September 19, 2024 – Class Action Defense

By Gerald L. Maatman, Jr., Bernadette Coyne, and Zachary J. McCormack

Duane Morris Takeaways: On September 6, 2024, in Hamm v. Acadia Healthcare Co., Inc., No. 20-CV-1515, 2024 U.S. Dist. LEXIS 160319 (E.D. La. Sept. 6, 2024), Judge Susie Morgan of the U.S. District Court for the Eastern District of Louisiana denied Acadia LaPlace Holdings, LLC and Oschner-Acadia, LLC’s (“Acadia”) motion to decertify Plaintiffs’ Fair Labor Standards Act (“FLSA”) collective action in a suit accusing the hospital operator of failing to pay nurses for interrupted meal breaks. After the Court previously certified the collective action by applying the rigorous standard from Swales v. KLLM Transport Services, LLC, 985 F.3d 430, 441 (5th Cir. 2021), Acadia moved to decertify the collective by claiming the workers are too dissimilar for collective-wide treatment. However, the Court ruled that Acadia’s request to decertify was improper at this late stage in the litigation considering that the Court previously certified the collective action after providing the parties with the opportunity to conduct preliminary discovery and fully brief the issue. This ruling indicates that, although the Fifth Circuit has not ruled on whether a defendant can bring a motion to decertify after certification has been granted, this issue is becoming ripe for appellate review.

Case Background

Acadia is a leading provider of behavioral healthcare services that operates a network of approximately 250 facilities in thirty-eight states and Puerto Rico. Acadia previously employed Plaintiffs Amy Hamm and Joye Wilson as nurses at hospitals it operated in Texas and Louisiana. Hamm, 2024 U.S. Dist. LEXIS 160319, at *3. On May 22, 2020, Plaintiffs filed a complaint alleging Acadia violated the FLSA and Louisiana state law by failing to pay overtime compensation for on-duty meal periods and off-the-clock work. Id. Specifically, the two former workers claimed the hospital operator automatically deducted 30 minutes from the nurses’ paychecks for meal breaks despite constant interruptions and the requirement to remain on call to respond to potential emergencies during the breaks. Id.

On March 7, 2022, Plaintiffs moved for certification of their FLSA claims as a collective action, but prior to hearing Plaintiffs’ motion, the Court found that “limited discovery [was] needed” to evaluate “whether the employees in [the] proposed collective action [were] similarly situated” within the meaning of Section 216(b) of the FLSA. Id. Ultimately, after conducting the limited discovery, the Court partially granted Plaintiffs’ motion to certify, and on July 13, 2022, defined the collective action to include all current and former hourly, non-exempt employees directly involved with patient care — such as nurses, nursing staff, aides and technicians — who worked for Acadia between May 2017 through the date of the dispute’s resolution. Acadia later filed its motion to decertify Plaintiffs’ collective action, arguing that the named and opt-in plaintiffs were not sufficiently similar to be combined into a collective action because of differences between the jobs, meal break experiences, and the claims alleged by the Plaintiffs and the potential opt-in members. Id. at *4.

The Court’s Decision

Until January 2021, district courts within the Fifth Circuit generally applied the test derived from Lusardi v. Xerox Corp., 118 F.R.D. 351 (D.N.J. 1987),during the certification process for FLSA collective actions. The Lusardi test divided the notice and class certification process into two steps. In the first step, referred to as “conditional certification,” the court determined whether the proposed opt-in plaintiffs and the named plaintiffs were similarly situated. Hamm, 2024 U.S. Dist. LEXIS 160319, at *5. The plaintiff’s burden at this step was minimal, and as such, most collective actions are typically certified. Id. The second step, which occurrs at the conclusion of discovery, and was often prompted by a motion to decertify by the defendant, requires a more rigorous determination of whether the named plaintiffs and the opt-in plaintiffs were similarly situated. Id. If not, the named plaintiffs could only bring the lawsuit on their individual behalf, not on behalf of the opt-in plaintiffs. Id. at *6.

The Fifth Circuit rejected the Lusardi approach in Swales, and now district courts within the Fifth Circuit are instructed to “rigorously scrutinize” whether the named plaintiffs and potential opt-in plaintiffs are sufficiently similar to each other at the outset of litigation, before potential opt-in plaintiffs can be notified of the FLSA action. Id. Courts in the Fifth Circuit now identify what facts and legal considerations are material to making the “similarly situated” determination and authorize preliminary discovery accordingly. Id. The Swales decision further directs courts to make the certification decision “as early as possible.” Id.

In Acadia’s motion to decertify, it asked the Court to undertake a post-discovery decertification inquiry reminiscent of the second stage of the Lusardi test. Id. at *9. Specifically, Acadia argued that evidence obtained during the preliminary discovery phase revealed differences between the jobs, meal break experiences, and claims of Plaintiffs and opt-in members, and established that the members of the collective action were not “similarly situated” under Section 216(b). Id. at *10. In response, Plaintiffs argued that Acadia’s motion was moot because the Court already declared Plaintiffs were similarly situated under the rigorous Swales approach, and certified the FLSA collective action. Id. at *11. In its reply, Acadia advanced a proposition that “[a]t the decertification stage, even post-Swales, it is still Plaintiffs’ burden to prove and maintain through the litigation that the collective members are similarly situated.” Id. Acadia argued that using the Swales framework in lieu of the Lusardi two-step process does not mean defendants forfeit their ability to later seek decertification. Id. at *13.

