IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA
Case No. 2:22-cv-04676-JDW

KAZANDRA BARLETTI, individually, as
natural parent and next friend of A.B. and C.B., minors,
,
v.
CONNEXIN SOFTWARE, INC. d/b/a
OFFICE PRACTICUM,
.
MEMORANDUM

The Parties in this data breach class action seek preliminary approval of a proposed settlement of claims under various states’ laws for negligence and breach of contracts to which plaintiffs and class members were intended third party beneficiaries. After reviewing the facts and the proposed agreement, I will grant the Motion and preliminarily certify the class.

I. BACKGROUND

A. Factual Allegations

Connexin Software, Inc. is an electronic medical records custodian that mostly serves pediatric practices. It provides data security to institutional customers who, in turn, store patients’ personally identifying information (PII) and protected health information (PHI). In August 2022, Connexin became aware of a data breach in which sensitive information of its customers (including information about pediatric patients, their parents and guardians, and insurers) was disclosed to unauthorized individuals. The
data security incident led to the unauthorized disclosure of the information of approximately three million individuals. Among those whose information was subject to the breach were Kazandra Barletti and her minor children, Andrew Recchilongo, Bradley Hain and his minor
children, Sharonda Livingston and her minor son, Hailey Jowers, and Ikram Chowdhury (the “Class Reps”). Each named Party received medical services through a pediatric practice that was a Connexin customer. Each received notice from Connexin by mail informing them that their private information was compromised in the data breach.

B. Procedural History

Each named Class Rep initiated a class action complaint. On January 12, 2023, I consolidated the cases. On March 30, 2023, I appointed Benjamin Johns and Bart Cohen as plaintiffs’ interim lead counsel and a five-member Plaintiff’s steering committee. On
April 28, 2023, the Class Reps filed a Consolidated Amended Complaint (“CAC”). Connexin moved to dismiss six of the seven counts in the CAC. I granted that motion in part on August 17, 2023. As a result, the only claims remaining in the case are claims for
negligence and breach of contracts to which plaintiffs and class members were intended third party beneficiaries. After extensive discovery, the Parties began settlement discussions. In November 2023, the Parties held a first mediation session, supervised by the Honorable Diane M. Welsh, U.S.M.J. (Ret.). During that mediation, Connexin claimed to be financially vulnerable, with the prospect of a bankruptcy filing on the horizon. After the mediation,
the Class Reps did additional diligence on Connexin’s financial status, including receiving information from Connexin and consulting with financial experts. Subsequent negotiations with Judge Welsh led to the comprehensive proposed settlement
agreement before me now.

C. The Settlement

The proposed settlement seeks to certify a settlement class consisting of “[a]ll natural persons whose Personal Information was compromised in the Data Security
Incident that Connexin discovered on or around August 26, 2022.” (ECF No. 85-1 at 5.) Pursuant to the terms of the settlement, Connexin will create a total settlement fund of $4,000,000, which provides: (i) compensation to class members; (ii) service awards of $2,500 to each of the named Plaintiffs; (iii) attorneys’ fees up to one-third of the
Settlement Fund’s total value; (iv) reasonable litigation expenses not to exceed $50,000; and (v) claims expenses by an agreed-upon settlement administrator (Epiq Class Action & Claims Solutions, Inc.), not to exceed $992,187.00. Class members will be able to elect
expanded credit monitoring, reimbursement for out-of-pocket expenses, or an alternative cash payment as their compensation. In addition, if approved, the settlement would require Connexin to seek SOC II certification over the next four years in an effort to enhance its internal data protection compliance measures. In exchange, the Class Reps and class members who choose to participate in the settlement will release Connexin from liability for any claims that class members did
bring or could have brought against it for harms related to the Data Security Incident.

