Charlie v. Rehoboth McKinley Christian Health Care Services

• Court: District Court, D. New Mexico
• Decided: April 11, 2022
• Docket: 1:21-cv-00652
• Status: Unknown

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW MEXICO

ALICIA CHARLIE, LEONA GARCIA LACY, DARRELL TSOSIE, and E.H., a minor, by and through his guardian, GARY HICKS on behalf of themselves and a class of similarly situated individuals,

Plaintiffs,

v. Civ. No. 21-652 SCY/KK

REHOBOTH MCKINLEY CHRISTIAN HEALTH CARE SERVICES,

Defendant.

MEMORANDUM OPINION AND ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO DISMISS1 Plaintiffs bring this putative class action case in the wake of a ransomware cyberattack against Defendant Rehoboth McKinley Christian Health Care Services that exposed patients’ private data to cybercriminals. According to the complaint, the compromised data included personal identifying information of the Plaintiffs and putative class members. This breach allegedly increased the risk of identity fraud for Plaintiffs and putative class members. Plaintiffs claim Defendant was negligent or reckless with the data and, despite knowing of the risk of cyberattacks, Defendant failed to take adequate precautions to guard against that risk. Defendant moves to dismiss, arguing that it had no actionable duty to protect Plaintiffs’ data, that Plaintiffs fail to allege actual damages, and that most of the individual causes of action fail for various

1 Pursuant to 28 U.S.C. § 636(c), the parties consented to the undersigned to conduct all proceedings and to enter an order of judgment. Docs. 10, 11 & 12. other reasons. The Court rejects Defendant’s no-duty argument. At a minimum, it owed Plaintiffs a duty of ordinary care with respect to storing and protecting their private data. Regarding damages, Plaintiffs allege that Defendant’s failure to protect their private information has caused them to devote time to protecting and monitoring their security. Defendant has not argued that recovery

for the value of this lost time is not permitted. Lastly, the Court agrees with Defendant that the complaint does not sufficiently allege a cause of action based on affirmative misrepresentations under the Arizona Consumer Fraud Act, a breach of implied contract, or the intentional tort of intrusion into private affairs. However, Defendant’s remaining arguments directed at Plaintiffs’ various claims are unavailing and so the Court denies the balance of Defendant’s motion to dismiss. BACKGROUND Plaintiffs filed this action in state court on June 4, 2021. Class Action Complaint, Doc. 2 (“Compl.”) at 3. Defendant removed it to federal court on July 15, citing the Class Action

Fairness Act. Doc. 1 at 3. The case concerns a cybersecurity incident through which an unauthorized actor was able to access patient information and data between January 21 and February 5, 2021. Compl. ¶ 41. Defendant learned of the breach on February 16 and began notifying affected individuals on May 19. Id. ¶¶ 39, 45. The complaint brings causes of action for (1) negligence; (2) intrusion upon seclusion/invasion of privacy; (3) negligence per se; (4) breach of implied contract; (5) breach of fiduciary duty; (6) unjust enrichment; (7) violation of the New Mexico Unfair Practices Act; and (8) violation of the Arizona Consumer Fraud Act. The complaint alleges that “[a]s a result of the Data Breach, Plaintiffs and approximately 207,191 Class Members suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the unauthorized access and exfiltration of their sensitive and highly personal information.” Compl. ¶ 2 (footnote omitted). Plaintiffs allege that Defendant inadequately safeguarded their data, failed to provide timely and adequate notice of the breach, and maintained the data “in a reckless matter” so as to be “vulnerable to cyberattacks,” and that

“the mechanism of the cyberattack and potential for improper disclosure . . . was a known risk to Defendant.” Id. ¶¶ 3-4. The complaint alleges Defendant failed to follow: Federal Trade Commission (“FTC”) guidelines to protect customer data, id. ¶¶ 50-58, various industry standards, id. ¶¶ 59-63, and the Health Insurance Portability and Accountability Act (“HIPAA”), id. ¶¶ 64-68. Plaintiffs allege their “identities are now at considerable risk” because data thieves can commit future crimes using the stolen data. Id. ¶¶ 9-10. As a result, Plaintiffs have a “heightened and imminent risk of fraud and identity theft.” Id. ¶ 11. Plaintiffs “must now and in the future closely monitor their financial and medical accounts and information to guard against identity

theft” and “may also incur actual monetary costs.” Id. ¶¶ 11-12. Plaintiff Alicia Charlie “has experienced a substantial increase in suspicious scam phone calls which appear to be placed with the intent to obtain personal information to commit identity theft by way of a social engineering attack.” Id. ¶ 109. “Since being notified of the Data Breach, Plaintiff Alicia Charlie has been monitoring her accounts for fraud and dealing with the impact of the Data Breach at least three times per week.” Id. ¶ 110. “Plaintiff E.H. received a notice letter regarding the unauthorized access and breach of his confidential health information, and consequently his guardian, Gary Hicks, has to expend time and resources dealing with the impact of the Data Breach.” Id. ¶ 111. “Plaintiff Leona Garcia Lacy has begun to receive phishing calls regarding a payday loan . . . .” Id. ¶ 112. She “has spent at least 2 hours per week monitoring her accounts for fraud and dealing with the impact of the Data Breach.” Id. ¶ 113. “Plaintiff Darrell Tsosie received a notice letter regarding the unauthorized access and breach of his confidential health information, and consequently he has to expend time and resources dealing with the impact of the Data Breach.” Id. ¶ 114. All Plaintiffs “anticipate” spending time and money on an ongoing basis, “face

substantial risk of out-of-pocket fraud losses” and being targeted by “future” cybercriminal activity, and “may” incur costs for monitoring services. Id. ¶¶ 115, 119-21. “Plaintiffs and Class Members also suffered a loss of value of their Private Information when it was acquired by cyber thieves in the Data Breach.” Id. ¶ 122. Plaintiffs “live with the anxiety that their Private Information” may be publicly exposed. Id. ¶ 127. Defendant filed this motion to dismiss on August 17, 2021. Doc. 15. Defendant argues that it has no duties under state law, as the state legislature has passed a statute requiring only that companies notify their customers in the event of a data breach, which Defendant did in this case. Further, Defendant argues it has no duty to protect Plaintiffs from the criminal actions of

third-party hackers. Regarding federal statutes, Defendant asserts that the Federal Trade Commission Act (“FTCA”) and HIPAA do not create a private cause of action. Moving past the concept of duty, Defendant argues that all Plaintiffs’ claims should be dismissed because Plaintiffs do not allege actionable damages. Finally, Defendant moves to dismiss multiple counts in the complaint for reasons unique to each claim. Plaintiffs filed a response on September 14, Doc. 22,2 and Defendant filed a reply on October 12, Doc. 28. Briefing is complete and the motion is ready for decision.

