IN THE UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
) LISA VAUGHN BERNARDINO and ) NICOLE DELIA, on behalf of all others ) similarly situated, ) ) 1:24-cv-7595 Plaintiffs, ) v. ) Chief Judge Virginia M. Kendall ) HAH GROUP HOLDING, LLC D/B/A ) HELP AT HOME,
Defendant,
MEMORANDUM OPINION & ORDER Plaintiffs Lisa Vaughn Bernardino and Nicole Delia were patients of Help at Home, a national health services provider. Plaintiffs sued HAH Group Holding, LLC, after a data breach exposed their sensitive personal information. Plaintiffs bring eight claims: negligence, negligence per se, breach of express contract, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and declaratory judgment. (Dkt. 32; Amended Class Action Complaint). HAH moved to dismiss the complaint for lack of standing and failure to state a claim. (Dkt. 56). For the reasons below, the Court grants in part and denies in part this motion. BACKGROUND Unless otherwise noted, the following factual allegations are taken from Plaintiffs’ Amended Class Action Complaint (Dkt. 32) and are assumed true for purposes of this motion. W. Bend Mut. Ins. Co. v. Schumacher, 844 F.3d 670, 675 (7th Cir. 2016); Ctr. For Dermatology & Skin Cancer, Ltd. v. Burwell, 770 F.3d 586, 588 (7th Cir. 2014). HAH is a health services provider based in Chicago, Illinois, and serves patients in at least 12 states. (Dkt. 32 ¶ 2). Bernardino is a resident of Indiana, while Delia is a resident of New York. (Id. ¶¶ 18, 19). As patients of HAH, Plaintiffs entrusted the company to protect their personally identifiable information (PII), including protected health information (PHI). (Id. ¶ 1, 121, 125). During March 2024, HAH learned that unauthorized actors accessed their vendor’s
computer systems. (Id. ¶ 31). These unauthorized actors gained access to sensitive PII and PHI, including names, dates of birth, Social Security numbers, financial account numbers, passwords, and information about patients’ health insurance and treatment. (Id. ¶ 32). HAH notified its patients of the data breach in August of the same year, including Delia and Bernardino. (Id. ¶¶ 125, 1271). Delia’s notice letter stated that the data breach exposed her Social Security number, medical information, and date of birth. (Id. ¶ 127). Meanwhile, Bernardino’s letter generally stated, “that her [p]rivate [i]nformation had been included in the data breach.”2 (Id. ¶ 125). HAH offered a year of credit monitoring services to the Plaintiffs. (Id. ¶¶ 126, 128). Between March and May 2024, Delia experienced fraudulent charges on her credit card and saw her credit score drop into the 300s. (Id. ¶ 141). She also experienced an increase in spam phone calls and phishing emails
inquiring about her Social Security number. (Id. ¶ 139). Delia believes these issues result from her sensitive information appearing for sale on the dark web. (Id. ¶ 142). Bernardino fears that her information will appear on the dark web as well but does not provide any facts to support that it has already been posted. (Id. ¶ 137). The Plaintiffs allege they “suffered imminent and impending injury arising from the substantially increased risk of future fraud, identity theft, and misuse” of their sensitive data. (Id. ¶¶ 132, 134).
1 Plaintiffs’ Complaint is misnumbered and repeats Paragraph numbers 124-138 for both plaintiffs. This refers to ¶ 127 on page 31. 2 Unlike Delia, Bernardino does not allege that her letter listed any specific PII or PHI that the data breach exposed. (Id. at 28). The Plaintiffs brought this Amended Complaint for a putative class action during April 2025. (Dkt. 32). Delia and Bernardino allege negligence (Count I), negligence per se (Count II), breach of contract (Count III), breach of implied contract (Count IV), unjust enrichment (Count V), breach of fiduciary duty (Count VI), breach of confidence (Count VII), and declaratory
judgment (Count VIII). The Plaintiffs seek damages in addition to declaratory and injunctive relief. (Id. ¶¶ 296–305). HAH moved to dismiss the Amended Complaint for lack of standing under Federal Rule of Civil Procedure 12(b)(1) and, in the alternative, to dismiss each claim under Rule 12(b)(6). (Dkt. 56 at 1). LEGAL STANDARD Rule 12(b)(1) motions “are meant to test the sufficiency of the complaint, not to decide the merits.” Ctr. for Dermatology & Skin Cancer, Ltd. v. Burwell, 770 F.3d 586, 588 (7th Cir. 2014). While the plaintiffs bear the burden of showing that subject-matter jurisdiction is proper, the Court accepts the well-pleaded factual allegations in the plaintiffs’ complaint as true and draws reasonable inferences in their favor. Id. at 588–89. If the Court lacks subject-matter jurisdiction, it
