WO

IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF ARIZONA

Brittney Johnson, No. CV-22-01061-PHX-SMB
Plaintiff, ORDER
v.
Yuma Regional Medical Center,
Defendant.

This lawsuit arises out of a ransomware attack on Defendant Yuma Regional Medical Center’s (“Yuma Regional”)[1] data storage systems resulting in a breach and the hackers gaining access to its patients’ sensitive information. The fourteen Named Plaintiffs here represent individuals who had their information stolen. Following the Court’s dismissal of the Consolidated Class Action Complaint (Doc. 81; Doc. 68), Plaintiffs filed their First Amended Consolidated Class Action Complaint (“FAC”) (Doc. 83). Yuma Regional now moves to dismiss all claims asserted in the FAC (Doc. 90) for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). The parties have fully briefed the Motion to Dismiss (Doc. 92 (Plaintiffs’ Response); Doc. 94 (Yuma Regional’s Reply).) Yuma Regional requested oral argument (Doc. 83 at 1), the Court, however, finds it unnecessary and resolves the Motion without oral argument. See LRCiv 7.2(f). Having reviewed the parties’ briefs and the applicable law, the Court will grant Yuma Regional’s Motion in part.

[1] Defendant notes that it now operates under the name “Onvida Health,” however, continues to refer to itself under its prior name. (Doc. 90 at 6 n.1.) The Court will do the same.

I. BACKGROUND

The Court derives the following allegations as pleaded in Plaintiffs’ FAC. (See generally Doc. 83.) Plaintiffs are a collection of current and former patients that received medical care from Yuma Regional, a hospital in Yuma, Arizona. To receive treatment, Plaintiffs were required to disclose various types of personal and confidential medical information. Yuma Regional maintains that information within its systems. In April 2022, cybercriminals breached Yuma Regional’s data security systems, gaining unrestricted access to its files for the next few days. Hackers were able to extract highly sensitive files containing data on an estimated 700,000 of its patients.
Four days after the breach, Yuma Regional identified the hackers had gained access. In the weeks that followed, the Named Plaintiffs received a notice letter, dated June 9, 2022, from Yuma Regional. The notice provided assurances that Yuma Regional was strengthening its system, enhancing its protocols, and offering its patients free credit monitoring and identity theft protection services for an unknown duration. After the breach, some of the Plaintiffs received word that their information wound up on the dark web. Plaintiffs’ class action lawsuit followed.

This Court previously dismissed Plaintiffs’ initial Complaint with leave to amend. (See Doc. 81.) Plaintiffs filed their FAC shortly thereafter. (Doc. 83.) Plaintiffs’ FAC asserts claims for (1) Negligence; (2) Breach of Implied Contract/Implied Duty of Good Faith and Fair Dealing; (3) Unjust Enrichment; (4) Breach of Fiduciary Duty; and (5) Consumer Fraud, Ariz. Rev. Stat. § 44-1521.

II. LEGAL STANDARD

To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must meet the requirements of Rule 8(a)(2). Rule 8(a)(2) requires a “short and plain statement of the claim showing that the pleader is entitled to relief,” providing “fair notice of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (quoting Conley v. Gibson, 355 U.S. 41, 47 (1957)). This exists if the pleader sets forth “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988).
A cognizable legal theory must state a claim to relief that is “plausible on its face.” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 570). Plausibility does not equal “probability,” but requires “more than a sheer possibility that a defendant has acted unlawfully.” Id. The Court views the well-pled factual allegations as true and construes them in the light most favorable to the nonmoving party. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). But legal conclusions couched as factual allegations are not given a presumption of truthfulness, and “conclusory allegations of law and unwarranted inferences are not sufficient to defeat a motion to dismiss.” Pareto v. FDIC, 139 F.3d 696, 699 (9th Cir. 1998).