2 The native pagination in Doc. 22 differs from the pagination in the CM ECF header. The Court’s citations are to the page numbers in the CM ECF header at the top of the page, not the native pagination at the bottom. STANDARD OF REVIEW Federal Rule of Civil Procedure 8 requires that a complaint state “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). Federal Rule of Civil Procedure 12(b)(6) allows a court to dismiss a complaint for failure to state a claim upon which the court can grant relief. “[T]o withstand a Rule 12(b)(6) motion to dismiss,

a complaint must contain enough allegations of fact, taken as true, to state a claim to relief that is plausible on its face.” Khalik v. United Air Lines, 671 F.3d 1188, 1190 (10th Cir. 2012) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). While a complaint does not require detailed factual allegations to survive a Rule 12(b)(6) motion to dismiss, it “requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555. “A claim is facially plausible when the allegations give rise to a reasonable inference that the defendant is liable.” Mayfield v. Bethards, 826 F.3d 1252, 1255 (10th Cir. 2016). The court’s consideration, therefore, is limited to determining whether the complaint states a legally

sufficient claim upon which the court can grant relief. See Sutton v. Utah State Sch. for the Deaf & Blind, 173 F.3d 1226, 1236 (10th Cir. 1999). The court is not required to accept conclusions of law or the asserted application of law to the alleged facts. See Hackford v. Babbitt, 14 F.3d 1457, 1465 (10th Cir. 1994). Nor is the court required to accept as true legal conclusions that are masquerading as factual allegations. Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009). The court must, however, view the plaintiffs’ allegations in the light most favorable to them. Schrock v. Wyeth, Inc., 727 F.3d 1273, 1280 (10th Cir. 2013). DISCUSSION Defendant’s primary argument is that it owed Plaintiffs no duty to protect their information from the criminal acts of third parties over which it had no control. It cites various statutes, all of which it argues impose no duty on it to protect Plaintiffs’ information. The Court disagrees. Regardless of whether any statute explicitly imposed such a duty and regardless of

whether Defendant could control the actions of the criminals who stole Plaintiffs’ property, Defendant had a duty of ordinary care to reasonably protect that property. The Court also rejects Defendant’s argument that Plaintiffs do not sufficiently allege damages because Plaintiffs have alleged they have lost time devoted to addressing security issues since the breach and Defendant has not argued these are incognizable damages under New Mexico law. Further, the Court rejects Defendant’s argument to preclude Plaintiffs from pursuing a theory of negligence per se and finds that Plaintiffs have sufficiently pled causes of action for breach of fiduciary duty, unjust enrichment, the New Mexico Unfair Practices Act, and omissions under the Arizona Consumer Fraud Act (“ACFA”).

The Court, however, agrees with Defendant that Plaintiffs’ claim based on affirmative misrepresentations under the ACFA does not meet the heightened pleading standard for fraud and concurs with Defendant that the breach of implied contract claim and the tort of intrusion into private affairs are not sufficiently pled. I. Statutory duty Defendant’s opening argument is that it “owed no statutory duty to Plaintiffs to prevent their alleged harms.” Doc. 15 at 5. Therefore, Defendant asserts, “[t]his case should be dismissed for failure to state a claim because Plaintiffs are not entitled to recovery under any set of facts, even if proven.” Id. Plaintiffs make clear in their response, however, that they are not bringing a separate cause of action under any statute. See Doc. 22 at 11 (“Plaintiffs don’t even allege that Rehoboth had or violated a general duty to protect Plaintiffs’ data under the New Mexico Data Breach Notification Act, N.M. Stat. Ann. § 57-12C-1, et seq. (2017).”); id. at 13 (“Defendant’s arguments about there being no duties imposed by HIPAA or the FTCA due to the fact that those statutes do not contain private right of actions misses the mark completely. Defendant has no answer for, and does not even cite to, the numerous courts that have allowed negligence and

negligence per se claims to proceed based upon the standards of conduct set forth in both Section 5 of the FTCA and in HIPAA.”). Thus, rather than arguing any statute provides a separate cause of action, the Court understands Plaintiffs’ argument to be that these statutes inform the standard of conduct relevant to their negligence claim.3 To the extent Defendant seeks dismissal of Plaintiffs’ complaint on the basis that Plaintiffs have failed to identify a statutory duty, the Court denies Defendant’s motion. Plaintiffs’ claims are not dependent on the existence of a statutory duty and Defendant makes no argument that any statute preempts, and therefore precludes, the causes of action Plaintiffs do bring.4 II. Negligence Defendant correctly states that, “To state a claim for negligence, plaintiffs must plead and

prove four required elements: (1) duty; (2) breach; (3) causation; (4) damages.” Doc. 15 at 11 (citing Romero v. Giant Stop-N-Go of N.M., Inc., 2009-NMCA-059, ¶ 5, 212 P.3d 408; Zamora v. St. Vincent Hospital, 2014-NMSC-035, ¶ 22, 335 P.3d 1243). Defendant’s first challenge goes

3 Plaintiffs’ negligence per se claim is premised on the FTCA. Compl. ¶¶ 171-78. The Court addresses that claim later in this Opinion. 4 Although Defendant cites and discusses a case in which an Illinois appellate court found that the enactment of a similar data-breach statute occupied the field to the exclusion of any common-law remedies, Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358 (2010), Defendant does not develop an argument that the analogous New Mexico statute preempts or displaces this state’s common-law duty of ordinary care. Doc. 15 at 6-7. to this first element—duty. Plaintiffs correctly assert, “In New Mexico, the current law on duty is that the duty of ordinary care applies unless the defendant can establish a policy reason, unrelated to foreseeability considerations, that compels a limitation on the duty or an exemption from the duty to exercise ordinary care.” Doc. 22 at 11 (citing Rodriguez v. Del Sol Shopping Ctr. Assocs., L.P., 2014-NMSC-014, ¶ 5, 326 P.3d 465, 469). As the New Mexico Court of

Appeals has noted, “Where a ‘duty’ exists, it generally requires that the defendant’s conduct conform to the same standard of care—that of a reasonable person under the same or similar circumstances, usually referred to as the ‘ordinary care’ standard.” Oakey, Est. of Lucero v. May Maple Pharmacy, Inc., 2017-NMCA-054, ¶ 23, 399 P.3d 939, 947. Plaintiffs assert that they identify multiple sources of Defendant’s duty, including: 1) the special relationship that arose when Rehoboth collected and stored the data in its computer property, and shared and used it for commercial gain (Compl. ¶¶ 141, 144); 2) the duty to comply with industry standards (Compl. ¶¶ 143, 149); 3) the duty to use reasonable security measures consistent with the HIPAA standards of care (Compl. ¶ 144); 4) the duty to protect against the foreseeable risk of harm from a data breach (Compl. ¶ 145), and; 5) the duty to employ reasonable security measures under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45. Doc. 22 at 11. The Court concludes Defendant owed Plaintiffs a duty of ordinary care. Whether this duty is informed by the other sources of duty Plaintiffs identify is beyond the scope of the briefs and not a question the Court need resolve in rejecting Defendant’s argument that it owed no duty to Plaintiffs.5

