Johnson v. Yuma Regional Medical Center

• Court: District Court, D. Arizona
• Decided: November 15, 2024
• Docket: 2:22-cv-01061
• Status: Unknown

Opinion

1 WO 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE DISTRICT OF ARIZONA

9 Brittney Johnson, et al., No. CV-22-01061-PHX-SMB

10 Plaintiffs, ORDER

11 v.

12 Yuma Regional Medical Center,

13 Defendant. 14 15 Defendant Yuma Regional Medical Center (“Yuma Regional”) was the target of a 16 ransomware attack that resulted in a data breach. Hackers were able to gain access to and 17 extract patients personally identifiable information (“PII”) and protected health 18 information (“PHI”) of Yuma Regional’s current and former patients. The fifteen named 19 Plaintiffs here represent the individuals who had their information stolen.1 Yuma Regional 20 has filed a Motion to Dismiss (Doc. 74) Plaintiffs’ Consolidated Class Action Complaint 21 (Doc. 68, the “Complaint”). The Parties fully briefed the Motion (Doc. 75 (Plaintiffs’ 22 Response); Doc. 78 (Yuma Regional’s Reply). Yuma Regional requested oral argument 23 (Doc. 74 at 1), which was scheduled for November 25, 2024, but the Court now vacates 24 oral argument, finding it unnecessary (Doc. 79). See LRCiv. 7.2(f). Having reviewed the 25 parties’ briefs and the applicable law, the Court will grant Yuma Regional’s Motion. 26 I. BACKGROUND

27 1 The named Plaintiffs include: Dillan Clarke, Elayne Martinez, Brittney Johnson, Brian Kircher, Juanita Sarabia, Megan Kircher, Donald Banti and Marcia Banti, Ryan Mangum 28 and Tiffany Mangum, Anthony Spano, Carol Ashby, Margaret O’Grady, Mayra Esquivel and her minor son, E. N. (Doc. 68 at 2.) 1 The Court derives the following facts from Plaintiffs’ Complaint. (Doc. 68.) As its 2 name denotes, Yuma Regional is a hospital operating in Yuma, Arizona. (Id. ¶ 24.) Before 3 a patient can receive treatment, Yuma Regional requires its patients to provide their PHI 4 (id. ¶¶ 2 & n.1, 30), which includes “individually identifiable health information” generally 5 relating to an individual’s past, present, and future physical or mental health conditions and 6 provisions of health care, see 45 C.F.R. § 160.103. Yuma Regional maintains this 7 information and records, including patients’ names, social security numbers, financial 8 information, and other medical information on a computer system. (Doc. 68 ¶ 30.) 9 Through its Privacy Policy, Yuma Regional promises to reasonably safeguard its patients’ 10 PHI. (Id. ¶ 31.) The Policy also provides that patients’ confidential information will only 11 be released where authorized by law or when authorized by consent. (Id. ¶¶ 31–34.) Yuma 12 Regional also acknowledges that it has a duty to notify its patients upon discovery of a 13 breach. (Id. ¶ 33.) 14 Beginning on April 21, 2022, cybercriminals breached Yuma Regional’s data 15 security systems, gaining unrestricted access to its files for the next few days. (Id. ¶¶ 1, 16 37–38.) Yuma Regional lost control of its system and the hackers were able to extract 17 highly sensitive files containing data on an estimated 700,000 of its patients. (Id. ¶¶ 2, 18 37–38.) Yuma Regional identified the breach around April 25 and issued a notice at some 19 point thereafter. (Id. ¶¶ 1, 5, 39, 44.) The notice provided assurances that Yuma Regional 20 was strengthening its system, enhancing its protocols, and offering its patients free credit 21 monitoring and identity theft protection services for an unknown duration. (Id. ¶¶ 1, 5, 7 22 39, 44–46.) Yuma Regional also sent the patients, including the named Plaintiffs, letters 23 notifying them of the breach, dated June 9, 2022. (Id. ¶¶ 12–23.) 24 All fifteen named Plaintiffs claim that they suffered a variety of present and future 25 harms, including (1) diminution in the value of personal information; (2) loss of benefit of 26 the bargain and opportunity costs; (3) lost time spent dealing with the breach; (4) anxiety 27 or emotional harm; (5) increased spam emails, texts messages, and phone calls; (6) an 28 increased risk of fraud; and (7) harm from the delay in receiving notice of the breach. (Id. 1 ¶¶ 9, 55–59, 71–73, 82–86, 89, 99–101, 111–14, 123–25, 134–39, 147, 151–54, 163–69, 2 178, 180–82, 190–93, 201, 204–07.) 3 Some of the Plaintiffs also allege to have suffered various specific damages. 4 Plaintiffs Clarke, Johnson, D. Banti, T. Mangum, Spano, Ashby, and Esquivel allege they 5 suffered attempted or actual identity theft or fraud. (Id. ¶¶ 56, 83, 136, 150, 164–165, 179, 6 203.) Plaintiff Sarabia alleges she suffered out-of-pocket losses spent mitigating the effects 7 of the breach. (Id. ¶ 110.) Plaintiff Martinez claims damages for her inability to access 8 medical records and schedule appointments while the system was down. (Id. ¶¶ 68–71.) 9 Plaintiffs Johnson and Spano allege damages from having to freeze their credit. (Id. ¶¶ 85, 10 168.) Finally, Plaintiffs Johnson, Sarabia, T. Magnum, and R. Magnum claim to suffer 11 damages from their information being available on the “dark web.” (Id. ¶¶ 84, 112, 149.) 12 Plaintiffs allege that Yuma Regional’s data security system was inadequate to timely 13 detect the breach and notify its patients leaving them vulnerable to additional harm. (Id. 14 ¶¶ 5–6, 36, 39.) Specifically, Plaintiffs assert that Yuma Regional failed to adhere to Heath 15 Insurance Portability and Accountability Act (“HIPAA”) data security laws and Federal 16 Trade Commission (“FTC’) guidelines. (Id. ¶¶ 237–45.) Plaintiffs bring their Complaint 17 on behalf of all Yuma Regional patients whose PHI was accessed in the data breach under 18 Arizona Rule of Civil Procedure 23(b)(2)–(3). (Id. ¶ 246–60.) 19 Plaintiffs assert five causes of action: (1) negligence; (2) negligence per se; (3) 20 breach of implied contract; (4) unjust enrichment; and (5) violation of the Arizona 21 Consumer Fraud Act (“ACFA”). (Doc. 68 at 48–59.) Yuma Regional now moves to 22 dismiss all claims asserting various arguments, including a failure to plead: (1) cognizable 23 injuries; (2) breach and causation; (3) negligence per se as a standalone cause of action; 24 (4) an implied contact exists or adequate consideration; (5) unjust enrichment; and (6) the 25 specificity required to support the ACFA claim. (Doc. 74.) 26 II. LEGAL STANDARD 27 To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must meet 28 the requirements of Rule 8(a)(2). Rule 8(a)(2) requires a “short and plain statement of the 1 claim showing that the pleader is entitled to relief,” providing “fair notice of what 2 the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 3 544, 555 (2007) (quoting Conley v. Gibson, 355 U.S. 41, 47 (1957)). This exists if the 4 pleader sets forth “factual content that allows the court to draw the reasonable inference 5 that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 6 678 (2009). Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal 7 theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri 8 v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988). A cognizable legal theory 9 must state a claim to relief that is “plausible on its face.” Iqbal, 556 U.S. at 678 (quoting 10 Twombly, 550 U.S. at 570). Plausibility does not equal “probability,” but requires “more 11 than a sheer possibility that a defendant has acted unlawfully.” Id. The Court views the 12 well-pled factual allegations as true and construes them in the light most favorable to the 13 nonmoving party. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). But legal 14 conclusions couched as factual allegations are not given a presumption of truthfulness, and 15 “conclusory allegations of law and unwarranted inferences are not sufficient to defeat a 16 motion to dismiss.” Pareto v. FDIC, 139 F.3d 696, 699 (9th Cir. 1998). A court ordinarily 17 may not consider evidence outside the pleadings in ruling on a Rule 12(b)(6) motion to 18 dismiss. See United States v. Ritchie, 342 F.3d 903, 907 (9th Cir. 2003). “A court may, 19 however, consider materials—documents attached to the complaint, documents 20 incorporated by reference in the complaint, or matters of judicial notice—without 21 converting the motion to dismiss into a motion for summary judgment.” Id. at 908. 22 III. DISCUSSION 23 A. Negligence 24 Under Arizona law, to state a claim for negligence “a plaintiff must prove: (1) a duty 25 requiring the defendant to conform to a certain standard of care; (2) breach of that standard; 26 (3) a causal connection between the breach and the resulting injury; and (4) actual 27 damages.” CVS Pharmacy, Inc. v. Bostwick ex rel., 494 F.3d 572, 578 (Ariz. 2021) (quoting 28 Quiroz v. ALCOA Inc., 416 P.3d 824, 827–28 (Ariz. 2018)). Yuma Regional seeks 1 dismissal arguing that Plaintiffs’ damages theories fail to allege cognizable losses. (Doc. 2 74 at 9–10.) Yuma Regional also contends that Plaintiffs failed to plead breach of a duty 3 or that their injuries were caused by the breach. (Id. at 16–18.) Plaintiffs respond by 4 arguing they have adequately alleged cognizable harms, breach of a duty, and causation. 5 (Doc. 75 at 10–19.) 6 1. Cognizable Injury 7 To sustain a negligence claim, damages must be “actual and appreciable, 8 non-speculative, and more than merely the threat of future harm.” CDT, Inc. v. Addison, 9 Roberts & Ludwig, C.P.A., P.C., 7 P.3d 979, 982–83 (Ariz. Ct. App. 2000) (cleaned up) 10 (quoting Commercial Union Ins. Co. v. Lewis and Roca, 902 P.2d 1354, 1358, 1360 (Ariz. 11 1995)). Accordingly, the majority view is that general allegations of lost time, continued 12 risk to plaintiffs’ personal data, and the danger of future harms are not cognizable injuries 13 for negligence claims. See Griffey v. Magellan Health Inc. (Griffey I), 562 F. Supp. 3d 34, 14 46 (D. Ariz. 2021); see also Gannon v. Truly Nolen of Am. Inc., No. CV 22-428-TUC-JAS, 15 2023 WL 6536477, at *3 (D. Ariz. Aug. 31, 2023); Quinalty v. FocusIT LLC, No. 16 CV-23-00207-PHX-JJT, 2024 WL 342454, at *4 (D. Ariz. Jan. 30, 2024). The Court 17 addresses each of the alleged injuries in turn. 18 a. Diminution of Value 19 Yuma Regional argues the diminution of value is not a cognizable injury. (Doc. 74 20 at 10–11.) Citing cases like Griffey I, Yuma Regional argues that Plaintiffs alleging that 21 their information may be sold on the “black market” is insufficient to make the requisite 22 showing that a legitimate market exists and impairs their ability to participate in that 23 market. (Id.; Doc. 78 at 7–8.) Plaintiffs respond that the Ninth Circuit in In re Facebook 24 Priv. Litig., 572 F. App’x 494 (9th Cir. 2014) recognized the diminished value of PII as a 25 cognizable injury, thus they have adequately pleaded as much. (Doc. 75 at 11–12.) 26 Yuma Regional is correct that Plaintiffs must do more than merely assert general 27 allegations of diminution of value. Griffey I, 562 F. Supp. 3d at 45. Plaintiffs “must 28 establish both the existence of a market for [their] personal information and an impairment 1 of [their] ability to participate in that market.” Id. (quoting Pruchnicki v. Envision 2 Healthcare Corp. (Pruchnicki I), 439 F. Supp. 3d 1226, 1234 (D. Nev. 2020), aff’d, 845 F. 3 App’x 613 (9th Cir. 2021)). Here, Plaintiffs allege that according to a credit-monitoring 4 service’s blog, PHI is a valuable commodity worth up to $1,000.00 on the “black market,” 5 depending on the type of information. (Doc. 68 ¶ 212–13.) Plaintiffs further allege that 6 cybercriminals increasingly and frequently post and sell stolen private information on the 7 “dark web” and that it could take years to identify PHI theft. (Id. ¶¶ 212–215.) 8 Plaintiffs’ complaints do not give rise to compensable damages. Plaintiffs’ general 9 allegations of purported “black market” value and the blog posts do not establish their 10 information actually lost value and calls for speculation. See, e.g., Pruchnicki v. Envision 11 Healthcare Corp. (Pruchnicki II), 845 F. App’x 613, 614 (9th Cir. 2021) (finding that, 12 although the plaintiff alleged sufficient injury-in-fact to support standing, studies that show 13 personal information may have value in general are insufficient to allege actual lost value). 14 Similarly, the data being available on the “black market” is insufficient and courts have 15 declined to find such a market as legitimate. See Griffey I, 562 F. Supp. 3d at 45; Durgan 16 v. U-Haul Int’l Inc., No. CV-22-01565-PHX-MTL, 2023 WL 7114622, at *3 (D. Ariz. Oct. 17 27, 2023); see also Pruchnicki II, 845 F. App’x at 614 (“‘[M]ere misappropriation of 18 personal information’ does not establish compensable damages.” (citation omitted)). 19 Plaintiffs’ reliance on In re Facebook is misplaced. There, the court concluded that, 20 absent applicable contravening state law, the plaintiffs’ allegations that they were harmed 21 by the dissemination of their data and lost sales value that information was sufficient to 22 plead damages for breach of contract and fraud claims. See 572 F. App’x at 494. The case 23 does not address claims of negligence, nor the damages standard under Arizona law. 24 Further, as the Ninth Circuit later recognized, pleading damages sufficient for standing 25 does not necessarily establish compensable damages. Pruchnicki II, 845 F. App’x 26 at 614–15; see also Doe v. Chao, 540 U.S. 614, 624–25 (2004) (explaining establishing 27 injury-in-fact may open the courthouse door for standing purposes, but it does not 28 1 necessarily create a cause of action of damages absent more than abstract injuries).2 2 The only case Plaintiffs cite relating to diminution of value as the damages for a 3 negligence claim is Smallman v. MGM Resorts Int’l, 638 F. Supp. 3d 1175 (D. Nev. 2022). 