No. 21-0095
11-19-2021
Marc E. Williams, Robert L. Massie, Thomas M. Hancock, Nelson Mullins Riley & Scarborough, LLP, Huntington, West Virginia, Attorneys for the Petitioners. Troy N. Giatras, Matthew Stonestreet, The Giatras Law Firm, PLLC, Charleston, West Virginia, Attorneys for the Respondents.
Jenkins, Chief Justice: In this original jurisdiction proceeding, petitioners, West Virginia University Hospitals – East, Inc., doing business as Berkeley Medical Center; City Hospital, Inc., doing business as Berkeley Medical Center; and the Charles Town General Hospital, doing business as Jefferson Medical Center (collectively "Hospitals"), seek a writ of prohibition to prohibit the Circuit Court of Jefferson County from enforcing its order granting class certification in the underlying civil action filed by the respondents, Deborah S. Welch ("Ms. Welch") and Eugene A. Roman ("Mr. Roman") (collectively "Welch and Roman"). The underlying suit arose after an employee of Hospitals misappropriated the private information of certain patients from Hospitals’ medical records during the course of performing her authorized job duties. Welch and Roman successfully certified a class of approximately 7,445 individuals, which represented every medical record accessed by the employee during the relevant period of her employment. Hospitals argue that the class representatives lack standing because they have suffered no injury-in-fact from the employee's legitimate access to their confidential records. We agree with respect to Ms. Welch, and, based upon our finding that she has suffered no injury-in-fact, we conclude that she lacks standing to bring the claims asserted in this matter. Hospitals additionally argue that certain prerequisites to class certification were not met in this case. We address this issue only as to Mr. Roman and the subclass of 109 individuals he represents and find that the circuit court failed to provide a thorough analysis of the typicality prerequisite in light of Mr. Roman's circumstances and claims. Accordingly, after considering the briefs and oral arguments of the parties, and the appendix record for this matter, we grant the requested writ and prohibit the circuit court from enforcing its order of December 23, 2020, granting class certification. 
We remand this case for additional proceedings consistent with this opinion.
I.
FACTUAL AND PROCEDURAL HISTORY
These facts are gleaned primarily from the circuit court's findings of fact contained in its order granting class certification. Angela Roberts ("Ms. Roberts") was hired in February 2014 to work as a registration specialist at the Berkeley Medical Center and the Jefferson Medical Center. Ms. Roberts's duties as a registration specialist involved assisting patients in scheduling their appointments with medical providers at Hospitals, which required her to access the patients’ protected health information that was stored in Hospitals’ electronic record system. Accordingly, Hospitals created a profile for Ms. Roberts giving her limited, role-based access to the patient information necessary for her job duties.
In March of 2016, two years after commencing her employment, Ms. Roberts began a romantic relationship with Ajarhi "Wayne" Roberts ("Mr. Roberts"). Mr. Roberts purportedly convinced Ms. Roberts to use her position as a registration specialist for Hospitals to steal personal information from patient files so that he could use the information in attempting to commit bank and credit card fraud. As related by the circuit court, to obtain this information without being detected by Hospitals, "Ms. Roberts’ modus operandi was to wait until a patient contacted her and then she would legitimately access the patient's records to perform her job duties." (Second emphasis added). While viewing the patient record for the legitimate purposes of her job duties, as she was authorized to do, "she simultaneously ‘cased’ those same records to ascertain whether that patient might also be a lucrative target of her identity theft conspiracy with Mr. Roberts." When she determined that a particular patient was a "lucrative target," she would write down the patient's private information on a slip of paper or print a copy of the patient's driver's license. Ms. Roberts would then provide the private information she stole to Mr. Roberts.
Despite sharing a surname, Ms. Roberts and Mr. Roberts are not related and were never married.
In December 2016, law enforcement officers conducted a search of Mr. Roberts's home; during the search, slips of paper transcribed by Ms. Roberts and printed copies of patients’ driver's licenses were found. Ultimately, private information relating to 113 individuals, including Mr. Roman, was found in Mr. Roberts's home. Ms. Welch's information was not found in Mr. Roberts's home.
Hospitals contend that it was not determined that Ms. Roberts's actions compromised all 113 individuals’ data; instead, stolen utility bills or data illicitly taken from other sources by other persons, which was also found in Mr. Roberts's apartment, could have compromised the data of some individuals. According to Hospitals, ten of the 113 victims have suffered some type of credit card fraud. Eventually, both Ms. Roberts and Mr. Roberts were criminally prosecuted and pled guilty to criminal charges.
After Hospitals became aware of the criminal investigation, they examined every record accessed by Ms. Roberts since the beginning of her relationship with Mr. Roberts. Hospitals determined that, as part of her job duties, Ms. Roberts legitimately accessed the data of approximately 7,445 patients between March 2016, when her relationship with Mr. Roberts began, and January 2017, when Hospitals became aware of Ms. Roberts's misconduct. Hospitals then sent one of two form letters to each of the patients whose records had been accessed by Ms. Roberts. The majority of those individuals received a letter, apparently dated February 23, 2017, advising them that, although
the criminal investigation is still ongoing, the authorities have confirmed that 113 of the 7,445 individuals are victims of identity theft to date. While you are not one of those individuals whose identity was stolen, and we do not have confirmation that your personal information was taken, we are notifying you in an abundance of caution. This letter is to provide you additional details regarding the incident and to provide you with protective measures and assistance from identity theft experts.
(Emphasis added). In addition, Hospitals advised this group that
To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year. Kroll is a global leader in risk mitigation and response, and its team has extensive experience helping people who have sustained an unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, Web Watcher, Fraud Consultation, and Identity Theft Restoration.
Ms. Roberts initially was suspended by Hospitals, and, ultimately, she was terminated as a result of her illegal conduct.
Some letters were addressed to the parent or guardian of, or to the family member of, the patient.
Patients whose information was found in Mr. Roberts's apartment received a similar letter, which stated in relevant part,
While the criminal investigation is still ongoing, the authorities have confirmed that 113 of the 7,445 individuals are victims of identity theft to date. Unfortunately, you are one of those individuals, it is our understanding that you have already been made aware of this investigation by the FBI and/or local law enforcement authorities. This letter is sent in follow up, to provide you additional details regarding the incident and to provide you with protective measures and assistance from identity theft experts.
More specifically, the police found copies of drivers’ licenses with photos, ID cards, Insurance cards, and/or Social Security cards in the possession of the perpetrator, including in some instances copies of documents containing patient signatures. We have confirmed that your name, address, date of birth, Social Security number, drivers’ license number, ID cards and numbers, and other data connecting family members to each other in some instances, was likely compromised. Unfortunately, the former employee had access to this information as part of employment as an Authorization/Prescheduling Coordinator, so criminal conduct could not be detected as part of UH's routine IT/privacy security checks. We have been able to track the former employee's system access and have determined further that the employee, in some instances, viewed physician orders containing diagnoses and other medical information.
....
To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year ....
(Emphasis added).
Thereafter, in February 2019, Ms. Welch, individually and on behalf of all others similarly situated, filed a complaint against Hospitals. In March 2020, an amended complaint was filed that added Mr. Roman as a named plaintiff, also individually and on behalf of all others similarly situated. The amended complaint alleged the following claims: Breach of the Duty of Confidentiality; Unjust Enrichment (by receiving payment from plaintiffs to perform services that included protecting plaintiffs’ sensitive information and failing to protect the same); Negligence (by failing to protect the confidentiality of personal and private information); Breach of Contract, Expressed and Implied (written services contract promised plaintiffs that defendant would only disclose health information when required to do so by law and promised to protect plaintiffs’ sensitive information); Negligent Supervision (by failing to ensure staff, employees, and others having access to customers’ sensitive information received adequate training, experience, and supervision in protecting sensitive information); Negligence (breach of duty of reasonable care in protecting the confidentiality of personal and private information); and Violations of the West Virginia Consumer Code (by failing to provide services to protect sensitive data, yet charging patients for such services).
Welch and Roman seek equitable relief in the form of credit protection and monitoring services, consumer credit insurance, and requiring Hospitals to "establish a specific device encryption security program to protect against the unauthorized disclosure" of confidential patient information. Welch and Roman also seek compensatory damages for credit and identity protection and monitoring for an extended period of years; punitive damages; monetary damages for annoyance, embarrassment, and emotional distress; monetary damages for the permanent lack of security and loss of privacy; restitution for any identity theft, to include costs incurred by the victim to remedy the effects of the theft; and restitution in an amount equal to the difference between the price class members paid in reliance upon defendants’ duty/promise to secure their private information and the actual services provided by defendants to protect that information.
