IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WISCONSIN
KEITH TESKY, MARK TESSMER, KENNETH OLLERMAN, CHRISTOPHER VANGOETHEM, and OPINION and ORDER KAL TESKY, on behalf of themselves and
all others similarly situated, 23-cv-184-jdp
23-cv-187-jdp Plaintiffs, 23-cv-189-jdp v. 23-cv-287-jdp
BONE & JOINT CLINIC, S.C.,
Defendant.
These consolidated proposed class actions arise from a cyberattack on defendant Bone & Joint Clinic, S.C. Plaintiffs allege that the Clinic’s failure to adequately protect its computer network allowed cybercriminals to steal personal information of current and former Clinic patients and employees. On August 9, 2024, the court denied without prejudice Linman’s unopposed motion for preliminary approval of the parties’ proposed settlement and asked the parties to address numerous concerns. Dkt. 35. In response, plaintiffs filed a supplemental brief in with additional materials supporting their motion for preliminary approval of the settlement agreement. Dkt. 38. The court will construe plaintiffs’ supplemental brief as a renewed motion for preliminary approval. The court is persuaded that certification and preliminary approval is appropriate, and the court will also approve the proposed class notice. So, the court will grant plaintiffs’ renewed motion for preliminary approval, direct the parties to send notice to the class members, set a deadline for a motion for final approval, and set a date for a fairness hearing. ANALYSIS A. Class certification Approval of the state-law class certification is governed by Federal Rule of Civil
Procedure 23. There are three requirements for class certification under Rule 23: (1) the class must be clearly defined with objective criteria, Mullins v. Direct Digital, LLC, 795 F.3d 654, 657 (7th Cir. 2015); (2) the class must satisfy the threshold requirements of numerosity, commonality, typicality, and adequacy of representation under Rule 23(a); and (3) the class must meet the requirements of at least one of the types of class actions listed in Rule 23(b). The court concludes that plaintiffs have satisfied each of the relevant Rule 23 requirements: Class definition. The parties’ settlement agreement defines the proposed class as follows:
All current and former patients and employees of Bone & Joint residing in the United States whose Private Information was potentially impacted by the Data Incident and were sent notice of the Data Incident. Dkt. 31-1, at 4. “Data Incident” is defined as “the ransomware attack that occurred on or about January 16, 2023, on [the Clinic]’s systems.” Id. This definition is clear and uses objective criteria. Numerosity. There are 105,094 potential members of the class, which is numerous enough to make joinder impractical. See Fed. R. Civ. P. 23(a). Commonality, typicality, and adequacy of the named plaintiff. The claims in this case turn on whether the Clinic took adequate measures to protect its network from cyberattacks. Common questions of law or fact concerning the Clinic’s policies will resolve the allegations of the entire class. The court sees no apparent conflicts between the named plaintiffs’ interests and those of the rest of the class, and they have claims that are typical of the class. So these requirements are met. Adequacy of class counsel. Class counsel have significant experience litigating and
obtaining settlements for similar class actions. See Fed. R. Civ. P. 23(g)(1); Dkt. 31, ¶¶ 3–9; Dkt. 31-2. The court will approve Raina Borrelli of Strauss Borrelli PLLC, Danielle L. Perry of Mason LLP, and Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert as class counsel. Predominance and Superiority. Plaintiffs contend that this action satisfies Rule 23(b)(3), which requires that the action’s common questions of law or fact predominate over questions that affect only individual members, and that the controversy would best be resolved through a class action. To determine whether common questions predominate, the
court considers (1) the class members’ interests in individually controlling their own claims; (2) the nature and extent of any other litigation about the controversy; (3) the desirability of concentrating the litigation here; and (4) any management challenges that the case may present. Fed. R. Civ. P. 23(b)(3). The main issue in this case is whether the Clinic failed to adequately protect the data on its network. The answer to this question will be the same regardless of the identity of individual class members, so the court concludes that common questions predominate over individual ones. A class action is superior to other methods of adjudicating the case because
the large size of the class (more than 100,000 class members) and the small amount of damages for each class member makes individual lawsuits impractical. See Fed. R. Civ. P. 23(b)(3). B. Preliminary approval The court may grant preliminary approval when the court concludes that it will likely be able to give final approval to the settlement, applying the factors listed in Rule 23(e)(2).
