IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF IOWA
EASTERN DIVISION

IVAN BERRY, individually and on behalf of all others similarly situated,
Plaintiff,
vs.
CRESCENT COMMUNITY HEALTH CENTER,
Defendant.

No. 24-CV-1036-CJW-KEM

MEMORANDUM OPINION AND ORDER

____________________

This matter is before the Court on Crescent Community Health Center’s (“defendant”) Motion to Dismiss Complaint. (Doc. 16). Ivan Berry (“plaintiff”) filed a resistance (Doc. 20) and defendant filed a reply (Doc. 21). On March 27, 2025, the Court heard oral argument on the motion. (Doc. 23). For the following reasons, the Court grants defendant’s motion. (Doc. 16).

I. BACKGROUND1

This action involves an alleged data breach. Plaintiff is an individual who lives in Chicago, Illinois. (Doc. 1, at 4). Defendant is a non-profit organization located in Dubuque, Iowa, who provides healthcare services to the local community. See (id.). On or about December 15, 2023, defendant discovered that hackers had gained access to one of defendant’s email systems (the “hack” or “breach”). (Id., at 1–2). The information held by defendant in its computer systems at the time of the breach included unencrypted information about plaintiff, including his name, address, date of birth, driver’s license number, medical information, social security number, and financial account information (“PII”). (Id., at 2). After further investigation, defendant determined that the hack occurred several days earlier, likely sometime between December 10 and December 13, 2023. (Id.).

1 The facts are generally taken from plaintiff’s complaint. (Doc. 1). Of course, these are only allegations at this stage.

Several months later, defendant posted a notice of the breach on its website. (Id.). In relevant part, the notice on defendant’s website stated:

The elements of personal information that may have been impacted as a result of this incident varies per individual and potentially included: names, addresses, dates of birth, driver’s license/Government ID numbers, medical information and health insurance information. Additionally, for a limited number of individuals, the impacted information may have also included their Social Security numbers, financial account information, payment card information, passport information, biometric information, IRS pin numbers, and/or usernames and passwords.

(Id.). Defendant also sent notification letters to individuals who may have been affected by the breach. (Id.; Doc. 1-1, at 1). Plaintiff received one of the letters. (Id.). The letter plaintiff received stated that plaintiff’s date of birth, Social Security number, medical information, health insurance information, and treatment cost information “may have been impacted” by the breach, but that after a comprehensive review by an outside firm there was no evidence any of plaintiff’s personal information had been or will be misused. (Doc. 1-1, at 1).

Plaintiff alleges that he provided his private information to defendant as a condition of receiving medical and healthcare services from defendant and that defendant retained plaintiff’s private information in its system at the time of the data breach. (Doc. 1, at 18).
Plaintiff also alleges that his private information was compromised in the breach and stolen by cybercriminals who illegally accessed defendant’s network. (Id.).

Plaintiff alleges the breach injured him in several different ways, including lost time mitigating the risk of identity theft and fraud, the cost of credit monitoring, increased spam calls, stress and anxiety, and invasion of privacy. Plaintiff also alleges the breach caused him to suffer a heightened risk of harm because his data could be used to commit fraud or identity theft at any time in the future. (Id., at 14).

Throughout his complaint plaintiff also alleges the breach was a result of defendant’s inadequate cybersecurity practices. Plaintiff generally alleges cybersecurity best practices and standards and alleges defendant did not adhere to those practices. As a result, plaintiff brings five claims against defendant on behalf of himself and others similarly situated. First, in Count I plaintiff brings a claim for negligence and negligence per se. (Id., at 23–26). In Count II, plaintiff brings a claim for breach of an implied contract. (Id., at 26–27). Count III alleges a claim for unjust enrichment. (Id., at 28). Count IV asserts a claim for breach of bailment (Id., at 29) and in Count V plaintiff asserts a claim for invasion of privacy (Id., at 29–31). Defendant moves to dismiss all the claims under Federal Rule of Civil Procedure 12(b)(1), and in the alternative, Rule 12(b)(6). (Doc. 16).

II. MOTION TO DISMISS UNDER RULE 12(B)(1)

Defendant first moves to dismiss plaintiff’s complaint for lack of standing under Federal Rule of Civil Procedure 12(b)(1).

