McFadden, Presiding Judge. For six days in March 2019, John Doe was a patient at Ridgeview Institute Monroe, a private mental health and substance abuse treatment facility. He filed a proposed class action lawsuit against the owner of Ridgeview and others (together, “Ridgeview”), alleging that Ridgeview’s conduct had enabled a former Ridgeview employee to disclose to unauthorized individuals the legally protected records of more than 1,400 Ridgeview patients. The trial court denied Doe’s motion for class certification, and Doe filed this appeal. The trial court held that the proposed class lacked sufficient commonality and typicality to satisfy the requirements of OCGA § 9-11-23 (a) (2) and (3) and so could not proceed as a class action. Doe enumerates that holding as error. We agree, so we reverse. 1. Factual and procedural background. “Plaintiffs have the burden of establishing their right to class certification, and we review the trial court’s decision in certifying or refusing to certify a class action for an abuse of discretion. . . . [W]e will not reverse the factual findings in a trial court’s class certification order unless they are clearly erroneous . . . .” Rite Aid of Ga. v. Peacock, 315 Ga. App. 573, 573 (726 SE2d 577) (2012) (citations and punctuation omitted). The trial court found the following facts in his order denying class certification. Ridgeview is a private hospital that treats individuals with substance abuse and mental health issues. John Doe was hospitalized at Ridgeview. Ridgeview creates and maintains a number of records relating to the hospitalization and treatment of each patient. Those records include the patient’s clinical record as well as documents that reference the patient and his stay, such as housekeeping reports; discharge calendars; and patient census reports, which include information identifying each patient on a hospital floor. Pursuant to its obligations under state and federal law to keep confidential all documents that reference patients in an identifiable way, Ridgeview adopted written privacy policies. These policies limited the access of non-medical staff to private health information, stating that Ridgeview “providers, staff, and others responsible for assessing and treating the patient have full access to medical information. All other [Ridgeview] staff are on a need-to-know basis in order to perform their job function.” The policies also provided that Ridgeview “will not disclose medical information for purposes other than treatment, payment, or healthcare operations except as otherwise permitted or required by law without authorization from the patient.” Ridgeview entered confidentiality agreements with its employees that required them to maintain the confidentiality of patient records and communicated its confidentiality polices to its patients upon their admission. Rhonda Rithmire was Ridgeview’s director of plant operations. Ridgeview allowed Rithmire to automatically forward all of her emails to her personal email account, so she had a personal copy of every record emailed to her and every record that she emailed to someone else. She had substantial access to patient information related to her job responsibilities, including discharge summaries and census reports, which contained the names of patients, their biographical information and admission dates, and the names of their treating physicians. She also had access to information that had no relationship to her job responsibilities, including significant, sensitive medical information. At some point, Rithmire concluded that Ridgeview was behaving wrongfully in a number of circumstances and she collected documents that she believed demonstrated Ridgeview’s wrongdoing. Ridgeview terminated Rithmire for reasons unrelated to confidentiality or her collection of documents. After she was terminated, Rithmire provided 10,000 documents — including documents related to Doe — to an attorney representing a plaintiff in an unrelated wrongful death action against Ridgeview. The documents included the records she had collected as well as emails and documents that had been sent to her personal email under her email forwarding rule. The documents Rithmire gave to the attorney included the private health information of 1,415 adult patients. The types of individual patient information varied widely. The information released about Doe was contained entirely on discharge summaries and census reports; it included his name, room number, patient number, admission date, age, gender, marital status, and treating physician. None of his diagnoses or treatment information was released. The information released about some other patients was much more