IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND
ILANA ABRAHAM, individually : and on behalf of all others similarly situated :
v. : Civil Action No. DKC 25-3479
: ST. MARY’S HOSPITAL OF ST. MARY’S COUNTY, INC. :
MEMORANDUM OPINION Presently pending and ready for resolution in this data privacy putative class action are the motion to transfer venue filed by St. Mary’s Hospital of St. Mary’s County, Inc. (“Defendant” or “SMH”), (ECF No. 10), and the motion to remand filed by Ilana Abraham (“Plaintiff”), (ECF No. 16). The issues have been briefed, and the court now rules, no hearing being deemed necessary. Local Rule 105.6. For the following reasons, the motion to remand will be granted and the motion to transfer venue will be denied as moot. I. Background A. Factual Background Plaintiff Ilana Abraham was a patient of Defendant SMH, which is a full-service hospital located in Leonardtown, Maryland. (ECF No. 6 ¶¶ 6, 13). She alleges upon information and belief that SMH “regularly collects and stores a wide variety of [personal information (‘PI’)] from its customers and prospective customers,” (id. ¶ 8), including “patient name, social security number, driver’s license numbers, dates of birth, treating physician, dates of service, medication information, insurance information and treatment and/or diagnostic information,” (id. ¶ 9). As a patient, Ms. Abraham “entrusted [SMH] with her PI.” (Id. ¶ 13).
That PI “was stored on SMH’s computer network and/or its related cloud-based network, which may or may not have been hosted or administered by a third-party [information technology (‘IT’)] vendor.” (Id. ¶ 15). Plaintiff does not identify the IT vendor in her complaint, but an exhibit attached to the complaint suggests that this IT vendor was Oracle Health, (ECF No. 13, at 30), and SMH likewise indicates in its removal notice that the IT vendor was Oracle Health, (ECF No. 1 ¶ 1). Upon information and belief, Plaintiff states that “SMH maintained complete authority to research, select, and retain its third-party IT vendors.” (ECF No. 6 ¶ 29).
Last year, Ms. Abraham received a notice from SMH dated August 1, 2025, informing her that there had been a security breach of a computer network containing her PI (“Data Breach”). (Id. ¶¶ 16, 166; see also ECF No. 13, at 30).1 In the Data Breach notice, SMH indicated that the security breach occurred at Oracle Health
1 The Data Breach notice attached as an exhibit to the complaint is considered part of the complaint. Fed.R.Civ.P. 10(c) (“A copy of a written instrument that is an exhibit to a pleading is a part of the pleading for all purposes.”). 2 sometime between January 22, 2025, and March 15, 2025, when Oracle Health informed SMH of the Data Breach. (ECF No. 13, at 30). Although SMH’s own network was not affected, it offered Ms. Abraham “a 12-month membership of Experian’s IdentityWorksSM Credit 3B free
of charge,” which “helps detect possible misuse of [an individual’s] personal information and provides identity protection services.” (Id.). Despite SMH’s representations in the notice, Ms. Abraham alleges that SMH “suffered from a breach in their computer network security or a third party’s computer network security,” (ECF No. 6 ¶ 17 (emphasis added)), and that “the integrity of SMH’s entire computer network, or the integrity of the third-party’s computer network, was compromised,” (id. ¶ 24 (emphasis added)). She further alleges various deficiencies in the notice: SMH did not disclose the actions taken by the unauthorized actor while it had access to the network, who the
unauthorized actor was, what the specific failure in the network security architecture was, what measures have since been taken to secure the network, or why the notice itself was delayed. (Id. ¶¶ 19–23). Ms. Abraham alleges upon information and belief that SMH did not adequately prioritize cybersecurity and patient privacy. (Id. ¶ 14). On this front, she offers various other allegations upon information and belief, too. She believes that SMH “had been well 3 aware of the risk posed to its records,” “had access to numerous resources to provide awareness of . . . and to prepare defenses against [cyber] attacks,” “failed to leverage” such resources,
“failed to adequately train its employees on cybersecurity[,] and failed to maintain reasonable computer security safeguards and protocols to protect PI in its possession.” (Id. ¶¶ 37, 40–42, 44). She believes that SMH, as a result, “had no effective means to prevent, detect, stop, or mitigate breaches of its, or the third-party’s, computer systems.” (Id. ¶ 43). Ms. Abraham alleges that, due to the Data Breach, her PI “was accessed and disclosed in an unauthorized manner,” (id. ¶ 18), along with that of “most, if not all, of SMH’s patients,” (id. ¶ 26), the “vast majority” of whom are allegedly Maryland residents, (id. ¶ 34). She offers a litany of harms that she and other SMH patients “will sustain[] or have sustained” due to the Data Breach. (Id. ¶¶ 45–64). As for herself in particular, Ms. Abraham “became
severely stressed and suffered anxiety, including physical manifestations,” because of the Data Breach. (Id. ¶ 48). Upon information and belief, she also alleges that “the compromised PI of current and former patients remains in the hands of criminal actors.” (Id. ¶ 28).
