UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION JENNIFER RODRIGUEZ,
Plaintiff, Case No. 24-11576 Honorable Laurie J. Michelson v.
CRG LYNWOOD LLC d/b/a LYNWOOD MANOR,
Defendant.
OPINION AND ORDER GRANTING IN PART DEFENDANT’S MOTION TO DISMISS [15] This case arises from a data breach at Lynwood Manor. Jennifer Rodriguez used to work for Lynwood as a nurse aide. Many years after she left the company, hackers “potentially accessed and acquired” the Social Security numbers, driver’s license numbers, dates of birth, and medical diagnoses of about 6,500 of Lynwood’s current and former employees and patients. One of those former employees was Rodriguez. Shortly after receiving notice that her personally identifiable information may have been compromised, Rodriguez filed this lawsuit on behalf of herself and the other 6,500 or so affected people. She claims that Lynwood was negligent and that it breached an implied agreement to keep her data secure. In exhaustive fashion, Lynwood asks this Court to dismiss Rodriguez’s amended complaint. For the reasons set out below, the Court will GRANT IN PART and DENY IN PART Lynwood’s motion. Lynwood Manor provides medical care and assisted-living services. (ECF No.
14, PageID.237; ECF No. 1-1, PageID.44.) It outsources some of its administrative operations, including its network infrastructure, to non-party Excelerate Healthcare Services. (ECF No. 1-1, PageID.44.) In July 2021, Excelerate experienced a “cybersecurity incident.” (Id.) Initially, it appeared that Lynwood’s data had not been impacted, but about a year after the incident, Lynwood learned that some “patient information may have been impacted.” (Id.) This prompted Lynwood to hire a third party to investigate. (Id.) The
investigation took a while, and it was not until June 2024—nearly three years after the data breach—that Lynwood sent letters to the 6,500 or so people who had potentially been affected. (Id.) One of the people to receive the news was Jennifer Rodriguez. (See ECF No. 1- 1, PageID.44.) About 10 years before the data breach, Rodriguez had worked for Lynwood as a nurse aide. (ECF No. 14, PageID.234.) When she was hired, Rodriguez
gave Lynwood some of her personally identifiable information. (See id.) The data- breach letter informed Rodriguez that some of that information had been “potentially” compromised: “Although Lynwood has no evidence that any sensitive information has been misused by third parties as a result of [the July 2021 cybersecurity] incident, we are notifying you out of an abundance of caution and for purposes of full transparency.” (ECF No. 1-1, PageID.44.) The letter continued, “Based on [the third-party] investigation, the following data was potentially accessed and acquired by a person not authorized to view them: Social Security Number, Date of Birth, Driver License or State ID Number, Medical Diagnosis Information.” (Id.)
Although she has not alleged any misuse or even attempted misuse of her data, Rodriguez is worried about that possibility. She explains that she is generally “very careful” about sharing her sensitive identifying and health information. (ECF No. 14, PageID.235.) Rodriguez says that since learning of the data breach she “checks her bank accounts, credit cards and credit report regularly, spending substantial time just monitoring accounts.” (Id. at PageID.251.)
About a week after receiving the June 2024 letter, Rodriguez filed this lawsuit. (See ECF No. 1.) She claims that, among other things, Lynwood failed to dispose of her personal information after it was no longer needed and failed to keep the information encrypted. (ECF No. 14, PageID.245–246.) According to Rodriguez, Lynwood’s failures to adequately protect her data amount to negligence and breach- of-implied-contract under Michigan law. (Id. at PageID.258, 261.) And while not at issue now, Rodriguez seeks to represent, as a class, the 6,500 other people whose data
may also have been compromised in the breach. (See id. at PageID.254.)
Lynwood asks the Court to dismiss this case. (ECF No. 15.) Truly leaving no stone unturned, Lynwood says that Rodriguez’s amended complaint fails for all kinds of reasons. First, Lynwood says dismissal under Federal Rule of Civil Procedure 12(b)(1) is warranted because Rodriguez lacks standing to pursue the claims in her complaint. (Id. at PageID.281–292.) It then makes several arguments for dismissal under Federal Rule of Civil Procedure 12(b)(6). Just to list a few, Lynwood asserts that a collective bargaining agreement precludes Rodriguez’s claims, that her
negligence claim fails because she has not alleged any physical injuries, and that her breach-of-implied-contract claim fails because she has not adequately pled mutual assent. (Id. at PageID.294–302.)
For a federal court like this one to hear Rodriguez’s claims, she must first establish her “standing” to bring them. See TransUnion LLC v. Ramirez, 594 U.S.
