Opinion
CV-22-01061-PHX-SMB
11-15-2024
Brittney Johnson, et al., Plaintiffs, v. Yuma Regional Medical Center, Defendant.
ORDER
HONORABLE SUSAN M. BRNOVICH, UNITED STATES DISTRICT JUDGE.
Defendant Yuma Regional Medical Center (“Yuma Regional”) was the target of a ransomware attack that resulted in a data breach. Hackers were able to gain access to and extract patients personally identifiable information (“PII”) and protected health information (“PHI”) of Yuma Regional's current and former patients. The fifteen named Plaintiff's here represent the individuals who had their information stolen. Yuma Regional has filed a Motion to Dismiss (Doc. 74) Plaintiffs' Consolidated Class Action Complaint (Doc. 68, the “Complaint”). The Parties fully briefed the Motion (Doc. 75 (Plaintiffs' Response); Doc. 78 (Yuma Regional's Reply). Yuma Regional requested oral argument (Doc. 74 at 1), which was scheduled for November 25, 2024, but the Court now vacates oral argument, finding it unnecessary (Doc. 79). See LRCiv. 7.2(f). Having reviewed the parties' briefs and the applicable law, the Court will grant Yuma Regional's Motion.
The named Plaintiffs include: Dillan Clarke, Elayne Martinez, Brittney Johnson, Brian Kircher, Juanita Sarabia, Megan Kircher, Donald Banti and Marcia Banti, Ryan Mangum and Tiffany Mangum, Anthony Spano, Carol Ashby, Margaret O'Grady, Mayra Esquivel and her minor son, E. N. (Doc. 68 at 2.)
I. BACKGROUND
The Court derives the following facts from Plaintiffs' Complaint. (Doc. 68.) As its name denotes, Yuma Regional is a hospital operating in Yuma, Arizona. (Id. ¶ 24.) Before a patient can receive treatment, Yuma Regional requires its patients to provide their PHI (id. ¶¶ 2 & n.1, 30), which includes “individually identifiable health information” generally relating to an individual's past, present, and future physical or mental health conditions and provisions of health care, see 45 C.F.R. § 160.103. Yuma Regional maintains this information and records, including patients' names, social security numbers, financial information, and other medical information on a computer system. (Doc. 68 ¶ 30.) Through its Privacy Policy, Yuma Regional promises to reasonably safeguard its patients' PHI. (Id. ¶ 31.) The Policy also provides that patients' confidential information will only be released where authorized by law or when authorized by consent. (Id. ¶¶ 31-34.) Yuma Regional also acknowledges that it has a duty to notify its patients upon discovery of a breach. (Id. ¶ 33.)
Beginning on April 21, 2022, cybercriminals breached Yuma Regional's data security systems, gaining unrestricted access to its files for the next few days. (Id. ¶¶ 1, 37-38.) Yuma Regional lost control of its system and the hackers were able to extract highly sensitive files containing data on an estimated 700,000 of its patients. (Id. ¶¶ 2, 37-38.) Yuma Regional identified the breach around April 25 and issued a notice at some point thereafter. (Id. ¶¶ 1, 5, 39, 44.) The notice provided assurances that Yuma Regional was strengthening its system, enhancing its protocols, and offering its patients free credit monitoring and identity theft protection services for an unknown duration. (Id. ¶¶ 1, 5, 7 39, 44-46.) Yuma Regional also sent the patients, including the named Plaintiffs, letters notifying them of the breach, dated June 9, 2022. (Id. ¶¶ 12-23.)
All fifteen named Plaintiffs claim that they suffered a variety of present and future harms, including (1) diminution in the value of personal information; (2) loss of benefit of the bargain and opportunity costs; (3) lost time spent dealing with the breach; (4) anxiety or emotional harm; (5) increased spam emails, texts messages, and phone calls; (6) an increased risk of fraud; and (7) harm from the delay in receiving notice of the breach. (Id. ¶¶ 9, 55-59, 71-73, 82-86, 89, 99-101, 111-14, 123-25, 134-39, 147, 151-54, 163-69, 178, 180-82, 190-93, 201, 204-07.)
Some of the Plaintiffs also allege to have suffered various specific damages. Plaintiffs Clarke, Johnson, D. Banti, T. Mangum, Spano, Ashby, and Esquivel allege they suffered attempted or actual identity theft or fraud. (Id. ¶¶ 56, 83, 136, 150, 164-165, 179, 203.) Plaintiff Sarabia alleges she suffered out-of-pocket losses spent mitigating the effects of the breach. (Id. ¶ 110.) Plaintiff Martinez claims damages for her inability to access medical records and schedule appointments while the system was down. (Id. ¶¶ 68-71.) Plaintiffs Johnson and Spano allege damages from having to freeze their credit. (Id. ¶¶ 85, 168.) Finally, Plaintiffs Johnson, Sarabia, T. Magnum, and R. Magnum claim to suffer damages from their information being available on the “dark web.” (Id. ¶¶ 84, 112, 149.)
Plaintiffs allege that Yuma Regional's data security system was inadequate to timely detect the breach and notify its patients leaving them vulnerable to additional harm. (Id. ¶¶ 5-6, 36, 39.) Specifically, Plaintiffs assert that Yuma Regional failed to adhere to Heath Insurance Portability and Accountability Act (“HIPAA”) data security laws and Federal Trade Commission (“FTC') guidelines. (Id. ¶¶ 237-45.) Plaintiffs bring their Complaint on behalf of all Yuma Regional patients whose PHI was accessed in the data breach under Arizona Rule of Civil Procedure 23(b)(2)-(3). (Id. ¶ 246-60.)
Plaintiffs assert five causes of action: (1) negligence; (2) negligence per se; (3) breach of implied contract; (4) unjust enrichment; and (5) violation of the Arizona Consumer Fraud Act (“ACFA”). (Doc. 68 at 48-59.) Yuma Regional now moves to dismiss all claims asserting various arguments, including a failure to plead: (1) cognizable injuries; (2) breach and causation; (3) negligence per se as a standalone cause of action; (4) an implied contact exists or adequate consideration; (5) unjust enrichment; and (6) the specificity required to support the ACFA claim. (Doc. 74.)
