FIFTH DIVISION MCFADDEN, P. J., HODGES and PIPKIN, JJ.

NOTICE: Motions for reconsideration must be physically received in our clerk’s office within ten days of the date of decision to be deemed timely filed. https://www.gaappeals.us/rules

October 6, 2025

In the Court of Appeals of Georgia

A25A1133. BLAND et al. v. UROLOGY OF GREATER ATLANTA, LLC.

MCFADDEN, Presiding Judge.

The plaintiffs in this putative class-action lawsuit stemming fron a data breach appeal the dismissal of their complaint under OCGA § 9-11-12 (b) (6) for failure to state a claim. Because it does not appear with certainty that the plaintiffs would be entitled to no relief under any set of facts that could be proven in support of their claims for negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and injunctive relief, we reverse the trial court’s dismissal of those claims. We affirm the trial court’s dismissal of the plaintiffs’ claim for unjust enrichment. Finally, we hold that the trial court judge did not abuse her discretion in dismissing the unjust enrichment claim with prejudice.1 1. Background (a) Legal principles applicable to motions to dismiss for failure to state a claim “We review the grant of a motion to dismiss [for failure to state a claim] de novo. And the well-established test that must be satisfied before a motion to dismiss can be granted is a demanding one[.]” Norman v. Xytex Corp., 310 Ga. 127, 130-131 (2) (848 SE2d 835) (2020) (citations and punctuation omitted). A trial court may grant a motion to dismiss for failure to state a claim “when the plaintiff would not be entitled to relief under any state of provable facts asserted in support of the allegations in the complaint and could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought.” Collins v. Athens Orthopedic Clinic, 307 Ga. 555, 560 (2) (a) (837 SE2d 310) (2019) (citation and punctuation omitted). See also OCGA § 9-11-12 (b) (6). The court must construe

Oral argument was held in this case on June 2, 2025, and is archived on the court’s website. See Court of Appeals of Georgia, Oral Argument, Case No. A25A1133 (June 2, 2025), available at https://vimeo.com/1091265038. “any doubts regarding the complaint . . . in favor of the plaintiff.” Norman, 310 Ga. at 131 (2).

Under Georgia law, a complaint must only “give the defendant fair notice of what the claim is and a general indication of the type of litigation involved; the discovery process bears the burden of filling in details.” Dillingham v. Doctors Clinic, 236 Ga. 302, 303 (223 SE2d 625) (1976). For this reason, the “Georgia test is more difficult for movants to pass than the equivalent federal test, because the federal test imposes on plaintiffs a more stringent pleading standard.” Norman, 310 Ga. at 131 n.

4 (2) (citations and punctuation omitted). See generally Ashcroft v. Iqbal, 556 U.S. 662, 679 (IV) (A) (129 SCt 1937, 173 LE2d 868) (2009) (under federal law, legal conclusions recited in complaint “must be supported by factual allegations” that “plausibly give rise to an entitlement to relief”). Similarly, while “evidence beyond mere allegations [is] required in order for the claimants to prevail” on a summary judgment motion, “[n]ot so” for motions to dismiss for failure to state a claim.

Collins, 307 Ga. at 560 (1) (a) (emphasis omitted).

(b) On information and belief

Before we set forth the allegations in the plaintiffs’ complaint, we address an argument made by the appellee that concerns the complaint’s allegations generally.

The appellee argues that the plaintiffs’ allegations made on information and belief should be disregarded. In support of this argument, it cites a Georgia Supreme Court opinion from 1936, Nance v. Daniel, 183 Ga. 538 (189 SE 21) (1936), in which the court affirmed a trial court’s ruling sustaining a general demurrer, in part because the plaintiffs “allege[d] only the plaintiffs’ information and belief that the defendant expect[ed] and intend[ed] to comply with [a certain] proclamation, without averring as a fact that he expect[ed] and intend[ed] to do so.” Id. at 543. The court held that “[t]he pleader must allege the fact on information and belief, and not that he is informed and believes that the fact exists.” Id. But in Tate v. Potter, 216 Ga. 750, 751-752 (1) (a) (119 SE2d 547) (1961), the court explained that a plaintiff’s claim was sufficiently alleged when an allegation was a “positive averment[ ] of facts based upon information and belief, presumptively not within the knowledge of the plaintiff.” Accord McLemore v. Life Ins. Co., 117 Ga. App. 155, 158 (2) (159 SE2d 480) (1968) (“While an allegation that one is informed and believes a fact exists is a mere statement as to one’s information and belief and is not

equivalent to a positive allegation of the fact itself, an allegation of fact on information and belief is sufficient.”) (citation and punctuation omitted). Such is the case here.