These include the adequacy of relief to the class, the relative fairness of the settlement for each class member, and the reasonableness of the attorney fees. Fed. R. Civ. P. 23(e)(2). The court raised several concerns about the proposed settlement in its previous order: (1) plaintiffs did not provide evidence of minimal diversity as required under 28 U.S.C. § 1332(d); (2) plaintiffs did not provide an estimate of the cost of notice and administration expenses, did not explain how the parties arrived at their settlement figure or estimated pro rata payments, and provided no metric for determining the fairness of the settlement; (3) the plaintiffs did not justify the incentive award for the class representative; (4) plaintiffs did not
explain the proposed method of distributing relief to the class; (5) plaintiffs provided flawed and insufficient information about attorney fees; and (6) the proposed notice and claim forms contained several errors and did not contain information about the version of the form that will be sent via email. The court is satisfied that plaintiffs’ supplemental submission provides sufficient information to address these concerns at the preliminary approval stage. As for the requirement of minimal diversity for subject matter jurisdiction, plaintiffs are required to identify at least one specific class member who is a citizen of a state other than Wisconsin to satisfy the minimal diversity requirement. Dancel v. Groupon, Inc., 940 F.3d 381,
385 (7th Cir. 2019). The parties’ supplemental submissions include a declaration from the Clinic’s counsel that provide a list of the number of individuals in each state that were sent notice that their information was potentially affected by the data breach. Dkt. 39, ¶ 4. Mailing addresses alone are not sufficient to establish that a member of the class has diverse citizenship. In re Sprint Nextel Corp., 593 F.3d 669, 674 (7th Cir. 2010).
Free access — add to your briefcase to read the full text and ask questions with AI
IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WISCONSIN
KEITH TESKY, MARK TESSMER, KENNETH OLLERMAN, CHRISTOPHER VANGOETHEM, and OPINION and ORDER KAL TESKY, on behalf of themselves and
all others similarly situated, 23-cv-184-jdp
23-cv-187-jdp Plaintiffs, 23-cv-189-jdp v. 23-cv-287-jdp
BONE & JOINT CLINIC, S.C.,
Defendant.
These consolidated proposed class actions arise from a cyberattack on defendant Bone & Joint Clinic, S.C. Plaintiffs allege that the Clinic’s failure to adequately protect its computer network allowed cybercriminals to steal personal information of current and former Clinic patients and employees. On August 9, 2024, the court denied without prejudice Linman’s unopposed motion for preliminary approval of the parties’ proposed settlement and asked the parties to address numerous concerns. Dkt. 35. In response, plaintiffs filed a supplemental brief in with additional materials supporting their motion for preliminary approval of the settlement agreement. Dkt. 38. The court will construe plaintiffs’ supplemental brief as a renewed motion for preliminary approval. The court is persuaded that certification and preliminary approval is appropriate, and the court will also approve the proposed class notice. So, the court will grant plaintiffs’ renewed motion for preliminary approval, direct the parties to send notice to the class members, set a deadline for a motion for final approval, and set a date for a fairness hearing. ANALYSIS A. Class certification Approval of the state-law class certification is governed by Federal Rule of Civil
Procedure 23. There are three requirements for class certification under Rule 23: (1) the class must be clearly defined with objective criteria, Mullins v. Direct Digital, LLC, 795 F.3d 654, 657 (7th Cir. 2015); (2) the class must satisfy the threshold requirements of numerosity, commonality, typicality, and adequacy of representation under Rule 23(a); and (3) the class must meet the requirements of at least one of the types of class actions listed in Rule 23(b). The court concludes that plaintiffs have satisfied each of the relevant Rule 23 requirements: Class definition. The parties’ settlement agreement defines the proposed class as follows:
