Dobson v. SimonMed Imaging LLC

• Court: District Court, D. Arizona
• Decided: August 22, 2025
• Docket: 2:25-cv-00527
• Status: Unknown

Opinion

1 WO 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE DISTRICT OF ARIZONA 8

Star Do bson, ) No. CV-25-00527-PHX-SPL ) 9 ) No. CV-25-00548-PHX-SPL (cons.) 10 Plaintiff, ) No. CV-25-00601-PHX-SPL (cons.) vs. ) 11 ) ORDER ) SimonMed Imaging LLC, ) 12 ) 13 Defendant. ) ) 14 )

15 Before the Court is Defendant SimonMed Imaging, LLC’s (“SimonMed’s”) Motion 16 to Dismiss (Doc. 17), Plaintiff’s Response (Doc. 19), and Defendant’s Reply (Doc. 22). 17 The Court now rules as follows.1 18 I. BACKGROUND 19 This is a putative class action lawsuit brought pursuant to the Class Action Fairness 20 Act (“CAFA”), 28 U.S.C. § 1332(d)(2). (Doc. 13 ¶ 19). Plaintiff Star Dobson, as well as 21 consolidated plaintiffs Andree Guest, Albert Dumas, Rosemary Hamermaster, and other 22 putative class members (collectively, “Plaintiffs”) are current and former patients at 23 Defendant SimonMed, a healthcare provider that employs approximately 200 radiologists 24 across 11 states. (Id. ¶¶ 27–28). SimonMed collects and electronically files private 25 information from its patients, including names, dates of birth, addresses, passport 26

27 1 Because it would not assist in resolution of the instant issues, the Court finds the pending motion is suitable for decision without oral argument. See LRCiv. 7.2(f); Fed. R. 28 Civ. P. 78(b); Partridge v. Reich, 141 F.3d 920, 926 (9th Cir. 1998). 1 information, and Social Security numbers. (Id. ¶¶ 30, 35, 53–54). In February 2025, 2 SimonMed fell victim to a data breach (the “Data Breach”) from the ransomware group 3 Medusa, who claimed to have exfiltrated over 200 gigabytes of data from their systems, 4 including files that contained patients’ and employees’ full names, dates of birth, mailing 5 addresses, telephone numbers, email addresses, driver’s licenses, diagnostic images, 6 passports, identification cards, Social Security numbers, health insurance details, medical 7 records, payroll information, corporate emails, and more. (Id. ¶ 35). 8 The putative plaintiffs allege that SimonMed “did not use reasonable security 9 procedures and practices appropriate to the nature of the sensitive information they were 10 maintaining,” and that the Data Breach was therefore preventable. (Id. ¶¶ 40, 44). 11 Furthermore, they allege that they believe the stolen information has been sold on the dark 12 web since the Data Breach occurred. (Id. ¶ 42). Plaintiffs also allege a number of 13 individualized injuries they believe to be related to the Data Breach. Plaintiff Andree Guest 14 “received notice that data related to her 401K account had been accessed and was required 15 to reset her passwords.” (Id. ¶ 174). Plaintiff Albert Dumas received two unauthorized 16 inquiries to his credit report. (Id. ¶ 185). Rosemary Hamermaster “experienced suspicious 17 spam communications using Private Information compromised in the Data Breach.” (Id. ¶ 18 196). 19 Plaintiffs’ Consolidated Class Action Complaint asserts claims for (1) negligence 20 (id. ¶¶ 215–49), (2) negligence per se (id. ¶¶ 250–64), (3) breach of implied contract (id. 21 ¶¶ 265–84), (4) breach of fiduciary duty (id. ¶¶ 285–93), and (5) unjust enrichment (id. ¶¶ 22 294–306). The proposed class consists of “[a]ll individuals residing in the United States 23 whose Private Information was accessed and/or acquired by an unauthorized party as a 24 result of the data breach that occurred at Defendant.” (Id. ¶ 201). 