4 B. Procedural Background On September 22, 2025, Plaintiff filed a class action complaint against Defendant in the Circuit Court for St. Mary’s County, Maryland, seeking monetary, injunctive, and declaratory
relief. (ECF Nos. 1 ¶ 1; 6). She brings three counts—negligence (Count I), violation of the Maryland Personal Information Privacy Act (“PIPA”), Md. Code Ann., Com. Law §§ 14-3503 to -3504 (West) (Count II), and violation of the Maryland Consumer Protection Act (“MCPA”), id. § 13-301 (Count III)—on behalf of herself and a class of “[a]ll persons whose Personal Information was maintained by SMH and accessed or acquired without authorizing during the [Data Breach].”2 (ECF No. 6 ¶ 69). She believes the class contains over 10,000 individuals. (Id. ¶ 72). Defendant removed the action to this court on October 22, 2025, (ECF No. 1), asserting the Class Action Fairness Act of 2005 (“CAFA”), 28 U.S.C. § 1332(d), as the basis for subject matter
jurisdiction, (ECF No. 1 ¶ 5). In its removal notice, Defendant contends that Plaintiff’s class action complaint meets CAFA’s requirements that there be at least minimal diversity, 100 class members, and an amount in controversy of $5,000,000. (Id.).
2 Although Plaintiff repeatedly notes breaches of duties by SMH’s third-party IT vendor in Count I, the third-party IT vendor is not named as a defendant. 5 Plaintiff’s is not the only class action complaint filed in relation to the Data Breach. As of November 2025, thirty-two such class actions had been consolidated before Chief Judge Beth
Phillips in the United States District Court for the Western District of Missouri, where Oracle Health is headquartered. (ECF No. 11, at 2 (citing In re Cerner/Oracle Data Breach Litig., No. 25-cv-259 (W.D.Mo.)); id. at 5). On December 15, 2025, in fact, this court granted a joint motion to transfer venue to the Western District of Missouri in another case arising out of the Data Breach. See Order Granting Joint Motion to Transfer, Tice v. Cerner Corp., No. 25-cv-3907-DKC (D.Md. Dec. 15, 2025), ECF No. 12. Defendant believes this case belongs there, too. On November 3, 2025, Defendant moved to transfer venue to the Western District of Missouri. (ECF No. 10). Plaintiff opposed the transfer motion
on November 17, 2025, (ECF No. 15), and Defendant replied on December 12, 2025, (ECF No. 19). Separately, Plaintiff moved to remand the action to state court on November 18, 2025, arguing that this court lacks subject matter jurisdiction over her complaint due to Article III standing and CAFA deficiencies. (ECF No. 16). In the alternative, she requests jurisdictional discovery. (Id. at 11–12). Defendant
6 opposed the remand motion on December 12, 2025, (ECF No. 20), and Plaintiff replied on January 5, 2026, (ECF No. 21). II. Analysis A. Order of Motions As a threshold matter, the parties disagree about the order
in which the pending motions should be analyzed. Defendant believes its transfer motion should take priority, (ECF No. 20, at 2–3), whereas Plaintiff contends that her remand motion should be decided first, (ECF No. 21, at 9–10). Defendant analogizes the consolidated action in Missouri to a multi-district litigation (“MDL”) and relies on cases in which courts have exercised their discretion not to rule on a remand motion before the MDL panel issues a transfer order. (ECF No. 20, at 2–3); see, e.g., Yearwood v. Johnson & Johnson, Inc., No. 12-cv-1374-RDB, 2012 WL 2520865, at *3 (D.Md. June 27, 2012) (“[T]he Judicial Panel on Multidistrict Litigation has held that a district court judge can ‘either wait