II. LEGAL STANDARD

Review of proposed Rule 23 class settlement typically proceeds in two steps: (1) a
preliminary approval and (2) a subsequent fairness hearing. , 961 F. Supp. 2d 708, 713–14 (E.D. Pa. 2014). Preliminary approval of a proposed class action settlement is left to the discretion of the trial court. , 148 F.3d 283, 317 (3d Cir.
1998). “The fair, reasonable and adequate standard is lowered, and the court is required to determine whether the proposed settlement discloses grounds to doubt its fairness or other obvious deficiencies. . . .” 961 F. Supp. 2d at 714 (quotation omitted). Nevertheless, “preliminary approval is not simply a judicial ‘rubber stamp’ of the
parties’ agreement.” Rather, it is “based on an examination of whether the proposed settlement is ‘likely’ to be approved under Rule 23(e)(2).” , No. CV 19-2820-KSM, 2020 WL 7711409, at *10 (E.D. Pa. Dec. 28, 2020)
(citing Fed. R. Civ. P. 23(e)(1)(B)(i)). Where settlement precedes class certification, a court may preliminarily certify the class for purposes of providing notice. , 775 F.3d at 581-82; , 521 U.S. 591, 620-22 (1997)). Certification at this stage is not final. , 269 F.R.D. 468, 476 (E.D. Pa. 2010) (citing , 55 F.3d
768, 786 (3d Cir. 1995)). “Final certification of the class is determined by the court at the same time as the court rules on whether the final settlement agreement is to be approved.” .

III. DISCUSSION

A. Class Certification

To succeed on a class certification motion, a plaintiff must satisfy all four requirements of Rule 23(a) and at least one subsection of Rule 23(b).
, 265 F.3d 178, 183 (3d Cir. 2001). Rule 23(a) requires a showing of: (1) numerosity; (2) commonality; (3) typicality; and (4) adequacy. Fed. R. Civ. P. 23(a). If a plaintiff satisfies these four requirements, he must meet at least one subsection of Rule 23(b). In this case, the Class Reps seek certification pursuant to Rule 23(b)(3). Rule
23(b)(3) contains two explicit requirements: predominance and superiority , 727 F.3d 300, 305 (3d Cir. 2013). As part of a preliminary approval motion, courts can conduct a “less rigorous analysis” than the final approval stage requires.
, No. 15-MD-2654, 2016 WL 1359725, at *4 (E.D. Pa. Apr. 6, 2016).

1. Rule 23(a) factors

a. Numerosity

To satisfy the numerosity requirement, a plaintiff must show that the proposed class is so numerous that joinder of all members is impracticable. This generally requires more than 40 class members. , 837 F.3d 238, 249-50 (3d Cir. 2016). With roughly three million affected individuals, the Class Reps have
shown that joinder is not practicable.

b. Commonality

The commonality requirement requires a plaintiff to demonstrate that “there are questions of law or fact common to the class.” Fed. R. Civ. P. 23(a)(2). Commonality does
not require the perfect identity of questions of law or fact among all class members. , 802 F.3d 469, 486 (3d Cir. 2015). Instead, a plaintiff seeking class certification must demonstrate that his claims “depend upon a common
contention,” the resolution of which “will resolve an issue that is central to the validity of each one of the claims in one stroke.” , 564 U.S. 338, 350 (2011). There can be legal and factual differences among the class members if the defendant subjected them all to the same harmful conduct. The commonality bar is not
a high one. , 726 F.3d 372, 382 (3d Cir. 2013). “[F]or purposes of Rule 23(a)(2), even a single common question will do.” , 564 U.S. at 359. The Class Reps have cleared this low bar. Were the class members to proceed as individual plaintiffs, each would have to demonstrate (1) that Connexin had owed a duty
of care to protect their confidential health information; (2) that Connexin’s negligent acts or omissions were a proximate cause of the data breach that disclosed their information; and (3) that they were intended third-party beneficiaries to a contract
between Connexin and a pediatric practice.