4 There, the court reasoned that case law does not require proof of both the availability of a 5 marketplace and impairment to their ability to participate in that market. See Smallman, 6 638 F. Supp. 3d at 1190–91. Yet, the court ultimately found that the plaintiffs alleging that 7 their PII could be bought and sold for identifiable prices on established markets, like those 8 on the “dark web,” was sufficient to plead existence of a market, and because their 9 information was posted on the dark web, it “interfer[ed] with their fiscal autonomy” 10 impairing their ability to participate in the marketplace. Id. at 1191. This Court 11 respectfully disagrees. The case law supports requiring both, availability of the 12 marketplace and impairment in that marketplace. Griffey I, 562 F. Supp. 3d at 46. 13 Plaintiffs here do not allege they cannot sell their data on the “dark web,” nor that they ever 14 have, intend to, or intended to sell on such a market. See, e.g., Quinalty, 2024 WL 342454, 15 at *5. Additionally, Plaintiffs provide no means to measure the value of the damages. See 16 Griffey I, 562 F. Supp. 3d at 46. Thus, Plaintiffs failed to plead a diminution of value. 17 b. Benefit of the Bargain 18 Next, Yuma Regional argues that Plaintiffs merely provide the conclusory 19 allegation that they lost the benefit of the bargain. (Doc. 74 at 11–12.) In response, 20 Plaintiffs claim that Yuma Regional “received more money from Plaintiffs than the benefit 21 conferred upon them given [Yuma Regional’s] inadequate security,” and that they would 22 have paid less knowing their information would be released. (Doc. 75 at 12–13 (citing 23 Doc. 68 ¶¶ 308–312.) Although Plaintiffs’ citation relates to its unjust enrichment claim, 24 2 Most of the other cases that Plaintiffs cite for support are inapposite as they pertain to 25 findings on claims other than negligence, unrelated damages, or standing. See, e.g., In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783, at *14 26 (N.D. Cal. May 27, 2016) (breach of contract); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284 (S.D. Cal. 2020) (unfair trade practices); In 27 re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284 (S.D. Cal. 2020) (loss of time); In re Mednax Servs., Inc., Customer Data Sec. Breach 28 Litig., 603 F. Supp. 3d 1183, 1204 (S.D. Fla. 2022) (standing); In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 462 (D. Md. 2020) (standing). 1 they argue the Ninth Circuit recognizes damages for lost benefit of the bargain. (Id.) The 2 only case Plaintiffs cite that addresses lost benefit of the bargain damages under a 3 negligence theory is Smallman and is distinguishable. Unlike the plaintiffs in Smallman, 4 Plaintiffs here make no specific allegations that they intended for part of the price they paid 5 for services was to be used to provide adequate security. Cf. Smallman, 638 F. Supp. 3d 6 at 1190. At bottom, Plaintiffs’ allegations are backward-looking speculation and 7 insufficiently pleaded. 8 c. Lost Time and Opportunity Cost 9 Yuma Regional argues that Plaintiffs’ damages allegations under a lost time theory 10 are insufficient for all Plaintiffs except Plaintiff Sarabia because there are no accompanying 11 allegations of out-of-pocket expenses. (Doc. 74 at 12–13.) And even for Plaintiff Sarabia, 12 her allegations are insufficient because she fails to show they are reasonable or necessary. 13 (Id.) Plaintiffs allege that they have spent time addressing and mitigating the effects of the 14 data breach, which are cognizable damages. (Doc. 75 at 13–14.) 15 Yuma Regional is correct. As noted, general allegations of lost time are not 16 cognizable injuries. Griffey I, 562 F. Supp. 3d at 46; see also Corona v. Sony Pictures Ent., 17 Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015) 18 (finding general allegations of lost time are non-cognizable because they are too 19 speculative as opposed to actual expenses incurred); Smallman, 638 F. Supp. 3d at 1192 20 (“[T]angible, out-of-pocket expenses are required in order for lost time spent monitoring 21 credit to be cognizable as damages.” (citation omitted)). Here, Plaintiffs, excluding 22 Plaintiff Sarabia, make general allegations of time spent dealing with verifying the 23 legitimacy of the breach, exploring creditor monitoring and identity theft protections, and 24 self-monitoring accounts without alleging any out-of-pocket expenses or means to measure 25 any damages based on specific amounts of time spent. (See Doc. 68 ¶¶ 9, 54, 57, 67, 72, 26 81, 86, 97, 99, 109, 113, 122, 124, 134, 137, 147, 162, 177, 190, 222.) Thus, these damages 27 are speculative and are not grounds to preclude dismissal. 28 Only Plaintiff Sarabia alleged out-of-pocket expenses for costs she incurred in 1 buying credit monitoring services. (See id. ¶ 110.) Plaintiffs, however, must plead that the 2 costs for credit monitoring services are reasonable and necessary. Griffey I, 562 F. Supp. 3 3d at 46; see also Durgan, 2023 WL 7114622, at *2 (noting recovery of the costs incurred 4 in mitigating the risk of future harm requires the costs to be reasonable and the harm to be 5 imminent, and merely conjectural or hypothetical mitigation efforts are insufficient). 6 Although it may seem that purchasing credit monitoring in response to a breach in 7 circumstances like this case are reasonable, Plaintiff Sarabia does not allege the amount 8 paid, what those services entailed, or any factual basis to infer or evaluate the 9 reasonableness of her purchases in light of the fact that Yuma Regional provided such a 10 service. Therefore, all Plaintiffs’ allegations for lost time are speculative and they failed 11 to state a claim entitling them to damages on this ground. 12 d. Emotional Distress 13 Yuma Regional argues that Plaintiffs’ allegations of emotional distress fail because 14 they do not allege any physical injury or risk of bodily harm resulting from the data breach. 15 (Doc. 74 at 13.) Plaintiffs argue they have sufficiently pleaded substantial risk of future 16 harm due to individually suffering from anxiety and stress. (Doc. 75 at 14.) 17 While it appears that Plaintiffs conceded emotional distress harms other than those 18 occurring in the future, their allegations for future emotional distress fail. The rule in 19 Arizona is that “there can be no recovery for mental disturbance unless physical injury, 20 illness or other physical consequence accompany it, or physical harm develops as a result 21 of the plaintiff’s emotional distress.” Dehart v. Johnson & Johnson, 562 F. Supp. 3d 189, 22 198 (D. Ariz. 2022) (emphases in original) (quoting DeStories v. City of Phoenix, 744 P.2d 23 705, 709 (Ariz. Ct. App. 1987)); see also Amari v. Scottsdale Healthcare Hosps., No. 1 24 CA-CV 17-0443, 2018 WL 2928040, at *4 (Ariz. Ct. App. June 12, 2018) (“[E]motional 25 distress damages are recoverable absent impact if the emotional distress manifests itself 26 physically or results in long-term physical illness or mental disturbance.”). Plaintiffs make 27 no allegations beyond suffering from “anxiety” and “annoyance” to support they suffered 28 from emotional distress. Plaintiffs’ allegations patently fall short of the requisite showing, 1 and therefore they fail to state a claim to such damages. 