for a transfer order without ruling on a motion to remand, or to rule on the motion before a transfer order has been issued.’” (quoting Moore v. Wyeth-Ayerst Lab’ys, 236 F.Supp.2d 509, 511 (D.Md. 2002))). Although Defendant’s various district court cases in the MDL context imply that courts have the discretion to permit transfer before deciding a remand motion attacking subject matter jurisdiction, the United States Court of Appeals for the Fourth 7 Circuit has instructed that “without [subject matter jurisdiction], a court can only decide that it does not have jurisdiction.” Burrell v. Bayer Corp., 918 F.3d 372, 379 (4th Cir. 2019) (emphasis added) (quoting United States v. Wilson, 699 F.3d
789, 793 (4th Cir. 2012)). Unsurprisingly, then, courts in this circuit generally decide remand motions attacking subject matter jurisdiction before motions to transfer venue. See, e.g., Nat’l Equip. Dealers, LLC v. IROCK Crushers LLC, --- F.Supp.3d ----, 2025 WL 1503932, at *2 (M.D.N.C. May 27, 2025) (Agee, J.) (“[W]hen faced with a motion to remand and other pending motions, ‘a court must first assess the motion to remand and may only consider [the other motions] if the court determines it has subject matter jurisdiction over the action.’” (second alteration in original) (quoting Smallwood v. Builders Mut. Ins. Co., No. 23-cv-67, 2024 WL 844868, at *5 (E.D.Va. Feb. 28, 2024))); Cox v. Air Methods Corp., No. 17-cv-4610, 2018 WL 2437056, at *1 (S.D.W.Va. May 30, 2018); Bailey v. Ford Motor Co., No. 06-cv-61, 2006 WL 3456698, at
*1 (S.D.W.Va. Nov. 30, 2006). In light of Fourth Circuit guidance and the order of operations adopted by other courts in this circuit, the court will consider the motion to remand for lack of subject matter jurisdiction first. “If at any time before final judgment it appears that the district court lacks subject matter jurisdiction” over a removed 8 case, the district court must remand the case to state court. 28 U.S.C. § 1447(c). Federal courts “must strictly construe removal jurisdiction” and remand “[if] federal jurisdiction is doubtful.” Mayor & City Council of Balt. v. BP P.L.C., 31 F.4th 178, 197 (4th Cir. 2022) (quoting Mulcahey v. Columbia Organic Chems. Co., 29
F.3d 148, 151 (4th Cir. 1994)). The removing party “bears the burden of demonstrating that removal is proper and that the federal court has subject matter jurisdiction.” IROCK Crushers, 2025 WL 1503932, at *2 (citing Mulcahey, 29 F.3d at 151). At this time, Plaintiff moves to remand on two grounds: (1) lack of Article III standing, (ECF No. 16, at 3–8), and (2) inadequate amount in controversy under CAFA, (id. at 9–11).3 Plaintiff is correct as to Article III standing, so the court need not reach her CAFA argument. Plaintiff’s motion to remand will be granted. B. Plaintiff Lacks Standing Article III standing “is a threshold, jurisdictional issue.” Cent. Wesleyan Coll. v. W.R. Grace & Co., 6 F.3d 177, 188 (4th Cir.