Ultimately, Judge Morgan ruled that Acadia’s motion to decertify came too late and that “to allow such a motion would be a waste of judicial resources.” Id. The Court reasoned that once certified under the Swales framework, after an opportunity to conduct preliminary discovery and fully brief the issues, there is no justification for a motion to decertify. Id. Although the Fifth Circuit has not yet ruled on whether a defendant may bring a motion to decertify after the initial certification of an FLSA collective action under the Swales framework, Judge Morgan opined that the Swales decision was not intended to allow this. Id. at *14.

Implications For Employers

The Hamm ruling provides guidance to employers with operations in the Fifth Circuit as to how a court will treat a motion to decertify filed after the court has granted certification utilizing the Swales standard. Moving forward, employers in the Fifth Circuit should aim to break up a proposed collective action during the fact-intensive certification process conducted towards the beginning of the litigation. Courts are unlikely to require plaintiffs to maintain, throughout the litigation, that collective members are similarly situated. Corporate counsel should take note that “conditional certification” remains non-existent in the Fifth Circuit, and once a court considers all available evidence to grant Section 216(b) certification, it is unlikely to revisit the issue.

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman, special counsel Justin Donoho, and associate Ryan Garippo with their analysis of a major settlement in the data breach class action space, and what it signifies for trends in this area as well as data security best practices for companies.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.

Episode Transcript

Jerry Maatman: Thank you, loyal blog readers for joining us for this week’s installment of our podcast series called the Class Action Weekly Wire. I’m joined today by my colleagues, Justin and Ryan, and the topic of the day is one of the most significant data breach class action settlements of 2024. Welcome, Justin and Ryan.

Justin Donoho: Hi, Jerry, thank you for having me.

Ryan Garippo: Thanks, Jerry. Happy to be here.

Jerry: So specifically, what we wanted to do was talk about the ins and outs of the $65 million class action settlement announced in a data breach lawsuit entitled Doe v. Lehigh Valley Health Network. Justin, can you set the stage for our listeners and readers about what this case is about and why it’s significant?

Justin: Yes, Jerry. In this case the plaintiffs are cancer patients. They filed a class action against Pennsylvania, based healthcare company, Lehigh Valley Health Network, for its alleged failure to protect their nude photographs taken during their cancer treatments from cybercriminals who hacked into the company servers, stole the photographs, and leaked them to the public in February 2023. The plaintiffs brought claims for negligence, breach of fiduciary duty, publicity of private matters, and other claims. The plaintiffs also sought punitive damages based on their assertion that, despite being told by the criminal hackers that the nude photos and other sensitive data would be released publicly if a ransom were not paid, the health system declined to take any action, and therefore allegedly made a knowing, reckless, and willful decision of their own to allow the criminal hackers to post their nude images on the internet.

Jerry: Most data breach class actions involve infiltration of systems involving social security information, payroll data, and like. Very unusual that would include photographs, let alone photographs of patients receiving treatment. Ryan, what were some of the particulars of the settlement agreement that plaintiffs’ counsel and defense counsel for the defendant had negotiated to get this case resolved?

Ryan: Well, Jerry, the breach affected over a 135,000 patients and employees, more than 600 of whom had their medical images posted online. So the class members will receive payouts ranging from $50 to $70,000. But the higher amounts going to those who actually had their new photos published on the internet, and the lower amounts being for those who suffered a less invasive invasion of their personal information. And, as you’ve mentioned overall, the company will pay a total of $65 million to sell those claims.

Jerry: So our Class Action Review tracks settlements in all substantive areas, including data breach, and over the last 36 months, anecdotally, data breach class actions just keep getting bigger and bigger and bigger. And this is a manifestation of that trend. How do you believe this will impact the price or the going rate of data breach class action settlements going forward in Corporate America?

Ryan: Well, Jerry, I think it’s only likely to go up. The Duane Morris Class Action Review analyzed the largest data breach settlements, and in 2023 plaintiffs secured about $515 million dollars in total for the top 10 settlements. The largest settlement being $350 million in the In Re T-Mobile Customer Data Security Breach Litigation, which accounted for the majority of that number, and the next largest settlement was $49.5 million in the In Re Blackbaud Inc. Customer Data Security Breach Litigation as well. So, this is settlement is very large for a data breach class action settlement overall, and healthcare institutions continue to be a favorite target for the plaintiffs’ bar in the cybersecurity space.

Justin: Thank you, Ryan. This settlement looks like it will likely be one of the largest data breach class action settlements in 2024 for sure. This case also continues the massive growth of data breach litigation in general over the past few years. Cybercrime is on the rise – companies need to likewise raise their own levels of data security practices to mitigate risks associated with these types of incidents. In fact, a number of data security practices including involvement of Board of Directors data encryption and password reset policies were included in some level of detail in this settlement as measures the healthcare company agreed to adopt in addition to paying out all that money to the plaintiffs. These are types of data security measures all companies should consider as they design and work to continuously improve their cybersecurity programs.

Jerry: Well, thanks so much, Justin and Ryan, for your analysis of this settlement and its implications for Corporate America. The newest edition, the 2025 Duane Morris Class Action Review, will come out in the first week of January of 2025, and my prediction would be this particular settlement certainly going to be on that top 10 list. Well, thank you loyal blog readers and listeners for tuning into this week’s installment of the Class Action Weekly Wire, and thank you, Justin and Ryan, for providing your thought leadership.

Ryan: Thanks, Jerry, and thank you to the listeners.

Justin: Thank you, Jerry. Thanks everyone.