III. DISCUSSION

A. Negligence

Under Arizona law, to state a claim for negligence “a plaintiff must prove: (1) a duty requiring the defendant to conform to a certain standard of care; (2) breach of that standard; (3) a causal connection between the breach and the resulting injury; and (4) actual damages.” CVS Pharmacy, Inc. v. Bostwick ex rel., 494 F.3d 572, 578 (Ariz. 2021) (quoting Quiroz v. ALCOA Inc., 416 P.3d 824, 827–28 (Ariz. 2018)). Yuma Regional moves to dismiss Plaintiffs’ negligence claim, arguing they failed to (1) establish a legal duty exists; (2) demonstrate a breach of the duty of care owed to Plaintiffs, and (3) adequately plead cognizable damages. (Doc. 90 at 9, 11.)

1. Duty

In Arizona, a plaintiff bears the burden of establishing a duty exists. Quiroz, 416 P.3d at 838. As a legal matter, “the issue of duty involves generalizations about categories of cases.” Gipson v. Kasey, 150 P.3d 228, 230 (Ariz. 2007). A duty is an “obligation, recognized by law, which requires the defendant to conform to a particular standard of conduct.” Id. Absent some duty, there can be no negligence action. Id.
Duties are based either on special relationships recognized by the common law or on relationships shaped by public policy. Perez v. Circle K Convenience Stores, Inc., 564 P.3d 623, 627 (Ariz. 2025). Special relationships also include those based on contract, familial relations, or conduct undertaken by the defendant. Cal-Am Props. Inc. v. Edais Eng’g Inc., 509 P.3d 386, 389 (Ariz. 2022).

Generally, a court determines whether a legal duty exists before considering the case-specific facts and irrespective of whether a defendant’s conduct creates an unreasonable risk of harm for foreseeable plaintiffs. Quiroz, 416 P.3d at 828–29 (noting foreseeability remains relevant to breach and causation). But a court may consider case-specific facts to determine “whether a special relationship existed between the plaintiff and defendant, and if so, whether the risk of harm alleged to have injured plaintiff arose within that relationship.” Perez, 564 P.3d at 628–30 (noting the purpose of examining case-specific facts is to determine the “when and where” the alleged risk of harm arose). Similarly, whether a defendant assumed a duty based on its conduct necessitates a fact-specific inquiry. Dabush v. Seacret Direct LLC, 478 P.3d 695, 703 (Ariz. 2021) (noting the existence and extent of an assumed duty is generally a question of fact). “A duty may be assumed expressly or by conduct.” Id. But that duty “is limited to the extent of the specific undertaking.” Id.

Plaintiffs allege that Yuma Regional owes a legal duty to safeguard and protect their information from unauthorized access or disclosure based on an “assumed responsibility” and under “common law” and assert that the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45, HIPAA regulations, a physician’s Hippocratic Oath, Arizona Revised Statute § 12-2292(A), and Yuma Regional’s policies support or provide such legal duties. (Doc. 83 ¶¶ 215–22, 228.)
Yuma Regional argues none of these provide a basis to establish it owed a legal duty to Plaintiffs. (Doc. 90 at 9–11; Doc. 94 at 10–11.) Plaintiffs disagree, arguing a legal duty exists based on a negligent undertaking, also known as an assumed duty, in collecting their private information and public policy “favors imposition of a duty.” (Doc. 92 at 8–10.) Plaintiffs do not argue any duty arises under recognized categorical relationships. See, e.g., Gipson, 150 P.3d at 232 (providing these categories typically include landowner-invitee relationships, tavern owner-patron relationships, and relationships that create a duty to control the actions of another).

Plaintiffs have not adequately established public policy imposes a legal duty. Plaintiffs do not provide any explanation as to why the FTCA, HIPAA, and Arizona Revised Statute § 12-2292 declare a public policy sufficient to create a tort duty. Arizona courts “exercise great restraint in declaring public policy.” Quiroz, 416 P.3d at 830. For a statute to create a civil duty, it must be “designed to protect the class of persons, in which the plaintiff is included, against the risk of the type of harm which has in fact occurred as result of the violation.” Gipson, 150 P.3d at 233; see also Sanchez-Ravuelta v. Yavapai County, 569 P.3d 47, 58 (Ariz. 2025) (“A statute cannot be the basis of a public policy duty if it does not require or prohibit certain conduct.”). “A public policy-based tort duty does not arise from the existence of an entire statutory scheme that implicitly seeks to protect the public at large from general types of harm.” Sanchez-Ravuelta, 569 P.3d at 60. The primary source for public policy tort duties in Arizona comes from state statute. Id. at 58.