c. Typicality

The typicality factor aids a court in determining whether “maintenance of a class action is economical and whether the named plaintiff’s claim and the class claims are so
interrelated that the interest of the class members will be fairly and adequately protected in their absence.” , 687 F.3d 583, 594 (3d Cir. 2012) (citation omitted). A class can meet this requirement when the representatives’ claims “arise from the same alleged wrongful conduct” as do the class’s claims.
, 391 F.3d 516, 532 (3d Cir. 2004). To determine whether a named plaintiff is so different as to prevent a finding of typicality, a court must address three distinct concerns: “(1) the claims of the class representative must be the same as
those of the class in terms of both (a) the legal theory advanced and (b) the factual circumstances underlying that theory; (2) the class representative must not be subject to a defense that is both inapplicable to many members of the class and likely to become a major focus of the litigation; and (3) the interests and incentives of the representative must be sufficiently aligned with those of the class.” , 687 F.3d at 598. The Third Circuit has set a “low threshold” for typicality, such that even “relatively pronounced
factual differences will generally not preclude a finding of typicality where there is a strong similarity of legal theories or where the claim arises from the same practice or course of conduct.” , 821 F.3d at 428 (quotes omitted).
The Class Reps satisfy the typicality requirement. Each named plaintiff suffered unauthorized disclosure of their sensitive information, an identical harm to all class members. No unique defense applies only to the Class Reps. Finally, the Class Reps’ interests are sufficiently aligned with the class members’ interests because all seek state
law remedies for harm resulting from the data security incident.

d. Adequacy

This final 23(a) factor considers both the plaintiff’s and counsel’s adequacy to represent the class. “Whether adequacy has been satisfied ‘depends on two factors: (a)
the plaintiff’s attorney must be qualified, experienced, and generally able to conduct the proposed litigation, and (b) the plaintiff must not have interests antagonistic to those of the class.’” ., 638 F. Supp. 2d 461, 477 (E.D. Pa. 2009) (quoting
, 490 F.3d 293, 313 (3d Cir. 2007)). “The second factor ‘seeks to uncover conflicts of interest between named parties and the class they seek to represent.’” (quoting , 391 F.3d at 532). I see nothing to call into question the adequacy of class representatives. They assert the same claims as class members and are not antagonistic to other members.
They have participated in the case, including providing written discovery and sitting for depositions. I also conclude that their counsel satisfies the adequacy threshold. Class counsel has extensive experience prosecuting class actions, and at least one other judge
in this district has found class counsel adequate. , No. 23- cv-2288-KSM, 2023 WL 4630674, at *2 (E.D. Pa. July 18, 2023) (“Mr. Johns, specifically, has almost 20 years of experience with complex class action cases and . . . has been appointed Lead Counsel in [this district] no less than three times.”).

2. Rule 23(b) factors

a. Predominance

Predominance requires a court to find “questions of law or fact common to class members predominate over any questions affecting only individual members.” Fed. R. Civ.
P. 23(b)(3). “When one or more of the central issues in the action are common to the class and can be said to predominate, the action may be considered proper under Rule 23(b)(3) even though other important matters will have to be tried separately, such as damages or some affirmative defenses peculiar to some individual class members.”
, 577 U.S. 442 (2016) (internal quotation marks omitted). The predominance requirement “does not require a plaintiff seeking class certification to prove that each element of her claim is susceptible to classwide proof.”
, 568 U.S. 455, 469 (2013) (internal quotes omitted). Nevertheless, “[t]o assess whether predominance is met at the class certification stage, a district court must determine whether the essential elements of the claims brought by the
putative class are ‘capable of proof at trial through evidence that is common to the class rather than individual to its members.’” , 885 F.3d 186, 195 (3d Cir. 2018) (quoting , 552 F.3d 305, 311-12 (3d Cir.
2009)). Although plaintiffs bring claims for violations of various states’ laws requiring that a data custodian adequately protect users’ sensitive information, all claims share questions of law and fact that predominate. For instance, whether Connexin owed class
members a duty to safeguard their information, whether the defendant breached such a duty, and whether the defendant’s conduct was the proximate cause of the harm are common questions that predominate over individual inquiries. Accordingly, the predominance inquiry is satisfied for this action.