must dismiss the action without reaching the merits. MAO-MSO Recovery II, LLC v. State Farm Mut. Auto. Ins. Co., 935 F.3d 573, 581 (7th Cir. 2019). To survive a motion to dismiss under Rule 12(b)(6), the complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Kaminski v. Elite Staffing, 23 F.4th 774, 776 (7th Cir. 2022) (quoting Fed. R. Civ. P. 8(a)(2)). The plaintiffs “must allege ‘enough facts to state a claim that is plausible on its face.’ ” Allen v. Brown Advisory, LLC, 41 F.4th 843, 850 (7th Cir. 2022) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible when the plaintiffs plead “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). Again, the Court accepts the plaintiffs’ well-pleaded factual allegations as true, drawing reasonable inferences in their favor. Id. (citing W. Bend, 844 F.3d at 675). DISCUSSION
I. Article III Standing Article III of the Constitution limits federal jurisdiction to “cases” and “controversies.” U.S. Const. art. III § 2; TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). Thus, the party “invoking the power of a federal court must demonstrate standing to do so.” Hero v. Lake Cty. Election Bd., 42 F.4th 768, 772 (7th Cir. 2022) (quoting Hollingsworth v. Perry, 570 U.S. 693, 704 (2013)). To have standing, a plaintiff must show: (1) an injury in fact; (2) traceable to the defendant; and (3) redressable by judicial relief. Pierre v. Midland Credit Mgmt., Inc., 29 F.4th 934, 937 (7th Cir. 2022); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). Plaintiffs need “standing for each claim that they press and for each form of relief that they seek.” TransUnion, 141 S. Ct. at 2208. And in a putative class action, each named plaintiff must
demonstrate “that they personally have been injured, not that injury has been suffered by other, unidentified members of the class.” Warth v. Seldin, 422 U.S. 490, 502 (1975). An adequate injury in fact is “concrete, particularized, and actual or imminent.” Ewing v. MED-1 Sols., LLC, 24 F.4th 1146, 1151 (7th Cir. 2022). Although a concrete injury need not be tangible, it must be “real,” rather than “abstract.” Id. (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016)); see also Markakos v. Medicredit, Inc., 997 F.3d 778, 781 (7th Cir. 2021) (noting that “a statutory violation alone” is not an injury in fact). Its presence (or lack thereof) is also decisive: “No concrete harm, no standing.” Ewing, 24 F.4th at 1151 (quoting TransUnion, 141 S. Ct. at 2200). Then, the actual-or-imminent element “ensure[s] that the alleged injury is not too speculative.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013). An injury is therefore imminent if the threat of future harm is “certainly impending;” the mere possibility of a future injury is not enough. Id. The Supreme Court's opinion in Spokeo, Inc. v. Robins recognized that an intangible injury
can be concrete if it has a “close relationship” to a traditionally recognized common-law harm. 578 U.S. at 340–41. A close relationship, the Court further explained in TransUnion LLC v. Ramirez, “does not require an exact duplicate in American history and tradition.” 594 U.S. 413 at 424; Ewing, 24 F.4th at 1151. Instead, the test is whether the plaintiff's injury has “a close historical or common-law analogue.” Ewing, 24 F.4th at 1151; see also Bost v. Illinois State Bd. of Elections, 146 S. Ct. 513, 524 (2026) (Barrett, J., arguing that a bespoke rule for candidates is out of step with the historical tradition assessment and concurring only in the judgment). To measure concreteness, courts “look to both history and Congress’s judgment.” Pucillo v. Nat’l Credit Sys., Inc., 66 F.4th 634, 639 (7th Cir. 2023). Concrete intangible injuries “include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion,
141 S. Ct. at 2204 (citations omitted). Prior to TransUnion, the Seventh Circuit explicitly found Article III standing in the context of data breaches. In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit upheld standing based on future risk, finding that the customers suffered imminent and impending injuries after a data breach exposed their credit card data. 954 F.3d 688, 693 (7th Cir. 2015); see also Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (“The plaintiffs have standing because the data theft may have led them to pay money for credit-monitoring services, because unauthorized withdrawals from their accounts cause a loss (the time value of money) even when banks later restore the principal, and because the value of one's own time needed to set things straight is a loss from an opportunity-cost perspective.”); Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1154–55 (7th Cir. 2020) (discussing the unlawful retention and collection of biometric data under the Illinois Biometric Information Privacy Act and analogizing to the common law tort claim for invasion of