In August 2020, Welch and Roman filed a motion for class certification, wherein they sought to certify a class consisting of "[a]ll West Virginia citizens whose personal information was accessed in the data breach identified by [Hospitals in their] February 23, 2017 correspondence to Deborah Welch." Welch and Roman also sought to certify a subclass of "the 109 West Virginia citizens whose misinformation [sic] was found in Angela Roberts [sic] and her co-conspirator [sic] possession." Hospitals opposed class certification and argued, in relevant part, that both named plaintiffs, Ms. Welch and Mr. Roman, lacked standing to represent the proposed class and subclass. With respect to Ms. Welch, Hospitals argued that, because Ms. Roberts had accessed Ms. Welch's data in the course of her authorized job duties, the data had not been misappropriated. Hospitals also argued that Mr. Roman was not an appropriate class representative because Welch and Roman had failed to establish how Mr. Roman's information had come into Mr. Roberts's possession.
This was the second motion for class certification. An earlier motion filed by Ms. Welch was never ruled upon. Ms. Welch filed her motion for leave to amend her complaint before the circuit court ruled upon her motion for class certification. After the amended complaint was filed adding Mr. Roman as a plaintiff, Welch and Roman filed a second motion for class certification.
Although the data of 113 people was found in Mr. Roberts's apartment, only the 109 who are West Virginia citizens were included in the subclass.
Following briefing and a hearing, the circuit court entered an order dated December 23, 2020, granting class certification. The circuit court specifically certified a class that includes "all West Virginia citizens residents [sic] whose personal information was accessed in the data breach identified by the Defendant [Hospitals] in [their] February 23, 2017 data breach notices." The circuit court additionally certified "a subclass of those 109 individuals whose information was found in the possession of Ms. Roberts’[s] accomplice." Finally, the circuit court appointed Ms. Welch and Mr. Roman as class representatives. The instant petition for writ of prohibition, seeking to prevent the circuit court from enforcing its class certification order, followed.
No transcript of the hearing was included in either the appendix record or the supplemental appendix.
II.
STANDARD FOR ISSUANCE OF WRIT
Hospitals argue that a writ of prohibition is appropriate because the circuit court's class certification order is clearly erroneous as a matter of law and petitioners will be irreparably harmed if forced to litigate an improperly certified class action. We have previously recognized that "[A]n order awarding class action standing is ... reviewable, but only by writ of prohibition." Syl. pt. 2, in part, McFoy v. Amerigas, Inc., 170 W. Va. 526, 295 S.E.2d 16 (1982). With respect to a writ of prohibition, it is well established that "A writ of prohibition will not issue to prevent a simple abuse of discretion by a trial court. It will only issue where the trial court has no jurisdiction or having such jurisdiction exceeds its legitimate powers. W. Va. Code 53-1-1." Syl. pt. 2, State ex rel. Peacher v. Sencindiver, 160 W. Va. 314, 233 S.E.2d 425 (1977). Here, Hospitals claim the circuit court exceeded its legitimate powers.
In determining whether to entertain and issue the writ of prohibition for cases not involving an absence of jurisdiction but only where it is claimed that the lower tribunal exceeded its legitimate powers, this Court will examine five factors: (1) whether the party seeking the writ has no other adequate means, such as direct appeal, to obtain the desired relief; (2) whether the petitioner will be damaged or prejudiced in a way that is not correctable on appeal; (3) whether the lower tribunal's order is clearly erroneous as a matter of law; (4) whether the lower tribunal's order is an oft repeated error or manifests persistent disregard for either procedural or substantive law; and (5) whether the lower tribunal's order raises new and important problems or issues of law of first impression. These factors are general guidelines that serve as a useful starting point for determining whether a discretionary writ of prohibition should issue. Although all five factors need not be satisfied, it is clear that the third factor, the existence of clear error as a matter of law, should be given substantial weight.
Syl. pt. 4, State ex rel. Hoover v. Berger, 199 W. Va. 12, 483 S.E.2d 12 (1996). We will apply these standards to the issues raised by Hospitals.
III.
DISCUSSION
Through their petition for writ of prohibition, Hospitals raise two issues. First, Hospitals argue that the circuit court erred in certifying a class that includes named plaintiffs and others who suffered no injury-in-fact and, therefore, do not have standing to maintain a claim. Hospitals also argue that the circuit court erred by certifying a class when the prerequisites of West Virginia Rule of Civil Procedure 23 were not met. We address these issues in turn.
A. Standing
Hospitals challenge the standing of the named plaintiffs and other members of the class certified by the circuit court. This Court previously has recognized that
Article VIII, Section 6 of the West Virginia Constitution establishes that there must be a justiciable case or controversy—a legal right claimed by one party and denied by another—in order for the circuit court to have subject matter jurisdiction. In part, this means the party asserting a legal right must have standing to assert that right.
State ex rel. Healthport Techs., LLC v. Stucky, 239 W. Va. 239, 242, 800 S.E.2d 506, 509 (2017) (footnote omitted). "This Court has defined standing as [a] party's right to make a legal claim or seek judicial enforcement of a duty or right." Tabata v. Charleston Area Med. Ctr., Inc., 233 W. Va. 512, 516, 759 S.E.2d 459, 463 (2014) (per curiam) (quotations and citation omitted). We have clarified that "The focus of a standing analysis is not on the validity of the claim but instead is ‘on the appropriateness of a party bringing the questioned controversy to the court.’ " HealthPort, 239 W. Va. at 243, 800 S.E.2d at 510 (quoting Findley v. State Farm Mut. Auto. Ins. Co., 213 W. Va. 80, 95, 576 S.E.2d 807, 822 (2002)). "The burden for establishing standing is on the plaintiff." Id. See also Zeyen v. Pocatello/Chubbuck Sch. Dist. No. 25, 165 Idaho 690, 451 P.3d 25, 32 (2019) ("Those seeking to certify a class must first show that they have standing.").
In a class action lawsuit, standing is analyzed based upon the named plaintiffs or class representatives. See Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017) ("In a class action, we analyze standing based on the allegations of personal injury made by the named plaintiffs."); Zeyen, 451 P.3d at 33 ("For class actions, standing is met ‘if at least one named plaintiff satisfies the requirements of standing against every named defendant.’ " (quoting Tucker v. State, 162 Idaho 11, 394 P.3d 54, 62 (2017))); Elliot v. Chicago Transit Auth., No. 1-18-1892, 2019 IL App (1st) 181892-U, ¶ 20, 2019 WL 5296835, *3 (Ill. App. Ct. 2019) ("In assessing standing in a purported class action ... we focus on the named plaintiff's allegations, not the general class she purports to represent."); Rosen v. Cont'l Airlines, Inc., 430 N.J.Super. 97, 62 A.3d 321, 327 (N.J. Super. Ct. App. Div. 2013) ("It is well established that, in order to bring a class action lawsuit, the named representative must individually have standing to bring their claims."); Heckman v. Williamson Cnty., 369 S.W.3d 137, 153 (Tex. 2012) ("[N]amed plaintiffs who seek to represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." (quotations and citations omitted)). Cf. 1 William B. Rubenstein, Newberg on Class Actions § 2:1 at 58 (5th edition 2011) (discussing federal law and observing that "In class action cases, the standing inquiry focuses on the class representatives. The class representatives must have individual standing in order to sue." (footnotes omitted)). But see Lucas Subway MidMo, Inc. v. Mandatory Poster Agency, Inc., 524 S.W.3d 116, 131 (Mo. Ct. App. 2017) ("Only once a class has been certified are standing requirements assessed with reference to the class as a whole, not simply with reference to the individual named plaintiffs." (quotations and citation omitted)).
It has been recognized that
Courts use the phrase "class representatives" interchangeably with the phrase "named plaintiffs" although the two are not necessarily the same. The "named plaintiffs" are those plaintiffs identified individually in the complaint, on whose behalf the case is brought absent class certification; the "class representatives" are those plaintiffs whom class counsel proposes, and a court appoints, to represent the class.
1 William B. Rubenstein, Newberg on Class Actions § 2:1 at 58 n.8 (5th edition 2011). In this case, because the circuit court already has certified the class, we refer to Welch and Roman as class representatives.