25 II. LEGAL STANDARDS 26 To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain “a 27 short and plain statement of the claim showing that the pleader is entitled to relief” so that 28 the defendant is given fair notice of the claim and the grounds upon which it rests. Bell Atl. 1 Corp. v. Twombly, 550 U.S. 544, 555 (2007) (quoting Fed. R. Civ. P. 8(a)(2)). A court may 2 dismiss a complaint for failure to state a claim under Rule 12(b)(6) for two reasons: (1) 3 lack of a cognizable legal theory, or (2) insufficient facts alleged under a cognizable legal 4 theory. Balistreri v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1990). When 5 deciding a motion to dismiss, all allegations of material fact in the complaint are taken as 6 true and construed in the light most favorable to the nonmoving party. Cousins v. Lockyer, 7 568 F.3d 1063, 1067 (9th Cir. 2009). 8 III. ANALYSIS 9 A. Negligence 10 “To establish a claim for negligence, a plaintiff must prove four elements: (1) a duty 11 requiring the defendant to conform to a certain standard of care; (2) a breach by the 12 defendant of that standard; (3) a causal connection between the defendant’s conduct and 13 the resulting injury; and (4) actual damages.” Gipson v. Kasey, 150 P.3d 228, 230 (Ariz. 14 2007). In its Motion to Dismiss, SimonMed argues that (1) Plaintiffs have not adequately 15 alleged a duty of care, (2) Plaintiffs have not claimed an actual, cognizable injury resulting 16 from any breach, and (3) Plaintiffs’ allegations of causation are conclusory and insufficient. 17 (Doc. 17 at 6–11). 18 Plaintiffs make two arguments to support their claim that SimonMed had a duty to 19 protect their private information: (1) because of the special provider-patient relationship, 20 which may give rise to a duty in tort, and (2) because of a common-law duty based on the 21 “public policy of preventing wrongful disclosures of Private Information and identity 22 theft.” (Doc. 19 at 11–12); see Quinalty v. FocusIT LLC, No. CV-23-00207-PHX-JJT, 23 2024 WL 342454, at *3 (D. Ariz. Jan. 30, 2024) (“In Arizona, several special relationships 24 can give rise to a duty, including relationships based on contract, familial relations, or 25 conduct undertaken by the defendant.”); see also Cal-Am Props. Inc. v. Edais Eng’g Inc., 26 509 P.3d 386, 389 (Ariz. 2022) (“Special relationships that give rise to a duty in negligence 27 include legally recognized common law relationships and those formed by contract, 28 familial relationship, or joint undertaking.”). 1 SimonMed asserts a slightly different argument with respect to duty, arguing that 2 Plaintiffs’ claims are premised not on a special relationship or public policy considerations, 3 but on SimonMed voluntarily undertaking the responsibility to store their private data. 4 (Doc. 17 at 6); see Quinalty, 2024 WL 342454, at *3. If so, as SimonMed argues, their 5 negligence claim must fail, because Arizona requires a showing of physical harm to support 6 a claim based on negligent undertaking. (Doc. 17 at 6). SimonMed is correct that if 7 Plaintiffs are alleging a duty of care based on SimonMed voluntarily undertaking the 8 responsibility to protect their private information, that claim must fail, as they have not 9 alleged any physical harm caused by SimonMed’s negligence. See Cal-Am Props. Inc. v. 10 Edais Eng’g Inc., 253 Ariz. 78, 83 (2022). 11 Regarding the physician-patient special relationship, SimonMed argues that 12 Plaintiffs have not cited “any Arizona authority extending a purported physician-patient 13 duty to the data breach context.” (Doc. 22 at 2). This argument is somewhat persuasive. As 14 the Arizona Court of Appeals has explained, “[t]he physician-patient relationship . . . 15 creates a presumption that physicians will marshal information in their possession, 16 pertinent to a patient’s health, to protect the patient from that risk of harm.” Doe I by & 17 through Fleming & Curti, PLC v. Lenzner Med. Servs., LLC, 570 P.3d 977, 992 (Ariz. Ct. 18 App. 2025) (Eckerstrom, J., dissenting). The question here, then, is whether SimonMed, in 19 the course of its physician-patient relationship with its customers, had a duty to protect 20 those patients from the risk of harm suffered, i.e., that their personal information was 21 exposed in a data breach.2 As observed in another recent medical data breach class action 22 in this District, “it is unclear how a physician’s Hippocratic Oath covers a hospital’s data 23 security and Plaintiffs are not suing the physicians.” Johnson v. Yuma Reg’l Med. Ctr., No. 24 CV-22-01061-PHX-SMB, 2025 WL 2337120, at *3 (D. Ariz. Aug. 13, 2025) (hereafter 25 “Johnson II”). In other words, even if the relationship between SimonMed and Plaintiffs is