3 Plaintiff also moves to remand on the basis of CAFA’s local controversy exception and discretionary exception. (ECF No. 16, 11–16). The applicability of these exceptions hinges on the geographic composition of the class, 28 U.S.C. § 1332(d)(3), (4), currently known only to Defendant, so jurisdictional discovery would be necessary before determining whether the exceptions apply. Because the standing deficiency supplies an independent basis to remand the case, the court need not permit jurisdictional discovery and reach the applicability of CAFA’s local controversy and discretionary exceptions. 9 1993). The standing requirement consists of three elements: “(1) an injury in fact that is concrete, particularized, and actual or imminent; (2) a sufficient causal connection between the injury
and the conduct complained of; and (3) a likelihood that the injury will be redressed by a favorable decision.” Straubmuller v. Jetblue Airways Corp., No. 23-cv-384-DKC, 2023 WL 5671615, at *2 (D.Md. Sep. 1, 2023) (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 157–58 (2014)). The fact that a suit is a class action “adds nothing to the question of standing, for even named plaintiffs who represent a class ‘must . . . personally have been injured.’” Lewis v. Casey, 518 U.S. 343, 357 (1996) (quoting Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 40 n.20 (1976)). It is insufficient that an “injury has been suffered by other, unidentified members of the class to which [the plaintiff] belong[s] and which they purport to represent.” Id. (quoting Simon, 426 U.S. at 40 n.20). Additionally, there must be standing for each individual claim for relief. Friends of the Earth, Inc.
v. Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 185 (2000). Plaintiff’s remand motion focuses on the injury-in-fact element, so Defendant finds itself in the unusual position of attempting to persuade the court that Plaintiff has alleged a cognizable injury. To demonstrate injury-in-fact when challenged by a plaintiff on a remand motion, a defendant “must show that 10 [the plaintiff] suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” See Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016) (quoting Lujan v. Defs. Of Wildlife, 504 U.S. 555, 560 (1992)). Although a “‘threatened
rather than actual injury can satisfy Article III standing requirements,’ . . . not all threatened injuries constitute an injury-in-fact.” Beck v. McDonald, 848 F.3d 262, 271 (4th Cir. 2017) (quoting Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000) (en banc)). The threatened injury must be “imminent,” which requires more than an “‘objectively reasonable likelihood’ that it will someday come to pass.” Holmes v. Elephant Ins. Co., 156 F.4th 413, 429 (4th Cir. 2025) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 410 (2013)). Rather, there must be “a substantial risk” that the harm will happen “in the near future.” Id. at 429 & n.19 (quoting Murthy v. Missouri, 603 U.S. 43, 58 (2024)).
The Fourth Circuit has recently developed a considerable body of case law on Article III standing in the context of data breaches. In Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the Fourth Circuit concluded that a plaintiff fails to “establish Article III standing based on the harm from the increased risk of future identity theft and the cost of measures to protect against 11 it.” Id. at 266–67. “[M]ere theft” of PI, in other words, is insufficient. Id. at 275. The following year, the Fourth Circuit decided Hutton v. Nat’l Bd. of Exam’rs in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018), in which the court determined that the
plaintiffs did have standing because they alleged actual misuse of their PI—to wit, unauthorized credit cards taken out in their names and an eleven-point drop in the credit score of one plaintiff— beyond mere theft, id. at 622. Such actual misuse cleared the Article III standing bar because it substantiated, “[a]t a minimum, . . . an imminent threat of injury,” and because the injury was thus not speculative, the mitigating costs incurred to protect against future identity theft likewise constituted an injury-in- fact. Id. The dividing line between Beck and Hutton, then, is whether actual misuse of the PI is alleged. See, e.g., Capiau v. Ascendum Mach., Inc., No. 24-cv-142, 2024 WL 3747191, at *4