Where, as here, multiple claims are asserted, plaintiffs must demonstrate that at least one named plaintiff has standing for each claim asserted. See Wofford v. M.J. Edwards & Sons Funeral Home Inc., 528 S.W.3d 524, 542 (Tenn. Ct. App. 2017) (" ‘[E]ach claim must be analyzed separately, and a claim cannot be asserted on behalf of a class unless at least one named plaintiff has suffered the injury that gives rise to that claim.’ " (quoting Prado–Steiman ex rel. Prado v. Bush, 221 F.3d 1266, 1280 (11th Cir. 2000))); Andrade v. NAACP of Austin, 345 S.W.3d 1, 14 (Tex. 2011) (" ‘[A] plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought.’ " (quoting Davis v. Fed. Election Comm'n, 554 U.S. 724, 734, 128 S. Ct. 2759, 171 L. Ed. 2d 737 (2008))). See also TransUnion LLC v. Ramirez, ––– U.S. ––––, 141 S. Ct. 2190, 2208, 210 L. Ed. 2d 568 (2021) ("[S]tanding is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek (for example, injunctive relief and damages)."); 1 Rubenstein, Newberg on Class Actions § 2:5 at 72 ("In a class action suit with multiple claims, at least one named class representative must have standing with respect to each claim." (footnote omitted)). Based upon the foregoing, we now expressly hold that, in order to bring a class action lawsuit, at least one named plaintiff must have standing with respect to each claim asserted, and the burden of establishing standing is on the plaintiff(s).
The elements necessary to establish standing have been set out as follows:
Standing is comprised of three elements: First, the party attempting to establish standing must have suffered an "injury-in-fact"—an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent and not conjectural or hypothetical. Second, there must be a causal connection between the injury and the conduct forming the basis of the lawsuit. Third, it must be likely that the injury will be redressed through a favorable decision of the court.
Syl. pt. 5, Findley v. State Farm Mut. Auto. Ins. Co., 213 W. Va. 80, 576 S.E.2d 807 (2002). This syllabus point makes clear that all three elements must be present; thus, if one element is absent, there is no standing. We first address Ms. Welch's standing to represent the class of "all West Virginia citizens ... whose personal information was accessed in the data breach identified by the Defendant [Hospitals] in [their] February 23, 2017 data breach notices."
Hospitals argue that Ms. Welch suffered no injury-in-fact and, therefore, fails to meet the first element of the standing inquiry. Discussing this first element, we have explained that
In order to have standing to sue, a party must allege an injury in fact, either economic or otherwise, which is the result of the challenged action. To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized. For an injury to be particularized, it must affect the plaintiff in a personal and individual way. To be a concrete injury, it must actually exist. The injury must also be actual or imminent, not conjectural or hypothetical. Injury in fact is easily established when a litigant demonstrates a direct, pocketbook injury.
HealthPort, 239 W. Va. at 243, 800 S.E.2d at 510 (footnotes, quotations, and citations omitted). The injury upon which each of the claims asserted by Welch and Roman is founded is the breach of their confidential information or an invasion of their privacy. Accordingly, in order for Welch to establish an injury-in-fact with respect to these various claims, she must have actually suffered a breach of her confidential information. As Welch and Roman observe, this Court has previously addressed the existence of a breach of the duty of confidentiality in the context of a medical provider and held, "A patient does have a cause of action for the breach of the duty of confidentiality against a treating physician who wrongfully divulges confidential information." Syl. pt. 4, Morris v. Consolidation Coal Co., 191 W. Va. 426, 446 S.E.2d 648 (1994) (emphasis added). Because Morris was addressing certified questions, and the facts of the case were undeveloped, the Court could not apply the holding to the facts of the case.
Welch and Roman asserted the following claims: (1) Breach of the Duty of Confidentiality; (2) Unjust Enrichment (by receiving payment from plaintiffs to perform services that included protecting plaintiffs’ sensitive information and failing to protect the same); (3) Negligence (by failing to protect the confidentiality of personal and private information); (4) Breach of Contract, Expressed and Implied (written services contract promised plaintiffs that defendant would only disclose health information when required to do so by law and promised to protect plaintiffs’ sensitive information); (5) Negligent Supervision (by failing to ensure staff, employees, and others having access to customers’ sensitive information received adequate training, experience, and supervision in protecting sensitive information); (6) Negligence (breach of duty of reasonable care in protecting the confidentiality of personal and private information); and (7) Violations of the West Virginia Consumer Code (by failing to provide services to protect sensitive data, yet charging patients for such services).
However, in Tabata v. Charleston Area Medical Center ["CAMC"], 233 W. Va. 512, 759 S.E.2d 459, the Court was presented with a factual scenario that allowed for the application of the Morris holding. Tabata addressed whether proposed class members had standing following a hospital data breach that involved a CAMC database containing the personal and medical information of certain CAMC patients being accidentally placed on the Internet. The Court noted that the parties were not aware of any "unauthorized and malicious users attempting to access or actually accessing their information," of any "affected patients having any actual or attempted identity theft," or of any patient suffering "any property injuries or ... any actual economic losses." Tabata, 233 W. Va. at 516, 759 S.E.2d at 463. Nevertheless, the act of placing confidential data on the Internet was a wrongful divulgence as required by Syllabus point 4 of Morris. Thus, the Tabata Court applied the Morris holding and concluded that
Applying our law on standing to the petitioner's breach of confidentiality claim, we find that the petitioners, as patients of CAMC, have a legal interest in having their medical information kept confidential.
In addition, this legal interest is concrete, particularized, and actual. When a medical professional wrongfully violates this right, it is an invasion of the patient's legally protected interest. Therefore, the petitioners and the proposed class members have standing to bring a cause of action for breach of confidentiality against the respondents.
Id. at 517, 759 S.E.2d at 464. The circumstances presented in Tabata are distinguishable from the instant matter, however, because Ms. Roberts's access of patient files was authorized as part of her legitimate job duties.
To the contrary, Welch and Roman argue that Ms. Welch suffered a concrete and particularized claim for breach of confidentiality because her personal data was viewed for a dual purpose. They contend that, from March 1, 2016, through January 17, 2017, when Ms. Roberts examined the personal medical information of each of the 7,445 class members, including Ms. Welch's, she did so not only for Hospitals’ authorized purposes, but also for Mr. Roberts's illicit business. Thus, under the theory urged by Welch and Roman, Ms. Roberts's authorized access of confidential patient information for legitimate hospital purposes became wrongful when she merely considered whether to divulge the data, but engaged in no overt act to actually divulge the information. We reject this argument. Because Ms. Roberts was authorized to access confidential patient data as part of her work duties, her act of viewing Ms. Welch's confidential information as part of her legitimate job duties does not amount to the data being wrongfully divulged as required by Morris. Cf. TransUnion, ––– U.S. at ––––, 141 S. Ct. at 2210, 210 L. Ed. 2d 568 ("The mere presence of an inaccuracy in an internal credit file, if it is not disclosed to a third party, causes no concrete harm. In cases such as these where allegedly inaccurate or misleading information sits in a company database, the plaintiffs’ harm is roughly the same, legally speaking, as if someone wrote a defamatory letter and then stored it in her desk drawer. A letter that is not sent does not harm anyone, no matter how insulting the letter is. So too here.").
Similarly, to the extent that Welch and Roman assert an invasion of privacy claim, such a claim requires an "unreasonable intrusion." "An ‘invasion of privacy’ includes (1) an unreasonable intrusion upon the seclusion of another; (2) an appropriation of another's name or likeness; (3) unreasonable publicity given to another's private life; and (4) publicity that unreasonably places another in a false light before the public." Syl. pt. 8, Crump v. Beckley Newspapers, Inc., 173 W. Va. 699, 320 S.E.2d 70 (1983). See also Syl. pt. 1, Roach v. Harper, 143 W. Va. 869, 105 S.E.2d 564 (1958) ("The right of privacy, including the right of an individual to be let alone and to keep secret his private communications, conversations and affairs, is a right the unwarranted invasion or violation of which gives rise to a common-law right of action for damages." (emphasis added)). Because Ms. Roberts's access to Ms. Welch's file was authorized as part of her legitimate job duties, such access was not an unreasonable intrusion, and, thus, was not an invasion of privacy. See, e.g., Albanese Confectionery Grp., Inc. v. Cwik, 165 N.E.3d 139 (Ind. Ct. App. 2021) (finding employer did not invade the privacy of employee by remotely resetting employee's personal phone where reset was authorized); Squeri v. Mount Ida Coll., 954 F.3d 56, 69 (1st Cir. 2020) (finding no invasion of privacy where transfer of students’ "financial and academic information was ‘justified’ because it was authorized under Massachusetts law"); Juge v. Springfield Wellness, L.L.C., 274 So. 3d 1, 8 (La. Ct. App. 2019) ("[A] defendant's conduct is reasonable and non-actionable, even though it may slightly invade a plaintiff's privacy if the action is properly authorized ....").