First, Arizona Revised Statute § 12-2292 relates to evidence in the courts and civil proceedings.
Section 12-2292(A) provides medical and payment records are confidential and privileged and that “[a] health care provider may only disclose that part or all of a patient’s medical records and payment records as authorized by state or federal law or written authorization signed by the patient or the patient’s health care decision maker.” The statute covers a provider’s disclosures, i.e., some sort of affirmative disclosure, not the risk that a patient’s information is stolen and then disclosed by bad actors, nor does it require any relevant security measures to ensure confidentiality. See Perez, 564 P.3d at 630 (explaining a court may consider case-specific facts to determine whether a statute applies to a circumstance to give rise to a duty).

Second, it is unclear how a physician’s Hippocratic Oath covers a hospital’s data security and Plaintiffs are not suing the physicians. Cf. Stanley v. McCarver, 92 P.3d 849, 854 n.6 (Ariz. 2004) (noting that while ethical rules may illuminate a standard of care, they do not provide a basis to impose a duty). And finally, this Court has found HIPAA and the FTCA do not establish a tort duty. Gannon v. Truly Nolen of Am. Inc., No. CV 22-428-TUC-JAS, 2023 WL 6536477, at *2 (D. Ariz. Aug. 31, 2023); see also Shepherd v. Costco Wholesale Corp., 482 P.3d 390, 396 (Ariz. 2021) (explaining that HIPAA may inform the standard of care but does not provide a private right of action). Given Plaintiffs’ lack of argument on the issue and the Court’s reasoning thus far, the Court declines to find public policy declares Yuma Regional owed a legal duty to Plaintiffs. In turn, Plaintiffs must then rely on their assumed duty theory.

To inform whether a party has assumed a duty of care for the protection of another, Arizona courts look to the Restatement (Second) of Torts § 323 (1965). Dabush, 478 P.3d at 703 (citing § 323).
Section 323 provides:

One who undertakes, gratuitously or for consideration, to render services to another which he should recognize as necessary for the protection of the other’s person or things, is subject to liability to the other for physical harm resulting from his failure to exercise reasonable care to perform his undertaking, if

(a) His failure to exercise such care increases the risk of such harm, or

(b) The harm is suffered because of the other’s reliance upon the undertaking.

Restatement (Second) of Torts § 323 (1965). This assumed duty is limited to the extent of the specific undertaking and is no broader than the undertaking actually assumed. Dabush, 478 P.3d at 704 (noting “the nature of the services undertaken must be for the specific purpose protecting against harm”).

Assuming the Plaintiff’s allegations are sufficient for Yuma Regional to have undertaken an act to protect Plaintiffs from some type of harm, that harm is purely economic and not sufficient to trigger an actionable tort duty. (See Doc. 83 ¶¶ 231–32.) The Arizona Supreme Court has disavowed that § 323 provides a basis to establish liability for purely economic harm as opposed to claims involving physical harm to a person or property. See Cal-Am Properties, 509 P.3d at 391 n.1; see also Lips v. Scottsdale Healthcare Corp., 229 P.3d 1008, 1011 (Ariz. 2010) (noting the court’s reluctance to broadly recognize a duty to avoid causing purely economic loss); Calcut v. Paramount Residential Mortg. Grp. Inc., No. CV-22-01215-PHX-JJT, 2024 WL 233175, at *6 (D. Ariz. Jan. 22, 2024) (“[A] plaintiff alleging negligent performance of an undertaking must allege some sort of physical harm.”), aff’d, No. 24-764, 2025 WL 1341672 (9th Cir. May 8, 2025). Plaintiff has failed to establish sufficient grounds to find Yuma Regional assumed a duty to protect Plaintiffs against purely economic harms and thus has failed to state a negligence claim.