5 Later in this Opinion, the Court will address Plaintiffs’ assertion that the FTCA defines the duty Defendant owed for purposes of a negligence per se cause of action. The Court also recognizes that, in New Mexico, statutes, regulations, and court rules can be relevant in determining what standard of care is applicable for purpose of a negligence action. Oakey, 2017-NMCA-054, ¶ 26 (stating in a case alleging professional negligence “statutes, regulations, and court rules imposing requirements on professionals are relevant to the determination of the standard of care required by the circumstances and whether it has been met, even if they do not necessarily suffice to establish a standard of care or provide a cause of action for their violation”); see also Spencer v. “‘Duty’ is a requirement imposed by law to conform one’s conduct to a certain ‘standard of care.’ The existence of a duty is a question of policy to be determined by the court as a matter of law ‘with reference to legal precedent, statutes, and other principles comprising the law.’” Oakey, Est. of Lucero v. May Maple Pharmacy, Inc., 2017-NMCA-054, ¶ 22, 399 P.3d 939, 946. “In contrast to the question whether the defendant has a legal duty, determined by the court as a

matter of law, questions concerning whether the defendant has exercised proper care in the performance of a legal duty are factual issues.” Id. ¶ 24. As the Restatement (Third) of Torts states: There are two different legal doctrines for withholding liability: no-duty rules and scope-of-liability doctrines (often called “proximate cause”). An important difference between them is that no-duty rules are matters of law decided by the courts, while the defendant’s scope of liability is a question of fact for the factfinder. Restatement (Third) of Torts: Liability for Physical and Emotional Harm § 7, comment a (2010).6

Barber, 2013-NMSC-010, ¶¶ 4, 14-15, 299 P.3d 388, 392, 394 (finding in professional malpractice case that, although New Mexico Rules of Professional Conduct do not themselves give rise to a cause of action against a lawyer, they “become relevant when ascertaining the scope of the duty owed by the attorney to the personal representative and how a breach of that duty may have harmed the statutory beneficiary”). However, whether a jury, in determining the applicable standard of care and any breach of duty, should consider any of the statutes Plaintiffs cite is not a question currently before the Court. 6 The vocabulary used to express these concepts differs throughout court opinions and other sources. For example, the New Mexico Supreme Court referred to these concepts using the phrases “scope of ordinary care” (i.e., breach—the factual question) and “scope of duty” (i.e., duty—the legal question). Rodriguez v. Del Sol Shopping Ctr. Assocs., L.P., 2014-NMSC-014, ¶ 16, 326 P.3d 465, 471. It is otherwise clear this opinion adopts the Restatement’s approach: This distinction is more than semantic, because to be concerned about the scope of ordinary care is to be concerned about whether a defendant’s conduct was reasonable—a breach of duty analysis. Restatement (Third) of Torts, supra, § 7 cmt. i (discussing the mistake that courts sometimes make when they “inaptly express” a determination that there was no breach of duty as a matter of law in The Court begins its analysis by distinguishing between legal concepts the parties raised that are appropriate to address at the motion to dismiss stage because they involve legal questions (like whether a duty exists) and those not appropriately resolved at the motion to dismiss stage because they involve factual questions (like whether a duty was breached). As Defendant recognizes, foreseeability is not a consideration in the present motion to dismiss. See

Doc. 15 at 13 (“Whether such a data breach was foreseeable is irrelevant to the issue [of duty] after Rodriguez was decided.”). Plaintiffs point out that they allege foreseeability in their complaint. Doc. 22 at 12 (“[I]t is still good law in New Mexico that court[s] ‘have consistently relied on the principle of foreseeability, along with policy concerns, to determine whether a defendant owed a duty to a particular plaintiff or class of plaintiffs.’ Here, Plaintiffs allege that the data breach was foreseeable . . . .” (quoting Herrera v. Quality Pontiac, 2003-NMSC-018, ¶ 20, 73 P.3d 181, 190; and citing Compl. ¶ 145)). The Court views the parties’ references to foreseeability as a recognition of issues that may arise at the summary judgment stage (when the Court might be faced with the question of whether any reasonable jury could find foreseeability)

or at trial. The question of foreseeability, however, is not of concern in the present motion to dismiss.

terms of no duty). On the other hand, concerns about the scope of duty require a judge to articulate policy considerations when modifying the duty of ordinary care or exempting a class of defendants from the duty of ordinary care in a class of cases. Id. The Court concludes Defendant owed Plaintiffs a duty and therefore rejects the argument Defendant made in its motion to dismiss: as a matter of law, it owed Plaintiffs no duty to protect them from the criminal acts of a third party. As a result, the Court need not presently consider precisely where to draw the line between what a court must do as a matter of law (“focus on policy considerations when determining the scope . . . of a duty of care,” Rodriguez, 2014- NMSC-014, ¶ 19) and what a court must leave to the factfinder (determining scope of liability, Restatement (Third) of Torts: Liability for Physical and Emotional Harm § 7, comment a (2010)). As a matter of law, the Court recognizes the common-law duty of ordinary care for purposes of this lawsuit. “Every person has a duty to exercise ordinary care for the safety of the person and the property of others.” UJI 13-1604 NMRA. The New Mexico Supreme Court held in Rodriguez v. Del Sol Shopping Center Associates, L.P. that: “The duty of ordinary care applies unless the [defendant] can establish a policy reason, unrelated to foreseeability considerations,

that compels a limitation on the duty or an exemption from the duty to exercise ordinary care.” 2014-NMSC-014, ¶ 5, 326 P.3d 465, 469. The court also “overrule[d] prior cases insofar as they conflict with this opinion’s clarification of the appropriate duty analysis in New Mexico.” Id. ¶ 3. Defendant nonetheless argues that a negligence cause of action cannot lie because Defendant had no duty to protect Plaintiffs from the harm caused by the criminal actions of the data hackers. Doc. 15 at 11-12. Defendant reasons, “no duty exists because Rehoboth has no control over the individuals in possession of the stolen patient information.” Doc. 15 at 13. However, the 2002 New Mexico Court of Appeals case Defendant cites in support of its argument that it could not control the actions of third-party hackers, and so owed no duty to

protect Plaintiffs from such actions, cannot withstand Rodriguez and its progeny. In Grover v. Stechel, a stabbing victim sued the parent of her adult assailant for negligence. 2002-NMCA-049, ¶ 2, 45 P.3d 80, 82. As Defendant points out, Grover did state that, “In order to create a duty based on a special relationship, the relationship must include the right or ability to control another’s conduct.” Id. ¶ 12. Defendant, however, fails to acknowledge that Grover premised its decision on considerations of foreseeability that the New Mexico Supreme Court abandoned in Rodriguez. In analyzing whether the criminal conduct of a third party could serve as the predicate for a negligence action, the Grover court asked whether that criminal conduct was foreseeable. 2002-NMCA-049, ¶ 17 (noting the Restatement (Second) of Torts on which it relied “requires that the criminal conduct of a third party be a foreseeable result of an act or omission. As stated above, neither the provision of financial support nor the failure to withdraw financial support upon hearing about David’s conduct renders the injury to Plaintiff a foreseeable, direct consequence of providing support to David.”); id. ¶ 16 (“What is lacking is foreseeability. Without foreseeability, there can be no duty.”).