2 e. Spam 3 Yuma Regional argues that Plaintiffs purported injuries from receiving unsolicited 4 spam emails, messages, and calls do not constitute a cognizable injury. (Doc. 74 at 13–14.) 5 Plaintiffs rebut that the injury is cognizable because their self-monitoring and purchasing 6 additional credit monitoring is sufficient to show harm. (Doc. 75 at 14.) On its own, 7 “receiving spam or mass mail does not constitute an injury.” Jackson v. Loews Hotels, 8 Inc., No. ED CV 18-827-DMG (JCx), 2019 WL 6721637, at *4 (C.D. Cal. July 24, 2019). 9 Plaintiffs cite In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 10 WL 6763548, at *8 (D. Ariz. Dec. 20, 2017) for support. (Doc. 75 at 14.) That case, 11 however, supports the proposition that “[a] person whose legally protected interests have 12 been endangered by the tortious conduct of another is entitled to recover for expenditures 13 reasonably made or harm suffered in a reasonable effort to avert the harm threatened.” See 14 In re Banner Health, 2017 WL 6763548, at *8 (citation omitted). See also Durgan, 2023 15 WL 7114622, at *2 (noting merely conjectural or hypothetical mitigation efforts are 16 insufficient, the expenditures must be reasonable and for imminent harms). As noted, only 17 Plaintiff Sarabia alleged she purchased credit monitoring services “to mitigate the 18 consequences” of the breach. (Doc. 68 ¶ 110.) Now, Plaintiffs seemingly impute that 19 purchase on to every Plaintiff, and then assert in their Response for the first time that the 20 expenditure was reasonable. (Doc. 75 at 14.) There is no connection between credit 21 monitoring services and how those services avert spam or phishing or what those 22 expenditures entailed. The threat averted is that of fraud and identity theft, not the 23 “annoyance” experienced in receiving spam. As such, Plaintiffs spam allegations fail. 24 f. Risk of Fraud 25 Yuma Regional argues that Plaintiffs allegations that they have been injured “arising 26 from the imminent and substantial risk of fraud, identity theft, and misuse resulting from” 27 the breach are not cognizable harms because they are speculative future harms. (Doc. 74 28 at 14.) Yuma Regional further contends that even for the Plaintiffs alleging to have 1 suffered from attempted or actual identity theft fail because those circumstances merely 2 refer to attempts of thwarted fraud without actual losses. (Id.; Doc. 78 at 8–9.) Plaintiffs 3 respond that their allegations that the hackers extracted Plaintiffs’ highly sensitive 4 information, including their social security numbers, health insurance information, and 5 medical information, pose a creditable threat of harm to sustain damages given the nature 6 of the information extracted. (Doc. 75 at 14–15.) 7 “Threats of future harm, on their own, are not cognizable negligence injuries.” 8 Griffey I, 562 F. Supp. 3d at 46 (citing CDT, 7 P.3d at 982–83); Quinalty, 2024 WL 342454, 9 at *5. Therefore, the Court focuses on Plaintiffs who alleged attempted or actual identity 10 theft—Plaintiffs Clarke, Johnson, D. Banti, T. Mangum, Spano, Ashby, and Esquivel. (See 11 Doc. 68 ¶¶ 56, 83, 136, 149–50, 162, 164–65, 179, 203.) 12 Plaintiff Clarke alleges she suffered from identity theft because after the breach her 13 personal debit card was compromised and she was unable to use it, and that her bank 14 contacted her about an unauthorized device accessing her account. (Id. ¶ 56.) Even 15 construing this allegation in Plaintiff Clarke’s favor, when it is not clear if the unknown 16 fraudster actually accessed the account or just attempted to gain access triggering the bank 17 to contact her, she makes no allegations that her debit card was actually used or that she 18 incurred any out-of-pocket expenses to establish an actual injury. See, e.g., Griffey v. 19 Magellan Health Inc. (Griffey II), No. CV-20-01282-PHX-MTL, 2022 WL 1811165, at *4 20 (D. Ariz. June 2, 2022) (finding that, absent allegations of out-of-pocket expenses or of 21 actual misuse, allegations having to replace a debit card and asserting plaintiff’s efforts 22 responding to unsuccessful attempts of misuse are nothing more than allegations of lost 23 time and increased risk of future harm and non-cognizable). 24 Plaintiff Johnson alleges she suffered from fraud and identity theft because after the 25 breach a creditor bill was noted as unpaid even though it had been paid and her credit score 26 lowered as a result of the bill being sent to collections. (Doc. 68 ¶ 85.) She also alleges 27 that she immediately froze her accounts to mitigate the effects of the breach. (Id. ¶¶ 83.) 28 Plaintiff Johnson does not make even a vague attempt to connect the bill to the breach or 1 that the bill reflected amounts that she did not initially occur on her own. On these sparce 2 facts, the allegations seem to reflect an accounting issue independent of the breach. Further, 3 Plaintiff Johnson does not allege in freezing her accounts, she incurred any out-of-pocket 4 expenses, and instead she appears to have proactively frozen her accounts without suffering 5 harms from any misuse. See Griffey II, 2022 WL 1811165, at *4. Therefore, she has not 6 alleged a cognizable harm resulting from identity theft. 7 Plaintiff D. Banti alleges that he suffered from identity theft because after the 8 breach, he was contacted by his bank alerting him of suspicious activity caused by an 9 unauthorized person on his debit card. (Doc. 68 ¶ 136.)3 On these facts, an alert of 10 suspicious activity causing harm is purely speculative. See, e.g., I.C. v. Zynga, Inc., 600 F. 11 Supp. 3d 1034, 1052 (N.D. Cal. 2022) (finding attempts to commit identity theft without 12 those attempts succeeding are insufficient to support damages even for standing purposes). 13 Absent from D. Banti’s allegations are any indication the suspicious activity resulted in 14 any charges or any form of harm other than possibly lost time in responding to the bank’s 15 notice. Therefore, his alleged harm here is not cognizable. 16 Plaintiff T. Magnum alleges that she suffered from identity theft and/or fraud 17 because after the breach she was notified that her information was on the “dark web” and 18 that she had to dispute a medical bill that she received for a February 2022 procedure for 19 which she did not owe money. (Doc. 68 ¶ 149–50.)4 As previously stated, allegations that 20 Plaintiff’s information is on the “dark web” are insufficient. See, e.g., Quinalty, 2024 WL 21 342454, at *5. The medical bill relates to a procedure occurring before the breach. On 22 these limited facts, there is no indication that Plaintiff T. Magnum did not incur those 23 medical expenses. Nor does she allege, assuming she did not incur those expenses, that 24 she remains liable to pay or actually paid the bill after she disputed it. Therefore, her 25 allegations failed to plead a cognizable harm.