(W.D.N.C. Aug. 9, 2024) (“Actual misuse is the keystone of Article III injury in Fourth Circuit data breach case law.” (collecting cases)).4
4 Defendant cites to Tice v. Cerner Corp., No. 25-cv-03907- DKC (D.Md.), a case that was transferred upon joint motion, and contends that the allegations are similar. That case was filed in this court (not removed), also named Oracle Health as a defendant, no party challenged standing, and the complaint alleged that the personal information “has already been misused, evidenced by the significant increase in spam texts and phone calls using his personal information that he has received since the Data Breach.” Complaint ¶ 45, Tice, No. 25-cv-3907-DKC (D.Md. Dec. 15, 2025), 12 Plaintiff provides a laundry list of harms in her complaint, but Defendant, relying solely on Plaintiff’s allegations, fails to show that any one of them suffices for standing. To begin,
Plaintiff adopts the pleading convention that “[she] and class members will sustain, or have sustained,” the following harms: direct and indirect negative impacts on health and welfare; emotional distress; increased risk of emotional distress, mental pain and suffering; PI theft; publication of their PI to the Dark Web; damages to and diminished value of their PI; loss of the opportunity to control how their PI is used; continued risk of exposure of their PI to bad actors; impairment of their credit scores; and time and costs spent on efforts to mitigate misuse of their PI, including monitoring and restricting compromised accounts, enrolling in and using credit monitoring services, purchasing additional computer security, and dealing with frozen
or flagged assets and credit. (ECF No. 6 ¶¶ 46–47, 49–64). Construing removal jurisdiction strictly, the court can only glean from these vague and undifferentiated allegations that Plaintiff may suffer any number of these harms in the future. Absent concrete facts pertaining to actual events, it is simply too much of a stretch to say that Plaintiff herself has suffered any of
ECF No. 1. Whether that suffices for standing is now a matter for the transferee court. 13 these harms. Likewise, her allegations are also devoid of any mention of actual misuse of her own particular PI. Defendant offers no other evidence that actual misuse of Plaintiff’s PI has occurred.5 Therefore, any injury Plaintiff may suffer is “too speculative for Article III purposes.” Beck, 848 F.3d at 271 (quoting Lujan, 504 U.S. at 564 n.2).
Although Defendant does not raise it, there is language in Beck suggesting that even absent actual misuse of the plaintiff’s PI, there might be standing if “the data thief intentionally targeted the personal information compromised in the data breaches.” Beck, 848 F.3d at 274 (citing Galaria v. Nationwide Mut. Ins. Co., 663 F.App’x 384, 386 (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632 (7th Cir. 2007)); see also Stamat v. Grandizio Wilkins Little & Matthews, LLP, No.
22-cv-747-SAG, 2022 WL 3919685, at *6 (D.Md. Aug. 31, 2022) (explaining that “[a]ctual misuse of data[] . . . is not strictly
5 Defendant takes issue with Plaintiff’s assertions in her remand motion that she has not alleged an injury-in-fact, despite the numerous allegations of harm, and accuses her of “denying or misrepresenting the contents of her own [c]omplaint” to avoid federal jurisdiction. (ECF No. 20, at 3–5). There is an important difference between an injury, which is “an invasion of a legally protected interest,” and an injury-in-fact, which further requires that the injury be “concrete and particularized.” Baehr v. Creig Northrop Team, P.C., 953 F.3d 244, 252 (4th Cir. 2020) (quoting Lujan, 504 U.S. at 560). Not all injuries are injuries-in-fact. 14 required to establish standing in the data breach context . . . where the [PI] was the specific target of the attack” (citation modified)). Here, Plaintiff’s allegations are hazy on the precise