Welch and Roman additionally argue that standing in a data breach case does not require actual identity theft. However, we find the cases upon which they rely are factually distinguishable from the instant matter, because Ms. Roberts's access to Ms. Welch's confidential data was an authorized function of her legitimate job duties, whereas the cases relied upon by Welch and Roman involve unauthorized access to confidential data. See Attias v. Carefirst, Inc., 865 F.3d 620, 623 (D.C. Cir. 2017) ("[A]n unknown intruder breached twenty-two CareFirst computers and reached a database containing its customers’ personal information."); Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 385 (6th Cir. 2016) (hackers breached Nationwide Mutual Insurance Company's computer network and stole the personal information of plaintiffs and 1.1 million others); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (involving an attack by hackers who stole the credit card numbers of Neiman Marcus customers); Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) (electronic payment processing system of national grocery chain was breached by hackers who stole up to 4.2 million credit and debit card numbers, expiration dates, and security codes); Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 746 (S.D.N.Y. 2017) (employee's response to phishing email resulted in cyber-criminals obtaining plaintiffs’ personally identifiable information ("PII"), and "[c]omplaint allege[d] that Defendant divulged information" and that the PII "was provided directly to cybercriminals" (emphasis added)).
Based upon the foregoing analysis, we find that Ms. Welch has not suffered an injury-in-fact arising from a breach of her confidential information or invasion of her privacy and, therefore, she lacks standing to assert those claims against Hospitals. Because Ms. Welch lacks standing, the circuit court erred as a matter of law in certifying the class of plaintiffs she represents. See , e.g., Rosen, 62 A.3d at 327 ("It is well established that, in order to bring a class action lawsuit, the named representative must individually have standing to bring their claims."); Wofford , 528 S.W.3d at 542 ("[A] claim cannot be asserted on behalf of a class unless at least one named plaintiff has suffered the injury that gives rise to that claim." (quotations and citation omitted)). Accordingly, we grant the requested writ and prohibit the circuit court from enforcing that portion of its order of December 23, 2020, granting class certification to "all West Virginia citizens residents [sic] whose personal information was accessed in the data breach identified by the Defendant [Hospitals] in [their] February 23, 2017 data breach notices."
To the extent that it is undisputed that confidential information pertaining to Mr. Roman was found in Mr. Roberts's apartment, we are unable to conclude that he has suffered no injury-in-fact. Therefore, we find no error of law that would entitle Hospitals to a writ of prohibition as to Mr. Roman's standing. See Syl. pt. 4, State ex rel. Hoover v. Berger , 199 W. Va. 12, 483 S.E.2d 12 (acknowledging that the existence of clear error as a matter of law should be given substantial weight in determining whether to issue a writ of prohibition). We next consider whether the circuit court properly certified the subclass Mr. Roman represents in accordance with the prerequisites to class certification set out in Rule 23 of the West Virginia Rules of Civil Procedure.
B. Class Certification Prerequisites
Because we already have concluded that Ms. Welch lacked standing, we address class certification only as to Mr. Roman and the subclass he represents, which was defined by the circuit court as "those 109 individuals whose information was found in the possession of Ms. Roberts’[s] accomplice." Class certification is governed by Rule 23 of the West Virginia Rules of Civil Procedure. It is well established that,
The portions of Rule 23 that are relevant to the instant matter provide:
(a) Prerequisites to a Class Action. — One or more members of a class may sue or be sued as representative parties on behalf of all only if (1) the class is so numerous that joinder of all members is impracticable, (2) there are questions of law or fact common to the class, (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class, and (4) the representative parties will fairly and adequately protect the interests of the class.
(b) Class Actions Maintainable. — An action may be maintained as a class action if the prerequisites of subdivision (a) are satisfied, and in addition:
....
(3) The court finds that the questions of law or fact common to the members of the class predominate over any questions affecting only individual members, and that a class action is superior to other available methods for the fair and efficient adjudication of the controversy. The matters pertinent to the findings include: (A) the interest of members of the class in individually controlling the prosecution or defense of separate actions; (B) the extent and nature of any litigation concerning the controversy already commenced by or against members of the class; (C) the desirability or undesirability of concentrating the litigation of the claims in the particular forum; (D) the difficulties likely to be encountered in the management of a class action.
W. Va. R. Civ. P. 23(a) & (b).
Before certifying a class under Rule 23 of the West Virginia Rules of Civil Procedure [2017], a circuit court must determine that the party seeking class certification has satisfied all four prerequisites contained in Rule 23(a)—numerosity, commonality, typicality, and adequacy of representation—and has satisfied one of the three subdivisions of Rule 23(b). As long as these prerequisites to class certification are met, a case should be allowed to proceed on behalf of the class proposed by the party.
Syl. pt. 8, In re W. Va. Rezulin Litig., 214 W. Va. 52, 585 S.E.2d 52 (2003). We have further recognized that " ‘Whether the requisites for a class action exist rests within the sound discretion of the trial court.’ Syllabus Point 5, Mitchem v. Melton, 167 W. Va. 21, 277 S.E.2d 895 (1981)." Syl. pt. 5, State ex rel. Surnaik Holdings of W. Va., LLC v. Bedell, 244 W. Va. 248, 852 S.E.2d 748 (2020) (additional quotations and citation omitted). However,
"A class action may only be certified if the trial court is satisfied, after a thorough analysis, that the prerequisites of Rule 23(a) of the West Virginia Rules of Civil Procedure have been satisfied." Syl. Pt. 8 (in part), State ex rel. Chemtall Inc. v. Madden, 216 W. Va. 443, 607 S.E.2d 772 (2004) (italics added).
Syl. pt. 1, State ex rel. W. Va. Univ. Hosps., Inc. v. Gaujot, 242 W. Va. 54, 829 S.E.2d 54 (2019). And, while " ‘doubtful case[s] should be resolved in favor of allowing class certification[,]’ ... [t]hat does not mean ... that certification determinations are perfunctory." Gaujot, 242 W. Va. at 62, 829 S.E.2d at 62 (quoting Rezulin Litig., 214 W. Va. at 65, 585 S.E.2d at 65). Indeed, we have cautioned that
"[F]ailure to conduct a thorough analysis ... amounts to clear error." Chemtall, 216 W. Va. at 454, 607 S.E.2d at 783. It is also an abuse of discretion. Brown v. Nucor Corp., 785 F.3d 895, 902 (4th Cir. 2015) ("A district court abuses its discretion when it materially misapplies the requirements of Rule 23."). The circuit court must approach certification decisions in a conscientious, careful, and methodical fashion.
Gaujot, 242 W. Va. at 62, 829 S.E.2d at 62.
Additionally, Mr. Roman had the burden of establishing that class certification was justified.
"The party who seeks to establish the propriety of a class action has the burden of proving that the prerequisites of Rule 23 of the West Virginia Rules of Civil Procedure have been satisfied." Syllabus Point 6, Jefferson County Board of Education v. Jefferson County Education Association , 183 W. Va. 15, 393 S.E.2d 653 (1990).
Syl. pt. 4, Rezulin Litig., 214 W. Va. 52, 585 S.E.2d 52. See also Surnaik Holdings, 244 W. Va. at 256, 852 S.E.2d at 756 ("The party who proposes certification bears the burden of proving that certification is warranted."). Finally, when, as in this case, there is a subclass, the subclass must independently meet the Rule 23 criteria.