26 2 SimonMed is not a physician itself, but rather “a healthcare provider that employs 27 approximately 200 radiologists across 11 states.” (Doc. 13 ¶ 2). 28 1 the kind of special relationship giving rise to a duty of care, it is unclear whether the type 2 of harm alleged here is the type of risk a party in that special relationship has a duty to 3 protect against. 4 Plaintiffs seek to bolster their claim by arguing that HIPAA and the Federal Trade 5 Commission Act (“FTCA”) provide an “additional source of Defendant’s liability” as 6 references to the relevant standard of care. (Id. at 12). “[P]ublic policy, through state and 7 federal statutes, can be a source of duty.” Quinalty, 2024 WL 342454, at *4. However, 8 Arizona courts have been clear that both HIPAA and FTCA “have their own enforcement 9 mechanisms and were not intended to provide a private right of action.” Gannon v. Truly 10 Nolen of Am. Inc., No. CV 22-428-TUC-JAS, 2023 WL 6536477, at *2 (D. Ariz. Aug. 31, 11 2023). Plaintiffs’ argument that their claim is not brought under HIPAA or the FTCA, but 12 rather that the statutes help define the duty of care, fares no better. See Skinner v. Tel-Drug, 13 Inc., No. CV1600236TUCJGZBGM, 2017 WL 1076376, at *3 (D. Ariz. Jan. 27, 2017), 14 report and recommendation adopted, No. CV1600236TUCJGZBGM, 2017 WL 1075029 15 (D. Ariz. Mar. 22, 2017) (rejecting a plaintiff’s argument that “he is not making an 16 independent HIPAA claim, but rather is relying on HIPAA to ‘evidence the duty of care 17 owed by Defendant with respect to the privacy of Plaintiff’s medical records.’”). Here, 18 Plaintiffs argue that SimonMed failed to comply with HIPAA guidelines and the FTCA. 19 (See Doc. 13 ¶¶ 94–116). Couching such allegations within the more generalized language 20 of “industry standards,” “public policy,” and “a duty imposed by statute” is irrelevant: at 21 bottom, Plaintiffs are trying to argue that SimonMed had an obligation to comply with the 22 privacy guidelines contained within HIPAA and the FTCA. The source of such obligations 23 are the statutes themselves. To the extent that Plaintiffs believe SimonMed violated those 24 statutes, there is no private right of action for Plaintiffs to enforce them.3 Accordingly, this 25 3 Furthermore, with respect to the FTCA, Arizona generally follows the Restatement 26 (Second) of Torts, see, e.g., Quinalty, 2024 WL 342454, at *4, which requires that when a 27 standard of conduct is provided by a statute, “the purpose of the statute must be to protect (1) a class of persons that includes the person whose interest is invaded and (2) the 28 particular interest which the plaintiff alleges has been invaded.” In re MCG Health Data 1 attempted backdoor argument does not bolster their negligence claim. 2 Ultimately, the Court does not find that Plaintiffs’ allegations in the Complaint are 3 sufficient to establish a duty of care to protect Plaintiffs from the kind of harm suffered as 4 a result of this data breach. However, given that leave to amend should be liberally granted, 5 Plaintiffs will be given an opportunity to cure their Complaint through the allegation of 6 other facts. See Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). Because Plaintiff has 7 not adequately alleged a duty of care, the Court will not evaluate Defendant’s arguments 8 regarding the elements of breach, causation, or damages at this juncture. 