26 3 Plaintiffs’ Complaint alleges that both D. Banti and M. Banti suffered from identity theft, however, they only allege specific facts related to D. Banti. (Id.) Therefore, the Court only 27 addresses his factual allegations. 4 Plaintiffs’ Complaint alleges that both T. Magnum and R. Magnum suffered from identity 28 theft, however, they only allege specific facts related to T. Magnum. (Id.) Therefore, the Court only addresses her factual allegations. 1 Plaintiff Spano alleges that he suffered from identity theft after the breach because 2 he detected unfamiliar and unauthorized transactions on two of his credit cards, including 3 fraudulent charges at a store leading him to close the account, and that he received notice 4 from a credit reporting company that someone was attempting to change the mailing 5 address on his accounts. (Doc. 68 ¶ 164–65.) He also spent time monitoring his accounts 6 and filed a police report regarding the fraud he experienced. (Id. ¶ 162.) Plaintiff Spano’s 7 allegation appear to carry more weight than his co-Plaintiffs’, however, he also fails to 8 allege that the actual misuse of this information resulted in cognizable damages. He does 9 not allege that he was required to or did pay the unauthorized transactions or had any 10 out-of-pocket expenses. Plaintiff Spano’s allegations are nothing more than damages 11 resulting from time lost and are not cognizable.5 12 Plaintiff Ashby alleges that that she suffered from identity theft because she was 13 alerted by the Internal Revenue Service that someone tried to file a fraudulent tax return 14 using her information and spent time mitigating the consequences of that attempted filing. 15 (Doc. 68 ¶ 179.) Notably, Plaintiff Ashby’s allegation of identity theft is the only allegation 16 among all Plaintiffs that does not specifically indicate the events giving rise to the alleged 17 injury occurred after the breach. She does not allege any details pertaining to this alleged 18 fraudulent filing other than that she was notified of the attempt, or that she incurred 19 expenses responding to the attempt. At most, Plaintiff Ashby alleges delay in receipt of 20 tax refund monies (see Doc. 68 ¶ 212), but does not indicate how long that delay was or if 21 it impacted the amount refunded in anyway. Plaintiff Ashby’s allegations are absent any 22 facts to elevate them beyond insufficient general and conclusory allegations. Therefore, 23 her allegation of identity theft giving rise to cognizable damages fail. 24 Plaintiff Esquivel alleges that she suffered from identity theft and/or fraud because 25 after the breach someone attempted to log into her federal student loan account (FAFSA) 26 5 Like Plaintiff Johnson, Plaintiff Sparo also alleges that the fact that he froze his credit 27 supports that he alleged cognizable damages. (Id. ¶ 168.) Freezing credit here is untethered from the unauthorized transactions and it is not clear from the alleged facts whether he 28 froze his credit before or after those transactions. But even so, Plaintiff Sparo fails to allege any expenses or actual damages stemming from instituting the credit freeze. 1 and spent time investigating how to preclude unauthorized attempts to log into her account. 2 (Doc. 68 ¶ 202–3.) Again, lost time is not cognizable here. Plaintiff Esquivel does not 3 allege that she incurred any expenses due to the attempted log in, nor does she allege it 4 impacted her ability obtain any student aid she desired. Therefore, her alleged identity 5 theft is purely speculative and insufficient to plead a cognizable injury. 6 g. Delay in Notice 7 Yuma Regional argues that Plaintiffs’ allegations that the two-month delay in notice 8 gives rise to cognizable damages fails because they do not allege any incremental harm 9 caused by the delay and not the breach itself. (Doc. 74 at 14.) Plaintiffs rebut that the 10 delay exacerbated the harms alleged and is sufficient to create cognizable damages. (Doc. 11 75 at 15–16.) As discussed, however, those harms do not give rise to cognizable damages 12 to whatever extent those harms stem from the delay and not the breach. The parties do not 13 cite any case law related to unreasonable delays under a negligence claim or Arizona law. 14 See, e.g., Griffey I, 562 F. Supp. 3d at 56–67 (reporting requirements under Virginia statute 15 to the Virginia Attorney General); In re MCG Health Data Sec. Issue Litig., CASE NO. 16 2:22-CV-849-RSM-DWC, 2023 WL 3057428, at *5 (W.D. Wash. Mar. 27, 2023) (breach 17 of contract); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. 18 Supp. 3d 1284, 1300 (S.D. Cal. 2020) (California Consumer Records Act); In re Sony 19 Gaming Networks, 996 F. Supp. 2d 942, 1010 (S.D. Cal 2014) (California Database Breach 20 Act). To the extent any of these cases are instructive, the standard generally imposes a 21 reasonableness requirement and require plaintiffs to allege incremental harm beyond the 22 breach. See, e.g., In re Solara, 613 F. Supp. 3d at 1300. Here, there are no incremental 23 harms, therefore no harms to exacerbate the effect through delay. Thus, Plaintiffs fail to 24 allege that the delay in notice brought on cognizable injuries. 25 After considering all the alleged injuries, Plaintiffs have failed to plead cognizable 26 damages to support their negligence claim.6

27 6 Plaintiff Martinez also alleges that after the breach she was unable to access her test records or schedule appointments. (Id. ¶ 68.) She also alleges that she has received spam 28 emails for appointments she did not schedule. (Id. ¶ 70.) As the Court has previously reasoned for the other Plaintiffs, these are insufficient allegations of harm. 1 2. Causation 2 Causation is generally a question of fact for the jury. Cramer v. Starr, 11, 375 P.3d 3 69, 76 (Ariz. 2016). But at the pleading stage, plaintiffs must adequately allege causation 4 for the case to proceed. Lexmark Int’l, Inc. v. Static Control Components, Inc., 572 U.S. 5 118, 134 (2014). “[T]o prove proximate cause, a ‘[p]laintiff need only present probable 6 facts from which the causal relationship reasonably may be inferred.’” Pompeneo v. Verde 7 Valley Guidance Clinic, 249 P.3d 1112, 1114 (Ariz. Ct. App. 2011) (quoting Robertson v. 8 Sixpence Inns of Am., Inc., 789 F.2d 1040, 1047 (Ariz. 1990)). 