sensitive and included peer-reviewed medical files, diagnoses, and medical procedures. Of the 1,415 patients whose information was disclosed, 527 had more information revealed than Doe. The attorney who received the documents from Rithmire made them available to individuals in his law firm and disseminated some of them to expert witnesses and attorneys involved in another wrongful death case. When Ridgeview learned of Rithmire’s disclosures, it sent form letters to the affected patients. The letters broadly identified the type of information that had been disclosed, and at times, was over inclusive in that some patients were incorrectly told that their social security numbers had been revealed, and many patients were incorrectly told that their “treatment information” had been revealed “which may include treating physicians medical procedures, prescriptions, lab, and/or test results.” All of the letters advised the patients to “remain vigilant” in protecting their personal information and to “report any suspicious activity to the credit bureaus.” Doe’s letter stated that the disclosure exposed his “name, date of birth, treatment information, treating or referring physician or facility, and patient ID.” The receipt of this letter caused Doe significant anxiety and mental distress. Doe filed a putative class action complaint against Vest Monroe, LLC, the owner of Ridgeview; US HealthVest, LLC, of which Vest Monroe is a wholly owned subsidiary; and Amy Alexander, the CEO of Ridgeview. He alleged breach of an express and an implied contract; unjust enrichment; negligence; negligence per se; negligent misrepresentation; common law invasion of privacy; breach of confidentiality and confidential relations; and violation of Georgia’s Uniform Deceptive Trade Practices Act.[1] He sought damages, injunctive relief, and attorney fees. Doe moved for class certification. He sought to certify as the class: All persons who were adult patients of Ridgeview Institute Monroe (“RIM”) and whose clinical records containing their protected health information were improperly disclosed to third parties without their consent or authorization in the incident described in the notice posted on RIM’s website (titled “A Notice to Our Patients”), attached as Exhibit “A” to Plaintiff’s Second Amended Class Complaint. The trial court denied class certification. It did not address each of the counts in Doe’s complaint separately, but ruled generally that Doe had not satisfied the requirements for pursuing a class action. Doe filed this appeal. 2. Analysis. “[Doe has] the burden of establishing [his] right to class certification in the trial court, and we review the trial court’s decision in certifying a class action for abuse of discretion.” Doctors Hosp. Surgery Center v. Webb, 307 Ga. App. 44, 45 (704 SE2d 185) (2010). “When necessary, we look to federal as well as Georgia case law for guidance concerning the propriety of a class certification.” Rite Aid of Ga., 315 Ga. App. at 574 (1) (citation omitted). See also GeorgiaPacific Consumer Products v. Ratner, 295 Ga. 524, 526 n. 3 (1) (762 SE2d 419) (2014) (“Many provisions of OCGA § 9-11-23 were borrowed from Federal Rule of Civil Procedure 23, and for this reason, when Georgia courts interpret and apply OCGA § 9-11-23, they commonly look to decisions of the federal courts interpreting and applying Rule 23.”). In Georgia, a class may be certified for class action litigation upon a finding that: (1) The class is so numerous that joinder of all members is impracticable; (2) There are questions of law or fact common to the class; (3) The claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) The representative parties will fairly and adequately protect the interests of the class. OCGA § 91123 (a). “If the plaintiff can satisfy the numerosity, commonality, typicality, and adequacy of representation factors of OCGA § 91123 (a), [he] must then satisfy at least one of the three requirements of OCGA § 91123 (b). . . .” Bowden v. Medical Ctr., 309 Ga. 188, 193194 (1) (b) (845 SE2d 555) (2020). Those requirements are that (1) the prosecution of separate actions would create a risk of inconsistent adjudications or would impair other parties’ ability to protect their interests; (2) the defendant has acted or refused to act on grounds generally applicable to the class, thereby making appropriate final injunctive relief or declaratory relief with respect to the whole class; or (3) questions of law or fact common to members of the class predominate over any questions affecting only individual members, and a class action is superior to other available methods for the fair and efficient adjudication of the controversy American Debt