A. Rule 12(b)(1) Standard

Federal courts may only hear cases that fall within their limited subject matter jurisdiction. N. Cent. F.S., Inc. v. Brown, 951 F. Supp. 1383, 1391–92 (N.D. Iowa 1996).
Under Federal Rule of Civil Procedure 12(b)(1), a defendant may move to dismiss a complaint based on a “lack of subject-matter jurisdiction.” The plaintiff bears the burden of proving subject matter jurisdiction by a preponderance of the evidence. V S Ltd. P’ship v. Dep’t of Hous. & Urb. Dev., 235 F.3d 1109, 1112 (8th Cir. 2000) (citation omitted); Thome v. Sayer L. Grp., P.C., 567 F. Supp. 3d 1057, 1063 (N.D. Iowa 2021). A defendant can either attack the complaint’s asserted jurisdictional basis on its face or the factual basis underlying the pleadings. In a facial attack, the non-moving party receives the same protections as it would defending against a motion brought under Rule 12(b)(6). Osborn v. United States, 918 F.2d 724, 729 n.6 (8th Cir. 1990) (citations omitted). In such cases, the court must “accept as true all factual allegations in the complaint,” Stalley v. Catholic Health Initiatives, 509 F.3d 517, 521 (8th Cir. 2007), and should not dismiss the complaint “unless it appears beyond doubt that the plaintiff can prove no set of facts in support of [their] claim which would entitle [them] to relief.” Osborn, 918 F.2d at 729 n.6 (citation and internal quotation marks omitted). By contrast, “[i]n a factual attack, the court considers matters outside the pleadings, and the non-moving party does not have the benefit of 12(b)(6) safeguards.” Id. (citations omitted). In such cases, “the trial court is free to weigh the evidence and satisfy itself as to the existence of its power to hear the case” and “no presumptive truthfulness attaches to the plaintiff’s allegations[.]” Id. at 730 (quoting Mortensen v. First Fed. Sav. & Loan Ass’n, 549 F.2d 884, 891 (3d Cir. 1977)).

Under Article III of the United States Constitution, federal courts have jurisdiction to hear only cases or controversies. Hillesheim v. O.J’s Cafe, Inc., 968 F.3d 866, 868 (8th Cir. 2020) (per curiam). As the Supreme Court reiterated in DaimlerChrysler Corp. v.
Cuno:

A case in law or equity, Marshall remarked, was a term of limited signification. It was a controversy between parties which had taken a shape for judicial decision. If the judicial power extended to every question under the constitution it would involve almost every subject proper for legislative discussion and decision; if to every question under the laws and treaties of the United States it would involve almost every subject on which the executive could act. The division of power among the branches of government could exist no longer, and the other departments would be swallowed up by the judiciary. 4 Papers of John Marshall 95 (C. Cullen ed. 1984).

547 U.S. 332, 341 (2006) (cleaned up). To establish a controversy, a plaintiff must demonstrate standing—that is, a “personal injury fairly traceable to the defendant’s allegedly unlawful conduct and likely to be redressed by the requested relief”—and a controversy must exist through all stages of the litigation. Id. at 342. The Supreme Court of the United States has established three elements of standing: (1) “the plaintiff must have suffered an injury in fact” which is concrete, particularized, and actual or imminent, not conjectural or hypothetical; (2) “there must be a causal connection between the injury and the conduct complained of;” and (3) “it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992) (cleaned up). An injury is “concrete” when it “actually exist[s].” Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016).

B. Discussion

1. Plaintiff’s Tort Claims (Counts I and V)

Data breach cases, by their very nature, create unique challenges relating to standing. When an unauthorized user (oftentimes called a hacker) gains access to an organization’s internal network, it is typically because they have used stealthy methods to avoid detection.
Before an organization discovers a breach, a hacker may steal information directly from the organization or may simply look around the network without taking anything. Determining what, if anything, the hackers stole can be difficult. In some cases, it is impossible to determine with certainty that information has been stolen until the confidential information appears on the dark web or is misused. This creates difficulties in determining whether an alleged data breach victim can establish an injury. On the one hand, a victim whose information has been stolen should not have to wait until the information has been misused to establish standing just because they could not prove with certainty their information was stolen during a known breach. On the other hand, an organization should not be liable to every person whose information could have been accessed during a breach if the information was never stolen or even viewed.

Courts in the Eighth Circuit and around the country have considered the standing issue in data breach cases with increased frequency. The cases that have analyzed standing in data breach cases generally fall on a continuum.