413, 423 (2021). In particular, Rodriguez must show that she suffered an “injury in fact” that is traceable to Lynwood and redressable by the Court. See id. At the pleading stage, Rodriguez only needs to allege facts that, when assumed true, make a plausible claim that she has standing. See Ass’n of Am. Physicians & Surgeons v. U.S. Food & Drug Admin., 13 F.4th 531, 544 (6th Cir. 2021). Lynwood asserts that Rodriguez has not suffered an injury-in-fact and, even if she has, that the injury is not traceable to it. The Court takes up injury-in-fact first.
To satisfy the injury-in-fact requirement, the plaintiff has the burden of pleading (and ultimately proving) that her injury is “concrete, particularized, and actual or imminent.” TransUnion, 594 U.S. at 423. No one disputes that Rodriguez has satisfied the particularity requirement. At issue is whether Rodriguez has suffered a “concrete” and “actual or imminent” injury. An injury is “actual” where the plaintiff’s legal right has been “frustrated” or “impeded,” Lewis v. Casey, 518 U.S. 343, 353 (1996), or where such an injury is “certainly impending,” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 401 (2013). And to be concrete, an injury “must actually
exist”—it must be “real, and not abstract.” Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016) (internal quotation marks omitted). Further, because “standing is not dispensed in gross,” DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 353 (2006), the Court will separately evaluate each alleged injury under those two standards. Indeed, a determination that one of Rodriguez’s alleged injuries is concrete and actual or imminent, such that she may seek relief for
that injury, does not mean that she may seek relief for a different, abstract injury. Friends of the Earth, Inc. v. Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 185 (2000) (“[A] plaintiff must demonstrate standing separately for each form of relief sought.”); see DaimlerChrysler, 547 U.S. at 351–54 (declining to extend concept of supplemental jurisdiction to standing because a plaintiff must separately establish standing for each claim and for “each form of relief sought”); Kanuszewski v. Mich. Dep’t of Health & Hum. Servs., 927 F.3d 396, 406 (6th Cir. 2019) (“[W]ithin each claim we must
determine whether the alleged harm affords Plaintiffs standing to seek injunctive and declaratory relief, or only damages.”). So what are Rodriguez’s alleged injuries? Reading Rodriguez’s amended complaint in the light most favorable to her, Thomas v. Montgomery, 140 F.4th 335, 339 (6th Cir. 2025), Rodriguez has alleged three injuries stemming from the data breach. For one, Rodriguez claims that her privacy was violated. (See ECF No. 14, PageID.252, 254 (noting disclosure of the “most intimate details about a person’s life” resulting in “embarrassment”); see also ECF No. 15, PageID.280.)
For two, Rodriguez says that the data breach has increased the risk that she will be the victim of fraud or identity theft. (See, e.g., ECF No. 14, PageID.234–235, 246.) Rodriguez adds that she has already been injured by this risk because she has spent time and energy mitigating it. (See ECF No. 24, PageID.253.) And, finally, Rodriguez asserts that the value of her private information was diminished when hackers stole her data. (ECF No. 14, PageID.253.)
The Court analyzes Rodriguez’s alleged privacy injury first. The “actual or imminent” requirement seems straightforward: the data breach already happened, and so if hackers accessed Rodriguez’s data, her right to privacy has already been “frustrated” or “impeded.” Lewis, 518 U.S. at 353. But the wording of the breach letter complicates the analysis a bit. It reads, “Based on [a third-party] investigation, the following data was potentially accessed and acquired by a person
not authorized to view them: Social Security Number . . . Medical Diagnosis Information.” (ECF No. 1-1, PageID.44 (emphasis added).) And, as Lynwood points out, at least one court has found that similar language weighed against finding standing. See Greenstein v. Noblr Reciprocal Exch., No. 22-17023, 2024 WL 3886977, at *2 (9th Cir. Aug. 21, 2024) (finding, where data-breach notice stated that the plaintiff’s driver’s license number “may” have been accessed, that a reasonable reader of the notice would only know that his driver’s license number “may (or may not) have been among those stolen”). At this early stage of the case, however, Rodriguez is entitled to the benefit of
the doubt, and so the Court will infer that her data was accessed. See Thomas, 140 F.4th at 335 (providing that on a motion to dismiss, courts must “draw all reasonable inferences in favor of the plaintiff”). After all, Lynwood’s investigation caused it to send Rodriguez the data-breach letter—so certainly Lynwood thought Rodriguez might be at risk. And another part of the letter is less equivocal: “[Lynwood] is writing to inform you of a data security incident involving your sensitive information.” (ECF
No. 1-1, PageID.44.) It is reasonable to infer that if Lynwood sent Rodriguez a letter about a data breach “involving” her sensitive information, her records were among those accessed by hackers. So, for now, the Court finds that Rodriguez’s privacy injury was “actual” for purposes of standing. But is that injury “concrete”? In deciding whether “a harm [is] concrete for purposes of Article III,” “courts should assess whether the alleged injury to the plaintiff has a ‘close relationship’ to a harm ‘traditionally’ recognized as providing a
basis for a lawsuit in American courts.” TransUnion, 594 U.S. at 424 (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016)). This inquiry “asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury”— though an “exact duplicate” is not required. Id. at 424–25, 432. Take, for example, a plaintiff whose credit report was disseminated and falsely identified him as a “potential terrorist.” See id. at 432. That plaintiff has “suffered a harm with a ‘close relationship’ to the harm associated with the tort of defamation”—namely, “reputational harm.” Id. Because such a harm is “traditionally recognized as providing a basis for a lawsuit in American courts,” the plaintiff’s injury is “concrete.”