privacy for standing purposes); cf. Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12 (2d Cir. 2017) (holding that the collection of biometric data for use in a company's video games did not raise a material risk of harm to plaintiffs sufficient to confer standing). Then, in TransUnion, the Supreme Court clarified that a substantial risk may support standing only for “forward-looking, injunctive relief to prevent harm from occurring.” TransUnion, 594 U.S. at 435 (citing Clapper, 586 U.S. at 414 n.5). By contrast, damages require a concrete harm that has already materialized. Id. at 436. See Pierre, 29 F.4th at 938 (“A plaintiff seeking money damages has standing to sue in federal court only for harms that have in fact materialized.”). Since then, some courts in this district have concluded “that the mere exposure of personal information in a data breach, absent some reason apart from the breach itself to believe
that identity theft or fraud is imminent, does not suffice to confer standing to sue for damages based on a risk of future harm.” See In re Mondelez Data Breach Litig., 2024 WL 2817489, at *3 (N.D. Ill. June 3, 2024) (collecting cases). The Seventh Circuit itself has referenced Remijas and Lewert as “not [] no longer authoritative” but, post-TransUnion, best understood as cases where “plaintiffs had sufficiently alleged a substantial risk of future harm stemming from breaches of their credit-card information. . . . [deriving from] the common-sense observation that hackers steal private credit-card information for a primary purpose: ‘to make fraudulent charges or assume consumers' identities.’ ” Dinerstein v. Google, LLC, 73 F.4th 502, 516 (7th Cir. 2023) (cleaned up). With this in mind, the Court turns to the alleged facts. A. Imminent Injury HAH argues that the Plaintiffs cannot sustain Article III standing because the alleged future injuries are too speculative. (Dkt. 56 at 4). This Court disagrees. The Plaintiffs allege that their sensitive private information—potentially including their social security numbers, medical
information, financial account numbers, and dates of birth—leaked to unauthorized parties. (Dkt. 32 ¶¶ 6, 32, 124, 127). The Seventh Circuit has recognized that the increased risk of identity theft and fraud after a data breach is sufficient to sustain Article III standing for forward-looking remedies, and the Plaintiffs allege exactly that. Lewert, 819 F.3d 963 (upholding standing where a data breach increased the risk of fraudulent charges and identity theft). While Lewert and Remijas centered on exposed credit card information, the Court finds an even more substantial risk of injury here. In addition to the exposure of medical information, HAH’s data breach notice letter to Delia acknowledged that hackers gained access to her Social Security number. (Dkt. 32 ¶ 127). HAH also argues that Article III standing for the Plaintiffs requires a long chain of causal inferences, but this is not the case. (Dkt. 56 at 5). While listing out each incremental step in
commoditizing PII makes it seem like an attenuated process, common sense suggests otherwise. “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Remijas, 794 F.3d at 694. HAH’s exposed clients, like Delia and Bernardino, “should not have to wait until hackers commit identity theft or credit-card fraud in order to give class standing.” Id. at 693. The Plaintiffs sufficiently alleged that the exposure of their data could lead to a variety of crimes involving fraud and identity theft. (Dkt. 32 ¶ 8). The Court, therefore, finds that the Plaintiffs have made sufficient allegations for forward-looking relief. B. Actual Injury “[I]n a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 594 U.S. at 436 (emphasis in original). In assessing
concrete harm, the Court looks first to Delia’s claims. On that front, HAH fails to convince this Court that Delia’s fraudulent charges are not sufficiently connected to the alleged incident or described with particularity. (Dkt. 56 at 6). HAH notified Delia that the data breach exposed her Social Security number and date of birth. (Dkt. 32 ¶ 127). It seems rather clear how a bad faith actor could use this information to access a credit card account. Additionally, the Plaintiffs have alleged that the hackers may have used a “fullz package” to fill in any information gaps. (Id. ¶¶ 87, 89). See, e.g., Fox v. Iowa Health System, 399 F. Supp. 3d 780, 789 (W.D. Wis. 2019) (“A fullz package is a dossier that compiles information about a victim from a variety of legal and illegal sources. Hackers can take information obtained in one data breach and cross-reference it against information obtained in other hacks and data breaches.”). The Court recognizes that the