All current and former patients and employees of Bone & Joint residing in the United States whose Private Information was potentially impacted by the Data Incident and were sent notice of the Data Incident. Dkt. 31-1, at 4. “Data Incident” is defined as “the ransomware attack that occurred on or about January 16, 2023, on [the Clinic]’s systems.” Id. This definition is clear and uses objective criteria. Numerosity. There are 105,094 potential members of the class, which is numerous enough to make joinder impractical. See Fed. R. Civ. P. 23(a). Commonality, typicality, and adequacy of the named plaintiff. The claims in this case turn on whether the Clinic took adequate measures to protect its network from cyberattacks. Common questions of law or fact concerning the Clinic’s policies will resolve the allegations of the entire class. The court sees no apparent conflicts between the named plaintiffs’ interests and those of the rest of the class, and they have claims that are typical of the class. So these requirements are met. Adequacy of class counsel. Class counsel have significant experience litigating and
obtaining settlements for similar class actions. See Fed. R. Civ. P. 23(g)(1); Dkt. 31, ¶¶ 3–9; Dkt. 31-2. The court will approve Raina Borrelli of Strauss Borrelli PLLC, Danielle L. Perry of Mason LLP, and Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert as class counsel. Predominance and Superiority. Plaintiffs contend that this action satisfies Rule 23(b)(3), which requires that the action’s common questions of law or fact predominate over questions that affect only individual members, and that the controversy would best be resolved through a class action. To determine whether common questions predominate, the
court considers (1) the class members’ interests in individually controlling their own claims; (2) the nature and extent of any other litigation about the controversy; (3) the desirability of concentrating the litigation here; and (4) any management challenges that the case may present. Fed. R. Civ. P. 23(b)(3). The main issue in this case is whether the Clinic failed to adequately protect the data on its network. The answer to this question will be the same regardless of the identity of individual class members, so the court concludes that common questions predominate over individual ones. A class action is superior to other methods of adjudicating the case because
the large size of the class (more than 100,000 class members) and the small amount of damages for each class member makes individual lawsuits impractical. See Fed. R. Civ. P. 23(b)(3). B. Preliminary approval The court may grant preliminary approval when the court concludes that it will likely be able to give final approval to the settlement, applying the factors listed in Rule 23(e)(2).
These include the adequacy of relief to the class, the relative fairness of the settlement for each class member, and the reasonableness of the attorney fees. Fed. R. Civ. P. 23(e)(2). The court raised several concerns about the proposed settlement in its previous order: (1) plaintiffs did not provide evidence of minimal diversity as required under 28 U.S.C. § 1332(d); (2) plaintiffs did not provide an estimate of the cost of notice and administration expenses, did not explain how the parties arrived at their settlement figure or estimated pro rata payments, and provided no metric for determining the fairness of the settlement; (3) the plaintiffs did not justify the incentive award for the class representative; (4) plaintiffs did not
explain the proposed method of distributing relief to the class; (5) plaintiffs provided flawed and insufficient information about attorney fees; and (6) the proposed notice and claim forms contained several errors and did not contain information about the version of the form that will be sent via email. The court is satisfied that plaintiffs’ supplemental submission provides sufficient information to address these concerns at the preliminary approval stage. As for the requirement of minimal diversity for subject matter jurisdiction, plaintiffs are required to identify at least one specific class member who is a citizen of a state other than Wisconsin to satisfy the minimal diversity requirement. Dancel v. Groupon, Inc., 940 F.3d 381,
385 (7th Cir. 2019). The parties’ supplemental submissions include a declaration from the Clinic’s counsel that provide a list of the number of individuals in each state that were sent notice that their information was potentially affected by the data breach. Dkt. 39, ¶ 4. Mailing addresses alone are not sufficient to establish that a member of the class has diverse citizenship. In re Sprint Nextel Corp., 593 F.3d 669, 674 (7th Cir. 2010). But counsel also asserts that review of defendant’s records shows that multiple proposed class members with addresses in Michigan, Illinois, Florida, Minnesota, Texas, and Arizona have a driver’s license from states outside Wisconsin. Dkt. 39, ¶ 7. The court concludes that this is sufficient to satisfy the minimal