"[W]hen subclasses are requested by the moving party or ordered by the court, it is generally settled that each subclass must independently satisfy class action criteria[.]" Alba Conte, Esq. and Herbert B. Newberg, Esq., Newberg on Class Actions, § 3:9, pp. 267-268 (4th ed. 2002) (footnote omitted). See also, Johnson v. American Credit Co. of Georgia, 581 F.2d 526, 532 (5th Cir. 1978) (declaring that "[a] subclass ... must independently meet all of Rule 23’s requirements for maintenance of a class action" citing 7A C. Wright & A. Miller, Federal Practice and Procedure: Civil § 1790, at 191-92 (1972)); Bates v. United Parcel Service, 204 F.R.D. 440, 443 (N.D. Cal. 2001) [(]stating that "[i]f the court divides the class into subclasses under Rule 23(c)(4)(B), then ‘each subclass must independently meet the requirements for the maintenance of a class action’ " (citation omitted)[)]; Betts v. Reliable Collection Agency, Ltd., 659 F.2d 1000, 1005 (9th Cir. 1981) (recognizing that "each subclass must independently meet the requirements of Rule 23 for the maintenance of a class action").
State of W. Va. ex rel. Chemtall Inc. v. Madden, 216 W. Va. 443, 456, 607 S.E.2d 772, 785 (2004).
Hospitals have not challenged numerosity, so that factor will not be addressed. Their challenge to commonality does not address Mr. Roman particularly. Instead, it is framed in the context of the entire class of 7,445 patients whose records were viewed by Ms. Roberts during the relevant timeframe. Thus, the issue of commonality, as framed in Hospitals’ brief, has been effectively resolved by our determination above that the class represented by Ms. Welch was improperly certified due to her lack of standing. The remaining two factors challenged by Hospitals are typicality and predominance. We find that the propriety of issuing a writ of prohibition is resolved by the typicality factor. Therefore, we address only that issue.
With respect to typicality, this Court has held:
The "typicality" requirement of Rule 23(a)(3) of the West Virginia Rules of Civil Procedure [2017] requires that the "claims or defenses of the representative parties [be] typical of the claims or defenses of the class." A representative party's claim or defense is typical if it arises from the same event or practice or course of conduct that gives rise to the claims of other class members, and if his or her claims are based on the same legal theory. Rule 23(a)(3) only requires that the class representatives’ claims be typical of the other class members’ claims, not that the claims be identical. When the claim arises out of the same legal or remedial theory, the presence of factual variations is normally not sufficient to preclude class action treatment.
Syl. pt. 12, Rezulin Litig., 214 W. Va. 52, 585 S.E.2d 52. In finding that typicality was met in this case, the circuit court concluded:
86. In this case, all of the class members’ claims arise from the same or similar alleged breach of privacy from the same employee of Defendant.
87. Each named Plaintiff shares identical legal theories with the proposed class, which exceeds the typicality requirement.
88. The harm suffered by the named Plaintiffs may "differ in degree from that suffered by other members of the class so long as the harm suffered is of the same type." In re West Virginia Rezulin Litigation, 214 W. Va. at 68, 585 S.E.2d at 68 (quoting Boggs v. Divested Atomic Corp., 141 F.R.D. 58, 65 (S.D. Ohio 1991)). (Emphasis in original).
89. The class representatives in this case share identical claims with the other class members.
90. Ms. Welch and Mr. Roman are victims of the Defendants[,] and they were subjected to the same and repeated medical information breaching conduct, by the very same third-party employee as the rest of the putative class members.
91. Ms. Welch and Mr. Roman seek the very same claims and bring forth the same legal theories as the rest of the class[,] so it is easily confirmed that these claims are sufficiently typical to satisfy the typicality component.
92. It is also clear that the Defendants present defenses that support typicality. If the Defendant is correct that none of the putative class members hold WVCCPA [Consumer Credit and Protection Act] claims based on misrepresentations, then that defense would be true for the entire proposed class.
93. The fact that the defenses are typical further supports that the typicality threshold is met.
94. Here, Ms. Welch and Mr. Roman bring identical claims[,] and the Defendants bring typical defenses to these claims. Thus, it is clear the typicality requirement is satisfied.
95. Thus, in this case, the Court FINDS and CONCLUDES that the claims of the named Plaintiffs are of the same type, if not identical, as the claims of the putative class members.
96. Based on the foregoing, the Court further CONCLUDES that the claims of the named Plaintiffs are typical of the putative class and Rule 23(a)(3) is satisfied.
Here, the claims asserted by Mr. Roman, which he also brings on behalf of the subclass, purportedly arise from the same incident, that being Ms. Roberts's alleged theft of the plaintiff's confidential information and providing the same to Mr. Roberts. However, Hospitals argued to the circuit court, as well as to this Court, that Mr. Roman failed to carry his burden to establish that his claims are typical of these claims. In this regard, Hospitals have argued that no evidence has been produced indicating how Mr. Roman's information came into the possession of Mr. Roberts. Hospitals argue that such evidence is necessary because Mr. Roman does not recall receiving a letter from Hospitals alerting him that there had been a breach when this letter was a key allegation in the amended complaint. In fact, Mr. Roman stated in his deposition that he learned of the data breach from law enforcement officers when he reported irregularities in one of his credit accounts that he noticed while making an online payment. He also testified that he never called Hospitals to schedule an appointment. Rather, he arrived at the hospital and provided his information in person to an individual who he did not believe to be Ms. Roberts. The lack of evidence establishing that Ms. Roberts actually accessed Mr. Roman's information calls into question whether his claims are, in fact, typical of the class he has been appointed by the circuit court to represent. Yet the circuit court failed to address this issue in finding typicality. It has been observed that,
The claims asserted by Mr. Roman are breach of the duty of confidentiality; unjust enrichment; negligence; breach of contract, expressed and implied; negligent supervision; and violations of the West Virginia Consumer Code.
At one point in his deposition, Mr. Roman stated, "The one time that I did see her [Ms. Roberts] in the courtroom she definitely was not the person that --- that I had given the information to previously."
Since courts cannot assess whether an individual is sufficiently similar to the class as a whole without knowing something about both the individual and the class, courts must consider the attributes of the proposed representatives, the class as a whole, and the similarity between the proposed representatives and the class. This investigation properly focuses on the similarity of the legal theory and legal claims; the similarity of the individual circumstances on which those theories and claims are based; and the extent to which the proposed representative may face significant unique or atypical defenses to his/her claims.
Louis J. Palmer, Jr., and Robin Jean Davis, Litigation Handbook on West Virginia Rules of Civil Procedure, § 23(a), at 632 (5th ed. 2017) (footnote omitted). Due to the absence of any consideration by the circuit court of Mr. Roman's individual circumstances as they relate to the claims he asserts, we find the circuit court's order fails to provide the "thorough analysis" required by Chemtall and Gaujot. In reaching this conclusion, we are mindful that
"When a circuit court is evaluating a motion for class certification under Rule 23 of the West Virginia Rules of Civil Procedure [2017], the dispositive question is not whether the plaintiff has stated a cause of action or will prevail on the merits, but rather whether the requirements of Rule 23 have been met." Syl. Pt. 7, In re W. Va. Rezulin Litig., 214 W. Va. 52, 585 S.E.2d 52 (2003).
Syl. pt. 4, Gaujot, 242 W. Va. 54, 829 S.E.2d 54. However, we have recognized that, "Determining whether the requirements of Rule 23 of the West Virginia Rules of Civil Procedure [2017] have been met often involves, by necessity, some ‘coincidental’ consideration of the merits. Gariety v. Grant Thornton, LLP, 368 F.3d 356, 366 (4th Cir. 2004)." Syl. pt. 5, Gaujot, 242 W. Va. 54, 829 S.E.2d 54. Accordingly, to the extent that questions related to Ms. Roberts's access to Mr. Roman's information goes to the merits of his claims,
"Merits questions may be considered to the extent—but only to the extent—that they are relevant to determining whether the Rule 23 prerequisites for class certification are satisfied." Amgen Inc. v. Connecticut Ret. Plans & Tr. Funds, 568 U.S. 455, 466, 133 S. Ct. 1184, 1195, 185 L. Ed. 2d 308 (2013).
Syl. pt. 7, Gaujot, 242 W. Va. 54, 829 S.E.2d 54. Moreover, "When consideration of questions of merit is essential to a thorough analysis of whether the prerequisites of Rule 23 of the West Virginia Rules of Civil Procedure [2017] for class certification are satisfied, failing to undertake such consideration is clear error and an abuse of discretion." Syl. pt. 8, id.