In any event, Nance was decided before the enactment of the Civil Practice Act.

Pre-Act complaints were construed most strongly against the pleader when considered on general demurrer and in light of its omissions as well as its averments. If an inference unfavorable to the pleader could be fairly drawn from the facts alleged, that inference would prevail in determining the rights of the parties. The Civil Practice Act changed these rules. . . . On a motion to dismiss, a complaint should be construed in the light most favorable to plaintiff with all doubts resolved in his favor.

Harper v. Defreitas, 117 Ga. App. 236, 237-238 (160 SE2d 260) (1968) (citations and punctuation omitted). Notably, in an opinion decided after the enactment of the Civil Practice Act, our Supreme Court reversed the dismissal for failure to state a claim a petition for quo warranto, even though the petitioner’s crucial allegation that a judge did not satisfy a residency requirement for holding office was made “on information and belief.” Anderson v. Flake, 267 Ga. 498, 500 (480 SE2d 10) (1997). The court applied the standard that we apply here and reversed the dismissal because it could not “be said that, within the framework of the [p]etition, no evidence could be introduced

that would support a finding that at the time the [p]etition was filed, [the judge] did not satisfy the residency requirement for holding office. . . .” Id. at 501 (2).

(c) The plaintiffs’ amended complaint and the procedural background Viewed with these principles in mind, the following facts reflect the well-pleaded allegations set forth in the amended complaint. The named plaintiffs, Michael Bland and Cathy Kreider, provided the defendant, Urology of Greater Atlanta, LLC, with highly sensitive, protected health information and personally identifiable information in order to obtain services from or employment with the defendant. The information that they provided included names, addresses, dates of birth, dates of service, patient account numbers, diagnoses, treatments, social security numbers, bank account information, and credit card numbers.

Beginning on August 8, 2021, unauthorized cybercriminals accessed from the defendant’s computer system the sensitive information of more than 79,000 individuals, including the named plaintiffs. The cybercriminals took the information to engage in identity theft or to sell it to other criminals who will engage in identify theft. The plaintiffs allege on information and belief that the cybercriminals have

placed the information, including social security numbers, for sale on the so-called dark web.2 The defendant learned of the data breach on August 29, 2021. Named plaintiff Bland received a notice dated November 29, 2022, that his information was involved in the data breach. Named plaintiff Kreider received a notice dated February 17, 2023, that her information was involved in the breach.

Since receiving notice of the breach, the plaintiffs have spent time verifying the impact of the data breach, exploring credit-monitoring and identify-theft-insurance options, and monitoring their accounts. They have suffered actual identify theft and out-of-pocket expenses, among other damages. Further, the breach has diminished the value of their protected health information and personally identifiable information.

They are at imminent risk of additional harms and damages.

The plaintiffs filed an amended complaint, alleging claims for negligence; breach of implied contract; breach of the implied covenant of good faith and fair The “dark web” is “the set of web pages on the World Wide Web that cannot be indexed by search engines, are not viewable in a standard Web browser, require specific means (such as specialized software or network configuration) in order to access, and use encryption to provide anonymity and privacy for users.” https://www.merriam-webster.com/dictionary/dark%20web (retrieved Sept. 24, 2025). dealing; and unjust enrichment. They sought damages, injunctive relief, and attorney fees. The defendant moved to dismiss the complaint under OCGA § 9-11-12 (b) (6) on the ground that the plaintiffs failed to state a claim upon which relief can be granted. The trial court granted the motion, and the plaintiffs filed this appeal.

