
District of Arizona Clarifies Causes of Action Available for Breach of Health Data

Healthcare providers wrestling with the legal fallout of cyber-attacks just received a fresh reminder from the District of Arizona: traditional tort and contract theories remain difficult to sustain after a breach, but consumer-fraud statutes can keep a case alive. 

In Johnson v. Yuma Regional Medical Center, fourteen patients sued the hospital after a ransomware incident exposed the data of roughly 700,000 individuals. In a 16-page opinion, Judge Susan M. Brnovich dismissed four of the five causes of action—negligence, breach of implied contract, unjust enrichment, and breach of fiduciary duty—while allowing a single claim under the Arizona Consumer Fraud Act ("ACFA") to proceed.

Tort and Contract Claims Dismissed

  1. No Stand-Alone “Cyber-Duty”
    The court held the hospital owed no common-law duty to protect patients from purely economic losses flowing from the breach. Arizona’s “assumed-duty” doctrine (as set forth in Section 323 of the Restatement (Second) of Torts) requires physical harm, and the statutory sources plaintiffs cited (HIPAA, the FTC Act, and Arizona’s medical-records statute) do not, in the Court’s opinion, create a private tort duty.
  2. Implied Contract Theory
    Plaintiffs pointed to the hospital’s Notice of Privacy Practices and Privacy Policy, which pledged that it was “committed to protecting” patient data. The court deemed that language too vague—more aspirational than contractual—and noted the pledge did not promise security beyond the hospital’s existing HIPAA obligations. 
  3. Unjust Enrichment Lacked a Concrete Benefit
    Because the hospital actually spent the patients’ payments on providing care (including some security measures), plaintiffs could not show the hospital retained any unfair windfall.
  4. No Hospital-Patient Fiduciary Duty
    The Court found that, unlike a physician, a hospital as an institution does not automatically owe fiduciary duties to patients, especially where the alleged confidentiality breach arises from third-party criminal acts (that is, from the actions of the threat actors).

Consumer-Fraud Claim Survived

The Court took a different view of plaintiffs’ fraud-by-omission theory under the ACFA. Patients alleged they received the hospital’s Notice of Privacy Practices and Privacy Policy, relied on its assurances of confidentiality, and were never told about major security deficiencies. Although Rule 9(b) normally demands specificity, the court recognized that omission-based fraud claims have some leeway, since plaintiffs cannot pinpoint “the time, place and specific content” of an undisclosed fact. The complaint alleged enough detail to suggest they would have acted differently had the hospital disclosed its security gaps, so the ACFA claim moves forward to discovery.

Key Takeaways for HIPAA Compliance and Breach Response

HIPAA remains a regulatory, not civil-liability, framework
Courts continue to resist plaintiffs’ efforts to convert HIPAA into a private duty or implied contract. Compliance failures can trigger OCR investigations and penalties, but they rarely translate directly into negligence or contract damages. 

Consumer-protection statutes are a real litigation risk
Even when traditional tort claims fail, plaintiffs can survive a motion to dismiss by alleging that privacy notices or online policies omitted material facts. Updating these documents—and ensuring they accurately reflect the current security environment—has never been more important.

“Puffery” is not a complete shield
Generic statements that an organization is “committed to protecting” data may be safe from contract claims, but they offer little defense against fraud-by-omission allegations if the actual security posture is weak. Precision and transparency are critical. 

Economic harms alone may not clear the duty hurdle
At least in the District of Arizona, purely financial injuries from data theft are unlikely to support negligence under an assumed-duty theory. Plaintiffs must, therefore, focus on statutory avenues or show additional, non-economic harms.

Post-incident communications matter
The hospital’s proactive credit-monitoring offer and security upgrades did not insulate it from liability. Courts evaluate duty and deception based on pre-breach disclosures, not post-breach remediation.

Conclusion

Johnson reinforces a growing trend: HIPAA violations, standing alone, seldom generate private negligence or contract liability, but plaintiffs can still gain traction by framing their case as a deceptive practice or fraud-by-omission claim where the underlying state laws support such claims. Healthcare entities should view privacy notices as live documents—not boilerplate—and align them closely with the organization’s actual cyber-security capabilities.

Plaintiffs have not adequately established public policy imposes a legal duty.