II. LEGAL STANDARD
To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must meet the requirements of Rule 8(a)(2). Rule 8(a)(2) requires a “short and plain statement of the claim showing that the pleader is entitled to relief,” providing “fair notice of what the . . . claim is and the grounds upon which it rests.” BellAtl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (quoting Conley v. Gibson, 355 U.S. 41, 47 (1957)). This exists if the pleader sets forth “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1988). A cognizable legal theory must state a claim to relief that is “plausible on its face.” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 570). Plausibility does not equal “probability,” but requires “more than a sheer possibility that a defendant has acted unlawfully.” Id. The Court views the well-pled factual allegations as true and construes them in the light most favorable to the nonmoving party. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). But legal conclusions couched as factual allegations are not given a presumption of truthfulness, and “conclusory allegations of law and unwarranted inferences are not sufficient to defeat a motion to dismiss.” Pareto v. FDIC, 139 F.3d 696, 699 (9th Cir. 1998). A court ordinarily may not consider evidence outside the pleadings in ruling on a Rule 12(b)(6) motion to dismiss. See United States v. Ritchie, 342 F.3d 903, 907 (9th Cir. 2003). “A court may, however, consider materials-documents attached to the complaint, documents incorporated by reference in the complaint, or matters of judicial notice-without converting the motion to dismiss into a motion for summary judgment.” Id. at 908.
III. DISCUSSION
A. Negligence
Under Arizona law, to state a claim for negligence “a plaintiff must prove: (1) a duty requiring the defendant to conform to a certain standard of care; (2) breach of that standard; (3) a causal connection between the breach and the resulting injury; and (4) actual damages.” CVS Pharmacy, Inc. v. Bostwick ex rel., 494 F.3d 572, 578 (Ariz. 2021) (quoting Quiroz v. ALCOA Inc., 416 P.3d 824, 827-28 (Ariz. 2018)). Yuma Regional seeks dismissal arguing that Plaintiffs' damages theories fail to allege cognizable losses. (Doc. 74 at 9-10.) Yuma Regional also contends that Plaintiffs failed to plead breach of a duty or that their injuries were caused by the breach. (Id. at 16-18.) Plaintiffs respond by arguing they have adequately alleged cognizable harms, breach of a duty, and causation. (Doc. 75 at 10-19.)
1. Cognizable Injury
To sustain a negligence claim, damages must be “actual and appreciable, non-speculative, and more than merely the threat of future harm.” CDT, Inc. v. Addison, Roberts & Ludwig, C.P.A., P.C., 7 P.3d 979, 982-83 (Ariz.Ct.App. 2000) (cleaned up) (quoting Commercial Union Ins. Co. v. Lewis and Roca, 902 P.2d 1354, 1358, 1360 (Ariz. 1995)). Accordingly, the majority view is that general allegations of lost time, continued risk to plaintiffs' personal data, and the danger of future harms are not cognizable injuries for negligence claims. See Griffey v. Magellan Health Inc. (Griffey I), 562 F.Supp.3d 34, 46 (D. Ariz. 2021); see also Gannon v. Truly Nolen of Am. Inc., No. CV 22-428-TUC-JAS, 2023 WL 6536477, at *3 (D. Ariz. Aug. 31, 2023); Quinalty v. FocusIT LLC, No. CV-23-00207-PHX-JJT, 2024 WL 342454, at *4 (D. Ariz. Jan. 30, 2024). The Court addresses each of the alleged injuries in turn.
a. Diminution of Value
Yuma Regional argues the diminution of value is not a cognizable injury. (Doc. 74 at 10-11.) Citing cases like Griffey I, Yuma Regional argues that Plaintiffs alleging that their information may be sold on the “black market” is insufficient to make the requisite showing that a legitimate market exists and impairs their ability to participate in that market. (Id.; Doc. 78 at 7-8.) Plaintiffs respond that the Ninth Circuit in In re Facebook Priv. Litig., 572 Fed.Appx. 494 (9th Cir. 2014) recognized the diminished value of PII as a cognizable injury, thus they have adequately pleaded as much. (Doc. 75 at 11-12.)
Yuma Regional is correct that Plaintiffs must do more than merely assert general allegations of diminution of value. Griffey 1, 562 F.Supp.3d at 45. Plaintiffs “must establish both the existence of a market for [their] personal information and an impairment of [their] ability to participate in that market.” Id. (quoting Pruchnicki v. Envision Healthcare Corp. (Pruchnicki I), 439 F.Supp.3d 1226, 1234 (D. Nev. 2020), aff'd, 845 Fed.Appx. 613 (9th Cir. 2021)). Here, Plaintiffs allege that according to a credit-monitoring service's blog, PHI is a valuable commodity worth up to $1,000.00 on the “black market,” depending on the type of information. (Doc. 68 ¶ 212-13.) Plaintiffs further allege that cybercriminals increasingly and frequently post and sell stolen private information on the “dark web” and that it could take years to identify PHI theft. (Id. ¶¶ 212-215.)
Plaintiffs' complaints do not give rise to compensable damages. Plaintiffs' general allegations of purported “black market” value and the blog posts do not establish their information actually lost value and calls for speculation. See, e.g., Pruchnicki v. Envision Healthcare Corp. (Pruchnicki II), 845 Fed.Appx. 613, 614 (9th Cir. 2021) (finding that, although the plaintiff alleged sufficient injury-in-fact to support standing, studies that show personal information may have value in general are insufficient to allege actual lost value). Similarly, the data being available on the “black market” is insufficient and courts have declined to find such a market as legitimate. See Griffey 1, 562 F.Supp.3d at 45; Durgan v. U-HaulInt'lInc., No. CV-22-01565-PHX-MTL, 2023 WL 7114622, at *3 (D. Ariz. Oct. 27, 2023); see also Pruchnicki II, 845 Fed.Appx. at 614 (“‘[M]ere misappropriation of personal information' does not establish compensable damages.” (citation omitted)).
Plaintiffs' reliance on In re Facebook is misplaced. There, the court concluded that, absent applicable contravening state law, the plaintiffs' allegations that they were harmed by the dissemination of their data and lost sales value that information was sufficient to plead damages for breach of contract and fraud claims. See 572 Fed.Appx. at 494. The case does not address claims of negligence, nor the damages standard under Arizona law. Further, as the Ninth Circuit later recognized, pleading damages sufficient for standing does not necessarily establish compensable damages. Pruchnicki II, 845 Fed.Appx. at 614-15; see also Doe v. Chao, 540 U.S. 614, 624-25 (2004) (explaining establishing injury-in-fact may open the courthouse door for standing purposes, but it does not necessarily create a cause of action of damages absent more than abstract injuries).
