and Common Fund; (ii) any attorneys' fees not to exceed 1/3 of the SSN Settlement Fund, and 37.35% of the total costs and expenses incurred by Class Counsel, as approved by the Court; (iii) all Valid Claims for Settlement benefits made under ¶ 2.2.
Doc. 82-1 at 7, 8.

Upon due consideration, the undersigned finds that the amount is reasonable for the purpose of preliminarily approving the settlement. Considering the time and effort class counsel will expend in this case and the skill necessary to litigate a data breach case, the fee agreement appears fair at this juncture. Notably, “[t]he Eleventh Circuit has acknowledged that the most common fee awards fall between 20% to 30% of the fund, suggesting an award of 25% of the fund as a benchmark and an award of 50% as the upper limit.” Roll v. Enhanced Recovery, 2023 WL 2919839, at *1 (M.D. Fla. Jan. 5, 2023), report and recommendation adopted by, 2023 WL 2535081 (M.D. Fla. Mar. 16, 2023); see also Precision Roofing of N. Fla. Inc. v. Centerstate Bank, 2023 U.S. Dist. LEXIS 61612, at *20 (M.D. Fla. Apr. 6, 2023), report and recommendation adopted by, 2023 U.S. Dist. LEXIS 108398 (M.D. Fla. June 20, 2023) (finding at the preliminary approval stage that a settlement provision allowing class counsel to request up to 33.33% of the value of the settlement, plus reasonable costs incurred, to be paid from the settlement fund to be reasonable) (citing Nelson v. Mead Johnson & Johnson Co., 484 Fed.Appx. 429, 435 (11th Cir. 2012) (per curiam) (finding 25% of the common settlement fund is a reasonable fee award in common fund cases); Tweedie v. Waste Pro of Fla., Inc., 2021 WL 3500844, at *10 (M.D. Fla. May 4, 2021), report and recommendation adopted by, 2021 WL 3418197 (M.D. Fla. Aug. 5, 2021) (finding award of attorney fees not to exceed one-third of the settlement fund plus costs fair, adequate, and reasonable for purposes of preliminary approval of proposed settlement; collecting cases).

Since the named Plaintiffs will file a separate motion for fees and costs prior to the final approval hearing (see Doc. 82 at 7), the undersigned finds that the agreed anticipated apportionment for attorney fees, expenses, and costs is reasonable at this stage of the proceedings.

7. Summary

Upon review, the undersigned overall finds that these factors weigh in favor of a determination that the proposed settlement is fair, reasonable, and not the product of any collusion. Accordingly, the undersigned recommends that the settlement should be preliminarily approved.

C. Adequacy of Class Notice

The named Plaintiffs request that the Court approve the Proposed Notices and manner of notice to the class as reasonable. Doc. 82. Since the named Plaintiffs have met the requirement for certifying a class for settlement purposes, the undersigned will address the adequacy of the Proposed Notices. Doc. 82-1 at 60-76. Federal Rule of Civil Procedure 23(c)(2) requires that the notice to all class members shall be as “best [as] practicable under the circumstances, including individual notice to all members who can be identified through reasonable effort.” Mills v. Am. Online, Inc., 202 F.R.D. 297, 305 (M.D. Fla. 2001) (citing Fed.R.Civ.P. 23(c)(2)(B)). When reviewing the settlement for preliminary approval, the Court must “review and approve the proposed form of notice to the class ” Family Med. Pharmacy v. Holdings, 2016 WL 7320885, at *5 (S.D. Ala. Dec. 14, 2016) (citing Figueroa v. Sharper Image Corp., 517 F.Supp.2d 1292, 1299 (S.D. Fla. 2007)).

The undersigned notes that the parties amended the Proposed Notices to reflect the revised fee structure. Doc. 82-1 at 61, 63, 74.

The named Plaintiffs have attached the Proposed Notices to the Motion, and the proposed method of distribution to the class is set forth in the Second Amended Settlement Agreement. Doc. 71-1 at 37-40, 60-76. Rule 23(c)(2)(B) requires that class notice contain the following:

(i) The nature of the action;
(ii) The definition of the class certified;
(iii) The class claims, issues, or defenses;
(iv) That a class member may enter an appearance through an attorney if the member so desires;
(v) That the court will exclude from the class any member who requests exclusion; and
(vi) The binding effect of a class judgment on members under Rule 23(c)(3).

The undersigned finds that there are a few issues with the Proposed Notices. First, the named Plaintiffs do not explain the nature of the proposed notices within the Second Renewed Motion (see Doc. 82 at 6-7), but the Second Amended Settlement Agreement reveals that there are three variations: two Short Form Notices (the Short Form Notices) and the Long Form Notice (the Long Form Notice). Doc. 82-1 at 10, 15, 61-78.