diversity requirement. Under the agreement, the Clinic is to pay $575,000 to establish a common settlement fund, which will be used to pay attorney fees, litigation expenses, an incentive award to plaintiffs, the cost of notice and administrative expenses, and payments to class members. The settlement agreement and plaintiffs’ brief in support of the motion for preliminary approval estimate the following amounts for fees and expenses: • $191,475 for attorney’s fees; • $20,000 for litigation expenses;
• $120,929 for administrative costs; and • $2,000 per representative for named plaintiffs’ incentive awards (for a total of $10,000 in service awards). Dkt. 31-1, at 16; Dkt. 33, at 34–35; Dkt. 38, at 5–6. If the court were to grant the requested expenses, fees, costs and service awards, it would leave $232,596 of the settlement fund for payments to class members. Payments to class members will consist of: (1) compensation for documented out-of-pocket losses up to a total of $5,000 per class member; and (2) a pro rata
cash payment from any remaining funds, which is estimated to be $75 per class member but could be higher or lower depending on what funds remain after all the other distributions. None of the settlement fund will revert to the Clinic. As for the concerns that the court raised about the substantive fairness of the settlement, plaintiffs provided additional information about their estimated administrative costs, how the parties reached the settlement amount, and why they estimate that the pro rata payment to class members will be $75.
The estimated administrative expenses of $120,929 would be approximately 21 percent of the settlement fund. This is a significant portion of the total settlement fund. But it is not disproportionate to the cost that could be expected to mail notice to more than 100,000 individuals, so the court will preliminarily approve the settlement despite the parties’ estimate that a fifth of the settlement will go to the cost of administering notice. The parties’ motion for final approval of the settlement should include detailed information about the administrative expenses that are actually incurred so the court can assess the fairness of the settlement.
Plaintiffs’ supplemental brief explains that the $575,000 common fund proposal was the result of arms-length negotiations and that plaintiffs will receive additional relief in the form of cyber security enhancements to the Clinic’s network, which the Clinic asserts cost approximately $980,000. Dkt. 39, at 6–8. Class counsel assessed this proposal based on other recent settlements in class action data breach cases. Id., at 5–6; Dkt. 38-4, ¶¶ 11, 16–18. The estimate of a $75 pro rata payment to class members who file claims is also based on class counsel’s experience in similar settlements in data breach cases that distributed a common fund to class members with claims for out-of-pocket losses and a pro rata cash
payment. Class counsel explains that, based on counsel’s experience and publicly available information about similar data breach class actions, counsel expects that claims for out-of-pocket losses will be no more than three percent of the total settlement fund. Dkt. 38-4, ¶ 12. Counsel also explains that claims rates in similar cases ranged from “a fraction of a percent to 2.56 [percent] of the Class, though rates trend toward the lower end.” Id. ¶ 13. Class counsel provides a chart of seven recent settlements that provides an overall per person recovery based on the settlement amount and class size. Id., ¶ 17. Of the settlements listed, the settlement in
this case is within the upper half of settlement dollars per person in the class. Past settlements are not necessarily a measure of how many claims class members will make in this case, and plaintiffs do not explain how the settlement administrator will handle distributions if the claims for out-of-pocket losses and lost time payments exceed the available settlement fund. But in the absence of other methods to assess the value of the class members’ claims, it is reasonable to look to past settlements to evaluate the adequacy of the proposed settlement amount and to estimate the projected claim rate for this case. The court concludes that the relief appears to be adequate and to fairly distribute relief
to different members of the class judged by comparison to the example settlements that plaintiffs cite. The parties’ motion for final approval of the settlement should include detailed information about the claims that the settlement administrator receives for the court to assess the fairness of the settlement. As for the incentive award, plaintiffs’ supplemental submissions provide additional details about the named plaintiffs’ role in the case. Each of the named plaintiffs submitted a declaration saying that he “discussed this matter at length on several occasions with my attorneys to assist in the investigation and discovery process before and after this case was