Most of the other cases that Plaintiffs cite for support are inapposite as they pertain to findings on claims other than negligence, unrelated damages, or standing. See, e.g., In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783, at *14 SN.D. Cal. May 27, 2016) (breach of contract); In re Solara Med. Supplies, LLC Customer ata Sec. Breach Litig., 613 F.Supp.3d 1284 (S.D. Cal. 2020) (unfair trade practices); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d 1284 (S.D. Cal. 2020) (loss of time); In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1204 (S.D. Fla. 2022) (standing); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 462 (D. Md. 2020) (standing).
The only case Plaintiffs cite relating to diminution of value as the damages for a negligence claim is Smallman v. MGMResorts Int '1, 638 F.Supp.3d 1175 (D. Nev. 2022). There, the court reasoned that case law does not require proof of both the availability of a marketplace and impairment to their ability to participate in that market. See Smallman, 638 F.Supp.3d at 1190-91. Yet, the court ultimately found that the plaintiffs alleging that their PII could be bought and sold for identifiable prices on established markets, like those on the “dark web,” was sufficient to plead existence of a market, and because their information was posted on the dark web, it “interfered] with their fiscal autonomy” impairing their ability to participate in the marketplace. Id. at 1191. This Court respectfully disagrees. The case law supports requiring both, availability of the marketplace and impairment in that marketplace. Griffey 1, 562 F.Supp.3d at 46. Plaintiffs here do not allege they cannot sell their data on the “dark web,” nor that they ever have, intend to, or intended to sell on such a market. See, e.g., Quinalty, 2024 WL 342454, at *5. Additionally, Plaintiffs provide no means to measure the value of the damages. See Griffey 1, 562 F.Supp.3d at 46. Thus, Plaintiffs failed to plead a diminution of value.
b. Benefit of the Bargain
Next, Yuma Regional argues that Plaintiffs merely provide the conclusory allegation that they lost the benefit of the bargain. (Doc. 74 at 11-12.) In response, Plaintiffs claim that Yuma Regional “received more money from Plaintiffs than the benefit conferred upon them given [Yuma Regional's] inadequate security,” and that they would have paid less knowing their information would be released. (Doc. 75 at 12-13 (citing Doc. 68 ¶¶ 308-312.) Although Plaintiffs' citation relates to its unjust enrichment claim, they argue the Ninth Circuit recognizes damages for lost benefit of the bargain. (Id.) The only case Plaintiffs cite that addresses lost benefit of the bargain damages under a negligence theory is Smallman and is distinguishable. Unlike the plaintiffs in Smallman, Plaintiffs here make no specific allegations that they intended for part of the price they paid for services was to be used to provide adequate security. Cf. Smallman, 638 F.Supp.3d at 1190. At bottom, Plaintiffs' allegations are backward-looking speculation and insufficiently pleaded.
c. Lost Time and Opportunity Cost
Yuma Regional argues that Plaintiffs' damages allegations under a lost time theory are insufficient for all Plaintiffs except Plaintiff Sarabia because there are no accompanying allegations of out-of-pocket expenses. (Doc. 74 at 12-13.) And even for Plaintiff Sarabia, her allegations are insufficient because she fails to show they are reasonable or necessary. (Id.) Plaintiffs allege that they have spent time addressing and mitigating the effects of the data breach, which are cognizable damages. (Doc. 75 at 13-14.)
Yuma Regional is correct. As noted, general allegations of lost time are not cognizable injuries. Griffey 1, 562 F.Supp.3d at 46; see also Corona v. Sony Pictures Ent., Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015) (finding general allegations of lost time are non-cognizable because they are too speculative as opposed to actual expenses incurred); Smallman, 638 F.Supp.3d at 1192 (“[T]angible, out-of-pocket expenses are required in order for lost time spent monitoring credit to be cognizable as damages.” (citation omitted)). Here, Plaintiffs, excluding Plaintiff Sarabia, make general allegations of time spent dealing with verifying the legitimacy of the breach, exploring creditor monitoring and identity theft protections, and self-monitoring accounts without alleging any out-of-pocket expenses or means to measure any damages based on specific amounts of time spent. (See Doc. 68 ¶¶ 9, 54, 57, 67, 72, 81, 86, 97, 99, 109, 113, 122, 124, 134, 137, 147, 162, 177, 190, 222.) Thus, these damages are speculative and are not grounds to preclude dismissal.
Only Plaintiff Sarabia alleged out-of-pocket expenses for costs she incurred in buying credit monitoring services. (See id. ¶ 110.) Plaintiffs, however, must plead that the costs for credit monitoring services are reasonable and necessary. Griffey 1, 562 F.Supp.3d at 46; see also Durgan, 2023 WL 7114622, at *2 (noting recovery of the costs incurred in mitigating the risk of future harm requires the costs to be reasonable and the harm to be imminent, and merely conjectural or hypothetical mitigation efforts are insufficient). Although it may seem that purchasing credit monitoring in response to a breach in circumstances like this case are reasonable, Plaintiff Sarabia does not allege the amount paid, what those services entailed, or any factual basis to infer or evaluate the reasonableness of her purchases in light of the fact that Yuma Regional provided such a service. Therefore, all Plaintiffs' allegations for lost time are speculative and they failed to state a claim entitling them to damages on this ground.
d. Emotional Distress
Yuma Regional argues that Plaintiffs' allegations of emotional distress fail because they do not allege any physical injury or risk of bodily harm resulting from the data breach. (Doc. 74 at 13.) Plaintiffs argue they have sufficiently pleaded substantial risk of future harm due to individually suffering from anxiety and stress. (Doc. 75 at 14.)