At one end of the continuum are cases where a plaintiff alleges their information only may have been stolen, the information has not been misused, and the kind of information that may have been stolen is not the type of information that is usually misused. For example, in Alleruzzo v. SuperValu, Inc. (In re SuperValu, Inc.), 870 F.3d 763 (8th Cir. 2017), a class of plaintiffs sued a grocery store chain after they received notice of two data breaches through the grocery store’s press releases. Id. at 766. The SuperValu hackers allegedly installed malicious software on the grocery store’s network that allowed them to gain access to customers’ “names, credit or debit card account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs) [collectively “Card Information”].” Id.
The grocery store’s press releases stated the breach “‘may have resulted in the theft’ of Card Information, but it had not yet been determined that ‘any such cardholder data was in fact stolen,’ and, at that point, there was ‘no evidence of any misuse of any such data.’” Id. One plaintiff had a fraudulent charge on a credit card he had used at one of the impacted grocery stores. The rest of the plaintiffs alleged they suffered a threat of future harm because their Card Information was compromised. Id. at 767–69. The Eighth Circuit found none of the plaintiffs had standing except for the plaintiff who experienced a fraudulent charge on his credit card. Id. at 771–72. The court found the plaintiffs sufficiently alleged their information was stolen because they alleged the hackers installed malware that allowed the hackers to harvest Card Information, that defendant’s security practices made that possible, that they “suffered theft” of their Card Information, and that the press releases acknowledged the data breaches “may have resulted in the theft of” Card Information. Id. at 769. The court then found the plaintiffs did not allege their Card Information was misused, but the threat of future harm can create standing if there is a substantial risk a victim will suffer identity theft later. Id. at 770. Crucially, the Card Information that was allegedly stolen did not have any personal identifying information like social security numbers or birth dates that hackers need to commit identity theft in a way that causes injury for standing purposes. Id. The court also cited government reports that show data breaches are unlikely to result in account fraud. Id. at 770–71. Thus, the court found there was no substantial risk of future harm and the plaintiffs (other than the plaintiff who experienced a fraudulent charge on his credit card) lacked standing. Id. at 771. 
At the other end of the continuum are cases where a plaintiff alleges the theft of personal identifying information, its misuse, and real harm. In Perry v. Bay & Bay Transportation Services, Inc., 650 F. Supp. 3d 743 (D. Minn. 2023), for example, the plaintiff gave defendant his PII which included his name, address, social security information, date of birth, driver’s license, and direct deposit information as part of a job application. Id. at 748. The defendant discovered unauthorized parties hacked its system, accessed files containing PII, and published the PII on the dark web. Id. The defendant notified plaintiff that his PII was compromised in the breach. Id. The plaintiff alleged he spent 3-4 hours a week dealing with the consequences of the data breach and that cyberthieves used his PII to impersonate his bank to scam him out of $500. Id. at 749. The court found plaintiff suffered a concrete injury because the PII had already been fraudulently used, was the type of PII that could be used to perpetuate fraud in the future, and the damage was fairly traceable to the defendant because it was stolen from the defendant and found on the dark web. Id. at 752–53. Many cases also fall somewhere in the middle of the continuum. See, e.g., Mackey v. Belden, Inc., No. 4:21-CV-00149-JAR, 2021 WL 3363174, at *4–6 (E.D. Mo. Aug. 3, 2021) (finding the plaintiff had standing when the plaintiff alleged she received notice that her social security number and bank account information may have been exposed in a data breach and an unauthorized individual attempted to file a tax return on her behalf using her social security number); Coffey v. OK Foods Inc., No. 2:21-CV-02200, 2022 WL 738072, at *3 (W.D. Ark. Mar. 10, 2022) (finding the plaintiff had standing when she alleged her PII, including her social security number, were accessed during a data breach and that she had been notified of several hard credit inquiries for a new line of credit that she did not initiate); Harris v. 
Mercy Health Network, Inc., No. 4:23-cv-00195-SHL-SBJ, 2024 WL 5055556, at *4–7 (S.D. Iowa June 26, 2024) (finding the plaintiffs whose social security information, birthdate, and financial account information were allegedly stolen did not have standing to bring tort claims because the complaint failed to sufficiently allege risk of potential harm or costs undertaken to address the risk of future harm).

Here, plaintiff’s case also lands somewhere in the middle of the continuum. Plaintiff alleges he has already been injured in several different ways (his “present injuries”), including: 1) loss of time to mitigate risk of identity theft and fraud; 2) cost of credit monitoring; 3) increased spam calls; 4) stress and anxiety; and 5) invasion of privacy. Plaintiff also alleges he is suffering a threat of future imminent harm (his “future injuries”) because his data could be used by criminals to perpetuate identity theft or fraud at any time. Plaintiff concludes hackers accessed his PII, but he does not allege specific facts that definitively show his PII was taken in the breach.