filed” and made himself “available during mediation as well as through subsequent negotiations during the settlement process, including reviewing the Settlement Agreement.” Dkt. 38-3, at 3, 6, 10, 13, and 17. Each of the named plaintiffs also says that he “spent time reviewing documents, investigation and otherwise assisting my attorneys with this case.” Id., at 3–4, 6–7, 10–11, and 17–18. These assertions that the named plaintiffs expended time and effort on this case are sufficient for the court to preliminarily approve the $2,000 incentive award. As for the method of distribution of relief, plaintiffs submitted a declaration from a
senior vice president of the proposed settlement administrator, Epiq Class Action and Claim Solutions, Inc., that explains how Epiq will distribute payments to class members who submit claims. Dkt. 40, ¶ 25. The declaration explained that class members who submit claim forms “will be given the option of receiving a digital payment (in the form of an ACH, PayPal, or Venmo payment) or a traditional paper check.” Id. Payments will be distributed either within 45 days of the effective date of the settlement or within 30 days of all claim forms being approved and finalized, whichever is later. For any electronic payments that are incomplete or unclaimed, Epiq will mail a paper check. “Any checks returned as undeliverable will be sent to
a third party to perform address lookup services using their extensive databases to identify possible updated addresses.” Id. The court concludes that this distribution method seems reasonable and effective, but the parties’ motion for final approval should specify the date by which they anticipate the distribution process will be complete. As for attorney fees, plaintiffs’ supplemental submission provides information about the current lodestar total, but plaintiffs did not revise their attorney fee request to address the percentage-of-recovery method in this circuit. Instead, plaintiffs contend that the court should consider the value of the non-monetary relief the class has received when assessing the attorney
fee award. Plaintiffs explain that if the value of the Clinic’s investments in cyber-security enhancements is included in the total settlement value, then counsels’ fee request is 13.2 percent of the settlement. Dkt. 38, at 13. Plaintiffs rely on a declaration from the Clinic’s director of information technology to assert that the value of the Clinic’s business practice changes is more than one million dollars. Counsel’s reliance on the nonmonetary benefits to justify their fee petition has multiple problems. The first problem is that the general rule in this circuit is that “fees awarded to class
counsel should not exceed a third or at most a half of the total amount of money going to class members and their counsel.” Pearson v. NBTY, Inc., 772 F.3d 778, 782–83 (7th Cir. 2014). Counsel cite no authority for the view that they may use nonmonetary benefits to justify a larger fee award; they simply assume that they can. Pearson does include a discussion of injunctive relief, but the court concluded that the district court was within its discretion to find that the parties’ proposed injunction provided no benefit to the class. Id. at 786. The court didn’t consider whether or how injunctive relief factors into the reasonableness of a fee request. Other courts have concluded that it is more appropriate to evaluate a fee petition under a
lodestar analysis when the primary benefit is injunctive relief, particularly when counsel fails to provide evidence on the value of that relief. See Kim v. Allison, 8 F.4th 1170, 1180–81 (9th Cir. 2021); Roes, 1-2 v. SFBSC Mgmt., LLC, 944 F.3d 1035, 1055–56 (9th Cir. 2019). This leads to the second problem: plaintiffs’ counsel provided a single declaration from the Clinic’s IT director to qualify the value of nonmonetary relief. If counsel wishes to rely on the value of nonmonetary relief to bolster a fee petition, they will have to do more than provide a bottom-line figure. Yet another problem with the business practice changes is that the settlement agreement
provides no mechanism for a class member to confirm, challenge, or enforce any of the identified changes. This portion of the settlement agreement consists of little more than vague assertions that the Clinic has or will make certain changes without any accountability for the Clinic. All this is to say that the court is skeptical that a fee request of almost $192,000 when the money being distributed to the class is less than $243,000 can be justified in this case based