While it appears that Plaintiffs conceded emotional distress harms other than those occurring in the future, their allegations for future emotional distress fail. The rule in Arizona is that “there can be no recovery for mental disturbance unless physical injury, illness or other physical consequence accompany it, or physical harm develops as a result of the plaintiff's emotional distress.” Dehart v. Johnson & Johnson, 562 F.Supp.3d 189, 198 (D. Ariz. 2022) (emphases in original) (quoting DeStories v. City of Phoenix, 744 P.2d 705, 709 (Ariz.Ct.App. 1987)); see also Amari v. Scottsdale Healthcare Hosps., No. 1 CA-CV 17-0443, 2018 WL 2928040, at *4 (Ariz.Ct.App. June 12, 2018) (“[E]motional distress damages are recoverable absent impact if the emotional distress manifests itself physically or results in long-term physical illness or mental disturbance.”). Plaintiffs make no allegations beyond suffering from “anxiety” and “annoyance” to support they suffered from emotional distress. Plaintiffs' allegations patently fall short of the requisite showing, and therefore they fail to state a claim to such damages.
e. Spam
Yuma Regional argues that Plaintiffs purported injuries from receiving unsolicited spam emails, messages, and calls do not constitute a cognizable injury. (Doc. 74 at 13-14.) Plaintiffs rebut that the injury is cognizable because their self-monitoring and purchasing additional credit monitoring is sufficient to show harm. (Doc. 75 at 14.) On its own, “receiving spam or mass mail does not constitute an injury.” Jackson v. Loews Hotels, Inc., No. ED CV 18-827-DMG (JCx), 2019 WL 6721637, at *4 (C.D. Cal. July 24, 2019). Plaintiffs cite In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *8 (D. Ariz. Dec. 20, 2017) for support. (Doc. 75 at 14.) That case, however, supports the proposition that “[a] person whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened.” See In re Banner Health, 2017 WL 6763548, at *8 (citation omitted). See also Durgan, 2023 WL 7114622, at *2 (noting merely conjectural or hypothetical mitigation efforts are insufficient, the expenditures must be reasonable and for imminent harms). As noted, only Plaintiff Sarabia alleged she purchased credit monitoring services “to mitigate the consequences” of the breach. (Doc. 68 ¶ 110.) Now, Plaintiffs seemingly impute that purchase on to every Plaintiff, and then assert in their Response for the first time that the expenditure was reasonable. (Doc. 75 at 14.) There is no connection between credit monitoring services and how those services avert spam or phishing or what those expenditures entailed. The threat averted is that of fraud and identity theft, not the “annoyance” experienced in receiving spam. As such, Plaintiffs spam allegations fail.
f. Risk of Fraud
Yuma Regional argues that Plaintiffs allegations that they have been injured “arising from the imminent and substantial risk of fraud, identity theft, and misuse resulting from” the breach are not cognizable harms because they are speculative future harms. (Doc. 74 at 14.) Yuma Regional further contends that even for the Plaintiffs alleging to have suffered from attempted or actual identity theft fail because those circumstances merely refer to attempts of thwarted fraud without actual losses. (Id.; Doc. 78 at 8-9.) Plaintiffs respond that their allegations that the hackers extracted Plaintiffs' highly sensitive information, including their social security numbers, health insurance information, and medical information, pose a creditable threat of harm to sustain damages given the nature of the information extracted. (Doc. 75 at 14-15.)
“Threats of future harm, on their own, are not cognizable negligence injuries.” Griffey 1, 562 F.Supp.3d at 46 (citing CDT, 7 P.3d at 982-83); Quinalty, 2024 WL 342454, at *5. Therefore, the Court focuses on Plaintiffs who alleged attempted or actual identity theft-Plaintiffs Clarke, Johnson, D. Banti, T. Mangum, Spano, Ashby, and Esquivel. (See Doc. 68 ¶¶ 56, 83, 136, 149-50, 162, 164-65, 179, 203.)
Plaintiff Clarke alleges she suffered from identity theft because after the breach her personal debit card was compromised and she was unable to use it, and that her bank contacted her about an unauthorized device accessing her account. (Id. ¶ 56.) Even construing this allegation in Plaintiff Clarke's favor, when it is not clear if the unknown fraudster actually accessed the account or just attempted to gain access triggering the bank to contact her, she makes no allegations that her debit card was actually used or that she incurred any out-of-pocket expenses to establish an actual injury. See, e.g., Griffey v. Magellan Health Inc. (Griffey II), No. CV-20-01282-PHX-MTL, 2022 WL 1811165, at *4 (D. Ariz. June 2, 2022) (finding that, absent allegations of out-of-pocket expenses or of actual misuse, allegations having to replace a debit card and asserting plaintiff's efforts responding to unsuccessful attempts of misuse are nothing more than allegations of lost time and increased risk of future harm and non-cognizable).
Plaintiff Johnson alleges she suffered from fraud and identity theft because after the breach a creditor bill was noted as unpaid even though it had been paid and her credit score lowered as a result of the bill being sent to collections. (Doc. 68 ¶ 85.) She also alleges that she immediately froze her accounts to mitigate the effects of the breach. (Id. ¶¶ 83.) Plaintiff Johnson does not make even a vague attempt to connect the bill to the breach or that the bill reflected amounts that she did not initially occur on her own. On these sparce facts, the allegations seem to reflect an accounting issue independent of the breach. Further, Plaintiff Johnson does not allege in freezing her accounts, she incurred any out-of-pocket expenses, and instead she appears to have proactively frozen her accounts without suffering harms from any misuse. See Griffey II, 2022 WL 1811165, at *4. Therefore, she has not alleged a cognizable harm resulting from identity theft.
Plaintiff D. Banti alleges that he suffered from identity theft because after the breach, he was contacted by his bank alerting him of suspicious activity caused by an unauthorized person on his debit card. (Doc. 68 ¶ 136.) On these facts, an alert of suspicious activity causing harm is purely speculative. See, e.g., I.C. v. Zynga, Inc., 600 F.Supp.3d 1034, 1052 (N.D. Cal. 2022) (finding attempts to commit identity theft without those attempts succeeding are insufficient to support damages even for standing purposes). Absent from D. Banti's allegations are any indication the suspicious activity resulted in any charges or any form of harm other than possibly lost time in responding to the bank's notice. Therefore, his alleged harm here is not cognizable.
Plaintiffs' Complaint alleges that both D. Banti and M. Banti suffered from identity theft, however, they only allege specific facts related to D. Banti. (Id.) Therefore, the Court only addresses his factual allegations.