Plaintiffs do not detail the monetary value or number of fraudulent charges in their Amended Complaint, but the Court accepts as true that Delia closed her credit card and experienced a drop in her credit score. (Dkt. 32 ¶ 140). The Court, then, finds that Delia’s fraudulent credit card charges can support Article III standing at this juncture. Bernardino’s case is a closer call. Some of her arguments as to standing are clearly without merit. First, while Bernardino alleged to have suffered “diminution in the value of her personal, health, and financial information” (Id. ¶ 136), neither the Seventh Circuit nor the Northern District has ever accepted this theory. Remijas, 794 F.3d at 695; Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 912-13 (7th Cir. 2017); Kylie S. v. Pearson PLC, 475 F. Supp. 3d 841, 849 (N.D. Ill. 2020). Next, Bernardino claims to suffer anxiety because of this data breach. (Dkt. 32 at 30). Once again, this does not suffice. Wadsworth v. Kross, Lieberman & Stone, Inc., 12 F.4th 665, 668 (7th Cir. 2021) (finding that “anxiety and embarrassment are not injuries in fact”); accord Florence v. Ord. Express, Inc., 674 F. Supp. 3d 472, 482 (N.D. Ill. 2023). Bernardino also falls short by
alleging she lost the benefit of the bargain because of HAH’s inadequate security measures. (Dkt. 32 ¶ 169). Dinerstein v. Google, LLC, 484 F. Supp. 3d 561, 591 (N.D. Ill. 2020), aff’d as modified, 73 F.4th 502 (7th Cir. 2023); Lewert, 819 F.3d at 968; Remijas, 794 F.3d at 695. From there, the question becomes a closer one. This Court has previously found standing based on a data breach’s close common-law analogue to the loss of privacy3—specifically, the disclosure of private information. Florence, 674 F. Supp. 3d at 481. In Florence, however, the plaintiffs alleged that “six gigabytes of customer data appeared for sale on the dark web.” Id. at 476 (internal quotations omitted). Based on the facts, the Court could reasonably infer that hackers published the plaintiffs’ data. Id. at 479. By contrast, here, Bernardino simply theorizes that the hackers could put her data on the dark web. (Dkt. 32 ¶ 118). Unlike Delia, who experienced
fraudulent charges and received spam messages, Bernardino alleged no facts suggesting that the hackers disseminated her data. If Bernardino squarely alleged evidence that suggested hackers did, in fact, publish her data, this would be an easier call. At most, Bernardino alleges she spent time addressing the consequences of the data breach, (Dkt. 32 ¶¶ 134, 137, 165). Notably, Bernardino has not alleged any corresponding out-of-pocket costs. While Dinerstein discussed the post-TransUnion viability of Remijas and Lewert, it did so specifically in the context of the future risk of harm (i.e., injunctive relief, not damages). Cf. In re
3 The term “invasion of privacy” encompasses “four theories of wrongdoing: intrusion upon seclusion, appropriation of a person's name or likeness, publicity given to private life, and publicity placing a person in a false light.” Pucillo v. Nat’l Credit Sys., Inc., 66 F.4th 634, 639–40 (7th Cir. 2023). Mondelez Data Breach Litigation, 2024 WL 2817489, at *3 (borrowing the Dinerstein language but applying it to find an injury-in-fact). In summary, while both Bernardino and Delia sufficiently allege imminent harm supporting forward-looking remedies, only Delia alleges sufficient facts to support damages.
Lujan, 504 U.S. at 561 (each element of standing “must be supported . . . with the manner and degree of evidence required at the successive stages of the litigation”). Because the Plaintiffs can both support at least injunctive relief, they also can support declaratory judgment. See Amling v. Harrow Indus. LLC, 943 F.3d 373, 377 (7th Cir. 2019) (explaining the coextensive requirements of Article III and the Declaratory Judgment Act). Although the Plaintiffs’ split on damages complicates the putative class, the Court recognizes that it may consider Federal Rule of Civil Procedure 23(c)(5) at a later date. II. Choice of Law HAH claims that Illinois law should not apply to the Amended Complaint under the state’s choice of law rules. (Dkt. 56 at 12–13). A federal court sitting in diversity jurisdiction applies the
choice-of-law principles of the forum state to determine what substantive state law to apply. Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496 (1941); see also Heiman v. Bimbo Foods Bakeries Distrib. Co., 902 F.3d 715, 718 (7th Cir. 2018). Illinois’s approach mirrors the Second Restatement of Conflicts, applying the most significant relationship test for tort law and the most significant contacts test for contracts. Fredrick v. Simmons Airlines, Inc., 144 F.3d 500, 503-04 (7th Cir. 1998) (torts); Abrams v. Unity Mut. Life Ins. Co., 70 F. Supp. 2d 846, 849 (N.D. Ill. 1999), aff’d, 237 F.3d 862 (7th Cir. 2001) (contracts). The Court, however, forgoes a full choice of law analysis at this juncture. As the Seventh Circuit has stated, “the choice-of-law issues in nationwide class actions are rarely so uncomplicated that one can delineate clear winning and losing arguments at an early stage in the litigation.” Mirfasihi v. Fleet Mortg. Corp., 450 F.3d 745, 750 (7th Cir. 2006). Conducting such an analysis before class certification would require facts the Court simply does not have yet. Joseph v. TGI Friday’s, Inc., 2022 WL 17251277, at *10 (N.D. Ill. 2022) (reasoning that the court