9 B. Negligence Per Se 10 As many Arizona courts have reiterated, negligence per se is not a standalone cause 11 of action, but rather a doctrine under which plaintiffs may establish the duty and breach 12 elements of a negligence claim based on violation of a statute. See, e.g., Johnson v. Yuma 13 Reg’l Med. Ctr., 769 F. Supp. 3d 936, 954 (D. Ariz. 2024) (“Johnson I”); Griffey v. 14 Magellan Health Inc., 562 F. Supp. 3d 34, 47 (D. Ariz. 2021). The Court will therefore 15 dismiss the negligence per se claim with prejudice to the extent that it is brought as a 16 standalone cause of action. 17 C. Breach of Implied Contract 18 Contracts may be express or implied. See Barmat v. John & Jane Doe Partners A- 19 D, 747 P.2d 1218, 1220–21 (Ariz. 1987). “Plaintiffs carry the burden to prove existence of 20 a contract, its breach, and the resulting damages.” Johnson II, 2025 WL 2337120, at *4 21 (citing Thomas v. Montelucia Villas, LLC, 302 P.3d 617, 621 (Ariz. 2013)). Here, Plaintiffs 22 argue that they paid money to Defendant in exchange for medical services, and as a 23 condition of receiving those services, they were required to deliver their private 24 Sec. Issue Litig., No. 2:22-CV-849-RSM-DWC, 2023 WL 3057428, at *3 (W.D. Wash. 25 Mar. 27, 2023), report and recommendation adopted, No. 2:22-CV-849-RSM-DWC, 2023 WL 4131746 (W.D. Wash. June 22, 2023). The primary purpose of the FTCA is to protect 26 consumers from unfair trade practices, and it is therefore not designed to protect the class 27 of persons that includes Plaintiffs or the data security interest they allege has been invaded. See id. Plaintiffs’ FTCA arguments are particularly inapposite for this reason. 28 1 information to Defendant. (Doc. 13 ¶ 266). Plaintiffs contend that they “would not have 2 paid for Defendant’s medical services, or would have paid less for them, had they known 3 that Defendant’s data security practices were substandard.” (Id.). They specifically allege 4 that “Defendant promised to provide confidentiality and adequate security for their data 5 through its applicable privacy policy and through other disclosures in compliance with 6 statutory privacy requirements.” (Id. ¶ 57). 7 Defendants argue that there cannot be an implied contract where there was an 8 express contract, and that Plaintiffs’ own complaint alleges that Defendant “expressly” 9 promised Plaintiffs that it would only disclose their private information under limited 10 circumstances. (Doc. 17 at 12). Furthermore, it argues that Plaintiffs’ allegations cannot 11 support a breach of implied contract claim because “SimonMed is already required to 12 comply with [pre-existing legal] obligations notwithstanding any alleged contract.” (Doc. 13 22 at 10). 14 In Johnson II, the court adopted this “pre-existing legal obligations” argument, 15 noting that the plaintiffs did not “plead any facts that support a contractual duty to prevent 16 a data breach all together or that Yuma Regional promised to do anything beyond what it 17 was already obligated to do under HIPAA or the FTCA.” Johnson II, 2025 WL 2337120, 18 at *4. Here, the Notice of Privacy Practices Plaintiffs rely on in their Complaint states that 19 “We are required by law to maintain the privacy and security of your protected health 20 information,” but there is no allegation that Defendant made any additional promises to, 21 e.g., use additional “commercially reasonable” precautions to safeguard Plaintiffs’ 22 ignoration. Cf. Durgan v. U-Haul Int’l Inc., No. CV-22-01565-PHX-MTL, 2023 WL 23 7114622, at *4 (D. Ariz. Oct. 27, 2023) (adequately alleging a breach of implied contract 24 where defendant represented that it would use “commercially reasonable physical, 25 managerial, and technical safeguards to preserve the integrity and security” of plaintiffs’ 26 information); see also In re Banner Health Data Breach Litig., No. CV-16-02696-PHX- 27 SRB, 2017 WL 6763548, at *3 (D. Ariz. Dec. 20, 2017) (“Under Arizona law, ‘the 28 performance or promise to do something that a party is already legally obligated to do is 1 not valid consideration for a contract.’” (citation omitted)). 