Plaintiff T. Magnum alleges that she suffered from identity theft and/or fraud because after the breach she was notified that her information was on the “dark web” and that she had to dispute a medical bill that she received for a February 2022 procedure for which she did not owe money. (Doc. 68 ¶ 149-50.) As previously stated, allegations that Plaintiff's information is on the “dark web” are insufficient. See, e.g., Quinalty, 2024 WL 342454, at *5. The medical bill relates to a procedure occurring before the breach. On these limited facts, there is no indication that Plaintiff T. Magnum did not incur those medical expenses. Nor does she allege, assuming she did not incur those expenses, that she remains liable to pay or actually paid the bill after she disputed it. Therefore, her allegations failed to plead a cognizable harm.
Plaintiffs' Complaint alleges that both T. Magnum and R. Magnum suffered from identity theft, however, they only allege specific facts related to T. Magnum. (Id.) Therefore, the Court only addresses her factual allegations.
Plaintiff Spano alleges that he suffered from identity theft after the breach because he detected unfamiliar and unauthorized transactions on two of his credit cards, including fraudulent charges at a store leading him to close the account, and that he received notice from a credit reporting company that someone was attempting to change the mailing address on his accounts. (Doc. 68 ¶ 164-65.) He also spent time monitoring his accounts and filed a police report regarding the fraud he experienced. (Id. ¶ 162.) Plaintiff Spano's allegation appear to carry more weight than his co-Plaintiffs', however, he also fails to allege that the actual misuse of this information resulted in cognizable damages. He does not allege that he was required to or did pay the unauthorized transactions or had any out-of-pocket expenses. Plaintiff Spano's allegations are nothing more than damages resulting from time lost and are not cognizable.
Like Plaintiff Johnson, Plaintiff Sparo also alleges that the fact that he froze his credit supports that he alleged cognizable damages. (Id. ¶168.) Freezing credit here is untethered from the unauthorized transactions and it is not clear from the alleged facts whether he froze his credit before or after those transactions. But even so, Plaintiff Sparo fails to allege any expenses or actual damages stemming from instituting the credit freeze.
Plaintiff Ashby alleges that that she suffered from identity theft because she was alerted by the Internal Revenue Service that someone tried to file a fraudulent tax return using her information and spent time mitigating the consequences of that attempted filing. (Doc. 68 ¶ 179.) Notably, Plaintiff Ashby's allegation of identity theft is the only allegation among all Plaintiffs that does not specifically indicate the events giving rise to the alleged injury occurred after the breach. She does not allege any details pertaining to this alleged fraudulent filing other than that she was notified of the attempt, or that she incurred expenses responding to the attempt. At most, Plaintiff Ashby alleges delay in receipt of tax refund monies (see Doc. 68 ¶ 212), but does not indicate how long that delay was or if it impacted the amount refunded in anyway. Plaintiff Ashby's allegations are absent any facts to elevate them beyond insufficient general and conclusory allegations. Therefore, her allegation of identity theft giving rise to cognizable damages fail.
Plaintiff Esquivel alleges that she suffered from identity theft and/or fraud because after the breach someone attempted to log into her federal student loan account (FAFSA) and spent time investigating how to preclude unauthorized attempts to log into her account. (Doc. 68 ¶ 202-3.) Again, lost time is not cognizable here. Plaintiff Esquivel does not allege that she incurred any expenses due to the attempted log in, nor does she allege it impacted her ability obtain any student aid she desired. Therefore, her alleged identity theft is purely speculative and insufficient to plead a cognizable injury.
g. Delay in Notice
Yuma Regional argues that Plaintiffs' allegations that the two-month delay in notice gives rise to cognizable damages fails because they do not allege any incremental harm caused by the delay and not the breach itself. (Doc. 74 at 14.) Plaintiffs rebut that the delay exacerbated the harms alleged and is sufficient to create cognizable damages. (Doc. 75 at 15-16.) As discussed, however, those harms do not give rise to cognizable damages to whatever extent those harms stem from the delay and not the breach. The parties do not cite any case law related to unreasonable delays under a negligence claim or Arizona law. See, e.g., Griffey 1, 562 F.Supp.3d at 56-67 (reporting requirements under Virginia statute to the Virginia Attorney General); In re MCG Health Data Sec. Issue Litig., CASE NO. 2:22-CV-849-RSM-DWC, 2023 WL 3057428, at *5 (W.D. Wash. Mar. 27, 2023) (breach of contract); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F.Supp.3d 1284, 1300 (S.D. Cal. 2020) (California Consumer Records Act); In re Sony Gaming Networks, 996 F.Supp.2d 942, 1010 (S.D. Cal 2014) (California Database Breach Act). To the extent any of these cases are instructive, the standard generally imposes a reasonableness requirement and require plaintiffs to allege incremental harm beyond the breach. See, e.g., In re Solara, 613 F.Supp.3d at 1300. Here, there are no incremental harms, therefore no harms to exacerbate the effect through delay. Thus, Plaintiffs fail to allege that the delay in notice brought on cognizable injuries.
After considering all the alleged injuries, Plaintiffs have failed to plead cognizable damages to support their negligence claim.
Plaintiff Martinez also alleges that after the breach she was unable to access her test records or schedule appointments. (Id. ¶ 68.) She also alleges that she has received spam emails for appointments she did not schedule. (Id. ¶ 70.) As the Court has previously reasoned for the other Plaintiffs, these are insufficient allegations of harm.
2. Causation
Causation is generally a question of fact for the jury. Cramer v. Starr, 11, 375 P.3d 69, 76 (Ariz. 2016). But at the pleading stage, plaintiffs must adequately allege causation for the case to proceed. Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 (2014). “[T]o prove proximate cause, a ‘[p]laintiff need only present probable facts from which the causal relationship reasonably may be inferred.'” Pompeneo v. Verde Valley Guidance Clinic, 249 P.3d 1112, 1114 (Ariz.Ct.App. 2011) (quoting Robertson v. Sixpence Inns of Am., Inc., 789 F.2d 1040, 1047 (Ariz. 1990)).
Yuma Regional argues that, even assuming Plaintiffs have adequately pleaded cognizable damages, they fail to establish the harms were caused by the breach because they are temporal only. (Doc. 74 at 16-18.) Plaintiffs respond that they have created a plausible inference of causation because they allege their PII and PHI were extracted from the breach and used for spamming purposes, filing fraudulent tax returns, accessing their accounts, and posted on the “dark web.”
