Fertility Clinic Data Breach Suit Survives in Colorado Federal Court

A Colorado federal judge let most claims stand against a fertility provider hit by a ransomware gang that published patients' intimate reproductive records on the dark web, but only one plaintiff's out-of-pocket monitoring costs cleared the injury bar for negligence.

DENVER (LN) — A federal judge in Colorado on Monday issued a mixed ruling in a putative class action against Conceptions Reproductive Associates, Inc. d/b/a Conceptions Reproductive Associates of Colorado and IVI America, LLC — which plaintiffs allege owns and operates Conceptions — allowing breach of implied contract, invasion of privacy, and consumer protection claims to proceed while dismissing negligence claims for three of the four named plaintiffs who could not show a concrete, non-speculative economic loss.

The case stems from a mid-April 2024 cyberattack in which the ransomware group INC Ransom hacked defendants' systems and seized the personal health and financial records of thousands of current and former fertility patients. On April 16, 2024, INC Ransom posted on the dark web that it had a "huge amount of data from [Conceptions]," and stated that "[i]n the event that we do not come to an agreement, all data will be published." Less than two weeks later, the group made good on the threat.

Defendants did not notify affected patients until November 6, 2024 — more than 200 days after the breach — telling them in a letter that "[a]lthough we have seen no evidence of any fraud, identity theft, or other such misuse of your information in the wake of the [Data Breach], it is always a good idea for all of us to be vigilant, including to regularly review account statements, and to monitor free credit reports for any suspicious activity and to detect errors." Plaintiffs alleged that letter was misleading because their data was already live on the dark web when it was sent.

U.S. District Judge Nina Y. Wang drew a sharp line between constitutional standing and cognizable tort injury, rejecting the conflation that both sides had invited. Under Colorado law, she wrote, negligence requires "actual loss or damage" and emotional distress is only actionable when it results in "physical manifestations or mental illness." The plaintiffs' allegations of anxiety, sleep disruption, stress, fear, and frustration were, in Wang's assessment, "conclusory, boilerplate, and unsupported by any actual alleged facts regarding each Plaintiff's symptoms" — the kind of list of "generalized symptoms such as headaches, insomnia, [and] crying spells" that courts have found to be insufficient.

Only plaintiff Jason Markowitz, who enrolled in dark web monitoring for his personal information through several services costing over $100 per year after the breach, survived the negligence cut. Wang concluded that Colorado's mitigation-of-damages doctrine supported treating those out-of-pocket costs as a cognizable economic loss, and that the factual context made it plausible Markowitz would not have incurred the expense but for the breach. The negligence and negligence per se claims of the three other plaintiffs — Jane Doe, Kimberly Gibson, and Alexandra Kumor — were dismissed.

Wang also narrowed the negligence per se count, throwing out the portion premised on the Colorado Security Breach Notification Act because there was no allegation that the 200-plus-day delay in notification caused Markowitz to purchase monitoring services. She separately dismissed the FTC Act as a negligence per se predicate, agreeing with defendants that the statute's general prohibition on "unfair" commercial practices is too broad to "clearly establish" a violation under Colorado law — a conclusion she noted other federal courts applying comparable state law rules have reached.

The implied contract claim cleared the bar for all four plaintiffs. Wang held it plausible that patients who were required to hand over comprehensive personal and reproductive health information as a condition of receiving fertility treatment, and who paid substantial fees for those services, could have formed an implied contract with defendants to adequately protect that data. Colorado law permits a single payment to serve as consideration for multiple contractual obligations, she wrote, and the existence of an implied contract is ordinarily a jury question.

The invasion of privacy claim split down the middle. Wang dismissed the intrusion-upon-seclusion theory because plaintiffs failed to allege that defendants actually knew or believed that a data theft was substantially certain to occur — recklessness, she said, is not enough for that tort. But the disclosure-of-private-facts theory survived: Colorado's Supreme Court has held that a defendant need only act with reckless disregard, and that public disclosure can occur where the defendant "merely initiates the process whereby the information is eventually disclosed to a large number of persons." Wang credited the specific allegation that plaintiffs' data was "[f]ully published" on the dark web shortly after the breach over more boilerplate language about imminent publication.

The Colorado Consumer Protection Act claim largely survived as well. Wang rejected defendants' argument that plaintiffs needed to identify specific statutory subsections in their complaint, holding that federal pleading rules require facts, not legal theories. She held that plaintiffs' allegations — that defendants made specific representations about the adequacy of their data security while actually failing to meet industry and regulatory standards — plausibly stated a claim under the CCPA's prohibitions on false representations about the characteristics of services and on knowing or reckless engagement in deceptive or deliberately misleading practices. She did dismiss the portion of the CCPA claim premised on defendants' post-breach conduct, finding that deceptive statements made after the breach could not have caused patients' pre-breach payments.

Wang dismissed the unjust enrichment and intrusion-upon-seclusion claims entirely. She declined to dismiss the breach of fiduciary duty claim, finding it plausible at this early stage that a fertility provider requiring patients to disclose intimate reproductive information occupied a position of sufficient trust to give rise to a fiduciary relationship — a question of fact ordinarily reserved for a jury — and noting that defendants had made no substantive argument on damages and causation as applied to that claim.

The case, consolidated from two separately filed actions, now moves toward class certification proceedings with most of its core claims intact.