b. Superiority

The superiority analysis calls for a determination that a class action is the best method of achieving a “fair and efficient adjudication of the controversy.”
., 259 F.3d 154 (3d Cir. 2001), (Oct. 16, 2001) (citing Fed. R. Civ. P. 23(b)(3)). This requires a “balance, in terms of fairness and efficiency, [of] the merits of a class action against those of ‘alternative available methods’ of adjudication.” , 83 F.3d 610, 632 (3d Cir. 1996) (citation omitted). In determining whether a class action is the superior method to adjudicate a controversy, courts should consider: “(A) the class members’ interests in
individually controlling the prosecution or defense of separate actions; (B) the extent and nature of any litigation concerning the controversy already begun by or against class members; (C) the desirability or undesirability of concentrating the litigation of the
claims in the particular forum; and (D) the likely difficulties in managing a class action.” Fed. R. Civ. P. 23(b)(3)(A)-(D). In considering a motion to certify a class for settlement purposes only, a court need not consider the likely difficulties with managing the class through trial. , 521 U.S. at 620.
As applied to the proposed class, these factors weigh in favor of class litigation. The number of class members, the common interest of class members, and the prevalence of common questions of law and fact make class action a more efficient vehicle for resolving these claims.

B. Settlement Approval

1. Rule 23(e) factors

“In evaluating a class action settlement under Rule 23(e), a district court determines whether the settlement is fundamentally fair, reasonable, and adequate.”
, 609 F.3d 590, 592 (3d Cir. 2010) (citing Fed. R. Civ. P. 23(e)). In making this determination, district courts consider whether:

(A) the class representatives and class counsel have adequately represented the class;
(B) the proposal was negotiated at arm’s length;
(C) the relief provided for the class is adequate, taking into account:
    (i) the costs, risks, and delay of trial and appeal;
    (ii) the effectiveness of any proposed method of distributing relief to the class, including the method of processing class-member claims;
    (iii) the terms of any proposed award of attorney’s fees, including timing of payment; and
    (iv) any agreement required to be identified under Rule 23(e)(3); and
(D) the proposal treats class members equitably relative to each other.

Fed. R. Civ. P. 23(e)(2).

a. Adequate representation

This factor focuses “on the actual performance of counsel acting on behalf of the class.” Fed. R. Civ. P. 23 Advisory Committee Notes (Dec. 1, 2018). Plaintiffs’ counsel (including the Interim Lead Counsel and the members of the Steering Committee) expended considerable time and effort on this case, engaged in extensive discovery, prepared the Class Reps for deposition, and held multiple rounds of mediation with Judge Welsh. Counsel evaluated the strengths and weaknesses of the claims and defenses and examined Connexin’s claims about its financial condition before reaching the proposed settlement agreement. Thus, this factor weighs in favor of preliminary approval.

b. Arm’s-length negotiation

The parties agreed to settle this case after multiple mediation sessions with Judge Welsh, a respected mediator. “[T]he participation of an independent mediator in settlement negotiations virtually [e]nsures that the negotiations were conducted at arm’s length and without collusion between the parties.” ., No. 15-2460, 2016 WL 4766079, at *6 (E.D. Pa. Sept.
13, 2016) (citation and quotation omitted). This factor weighs in favor of preliminary approval.

c. Adequacy of relief

i. Costs, risks, and delay of trial

This factor balances the “relief that the settlement is expected to provide to class members” against “the cost and risk involved in pursuing a litigated outcome.” Fed. R. Civ. P. 23 Advisory Committee Notes (Dec. 1, 2018). The Class Reps acknowledge the
risks of proceeding with their claims through the course of litigation, noting that complex data breach actions are an underdeveloped legal discipline and that proceeding with this case would incur considerable time and expenses. In addition, the relief takes into account the risk that Connexin’s financial weakness would have led to a
bankruptcy filing in the absence of a settlement. Such a filing would have left class members as unsecured creditors with unliquidated claims, meaning that they likely would not have recovered much, if anything, as part of a reorganization or liquidation.

ii. The proposed method of distributing relief

Under this factor, the court “scrutinize[s] the method of claims processing to ensure that it facilitates filing legitimate claims. . . [and] should be alert to whether the claims process is unduly demanding.” Fed. R. Civ. P. 23 Advisory Committee Notes (Dec. 1, 2018). The proposed settlement agreement provides individual notice to more than 2.8 million class members who originally received notice that the data breach included
their information. The notice goes by the same means that Connexin used to notify them about the data breach. In addition, the settlement provides class members with a straightforward claims process that offers them a choice of relief.