Id. Rodriguez’s claims bring to mind one of the common-law invasion of privacy torts: intrusion upon seclusion. See TransUnion, 594 U.S. at 425 (identifying intrusion upon seclusion as a claim “traditionally recognized” in American courts). That tort occurs when one person intentionally “intrudes” upon the “private affairs or concerns” of another and the intrusion is “highly offensive to a reasonable person.”
Restatement (Second) of Torts § 652B (A.L.I. 1977). The Restatement explains that one “intrudes” upon the privacy of another “by opening his private and personal mail, searching his safe or wallet, [or] examining his private bank account.” Id. § 625B cmt. b. Those examples are similar to what Rodriguez has alleged: she gave her identifying information to Lynwood for safekeeping, but, through its negligence, Lynwood allowed hackers to examine it. Although Rodriguez’s allegations likely do not satisfy the intrusion-upon-
seclusion elements, that is not what concreteness demands. Salazar v. Paramount Global, 133 F.4th 642 (6th Cir. 2025), illustrates the point. There, Salazar sued Paramount for sharing his video-viewing history with Facebook. Id. at 645. In addressing Salazar’s standing to pursue his claim, the Sixth Circuit acknowledged that “no common-law tort specifically protects against the disclosure of a person’s video-viewing history.” Id. at 647. Even so, Salazar had standing because his injury “resemble[d]” the torts of public disclosure of private facts and intrusion upon seclusion. Id. The Sixth Circuit explained, “finding a close historical or common-law analogue for the modern injury or harm does not require an exact match for each
element of the common-law tort.” Id. at 648 n.6 (internal quotation marks omitted). The Sixth Circuit made a similar point in Dickson v. Direct Energy, LP, 69 F.4th 338 (6th Cir. 2023). The question there was whether ringless voicemails—the kind that can be silently deposited into a voicemail box—amounted to a concrete injury. See id. at 342. The Sixth Circuit answered that question in the affirmative, finding that leaving an unwanted voicemail was analogous to the tort of intrusion
upon seclusion. See id. at 345. In arguing for a contrary result, the defendant stressed that the plaintiff’s phone “never buzzed or emitted a sound” and that he had not even noticed the voicemail “for several minutes.” Id. at 348. The Sixth Circuit explained that this argument “challenge[d] the degree of [the plaintiff’s] harm” but that the “decisive issue” was whether the “claimed injury [was] similar in kind to one recognized at common law.” Id. (emphases in original). In sum, Rodriguez’s assertion that her privacy was violated when Lynwood
failed to adequately protect her private information from hackers is the “kind of harm” that is the basis of a tort claim traditionally addressed by American courts. So her privacy injury is “concrete.” And, as explained, it is “actual.” As such, her alleged privacy injury satisfies the injury-in-fact requirement of standing. Although Rodriguez’s privacy injury is an injury-in-fact, it does not follow that she has standing to pursue relief for other injuries that are abstract or hypothetical.
See DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 351–54 (2006); Kanuszewski v. Mich. Dep’t of Health & Hum. Servs., 927 F.3d 396, 406 (6th Cir. 2019). So the Court addresses whether the other two injuries Rodriguez alleges—increased risk of fraud and the diminished value of her private information—are “actual or imminent” and “concrete.” Future Fraud. The potential for harm in the future satisfies the “actual or
imminent” injury requirement when the harm is “certainly impending” or the risk of harm is “substantial.” See Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 & n.5 (2013). In the data-breach setting, the risk of fraud is more likely to be “substantial” when (1) the data was intentionally taken by hackers (as opposed to unintentionally exposed by the defendant), (2) some of the individuals whose data was taken have been the victim of fraud (even if the plaintiff has not been), and (3) the nature of the data taken lends itself to fraud (e.g., Social Security numbers as opposed to phone
numbers). See Bohnak v. Marsh & McLennan Cos., 79 F.4th 276, 289 (2d Cir. 2023). Here, Rodriguez has gone two for three. It is likely that Lynwood was hacked by those with malicious intent. See Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 389 (6th Cir. 2016) (“Why else would hackers break into a store’s database and steal consumers’ private information?”). And the data taken—Social Security numbers in particular—is the type that lends itself to fraud. Bohnak, 79 F.4th at 289 (agreeing with plaintiff that SSNs “are among the worst kind of personal information to have stolen”). And at least one court has found that two-for-three satisfies the imminence requirement. See id.
But a key fact distinguishes this case from those finding that data-breach victims were at a substantial risk of fraud: nearly three years passed between the data breach and this lawsuit, and Rodriguez has not alleged even one instance of fraud attributable to the breach. When the standard requires imminence, three years is a long time. See Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 366–67 (M.D. Pa. 2015) (“[A] layperson with a common sense notion of ‘imminence’ would find [a one-year]
lapse of time, without any identity theft, to undermine the notion that identity theft would happen in the near future.”); Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1087 (E.D. Cal. 2015) (finding, where plaintiff waited three years post-breach to file suit, that plaintiff had not alleged imminent risk of fraud). Given that almost three years went by without incident before Rodriguez filed her lawsuit, the Court finds that any risk of future fraud stemming from the breach is not substantial. Relatedly, Rodriguez says that she has already spent time and energy
monitoring her financial accounts (ECF No. 16, PageID.431–432) and already experienced anxiety about the possibility of fraud (see ECF No. 14, PageID.254). Although these alleged injuries are current, they are based on an insubstantial risk of harm. So they cannot confer standing. See Greenstein v. Noblr Reciprocal Exch., No. 22-17023, 2024 WL 3886977, at *3 (9th Cir. Aug. 21, 2024) (“Only when the risk of future harm is not speculative can the cost of mitigation efforts form a basis for standing.”); cf. Clapper, 568 U.S. at 416, 422 (explaining that plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm”). Although Rodriguez’s distress about the risk of fraud and her efforts to minimize it is
perhaps understandable, she does not have standing to pursue claims based on those injuries. See id. at 416. Diminished Value of Information. Rodriguez also says that data breach diminished the value of her private information. Courts are divided on whether the diminished value of private information satisfies the injury-in-fact requirement. See In re ESO Sols., Inc. Breach Litig., No.
23-1557, 2024 WL 4456703, at *6 (W.D. Tex. July 30, 2024) (noting split in authority); In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 462 (D. Md. 2020) (discussing conflicting decisions). Even if the Court were to assume that generally, the diminished value of private information satisfies the injury-in-fact requirement, Rodriguez has not adequately pled that the value of her data has been diminished. She has not alleged that the breach caused her to change any of her identifying information (e.g., her
Social Security number) or that she has been hindered in her ability to use the compromised information to obtain services or open accounts. Instead, Rodriguez mainly focuses on the value of her data on the black market. (See ECF No. 14, PageID.248–250 (noting that private information can sell for as much as $363 per record on the black market)). But, as far as the Court can tell, Rodriguez has no intent in participating in an illegal market. See Lochridge v. Quality Temp. Servs., Inc., No. 22-12086, 2023 WL 4303577, at *4 n.2 (E.D. Mich. June 30, 2023) (finding no injury- in-fact where plaintiff did not allege any plan to sell his private information); cf. O’Shea v. Littleton, 414 U.S. 488, 497 (1974) (assuming that plaintiffs would “conduct
their activities within the law” when analyzing standing). In sum, Rodriguez does not have standing to pursue claims based on her assertions that the data breach increased the risk of fraud in the future and diminished the value of her private information.