manner in which the Data Breach occurred and what the specific target of the attack was. (See ECF No. 6 ¶¶ 17, 19, 27 (alleging that an “unauthorized actor” breached the computer network of Defendant or its IT vendor, and the data on such network, including Plaintiff’s PI, “was copied, downloaded and exfiltrated by criminal actors”)). And the Fourth Circuit last year cast considerable doubt on that language from Beck, anyway. In Holmes v. Elephant Insurance Co., 156 F.4th 413 (4th Cir. 2025), the court noted that several other circuits “identify the targeted nature of an attack . . . as [a] factor[] in favor of standing,” but rejected that logic because none of those circuits “explained how a data breach presents a substantial risk that any one piece of personal information will be misused in the future,” id. at 432. Rather,
those circuits appear to have erroneously embraced a requirement of “only a reasonable probability of harm,” a lower threshold rejected by the Supreme Court in Clapper. Id. (citing Clapper, 568 U.S. at 432–33, 441 (Breyer, J., dissenting)). In light of the “tight[] boundary” the Fourth Circuit “has drawn . . . when it comes to future harms,” id., standing cannot rest on oblique,
15 unparticularized allegations regarding the possibly targeted nature of the Data Breach. Finally, Plaintiff alleges just two harms that she has already
sustained: (1) economic loss and (2) severe stress and anxiety. (ECF No. 6 ¶¶ 45, 48). Defendant cannot rely on Plaintiff’s conclusory allegation of economic loss, devoid of factual content, to satisfy its burden of demonstrating standing. Nor do Plaintiff’s stress and anxiety support jurisdiction; “bare assertions of emotional injury” are insufficient to confer Article III standing. Beck, 848 F.3d at 273 (citing Doe v. Chao, 540 U.S. 614, 617, 624–25 (2004)); see also Stamat, 2022 WL 3919685, at *7 (rejecting Plaintiff’s allegations of emotional distress and anxiety as a basis for standing). As the Fourth Circuit recently explained, a contrary rule would mean that plaintiffs could “manufacture standing” at will because “plaintiff[s] can freely
allege emotional distress in every case with little fear of disproof.” Holmes, 156 F.4th at 434 (quoting Clapper, 568 U.S. at 402). Defendant cites just one case in its favor, an unpublished opinion in the Northern District of Texas. (ECF No. 20, at 4 (citing Order at 11, Ethridge-Delucca v. Sabre GLBL Inc., No. 24- cv-3262 (N.D.Tex. Dec. 2, 2025), ECF No. 19). Fourth Circuit precedent prevails.
16 In short, Defendant fails to discharge its burden of demonstrating Article III standing in response to Plaintiff’s remand motion. Because Plaintiff’s motion to remand is
meritorious, Defendant’s motion to transfer venue to the Western District of Missouri is moot. C. Section 1447(c) Costs and Expenses 28 U.S.C. § 1447(c) provides that “[a]n order remanding the case may require payment of just costs and any actual expenses, including attorney fees, incurred as a result of the removal.” Plaintiff requests that the court award her such costs, expenses, and fees, (ECF No. 16, at 16–17), which Defendant opposes, (ECF No. 20, at 14). “Absent unusual circumstances, courts may award attorney’s fees under § 1447(c) only where the removing party lacked an objectively reasonable basis for seeking removal. Conversely, when an objectively reasonable basis exists, fees should be denied.” Martin v. Franklin Cap. Corp., 546 U.S. 132, 141 (2005) (citing Hornbuckle v. State Farm Lloyds, 385 F.3d 538, 541 (5th Cir. 2004); Valdes v. Wal-Mart Stores, Inc., 199 F.3d 290,
293 (5th Cir. 2000)). Whether to award such fees is a decision “committed to the court’s sound discretion.” Beusterian v. Icon Clinical Rsch., 517 F.App’x 198, 199 (4th Cir. 2013). Plaintiff’s arguments focus on CAFA, not standing. She contends that Defendant’s removal was objectively unreasonable 17 because it “offered no estimate or supporting evidence that the amount in controversy in this case exceeds $5 million,” nor did it offer “evidence of the class members’ citizenship, despite
possessing the records to do so.” (ECF No. 16, at 17). In line with the latter argument, she also characterizes the removal as “fundamentally flawed because of the Maryland-centric nature of the parties, claims, controversy and class composition.” (Id.). Defendant responds that it was reasonable to remove under CAFA because Plaintiff’s proposed class is subsumed within the proposed nationwide class in the Western District of Missouri, and CAFA’s aims of promoting efficiency and avoiding gamesmanship counseled against parallel litigation in this case. (ECF No. 20, at 11–14). The court did not reach the parties’ arguments regarding CAFA in its analysis. That being said, Defendant marshals adequate support in its papers to demonstrate that it had an objectively