B. Breach of Implied Contract

Contracts may be express or implied. Barmat v. John & Jane Doe Partners A-D, 747 P.2d 1218, 1220–21 (Ariz.
1987) (“The distinction between an express contract and one implied in fact is that in the former the undertaking is made by words written or spoken, while in the latter conduct rather than words conveys the necessary assent and undertakings.”); Carroll v. Lee, 712 P.2d 923, 926 (Ariz. 1986) (noting there is no difference in legal effect between an express and implied contract). Plaintiffs carry the burden to prove existence of a contract, its breach, and the resulting damages. Thomas v. Montelucia Villas, LLC, 302 P.3d 617, 621 (Ariz. 2013). A valid contract requires “offer, acceptance of the offer, consideration, sufficient specification of terms so that the obligations involved can be ascertained, and the parties must have intended to be bound by the agreement.” Day v. LSI Corp., 174 F. Supp. 3d 1130, 1153 (D. Ariz. 2016) (citations omitted).

Plaintiffs assert and argue that they provided Yuma Regional with money in exchange for care and by doing so, they entered into an implied contract in which Yuma Regional was obligated to deploy adequate security practices and safeguard their information. (See Doc. 83 ¶¶ 31–32, 233–48; Doc. 92 at 14.) Yuma Regional argues Plaintiffs’ claim fails because (1) they did not allege they actually read or relied on Yuma Regional’s Privacy Policy; (2) that Privacy Policy did not promise that a breach would not occur; and (3) any promise merely reflects Yuma Regional’s preexisting legal obligations. (Doc. 90 at 17–19.)

Whether Yuma Regional promised to deploy “adequate” security measures is a conclusion unsupported by any alleged facts.
Plaintiffs’ main hook for their claim lies in Yuma Regional’s Notice of Privacy Practices and its Privacy Policy, which, as alleged, states that Yuma Regional is “committed to protecting the confidentiality of [its patients’] medical information” and that the patients should “expect that treatment records are confidential” unless they give permission to release the information. (Doc. 83 ¶¶ 31–32.)

“Contract terms cannot be vaguely pleaded.” Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 51 (D. Ariz. 2021); Jarvis v. Traka USA LLC, No. CV-24-08111-PCT-SMM, 2024 WL 4651937, at *11 (D. Ariz. Nov. 1, 2024). The vague reference that Yuma Regional is “committed to protecting” Plaintiffs’ information fails to provide any basis to infer how Yuma Regional would fulfill its commitment to protect the information. The Court cannot be left to “guess” how a party failed to perform its contractual obligations. Griffey, 562 F. Supp. 3d at 51. Plaintiffs do not plead any facts that support a contractual duty to prevent a data breach altogether or that Yuma Regional promised to do anything beyond what it was already obligated to do under HIPAA or the FTCA. See, e.g., id. at 52 (finding a general promise to protect the plaintiffs’ information under a privacy policy did not suggest a promise beyond any pre-existing legal obligations and did not support a breach of implied contract claim); Gannon v. Truly Nolen of Am. Inc., No. CV 22-428-TUC-JAS, 2023 WL 6536477, at *3 (D. Ariz. Aug. 31, 2023); cf. Durgan v. U-Haul Int’l Inc., No. CV-22-01565-PHX-MTL, 2023 WL 7114622, at *4 (D. Ariz. Oct. 27, 2023) (finding that the plaintiffs adequately alleged the terms of an implied contract where the defendant’s privacy policy represented that it would use “commercially reasonable” precautions to safeguard the plaintiffs’ information and its systems).[2] Therefore, there is nothing to support that Yuma Regional assumed a contractual duty to support the claim.[3]

[2] Plaintiffs cite Dearing v. Magellan Health Inc., No. CV 2020-013648, 2021 WL 7186207 (Ariz. Super. May 6, 2021) as its only relevant case out of Arizona in which the Superior Court stated, “it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of . . . sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.” 2021 WL 7186207, at *4 (quoting Castillo v. Seagate Tech., LLC, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016)). Beyond conjecture, the court provided no meaningful analysis of how the assent to protect the information went beyond what the defendant was already legally obligated to perform. This Court has rejected similar reasoning and reliance on Castillo. See, e.g., Griffey, 562 F. Supp. 3d at 52–53. Therefore, the Court finds Dearing unpersuasive and adopts its previous reasoning.