1. Long Form Notice

First, starting with the Long Form Notice, the parties' definition of the class is either erroneous or at least confusing. The Long Form Notice includes the following language:

• The Settlement Class consists of two groups - those who were notified that their Social Security numbers were potentially accessed in the Data Incident (“SSN Class Members”), and those who were notified that their Social Security numbers were not involved in the Data Incident (“Non-SSN Class Members”). The available Settlement benefits depend upon which group you are in.
Doc. 82-1 at 66 (emphasis added).

However, the Second Amended Settlement Agreement defines the “Common-Fund Settlement Class Members” or “SSN Class Members” to include:

approximately 130,438 Settlement Class Members whose personal information, including Social Security numbers, was impacted in the Data Incident. Common-Fund Settlement Class Members are eligible to submit a claim under the Common Fund. Class Representatives Bonnie Gilbert, Wendy Bryan, Patricia White, David Gatz, Lori Grader, Daryl Swanson, Stephen Gabbard, and Alicia Dunn are SSN Class Members.
Id. at 8-9. (emphasis added). As such, the two descriptions do not appear consistent.

Likewise, the parties include in the Long Form the following language:

• You are included in this Settlement as a Settlement Class Member if you were notified that your PII/PHI may have been impacted in the Data Incident.
Id. at 66 (emphasis added); see also id. at 69 (“You are a Settlement Class Member if you were notified that your personal information may have been impacted by the Data Incident.”); Id. at 70 (“You are included in the Settlement if you were notified of the Data Incident.”). But the “Settlement Class” is defined as “all person whose personal information was impacted in the Data Incident.” Id. at 14 (emphasis added).

The undersigned recognizes that Defendant's original notice of the Data Incident may have been distributed to those individuals whose social security numbers or “PII/PHI” were potentially accessed or may have been impacted in the Data Incident, but the revised definition of the “two groups” has changed over the course of litigation and has since been narrowed. The undersigned finds that the language should reflect the current definition of the Settlement Class. Also, while the Long Form Notice speaks of the “two groups,” the parties do not include a clear definition of the “Settlement Class” as stated in the Second Amended Settlement Agreement. See id. at 65-76.

The parties include the following in the Long Form Notice: “You are included in the Settlement if you were notified of the Data Incident.” Doc. 82-1 at 70. The undersigned finds that if this is the parties' attempt to define the class, it is not clearly stated and not necessarily consistent with the definition of the Settlement Class found within the Second Amended Settlement Agreement.

Accordingly, the undersigned recommends that the parties be directed to revise the Long Form Notice to reflect the definition of the “Settlement Class” with a clearer explanation of who currently falls into the “two groups.”

Second, the named Plaintiffs fail to mention that the Long Form Notice must include the class issues and defenses. See Doc. 82 at 24. This omission is possibly due to the fact that the information is not included in the Long Form Notice. Even though the Long Form Notice has a subsection entitled “What is this case about?”, there is no mention of the claims. See Doc. 82-1 at 65-76. Instead, the parties describe in the Long Form Notice how the class action lawsuit arose and that the named Plaintiffs allege that the Data Incident resulted in the unauthorized access by a third party to the data stored on Defendant's network. The parties do not identify in the Long Form Notice that the claims are based on FDUTPA, breach of contract, and negligence under Florida law. See id.

The undersigned is unaware of any authority that relieves the parties from full compliance with the rule even though settlement has been reached. See Holmes, 2021 WL 7627742, at *10 (M.D. Fla. May 3, 2021), report and recommendation adopted by, 2021 U.S. Dist. LEXIS 90692 (M.D. Fla. May 12, 2021) (finding that, upon consideration of a joint motion for preliminary approval of class action settlement, that the proposed notice contained all of the Rule 23(c)(2)(B) requirements including identifying class claims, issues, or defenses); Stewart v. Fla. Cmty. Law Grp., 2019 WL 4248075, at *6-7 (M.D. Fla. Aug. 26, 2019), report and recommendation adopted by, 2019 U.S. Dist. LEXIS 152055 (M.D. Fla. Sept. 6, 2019) (same).

The parties state in the Long Form Notice that “BioPlus disagrees with Plaintiffs' claims and denies any wrongdoing.” Doc. 82-1 at 60. To the extent this statement can be construed to adequately identify the “defenses” at issue in the class action under Rule 23(b)(2)(B), the named Plaintiffs still do not address this issue and, therefore, the Second Renewed Motion is deficient in this regard. Either way, the undersigned recommends that the parties' description of the claims be found insufficient.

Third, the parties do not clearly and concisely state in the Long Form Notice that the Court will exclude from the class any member who requests exclusion. See Doc. 71-1 at 71. The Long Form Notice provides how the member may submit the request, but it does not explain the Court's role. See id. As such, the undersigned finds that the language does not comply with the requirement.