iii. Terms of proposed attorney’s fees

The proposed attorneys’ fees for this case are one third of the $4,000,000 proposed settlement fund. Courts in the Third Circuit have identified contingent fee requests of this magnitude as “squarely within the range of awards found to be
reasonable[].” , No. 18-03934, 2023 WL 2643201 at *3, n.5 (E.D. Pa. Mar. 24, 2023); , , No. 10-1044, 2011 WL 4018205, at *10 (E.D. Pa. Sept. 9, 2011).

d. Whether the proposal treats class members equitably relative to each other

Under the proposed settlement agreement, class members can choose from
three available options for relief: credit monitoring and insurance services; reimbursement for actual out-of-pocket losses resulting from the data breach; or an alternative cash payment. Only the option for reimbursement would yield variation in the amount actually paid to class members. Those who elect either credit monitoring or
the alternative cash payment will receive an award identical to all other class members who select that option. Because the proposed settlement treats class members equitably relative to each other, this factor weighs in favor of preliminary approval.

2. The , , and factors

Third Circuit has prescribed factors to evaluate the fairness of a proposed settlement in addition to those established in Rule 23(e)(2). , 629 F.3d 333 (3d Cir. 2010) (listing factors from , 521 F.2d 153
(3d Cir. 1975) and , 148 F.3d 283 (3d Cir. 1998)); , 708 F.3d 163 (3d Cir. 2013). In , the Third Circuit articulated nine factors for courts to consider, some of which were later incorporated into Rule 23 of the Federal Rules of Civil Procedure.
, 521 F.2d at 157 Fed. R. Civ. P. 23. The factors that require my analysis in this case include (a) the reaction of the class to the settlement; (b) the stage of the proceedings and the amount of discovery completed; (c) the ability of the defendants to
withstand a greater judgment; and (d) the range of reasonableness of the settlement fund in light of the best possible recovery and the attendant risks of litigation. Under the Third Circuit’s rulings in and , I must also consider (e) whether class or subclass members are accorded the right to opt out of the settlement and (f)
the degree of direct benefit to the class.

a. The reaction of the class to the settlement

This factor gauges “whether members of the class support the settlement.”
, 148 F.3d at 318. Because the Class Reps seek only provisional approval of the proposed settlement and preliminary class certification, I cannot assess the reaction of the class to the settlement at this time. However, the proposed settlement provides
adequate time for class members to offer objections and does not create a minimum number of objectors to render the settlement ineffective.

b. The stage of the proceedings and the amount of discovery completed

This factor “captures the degree of case development that class counsel have accomplished prior to settlement. Through this lens, courts can determine whether
counsel had an adequate appreciation of the merits of the case before negotiating.” , 617 F. Supp. 2d 336, 342 (3d Cir. 2007) (cleaned up). The Class Reps have engaged in fulsome formal discovery as well as a settlement-related exchange of financial information. Plaintiffs’ counsel acquired tens
of thousands of pages of documents through discovery and deposed seven witnesses. Based on the ample record created in advance of mediation sessions, I am convinced that the parties entered negotiations with a comprehensive understanding of the merits
of this case and agreed to the settlement with a full understanding of Connexin’s financial position. This factor weighs in favor of approval.

c. The ability of the defendants to withstand a greater judgment

A court must consider whether the proposed settlement offer is significantly below the threshold a defendant could withstand. , 264 F.3d 201, 240 (3d Cir. 2001). Still, even where a defendant has the practical ability to pay greater amounts than the settlement agreement provides, courts will regularly approve the proposed settlement. , , 80 F. Supp. 3d 626,
645 (E.D. Pa. 2015). Connexin has argued that it cannot withstand a judgment greater than the one that the proposed settlement provides. And Class Reps have done due diligence to confirm that fact. In these circumstances, even if the settlement fund is less
than might be awarded from the class trying the case to a favorable verdict, the guarantee of a settlement that Connexin can pay, and the avoidance of bankruptcy proceedings, weighs in favor of approval.

d. The range of reasonableness of the settlement fund in light of the best possible recovery and the attendant risks of litigation