Although these injuries are not cognizable, Plaintiffs are correct that there is at least a plausible inference of causation. See, e.g., Stollenwerk v. Tri-W. Health Care All., 254 Fed.Appx. 664, 668 (9th Cir. 2007) (finding where a plaintiff pleaded that he actively took steps to protect his information and there were no other known thefts of his information, the plaintiff had adequately created a logical relationship between the theft of a computer and identity theft); see also Griffey 1, 562 F.Supp.3d at 44-45 (finding that where personal information was stolen directly in a data breach, the causal link is not just plausible but certain because for the plausible link in Stollenwerk, the court assumed the information could be extracted from the computer). Here, the allegations discussed herein certainly give rise to the plausibility that the breach caused the injuries.
3. Breach of Duty
Yuma Regional argues that Plaintiffs failed to allege breach of a duty owed to them because general allegations that it did not comport to “industry standards” is insufficient. (Doc. 74 at 16-17.) Plaintiffs contend that their allegations that Yuma Regional failed to adequately train its employees, failed to upgrade its security system to industry standards, and that Yuma Regional kept unencrypted personal data in an unsecured environment with knowledge of the prevalence of cyber-attacks and industry practices. (Doc. 75 at 17.)
Regarding Plaintiffs' negligence claim, in their Complaint they allege Yuma Regional owed a duty and breached that duty because it “failed to adequately safeguard their PHI in accordance with state-of-the-art industry practices.” (See Doc. 68 ¶¶ 262-264.) Plaintiffs repeatedly invoke said “industry practices.” (See id. ¶¶ 8, 43, 225.) Plaintiffs do not describe what those practices entail, and presume that because the breach occurred, Yuma Regional's system was not up to par. As pleaded, Plaintiffs' allegations rely on speculation that, had Yuma Regional used the industry standards, the breach would not have occurred. See Quinalty, 2024 WL 342454, at *4 (finding mere allegations of industry standards insufficient to plead a duty owed). These allegations are conclusory and employ circular reasoning. Plaintiffs' allegations that Yuma Regional “kept the unencrypted personal data or Plaintiffs and Class Members in an unsecured internet-accessible environment” do not appear in the Complaint. (See Doc. 68 ¶¶ 36-39, 42-43, 228-33, 235.) This argument appears couched in Plaintiffs' presumed conclusion that because the breach happened, it must be true Yuma Regional's system is insecure. (See Doc. 68 ¶¶ 36-39, 42-43, 228-33, 235.) As such, these allegations are insufficiently pleaded to establish breach of a duty, whatever that duty may have been.
4. Negligence Per Se
Yuma Regional argues that negligence per se is not a standalone cause of action, and Plaintiffs cannot otherwise rely on negligence per se to establish the duty element of negligence. (Doc. 74 at 18.) Plaintiffs respond in arguing that Yuma Regional violated its own privacy policy, as well as HIPAA and the FTC Act (the “FTCA”), therefore negligence per se applies. (Doc. 75 at 19-20 (citing Doc. 68 ¶¶ 31-33, 270-287.)
Yuma Regional is correct. “Negligence per se is not a cause of action separate from common law negligence. It is a doctrine under which a plaintiff can establish the duty and breach elements of a negligence claim based on a violation of a statute that supplies the relevant duty of care.” Craten v. Foster Poultry Farms Inc., 305 F.Supp.3d 1051, 1054 n.2 (D. Ariz. 2018). “[Violation of a statute establishes the elements of duty and breach, requiring the plaintiff to prove only proximate cause and damages.” Resolution Trust Corp. v. Dean, 854 F.Supp. 626 (D. Ariz. 1994). Plaintiffs do not dispute that neither HIPAA nor the FTCA provide a private right of action. See Gannon, 2023 WL 6536477, at *2. To the extent Plaintiffs do not bring suit in direct violation of the statute but relies on them for evidence that a duty was established, both acts provide their own enforcement mechanisms and do not create a private right of action nor provide evidence of a duty. See id. (collecting cases). Accordingly, the Court will dismiss Plaintiffs' negligence per se claim with prejudice to the extent it is a standalone cause of action. Griffey 1, 562 F.Supp.3d at 47.
B. Implied Contract
Contracts may be express or implied. Barmat v. John & Jane Doe Partners A-D, 747 P.2d 1218, 1220-21 (Ariz. 1987) (“The distinction between an express contract and one implied in fact is that in the former the undertaking is made by words written or spoken, while in the latter conduct rather than words conveys the necessary assent and undertakings.”). Plaintiffs carry the burden to prove existence of a contract, its breach, and the resulting damages. Thomas v. Montelucia Villas, LLC, 302 P.3d 617, 621 (Ariz. 2013). A valid contract requires “offer, acceptance of the offer, consideration, sufficient specification of terms so that the obligations involved can be ascertained, and the parties must have intended to be bound by the agreement.” Day v. LSI Corp., 174 F.Supp.3d 1130, 1153 (D. Ariz. 2016) (citations omitted).
Yuma Regional argues that its privacy policy does not provide sufficient specification of terms to establish an implied contract. (Doc. 74 at 18-20.) Yuma Regional further argues that Plaintiffs failed to adequately plead consideration because they do not allege that they relied on Yuma Regional's privacy policy before they received treatment and Yuma Regional was already had a pre-existing legal duty to provide protection to Plaintiffs' information. (Id.; Doc. 78 at 11-12.) Plaintiffs argue that Yuma Regional advertises through its privacy policy that it is “committed to protecting the confidentiality [its patients'] medical information,” and that patients have a right to “expect that treatment records are confidential” absent consent. (Doc. 75 at 20 (citing Doc. 68 ¶¶ 33-34.) According to Plaintiff's, when they entrusted their information to Yuma Regional, they had an expectation that it would remain confidential. (Id.) Plaintiffs further argue that Yuma Regional's assurances that they could expect their information to remain confidential establishes contractual duties beyond those imposed by law. (Id.)