As to plaintiff’s allegations of present injuries, courts have found time lost resolving data breach issues can be a present injury. See SuperValu, 870 F.3d at 774 (citing Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016)). Plaintiff’s allegation of lost time is thin. He alleges that he has spent, or will spend time in the future, doing things to remedy the harms from the data breach, including contacting credit bureaus, changing passwords, and checking his financial statements. (Doc. 1, at 16). Plaintiff has not alleged how much time he has spent on this, or how much time he expects he will have to spend on it in the future. Although it is certainly possible plaintiff will spend time monitoring his credit more than he normally would due to this breach, his assertion that this is the case sounds conclusory, not factual.
Still, the Court finds plaintiff has plausibly alleged a lost time injury, if barely so.

Courts have also found that costs of credit monitoring are cognizable injuries. See In re Netgain Tech., LLC, No. 21-cv-1210 (SRN/LIB), 2022 WL 1810606, at *14 (D. Minn. June 2, 2022) (collecting cases). Here, plaintiff alleges that the cost of credit and identity theft monitoring can cost $200 or more per year. (Doc. 1, at 17). Plaintiff, however, has not alleged that he purchased credit monitoring protection. At best, he alleges that it is something he could buy in the future. Even though credit monitoring costs can be an injury, plaintiff has not alleged he was injured by paying credit monitoring costs here.

Plaintiff alleges he experienced “a significant increase in spam calls” after the data breach. (Doc. 1, at 18). He provides no further facts about the subject matter of the calls, or assertions that the callers used his PII during the calls. Courts in the Eighth Circuit have also found increased spam phone calls can qualify as an injury in a data breach case. Baldwin v. Nat’l W. Life Ins. Co., No. 2:21-CV-04066-WJE, 2021 WL 4206736, at *4 (W.D. Mo. Sept. 15, 2021); Rodriguez v. Mena Hospital Comm., No. 2:23-cv-2002, 2023 WL 7198441, at *6 (W.D. Ark. Nov. 1, 2023). The Court agrees increased spam phone calls and emails can be an injury in certain situations and the Court finds plaintiff has alleged an increase in spam calls here. Plaintiff has not alleged facts, however, that would allow the inference to be drawn that the spam calls he received have anything to do with the data breach. Plaintiff has not alleged that his phone number was included in the data breach, nor has he alleged facts that would tend to show that his phone number was stolen from defendant as opposed to some other source. Unfortunately, the public is subject to many spam calls.
Absent some fact alleged about these spam calls that would link them to the data breach, it is pure speculation that the calls are tied in any way to the data breach. To establish an injury in fact, a plaintiff must allege that the injury is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560.

Plaintiff has also alleged stress, anxiety, and loss of privacy as injuries in fact. Courts in the Eighth Circuit have found stress and anxiety and invasion of privacy can be concrete injuries in data breach cases. See In re Pawn Am. Consumer Data Breach Litig., Case No. 21-CV-2554 (PJS/JFD), 2022 WL 3159874, at *4 (D. Minn. Aug. 8, 2022).

As for future injury, plaintiff alleges that because his PII was taken, he “suffered imminent and impending injury from the substantially increased risk of fraud, identity theft, and misuse resulting from his Private Information.” (Doc. 1, at 18). Cases on both ends of the continuum agree PII like the type that was alleged to have been stolen here—social security numbers, date of birth, etc.—is the type of PII that can create a threat of imminent harm when it is obtained in a data breach. See SuperValu, 870 F.3d at 770 (finding “[t]he type of data compromised in a breach can effectively determine the potential harm that can result” and indicating stolen “social security numbers, birth dates, or driver’s license numbers” might cause imminent harm); Perry, 650 F. Supp. 3d at 751 (“[H]ere the compromised PI included information such as social security numbers, which could ostensibly result in opening unauthorized accounts.”). Information like social security numbers and birth dates make it more likely that the PII will be used for fraud. Unlike SuperValu, this case involves the type of PII that makes it easier to engage in fraud such that the Court finds there is an imminent future threat that constitutes an injury.
Thus, plaintiff has alleged a future injury and some present injuries.