Foundation v. Hodzic, 312 Ga. App. 806, 808 (720 SE2d 283) (2011) (citations and punctuation omitted). The trial court held that Doe had not satisfied all four of the threshold requirements set out at OCGA § 9-11-23 (a). The court held that Doe had established numerosity and that Doe and his counsel were “not inadequate.” But he held that Doe had not established that there are sufficient questions of law or fact common to the class or that his claims are typical of the claims of the class. Doe, the court found, is not truly representative of the claims of some of the proposed class members because his claims are fundamentally different than theirs. The court did not reach Doe’s assertion that he had satisfied the requirements of OCGA § 9-11-23 (b) (3). (a) Commonality. Doe argues that the trial court abused his discretion in holding that he had not established commonality. We agree. “To demonstrate commonality, the plaintiffs’ ‘claims must depend on a common contention’ of such a nature that it is capable of classwide resolution — which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke.’” Young v. Nationwide Mut. Ins. Co., 693 F3d 532, 542 (II) (B) (2) (b) (6th Cir. 2012) (quoting WalMart Stores v. Dukes, 564 U. S. 338, 350 (II) (A) (131 SCt 2541, 180 LE2d 374) (2011)) (punctuation omitted). A plaintiff must meet a “relatively low bar” to establish commonality. Baker v. State Farm Mut. Auto. Ins. Co., 2114197, 2022 WL 3452469, at *3 (IV) (11th Cir. Aug. 18, 2022). “[F]or purposes of Rule 23 (a) (2) even a single common question will do.” Dukes, 564 U. S. at 359 (II) (C) (citations and punctuation omitted).”[T]he focus of the commonality inquiry is not on the strength of each plaintiff’s claim, but instead is on whether the defendant’s conduct was common as to all of the class members.” Rodriguez v. Nat. City Bank, 726 F3d 372, 382 (III) (B) (3d Cir. 2013) (citations and punctuation omitted). The trial court held that Doe failed to demonstrate commonality for two reasons, both focused on the nature of the disclosed documents. First, the court noted, Rithmire was entitled to receive some of the records she disclosed but she was not entitled to receive others. Second, the court noted, some of the proposed class members had aspects of their clinical file — including diagnosis, treatment, and privileged communications — disclosed while others had only biographical information and the fact of their hospitalization disclosed. The trial court’s first reason does not defeat commonality. Doe alleges that Ridgeview’s policies and practices allowed Rithmire to access all of the records, whether or not she was entitled to do so. And those policies and practices, according to Doe, ultimately enabled Rithmire to turn over, without the patients’ consent, all of the documents to the attorney in the wrongful death case. For example, Ridgeview allowed Rithmire to send all records — even if she was not entitled to access them — to her personal email. And it failed to ensure that the documents were removed from her personal email account and personal devices once Rithmire was terminated. Whether Rithmire rightfully or wrongfully accessed the documents, it is undisputed that she was not authorized to disclose them to the attorney. Nor does the second reason defeat commonality. The trial court held that all of the information Rithmire disclosed was protected by Georgia and federal law.[2] But the court nonetheless concluded that because some proposed class members had their clinical files disclosed while others had only biographical information and the fact of their hospitalization disclosed, Doe had not shown commonality. That plaintiffs had different kinds of documents disclosed does not defeat commonality. In spite of the differences in the kinds of documents and the different laws that may have protected them, a common question of fact central to the validity of each class member’s claim is whether Ridgeview’s policies and procedures enabled Rithmire to disclose, without the class members’ consent, documents — all of which were protected by law — containing information identifying them as patients of a psychiatric and drug-treatment facility. In other words, Doe alleges that Ridgeview’s “conduct was common as to all of the class members.” Rodriguez, 726 F3d at 382 (III) (B) (citations and punctuation omitted). [T]he principal requirement of WalMart[, 564 U. S. at 338,] is merely a single common contention that enables the class action to generate common answers apt to drive the resolution of the litigation. These common answers may indeed relate to the injurious effects experienced by the class members, but they may also relate to the defendant’s