reasonable basis for removal. First, it was reasonable to believe that the amount in controversy in this case exceeds $5 million. Various courts have held that it is permissible in a data breach case to multiply the monthly cost of a credit-monitoring service by a reasonable number of months and the total number of class members to reach the total amount in controversy. Castillo v. Berry Bros Gen. Contractors Inc., No. 24-cv-1723, 2025 WL 1062091, at *2 (W.D.La. Apr. 8, 2025) ($29.95/month TransUnion fee for ten 18 years of credit monitoring across 6,210 class members equals more than $22 million); Morales v. Conifer Revenue Cycle Sols., LLC, No. 23-cv-1987, 2023 WL 5236729, at *3 (C.D.Cal. Aug. 15, 2023)
($84.80 for two months of credit monitoring and identity theft protection across 120,000 class members equals more than $10 million); see also Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273, 278 (S.D.N.Y. 2008) (request for credit- monitoring costs for every class member for “an indeterminate period beyond one year . . . could readily exceed $5 million”). Here, Defendant argues that a $29.95/month Experian credit- monitoring subscription for a period of two years across 10,000 class members, for a total of over $7 million, suffices. (ECF No. 20, at 7). Regardless of whether that is ultimately persuasive, it is reasonable based on the case law. Second, Plaintiff’s contention that Defendant’s failure to
provide citizenship data of the proposed class renders removal objectively unreasonable misses the mark. Plaintiff does not argue that her case lacks minimal diversity under 28 U.S.C. § 1332(d)(2), so the issue of the class’s geographic composition arises only in relation to CAFA’s exceptions. It was reasonable for Defendant to wait and see if Plaintiff would invoke those exceptions. When Plaintiff did so, it was likewise reasonable for Defendant to hold off on supplying the data of the class’s geographic composition, 19 which might require substantial resources, unless and until the court ordered jurisdictional discovery, either here or in the Western District of Missouri.
Finally, Defendant offers adequate support that CAFA supports removal, even when one or more elements of CAFA jurisdiction is doubtful, if the proposed class is subsumed into another pending federal class action. See Simon v. Marriott Int’l, Inc., Nos. 19- cv-2879-PWG, 19-cv-1792-PWG, 2019 WL 4573415, at *4 (D.Md. Sep. 20, 2019); Sanders v. Kia Am. Inc., No. 23-cv-486, 2023 WL 3974966, at *5–6 (C.D.Cal. June 13, 2023); In re Kitec Plumbing Sys. Prods. Liab. Litig., No. 10-cv-1193, 2010 WL 11618052, at *6 (N.D.Tex. Aug. 23, 2010).6 Of course, whether that proposition is correct need not be decided. What matters is that Defendant had a sufficiently colorable basis to believe that the class members are already represented in the proposed class in the Western District
of Missouri regarding the same underlying data breach, such that the policies of CAFA might support federal jurisdiction over Plaintiff’s putative class action. Defendant had an objectively reasonable basis to remove this action under CAFA. Plaintiff does not argue that Defendant lacked
6 Even if such flexibility does exist with regard to CAFA jurisdiction, the principles and policies undergirding Article III standing are entirely different and cannot be so stretched to find jurisdiction where it is otherwise doubtful. 20 an objectively reasonable basis to believe she had Article III standing, so the court will not consider that as a possible ground to award fees. Plaintiff’s request for costs, expenses, and fees
will be denied. III. Conclusion For the foregoing reasons, Plaintiff’s motion to remand will be granted, Plaintiff’s request for costs, expenses, and fees will be denied, and Defendant’s motion to transfer venue will be denied as moot. A separate order will follow.
/s/ DEBORAH K. CHASANOW United States District Judge