Since Grover, the New Mexico Supreme Court has clarified that foreseeability is a question for the finder of fact. Rodriguez, 2014-NMSC-014, ¶ 14 (relying on Restatement (Third) of Torts, and concluding that although foreseeability is a consideration for the fact-finder at trial, “it is relevant to the breach of duty question[] usually reserved for the jury”). As Rodriguez makes clear, “Courts should not engage in weighing evidence to determine whether a duty of care exists or should be expanded or contracted—weighing evidence is the providence of the jury; instead, courts should focus on policy considerations when determining the scope or existence of a duty of care.” Id. ¶ 19. The question of “the foreseeability of risk of injury from a third person” is for a jury, not for a court to determine as a matter of law—unless no reasonable

juror could disagree. Id. ¶¶ 14, 24. Defendant recognizes Rodriguez and agrees that the Court should not consider foreseeability in deciding its motion to dismiss. Doc. 15 at 13 (“Whether such a data breach was foreseeable is irrelevant to the issue after Rodriguez was decided.”). Because Grover relied on an outdated application of foreseeability, it is not persuasive on this point. Indeed, the application of Grover that Defendant advances would have led to a different outcome in Rodriguez. Rodriguez involved consolidated cases in which a truck crashed through the front glass of a shopping center in Santa Fe, killing three people and seriously injuring several others. 2014-NMSC-014, ¶ 2. The plaintiffs alleged that the shopping center negligently contributed to the accident by, among other things, failing to adequately post signage; failing to install speed bumps; failing to erect barriers that would have protected buildings, employees, and visitors from errant vehicles; or failing to use other traffic control methods in the parking lot. Id. The district courts found the accident was not foreseeable as a matter of law, and thus no duty existed. Id. The court of appeals affirmed. However, it rejected the trial courts’ foreseeability

analysis and instead found that “Defendants had no duty to protect Plaintiffs inside the building from criminally reckless drivers.” Id. ¶ 3 (internal quotation marks omitted). The New Mexico Supreme Court rejected both approaches. It declared that, in New Mexico, “a duty of ordinary care under the circumstances includ[es] the duty to exercise ordinary care to prevent harmful conduct from a third person, even if the third person’s conduct is intentional.” Id. ¶ 5 (citation omitted). Common to the defendant shopping center in Rodriguez, the defendant mother of the assailant in Grover, and Defendant here, is that none of them could control the actions of the third parties who directly caused the harms alleged. Thus, applying Defendant’s reasoning to Rodriguez would lead to a result different from the one the New

Mexico Supreme Court reached. A District of New Mexico case decided since Rodriguez supports the conclusion that Defendant’s argument is not one that should be resolved on a motion to dismiss. Lilley v. CVS Health involved a shooting and carjacking that occurred close to midnight in an Albuquerque CVS store parking lot. No. 17cv515 KG/JHR, 2019 WL 1396415, at *1 (D.N.M. Mar. 27, 2019). The plaintiff asserted that CVS acted in a negligent manner by breaching “a duty to use reasonable efforts to make the Location, which includes the parking lot, safe for business patrons by providing enough security to protect Plaintiff against the foreseeable acts of third persons.” Id. (quoting complaint). The district court found that CVS owed the plaintiff a duty of ordinary care. Id. at *2. The district court relied on Rodriguez in noting, “Although the breach of duty and proximate causation issues are normally reserved for the jury, ‘[a] court may still decide whether a defendant did or did not breach the duty of ordinary care as a matter of law, or that the breach of duty did not legally cause the damages alleged in the case.’” Id. at *3 (quoting Rodriguez, 2014-NMSC-014, ¶ 24) (alterations in original). “In that situation, the court must ‘conclude[]

that no reasonable jury could decide the breach of duty or legal cause questions except one way.’” Id. (quoting Rodriguez, 2014-NMSC-014, ¶ 24) (alterations in original). In denying the plaintiff’s motion for summary judgment, the district court stated, “The breach of duty question properly constitutes a factual question for the jury to decide, thereby making a grant of summary judgment inappropriate.” Id. at *4. Just as the criminal act of a third party did not preclude the Lilley plaintiff’s claim, the criminal act of a third party here does not, as a matter of law, preclude Plaintiffs’ negligence claim. Having concluded that Defendant owed a duty to Plaintiffs, the Court next turns to Defendant’s argument that Plaintiffs’ causes of action are precluded because they fail to state a

claim for damages. Because this is an overarching argument that applies not just to Plaintiffs’ negligence claim, but to all of Plaintiffs’ causes of actions, the Court analyzes this argument below, in a separate section. III. Damages Defendant moves to dismiss all counts of the complaint because Plaintiffs “fail[] to allege any facts to show they incurred actual damages.” Doc. 15 at 10 (emphasis added). Defendant correctly points out that damages may not be awarded in New Mexico based on speculation. Id. at 9-10. “An award of damages predicated upon conjecture, guess, surmise or speculation is improper. A party seeking to recover damages has the burden of proving the existence of injuries and resulting damage with reasonable certainty.” Sanchez v. Martinez, 1982-NMCA-168, ¶¶ 19- 20, 653 P.2d 897, 902-03 (citations omitted). Certainly, some allegations of the complaint are speculative. For example, Plaintiffs allege they “have been placed at an imminent, immediate and continuing increased risk of harm from fraud and identity theft.” Compl. ¶ 117 (emphasis added). They allege that they “face

substantial risk of out-of-pocket fraud losses” in the future. Id. ¶ 119 (emphasis added). “Plaintiffs anticipate spending considerable time and money” to mitigate the harms caused by the data breach. Id. ¶ 115 (emphasis added). Plaintiffs “face substantial risk of being targeted for future phishing, data intrusion, and other illegal schemes.” Id. ¶ 120 (emphasis added). Plaintiffs “may also incur out-of-pocket costs for protective measures.” Id. ¶ 121 (emphasis added). However, Plaintiffs also allege a variety of non-speculative damages. Plaintiffs allege that, after the data breach, they spent increased time dealing with spam calls and monitoring their credit for suspicious activity. Compl. ¶¶ 109-14. Plaintiffs further allege they “suffered a loss of value of their Private Information,” id. ¶ 122, and have experienced anxiety and emotional

distress because of the increased risk of having their data misused, id. ¶¶ 124-25. Defendant does not argue that these types of damages are not compensable. Instead, Defendant’s first argument is that they are not sufficiently pleaded. Doc. 15 at 10 (“There are no facts as to what was done and why.”). In the next sentence, however, Defendant points out that “Plaintiffs allege Leona Garcia Lacy has begun to receive phishing calls and has spent at least two hours per week monitoring accounts for fraud.” Id. (citing Compl. ¶ 112-13). This statement about who received the phishing calls and how much time this person then spent monitoring her accounts for fraud is sufficient to place Defendant on fair notice of Plaintiffs’ claim and the grounds upon which it rests. See Burnett v. Mortg. Elec. Registration Sys., Inc., 706 F.3d 1231, 1235 (10th Cir. 2013) (“Although specific facts are not necessary to comply with Rule 8(a)(2), the complaint must give the defendant fair notice of what the claim is and the grounds upon which it rests.”) (internal citations and quotations omitted). Defendant’s second argument is one of causation: “There are no facts to suggest those [phishing] calls are related to this data security incident.” Doc. 15 at 10. Plaintiffs’ statement that