[3] Because the Court finds no enforceable contract exists, Plaintiffs’ claim for breach of the implied covenant of good faith and fair dealing also necessarily fails. In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *5 (D. Ariz. Dec. 20, 2017) (explaining a claim based on the implied covenant requires an enforceable promise).

C. Breach of Fiduciary Duty

Plaintiffs’ FAC now asserts a new claim, alleging that Yuma Regional breached a fiduciary duty. (See Doc. 83 ¶¶ 258–64.) Yuma Regional argues Arizona does not recognize that hospitals, as opposed to physicians, owe a fiduciary duty to patients. (Doc. 90 at 20–21 (citing Gonzales v. Palo Verde Mental Health Servs., 783 P.2d 833, 835 (Ariz. Ct. App. 1989)).)

As a preliminary matter, the FAC’s allegations on this claim are conclusory and address the physician-patient relationship, not the hospital-patient or -customer relationship. (See Doc. 83 ¶¶ 258–64.) Plaintiffs also do not address Yuma Regional’s argument that, unlike for physicians, Arizona has not recognized that hospitals owe a fiduciary duty to patients. (See Doc. 92 at 19–20.); Gonzales, 783 P.2d at 835 (finding no authority that a hospital owes a fiduciary duty to a patient). Instead, Plaintiffs rely on cases addressing the physician-patient relationship without appreciating the distinction. See, e.g., Duquette v. Superior Court, 778 P.2d 634, 640 (Ariz. Ct. App. 1989); Hales v. Pittman, 576 P.2d 493, 496 (Ariz. 1978).

Plaintiffs further rely on inapplicable cases. See, e.g., Taeger v. Cath. Fam. & Cmty. Servs., 995 P.2d 721, 726–30 (Ariz. Ct. App. 1999) (addressing whether there was a fiduciary duty between an adoption agency and adopting parents in which the agency collected information from the biological mother that was inaccessible to the adopting parents); In re Est. of Meinel, No. 2 CA-CV 2016-0032, 2016 WL 6108408, at *2–3 (Ariz. Ct. App. Oct. 19, 2016) (finding there was no fiduciary duty where the defendant facilitated the transfer of funds from the plaintiff’s joint account with her consent without disclosing a change in the beneficiary of the funds). “The law does not create a fiduciary relation in every business transaction involving one party with greater knowledge, skill, or training, but requires peculiar intimacy or an express agreement to serve as a fiduciary.” Cook v. Orkin Exterminating Co., 258 P.3d 149, 152 (Ariz. Ct. App. 2011). It is not clear how a hospital’s collection of data establishes a confidential relationship with its customers or patients to establish a fiduciary duty. See, e.g., id. (noting a fiduciary duty is not established from a plaintiff’s mere trust in another’s competence or integrity). Further, Plaintiffs have not articulated a coherent and plausible basis for establishing a fiduciary duty exists under these circumstances beyond conclusory argument. Cf. id. (“Generally, commercial transactions do not create a fiduciary relationship unless one party agrees to serve in a fiduciary capacity.”). Therefore, the Court finds Plaintiffs have failed to state a claim.

D. Unjust Enrichment

Under Arizona law, “[u]njust enrichment occurs when one party has and retains money or benefits that in justice and equity belong to another.” Loiselle v. Cosas Mgmt. Group, LLC, 228 P.3d 943, 946 (Ariz. Ct. App. 2010). A party must allege: “(1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and the impoverishment, (4) the absence of justification for the enrichment and the impoverishment, and (5) the absence of a remedy provided at law.” Span v. Maricopa Cnty. Treasurer, 437 P.3d 881, 886 (Ariz. Ct. App. 2019). As an initial matter, Plaintiffs have not alleged or argued there is an absence of justification. (See Doc. 83 ¶¶ 250–57; Doc. 92 at 17–19.)