9 Yuma Regional argues that, even assuming Plaintiffs have adequately pleaded 10 cognizable damages, they fail to establish the harms were caused by the breach because 11 they are temporal only. (Doc. 74 at 16–18.) Plaintiffs respond that they have created a 12 plausible inference of causation because they allege their PII and PHI were extracted from 13 the breach and used for spamming purposes, filing fraudulent tax returns, accessing their 14 accounts, and posted on the “dark web.” 15 Although these injuries are not cognizable, Plaintiffs are correct that there is at least 16 a plausible inference of causation. See, e.g., Stollenwerk v. Tri-W. Health Care All., 254 17 F. App’x 664, 668 (9th Cir. 2007) (finding where a plaintiff pleaded that he actively took 18 steps to protect his information and there were no other known thefts of his information, 19 the plaintiff had adequately created a logical relationship between the theft of a computer 20 and identity theft); see also Griffey I, 562 F. Supp. 3d at 44–45 (finding that where personal 21 information was stolen directly in a data breach, the causal link is not just plausible but 22 certain because for the plausible link in Stollenwerk, the court assumed the information 23 could be extracted from the computer). Here, the allegations discussed herein certainly 24 give rise to the plausibility that the breach caused the injuries. 25 3. Breach of Duty 26 Yuma Regional argues that Plaintiffs failed to allege breach of a duty owed to them 27 because general allegations that it did not comport to “industry standards” is insufficient. 28 (Doc. 74 at 16–17.) Plaintiffs contend that their allegations that Yuma Regional failed to 1 adequately train its employees, failed to upgrade its security system to industry standards, 2 and that Yuma Regional kept unencrypted personal data in an unsecured environment with 3 knowledge of the prevalence of cyber-attacks and industry practices. (Doc. 75 at 17.) 4 Regarding Plaintiffs’ negligence claim, in their Complaint they allege Yuma 5 Regional owed a duty and breached that duty because it “failed to adequately safeguard 6 their PHI in accordance with state-of-the-art industry practices.” (See Doc. 68 7 ¶¶ 262–264.) Plaintiffs repeatedly invoke said “industry practices.” (See id. ¶¶ 8, 43, 225.) 8 Plaintiffs do not describe what those practices entail, and presume that because the breach 9 occurred, Yuma Regional’s system was not up to par. As pleaded, Plaintiffs’ allegations 10 rely on speculation that, had Yuma Regional used the industry standards, the breach would 11 not have occurred. See Quinalty, 2024 WL 342454, at *4 (finding mere allegations of 12 industry standards insufficient to plead a duty owed). These allegations are conclusory and 13 employ circular reasoning. Plaintiffs’ allegations that Yuma Regional “kept the 14 unencrypted personal data or Plaintiffs and Class Members in an unsecured 15 internet-accessible environment” do not appear in the Complaint. (See Doc. 68 ¶¶ 36–39, 16 42–43, 228–33, 235.) This argument appears couched in Plaintiffs’ presumed conclusion 17 that because the breach happened, it must be true Yuma Regional’s system is insecure. 18 (See Doc. 68 ¶¶ 36–39, 42–43, 228–33, 235.) As such, these allegations are insufficiently 19 pleaded to establish breach of a duty, whatever that duty may have been. 20 4. Negligence Per Se 21 Yuma Regional argues that negligence per se is not a standalone cause of action, 22 and Plaintiffs cannot otherwise rely on negligence per se to establish the duty element of 23 negligence. (Doc. 74 at 18.) Plaintiffs respond in arguing that Yuma Regional violated its 24 own privacy policy, as well as HIPAA and the FTC Act (the “FTCA”), therefore 25 negligence per se applies. (Doc. 75 at 19–20 (citing Doc. 68 ¶¶ 31–33, 270–287.) 26 Yuma Regional is correct. “Negligence per se is not a cause of action separate from 27 common law negligence. It is a doctrine under which a plaintiff can establish the duty and 28 breach elements of a negligence claim based on a violation of a statute that supplies the 1 relevant duty of care.” Craten v. Foster Poultry Farms Inc., 305 F. Supp. 3d 1051, 1054 2 n.2 (D. Ariz. 2018). “[V]iolation of a statute establishes the elements of duty and breach, 3 requiring the plaintiff to prove only proximate cause and damages.” Resolution Trust Corp. 4 v. Dean, 854 F. Supp. 626 (D. Ariz. 1994). Plaintiffs do not dispute that neither HIPAA 5 nor the FTCA provide a private right of action. See Gannon, 2023 WL 6536477, at *2. To 6 the extent Plaintiffs do not bring suit in direct violation of the statute but relies on them for 7 evidence that a duty was established, both acts provide their own enforcement mechanisms 8 and do not create a private right of action nor provide evidence of a duty. See id. (collecting 9 cases). Accordingly, the Court will dismiss Plaintiffs’ negligence per se claim with 10 prejudice to the extent it is a standalone cause of action. Griffey I, 562 F. Supp. 3d at 47. 11 B. Implied Contract 12 Contracts may be express or implied. Barmat v. John & Jane Doe Partners A-D, 13 747 P.2d 1218, 1220–21 (Ariz. 1987) (“The distinction between an express contract and 14 one implied in fact is that in the former the undertaking is made by words written or spoken, 15 while in the latter conduct rather than words conveys the necessary assent and 16 undertakings.”). Plaintiffs carry the burden to prove existence of a contract, its breach, and 17 the resulting damages. Thomas v. Montelucia Villas, LLC, 302 P.3d 617, 621 (Ariz. 2013). 18 A valid contract requires “offer, acceptance of the offer, consideration, sufficient 19 specification of terms so that the obligations involved can be ascertained, and the parties 20 must have intended to be bound by the agreement.” Day v. LSI Corp., 174 F. Supp. 3d 21 1130, 1153 (D. Ariz. 2016) (citations omitted). 22 Yuma Regional argues that its privacy policy does not provide sufficient 23 specification of terms to establish an implied contract. (Doc. 74 at 18–20.) Yuma Regional 24 further argues that Plaintiffs failed to adequately plead consideration because they do not 25 allege that they relied on Yuma Regional’s privacy policy before they received treatment 26 and Yuma Regional was already had a pre-existing legal duty to provide protection to 27 Plaintiffs’ information. (Id.; Doc. 78 at 11–12.) Plaintiffs argue that Yuma Regional 28 advertises through its privacy policy that it is “committed to protecting the confidentiality 1 [its patients’] medical information,” and that patients have a right to “expect that treatment 2 records are confidential” absent consent. (Doc. 75 at 20 (citing Doc. 68 ¶¶ 33–34.) 3 According to Plaintiffs, when they entrusted their information to Yuma Regional, they had 4 an expectation that it would remain confidential. (Id.) Plaintiffs further argue that Yuma 5 Regional’s assurances that they could expect their information to remain confidential 6 establishes contractual duties beyond those imposed by law. (Id.)7 7 Yuma Regional is correct in part. Plaintiffs do allege the privacy policy exists, that 8 is undisputed. And it is undisputed that the policy provides that Yuma Regional will 9 maintain safeguards to protect patients’ information and that it will notify patients upon 10 discovering a breach. (See Doc. 74 at 6.) Yuma Regional’s policy providing for the 11 possibility of a breach does not negate its commitment to safeguard patients’ information. 12 See, e.g., Durgan, 2023 WL 7114622, at *4 (finding a privacy policy provided adequate 13 terms under similar circumstances). But even if these terms are sufficient, Plaintiffs do not 14 allege that they read or relied on the privacy policy before entering a business relationship 15 with Yuma Regional to establish valid consideration. See Durgan, 2023 WL 7114622, 16 at *4 (finding a privacy policy could not provide the basis for reliance to support 17 consideration where plaintiffs never read or relied on the policy before entering a business 18 relationship with the defendant). Plaintiffs’ allegations are merely conclusory. Further, 19 the privacy policy providing that patients could expect their information to remain 20 confidential does not necessarily promise an outcome that a breach would not occur. As 21 such, Plaintiffs have failed to articulate how Yuma Regional’s promises exceed 22 pre-existing legal obligations. See In re Banner Health, 2017 WL 6763548, at *3 (noting 23 the performance of a promise to do something a party is already legally obligated to do 24 does not provide adequate consideration). Therefore, Plaintiffs failed to state an implied 25 contract claim.8