2 Because Plaintiffs have not alleged that Defendant made any promises beyond what 3 they were already legally obligated to do, this claim will be dismissed with leave to amend. 4 D. Breach of Fiduciary Duty 5 Defendant argues that this claim should be dismissed because “Plaintiffs did not 6 adequately plead a fiduciary relationship.” (Doc. 17 at 13). This Court agrees, and it adopts 7 much of the reasoning in the recent Johnson II decision. See Johnson II, 2025 WL 2337120, 8 at *5 (“It is not clear how a hospital’s collection of data establishes a confidential 9 relationship with its customers or patients to establish a fiduciary duty.”). The existence of 10 a commercial relationship between SimonMed and its customers is not sufficient to 11 establish a fiduciary duty, and there are no other facts in the pleading to suggest that 12 Defendant agreed to serve as a fiduciary. Cook v. Orkin Exterminating Co., 258 P.3d 149, 13 152 (Ariz. Ct. App. 2011) (“Generally, commercial transactions do not create a fiduciary 14 relationship unless one party agrees to serve in a fiduciary capacity.). While it is “not 15 abundantly clear to the Court” how these deficiencies will be remedied, in the interest of 16 justice, this claim will nonetheless be dismissed with leave to amend. See Johnson I, 769 17 F. Supp. 3d at 959. 18 E. Unjust Enrichment 19 Plaintiffs assert a claim for unjust enrichment in the alternative to their breach of 20 implied contract claim. (Doc. 13 ¶ 295). To state a claim for unjust enrichment under 21 Arizona law, a party must allege: “(1) an enrichment, (2) an impoverishment, (3) a 22 connection between the enrichment and the impoverishment, (4) the absence of 23 justification for the enrichment and the impoverishment, and (5) the absence of a remedy 24 provided at law.” Span v. Maricopa Cnty. Treasurer, 437 P.3d 881, 886 (Ariz. Ct. App. 25 2019). “[T]o determine whether unjust enrichment has occurred, courts view the parties’ 26 obligations to one another in view of the larger context of their transaction.” Johnson II, 27 2025 WL 2337120, at *6. 28 Here, Plaintiffs allege that as part of their transaction with Defendant for medical 1 | services, Defendant “should have had their Private Information protected with adequate 2| data security.” (Doc. 13 § 296). Like in Johnson IU, “[a]t bottom, Plaintiffs’ allegations are 3| the [defendant] spent the money on its security systems, albeit those systems were 4| inadequate to prevent the breach. [Defendant’s] ineffective use of the funds does not provide a plausible basis to find it retained some benefit to Plaintiffs’ detriment.” Johnson 6| Il, 2025 WL 2337120, at *7. Accordingly, the claim will be dismissed without prejudice. 7 IV. CONCLUSION 8 When granting a motion to dismiss, a court is generally required to grant a plaintiff 9| leave to amend. See Fed. R. Civ. P. 15(a)(2). Plaintiffs therefore will be granted leave to 10 | amend their Complaint as to all claims except for negligence per se (which is not a 11 | standalone cause of action). 12 Accordingly, 13 IT IS ORDERED that Defendant’s Motion to Dismiss (Doc. 17) is granted as 14| follows: Plaintiffs’ claims for Negligence (Count I), Breach of Implied Contract (Count 15 | IID), Breach of Fiduciary Duty (Count IV), and Unjust Enrichment (Count V) are dismissed without prejudice and with leave to amend. Plaintiffs’ claim for Negligence Per Se 17 | (Count ID is dismissed with prejudice. Plaintiffs shall have until September 19, 2025 to 18 | file an amended complaint in accordance with Rule 15.1 of the Local Rules of Civil 19 | Procedure. Plaintiffs are warned that failure to file an amended complaint will result in the 90 | dismissal of this action. 21 Dated this 21st day of August, 2025. 22 23 Ae 24 United States District Ladue 25 26 27 28