Although plaintiff has alleged some actual and future injuries, the issue is plaintiff has not alleged facts showing those injuries are fairly traceable to defendant’s conduct. Wilson v. J.B. Hunt Transp., Inc., No. 5:21-CV-5194, 2022 WL 20273042, at *6 (W.D. Ark. Oct. 6, 2022) (“In other words, it is not enough for [plaintiffs] to simply allege they suffered actual injuries related to the misuse of their PII. They must also allege facts to plausibly show that these injuries are ‘fairly traceable’ to [defendant’s] acts or omissions.”). To find plaintiff has standing based on these alleged facts would be akin to granting standing to any plaintiff any time they allege a data breach where it was possible that the hackers may have accessed their PII, without a showing the hackers actually viewed, let alone took or used, the PII. This strikes the Court as conjectural or hypothetical injury, not real and concrete injury.

Even if plaintiff sufficiently alleged his information was accessed during the breach, plaintiff has not alleged facts showing the information was accessed due to defendant’s acts or omissions.2 Specifically, there are no facts that defendant’s conduct caused the data breach. Plaintiff alleges best practices and minimum standards that are recommended to prevent data breaches by various groups. See, e.g., (Doc. 1, at 13).
Plaintiff then concludes that defendant did not follow these practices because a breach occurred. (Id., at 13–14). In other words, plaintiff asserts that the breach itself shows defendant failed to act reasonably to protect the PII. That is all he alleges. This is an ipso facto argument. It does not follow that a data breach means defendant was at fault. Companies may employ the most state-of-the-art practices and standards and yet hackers are still able to breach the protective measures. Simply because a breach occurred does not mean that it necessarily follows that defendant did anything wrong. Plaintiff does not point to any of defendant’s specific practices that allowed a hacker to access its system. A statement that defendant’s actions must have caused harm because harm resulted is an insufficient conclusion not based on any factual allegations.

2 The Court is skeptical plaintiff sufficiently alleged the hackers accessed his PII. Plaintiff alleges that he received a letter informing him that some personal information “may have been impacted” during the hack and “for a limited number” of individuals the impacted information “may have also included” more sensitive information like social security numbers. (Doc. 1, at 2). Plaintiff then concludes his “Private Information was compromised in the Data Breach and stolen by cybercriminals who illegally accessed Defendant’s network for the specific purpose of targeting Private Information.” In SuperValu, the Court found the grocery store’s notice, combined with allegations that plaintiffs “suffered theft,” defendant’s practices “made possible the theft,” and that the hackers had installed malware on defendant’s system was enough to allege the PII was taken. 870 F.3d at 769. Although the Court finds plaintiff’s allegations to be thin and conclusory, under SuperValu they likely sufficiently allege the hackers accessed his PII.
The same is true for plaintiff’s allegations that defendant did not timely notify plaintiff of the breach. Plaintiff concludes that because it took defendant too long to discover the breach and too long to notify plaintiff of the breach, defendant had inadequate security measures. (Id., at 3). These are conclusory allegations, not factual allegations. Conclusory allegations hold no weight in the analysis of a motion to dismiss. In short, plaintiff failed to allege any facts, including “the nature of any assertedly reasonable, appropriate, obligatory, sufficient and/or adequate action [defendant] failed to take” to support his conclusory allegations. See Anderson v. Kimpton Hotel & Rest. Grp., LLC, Case No. 19-cv-01860-MMC, 2019 WL 3753308, at *4 (N.D. Cal. Aug. 8, 2019). Thus, because plaintiff’s injuries are not fairly traceable to defendant’s conduct, he does not have standing to pursue his tort claims (Counts I and V).

2. Plaintiff’s Contract Claims (Counts II, III, and IV)

Plaintiff’s complaint also asserts claims for breach of implied contract (Count II), unjust enrichment (Count III), and breach of bailment (Count IV).3
The requirements to establish standing for contract related claims in data breach cases are distinct from the requirements for tort claims. Kuhns v. Scottrade, Inc., 868 F.3d 711, 716 (8th Cir. 2017); see also Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (8th Cir. 2016); Harris, 2024 WL 5055556 at *8. In Kuhns, the Eighth Circuit explained that “a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.” 868 F.3d at 716 (quoting GameStop, Inc., 833 F.3d at 909). The Court found plaintiff’s allegations that he paid fees defendant was contractually obligated to use for security purposes, but that defendant breached its obligations when it failed to provide adequate security, were enough to establish standing for plaintiff’s contract and contract related claims. Id.