Ms. Lacy “has begun” to receive phishing calls, however, indicates that those phishing calls started after the data breach, indicating a temporal connection between the data breach and the phishing calls. Again, this is enough to place Defendant on fair notice of Plaintiffs’ claims and the grounds upon which they rest. Whether Plaintiffs can prove causation is a question of fact to be addressed at a later stage. Defendant’s third argument is that Plaintiffs have failed to “allege any incident of fraud or even attempted fraud.” Doc. 15 at 10. Although Plaintiffs have not alleged that they have been defrauded, in asserting that the breach led to increased phishing attempts, Plaintiffs have alleged that the breach led to attempted fraud. And, regardless of whether the data breach has led to

actual fraud, Plaintiffs allege the breach has caused them to expend time monitoring their data and Defendant does not argue that this expenditure of time is not compensable.7 IV. Other individual causes of action A. Negligence per se As the New Mexico Court of Appeals stated in Oakey, Est. of Lucero v. May Maple Pharmacy, Inc.: To support a claim for negligence per se (distinct from a negligence claim), “the regulation or statute at issue must specify a duty that is distinguishable from the

7 Because Defendant does not brief whether the loss of time addressing issues caused by the data breach or the loss of value of Plaintiffs’ private data itself are cognizable harms under New Mexico law, the Court likewise declines to address these issues. ordinary standard of care[,]” rather than “impose general duties[.]” Thompson, 2012-NMCA-014, ¶¶ 32-33, 268 P.3d 57; see Heath v. La Mariana Apartments, 2008-NMSC-017, ¶ 21, 143 N.M. 657, 180 P.3d 664 (explaining that, to support a claim for negligence per se, a statute or regulation must “contain a specific standard of care that does not merely repeat the common law standard”).

2017-NMCA-054, ¶ 21, 399 P.3d 939, 946. Plaintiffs’ negligence per se claim is based on their allegations that Defendant violated the Federal Trade Commission Act (“FTCA”). Compl. ¶¶ 171-78. Defendant argues that a negligence per se claim based on the FTCA is not available to Plaintiffs because Plaintiffs do not assert a private right of action. Doc. 15 at 16-17. Plaintiffs do not dispute Defendant’s contention that the FTCA does not permit a private right of action. Doc. 22 at 25. They argue, however, that they may base a negligence per se claim on the FTCA despite this. Id. Defendant has not addressed Plaintiffs’ argument that, even though the FTCA provides no private right of action, it may still define the scope of duty that serves as the basis for a negligence per se claim. Instead, in reply, Defendant asserts that “New Mexico does not recognize a claim for negligence per se separate from negligence.” Doc. 28 at 8. Even if this is true, however, Defendant provides no reason why Plaintiffs cannot allege both theories of recovery at this stage of the litigation. Next, Defendant argues Plaintiffs’ allegations do not state a claim because the FTCA applies to deceptive practices and Plaintiffs do not allege deceptive acts. Doc. 15 at 9. Defendant is correct that “Section 5 of the FTCA prohibits ‘deceptive acts or practices in or affecting commerce.’” Id. (quoting FTC v. Cyberspace.com, LLC, 453 F.3d 1196, 1199 (9th Cir. 2006); FTCA § 5(a)(1), 15 U.S.C. § 45(a)). But that is not all the FTCA prohibits. It outlaws “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1) (emphasis added). The statute’s use of the disjunctive indicates that its reach is not limited to deception—it may also cover practices that are unfair but not necessarily deceptive. Nor do Defendant’s cited cases say otherwise. FTC v. Cyberspace.com, LLC indicates that the Federal Trade Commission chose to proceed under the “deceptive” prong of the statute. 453 F.3d at 1199 (“Based on its belief that the solicitations were deceptive in violation of Section 5 of the Federal Trade Commission Act (‘FTCA’), the Federal Trade Commission (‘FTC’) sought an injunction and consumer redress . . . .”). Cyberspace neither holds nor implies that the

FTCA does not also cover unfair practices. Defendant’s second citation is to Veridian Credit Union v. Eddie Bauer, LLC, which dismissed the FTCA negligence per se claim arising under Washington state law on grounds not related to deceptiveness and without considering deceptiveness as an element at all. 295 F. Supp. 3d 1140, 1158-59 (W.D. Wash. 2017). Moreover, this case indicated that, although the statute could not serve as the foundation for a negligence per se cause of action under Washington law, it possibly could have under Iowa law. Id. at 1151. By concluding that the existence of a negligence per se cause of action that is not based on a deceptiveness allegation can turn on which state law is applied, Veridian Credit Union undermines, rather than supports, Defendant’s

contention that deceptiveness is a prerequisite to a negligence per se action based on failure to comply with the FTCA. Defendant’s third citation is to Community Bank of Trenton v. Schnuck Markets, Inc., which acknowledges that the FTCA prohibits “Unfair or deceptive acts” and, like Veridian Credit Union, dismisses on grounds unrelated to whether the element of “deception” was missing from the allegations in the complaint. 210 F. Supp. 3d 1022, 1041 (S.D. Ill. 2016) (emphasis added). Countering the cases Defendant cites, Plaintiffs cite to numerous cases in which federal courts did not discuss deceptiveness and which nonetheless sustained a negligence per se cause of action under the FTCA. Doc. 22 at 13-14 & 13 n.3. Finally, the Court observes that “deception” is a concept inherently at odds with a negligence per se cause of action, as it implies a level of intentionality above mere negligence. For all these reasons, the Court rejects Defendant’s argument that an allegation of deception is required to state a claim to a negligence per se action based on violations of the FTCA. B. Breach of fiduciary duty

Defendant moves to dismiss Plaintiffs’ claim for breach of fiduciary duty. Doc. 15 at 19. Defendant acknowledges that “[t]he physician-patient relationship has been recognized as a relationship where a fiduciary duty exists.” Id. But, Defendant asserts, “no New Mexico law was located analyzing whether a hospital owes a fiduciary duty to its patients to assure their information was not accessed via a cyber-attack.” Id. “In the absence of other law on point,” Defendant argues that the claim should be analyzed with reference to the Data Breach Notification Act (“DBNA”), which it asserts does not impose a fiduciary duty on Defendant. Id. Defendant argues that the DBNA “provides the scope of the duty [Defendant] owed with regard to the complained of data breach, and the prescribed remedy for the same.” Doc. 15 at 5. And, Defendant continues, “[t]he Data Breach Notification Act imposes no duty on Rehoboth to

provide any protections to Plaintiffs or any putative class member beyond this notice.” Id. at 7. According to Defendant, the only duty the Act imposes is the duty “to notify the affected individuals of the breach. It does not extend to protecting the affected individuals from harm caused by the breaching third party.” Id. The Court disagrees. In addition to the notice provisions Defendant correctly recognizes, the DBNA requires: “A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.” NMSA § 57-12c-4. The Act further provides for enforcement by the attorney general. Id. § 57-12c-11. Plaintiffs allege Defendant did not implement and maintain reasonable security procedures and practices.8 Compl. ¶¶ 69-71. Thus, reference to the DBNA appears to harm, rather than support Defendant’s position. To the extent Defendant contends the DBNA supports its position, however, the Court notes that whether the DBNA even applies is not clear. “The provisions of the Data Breach Notification

Act shall not apply to a person subject to . . . the federal Health Insurance Portability and Accountability Act of 1996.” NMSA § 57-12C-8. The complaint alleges that Defendant is subject to HIPAA and that Defendant violated the federal regulations implemented for data security under HIPAA. Compl. ¶¶ 50, 64-68 (citing, inter alia, 45 C.F.R. § 164.306). Thus, Defendant’s argument that the DBNA demonstrates a lack of fiduciary duty also fails because Defendant has not established that the DBNA applies. The Court therefore rejects the fiduciary duty argument Defendant sets forth in its motion to dismiss. C. Unjust enrichment Defendant moves to dismiss the unjust enrichment claim, arguing that “Plaintiffs have not alleged that they personally paid anything to Defendant.” Doc. 15 at 20. This is incorrect.