on a percentage-of-recovery analysis. Counsels’ fees would be more than 44 percent of the payment going to the class plus fees to counsel, which is at the upper range that has been allowed in this circuit. Plaintiffs’ counsel says that their fee request can also be justified under a lodestar approach. But the claimed fees of more than $158,000 is somewhat surprising in a case that didn’t proceed past the preliminary pretrial conference and in which plaintiffs didn’t file a single substantive motion before moving for preliminary approval of the settlement. The proposed attorney fees are not so far outside the realm of reasonableness that they require denial of preliminary approval. But class counsel’s motion for attorney fees should
address these concerns and must comply with the court’s procedures for fee petitions, which require that counsel provide proper documentation for fee requests, including contemporaneous logs with separate entries for the hours spent on specific tasks. Attachment to Dkt. 18, at 39. Counsel’s motion should address potential concerns about duplication of effort, failure to delegate, and excessive hourly rates as well as duplication of expenses, including mediation fees. See Schlacher v. Law Offices of Phillip J. Rotche & Associates, P.C., 574 F.3d 852, 858–59 (7th Cir. 2009) (affirming fee reduction for duplicative work and partners’ failure to delegate appropriate tasks to associates and paralegals). The declarations of plaintiffs’
counsel show that no fewer than ten attorneys and six paralegals from multiple law firms were assigned to this case and that five of the attorneys billed at rates of $700 an hour or more. C. Notice Rule 23(c)(2) requires that notice sent to class members must plainly state the nature of the action, the definition of class, the issues in the case, that class members have the option
to appear through an attorney, that class members have the option to be excluded from the class settlement (and how they can exercise that option), and the binding effect of judgment on members who are not excluded. The court raised concerns about the proposed email notice that will be sent to class members and about several errors or inaccurate statements in the claim form and notice. The court is satisfied that plaintiffs’ revised submissions addressed these concerns. Plaintiffs have provided the subject line and content of the email notice, both of which appear reasonable. The revised notice also corrects the typo in the estimated pro rata payment in the
claim form, removes the reference to lost time payments, and corrects the misleading definition of the class in the notice. In addition, the Clinic has complied with 28 U.S.C. § 1715(b)’s requirement that counsel give notice of the class settlement to certain state and federal officials. Dkt. 33. D. Deadlines and fairness hearing Epiq may have until July 17, 2025, to disseminate notice to the class, after which class members will have 60 days to opt out of the Rule 23 class or file objections and 90 days to file claims. The settlement administrator will have until September 25, 2025, to provide a list of
objections and exclusions to the court and the parties and will have November 5, 2025, to provide a list of initially approved and rejected claims to the parties. The parties may have until December 1, 2025, to file a motion for final approval addressing the factors in Rule 23(e)(2). Class counsel may have until December 1, 2025, to file a motion for attorney fees; defendant may have until December 8, 2025, to respond. The court will hold a fairness hearing on January 7, 2026, at 10:00 am.
ORDER IT IS ORDERED that:
1. The following class is certified under Federal Rule of Civil Procedure 23: “All current and former patients and employees of Bone & Joint residing in the United States whose Private Information was potentially impacted by the Data Incident and were sent notice of the Data Incident.” 2. The court approves Raina Borrelli of Strauss Borrelli PLLC, Danielle L. Perry of Mason LLP, and Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert as class counsel. 3. Plaintiffs’ renewed motion for preliminary approval of the settlement, Dkt. 38, is GRANTED. 4. The claims administrator may have until July 17, 2025, to send out the class notices, giving members 60 days to opt out of the class or file an objection and 90 days to file a claim. 5. The parties may have until December 1, 2025, to file a motion for final approval and a motion for fees and costs. 6. The court will hold a fairness hearing on January 7, 2026, at 10:00 am. Entered July 3, 2025. BY THE COURT:
/s/ ________________________________________ JAMES D. PETERSON District Judge