2. Negligence The plaintiffs argue that the trial court erred by dismissing their negligence claim. We agree.

“[T]o recover for injuries caused by another’s negligence, a plaintiff must show four elements: a duty, a breach of that duty, causation, and damages. In other words, before an action for a tort will lie, the plaintiff must show he sustained injury or damage as a result of the negligent act or omission to act in some duty owed to him.”

Collins, 307 Ga. at 557-558 (2) (citations and punctuation omitted). The trial court dismissed the negligence claim on two grounds: that the plaintiffs failed to allege that the defendant breached a duty of care and that they failed to allege a cognizable injury.

(a) Duty of care A “duty can arise either from a valid legislative enactment, that is, by statute, or be imposed by a common law principle recognized in the caselaw.” Rasnick v.

Krishna Hospitality, 289 Ga. 565, 566-567 (713 SE2d 835) (2011). The plaintiffs argue that a duty arises from established negligence principles. See Collins, 307 Ga. at 563 n.7 (2) (noting that the court applied “traditional tort law” to a case involving a data breach).

No Georgia appellate court has decided whether or not a duty arises under traditional tort law principles in a data breach case involving employees and patients of a medical practice, like this one. Cf. Collins, 307 Ga. at 563 (2) (“leav[ing] . . . for another day” the issue of breach of duty in a data exposure case).

In the absence of Georgia authority we may consider persuasive federal court decisions applying Georgia law in similar cases. Our Supreme Court did so in Collins. 307 Ga. at 564-565 (4).

In Ramirez v. The Paradies Shops, 69 F4th 1213 (11th Cir. 2023), the United States Court of Appeals for the Eleventh Circuit determined that under principles of Georgia tort law, an employer had a duty to protect its employees’ sensitive, personally identifiable information from cybercriminals during a data breach, given the allegations that the risk of a data breach was reasonably foreseeable. Id. at 1219-1221 (II) (A) (i), (ii) (“Without clear guidance from Georgia courts on the asserted duty to

safeguard [personally identifiable information], we must apply traditional tort law to [the plaintiff’s] alleged injury to determine whether [the defendant] owed him a duty of care.”) (citation and punctuation omitted).

We find the Eleventh Circuit’s analysis to be persuasive. That court held that under Georgia law, [a] person is under no duty to rescue another from a situation of peril which the former has not caused. But, if the defendant’s own negligence has been responsible for the plaintiff’s situation, a relation has arisen which imposes a duty to make a reasonable effort to give assistance, and avoid any further harm. In other words, traditional negligence principles provide that the creator of a potentially dangerous situation has a duty to do something about it so as to prevent injury to others[;] that is, the creator has a duty to eliminate the danger or give warning to others of its presence.

Ramirez, 69 F4th at 1219 (II) (A) (i) (citations, punctuation, and emphasis omitted).

The court held that “the scope of the duty owed by a defendant is generally limited to reasonably foreseeable risks of harm.” Ramirez, 69 F4th at 1219 (II) (A) (i) (citation and punctuation omitted). The court added that “while the intervening criminal act of a third person will often insulate a defendant from liability for an original act of negligence, that rule does not apply when the defendant had reason to anticipate the criminal act.” Id. The court noted that while the defendant did not owe a duty to all the world, it owed a duty of care to those with whom it had a special relationship, such as the employer-employee relationship at issue there. Id. at 1220 (II) (A) (ii) .

Applying these principles to the plaintiffs’ amended complaint, we hold that the plaintiffs sufficiently allege that the defendant had a legal duty to protect their personal information on the basis of the foreseeable risk of a data breach. The plaintiffs allege that millions of healthcare records were unlawfully disclosed in hundreds of data breaches in 2019 alone, and that such data breaches are increasingly common, especially in healthcare entities. The plaintiffs allege that medical identity theft is a growing crime. They allege that the defendant knew of the importance of safeguarding their private information and the foreseeable consequences of a data breach. They allege that the defendant could have prevented the data breach by properly securing and encrypting its servers, but it failed to do so in spite of the repeated warnings and alerts about protecting sensitive data and the prevalence of public announcements about data breaches.

[D]ata breach cases present unique challenges for plaintiffs at the pleading stage [and w]e cannot expect a plaintiff in [these plaintiffs’] position to plead with exacting detail every aspect of [the defendant’s] security history and procedures that might make a data breach foreseeable, particularly where the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts.