The complaint alleges that “Plaintiffs and Class Members conferred a monetary benefit on Defendant, by paying Defendant money for healthcare services.” Compl. ¶ 212. Defendant argues that this is a conclusory allegation. Doc. 15 at 20. The Court rejects this argument. The allegation that Plaintiffs paid Defendant money is a factual allegation, not a conclusion. Defendant’s motion to dismiss Plaintiffs’ unjust enrichment claim is premised on its contention that Plaintiffs have not paid anything to Defendant. Id. The facts in Plaintiffs’ complaint, which

8 Plaintiffs do not, however, assert a private right of action under this statute. The Court therefore does not consider whether a private right of action under the statute exists. must be taken as true at this stage, are that they paid Defendant money for healthcare services, a portion of which was to have been used for data security measures to secure Plaintiffs’ data. Compl. ¶ 212. This contention is sufficient to defeat Defendant’s argument that Plaintiffs have failed to allege a payment. D. New Mexico Unfair Practices Act

To bring a claim under the New Mexico Unfair Practices Act (“UPA”), the plaintiff must show that: (1) the defendant made a statement that was either false or misleading; (2) the false or misleading representation was knowingly made in connection with the sale of goods or services in the regular course of the defendant’s business; and (3) the representation was of the type that may, tends to, or does deceive or mislead any person. Vigil v. Taintor, 2020-NMCA-037, ¶ 22, 472 P.3d 1220, 1229-30. Defendant moves to dismiss this count, arguing that the complaint includes no allegations that Defendant made “false or misleading” statements, and that the heightened pleading requirement in Rule 9(b) applies to this claim. Doc. 15 at 21. Rule 9(b) requires that, “In alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions

of a person’s mind may be alleged generally.” Fed. R. Civ. P. 9(b). To satisfy this standard, the complaint must, at a minimum, “set forth the time, place and contents of the false representation, the identity of the party making the false statements and the consequences thereof.” Schwartz v. Celestial Seasonings, Inc., 124 F.3d 1246, 1252 (10th Cir. 1997). Plaintiffs’ position as to whether the heightened pleading standing of Rule 9(b) applies to UPA claims is unclear. Plaintiffs did not dispute, in their response, Defendant’s assertion that the UPA claim requires a heightened pleading standard. In fact, a portion of Plaintiffs’ response brief could be interpreted as agreeing that a heightened pleading standard applies. Plaintiffs cite Begay v. Medicus Healthcare Sols., LLC, No. 15cv500 JCH/SCY, 2015 WL 13650107, at *7 (D.N.M. Nov. 18, 2015), and in a parenthetical, describe this case as holding that “allegations that hospital falsely represented that its physicians would have unrestricted medical licenses and undergo thorough background checks were sufficient to state a claim for violation of the UPA under heightened federal pleading standards.” Doc. 22 at 30-31

(emphasis added). Although an argument could be made that this language refers to heightened pleading standards under Rule 9(b), the Court interprets Plaintiffs’ statement to mean “heightened federal pleading standards” under Iqbal and Twombly as they stand in contrast to state-court pleading standards. This is because the Begay court relies on Iqbal and Twombly to describe the pleading standard that applies but makes no reference at all to Rule 9(b). Thus, although Plaintiffs do not challenge Defendant’s contention that a heightened pleading standard applies to UPA claims, the Court does not read Plaintiffs’ response as affirmatively agreeing with Defendant that such a heightened standard applies. And, although the Court will not make arguments for a party, it has an independent duty to apply the correct

pleading standard to a claim on a motion to dismiss. See Koch v. U.S., Dep’t of Interior, 47 F.3d 1015, 1018 (10th Cir. 1995) (“it is well-settled that a court is not bound by stipulations of the parties as to questions of law” (internal quotation marks omitted)); Zia Shadows, L.L.C. v. City of Las Cruces, 829 F.3d 1232, 1242 (10th Cir. 2016) (to defer to the parties’ incorrect legal arguments “would effectively require the court to commit legal error”); Issa v. Comp USA, 354 F.3d 1174, 1178 (10th Cir. 2003) (“[E]ven if a plaintiff does not file a response to a motion to dismiss for failure to state a claim, the district court must still examine the allegations in the plaintiff’s complaint and determine whether the plaintiff has stated a claim upon which relief can be granted.”). In support of its assertion that the heightened pleading standard applies to New Mexico UPA claims, Defendant cites a 2009 case from the Ninth Circuit that dealt with California’s consumer protection statutes. Doc. 15 at 21. Defendant’s cited case, Kearns v. Ford Motor Co., 567 F.3d 1120, 1124-25 (9th Cir. 2009), does not contain any reasoning for its conclusions. Kearns merely cites and relies on a prior Ninth Circuit case applying Rule 9(b) to the state

statutes in question. 567 F.3d 1120, 1124-25 (citing Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1102 (9th Cir. 2003)). For its part, Vess explained that “[i]n cases where fraud is not a necessary element of a claim, a plaintiff may choose nonetheless to allege in the complaint that the defendant has engaged in fraudulent conduct.” 317 F.3d at 1103. If a plaintiff elects that route, then Rule 9(b) applies. Id. But if a plaintiff avoids making averments of fraud, Rule 8 applies. Id. Therefore, even if the Court were to apply Defendant’s Ninth Circuit authority to this case, that authority does not mandate that Rule 9(b) apply to cases that fall short of alleging fraud. Vess, 317 F.3d at 1105-06 (application of Rule 9(b) not proper where, “[i]n some of his non-conspiracy allegations against Novartis, Vess neither mentions the word ‘fraud,’ nor alleges

facts that would necessarily constitute fraud”). Notably, Defendant cited to no state or federal case that has applied a heightened pleading standard to New Mexico UPA claims. Moreover, cases in this District have rejected the argument that the fraud pleading standard in Rule 9(b) applies to claims under the UPA. Skyline Potato Co. v. Tan-O-On Mktg., Inc., 879 F. Supp. 2d 1228, 1271 (D.N.M. 2012); Woodard v. Fidelity Nat’l Title Ins. Co., No. 06-1170, 2007 WL 5173415, at *6 (D.N.M. Dec. 4, 2007). The Court will follow these cases. Although the UPA shares some common ground with fraud, a cause of action for fraud requires more than a cause of action under the UPA. Fraud requires (1) a misrepresentation (2) that the defendant knows is false (3) made with intent to deceive and induce reliance and (4) that the plaintiff in fact relied upon. UJI 13-1633 NMRA. Unlike a cause of action for fraud, the UPA requires neither inducement nor reliance. In other words, the UPA does not require that a defendant act to induce reliance in the plaintiff or that a plaintiff prove he in fact relied on the misrepresentation—only that the misrepresentation was of the kind a person would be deceived by. Therefore, the UPA encompasses conduct that might

fall short of fraud. Here, Plaintiffs allege Defendant knowingly made a misleading statement in connection with the sale of its services and that statement was the type that might mislead any person.9 Plaintiffs allege that “[Defendant] provides each of its customers with a HIPAA compliant notice that explains how they handle customers’ sensitive and confidential information” and that “[Defendant] represents to the public and its customers, via its website, that it will safeguard and protect any confidential health and other personal information provided to it.” Compl. ¶¶ 32-33. According to the complaint, “[Defendant], upon information and belief, promises to, among other things: keep customers’ protected health information (PHI) private; inform customers of its

legal duties and comply with laws protecting customers’ health information; only use and release customers’ health information for approved reasons; provide adequate notice to customers if their Private Information is disclosed without authorization and adhere to the terms outlined in the Privacy Notice.” Id. ¶ 34. Plaintiffs assert these statements were false or misleading in that Defendant “[m]isrepresent[ed] that it would protect the privacy and confidentiality of . . . Private Information,” “[m]isrepresent[ed] that it would comply with common law and statutory duties,”