“need[ed] additional factual development to determine whether any of the alleged differences in state law create a conflict for [p]laintiff and potential class members or whether the class device may be manageable and otherwise appropriate”). HAH seems to implicitly agree, pointing out that the Complaint does not allege where the relevant “data is located, where the alleged conduct occurred, where each Plaintiff received services, or where the alleged ‘harms’ were suffered.” (Dkt. 56 at 13). For this exact reason, the Seventh Circuit disfavors making a choice of law at this stage. Furthermore, HAH failed to show that a dispositive conflict in law exists. A federal court sitting in diversity in Illinois must perform a choice of law analysis when the laws of two different states conflict so much that the difference between the relevant laws will affect the outcome. Sosa
v. Onfido, 8 F.4th 631, 637 (7th Cir. 2021). Otherwise, forum law applies. Id. HAH never detailed any substantive departures in the laws of Illinois, Indiana, and New York. Instead, HAH originally argued that “[r]egardless of which state’s laws apply, Plaintiffs’ claims do not pass muster,” (Dkt. 56 at 13) and repeatedly argued across claims that each state’s laws would require the same result. (Id. at 13, 14, 16, 17, 18, 19, 20). In a footnote within their Reply Brief, HAH argues that they acknowledged meaningful distinctions across jurisdictions. (Dkt. 58 at 4 n.1). They did not. The Court proceeds to apply Illinois law for the purposes of this motion. III. Stating a Claim A. Negligence
HAH moves to dismiss the Plaintiffs’ negligence claim. A plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) the defendant breached that duty, and (3) the breach was the proximate cause of the plaintiff's injuries. Cowper v. Nyberg, 28 N.E.3d 768, 772 (Ill. 2015). HAH advances two arguments to support dismissing Count I: that Plaintiffs did not sufficiently allege a duty of care and that the economic loss doctrine should apply. (Dkt. 56 at 13–15). To start, the Plaintiffs did allege a duty of care. (Dkt. 56 at 14). In Flores v. Aon Corporation, an Illinois appellate court reasoned that a common-law duty exists when a sophisticated enterprise stores its client’s sensitive personal information. N.E.3d at 356. While Aon provided cybersecurity services to some clients, this Court recognizes that HAH operates a
national health services business with thousands of patients. (Dkt. 32 ¶ 25). These alleged facts would suggest a high degree of competence in safeguarding PHI and PII, justifying the same common-law duty invoked in Flores. See also Wittmeyer v. Heartland All. for Hum. Needs & Rts., No. 23 CV 1108, 2024 WL 182211, at *4 (N.D. Ill. 2024) (“declin[ing] to find, as a matter of law, that Heartland owed no duty to the plaintiffs to safeguard their personal information.”).4 Furthermore, the Supreme Court of Illinois has made it clear that the economic loss doctrine, also known as the Moorman doctrine, should not apply to this case. The doctrine only
4 In both of their briefs, HAH cites inapplicable Eighth Circuit precedent to claim that Plaintiffs failed to allege a duty of care. (Dkt. 56 at 14, Dkt. 58 at 5). As another court in the Northern District has made clear about that case, “Kuhns does not discuss the applicability of a legal duty.” See In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 591 (N.D. Ill. 2022). applies to the service industry, like home health services, “where the duty of the party performing the service is defined by the contract that he executes with his client.” Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994). If the duty arises outside of the express contract, the doctrine does not apply. Id. As previously stated, the Plaintiffs
plausibly allege a common-law duty to protect their data. HAH points out that, unlike in Flores, the Plaintiffs allege an express contract, which would ostensibly suggest that the parties could have allocated economic risk. (Dkt. 58 at 5). HAH, however, wants to have their cake while eating it too, arguing separately that no contract pertaining to the data exists. (Dkt. 56 at 16). As explained below, this Court agrees with HAH that no express contract exists. How, then, would the parties allocate these economic risks? HAH leaves the Court with no answer. Thus, the Court does not dismiss the negligence claim. B. Negligence Per Se The Plaintiffs also bring a separate count for negligence per se, alleging that HAH breached statutory duties stemming from federal law. Specifically, Plaintiffs argue these duties stem from