Typicality is one of the factors that must be found in order to certify a class. See Syl. pt. 8, in part, Rezulin Litig., 214 W. Va. 52, 585 S.E.2d 52 ("Before certifying a class under Rule 23 of the West Virginia Rules of Civil Procedure [2017], a circuit court must determine that the party seeking class certification has satisfied all four prerequisites contained in Rule 23(a)—numerosity, commonality, typicality, and adequacy of representation ...."). Because the circuit court failed to thoroughly analyze typicality with respect to Mr. Roman's individual circumstances as they relate to the claims he asserts and the class he represents, we grant the requested writ and prohibit the circuit court from enforcing that portion of its order of December 23, 2020, granting class certification to "a subclass of those 109 individuals whose information was found in the possession of Ms. Roberts’[s] accomplice."
Although we find it unnecessary to address Hospitals’ challenge to the circuit court's analysis of the predominance factor of Rule 23(b)(3), we note that, after the briefing for class certification had been completed below, this Court announced a new holding addressing predominance in Syllabus point 7 of State ex rel. Surnaik Holdings of West Virginia, LLC v. Bedell, 244 W. Va. 248, 852 S.E.2d 748 (2020):
When a class action certification is being sought pursuant to West Virginia Rule of Civil Procedure 23(b)(3), a class action may be certified only if the circuit court is satisfied, after a thorough analysis, that the predominance and superiority prerequisites of Rule 23(b)(3) have been satisfied. The thorough analysis of the predominance requirement of West Virginia Rule of Civil Procedure 23(b)(3) includes (1) identifying the parties’ claims and defenses and their respective elements; (2) determining whether these issues are common questions or individual questions by analyzing how each party will prove them at trial; and (3) determining whether the common questions predominate. In addition, circuit courts should assess predominance with its overarching purpose in mind—namely, ensuring that a class action would achieve economies of time, effort, and expense, and promote uniformity of decision as to persons similarly situated, without sacrificing procedural fairness or bringing about other undesirable results. This analysis must be placed in the written record of the case by including it in the circuit court's order regarding class certification.
Should the circuit court be asked to reconsider class certification on remand, it should carefully apply this standard in assessing the predominance requisite to class certification.
IV.
CONCLUSION
For the reasons stated in the body of this opinion, we grant the requested writ and prohibit the circuit court from enforcing its order of December 23, 2020, granting class certification. We remand this case for additional proceedings consistent with this opinion.
Writ Granted.
JUSTICE HUTCHISON and JUSTICE WOOTON dissent and reserve the right to file dissenting opinions.
Justice Hutchison, dissenting, and joined by Justice Wooton:
I dissent because neither the record nor the law support the issuance of a writ of prohibition.
Because of the proliferation of data breaches, the law is rapidly evolving on the question of whether plaintiffs, whose data has been stolen, have sufficiently pleaded an injury-in-fact. As one federal judge noted, "[t]here are only two types of companies left in the United States, according to data security experts: ‘those that have been hacked and those that don't know they've been hacked.’ " Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 360 (M.D. Pa. 2015).
The majority opinion has done a disservice to the people of West Virginia and impaired their ability to pursue relief when their data is stolen from a hospital's computer system by a hospital employee. The majority opinion's factual conclusions in support of their legal conclusions set this State apart from just about every other jurisdiction in the nation that has addressed the issue of data breaches.
First, I am troubled that the majority opinion sidestepped the 1,642-page record and, instead, cherry-picked a handful of facts "primarily from the circuit court's findings of fact contained in its order granting class certification." The majority opinion focuses on the notion asserted by West Virginia University Hospitals—East, Inc. ("WVU Hospitals"), that Angela Roberts ("Angela") "legitimately accessed" the data of approximately 7,445 patients in the last 8 months of 2016. Looking at the facts through the hospital's rosy lens, the opinion paints a picture of a blameless hospital victimized by a lone employee.
––– W.Va. at ––––, 866 S.E.2d at 192.
The majority opinion recites, but then artfully dodges, Angela's admission that she looked at every patient's account with a dual purpose: legitimate work and to steal data for her boyfriend, Wayne Roberts ("Wayne"). Angela as an employee was an agent of her master and employer, WVU Hospitals; thus, everything Angela did she did in the position of the hospital. In her deposition, Angela admitted that the patient files she "looked at every day were all ... potential victims." Angela said that even though she "looked at everybody's records for the legitimate purpose, the business purpose," she was also "looking at those records at the same time for an illegitimate purpose and that is to take names and addresses and Social Security numbers for Wayne[.]" When Angela looked at a patient's computer record, she always asked herself if the patient "had enough information on their accounts" and, if so, she would "get their info ... for Wayne."
By sidestepping the facts as they are in the record, the majority opinion misses that Angela designed her movements to conceal her criminal activity. Angela was successful because WVU Hospitals carelessly created and operated a system that permitted her to steal patient data at will. Angela admitted she did not access patient accounts "willy nilly," "this account here, that account there." Angela said she stole the information from "accounts that I was legitimately in for whatever reason," and she did so to avoid raising suspicion by WVU Hospitals, "[s]o if they saw ... you would see where I scheduled something for that patient or a note from me that I, you know, did something on that account." Most importantly, Angela never thought she would get caught because "nobody was watching me closely enough to know that I was doing anything other than my job." The hospital's failure to monitor its employees’ conduct is apparent by the hospital's admission it only became aware of the data breach when it learned of the FBI's investigation of Angela and Wayne.
Angela testified in her deposition that her supervisors never monitored her work. Angela said, despite working in an open cubicle, that no one was ever looking over her shoulder. The only time Angela saw or spoke to a supervisor was when Angela left her cubicle and went to her supervisor's office.
Simply put: Angela testified that she reviewed patient records with both "a [legitimate] business and a Wayne's business ... need of looking at all that material[.]" Angela started out looking at each patient's file with a legitimate purpose; she ended by scribbling down the patient's private data or printing out copies of their driver's license or Social Security card. She then gave that information to Wayne, knowing he used it for a criminal purpose. Every one of the 7,445 people, whose patient records were undisputedly accessed by Angela, can say their personal data was invaded for a wrongful purpose and that they were harmed, in part because of Angela's criminal conduct, but also because WVU Hospitals did nothing to stop Angela. The record shows that, if the police had not executed a search warrant on Wayne's apartment (for a wholly unrelated case) and found the yellow scraps of paper with Angela's handwriting of patient data, she never would have been stopped. Angela testified that WVU Hospital's management system was so slipshod that she suspected her other coworkers in nearby cubicles were probably also stealing data, and that no one would have found out.
Second, even if we accept the majority opinion's view of the facts as correct, it does not support its legal conclusion. The majority opinion contends that Angela was "legitimately" looking at patient files when she took the patient's private information, and then draws the conclusion that the patients never suffered an injury-in-fact sufficient to confer standing to bring a class action suit. I think, if you asked the patients whether they feel they suffered an "injury" such as embarrassment, fear of identity theft, or the cost of paying for identity theft protection, they would offer a different answer.
What is more, I think the record supports a finding that patients suffered an injury-in-fact caused by WVU Hospital's carelessness. Angela opened up a patient's file for a legitimate purpose, but before she closed it, she searched the file to steal the patient's identity and WVU Hospitals did nothing to prevent her from doing so. Angela walked out of the hospital with notes and printouts from patient files which she gave to Wayne so he could engage in various felonies. Let's be clear: what Angela and Wayne did was sufficient to warrant a 36-count federal indictment. For instance, the indictment alleged that Wayne and Angela:
The record contains evidence from Wayne's plea hearing, and also contains references to Angela's meetings with her probation officer. However, the record is otherwise unclear as to what charges Angela and Wayne pleaded guilty to or were otherwise convicted of.
Devised a scheme and artifice to defraud a financial institution, through which [Wayne] intended to obtain approximately $8,000 from Wells Fargo.
It was a part of the scheme and artifice that the defendant Angela ... would access WVU Medicine University Healthcare's patient database to obtain names, dates of birth, Social Security numbers, addresses, and driver's license numbers. ...
On or about June 27, 2016, in Berkeley County, ... the defendants [Wayne] and [Angela] did knowingly execute such scheme and artifice ... by accessing WVU Medicine University Healthcare's patient database and obtaining the name, date of birth, Social Security number, address, driver's license number, and a copy of [the] driver's license of the fourth person known to the Grand Jury and transferring that information to the defendant [Wayne] who then used that information to obtain a Wells Fargo Visa Signature Card with an $8,000 line of credit ... in the name of the fourth person known to the Grand Jury[.]
That indictment is pretty clear, and it repeats the same scheme for 35 other counts for conspiracy to commit identity theft, production of false identity documents (namely Social Security cards), aggravated identity theft, and bank fraud.