The Court notes that Plaintiffs provide the following citation: “Dearing v. Magellan Health, Inc., No. CV 2020-013648, 2021 WL 7186207, at *4 (Ariz. May 6, 2021).” (Id. at 21.) The Court, however, cannot locate that case, nor does the citation provide effective means to locate it. Therefore, the Court declines address arguments related to the case.
Yuma Regional is correct in part. Plaintiffs do allege the privacy policy exists, that is undisputed. And it is undisputed that the policy provides that Yuma Regional will maintain safeguards to protect patients' information and that it will notify patients upon discovering a breach. (See Doc. 74 at 6.) Yuma Regional's policy providing for the possibility of a breach does not negate its commitment to safeguard patients' information. See, e.g., Durgan, 2023 WL 7114622, at *4 (finding a privacy policy provided adequate terms under similar circumstances). But even if these terms are sufficient, Plaintiffs do not allege that they read or relied on the privacy policy before entering a business relationship with Yuma Regional to establish valid consideration. See Durgan, 2023 WL 7114622, at *4 (finding a privacy policy could not provide the basis for reliance to support consideration where plaintiffs never read or relied on the policy before entering a business relationship with the defendant). Plaintiffs' allegations are merely conclusory. Further, the privacy policy providing that patients could expect their information to remain confidential does not necessarily promise an outcome that a breach would not occur. As such, Plaintiffs have failed to articulate how Yuma Regional's promises exceed pre-existing legal obligations. See In re Banner Health, 2017 WL 6763548, at *3 (noting the performance of a promise to do something a party is already legally obligated to do does not provide adequate consideration). Therefore, Plaintiffs failed to state an implied contract claim.
Plaintiffs also allege a breach of the covenant of good faith and fair dealing. (Doc. 68 ¶¶ 297-305.) Arizona law implies a covenant of good faith and fair dealing in every contract. Wells Fargo Bank v. Ariz. Laborers, Teamsters & Cement Masons Local No. 395 Pension Trust Fund, 38 P.3d 12, 28 (Ariz. 2002) (en banc). However, because the Court concludes Plaintiffs have not adequately alleged an enforceable promise here, Yuma Regional could not have breached the implied covenant of good faith and fair dealing. See In re Banner Health, 2017 WL 6763548, at *5.
C. Unjust Enrichment
Under Arizona law, “[u]njust enrichment occurs when one party has and retains money or benefits that in justice and equity belong to another.” Loiselle v. Cosas Mgmt. Group, LLC, 228 P.3d 943, 946 (Ariz.Ct.App. 2010). A party must allege: “(1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and the impoverishment, (4) the absence of justification for the enrichment and the impoverishment, and (5) the absence of a remedy provided at law.” Span v. Maricopa Cnty. Treasurer, 437 P.3d 881, 886 (Ariz.Ct.App. 2019).
Plaintiffs allege that because Yuma regional failed to provide adequate data security practices and retained a portion of monies Plaintiffs spent in the transactions that cover the expenses of said practices, Yuma Regional was unjustly enriched. (Doc. 68 ¶¶ 306-312.) Yuma Regional argues Plaintiffs' allegations fall short of stating a claim because they fail to allege an amount they paid in connection with and for the security practices, and otherwise fail to specify why the practices deployed were inadequate. (Doc. 74 at 20-21.) Plaintiffs rebut that they have adequately alleged Yuma Regional failed to adhere to specific industry practices, like encrypting information, disposing of unneeded data, and updating or patching software to sustain their unjust enrichment claim. (Doc. 75 at 21-22 (citing Doc. 68 ¶¶ 36, 42-43, 225, 237-45).) Plaintiffs further argue that unjust enrichment is only unavailable if they already received the benefit of the bargain, in which they argue they have not. (Id.) Yuma Regional replies that Plaintiffs specific industry practices are conclusory and assume that because the breach occurred, the practices were not in place. (Doc. 78 at 12-13.) Yuma Regional further contends that allegations that Plaintiffs paid for “treatment services” does not mean that because a breach occurred, Plaintiffs did not receive the services for which they paid. (Id.)
Yuma Regional is correct. First, Plaintiffs do not allege any specifics to decern the amount they paid that would go towards security practices and is based on speculation that Yuma Regional recovers those costs by building them into the provision of medical treatment. Plaintiffs also do not specify to whom they paid other than through a vague reference to them “confer[ing] a monetary benefit upon [Yuma Regional] in the form of monies paid for treatment services.” (Doc. 68 ¶ 308 (emphasis added).); see Griffey II, 2022 WL 1811185, at *6 (finding alleging that plaintiff's paid for health services that the defendant sold does not specify to whom those payments were made and are insufficient to support an unjust enrichment claim). Assuming payment for treatment services includes payments earmarked for security of the data, that assumption requires further speculation that Yuma Regional did not use that money to safeguard their data and retained some benefit. Second, Plaintiffs' “specific industry practices” argument assumes in a conclusory fashion, for example, that because the breach occurred the information must not have been encrypted. The Court has already rejected such circular reasoning. Finally, for this same reason, the allegation that Plaintiffs have not yet received the benefit of their bargain is inadequate. Even though Yuma Regional assured its patients that it would safeguard their information, which is not reasonably a promise to an impenetrable system, and the fact that a breach occurred, does not show Yuma Regional did not provide the safeguards promised. Plaintiffs' proof is in the pudding approach all the while asserting vague, speculative, and conclusory allegations uttered as fact to show their predetermined conclusion is exactly that-a mere conclusion lacking sufficient facts. See, e.g., Feins v. Goldwater Bank NA, No. CV-22-00932-PHX-JJT, 2022 WL 17552440, at *7 (D. Ariz. Dec. 9, 2022) (finding “a data breach does not by itself demonstrate an inadequate data security infrastructure”); Griffey 1, 562 F.Supp.3d at 49 (rejecting unjust enrichment allegations because plaintiffs failed to explain why the defendant's security system was inadequate).