Section 5 of the Federal Trade Commission Act and the Health and Insurance Portability and Accountability Act, 42 U.S.C. § 1302 et seq. (Dkt. 32 ¶ 212).5 Typically, the common law defines a duty of care owed by a defendant. Cuyler v. Illinois, 362 F.3d 949, 952 (7th Cir. 2004). Illinois law, however, provides that statutes or ordinances designed to protect human life or property may establish the relevant standard of care. See Price ex rel. Massey v. Hickory Point Bank & Tr., Tr. No. 0192, 841 N.E. 2d 1084, 1089 (Ill. App. Ct. 2006). Illinois law recognizes negligence per se only as “prima facie evidence of negligence, unless the legislature clearly intends to impose strict liability.” Abbasi ex rel. Abbasi v. Paraskevoulakos, 187 2d 386, 395 (Ill. 1999). In other words,
5 Plaintiffs specifically cite to § 1032(d), which does not exist. (Dkt. 32 at 52); see 42 U.S.C. § 1302. The Court still considers § 1302. for Plaintiffs to allege a separate cause of action for negligence per se under Illinois law—and not simply evidence of a breach of duty—Congress must have intended to create strict liability. Another court in the Northern District rejected identical claims in Wittmeyer, and this Court agrees with the reasoning laid out there. Wittmeyer, 2024 WL 182211 at *4 (dismissing the
negligence per se count after finding that the plaintiffs failed to allege a strict liability claim); see also Int’l Tax Advisors, Inc. v. Tax L. Assocs., LLC, 2011 WL 612093 (N.D. Ill. 2011), at *5 (finding no private right of action under the FTCA); Butler v. Illinois Dep’t of Transp., 53 F. Supp. 2d 821, 827 (N.D. Ill. 2008) (finding that HIPAA did not create a private right of action). The Plaintiffs argue that they are not pursuing a private cause of action but that HAH’s “violations of these statutes evince Defendant’s breach of its duty to protect sensitive PII and PHI.” (Dkt. 57 at 13). To the extent that this negligence per se theory has any merit, it supports Count I and does not warrant a separate claim. Wittmeyer, 2024 WL 182211 at *4. Because Count II is not supported by a separate cause of action, the Court dismisses accordingly. C. Breach of Express Contract
Count III alleges that HAH breached their express services contract when the data breach occurred, claiming that a separate “[p]rivacy [p]olicy memorialized the rights and obligations of HAH and its patients.” (Dkt. 32 ¶ 226). HAH argues that the Complaint lacks sufficient facts to demonstrate the terms and formation of an express contract. (Dkt. 56 at 16). Under Illinois law, breach of an express contract requires “(1) offer and acceptance, (2) consideration, (3) definite and certain terms, (4) performance by the plaintiff of all required conditions, (5) breach, and (6) damages.” Ass’n Ben. Servs., Inc. v. Caremark RX, Inc., 493 F.3d 841, 849 (7th Cir. 2007) (citing MC Baldwin Fin. Co. v. DiMaggio, Rosario & Veraja, LLC, 845 N.E.2d 22, 30 (Ill. App. Ct. 2006)). Determining whether an express contract exists is a matter of law in Illinois. Id. at 849– 50. Plaintiffs provide no evidence that the privacy policy either operated as a separate enforceable contract or that the services contract effectively incorporated it. First and foremost, it
is unclear whether the Plaintiffs even allege that the privacy policy could operate as an independent, express contract. The Plaintiffs do not allege any of the contract elements with respect to the privacy policy. (Dkt. 32 ¶¶ 224–234). Under Illinois law, no contract exists where these elements are not definite and certain. Ass’n Ben. Servs., Inc., 493 F.3d at 849–50. Second, and perhaps more importantly, the Plaintiffs do not allege that the services contract explicitly incorporated the privacy policy. Instead, they simply state that the policy “was provided to Plaintiffs and [c]lass members in a manner in which it became part of the agreement for services.” (Dkt. 32 ¶ 226). The Court is left to guess as to how. Comparable cases in this District have dismissed complaints that lack essential facts regarding contract incorporation before. See, e.g., Wittmeyer, 2024 WL 182211 at *4 (dismissing an express breach of contract claim after finding
the complaint “devoid of any allegations that the plaintiffs were required to read or agree to either of the privacy documents in order to receive services.”). Wittmeyer also noted that no contract expressly incorporated the relevant privacy policy. Id. Neither theory, then, can support an express breach of contract claim. The Plaintiffs have not alleged in any meaningful way that the privacy policy operates as an express contract or that the services agreement incorporates the policy. Thus, the Court dismisses Count III. D. Breach of Implied Contract In the alternative, the Plaintiffs argue in Count IV that HAH breached an implied contract. (Dkt. 32 ¶ 236). The elements of an implied contract parallel those of an express contract under Illinois law, but a court may determine the terms of an implied contract based on the parties’ conduct. Gociman v. Loyola Univ. of Chi., 41 F.4th 873, 883 (7th Cir. 2022). The Plaintiffs allege that they “turned over valuable [p]rivate [i]nformation to HAH” and “[a]ccordingly, Plaintiffs and Class Members bargained with HAH to securely maintain and store their [p]rivate [i]nformation.”