With that federal indictment in mind, juxtapose the criminal case with the majority opinion. On the one hand, Angela's actions were so significant, and caused so much harm to patients at WVU Hospitals, that a federal prosecutor saw fit to pursue a 36-count indictment and to use the evidence of Angela's theft of data from the hospital to support a criminal conviction. On the other hand, on the same evidence, the majority opinion concludes Angela's theft of data was "legitimate" and so insignificant that those same patients did not suffer an "injury in fact" sufficient to file a class action lawsuit for damages. This conclusion is wrong. The plaintiffs allege WVU Hospitals was careless with how it managed its patient files, failed to follow basic security procedures like conducting surveillance of its employees, and failed to encrypt information or otherwise safeguard files against wrongful activity. Angela took advantage of the hospital's carelessness. She stole patient data and gave it to a co-conspirator to commit identity theft. Something is wrong with our society when our courts say an act can support a criminal conviction beyond a reasonable doubt yet cannot support a civil claim for damages by a preponderance of the evidence.
Generally, courts rely on three factors to determine if a plaintiff sufficiently pleaded an injury-in-fact from the threat of future identity theft. The first factor hinges on the intention of the third party who gained access to the personal information. Courts are more likely to find standing where the third party had a criminal motive. The second factor looks to the type of information stolen; some information (like Social Security numbers, driver's licenses, or birthdates) is more useful for identity theft than other information. The third factor turns on whether there is some proof the compromised, personal information was actually misused. Mitchell J. Surface, Civil Procedure-Article III Cause-in-Fact Standing: Do Data Breach Victims Have Standing Before Compromised Data Is Misused?, 43 Am. J. Trial Advoc. 503, 506 (2020).
Another journal summarized the approach taken by federal courts thusly:
Data breach litigation has given rise to new questions, like whether claims may proceed against hacked companies in the absence of fraudulent account activity or actual identity theft affecting those whose information was lost. Courts have recognized a distinction between cases involving actual fraud or identity theft – or, at least, signs of a malicious hack – and cases not involving misuse, as where a thief may have broken into a car and grabbed a laptop without realizing what it contained. Plaintiffs in the first category, who suffered economic loss or were subject to intentional data theft, have been deemed to have standing to sue the hacked company for negligence and other alleged violations. In the second category, plaintiffs whose information was merely exposed, but never exploited, often find themselves out of luck.
Jordan Elias, Course Correction-Data Breach As Invasion of Privacy, 69 Baylor L. Rev. 574, 575 (2017) (emphasis added).
Applied to this case, it appears that the plaintiffs can establish an injury in fact. First, we know from Angela's deposition and the proceedings in federal court that Angela trolled through the hospital's files with the intent of stealing patient data to use in an identity-theft scheme with Wayne. Second, the information stolen – addresses, birthdates, Social Security numbers and driver's licenses – was of great use in Angela's and Wayne's fraud scheme. And third, the compromised personal information was, in fact, misused. On this record, the plaintiffs clearly established an injury-in-fact.
The majority opinion has wrongly conflated how the data was stolen with whether the victims of those thefts were injured. In a run-of-the-mill data breach, financial information is stolen by an outside "hacker" who engages in fraud or identity theft. This case is different because there was no outside hacker; here, the hacker actually worked for the hospital and stole the data one file at a time. However, just because the data was stolen by someone who legitimately had access to the data does not alter the fact that the plaintiffs were injured.
In my review of how federal courts handle the injury-in-fact question, every single appellate circuit court focused on the actual impact of the theft on the victim, not whether the thief was "authorized" to commit the theft. Further, a majority of federal circuits have found an injury-in-fact exists where there is a heightened risk of identity theft subsequent to a data breach. The United States Court of Appeals for the Fourth Circuit has issued two cases on computer data theft demonstrating a proper analysis of the injury-in-fact question. In Beck v. McDonald , 848 F.3d 262, 267-76 (4th Cir. 2017), the court concluded a Veterans Administration hospital laptop, stolen from the backseat of a car, which contained veterans’ personal information and medical records did not confer injury-in-fact standing, because the plaintiffs produced no evidence the information had been accessed or misused. Because the plaintiffs filed the lawsuit three to four years after the laptop was stolen, the court found no substantial risk that the plaintiffs were going to fall victim to identity fraud or theft. However, a year later, in Hutton v. National Board of Examiners in Optometry, Inc ., 892 F.3d 613, 622 (4th Cir. 2018), the court distinguished Beck because the plaintiffs offered evidence that they had already suffered actual harm – some plaintiffs could show credit cards were fraudulently issued using stolen data – and found that the evidence supported finding the injury-in-fact requirement had been met.
The circuits finding an injury in fact arising from a heightened risk of identity theft subsequent to a data breach include the D.C. Circuit (In re: U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 55-56 (D.C. Cir. 2019) (holding that identity theft constitutes a concrete and particularized injury because the victim is subject to a substantial risk of future fraud and identity theft); Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017) ("[A] substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken."); Third Circuit (In re Horizon Healthcare Serv. Inc. Data Breach Litig., 846 F.3d 625, 641 (3d Cir. 2017) (noting the injury-in-fact requirement is not insurmountable, thus finding a violation of the Fair Credit Reporting Act by not protecting personal data constituted a clear de facto injury, and noting unauthorized disclosures of legally protected personal information have long been seen as injurious); In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 274 (3d Cir. 2016) ("The purported injury here is clearly particularized, as each plaintiff complains about the disclosure of information relating to his or her online behavior."); In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 134-35 (3d Cir. 2015) ("Consequently, and contrary to the contentions of the defendants, a plaintiff need not show actual monetary loss for purposes of injury in fact.")); Sixth Circuit (Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016) (finding injury-in-fact where plaintiffs’ personal information was stolen but not yet misused because it is likely the information will be misused)); Seventh Circuit (Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (finding injury-in-fact because the victims’ data was stolen and they had the opportunity to prove damages); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016) (finding that some injuries plaintiffs claimed were enough to find standing); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 696 (7th Cir. 2015) ("The injuries associated with resolving fraudulent charges and protecting oneself against future identity theft ... are sufficient to satisfy the first requirement of Article III standing.")); Ninth Circuit (In re Zappos.com, Inc., 888 F.3d 1020, 1028-29 (9th Cir. 2018) (finding injury-in-fact where the plaintiffs alleged a credible threat of real and immediate harm stemming from the theft of personal information--although Social Security numbers were not included in the data breach--because there was a substantial risk the hackers would commit identity fraud or theft); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) ("Were Plaintiffs-Appellants’ allegations more conjectural or hypothetical ... we would find the threat far less credible.")); and Eleventh Circuit (Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012) (finding injury-in-fact where defendants’ laptops were stolen containing the plaintiffs’ personal information that was misused)). But see Whalen v. Michaels Stores, Inc., 689 F. App'x 89, 91 (2d Cir. 2017) (finding that standing requires a future injury be certainly impending rather than simply speculative, and that because the plaintiff's personal identification information--date of birth or Social Security number--was not stolen and the plaintiff had not expended any time or effort monitoring her credit, there was no injury or threat of future injury); In re SuperValu, Inc., 870 F.3d 763, 768 (8th Cir. 2017) (holding plaintiffs’ injury must affect the plaintiff in a personal and individual way, and that stolen credit card information that had not yet been misused is too speculative to qualify as a substantial risk of identity theft); Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (finding no injury-in-fact to satisfy the Article III standing requirement because plaintiffs’ personal information was not shown to have actually been stolen, only that the defendant did not have proper security measures in place to protect the data, increasing their vulnerability to hackers and future identity fraud).
Ultimately, I think the "majority rule" regarding whether a plaintiff has an injury-in-fact resulting from data theft can be distilled down to this guide found in Khan v. Children's National Health System, 188 F. Supp. 3d 524, 532 (D. Md. 2016):
in the data breach context, plaintiffs have properly alleged an injury in fact arising from increased risk of identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs' personal data to engage in identity fraud.
Applying the Khan rule to this case, the majority opinion should have found that the plaintiffs properly alleged an injury in fact arising from an increased risk of identity theft. The plaintiffs put forth evidence of actual examples where the data stolen by Angela was used to steal the identity of some of the plaintiffs. Moreover, they offered clear evidence their files were examined and their personal data was taken for the purpose of engaging in identity fraud. Hence, all of the members of the class, including the class representatives, have properly alleged an injury in fact sufficient to permit the class action to proceed. Thus, I must conclude the majority erred in holding otherwise.