Here, plaintiff’s allegations of an implied contract are limited. He alleges he conferred a monetary benefit on defendant when he gave defendant his private information. (Doc. 1, at 27). In exchange, plaintiff alleges defendant implicitly agreed that it would protect and secure the private information, which did not happen. (Id.). In short, plaintiff alleges he did not receive a benefit in return for the benefit he conferred on defendant. (Id.). Regardless of the merits of plaintiff’s breach of contract claim, plaintiff’s allegations support his standing on his breach of contract and related claims. See Harris, 2024 WL 5055556 at *8. The merits of the contract claims are discussed below.

3 Bailments are a unique beast that are a “meld of contract and tort law[.]” In re Estate of Martin, No. 11-0690, 2012 WL 1431490, at *4 (Iowa Ct. App. Apr. 25, 2012). “A bailment denotes delivery of personalty by one person . . . to another . . . for a specific purpose beneficial to bailee or bailor or both, upon a contract, express or implied, that the conditions shall be faithfully executed . . ..” Id. “Generally, ‘the bailment contract is governed by the same rules of law that govern other contracts.’” Id. (quoting 8A Am. Jur. 2d Bailments § 29, at 553 (2009)). Thus, even though bailment actions have similarities to tort actions, the Court will treat the bailment action as a contract action here.

III. MOTION TO DISMISS UNDER RULE 12(B)(6)

Defendant alternatively moves to dismiss plaintiff’s complaint for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). (Doc. 16). The Court has already found plaintiff does not have standing to pursue his tort claims, so the Court will only discuss the contract related claims here.

A. Rule 12(b)(6) Standard

A complaint filed in federal court must contain a “short and plain statement of the claim showing that the pleader is entitled to relief[.]” Fed. R. Civ. P. 8(a)(2). Rule 8 does not require “detailed factual allegations.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). Nevertheless, it “demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A complaint that relies on “naked assertion[s]” devoid of “further factual enhancement,” “labels and conclusions,” or “a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555, 557.

Before filing an answer, a defendant may move to dismiss a complaint for “failure to state a claim upon which relief can be granted” under Federal Rule of Civil Procedure 12(b)(6). To survive a motion to dismiss under Rule 12(b)(6), “a complaint must contain sufficient factual matter . . . to ‘state a claim to relief that is plausible on its face.’” Iqbal, 556 U.S. at 678 (further citation omitted).
“[W]hen ruling on a defendant’s motion to dismiss, a judge must accept as true all of the factual allegations contained in the complaint.” Erickson v. Pardus, 551 U.S. 89, 94 (2007). “The Court must also grant all reasonable inferences from the pleadings in favor of the nonmoving party.” Hotchkiss v. Cedar Rapids Cmty. Sch. Dist., No. 23-CV-33-CJW-MAR, 2023 WL 6163487, at *2 (N.D. Iowa Sept. 21, 2023) (quotations and citation omitted). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. Plausibility is not equivalent to probability, but it is something “more than a sheer possibility that a defendant has acted unlawfully.” Id. “The question . . . is not whether [a plaintiff] might at some later stage be able to prove [its claims]; the question is whether [a plaintiff] has adequately asserted facts (as contrasted with naked legal conclusions) to support his claims.” Whitney v. Guys, Inc., 700 F.3d 1118, 1129 (8th Cir. 2012).

“When ruling on a motion to dismiss under Rule 12(b)(6), the court is limited in what it may consider.” Hotchkiss, 2023 WL 6163487, at *3. The court may not consider matters outside the pleadings when ruling on a motion to dismiss. BJC Health Sys. v. Columbia Cas. Co., 348 F.3d 685, 687 (8th Cir. 2003). “Documents [that are] necessarily embraced by the complaint” are not considered outside the pleading. Ashanti v. City of Golden Valley, 666 F.3d 1148, 1151 (8th Cir. 2012). A document is necessarily embraced by the pleadings if its “contents are alleged in a complaint and [its] authenticity no party questions, [even if the documents] are not physically attached to the pleading.” Id.

B. Discussion

The Court has already found plaintiff does not have standing on his tort claims, but he does on his contract and contract related claims.
The Court will thus evaluate plaintiff’s breach of contract and contract related claims under Rule 12(b)(6).