(Dkt. 32 ¶ 239). HAH moves to dismiss, arguing that collecting data was merely incidental to providing services and that the Plaintiffs cannot speak clearly as to what level of data security was promised. (Dkt. 56 at 17). The Amended Complaint plausibly alleges an implied contract. Once again, the Court finds Wittmeyer particularly instructive. There, the court reasoned that “[i]t can be inferred from the plaintiffs’ relationship to Heartland (as clients) and the requirement that the plaintiffs provide sensitive information to Heartland as a condition of receiving its services that Heartland, in turn, would keep this information private and protect it from unauthorized disclosures.” Wittmeyer, 2024 WL 182211 at *5. Similar logic applies here. It does not require a stretch of the imagination to think that a “meeting of the minds” occurred when Plaintiffs provided HAH with their sensitive
personal information. See In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 591 (N.D. Ill. 2022) (stating that an implied contract still requires mutual assent under Illinois law); (Dkt. 32 at 56). Furthermore, HAH cannot credibly argue that the Plaintiffs did not allege the covered data security measures. The Plaintiffs listed out eight implied promises pertaining to data security in the Amended Complaint.6 Based on the alleged facts, the Court concludes that an implied contract could exist between the Plaintiffs and HAH. This case departs from Wittmeyer, however, with regard to alleged damages. Recall that Delia experienced fraudulent charges on her credit card, while Bernardino did not allege any
6 The Plaintiffs allege that an implied contract covers the following implied promises: “(1) taking steps to ensure that anyone who is granted access to [p]rivate [i]nformation also protect the confidentiality of that data; (2) taking steps to unexpected expenses. (Id. at 28–31, 33). In Illinois, a plaintiff must allege “an actual loss or measurable damages resulting from the breach.” Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 832 (Ill. 2005). In Wittmeyer, the relevant plaintiff claimed that time spent responding to a data breach amounted to sufficient monetary damages. 2024 WL 182211 at *6. Both Plaintiffs
here allege the same theory. (Dkt. 32 ¶¶ 134, 136). The Wittmeyer court rejected that reasoning, highlighting that an Illinois appellate court recently “decline[d] to hold that the alleged diminution in value of plaintiffs’ personal information amounts to actual monetary damages.” Flores, 242 N.E. at 356; see also 2024 WL 182211 at *6 (quoting Flores, 242 N.E. at 356 (holding that the lost-time theory stems from federal law, not Illinois state law)). Yet, as another district court pointed out in permitting a “lost-time damages theory” to go forward, the Seventh Circuit has observed that in the data breach context, “the value of one’s own time needed to set things straight is a loss from an opportunity-cost perspective. These injuries can justify money damages, just as they support standing.” In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 587 (N.D. Ill. 2022) (quoting Dieffenbach, 887 F.3d at 828 (emphasis
added)). Without guidance from the Illinois Supreme Court, this Court hesitates to diverge from the Dieffenbach language, at least at this stage in the proceeding. See Reiser v. Residential Funding Corp., 380 F.3d 1027, 1029 (7th Cir. 2004) (explaining that “decisions of intermediate state
ensure that the [p]rivate [i]nformation that is placed in the control of its employees is restricted and limited to achieve an authorized business purpose; (3) restricting access to qualified and trained employees and/or agents; (4) designing and implementing appropriate retention policies to protect the [p]rivate [i]nformation against criminal data breaches; (5) applying or requiring proper encryption; (6) implementing multifactor authentication for access; (7) complying with HIPAA standards to make sure that Plaintiffs’ and Class Members’ PHI would remain protected; and (8) taking other steps to protect against foreseeable data breaches.” (Id. at 54). courts,” which are themselves “just prognostications,” do not “liberate district judges from the force of” an interpretation of state law in a binding decision of the United States Court of Appeals). Further, at least with regard to Delia: there are alleged actual monetary damages here. The complaint states that Delia experienced fraudulent charges, closed her credit card account, and
suffered a subsequent drop in her credit score. (Dkt. 32 ¶¶ 140, 141). Because Delia’s notice letter did not state that the data breach exposed her credit card information, HAH contests that these fraudulent charges resulted from the incident. (Dkt. 56 at 6). Recall, however, the letter stated that her “Social Security number, medical information, and date of birth” were exposed. (Dkt. 32 ¶ 127). Based on these allegations, the Court may reasonably infer that an individual equipped with Delia’s most confidential personal information could find a way to access her credit card account. At the very least, the fraudulent charges would appear to fit the plain meaning of actual damages.7 Taking the facts as alleged as true, one may reasonably infer that an implied contract existed and that the fraudulent charges flowed from the alleged breach. Therefore, the Court denies the Motion to dismiss Count IV.