While the undersigned is not persuaded that the Long Form Notice satisfies Rule 23(c)(2)(B)'s class definition or class issues/claims requirement, the remainder of the document appears adequate. Namely, the parties state in the Long Form Notice why the individual is receiving notice; give an outline of the terms of the Second Amended Settlement Agreement as well as the process for objections; explain that the Settlement Class Members are permitted to opt out or be excluded from the settlement and outline deadlines and procedures for doing so; state that the Class Member must submit a claim form to receive settlement benefits; warn that if the Class Member does nothing, the Class Member gives up the right to sue, and will be bound by the settlement if the Court approves it; explain how the settlement funds will be distributed; state that if the individual stays in the settlement, then the individual will not be able to sue Defendant; provide the name and address for class counsel, defense counsel; and identify the Court and case name. Doc. 82-1 at 65-76.

Based on the foregoing, the undersigned recommends that the Court direct the parties to revise the Long Form Notice to provide an accurate definition of the Settlement Class along with a description of the SSN and Non-SSN groups, and an adequate description of the nature of the causes of action with specific claims. The undersigned otherwise recommends that the content and method of the Long Form Notice be approved.

2. Short Form Notices

Turning to the Short Form Notices, the undersigned also finds deficiencies pursuant to Rule 23(c)(2)(B). The parties do not define the class certified in any manner (i.e., they do not even include the deficient language found in the Long Form Notice) and the notices suffer the same problem regarding the nature of the action, the class claims, and statement regarding Court exclusion. See Doc. 82-1 at 60-64.

Further, while the Long Form Notice covers the issue of hiring personal representation (Doc. 82-1 at 73-74), the Short Form Notices fail to state that a class member may enter an appearance through an attorney if the Class Member so desires. It appears that the parties attempt in the Short Form Notice to cover this topic by referring the Class Member to the Long Form Notice on the settlement website (See Doc. 82-1 at 61, 63), but the undersigned is not aware of any authority (nor have the named Plaintiffs cited to any) that suggests that deficiencies in a notice that will be sent to the Class Members can be cured by notice on a settlement website. Absent such authority, the undersigned finds that the Short Form Notices are deficient and, therefore, should not be approved in their current form.

The parties refer the Class Members to a settlement website to submit a claim, learn a summary of rights and instructions on how to be excluded from the settlement and to object to the settlement. Doc. 82-1 at 61, 64. The parties also direct the Class Members to the settlement website or a phone number for additional information, including a copy of the Second Amended Settlement Agreement, Long Form Notice, Claim Form, Class Counsel's Application for Attorney Fees and Expenses, and other documents. Id.

Additionally, the undersigned finds that the Short Form Notice is misleading with respect to the amount of money in the Non-SSN settlement fund. Specifically, the parties state in the Short Form Notice that goes to the Non-SSN Class Members: “Non-SSN Class Members, like yourself, are able to submit a Claim for the settlement benefits described above from a $1,175,000 Non-SSN Settlement Fund.” Doc. 82-1 at 63. For the SSN Class Members, the parties state: “There are also Class Members who did not have their Social Security Numbers impacted in the Data Incident. They have the ability to submit a Claim against a separate $1,175,000 reversionary settlement fund i.e., the Non-SSN Settlement Fund.” Id. at 61. The parties, however, provide in the Second Amended Settlement Agreement that the Non-SSN Settlement Fund will be funded in an amount not to exceed $1,175,000 (Doc. 82-1 at 7) which leaves open the possibility that the fund will not equal $1,175,000. The undersigned finds that the Short Form Notices should mirror the language in the Second Amended Settlement Agreement.

The parties appropriately specify in the Long Form Notice that “[t]he Settlement provides for up to $1,175,000 in benefits for the Non-SSN Class Members, and a $1,025,000 non-reversionary common fund for the SSN Class Members. The total potential value of this Settlement is capped at $2,200,000.” Doc. 82-1 at 70.

Based on the foregoing, the undersigned recommends that the Short Form Notices should be revised in accordance with this report.

3. Distribution

Even though the undersigned finds that the Long and Short Form Notices are deficient, the method of distribution seems adequate. The parties provide in the Second Amended Settlement Agreement that prior to the dissemination of the Notice, the Settlement Administrator shall establish the settlement website, which will include the Short Form Notices, the Long Form Notice, the Claims Forms, the Preliminary Approval Order, and the Second Amended Settlement Agreement. Doc. 82-1 at 34.