Lynwood argues that even if Rodriguez has alleged an injury-in-fact, she
cannot trace her injuries to it. See Friends of the Earth, Inc. v. Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 180 (2000) (providing that standing requires a plaintiff to show that “the injury is fairly traceable to the challenged action of the defendant”). Lynwood’s point is that data breaches are extremely common, so much so that any injury Rodriguez suffered or will suffer could be attributable to a different data breach. (See ECF No. 15, PageID.291.) The Court’s prior analysis addresses this argument. As explained, Rodriguez’s
alleged privacy injury suffices for standing. And, according to allegations the Court must currently take as true, that injury occurred when hackers breached Lynwood’s (or Excelerate’s) computers. So that injury is traceable to the Lynwood data breach as opposed to some other data breach. As for the other two injuries Rodriguez alleges—the increased risk of fraud and the diminished value of her private information—the Court has determined that they are not injuries-in-fact. So regardless of whether those injuries are traceable to Lynwood, Rodriguez lacks standing to pursue claims based on them.
Before turning to the merits, there is one last aspect of standing the Court should address. As explained, a plaintiff must have standing not only for each claim that she brings, but also for each type of relief she seeks. TransUnion, 594 U.S. at 413. Here, in addition to damages, Rodriguez seeks forward-looking relief. In particular, she wants the Court to order Lynwood to increase its data security, to improve how it addresses data breaches after they occur, and to pay for no less than
10 years of credit monitoring. (See ECF No. 14, PageID.260, 262–263.) Rodriguez lacks standing to seek an order requiring Lynwood to improve its data-security practices. She has not alleged that Lynwood experienced any data breaches prior to the one involving her data. Nor has she alleged that Lynwood has experienced any data breaches in the several years since that one. Of course, Lynwood might suffer a data breach in the future, but a mere possibility does not confer standing. See Hemphill v. Horne, LLP, No. 24-178, 2025 WL 837007, at *9–10 (S.D.
Miss. Mar. 10, 2025) (“So is one past data breach—combined with cybercriminals’ unquenchable thirst for personal data—sufficiently predictive of another data breach in [the] near future? No.”); Duffy v. Lewis Bros. Bakeries, Inc., 760 F. Supp. 3d 704, 716–17 (S.D. Ind. 2024) (same); Hall v. Centerspace, LP, No. 22-2028, 2023 WL 3435100, at *4 (D. Minn. May 12, 2023) (same). As for Rodriguez’s request for an order directing Lynwood to pay for 10 years of credit monitoring, that relief is arguably more of a damages remedy than an injunctive one. But either way, Rodriguez lacks standing to seek it. Credit monitoring
does nothing to fix the injuries Rodriguez experienced from having her privacy violated (e.g., embarrassment). And while credit monitoring does reduce the risk of fraud, the Court has found that Rodriguez lacks standing to pursue claims based on that injury. Thus, Rodriguez lacks standing to seek forward-looking relief. * * *
In sum, Rodriguez only has standing to pursue claims seeking damages for injuries stemming from hackers invading her privacy (e.g., embarrassment). She lacks standing to pursue claims based on her other asserted injuries. And Rodriguez lacks standing to seek prospective relief.
Having established its authority to do so, the Court turns to the merits. Invoking Federal Rule of Civil Procedure 12(b)(6), Lynwood makes a host of
arguments to dismiss Rodriguez’s negligence and breach-of-implied-contract claims. In addressing these arguments, the Court accepts as fact the non-conclusory allegations of the amended complaint, draws all reasonable inferences in favor of Rodriguez, and, ultimately, determines whether she has stated a plausible claim for relief. See Thomas v. Montgomery, 140 F.4th 335, 339 (6th Cir. 2025). The Court begins with one of Lynwood’s arguments that applies equally to Rodriguez’s negligence and breach-of-implied-contract claims. In particular, Lynwood
asserts that both claims are premised on future injury (namely, future fraud), but, under Michigan law, both claims require “present injury.” (See ECF No. 15, PageID.292–294.) The Court’s standing analysis makes this argument moot. As explained, Rodriguez has standing based on injuries stemming from the alleged violation of her privacy. And those injuries are not contingent on future events—if Rodriguez’s
privacy was violated, it happened in 2021 when hackers accessed her data. As far as Rodriguez’s other alleged injuries, the federal courthouse doors remain closed to claims based on those injuries for reasons already given. So the “present injury” requirement adds nothing new to the analysis.
The Court turns to Lynwood’s arguments directed to Rodriguez’s negligence claim.