1. Breach of Implied Contract

Plaintiff next brings a claim for breach of implied contract. To prevail on a breach of contract claim under Iowa law, a plaintiff must show: (1) the existence of a contract; (2) the terms and conditions of the contract; (3) that it has performed all the terms and conditions required under the contract; (4) the defendant’s breach of the contract in some particular way; and (5) that plaintiff has suffered damages as a result of the breach. Molo Oil Co. v. River City Ford Truck Sales, Inc., 578 N.W.2d 222, 224 (Iowa 1998). “[T]he contract terms must be sufficiently definite for the court to determine the duty of each party and the conditions of performance.” Royal Indem. Co. v. Factory Mut. Ins. Co., 786 N.W.2d 839, 846 (Iowa 2010). Further, a contract can be expressed in words or implied from conduct. Ringland-Johnson-Crowley Co. v. First Cent. Serv. Corp., 255 N.W.2d 149, 152 (Iowa 1977).

In the Eighth Circuit, to successfully bring a breach of implied contract claim in a data breach case, a plaintiff must also allege “that the defendant promised to protect the specific piece of data the plaintiffs assert was accessed” and “even if the implied contract covers the specific data, the plaintiff must allege something beyond a mere implicit promise to protect it from unauthorized use or comply with data security laws.” Harris, 2024 WL 5055556 at *11 (citing GameStop, Inc., 833 F.3d at 911 and Kuhns, 868 F.3d at 717). “In other words, the plaintiff must identify the actions (e.g., security measures or procedures) the defendant could have employed to prevent the breach.” Id. (citing Kuhns, 868 F.3d at 717).
“The implied premise that because data was hacked [defendant’s] protections must have been inadequate is a naked assertion devoid of further factual enhancement that cannot survive a motion to dismiss.” Kuhns, 868 F.3d at 717–18 (internal quotations and alteration omitted). As discussed, plaintiff alleges he conferred a monetary benefit on defendant when he gave defendant his private information. (Doc. 1, at 27). Plaintiff’s allegation is not entirely clear, but the Court understands plaintiff to allege he provided defendant with money and his PII in exchange for medical services. Implicit in the agreement was that defendant would protect and secure his PII. (Id.). In short, plaintiff alleges he did not receive a benefit in return for the benefit he conferred on defendant. (Id.). Plaintiff’s complaint fails to state a breach of implied contract. First, plaintiff does not allege sufficiently definite contract terms defendant breached. See Royal Indem. Co., 786 N.W.2d at 846. As the basis of its breach of implied contract claim plaintiff generally alleges that “defendant made promises and representations to Plaintiff . . . that their Private Information would be kept safe and confidential, and that the privacy of that information would be maintained.” (Doc. 1, at 5). Plaintiff also alleges that defendant “implicitly agreed to” provide adequate data security in exchange for plaintiff turning over his PII. (Id., at 27). These allegations say nothing about the terms of the contract or what defendant would do to protect the PII. Indeed, plaintiff’s allegations do not allege anything beyond a mere implicit promise to protect the data from unauthorized use or to comply with data security laws, which is insufficient. Kuhns, 868 F.3d at 717; see also Konchar v. 
Pins, 989 N.W.2d 150, 158 (Iowa 2023) (“For a contract to be enforceable, its ‘terms must be sufficiently definite for the court to determine the duty of each party and the conditions of performance.’”) (quoting Royal Indem. Co., 786 N.W.2d at 846). Further, plaintiff does not allege how defendant breached the implied contract. Plaintiff’s allegations that the data breach is evidence defendant failed to properly protect the PII amount to nothing more than a claim that defendant’s protections must have been inadequate because there was a hack. Under Kuhns, this is insufficient. Kuhns, 868 F.3d at 717–18. Plaintiff also alleges some best practices institutions should implement to protect PII and minimum recommended standards to protect PII. (Doc. 1, at 13–14). Plaintiff, however, does not allege which specific best practices and minimum standards defendant failed to implement, which failure caused the breach, or which additional feature would have prevented the breach. The same can be said for plaintiff’s claim that defendant’s delay in notification means there were inadequate procedures in place. Plaintiff’s allegations are conclusory, simply stating that because there was a delay, there must have been something wrong. Also, plaintiff’s allegations that defendant violated HIPAA and the Iowa Code do not bolster plaintiff’s allegations either. The regulations involve basic data protection principles, including the importance of implementing policies to prevent data breaches, but plaintiff’s reliance on HIPAA and the Iowa Code does nothing to show that defendant had inadequate security practices. Thus, plaintiff’s allegations are insufficient to support a claim for breach of implied contract in the data breach context and the Court grants defendant’s motion to dismiss plaintiff’s breach of implied contract.