The parties specify that the Short Form Notices will be sent within 45 days after the entry of the Preliminary Approval Order, and the Settlement Administrator will provide notice to the Settlement Class via mail to the postal address or, if possible, email. Id. at 34. The Amended Settlement Agreement also reflects that the Settlement Administrator will “run the postal addresses of Settlement Class Members through the United States Postal Service (‘USPS') National Change of Address database to update any change of address on file with the USPS[.]” Id. at 34-35. If a Short Form Notice is returned with a new address, the Settlement Administrator will resend the Short Form Notice to the forwarding address. Id. at 35. If the Short Form Notice is returned as “no longer valid” (i.e., return to sender), the Settlement Administrator will perform a standard skip trace to obtain the current address. Id. at 35-36.

Upon due consideration, the undersigned finds that the proposed manner of providing notice outlined in the Second Amended Settlement Agreement is reasonably calculated to apprise the Class Members of the action and settlement. Moreover, the undersigned finds no issues with the proposed claim forms. Doc. 82-1 at 50-59.

4. Summary

Based on the foregoing, the undersigned recommends that the Court direct the parties to revise the Short and Long Form Notices in compliance with this report to provide an accurate class definition and adequate description of the nature of the causes of action with specific claims. Also, the undersigned recommends that the Court direct the parties to revise the Short Form Notices to state that a Class Member may enter an appearance through an attorney if the Class Member so desires and to provide an accurate description of the amount of money in the funds.

The undersigned recommends that the content of the Short and Long Form Notices, the claims forms, and method of distribution be otherwise approved.

D. Fairness Hearing

The named Plaintiffs request that the Court set a final approval hearing. Doc. 82 at 2. Final approval of class actions is a two-step process that includes (1) preliminary approval and (2) a subsequent fairness hearing. O'Connor v. Worthington PJ, Inc., 2017 WL 6762436, at *3 (M.D. Fla. Dec. 13, 2017) (citing Holman v. Student Loan Xpress, Inc., 2009 WL 4015573, at *4 (M.D. Fla. Nov. 19, 2009)). The named Plaintiffs have adequately demonstrated that the settlement should be preliminarily approved with the exception of the recommended revisions to the Short and Long Form Notices. If the Court adopts this Report and Recommendation, then the undersigned anticipates that the Court will schedule the hearing on a date and time that the Court deems appropriate.

E. Final Approval Schedule

The named Plaintiffs have incorporated a “Settlement Timeline” in the Second Amended Settlement Agreement. Doc. 82-1 at 77-78. Upon review, the proposed schedule appears to be reasonable, and the undersigned recommends that the Court adopt the timeline.

F. Settlement Administrator

The named Plaintiffs also request that the Court appoint the proposed settlement administrator. Doc. 82 at 22. Often, parties settling a class action hire a settlement administrator to oversee the claiming process. See, e.g., Whitehead v. Advance Stores Co., 2017 WL 2404922 (M.D. Fla. Jan. 9, 2017) (appointing and confirming the responsibilities of a settlement administrator). The named Plaintiffs attach the declaration of Scott M. Fenwich, Senior Director of Kroll Settlement Administration, LLC (Kroll), who outlines Kroll's experience in class action matters, Kroll's anticipated service in this case as the settlement administrator, and the approximate administration costs. Doc. 82-3. The named Plaintiffs represent that the parties have agreed that “Kroll shall act as Settlement Administrator.” Doc. 82 at 22. The Second Amended Settlement Agreement reflects that “Settlement Administrator” means Kroll, a company experienced in administering class action claims. Doc. 82-1 at 14.

Upon due consideration, the undersigned recommends that Kroll be appointed as settlement administrator.

III. Conclusion

Based on the foregoing, the undersigned RECOMMENDS that the Court:

1. GRANT in part the Second Renewed Motion (Doc. 82) to the extent that:

a. the class be preliminarily certified for settlement purposes;
b. the settlement be preliminarily approved as fair, reasonable, and adequate;
c. the named Plaintiffs be appointed as class representatives;
d. the named Plaintiffs' counsel be appointed as class counsel;
e. Kroll be appointed as settlement administrator;
f. the Proposed Notices be approved for distribution provided the parties amend in accordance with this report;
g. deadlines be set and a final approval hearing and briefing be scheduled as the Court deems appropriate; and

2. DENY without prejudice the remainder of the Second Renewed Motion (Doc. 82).

NOTICE TO PARTIES

The party has fourteen days from the date the party is served a copy of this report to file written objections to this report's proposed findings and recommendations or to seek an extension of the fourteen-day deadline to file written objections. 28 U.S.C. § 636(b)(1)(C). A party's failure to serve and file written objections waives that party's right to challenge on appeal any unobjected-to factual finding or legal conclusion the district judge adopts from the Report and Recommendation. See 11th Cir. R. 3-1; 28 U.S.C. § 636(b)(1).