Plaintiffs allege that Yuma Regional received a “benefit” from the receipt, possession, and use of their information and from compensation they paid for medical services, which they contend that some of the money should have gone to adequate data security. (Doc. 83 ¶¶ 251–52.) Mere receipt of a benefit is insufficient to establish a claim for unjust enrichment. Murdock-Bryant Const., Inc. v. Pearson, 703 P.2d 1197, 1203 (Ariz. 1985). A plaintiff must demonstrate that through receipt of that benefit, the defendant was unjustly enriched at the plaintiff’s expense. Pyeatte v. Pyeatte, 661 P.2d 196, 202 (Ariz. Ct. App. 1982). Plaintiffs allege that Yuma Regional “wrongfully accepted and retained benefits at [their] expense. This enrichment is at [their] expense, and is unjust.” (Id.) These allegations are conclusory and do not provide factual support for any purported detriment and benefit. (See Doc. 83 ¶ 256.)

As a general matter, to determine whether unjust enrichment has occurred, courts view the parties’ obligations to one another in view of the larger context of their transaction. Span, 437 P.3d at 886. First, Plaintiffs have failed to articulate how mere receipt, as opposed to inadvertent disclosure, of their information and Yuma Regional’s use of that information to provide them with medical care and to facilitate payment collection for both of their benefits caused any detriment or expense to Plaintiffs that they did not willingly incur. Plaintiffs’ alleged detriment seemingly lies in the reduced value of their information after the breach. But any value Yuma Regional derived from receipt and retention of the information is long gone after the hospital-customer relationship ceased, i.e., after Yuma Regional’s provision of medical care and payment services to Plaintiffs.
Plaintiffs do not allege that Yuma Regional derives any quantifiable benefit from that information beyond the initial hospital-customer relationship. To the extent Yuma Regional possibly derives some sort of abstract benefit from the continued retention of the information after the breach, any lost value to that information caused by the breach reasonably affected the value of the information in the hands of both Plaintiffs and Yuma Regional. In other words, Yuma Regional was not unjustly enriched at Plaintiffs’ expense based on collection and retention of information alone. See Pyeatte, 661 P.2d at 202.

Second, any benefit purportedly conveyed to Yuma Regional based on monies Plaintiffs paid for medical services they intended to cover adequate security measures calls for rank speculation that unjust enrichment has occurred. Plaintiffs’ allegations that they intended for a portion of the amount they paid to Yuma Regional for medical services to also cover adequate security measures is irrelevant. Murdock-Bryant, 703 P.2d at 1203 (“[T]he duty to compensate for unjust enrichment is an obligation implied by law without reference to the intention of the parties.”). And even if they expected a portion of the payment to go to security, there are no allegations to support that Plaintiffs expected to be repaid some amount of this money upon a data breach in the event those security measures proved to be inadequate. See, e.g., Pyeatte, 661 P.2d at 203 (noting a duty to compensate may not be imposed “if it is clear that there was indeed no expectation of payment” (citation omitted)).

Plaintiffs cite Hannibal-Fisher v. Grand Canyon Univ., 523 F. Supp. 3d 1087 (D. Ariz. 2021) for the proposition that alleging that they did not receive what they paid for is sufficient to state a claim. (See Doc. 92 at 18–19.)
In that case, the plaintiffs paid for housing costs and fees but the defendants did not provide housing during the COVID-19 pandemic and effectively required students to return home, including the plaintiffs, without refunding the amounts paid. See Hannibal-Fisher, 523 F. Supp. 3d at 1096, 1097–98. This Court reasoned that the plaintiffs did not receive what they paid for, and so the impoverishment was directly linked to the defendant’s enrichment. Id. Compared to the circumstances here, the issue in Hannibal-Fisher was fairly straightforward: the plaintiffs did not receive the housing for which they paid. Here, Plaintiffs’ issue lies in the adequacy of the security they received, not the lack of security altogether. This is an important distinction in this case. Perhaps if Yuma Regional retained the funds that had been specifically earmarked for data security this case would be different. But that is not Plaintiffs’ claim.