9 Defendant does not individually address each statement Plaintiffs claim serves as a predicate to a UPA claim and so neither does the Court. Compl. ¶ 227(a)-(i). and “[m]isrepresent[ed] that certain sensitive Personal Information was not accessed during the Data Breach, when it was.” Id. ¶ 227(d), (e), (g). Thus, Plaintiffs allege that, in connection with providing its services, Defendant knowingly made false or misleading statements that it would protect private information and then, when a third party accessed the information because it did not protect it, lied about it being accessed. Taken as true and applying the less specific pleading

requirement under Rule 8, the Court finds these allegations sufficient to state a claim under the UPA. E. Arizona Consumer Fraud Act Defendant moves to dismiss the allegations under the Arizona Consumer Fraud Act (“ACFA”) under Rule 9(b). Doc. 15 at 22-23. Unlike the NM UPA, the Arizona Consumer Fraud Act is a fraud statute. Thus, courts appear to agree that Rule 9(b) applies to claims asserted under this statute in federal court. E.g., Schellenbach v. GoDaddy.com LLC, No. 16cv746, 2017 WL 192920, at *4 (D. Ariz. Jan. 18, 2017). As summarized above, the complaint’s allegations of misrepresentations are stated generally. But, under a heightened pleading standard, “a complaint must set forth the time, place

and contents of the false representation, the identity of the party making the false statements and the consequences thereof.” Schwartz v. Celestial Seasonings, Inc., 124 F.3d 1246, 1252 (10th Cir. 1997). General allegations of a promise, such as, “RMCHCS, upon information and belief, promises to, among other things: keep customers’ protected health information (PHI) private,” Compl. ¶ 34, do not set forth the time, place, or specific contents of the promise. Moreover, when the complaint does get more specific—such as describing language from Defendant’s website—it does not actually contain the promises referred to in the general allegations (such as a promise that Defendant complies with industry standards or fulfills a statutory or common law duty to reasonably protect Plaintiffs’ data). Cf. Compl. ¶ 33. The website, as quoted in the complaint, represents only that Defendant employs “Health Information Management professionals” responsible for protection of patients’ data. Id. But there is no allegation in the complaint that Defendant does not employ such persons with such responsibilities. As set forth in the section above addressing Plaintiffs’ New Mexico UPA claims,

Plaintiffs do make general allegations about misrepresentations Defendant made. The complaint, however, does not contain specific allegations that would satisfy Rule 9(b): the time, place, or specific contents of the promise. Nor do they support a conclusion that Defendant’s false or misleading statements were fraudulent, rather than simply negligent, knowing, or reckless. Nor do Plaintiffs allege specific actions Defendant did or did not take to protect their private information that were so obviously expected and necessary that Defendant’s choice to do, or not do, certain things amounted to fraud. In short, the affirmative representations Plaintiffs allege to support an ACFA claim fail to satisfy Rule 9’s heightened pleading standard for claims of fraud. This does not end the analysis, however, as Plaintiffs argue that their fraud-by-omission

claims enjoy a more relaxed pleading standard and assert that the allegations in paragraphs 227(h) and (i) are such claims. Doc. 22 at 31 (“‘[A] plaintiff in a fraud-by-omission suit faces a slightly more relaxed burden, due to the fraud-by-omission plaintiff’s inherent inability to specify the time, place, and specific content of an omission in quite as precise a manner.’” (quoting Schellenbach, 2017 WL 192920, at *2)). Even under a more relaxed standard, however, Plaintiffs must describe “the particular information that should have been disclosed, the reason the information should have been disclosed, the person who should have disclosed it, and the approximate time or circumstances in which the information should have been disclosed.” Martinez v. Nash Finch Co., 886 F. Supp. 2d 1212, 1216 (D. Colo. 2012); see also S2 Automation LLC v. Micron Tech., Inc., 281 F.R.D. 487, 495 (D.N.M. 2012) (“As Professor James Moore has stated in the context of ‘cases concerning fraudulent misrepresentation and omission of facts,’ the plaintiff must plead to satisfy rule 9(b) ‘the type of facts omitted, where the omitted facts should have been stated, and the way in which the omitted facts made the representations misleading.’” (quoting 2 J. Moore, Moore’s Federal Practice § 9.03[1][b], at 9-18

(3d ed. 2011)). In paragraph 227(i) Plaintiffs allege Defendant violated the ACFA by: “Omitting, suppressing, and concealing the material fact that [Defendant] did not comply with common law and statutory duties pertaining to the security and privacy of Plaintiff and Arizona Subclass members’ Private Information, including duties imposed by the FTC Act, 15 U.S.C. § 45, the GLBA, 15 U.S.C. § 6801, et seq., HIPAA, 42 U.S.C. § 1320d, and COPPA, 15 U.S.C. §§ 6501- 05.” Compl. ¶ 227(i). In paragraphs 50 to 68 of their complaint, Plaintiffs allege what Defendant was required to do to comply with its duties. Id. ¶¶ 50-68. In paragraph 51, Plaintiffs allege they had a “reasonable expectation” and there was a “mutual understanding that Defendant would

comply with its obligations to keep such information confidential and secure from unauthorized access.” Id. ¶ 51. Despite this mutual understanding, Plaintiffs allege, Defendant did not comply with its duties and then concealed the fact that it did not comply with its duties. Id. ¶ 227(i). As such, Plaintiffs describe why the information should have been disclosed. These allegations also make clear when Defendant should have disclosed it would not adequately protect Plaintiffs’ private information—before Plaintiffs provided that information. In short, Plaintiffs’ complaint specifically describes what they allege Defendant should have disclosed, why Defendant should have disclosed it, and when Defendant should have disclosed it. Therefore, the Court denies Defendant’s motion to dismiss Plaintiffs’ ACFA omission claims. F. Breach of implied contract Defendant moves to dismiss the breach of implied contract claim (Fourth Count), arguing that it is insufficiently pled as to the named Plaintiffs because many paragraphs contain allegations about the “class members” and not Plaintiffs themselves. Doc. 15 at 17. Defendant argues that the complaint does not expressly state that the Plaintiffs are patients/customers of