injurious conduct. Even a single common question will do. In re Deepwater Horizon, 739 F3d 790, 811 (IV) (A) (5th Cir. 2014) (citations and punctuation omitted). Although the differences in the kinds of documents disclosed may differentiate the plaintiffs’ damages, “no matter how individualized the issue of damages may be, determination of damages may be reserved for individual treatment with the question of liability tried as a class action.” Glazer v. Whirlpool Corp., 722 F3d 838, 854 (III) (B) (3) (b) (6th Cir. 2013) (citations and punctuation omitted). “[T]he legal requirement that class members have all suffered the same injury can be satisfied by an instance of the defendant’s injurious conduct, even when the resulting injurious effects — the damages — are diverse.” In re Deepwater Horizon, 739 F3d at 810-811 (IV) (A) (punctuation omitted). Cf. Doctors Hosp. Surgery Center, 307 Ga. App. at 47-48 (2) (holding that plaintiff failed to satisfy OCGA § 91123 (b) (3), which requires that common questions predominate over individual questions, because the plaintiffs’ claim as pled included “highly personalized injuries including anxiety [and] emotional distress”). Doe has met the “low hurdle” of proving commonality under OCGA § 9-11-23 (a) (2). Williams v. Mohawk Indus., 568 F3d 1350, 1356 (III) (A) (11th Cir. 2009). (b) Typicality. Doe argues that the trial court abused his discretion in holding that Doe had not established typicality. We agree. The typicality requirement of OCGA § 91123 (a) (3) is satisfied upon a showing that the defendant committed the same unlawful acts in the same method against an entire class. Thus, typicality measures whether a sufficient nexus exists between the claims of the named representatives and those of the class at large. A sufficient nexus is established if the claims or defenses of the class and the class representatives arise from the same event or pattern or practice and are based on the same legal theory. Brenntag Mid South v. Smart, 308 Ga. App. 899, 904 (2) (a) (iii) (710 SE2d 569) (2011) (citations and punctuation omitted). “The typicality test centers on whether other members have the same or similar injury, whether the action is based on conduct which is not unique to the named class plaintiffs, and whether other class members have been injured by the same course of conduct. This test is not demanding . . . .” Atlanta Postal Credit Union v. Holiday, 367 Ga. App. 168, 182 (2) (c) (885 SE2d 196) (2023) (citation and punctuation omitted). The trial court held that Doe failed to satisfy the typicality requirement for one of the same reasons that the court found a lack of commonality: “the claims of Doe do not represent the claims of all of the proposed class members because some of them have had clinical information revealed where he has not.” And for the same reason we disagree with this holding on commonality, we disagree with this holding on typicality. Doe, like all of the proposed class members, allegedly was injured by Ridgeview’s policies and procedures that enabled Rithmire to disclose, without his consent, his legally protected documents containing information identifying him as a patient of a Ridgeview. The asserted claims of both Doe and the putative class arise from the same alleged events and are based on the same legal theories. Doe has established a sufficient nexus between his claims and the claims of the class, Brenntag Mid South, 308 Ga. App. at 904 (2) (a) (iii), and the undemanding typicality requirement of OCGA § 91123 (a) (3) has been satisfied. To the extent the trial court ruled that Doe had not shown adequacy under OCGA § 9-11-23 (a) (4), he based that ruling on the same rationale and such ruling is likewise reversed. Judgment reversed. Barnes, P. J. and McFadden concur. Brown, J. dissents. Brown, Judge, dissenting. I respectfully dissent because I would conclude that the trial court did not abuse its discretion in finding that Doe failed to carry his burden of establishing commonality. See, e.g., Rite Aid of Ga. v. Peacock, 315 Ga. App. 573, 578 (1) (a) (ii) (726 SE2d 577) (2012) (reversing trial court’s certification of class action and noting that “cases [involving the unauthorized disclosure of medical information] are bound to turn on individual rather than common questions”); Doctors Hosp. Surgery Center v. Webb, 307 Ga. App. 44, 48 (1) (704 SE2d 185) (2010) (“The qualitative analysis necessary to show liability for injuries such as . . . anxiety[ ] and emotional distress demonstrates that common questions vital to proving causation must be answered on a highly individualized basis.”). Accordingly, I would affirm the trial court’s decision to deny class certification.