26 7 The Court notes that Plaintiffs provide the following citation: “Dearing v. Magellan Health, Inc., No. CV 2020-013648, 2021 WL 7186207, at *4 (Ariz. May 6, 2021).” (Id. 27 at 21.) The Court, however, cannot locate that case, nor does the citation provide effective means to locate it. Therefore, the Court declines address arguments related to the case. 28 8 Plaintiffs also allege a breach of the covenant of good faith and fair dealing. (Doc. 68 ¶¶ 297–305.) Arizona law implies a covenant of good faith and fair dealing in every 1 C. Unjust Enrichment 2 Under Arizona law, “[u]njust enrichment occurs when one party has and retains 3 money or benefits that in justice and equity belong to another.” Loiselle v. Cosas Mgmt. 4 Group, LLC, 228 P.3d 943, 946 (Ariz. Ct. App. 2010). A party must allege: “(1) an 5 enrichment, (2) an impoverishment, (3) a connection between the enrichment and the 6 impoverishment, (4) the absence of justification for the enrichment and the 7 impoverishment, and (5) the absence of a remedy provided at law.” Span v. Maricopa 8 Cnty. Treasurer, 437 P.3d 881, 886 (Ariz. Ct. App. 2019). 9 Plaintiffs allege that because Yuma regional failed to provide adequate data security 10 practices and retained a portion of monies Plaintiffs spent in the transactions that cover the 11 expenses of said practices, Yuma Regional was unjustly enriched. (Doc. 68 ¶¶ 306–312.) 12 Yuma Regional argues Plaintiffs’ allegations fall short of stating a claim because they fail 13 to allege an amount they paid in connection with and for the security practices, and 14 otherwise fail to specify why the practices deployed were inadequate. (Doc. 74 at 20–21.) 15 Plaintiffs rebut that they have adequately alleged Yuma Regional failed to adhere to 16 specific industry practices, like encrypting information, disposing of unneeded data, and 17 updating or patching software to sustain their unjust enrichment claim. (Doc. 75 at 21–22 18 (citing Doc. 68 ¶¶ 36, 42–43, 225, 237–45).) Plaintiffs further argue that unjust enrichment 19 is only unavailable if they already received the benefit of the bargain, in which they argue 20 they have not. (Id.) Yuma Regional replies that Plaintiffs specific industry practices are 21 conclusory and assume that because the breach occurred, the practices were not in place. 22 (Doc. 78 at 12–13.) Yuma Regional further contends that allegations that Plaintiffs paid 23 for “treatment services” does not mean that because a breach occurred, Plaintiffs did not 24 receive the services for which they paid. (Id.) 25 Yuma Regional is correct. First, Plaintiffs do not allege any specifics to decern the 26 contract. Wells Fargo Bank v. Ariz. Laborers, Teamsters & Cement Masons Local No. 395 27 Pension Trust Fund, 38 P.3d 12, 28 (Ariz. 2002) (en banc). However, because the Court concludes Plaintiffs have not adequately alleged an enforceable promise here, Yuma 28 Regional could not have breached the implied covenant of good faith and fair dealing. See In re Banner Health, 2017 WL 6763548, at *5. 1 amount they paid that would go towards security practices and is based on speculation that 2 Yuma Regional recovers those costs by building them into the provision of medical 3 treatment. Plaintiffs also do not specify to whom they paid other than through a vague 4 reference to them “confer[ing] a monetary benefit upon [Yuma Regional] in the form of 5 monies paid for treatment services.” (Doc. 68 ¶ 308 (emphasis added).); see Griffey II, 6 2022 WL 1811185, at *6 (finding alleging that plaintiffs paid for health services that the 7 defendant sold does not specify to whom those payments were made and are insufficient 8 to support an unjust enrichment claim). Assuming payment for treatment services includes 9 payments earmarked for security of the data, that assumption requires further speculation 10 that Yuma Regional did not use that money to safeguard their data and retained some 11 benefit. Second, Plaintiffs’ “specific industry practices” argument assumes in a conclusory 12 fashion, for example, that because the breach occurred the information must not have been 13 encrypted. The Court has already rejected such circular reasoning. Finally, for this same 14 reason, the allegation that Plaintiffs have not yet received the benefit of their bargain is 15 inadequate. Even though Yuma Regional assured its patients that it would safeguard their 16 information, which is not reasonably a promise to an impenetrable system, and the fact that 17 a breach occurred, does not show Yuma Regional did not provide the safeguards promised. 18 Plaintiffs’ proof is in the pudding approach all the while asserting vague, speculative, and 19 conclusory allegations uttered as fact to show their predetermined conclusion is exactly 20 that—a mere conclusion lacking sufficient facts. See, e.g., Feins v. Goldwater Bank NA, 21 No. CV-22-00932-PHX-JJT, 2022 WL 17552440, at *7 (D. Ariz. Dec. 9, 2022) (finding 22 “a data breach does not by itself demonstrate an inadequate data security infrastructure”); 23 Griffey I, 562 F. Supp. 3d at 49 (rejecting unjust enrichment allegations because plaintiffs 24 failed to explain why the defendant’s security system was inadequate). 