Defendant, and that “[i]t is not sufficient to allege that some other putative class member may be able to allege facts to support a claim.” Id. at 17-18. Defendant is correct that the complaint contains no explicit allegation in the Fourth Count that the named Plaintiffs were patients of Defendant and several paragraphs in the Fourth Count refer to just “Class Members” rather than “Plaintiffs and Class Members.” See Compl. ¶¶ 181, 184, 187, 188. In response, Plaintiffs point out that “Paragraph 140 expressly alleges that ‘Defendant required customers, including Plaintiffs and Class Members, to submit non-public Private Information in the ordinary course of rendering healthcare services’” and that paragraph 179 incorporates this language into the Fourth Count. Doc. 22 at 25-26. They also cite to the second paragraph of the Fourth Count (paragraph 180) which alleges “Plaintiffs and Class Members

provided their Private Information to RMCHCS in exchange for Defendant’s services.” Id. at 26. Regarding consideration, Plaintiffs reference paragraph 184 in the Fourth Count which alleges, “Class Members who paid money to Defendant reasonably believed and expected that Defendant would use part of those funds to obtain adequate data security.” Compl. ¶ 184. Although Plaintiffs reference only “Class Members” rather than “Plaintiffs and Class Members” in paragraph 184, Plaintiffs point out that they are also Class Members and so assert this paragraph alleges that the named Plaintiffs “paid money for adequate data security.” Doc. 22 at 26. The Court rejects Plaintiffs’ argument that their reference to just “Class Members” effectively is a reference to both Plaintiffs and class members. Throughout the complaint, Plaintiffs treat the class members and the named Plaintiffs as distinct entities, and only class members are included in the allegations in paragraphs 181, 184, 187, 188. Moreover, the Supreme Court has held: But the fact that these petitioners share attributes common to persons who may have been excluded from residence in the town is an insufficient predicate for the conclusion that petitioners themselves have been excluded, or that the respondents’ assertedly illegal actions have violated their rights. Petitioners must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent. Warth v. Seldin, 422 U.S. 490, 502 (1975). This authority undermines Plaintiffs’ argument that they can successfully allege the named Plaintiffs are class members, make a series of general allegations pertaining to class members, and then assert that what applies to class members must also apply to them. As Defendant points out, there are no factual allegations pertaining to consideration paid by named Plaintiffs in the Fourth Count, or in any of the preceding factual allegations in the complaint. There is an allegation after the Fourth Count—in paragraph 212—that “Plaintiffs and Class Members conferred a monetary benefit on Defendant, by paying Defendant money for healthcare services, a portion of which was to have been used for data security measures to secure Plaintiffs’ and Class Members’ PII and PHI, and by providing Defendant with their valuable PII and PHI.” But because this allegation comes after the implied breach of contract claim, it is not incorporated by reference in the Fourth Count (nor do Plaintiffs argue in their brief that this paragraph should be read as supporting the Fourth Count). Because the Fourth Count does not adequately allege the named Plaintiffs themselves paid consideration to Defendant, the Court dismisses this count without prejudice. Because the Court dismisses this count without prejudice and Plaintiffs may seek to cure these deficiencies through an amendment, the Court will also address Defendant’s remaining arguments. The Court disagrees with Defendant’s argument that the Fourth Count fails to state a claim even if the named Plaintiffs are paying customers and patients of Defendant. Defendant argues that “Plaintiffs do not allege that Rehoboth promised to protect them from the criminal acts of a third party.” Doc. 15 at 18. This is true. Numerous courts, however, have found that when the provider of goods or services requires a purchaser to furnish private information as a

prerequisite to providing the goods or service, an implied contract to protect that private information is formed. See In re Arby’s Rest. Grp. Inc. Litig., No. 17cv514, 2018 WL 2128441, at *16 (N.D. Ga. Mar. 5, 2018) (agreeing that “data security is at the core of the modern commercial transaction, as understood by both the consumers and retailer” and collecting cases); Castillo v. Seagate Tech., LLC, No. 16cv1958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (“While Seagate made no explicit promises as to the ongoing protection of personal information, it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.”); In re Solara Med. Supplies,

LLC Customer Data Sec. Breach Litig., No. 19cv2284, 2020 WL 2214152, at *5 (S.D. Cal. May 7, 2020) (finding allegations sufficient to state an implied contract for the same reasons as the existence of an express contract). Defendant also argues that “to the extent Plaintiffs provided information to Rehoboth, Plaintiffs did not provide their information to Rehoboth for the purpose of keeping that information secure.” Doc. 15 at 18. This is also true. Defendant, however, cites no authority in support of the notion that, to state a claim, Plaintiffs must have viewed Defendant as a data storage facility. The service Defendant offered was not secure data storage. Instead, Defendant offered healthcare services. Nonetheless, the above cases indicates that, when a defendant requires a plaintiff to provide private information as part of the deal to exchange services for money, an implied contract to protect that private information is formed. Thus, although the Court agrees with Defendant that, in not alleging they provided consideration in exchange for Defendant’s services, Plaintiffs have failed to state a claim, the Court rejects Defendant’s remaining arguments related to the viability of this cause of action.

Therefore, the Court dismisses the Fourth Count without prejudice because an amendment to cure the pleading defects related to consideration would not be futile. G. Intrusion into private affairs Defendant moves to dismiss the intentional tort of “intrusion into private affairs.” Doc. 15 at 14-15. The parties agree that New Mexico has very little case law regarding this tort, but that it is a cause of action against “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns.” Doc. 22 at 21-22 (quoting Restatement (Second) of Torts § 652B (1997)). In response, Plaintiffs cite the numerous provisions of their complaint that allege intentional conduct, but these allegations are simply conclusions. Compl. ¶ 160 (“By

intentionally failing to keep Plaintiffs’ and Class Members’ Private Information safe, and by intentionally misusing and/or disclosing said information to unauthorized parties for unauthorized use, Defendant intentionally invaded Plaintiffs’ and Class Members’ privacy”); id. ¶ 161 (“Defendant knew that an ordinary person in Plaintiffs’ or a Class Member’s position would consider Defendant’s intentional actions highly offensive and objectionable”); id. ¶ 164 (“Defendant invaded Plaintiffs and Class Members’ right to privacy and intruded into Plaintiffs’ and Class Members’ private life by intentionally misusing and/or disclosing their Private Information without their informed, voluntary, affirmative and clear consent.”). None of these allegations have supporting facts that could render the accusation of “intentional conduct” a plausible one. By contrast, in the only case Plaintiffs cite on the subject, the court found the data-breach claims stated a cause of action for an intentional tort when an employee intentionally sent an email containing private data to hackers (either on purpose or with reckless disregard as to who the email was sent to). McKenzie v. Allconnect, Inc., 369 F. Supp. 3d 810, 819 (E.D. Ky. 2019). There are no such allegations in this case. Allegations that Defendant was negligent by failing to properly protect the security of Plaintiffs’ data, Compl. 4 70-71, do not elevate allegations of intentional conduct to the level necessary to survive a motion to dismiss. The Court therefore dismisses the Second Count of the complaint. CONCLUSION The Court DENIES IN PART and GRANTS IN PART Defendant’s Motion to Dismiss (Doc. 15). The Court DISMISSES the Second, Fourth, and Eighth (insofar as it is based on affirmative misrepresentations) Counts of the Class Action Complaint without prejudice. Because the Court did not find that an amendment would be futile, Plaintiffs shall have until May 2, 2022 to file an amended complaint.

OY STEVEN C. YARBROU UNITED STAFES MAGISTRAT A DGE