In making its present-injury argument, Lynwood has drawn the Court’s attention to a related, physical-injury requirement. In arguing that Rodriguez’s claims require present injuries, Lynwood relied heavily on Rakyta v. Munson Healthcare, No. 354831, 2021 WL 4808339 (Mich. Ct. App. Oct. 14, 2021). (See ECF No. 15, PageID.293.) That decision states: “The [Michigan Supreme] Court explained [in Henry v. Dow Chemical Co., 701 N.W.2d 684, 692 (Mich. 2005)] that Michigan law only recognized emotional distress as the basis for a negligence claim when the emotional distress involved present physical manifestations of the distress.” Rakyta, 2021 WL 4808339, at *5. And in a different section of its brief, Lynwood quotes this
very language from Rakyta to argue that Rodriguez’s emotional distress is not an injury-in-fact. (ECF No. 15, PageID.291.) So, while Lynwood should have been more explicit, it has asserted that Rodriguez has not adequately pled a negligence claim because she has not alleged physical injury. In evaluating this assertion, a good place to start is Henry v. Dow Chemical. There, the plaintiffs alleged that Dow Chemical had negligently polluted the flood
plain where they lived. 701 N.W.2d at 685–86. Although the plaintiffs had not yet manifested any physical injury, they alleged that they had spent money to monitor their health and had experienced emotional distress over possibly falling ill in the future. See id. at 691–92. In evaluating these alleged injuries, the Michigan Supreme Court “reaffirm[ed]” that “present harm to person or property is a necessary prerequisite to a negligence claim.” Id. at 690. Because the plaintiffs had not alleged that “they suffered from present physical injuries to person or property,” they had not
stated a viable negligence claim. See id. (emphasis in original). And while the plaintiffs had alleged present financial harm, those economic losses were “wholly derivative of a possible, future injury rather than an actual, present injury,” and thus “not compensable.” See id. at 691 (emphasis in original). As for the plaintiffs’ emotional distress over falling ill in the future, the Michigan Supreme Court explained, “our common law recognizes emotional distress as the basis for a negligence action only when a plaintiff can also establish physical manifestations of that distress.” See id. at 692; see also id. at 691 (explaining that a “showing of an actual physical injury” helps reduce “unfounded suits”).
After the parties filed their briefs here, a court in this District applied Henry in the data-breach setting. See Hearing Transcript, Angus v. Flagstar Bank, FSB, No. 21-10657, ECF No. 106, PageID.2105–2115 (E.D. Mich. June 11, 2025) (Leitman, J.). In Angus, as here, the plaintiffs were victims of a data breach and brought an ordinary negligence claim. See No. 21-CV-10657, 2025 WL 937760, at *1 (E.D. Mich. Mar. 27, 2025). And there, as here, the plaintiffs had not alleged that the data breach
caused them physical injury. See Angus, ECF No. 106, PageID.2111–2112. The court in Angus concluded that the Michigan Supreme Court’s decision in Henry “lays down . . . a bright line rule that a Michigan plaintiff alleging ordinary negligence must make . . . plausible allegations that he or she suffered a present physical injury, with ‘physical’ being the key here.” Id. In reaching this conclusion, the court relied on the Sixth Circuit’s opinion in Means v. United States Conference of Catholic Bishops, 836 F.3d 643 (6th Cir. 2016). See Angus, ECF No. 106, PageID.2105, 2113. There, the
Sixth Circuit stated, “In Michigan, ‘present physical injury’ is necessary to state a claim for negligence.” 836 F.3d at 653 (citing Henry, 701 N.W.2d at 691). As Rodriguez has not pursued possible routes around the physical-injury requirement, the Court finds Angus persuasive. See Daley v. LaCroix, 179 N.W.2d 390, 392 (Mich. 1970) (indicating that a plaintiff without physical injuries may recover for a defendant’s negligence through an “independent basis for tort liability”); Gore v. Rains & Block, 473 N.W.2d 813, 819 (Mich. Ct. App. 1991) (permitting recovery for mental anguish on a professional negligence claim where plaintiff did not suffer physical injury). Above, the Court determined that Rodriguez only has
standing to pursue claims based on injuries stemming from hackers viewing her private data. But those injuries are not physical. So the Court will dismiss Rodriguez’s negligence claim for failure to plead physical injury. Because the physical-injury requirement is fatal to Rodriguez’s negligence claim, the Court does not address Lynwood’s other bases for dismissing that claim.
Remaining are Lynwood’s arguments to dismiss Rodriguez’s breach-of-implied- contract claim.
Relying on a collective-bargaining agreement between itself and Rodriguez’s former union, Lynwood argues that (1) Rodriguez’s state law claims are preempted by federal law, (2) Rodriguez did not exhaust her claims as required by the CBA, and (3) the CBA is an express contract that precludes the existence of an implied contract.