D. ACFA
Plaintiffs allege that Yuma Regional violated ACFA, see Ariz. Rev. Stat. § 44-1522(A), by using deceptive acts or practices and fraudulently withheld material facts in connection with the sale of medical services. (Doc. 68 ¶ 313-323.) Yuma Regional argues dismissal is appropriate because (1) Plaintiffs failed to satisfy Federal Rule of Civil Procedure 9(b)'s particularity requirements by asserting boilerplate elements of the claim; and (2) Plaintiff's failed to articulate the specific omissions they allegedly relied upon or that reliance was possible. (Doc. 74 at 21-22; Doc. 78 at 15-16.) Plaintiffs reassert many of their arguments used to justify other claims, e.g., they explained how Yuma Regional failed to safeguard their information by alleging (1) an untimely notification; (2) inadequate employee training; (3) use of outdated software; (4) compliance with HIPAA and the FTCA; and (5) maintenance of the system, data, and use of encryption were inadequate. (Doc. 75 at 23-24.) Plaintiffs further argue that they relied on the absence of disclosed material related to Yuma Regional's security systems, and had it disclosed the details, they would not have provided their information. (Id.)
Under the ACFA, it is unlawful for any person to use or employ “any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise.” Ariz. Rev. Stat. § 44-1522(A). To state a claim under the ACFA, “a plaintiff must show (1) a false promise or misrepresentation made in connection with the sale or advertisement of ‘merchandise,' and (2) consequent and proximate injury resulting from the misrepresentation.” Watts v. Medicis Pharmaceutical Corp., 365 P.3d 944, 953 (Ariz. 2016) (citing Kuehn v. Stanley, 91 P.3d 346, 351 (Ariz.Ct.App. 2004)).
“It is established law that Rule 9(b)'s particularity requirement applies to state law causes of action relating to fraud when asserted in federal court.” Irving Firemen 's Relief & Ret. Fund v. Uber Techs., Inc., 998 F.3d 397, 404 (9th Cir. 2021) (citation omitted). To satisfy this standard, plaintiffs “must ‘identify the who, what, when, where, and how of the misconduct charged, as well as what is false or misleading about the purportedly fraudulent statement, and why it is false.'” Depot, Inc. v. Caring for Montanans, Inc., 915 F.3d 643, 668 (9th Cir. 2019) (citation omitted). Plaintiffs filing a ACFA fraud-by-omission claim, however, faces a slightly more relaxed burden, due to the fraud-by-omission plaintiff's inherent inability to specify the time, place, and specific content of an omission in quite as precise a manner.” Griffey 1, 562 F.Supp.3d at 53-54. Plaintiffs, however, must articulate the “how.” Griffey 1, 562 F.Supp.3d at 54. Plaintiffs can show reliance on an omission by showing that had the information been disclosed, they would have been aware of it and behaved differently. In re Ariz. Theranos, Inc., Litig., 256 F.Supp.3d 1009, 1028 (D. Ariz. 2017), on reconsideration in part, No. 2:16-CV-2138-HRH, 2017 WL 4337340 (D. Ariz. Sept. 29, 2017) (noting plaintiffs must describe the content of the omission and provide representative examples that they relied on to make their alleged uninformed purchased). “Injury occurs when the consumer relies on the misrepresentation, even though reliance need not be reasonable.” Correa v. Pecos Valley Dev. Corp., 617 P.2d 767, 771 (Ariz.Ct.App. 1980).
Plaintiffs' allegations for the “how” are insufficient. A material omission “must be logically related to the transaction in which it occurs and rationally significant to the parties in view of the nature and circumstances of the transaction.” Haisch v. Allstate Ins. Co., 5 P.3d 940, 945 (Ariz.Ct.App. 2000). There are two issues here. First, the omission of the details underlying Yuma Regional's security system, the inadequacy of which Plaintiffs claim are material, are not logically related to the transaction because Plaintiffs do not allege that they were aware of or read the privacy policy. In other words, on these facts, it is not possible to establish reliance absent some indication of awareness of the policy claimed to be omitting facts at the time the reliance allegedly occurred. See Kuehn, 91 P.3d at 352 (holding reliance was not possible because the plaintiffs became aware of the alleged misrepresentation after the transaction at issue). Second, Plaintiffs fail to establish whether the privacy policy is false or misleading. Plaintiffs essentially call for the Court to speculate that, had Yuma Regional disclosed the specific or technical details of its security apparatus, that Plaintiffs would appreciate those details and would base their decision to receive medical care on the adequacy of that information. Yuma Regional made no absolute guarantee against rogue actors' ability to penetrate its system and extract information. Plaintiffs' allegations that the system and the response Yuma Regional did deploy was insufficient is conclusory without factual support. Therefore, the Court will dismiss Plaintiffs' ACFA claim.
E. Leave to Amend
Federal Rule of Civil Procedure 15(a) requires that leave to amend be “freely give[n] when justice so requires.” Leave to amend should not be denied unless “the proposed amendment either lacks merit or would not serve any purpose because to grant it would be futile in saving the plaintiff's suit.” UniversalMortg. Co. v. Prudential Ins. Co., 799 F.2d 458, 459 (9th Cir. 1986). Therefore, “a district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (cleaned up).
While Plaintiffs have not requested leave to amend, Yuma Regional has not argued that it would be prejudiced if Plaintiffs amend their claims. Aside from Plaintiffs' negligence pro se claim, their negligence, implied contract, unjust enrichment, and ACFA claims are dismissed as not pleaded with the necessary facts to state a claim. How Plaintiffs may cure those deficiencies is not abundantly clear to the Court. But because Plaintiffs could remedy the deficiencies identified, it is inappropriate for the Court to dismiss them with prejudice at this time. Thus, leave to amend shall be granted on the negligence, unjust enrichment, implied contract, and ACFA claims.
IV. CONCLUSION
Accordingly, IT IS ORDERED granting Defendant Yuma Regional Medical Center's Motion to Dismiss Plaintiffs' Consolidated Class Action Complaint (Doc. 74). Yuma Regional's Motion as to all claims is granted for failure to state a claim, with leave to amend (Doc. 68 Counts 1, 3 through 5), except for Plaintiffs' negligence per se claim, which are dismissed with prejudice (Doc. 68 Count 2).
IT IS FURTHER ORDERED that Plaintiffs shall file a Second Amended Complaint, if they so choose, no later than 30 days after this Order is filed.
IT IS FURTHER ORDERED that, if Plaintiffs fail to file an amended complaint within 30 days of the date of this Order, the Clerk of the Court shall enter judgment dismissing this entire case without prejudice.
IT IS FURTHER ORDERED vacating the oral argument scheduled for November 25, 2024 (Doc. 79).