These factors “evaluate whether the settlement represents a good value for a weak case or a poor value for a strong case. The factors test two sides of the same coin: reasonableness in light of the best possible recovery and reasonableness in light of the
risks the parties would face if the case went to trial.” , 391 F.3d at 538. In assessing the value of a case, a lawyer must consider three things: (i) the odds of proving liability; (ii) the likelihood of different amounts of damages; and (iii) the collectability of any award. In this case, the path to liability is far from certain, the
amount of damages is uncertain, and it would be hard (if not impossible) to collect a larger award from Connexin, given its financial position. So, while there have been examples of data breach settlements for more money than this one ( ,
, No. CV 19-6019, 2023 WL 6690705 (E.D. Pa. Oct 12, 2023)), this settlement is reasonable, given the risks that the Class Reps faced in securing and collecting on a larger judgment, or any judgment at all.

e. Whether class or subclass members are accorded the right to opt out of the settlement

The proposed notice to class members includes clear means to opt out of the settlement agreement, providing a sixty-day window from the date of notice to make such an election. This, coupled with Rule 23’s requirement that notice permit class members to opt out of the settlement, weighs in favor of approval.

f. The degree of direct benefits provided to the class

Class members are the direct beneficiaries of the proposed settlement. A claimant receives that benefit through his or her choice of either credit monitoring and insurance or a cash payment. Also, the settlement fund is non-reversionary, so class
members will reap the full benefit of the settlement regardless of how many make claims. This factor weighs in favor of approving the settlement.

C. Notice

Under Rule 23, “[t]he court must direct notice in a reasonable manner to all class
members who would be bound by the proposal.” Fed. R. Civ. P. 23(e)(1)(B). The notice must state, in plain, understandable language, the following information: “(i) the nature of the action; (ii) the definition of the class certified; (iii) the class claims, issues, or defenses; (iv) that a class member may enter an appearance through an attorney if the member so desires; (v) that the court will exclude from the class any member who requests exclusion; (vi) the time and manner for requesting exclusion; and (vii) the binding effect of a class judgment on members under Rule 23(c)(3).” Fed. R. Civ. P. 23(c)(2)(B).

The Parties propose to send a short form notice, consisting of a postcard, to every person who received notice of the data breach from Connexin. They
will then make available on a website and via publication a long form notice that contains more detail, and they will provide a claim form on the website. Because the short form notice is the one that class members will receive first, I focus my analysis on that
document. I conclude that the short form notice satisfies Rule 23(c). , it describes the nature of the action. On this point, I note that this is not the clearest explanation I have seen. But read as a whole, the short form notice explains that it comes from a court as part of settlement and informs the recipient that it is a product
of a settlement resulting from a data breach incident at Connexin. It might be better if the notice included a reference to the causes of action or if it used the word “lawsuit,” but on the whole, it provides class members with the information that they need. , it defines the class. , it describes, in broad strokes, the class claims as the
claims that arise out of a “data security incident.” (ECF No. 85-3 at Ex. C.) Again, the notice could do a better job of this, but on the whole, it gives readers the necessary information. , it references class members having an attorney appear on their
behalf. , it addresses opt-out options and timing. , and finally, it discloses the binding impact that will come from a failure to opt out. Having concluded that the short form notice satisfies Rule 26(c), I can then turn to the long form notice, which supplements the short form notice. To that end, I do not rely on the long form notice to fill gaps in the short form notice. But I do think it’s important that the long form notice supplements the brevity of the short form notice so
that class members can easily gather more information if they want it. I also note that other judges in this District have approved similar notice programs. , No. CV 22-2917, 2024 WL 22075, at *9 (E.D. Pa. Jan. 2, 2024);
, 291 F.R.D. 93 (E.D. Pa. 2013). Ultimately, I conclude that the notice program satisfies Rule 23 and will provide class members with direct, reasonable notice to give them the opportunity to evaluate their rights in this case.

IV. CONCLUSION

I will preliminarily approve the settlement and provisionally certify the class for the purpose of settlement. An appropriate Order follows.

BY THE COURT:
JOSHUA D. WOLSON, J.
March 13, 2024