(ECF No. 15, PageID.298–300; ECF No. 17, PageID.450–451.) The Court addresses these arguments in that order. Lynwood’s preemption argument is based on § 301 of the Labor Management Relations Act. Under § 301, state law claims are preempted where “the right claimed by the plaintiff is created by the collective bargaining agreement” or where “proof of the state law claim requires interpretation of collective bargaining agreement terms.” Adamo Demolition Co. v. Local 150, Int’l Union of Operating Eng’rs, 3 F.4th 866, 873 (6th Cir. 2021). Lynwood says that Rodriguez’s claims require interpretation of the CBA. (ECF No. 15, PageID.299; ECF No. 17, PageID.450–451.)
The Court is not persuaded. Tellingly, Lynwood identifies not one provision of the CBA that discusses the collection of employees’ identifying information, let alone one that governs how that information will be secured. See Keown v. Int’l Ass’n of Sheet Metal Air Rail Transp. Workers, No. 23-3570, 2024 WL 4239936, at *12 (D.D.C. Sept. 19, 2024) (finding no § 301 preemption where the union’s constitution “nowhere” referenced its “data security obligations”); In re Unite Here Data Sec. Incident Litig.,
740 F. Supp. 3d 364, 381 (S.D.N.Y. 2024) (same). Lynwood does point to the management-rights clause of the CBA. But it fails to explain how Rodriguez’s claims about data security require the Court to interpret its rights to “hire,” to “evaluate and determine the competency of employees,” and to “determine the method, means and person[nel] required to provide services” (ECF No. 15-3, PageID.402). Lynwood also directs the Court to Fernandez v. Kerry, Inc., 14 F.4th 644 (7th Cir. 2021), but that case does not help its cause. There, Kerry required its employees
to clock in and out using their fingerprints. Id. at 644. Former employees sued, claiming that Kerry had violated state law by not obtaining their consent for the collection and use of their fingerprints. See id. The employer countered that the employees’ union had consented to the fingerprinting procedure and, short of that, it had authority to collect the prints under the management-rights clause of the CBA. See id. at 646. The court found that because the union’s consent and Kerry’s authority under the CBA were both in dispute, the employees’ state law claim was preempted by § 301: “It is not possible even in principle to litigate a dispute about how an [employer] acquires and uses fingerprint information for its whole workforce without
asking whether the union has consented on the employees’ collective behalf.” Id. at 646 (quoting Miller v. Sw. Airlines Co., 926 F.3d 898, 904 (7th Cir. 2019)). The same cannot be said here. Instead, it is entirely possible to litigate Rodriguez’s claim that Lynwood needed to make reasonable efforts to secure her personally identifiable information without inquiring into whether the union consented to having Lynwood obtain and store that data. Moreover, how workers
clock in and out is “no doubt” a matter for collective bargaining. See Miller, 926 F.3d at 904. In contrast, Lynwood’s data security not only affects its employees, but also its patients. In all, given what is at issue in this case, Fernandez does not persuade. Preemption aside, Lynwood says that Rodriguez failed to exhaust the remedies provided in the CBA before coming to court. (ECF No. 15, PageID.300.) What has already been said largely disposes of this argument. The CBA defines a “grievance” to be a dispute between an employee and Lynwood “concerning the
meaning, interpretation, application, or alleged violation of a provision of this Agreement or the discipline or discharge of an employee.” (ECF No. 15-3, PageID.404.) But, as just stated, there is no provision of the CBA that discusses Lynwood’s obligations to keep employee identifying information secure (or at least Lynwood has not identified any). That leaves Lynwood’s preclusion argument. Lynwood’s legal basis is correct: “a contract cannot be implied when an express contract already addresses the pertinent subject matter.” Liggett Rest. Grp., Inc. v. City of Pontiac, 676 N.W.2d 633,
639 (Mich. Ct. App. 2003). But Lynwood has not established the factual basis for this argument. As stated when addressing Lynwood’s preemption and exhaustion arguments, Lynwood has not identified any provision of the CBA that relates to how employee identifying information would be secured. Instead, Lynwood seems to take the position that the CBA covers the same “pertinent subject matter” as Rodriguez’s alleged implied contract because it governed “the terms of her employment.” (ECF
No. 15, PageID.299.) But Lynwood cites no precedent backing such a sweeping rule. Nor does Lynwood make any argument based on the CBA’s acknowledgement-and- waiver provision. (ECF No. 15-3, PageID.420.) Such an argument will have to await summary judgment. As such, the Court is not persuaded that an express contract precludes Rodriguez’s implied-contract claim. In sum, at this stage of the case, Lynwood has not shown that the CBA warrants dismissal of Rodriguez’s breach-of-implied-contract claim.