The Court finds no basis to conclude that Yuma Regional unjustly retained a benefit. At bottom, Plaintiffs’ allegations are that Yuma Regional spent the money on its security systems, albeit those systems were inadequate to prevent the breach. Yuma Regional’s ineffective use of the funds does not provide a plausible basis to find it retained some benefit to Plaintiffs’ detriment. Yuma Regional did not retain the money, it spent the money in part to protect Plaintiffs’ information. See Wang Elec., Inc. v. Smoke Tree Resort, LLC, 283 P.3d 45, 50–51 (Ariz. Ct. App. 2012) (noting “unjust enrichment should not be used to saddle entities with expenses they chose not to incur”). Whatever benefit remains is unidentified. Plaintiffs’ conclusion that Yuma Regional was somehow unjustly enriched under these circumstances lacks factual support and does not squarely fit the claim.

E. ACFA

Under the ACFA, it is unlawful for any person to use or employ “any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise.” Ariz. Rev. Stat. § 44-1522(A). Generally, like common law fraud claims, claims under this statute are based on affirmative misrepresentations, concealment, or omission of material fact. Tavilla v. Cephalon, Inc., 870 F. Supp. 2d 759, 776 (D. Ariz. 2012), on reconsideration in part (May 30, 2012).

To state a claim under the ACFA, “a plaintiff must show (1) a false promise or misrepresentation made in connection with the sale or advertisement of ‘merchandise,’ and (2) consequent and proximate injury resulting from the misrepresentation.” Watts v. Medicis Pharmaceutical Corp., 365 P.3d 944, 953 (Ariz. 2016) (citing Kuehn v. Stanley, 91 P.3d 346, 351 (Ariz. Ct. App. 2004)). Federal Rule of Civil Procedure 9(b)’s particularity requirement applies to state law causes of action relating to fraud. Irving Firemen’s Relief & Ret. Fund v. Uber Techs., Inc., 998 F.3d 397, 404 (9th Cir. 2021) (citation omitted) (noting the pleading must give ample notice of the loss causation theory and provide the court some assurance the theory has a basis in fact). A plaintiff filing an ACFA fraud-by-omission claim, however, “faces a slightly more relaxed burden, due to the fraud-by-omission plaintiff’s inherent inability to specify the time, place, and specific content of an omission in quite as precise a manner.” Griffey, 562 F. Supp. 3d at 53–54. These plaintiffs must articulate the “how.” Id. at 54.

Plaintiffs appear to assert their claim based on nearly all conceivable theories: deceptive acts, deceptive practices, omissions, and concealment. (See Doc.
83 ¶ 268.) The parties’ dispute centers on the disclosures, or lack thereof, within Yuma Regional’s Notice of Privacy Practices and Privacy Policy and its alleged concealment or omission of the inadequacies of its security systems. (Doc. 90 at 22; Doc. 92 at 20–21; Doc. 83 ¶¶ 269–71.) As noted, Yuma Regional’s Notice of Privacy Practices states that it is “committed to protecting the confidentiality” of its patient’s medical information and its Privacy Policy on its website indicated that the patients could “expect that treatment records are confidential” absent their permission to release them. (Doc. 83 ¶¶ 31–32.)

The Court begins with Plaintiffs’ allegations to the extent they are based on affirmative deceptive acts or practices. An affirmative misrepresentation requires the plaintiff to have actually relied on the statement even if that reliance is unreasonable. Cheatham v. ADT Corp., 161 F. Supp. 3d 815, 825–26 (D. Ariz. 2016) (distinguishing this requirement from common law fraud claims). There are no factual allegations to support that Plaintiffs relied on any statements in the Privacy Policy listed on Yuma Regional’s website. (See, e.g., Doc. 83 ¶¶ 33, 275 (stating vaguely and in general terms that Plaintiffs “relied on these representations” and “relied on the concealed facts”).) For each Plaintiff, their allegations are nearly identical and assert that they were “provided and reviewed” only the Notice of Privacy Practices when receiving care. (See id. ¶¶ 47, 58, 70, 79, 89, 101, 113, 124, 137, 148, 158.)

