ARTICLE
1 September 2025

District Of Arizona Clarifies Causes Of Action Available For Breach Of Health Data

Baker Botts LLP

By Nick Palmieri

Healthcare providers wrestling with the legal fallout of cyber-attacks just received a fresh reminder from the District of Arizona: traditional tort and contract theories remain difficult to sustain after a breach, but consumer-fraud statutes can keep a case alive.

In Johnson v. Yuma Regional Medical Center, fourteen patients sued the hospital after a ransomware incident exposed the data of roughly 700,000 individuals. In a 16-page opinion, Judge Susan M. Brnovich dismissed four of the five causes of action—negligence, breach of implied contract, unjust enrichment, and breach of fiduciary duty—while allowing a single claim under the Arizona Consumer Fraud Act ("ACFA") to proceed.

Tort and Contract Claims Dismissed

  1. No stand-alone "cyber-duty". The court held the hospital owed no common-law duty to protect patients from purely economic losses flowing from the breach. Arizona's "assumed-duty" doctrine (as set forth in Section 323 of the Restatement (Second) of Torts) requires physical harm, and the statutory sources plaintiffs cited (HIPAA, the FTC Act, and Arizona's medical-records statute) do not, in the Court's opinion, create a private tort duty.
  2. Implied contract theory. Plaintiffs pointed to the hospital's Notice of Privacy Practices and Privacy Policy, which pledged that it was "committed to protecting" patient data. The court deemed that language too vague—more aspirational than contractual—and noted the pledge did not promise security beyond the hospital's existing HIPAA obligations.
  3. Unjust enrichment lacked a concrete benefit. Because the hospital actually spent the patients' payments on providing care (including some security measures), plaintiffs could not show the hospital retained any unfair windfall.
  4. No hospital-patient fiduciary duty. The Court found that, unlike a physician, a hospital as an institution does not automatically owe fiduciary duties to patients, especially where the alleged confidentiality breach arises from third-party criminal acts (that is, from the actions of the threat actors).

Consumer-Fraud Claim Survived

The Court took a different view of plaintiffs' fraud-by-omission theory under the ACFA. Patients alleged they received the hospital's Notice of Privacy Practices and Privacy Policy, relied on its assurances of confidentiality, and were never told about major security deficiencies. Although Rule 9(b) normally demands specificity, the court recognized that omission-based fraud claims have some leeway: plaintiffs cannot pinpoint "the time, place and specific content" of an undisclosed fact. The complaint alleged enough detail to suggest they would have acted differently had the hospital disclosed its security gaps, so the ACFA claim moves forward to discovery.

Key Takeaways for HIPAA Compliance and Breach Response

HIPAA remains a regulatory, not civil-liability, framework

Courts continue to resist plaintiffs' efforts to convert HIPAA into a private duty or implied contract. Compliance failures can trigger OCR investigations and penalties, but they rarely translate directly into negligence or contract damages.

Consumer-protection statutes are a real litigation risk

Even when traditional tort claims fail, plaintiffs can survive a motion to dismiss by alleging that privacy notices or online policies omitted material facts. Updating these documents—and ensuring they accurately reflect the current security environment—has never been more important.

"Puffery" is not a complete shield

Generic statements that an organization is "committed to protecting" data may be safe from contract claims, but they offer little defense against fraud-by-omission allegations if the actual security posture is weak. Precision and transparency are critical.

Economic harms alone may not clear the duty hurdle

At least in the District of Arizona, purely financial injuries from data theft are unlikely to support negligence under an assumed-duty theory. Plaintiffs must, therefore, focus on statutory avenues or show additional, non-economic harms.

Post-incident communications matter

The hospital's proactive credit-monitoring offer and security upgrades did not insulate it from liability. Courts evaluate duty and deception based on pre-breach disclosures, not post-breach remediation.

Conclusion

Johnson reinforces a growing trend: HIPAA violations, standing alone, seldom generate private negligence or contract liability, but plaintiffs can still gain traction by framing their case as a deceptive practice or fraud-by-omission claim where the underlying state laws support such claims. Healthcare entities should view privacy notices as live documents—not boilerplate—and align them closely with the organization's actual cyber-security capabilities.

Plaintiffs have not adequately established public policy imposes a legal duty.

hr.cch.com/...