Lynwood also says that Rodriguez’s breach-of-implied-contract claim must be dismissed because she has not adequately pled that it agreed to secure her private information. (ECF No. 15, PageID.301–302.) In other words, Lynwood attacks the mutual assent element. This is a very close call. Even reducing the field to (1) data-breach cases (2) where employees (or former employees) have asserted that their employers impliedly agreed to protect their personal information, courts are divided on what must be pled to state a claim upon
which relief may be granted. Courts that have rejected employees’ implied-contract claims have found that vague or conclusory statements about an agreement do not satisfy Iqbal’s demand for factual matter sufficient to state a plausible claim. See Longenecker-Wells v. Benecard Servs. Inc, 658 F. App’x 659, 662–63 (3d Cir. Aug. 11, 2016); Ramirez v. Paradies Shops, LLC, 69 F.4th 1213, 1221 (11th Cir. June 5, 2023). And, although not in the
employer-employee setting, one court has sensibly explained that plaintiffs should not be allowed to work backwards from the mere fact that there was a data breach to establish that the defendant had promised the very thing that would have prevented the breach. See Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 51 (D. Ariz. 2021) (“Plaintiffs’ argument boils down to . . . . [b]ecause there was a data breach, Magellan’s data security must have been inadequate, which is a breach of the implied contracts.”).
On the other hand, courts that have allowed plaintiffs to proceed on their implied-contract claims have given weight to the common-sense notion that “the employer-employee relationship generally encompasses the implicit mutual understanding that [personally identifiable information] should be kept private and not be subject to public disclosure.” Duffy v. Lewis Bros. Bakeries, Inc., 760 F. Supp. 3d 704, 724 (S.D. Ind. 2024); see also Castillo v. Seagate Tech., LLC, No. 16-01958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (“When a person hands over sensitive information, in addition to receiving a job, good, or service, they presumably expect to receive an implicit assurance that the information will be protected.”).
While Lynwood and Rodriguez each have plenty of authority to back their contrary positions, at this stage of the case, the scales tip slightly in favor of Rodriguez. True, Rodriguez has not pled any specific “words or actions” on the part of Lynwood regarding data security. See Allen v. Michigan State Univ., No. 358135, 2024 WL 4982523, at *9 (Mich. Ct. App. Dec. 4, 2024) (providing that for an implied contract, “mutual assent is inferred from the parties’ words and actions”). But “it is
difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.” Castillo, 2016 WL 9280242, at *9. Further, to require a plaintiff to plead the specific scope of data protection would preclude an implied-contract claim for all but “the most sophisticated and familiar” employees. Id. Moreover, as far as the Court can tell, every judge in this District that has addressed an implied-contract claim based on a
data breach has allowed the claim to survive past the pleading stage. Lochridge v. Quality Temp. Servs., Inc., No. 22-12086, 2023 WL 4303577, at *7 (E.D. Mich. June 30, 2023) (Behm, J.); Hummel v. Teijin Auto. Techs., Inc., No. 23-10341, 2023 WL 6149059, at *10 (E.D. Mich. Sept. 20, 2023) (Borman, J.); In re Flagstar Dec. 2021 Data Sec. Incident Litig., No. 22-11385, 2024 WL 5659583, at *13 (E.D. Mich. Sept. 30, 2024) (McMillion, J.); Angus v. Flagstar Bank, FSB, No. 21-10657, 2025 WL 937760, at *1 (E.D. Mich. Mar. 27, 2025) (Leitman, J.). In short, while discovery may well show that Lynwood did not impliedly agree
to any particular data-security measures (or, for that matter, that the measures it agreed to would not have prevented the breach), Rodriguez has adequately pled mutual assent.
For the reasons given, Lynwood’s motion to dismiss (ECF No. 15) is GRANTED IN PART and DENIED IN PART. The Court lacks jurisdiction over Rodriguez’s
negligence and breach-of-implied-contract claims insofar as they seek injunctive relief and insofar as they seek damages for increased risk of fraud and diminished value of private information. The remainder of Rodriguez’s negligence claim is DISMISSED for failure to plead physical injury. The only claim remaining in this case is a breach-of-implied contract claim to recover damages for injuries stemming from hackers invading Rodriguez’s privacy (e.g., embarrassment). SO ORDERED.
Dated: September 22, 2025
s/Laurie J. Michelson LAURIE J. MICHELSON UNITED STATES DISTRICT JUDGE