Plaintiffs do not articulate how Yuma Regional stating that it is “committed to protecting” its patients’ confidential information is an actionable or deceptive misstatement of fact. Deceptive acts or practices include representations that have a “tendency or capacity” to convey misleading impressions to consumers. Madsen v. W. Am. Mortg. Co., 694 P.2d 1228, 1232 (Ariz. Ct. App.
1985) (noting “the test is whether the least sophisticated reader would be misled” from “all that is reasonably implied”). Subjective characterizations of a service do not give rise to a fraud claim because they do not describe a specific or absolute characteristic of the service that is objectively verifiable or false. See, e.g., Cheatham, F. Supp. 3d at 827–29 (discussing inactionable “puffery” in the context of an ACFA claim based on an affirmative statement). This Court has found similar statements inactionable as too far removed from being a statement of fact, including a statement that “we are committed to providing you with state-of-the-art equipment and service.” Id. at 822, 829. Here, the Court tends to agree with that outcome. Plaintiffs’ issue lies not with Yuma Regional’s commitment to protecting the information as a matter of objective fact but rather its adequacy in effectuating that commitment.4 Therefore, a theory premised on an affirmative and deceptive misrepresentation does not support Plaintiffs’ ACFA claim.

At its core, the substance of Plaintiffs’ claim is really premised on Yuma Regional omitting facts pertaining to how it would protect its patients’ confidential information. As such, Plaintiffs face a “slightly more relaxed burden” due to their “inherent inability to specify the time, place, and specific content of an omission in quite as precise a manner.” In re Banner Health Data Breach Litig., 2017 WL 6763548, at *7 (citation omitted). Here, Plaintiffs have specifically identified Yuma Regional’s Notice of Privacy Practices that allegedly omitted information about its inadequate data security systems. (See Doc. 83 ¶ 270.) Plaintiffs have also alleged that they relied on these omissions and were required to provide written acknowledgement that they received the Notice. (See id. ¶¶ 31, 33, 275.)
In accepting these allegations as true, which the Court must do at this stage, the Court finds these allegations sufficiently raise a plausible inference that Plaintiffs were aware of Yuma Regional’s privacy practices and would have acted differently had Yuma Regional disclosed the alleged security deficiencies. See, e.g., In re Banner Health Data Breach Litig., 2017 WL 6763548, at *7 (finding the plaintiff adequately stated a claim under similar circumstances). Therefore, the Court will deny Yuma Regional’s Motion to Dismiss on this ground.

IV. CONCLUSION

Accordingly,

IT IS HEREBY ORDERED granting in part Defendant’s Motion to Dismiss (Doc. 90). The Motion is denied as to Plaintiffs’ ACFA claim and granted as to all other claims.

IT IS FURTHER ORDERED dismissing Plaintiffs’ negligence, breach of implied contract, unjust enrichment, and breach of fiduciary duty claims in Doc. 83.

Dated this 13th day of August, 2025.

Honorable Susan M. Brnovich
United States District Judge

4 Additionally, Yuma Regional’s representation is essentially a generic pledge that it was committed to protect Plaintiffs’ information going forward. “When the promise is made without a present intent to perform, an action for fraud will lie.” Correa v. Pecos Valley Dev. Corp., 617 P.2d 767, 771 (Ariz. Ct. App. 1980); but see Powers v. Guar. RV, Inc., 278 P.3d 333, 338 (Ariz. Ct. App. 2012) (noting this does not require a specific intent to deceive). The fact that the breach later occurred does not provide a factual basis to establish intent. See, e.g., McAlister v. Citibank, 829 P.2d 1253, 1260 (Ariz. Ct. App. 1992) (explaining an intent not to perform must be established independent of a showing of a defendant’s failure to perform). All of Plaintiffs’ allegations relate to inadequacies revealed by the breach itself and based on post-hoc commentary, i.e., that there were gaps in the system, there was a small data security team, and there was allegedly inadequate training for employees. (See Doc. 83 ¶¶ 35–42.)