2. Unjust Enrichment

Plaintiff also brings a claim against defendant for unjust enrichment as an alternative to his breach of implied contractual duty claim. 
(Id., at 28). “Unjust enrichment is an equitable claim that arises when the plaintiff proves that ‘the defendant received a benefit that in equity belongs to the plaintiff.’” Behm v. City of Cedar Rapids, 922 N.W.2d 524, 577 (Iowa 2019) (quoting Slade v. M.L.E. Inv. Co., 566 N.W.2d 503, 506 (Iowa 1997)). Unjust enrichment includes three elements of recovery: “(1) defendant was enriched by the receipt of a benefit; (2) the enrichment was at the expense of the plaintiff; and (3) it is unjust to allow the defendant to retain the benefit under the circumstances.” State ex rel. Palmer v. Unisys Corp., 637 N.W.2d 142, 154–55 (Iowa 2001). As part of the analysis for unjust enrichment claims in data breach cases, the Eighth Circuit has also considered whether a plaintiff alleged the specific portion of plaintiff’s contribution that went toward data protection, or that defendant provided protection for paying customers that it did not provide to non-paying customers. See GameStop, Inc., 833 F.3d at 912. This factor is intended to make sure a defendant is not disgorged of a benefit it received for services it performed, but only for the benefit it received for services it did not provide. Here, there are no allegations about a specific portion of plaintiff’s contribution that went towards data protection. Plaintiff only alleges that he paid defendant in exchange for medical and healthcare services. (Doc. 1, at 28). Plaintiff does not allege that he did not receive medical or healthcare services. Plaintiff also does not allege that defendant provided protection for paying customers that it did not provide to non-paying customers. Conversely, plaintiff did not allege that he paid more for services than others who did not have to provide their PII as a condition of receiving services. In short, there are no allegations that a specific amount of his payment was used for data protection services that he did not receive. 
Plaintiff makes a single allegation that his damages are the difference in value between the value of services with reasonable data privacy and the services without reasonable data privacy. This sole allegation, however, is an allegation about damages calculation. It is not an allegation that he paid more or that defendant provided different privacy services based on how much customers paid. Thus, plaintiff fails to state a claim for unjust enrichment and the Court grants defendant’s motion on that claim.

3. Breach of Bailment

Plaintiff also brings a claim for breach of bailment. Under Iowa law, a “bailment is created upon delivery of property by one party—the bailor, to another party—the bailee for a specific purpose, beneficial to either or both, upon a contract, express or implied, that the conditions shall be faithfully executed and the property returned to the bailor.” Gosiger, Inc. v. Elliott Aviation, Inc., No. 4:13-cv-00477, 2015 WL 11070982, at *6 (S.D. Iowa Mar. 17, 2015) (citing Farmers Butter Dairy Coop. v. Farm Bureau Mut. Ins. Co., 196 N.W.2d 533, 536 (Iowa 1972)). “A bailment denotes delivery of personalty by one person . . . to another . . . for a specific purpose beneficial to bailee or bailor or both, upon a contract, express or implied, that the conditions shall be faithfully executed . . ..” In re Estate of Martin, 2012 WL 1431490, at *4. A bailment is based upon a contract, either express or implied. For the same reasons the Court granted defendant’s motion to dismiss plaintiff’s breach of implied contract claim, it also grants plaintiff’s breach of bailment claim. Specifically, plaintiff does not allege sufficiently definite terms of the bailment contract defendant breached. Plaintiff only generally alleges there was an “implied understanding” that defendant would care for the PII. These allegations say nothing about the specific terms of the contract or what defendant will do to protect the PII. 
Also, plaintiff does not allege how defendant breached the implied contract other than by stating generally that defendant did not implement reasonable cybersecurity safeguards. Under Eighth Circuit caselaw, this is not enough. Thus, the Court grants defendant’s motion to dismiss plaintiff’s Breach of Bailment claim (Count IV) under Rule 12(b)(6).

IV. CONCLUSION

For these reasons, defendant’s motion to dismiss under Rule 12(b)(1) is granted as to plaintiff’s tort claims (Counts I and V). Defendant’s motion is also granted under Rule 12(b)(6) on plaintiff’s breach of contract, unjust enrichment, and breach of bailment claims (Counts II, III, and IV). Plaintiff’s complaint is dismissed without prejudice.

IT IS SO ORDERED this 2nd day of May, 2025.

C.J. Williams, Chief Judge
United States District Court
Northern District of Iowa