A third problem with the majority opinion is its focus on named-plaintiff Deborah Welch's "standing." The authorities cited by the majority opinion are pretty clear that "[i]n class actions, as in all suits in federal court, plaintiffs must have standing in order to sue." 1 William B. Rubenstein, Newberg on Class Actions § 2:1 (5th edition 2011) (emphasis added). The problem with the majority opinion's reasoning is that this case was filed in West Virginia state court and not in federal court. The West Virginia Constitution does not have a standing requirement like that found in Article III of the United States Constitution. As the leading treatise on class actions says, "the Article III requirements that apply to cases brought in federal court do not apply in state court." Id. at n.1. Hence, I would caution future courts that the majority opinion's holding that "at least one named plaintiff must have standing with respect to each claim asserted" is built on shifting sands.
That said, the majority opinion concludes that class representative Deborah Welch does not have standing because she did not prove to the majority that she sustained a "breach" of her confidential information or an invasion of privacy caused by "an unreasonable intrusion" upon her seclusion. Syl. pt. 8, Crump v. Beckley Newspapers, Inc., 173 W. Va. 699, 320 S.E.2d 70 (1983). Angela spent her first 30 seconds "legitimately accessing" Ms. Welch's file, but she spent the remainder of the time illegitimately accessing the file. Nevertheless, the majority opinion deems Angela's entire access to the file a "reasonable" intrusion. The logical theme of the majority's opinion is that if you start to do something with good intentions, then it doesn't matter what you do later. That's akin to finding that, if a nurse walks into a room to administer medicine to a patient but then walks out of the room with an article of the patient's property, the patient would have no claim against the hospital because the nurse was "authorized" by the hospital to be in the room.
To reach its decision on standing, the majority opinion also weaves and twists to avoid the holding in Tabata v. Charleston Area Medical Center, 233 W. Va. 512, 759 S.E.2d 459 (2014). There, the hospital accidentally put patient data in a computer file that could be accessed from the internet. An employee was doing his or her authorized and legitimate job and just made a mistake. There was no proof anyone saw the data and no proof anyone used the data for a nefarious purpose. Still, because the patients’ private data was exposed in such a way that strangers could access it, this Court said the hospital could face liability for invading patients’ privacy. In this case, the hospital opened its patient data up for employees to scroll through in a way that looked legitimate, but the employee could, at the same time, copy and use the data for an illegitimate, nefarious purpose. And did. The plaintiffs in Tabata had a cause of action when it was not clear anyone ever saw or illicitly used the data; here, the plaintiffs can't pursue a class action despite someone seeing the data, stealing the data, and using the data to steal patients’ identities. The holdings in Tabata and this case cannot be reconciled.
Fourth, the majority opinion avoids discussing the variety of claims asserted in the plaintiffs’ amended complaint including breach of the duty of confidentiality; unjust enrichment; negligence; breach of contract; negligent supervision; and violations of the Consumer Credit and Protection Act. The majority opinion lumps all of these claims into one and determines that all of them require proof WVU Hospitals permitted a "breach" of patients’ confidential information by an outsider. Then, having declared that no breach occurred because Angela's access was "legitimate," the majority opinion finds the plaintiffs cannot support any of these causes of action. However, when we examine each of these causes of action alone, it becomes clear that the plaintiffs can make out a prima facie case (which, for purposes of class action status, is far more than is required). For instance, the plaintiffs allege that WVU Hospitals negligently supervised Angela.
In a claim for negligent supervision it is the employer's wrongful act rather than the employee's wrongful act that is at issue. The focus is upon whether the employer owed a duty of care to the plaintiff and breached that duty by allowing an employee to engage in negligent, reckless, or intentional tortious conduct.
C.C. v. Harrison Cty. Bd. of Educ., 859 S.E.2d 762, 786 (W. Va. 2021) (Hutchison, J., concurring, in part, and dissenting in part) (cleaned up). The evidence of record sets out sufficient facts that a jury could say that WVU Hospitals had a duty to protect the plaintiffs’ data but breached that duty by allowing Angela, as part of her job, to engage in identity theft and other tortious conduct. The fact that Angela was, in part, legitimately in every patient's file does not vitiate the fact that she eventually searched those files for data to steal, and that WVU Hospitals failed to stop her from doing so. WVU Hospitals can be liable for negligent supervision despite the fact that Angela acted intentionally, criminally, or outside the scope of her employment. "[L]iability for negligent supervision arises when the employer permits an employee to act ‘outside the scope of his employment’ and causes injury to another." Id. at 787 (citing Restatement (Second) of Torts § 317 (1965)). The same analyses apply to the other causes of action in the amended complaint, and on remand the plaintiffs and circuit court should do precisely that.
Fifth, while the majority opinion finds that Ms. Welch does not have standing to represent a class action, the opinion fails to acknowledge that Ms. Welch still has standing to assert her individual claims. Moreover, so can the other 7,445 patients whose data was improperly accessed. See W. Va. Code § 55-2-18 (tolling any statute of limitation from date of an order dismissing an action). Because of the majority opinion, she, along with the thousands of other individuals, can file individual lawsuits that can be grouped together by the circuit court under West Virginia Rule of Civil Procedure 42 (allowing for consolidation of actions). WVU Hospitals can pay its lawyers to file answers to 7,445 lawsuits. And, as to damages, if the circuit court concludes the hospital's conduct was egregious, a jury can award punitive damages against WVU Hospitals for permitting Angela to view 7,445 patient files without supervision. See Perrine v. E.I. du Pont de Nemours & Co., 225 W. Va. 482, 553, 694 S.E.2d 815, 886 (2010) ("[I]t is within the trial court's discretion to consider other relevant aggravating and mitigating evidence" when assessing punitive damages); Syl. pt. 3, Garnes v. Fleming Landfill, Inc., 186 W. Va. 656, 413 S.E.2d 897 (1991) (in an award of punitive damages, juries may consider "how long the defendant continued in his actions" and "how often" similar conduct has occurred).
Sixth, I am perplexed that the majority opinion concludes that Eugene Roman is not a "typical" representative of the class. The record shows that Mr. Roman is the perfect representative because he was a direct victim of Angela and Wayne's scheme. Earlier in my dissent, I quoted from a 36-count federal indictment charging Angela and Wayne. The count that I cited, Count 33, identified "the fourth person known to the Grand Jury" whose personal information was stolen from the hospital and used to open a Wells Fargo credit card. That "fourth person" is Mr. Roman.
At Wayne's plea hearing in federal court, an FBI special agent testified that Count 33 involved Angela improperly accessing Mr. Roman's data, not once, but twice. The FBI agent testified to Angela "accessing Mr. Roman's patient profile at WVU Medicine in Berkeley County, West Virginia on June 27 and July 26, 2016," and that "Angela [did] then provide that information to [Wayne] at some point," information Wayne used to illegally apply for a Wells Fargo Credit card in Mr. Roman's name. Upon questioning by the federal judge, Wayne agreed that the FBI agent's testimony was "substantially correct" and "accurately reflect[ed]" his involvement. Stated simply, the record in this case shows Angela accessed Mr. Roman's information, delivered that information to Wayne, and he used that information to commit fraud and identity theft. Accordingly, Mr. Roman is the perfect representative for the class.
Chief Justice Walker recently said that extraordinary remedies like writs of prohibition
are reserved for "really extraordinary causes." As we have explained, a writ of prohibition will not issue to prevent a simple abuse of discretion by a trial court. It will only issue where the trial court has no jurisdiction or having such jurisdiction exceeds its legitimate powers.
State ex rel. Vanderra Res., LLC v. Hummel, 242 W. Va. 35, 40, 829 S.E.2d 35, 40 (2019). She further found that writs of prohibition "are not available in routine circumstances." Id. The majority opinion in this case declares that "‘[w]hether the requisites for a class action exist rests within the sound discretion of the trial court.’ Syllabus Point 5, Mitchem v. Melton, 167 W. Va. 21, 277 S.E.2d 895 (1981)." Yet, as the majority opinion demonstrates, this Court is willing to override the discretion of trial courts, in routine circumstances, to grant a writ of prohibition. I do not believe the majority opinion reflects a proper use of judicial power.
––– W.Va. at ––––, 866 S.E.2d at 200.
In summary, I do not believe the record or the law supports the issuance of a writ of prohibition in this case. I therefore respectfully dissent. Further, I am authorized to state that Justice Wooton joins in this dissent.