25 D. ACFA 26 Plaintiffs allege that Yuma Regional violated ACFA, see Ariz. Rev. Stat. 27 § 44-1522(A), by using deceptive acts or practices and fraudulently withheld material facts 28 in connection with the sale of medical services. (Doc. 68 ¶ 313–323.) Yuma Regional 1 argues dismissal is appropriate because (1) Plaintiffs failed to satisfy Federal Rule of Civil 2 Procedure 9(b)’s particularity requirements by asserting boilerplate elements of the claim; 3 and (2) Plaintiffs failed to articulate the specific omissions they allegedly relied upon or 4 that reliance was possible. (Doc. 74 at 21–22; Doc. 78 at 15–16.) Plaintiffs reassert many 5 of their arguments used to justify other claims, e.g., they explained how Yuma Regional 6 failed to safeguard their information by alleging (1) an untimely notification; (2) 7 inadequate employee training; (3) use of outdated software; (4) compliance with HIPAA 8 and the FTCA; and (5) maintenance of the system, data, and use of encryption were 9 inadequate. (Doc. 75 at 23–24.) Plaintiffs further argue that they relied on the absence of 10 disclosed material related to Yuma Regional’s security systems, and had it disclosed the 11 details, they would not have provided their information. (Id.) 12 Under the ACFA, it is unlawful for any person to use or employ “any deception, 13 deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, 14 or concealment, suppression or omission of any material fact with intent that others rely on 15 such concealment, suppression or omission, in connection with the sale or advertisement 16 of any merchandise.” Ariz. Rev. Stat. § 44-1522(A). To state a claim under the ACFA, “a 17 plaintiff must show (1) a false promise or misrepresentation made in connection with the 18 sale or advertisement of ‘merchandise,’ and (2) consequent and proximate injury resulting 19 from the misrepresentation.” Watts v. Medicis Pharmaceutical Corp., 365 P.3d 944, 953 20 (Ariz. 2016) (citing Kuehn v. Stanley, 91 P.3d 346, 351 (Ariz. Ct. App. 2004)). 21 “It is established law that Rule 9(b)’s particularity requirement applies to state law 22 causes of action relating to fraud when asserted in federal court.” Irving Firemen’s Relief 23 & Ret. Fund v. Uber Techs., Inc., 998 F.3d 397, 404 (9th Cir. 2021) (citation omitted). To 24 satisfy this standard, plaintiffs “must ‘identify the who, what, when, where, and how of the 25 misconduct charged, as well as what is false or misleading about the purportedly fraudulent 26 statement, and why it is false.’” Depot, Inc. v. Caring for Montanans, Inc., 915 F.3d 643, 27 668 (9th Cir. 2019) (citation omitted). Plaintiffs filing a ACFA fraud-by-omission claim, 28 however, faces a slightly more relaxed burden, due to the fraud-by-omission plaintiff’s 1 inherent inability to specify the time, place, and specific content of an omission in quite as 2 precise a manner.” Griffey I, 562 F. Supp. 3d at 53–54. Plaintiffs, however, must articulate 3 the “how.” Griffey I, 562 F. Supp. 3d at 54. Plaintiffs can show reliance on an omission 4 by showing that had the information been disclosed, they would have been aware of it and 5 behaved differently. In re Ariz. Theranos, Inc., Litig., 256 F. Supp. 3d 1009, 1028 (D. Ariz. 6 2017), on reconsideration in part, No. 2:16-CV-2138-HRH, 2017 WL 4337340 (D. Ariz. 7 Sept. 29, 2017) (noting plaintiffs must describe the content of the omission and provide 8 representative examples that they relied on to make their alleged uninformed purchased). 9 “Injury occurs when the consumer relies on the misrepresentation, even though reliance 10 need not be reasonable.” Correa v. Pecos Valley Dev. Corp., 617 P.2d 767, 771 (Ariz. Ct. 11 App. 1980). 12 Plaintiffs’ allegations for the “how” are insufficient. A material omission “must be 13 logically related to the transaction in which it occurs and rationally significant to the parties 14 in view of the nature and circumstances of the transaction.” Haisch v. Allstate Ins. Co., 5 15 P.3d 940, 945 (Ariz. Ct. App. 2000). There are two issues here. First, the omission of the 16 details underlying Yuma Regional’s security system, the inadequacy of which Plaintiffs 17 claim are material, are not logically related to the transaction because Plaintiffs do not 18 allege that they were aware of or read the privacy policy. In other words, on these facts, it 19 is not possible to establish reliance absent some indication of awareness of the policy 20 claimed to be omitting facts at the time the reliance allegedly occurred. See Kuehn, 91 21 P.3d at 352 (holding reliance was not possible because the plaintiffs became aware of the 22 alleged misrepresentation after the transaction at issue). Second, Plaintiffs fail to establish 23 whether the privacy policy is false or misleading. Plaintiffs essentially call for the Court 24 to speculate that, had Yuma Regional disclosed the specific or technical details of its 25 security apparatus, that Plaintiffs would appreciate those details and would base their 26 decision to receive medical care on the adequacy of that information. Yuma Regional 27 made no absolute guarantee against rogue actors’ ability to penetrate its system and extract 28 information. Plaintiffs’ allegations that the system and the response Yuma Regional did 1 deploy was insufficient is conclusory without factual support. Therefore, the Court will 2 dismiss Plaintiffs’ ACFA claim. 3 E. Leave to Amend 4 Federal Rule of Civil Procedure 15(a) requires that leave to amend be “freely give[n] 5 when justice so requires.” Leave to amend should not be denied unless “the proposed 6 amendment either lacks merit or would not serve any purpose because to grant it would be 7 futile in saving the plaintiff’s suit.” Universal Mortg. Co. v. Prudential Ins. Co., 799 F.2d 8 458, 459 (9th Cir. 1986). Therefore, “a district court should grant leave to amend even if 9 no request to amend the pleading was made, unless it determines that the pleading could 10 not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 11 1127 (9th Cir. 2000) (cleaned up). 12 While Plaintiffs have not requested leave to amend, Yuma Regional has not argued 13 that it would be prejudiced if Plaintiffs amend their claims. Aside from Plaintiffs’ 14 negligence pro se claim, their negligence, implied contract, unjust enrichment, and ACFA 15 claims are dismissed as not pleaded with the necessary facts to state a claim. How Plaintiffs 16 may cure those deficiencies is not abundantly clear to the Court. But because Plaintiffs 17 could remedy the deficiencies identified, it is inappropriate for the Court to dismiss them 18 with prejudice at this time. Thus, leave to amend shall be granted on the negligence, unjust 19 enrichment, implied contract, and ACFA claims. 20 IV. CONCLUSION 21 Accordingly, 22 IT IS ORDERED granting Defendant Yuma Regional Medical Center’s Motion 23 to Dismiss Plaintiffs’ Consolidated Class Action Complaint (Doc. 74). Yuma Regional’s 24 Motion as to all claims is granted for failure to state a claim, with leave to amend (Doc. 68 25 Counts 1, 3 through 5), except for Plaintiffs’ negligence per se claim, which are dismissed 26 with prejudice (Doc. 68 Count 2). 27 IT IS FURTHER ORDERED that Plaintiffs shall file a Second Amended 28 Complaint, if they so choose, no later than 30 days after this Order is filed. 1 IT IS FURTHER ORDERED that, if Plaintiffs fail to file an amended complaint 2|| within 30 days of the date of this Order, the Clerk of the Court shall enter judgment 3 || dismissing this entire case without prejudice. 4 IT IS FURTHER ORDERED vacating the oral argument scheduled for 5 || November 25, 2024 (Doc. 79). 6 Dated this 14th day of November, 2024. 7 Se . ~P 8 SO —_

9 Gnvted States District ude. 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

- 24 -