E. Unjust Enrichment In the alternative to their breach of contract claims, the Plaintiffs argue unjust enrichment. (Dkt. 32 ¶ 259). This Court found a cognizable breach of implied contract, but in the alternative, briefly addresses the unjust enrichment claim. To make a valid unjust enrichment claim, “a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit
7 The complaint does not address whether the credit card company cancelled these charges or reimbursed Delia. (Id. at 33–34). A real complication could arise if the fraudulent charges did not result in out-of-pocket expenses. See, e.g., Dieffenbach v. Barnes & Noble, Inc., 886 F.3d 826, 830 (7th Cir. 2018) (“Money out of pocket is a standard understanding of actual damages in contract law”). This Court infers that she did not receive reimbursement, however, given that Delia canceled her credit card and experienced a drop in her credit score. violates the fundamental principles of justice, equity, and good conscience.” HPI Health Care Services, Inc. v. Mt. Vernon Hospital, Inc., 545 N.E.2d 672 (1989). Illinois law does not consider unjust enrichment an independent cause of action but a “condition that may be brought about by unlawful or improper conduct as defined by law.” Flores, N.E.3d at 356 (quoting Charles Hester
Enterprises, Inc. v. Illinois Founders Insurance Co., 484 N.E.2d 349 (Ill. App. Ct. 1985), aff’d, 499 N.E.2d 1319 (Ill. 1986)). This Court rejects the alternative unjust enrichment claim. Transferring sensitive data as part of a contract—either implied or express—does not confer an additional benefit but instead satisfies a necessary and incidental act to that contract. Id. at 357 (reasoning that plaintiffs providing personal information was not payment for services but incidentally and administratively necessary); Irwin v. Jimmy John’s Fran., LLC, 175 F. Supp. 3d 1064 (C.D. Ill. 2016) (rejecting a similar theory of unjust enrichment because the collection of sensitive information “was merely incident” to plaintiff’s purchase). Additionally, the third-party hackers benefitted from the data breach, not HAH. Gallagher, 631 F. Supp. 3d at 592. Finally, the Central District of Illinois
rejected a very similar unjust enrichment claim for being too vague when the plaintiffs could not allege with any specificity what portion of their payment went towards data protection. Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 766 (C.D. Ill. 2020). It seems for multiple reasons that Plaintiffs cannot allege a valid unjust enrichment claim. The Court dismisses accordingly. F. Breach of Fiduciary Duty In Count VI, the Plaintiffs encourage the Court to recognize a breach of fiduciary duty currently foreign to Illinois law. (Dkt. 32 ¶ 272). To the best of this Court’s knowledge, Illinois law has never recognized a fiduciary duty between a home services provider and its patients. The Seventh Circuit has consistently held that it is not the place of federal courts to break new ground on state law. Roppo v. Travelers Com. Ins. Co., 869 F.3d 568, 596 (7th Cir. 2017) (quoting Lopardo v. Fleming Cos., Inc., 97 F.3d 921, 930 (7th Cir. 1996)); Insolia v. Philip Morris Inc., 216 F.3d 596, 607 (7th Cir. 2000). Supporting this dismissal further, the Supreme Court of Illinois rejected a fiduciary duty claim against a physician when it duplicated “the same operative facts and
result[ed] in the same injury” as a separate negligence claim brought in the same case. Neade v. Portes, 739 N.E.2d 496, 500 (Ill. 2000) (“We determine that plaintiff's breach of fiduciary duty claim is a re-presentment of her medical negligence claim.”). In accordance with both principles, this Court dismisses Count VI. G. Breach of Confidence The Plaintiffs put forward a similarly novel claim in Count VII, arguing that HAH breached a duty of confidence stemming from an established confidential relationship. (Id. ¶ 285). The Plaintiffs concede that “Illinois courts have not yet addressed breach of confidence in the data breach context.” (Dkt. 57 at 19). Recognizing that state courts have yet to weigh in on whether Illinois common law provides a cause of action under these circumstances, at least one other court
in the Northern District has declined to recognize this novel claim. Dinerstein v. Google, LLC, 484 F. Supp. 3d 561, 595 (N.D. Ill. 2020), aff’d as modified, 73 F.4th 502 (7th Cir. 2023). Once again, this Court follows the Seventh Circuit’s guidance regarding novel questions of state law. See Roppo, 869 F.3d at 596. This predisposition is only strengthened in circumstances such as this one where Plaintiffs’ ability to establish the requisite confidential relationship is tenuous, even setting aside the novelty aspect. See Kurowski v. Rush Sys. for Health, 683 F. Supp. 3d 836, 845 (N.D. Ill. 2023) (concluding that Illinois law likely does not recognize a breach of confidentiality when a hospital discloses PII without the patient’s consent). The Court dismisses Count VII. H. Declaratory Judgment In Count VIII, the Plaintiffs argue for declaratory judgment. Plaintiffs seem to confuse
declaratory relief—a remedy—with a cause of action. See Wittmeyer, 2024 WL 182211 at *7 (N.D. Ill. 2024) (explaining this important distinction to at least one of the Plaintiff’s counselors currently before this Court). The Court dismisses Count VIII accordingly. The Court’s dismissal of this claim does not bear on the merits as to whether the Plaintiffs are entitled to a declaratory judgment as a form of relief moving forward. See Garrard v. Rust-Oleum Corp., 575 F. Supp. 3d 995, 1004 (N.D. Ill. 2021).
CONCLUSION For the reasons above, the Court grants in part and denies in part HAH’s motion to dismiss the complaint for lack of standing and failure to state a claim. [56] Specifically, the Court dismisses
Counts II, III, V, VI, VII, and VIII as it pertains to the Plaintiffs. Because they are novel state law claims, the Court dismisses Counts VI and VII without prejudice, but accordingly dismisses Counts II, III, V and VIII with prejudice. Counts I (negligence) and IV (breach of implied contract) can proceed. The parties should note that only Delia, and any subclass that she may represent, can seek damages moving forward. Both Plaintiffs can support injunctive and declaratory relief. The class certification briefing schedule remains as laid out during the parties’ status hearing on December 17, 2025. [55] £3 la”
ginia M. Kendall UniteY States District Judge Date: May 19, 2026