Yesterday, a federal district court in Arizona denied in part and granted in part Banner Health’s motion to dismiss class action claims arising from a 2016 data breach.

As we reported in a previous post, hackers gained access to Banner Health’s “point-of-sale” system at food and beverage outlets at some of the health-care provider’s locations. Banner Health announced that, because of the breach, hackers may have gained “unauthorized access to patient information” and “payment card data” for approximately 3.7 million patients, employees, health-plan members, food and beverage customers, and physicians.

After the breach was disclosed, some of Banner Health’s patients, plan members, healthcare providers, and employees promptly filed suit. According to plaintiffs, Banner Health failed to separate its systems and servers containing personally identifying information (“PII”) and protected health information (“PHI”) from those used for its point-of-sale system. Banner Health moved to dismiss.

U.S. District Judge Susan R. Bolton found that plaintiffs’ allegations were sufficient to establish standing to sue under Article III. Like the Sixth and Seventh Circuits, the district court held that it was enough that plaintiffs “alleg[ed] an increased risk of identity theft due to the theft of [their] PII” to satisfy the threshold issue of harm to confer standing.

Plaintiffs, however, received a mixed decision on the substance of their claims. The district court dismissed plaintiffs’ claims for breaches of contract, of the implied covenant of good faith and fair dealing, and of the duty to perform with reasonable care. Banner’s Health Summary Plan Description, Medical Treatment Agreement, and Employee Handbook did not contain “reasonably ascertainable express promises to maintain data security” beyond the company’s “preexisting duties under the law.”

But the rest of plaintiffs’ claims fared better. Judge Bolton held that plaintiffs plausibly alleged a claim for unjust enrichment: Banner Health’s patients and members paid money “to be used for the costs of data security,” and Banner Health “failed to provide adequate data security.” Likewise, the court concluded that plaintiffs adequately pleaded claims under Arizona’s consumer-protection law, because they alleged that Banner Health’s “notices” did “not contain information about Defendant’s allegedly inadequate security practices.”

Plaintiffs’ negligence claim also survived the motion to dismiss. The district court concluded that plaintiffs properly pleaded that they incurred damages: Some of the named plaintiffs “suffered actual misuse of their personal information,” and others incurred “out-of-pocket expenses to mitigate the future risk of identity theft.” And, the court held, they adequately alleged that Banner Health’s conduct caused those damages. According to plaintiffs, the company’s “inadequate security practices” left their PII and PHI exposed, their PHI and PII was stolen, and the breach “led to identity theft and an increase risk of identity theft.”

The Banner Health breach was one of the largest in its sector. We will continue to monitor the case, so stay tuned for further updates.