Ramirez, 69 F4th at 1220 (II) (A) (ii) (citation and punctuation omitted).

Viewing the allegations in the light most favorable to the plaintiffs, it cannot be said that the plaintiffs would “not be able to introduce sufficient evidence [to support a finding of duty] within the framework of the complaint.” Collins, at 563 (3). The plaintiffs have sufficiently alleged a duty so as to survive the motion to dismiss.

(b) Cognizable injury The plaintiffs argue that the trial court erred in dismissing their negligence claim on the ground that they failed to allege a cognizable injury. We agree.

In Collins, our Supreme Court held that the plaintiffs’ allegations that “criminals are now able to assume their identities fraudulently and that the risk of such identity theft is imminent and substantial” were factual allegations that must be accepted as true. 307 Ga. at 561 (2) (a) (punctuation omitted). And viewing those

allegations in the light most favorable to the plaintiffs, the court held, it could not be said that the plaintiffs would “not be able to introduce sufficient evidence of injury within the framework of the complaint.” Id. at 563 (3). See Tracy v. Elekta, Inc., 667 FSupp3d 1276, 1283 (III) (A) (1) (N.D. Ga. 2023) (“Collins [holds] that an injury exists where, at the very least, criminals have hacked into a data system and exfiltrated personally identifiable information and protected health information”).

Like the plaintiffs in Collins, the plaintiffs here allege that cybercriminals stole a large amount of their personal data by infiltrating the defendant’s network; ; that the cybercriminals offered at least some of the data for sale; that unauthorized individuals can now access the plaintiffs’ information; and that the plaintiffs are at risk of “imminent and impending injury arising from the substantially increased risk of fraud, identity theft and misuse [because their protected information was] placed in the hands of unauthorized third parties/criminals.” The plaintiffs sufficiently alleged a cognizable injury. See Collins, 307 Ga. at 562 (2) (b).

As the plaintiffs’ have pled a legally cognizable injury so as to survive a motion to dismiss, we do not address the correctness of the trial court’s specific reasoning regarding the potential categories of damages the plaintiffs have alleged.

In sum, under our de novo review, “we cannot say that the plaintiffs will not be able to introduce sufficient evidence of [duty and] injury within the framework of the complaint. . . . [Their] allegations are sufficient to survive a motion to dismiss the . . . negligence claims.” Collins, 307 Ga. at 563 (3).

3. Breach of an implied contract The plaintiffs argue that the trial court erred by dismissing their claim for breach of an implied contract for data security. We agree.

“A contract is an agreement between two or more parties for the doing or not doing of some specified thing.” OCGA § 13-1-1. “To constitute a valid contract, there must be parties able to contract, a consideration moving to the contract, the assent of the parties to the terms of the contract, and a subject matter upon which the contract can operate.” OCGA § 13-3-1. “[C]ontracts implied in fact depend upon the will of the parties to be bound, indicated . . . by circumstances from which assent may be inferred as a conclusion of fact.” Butts County v. Jackson Banking Co., 129 Ga. 801, 808 (60 SE 149) (1908).

The trial court held that the plaintiffs failed to establish the existence of an implied contract, because they failed to identify any facts that show that the defendant

assented to an obligation to safeguard their information. We hold that plaintiffs have alleged circumstances under which they could introduce evidence within the framework of the complaint from which a factfinder could infer the defendant’s assent.

The plaintiffs allege that they and the defendant entered into implied contracts for the provision of medical services, as well as implied contracts for the defendant to implement data security adequate to safeguard and protect the privacy of the plaintiffs’ personal information. The plaintiffs allege that they paid money and gave their private information in exchange for the defendant’s services or as a condition of their employment.

They allege that they relied on the defendant’s privacy notice, which included promises that the defendant would implement reasonable and adequate data security safeguards and would not disclose their private information to anyone, outside of certain, specific circumstances.3 The plaintiffs’ allegations in support of the breach-of-implied-contract claim largely focus on their providing personal information in order to seek medical services rather than employment, even though they also assert that the representative plaintiffs provided their personal information “as required to obtain services and/or employment” from the defendant. But the defendant does not argue on appeal any distinction between plaintiffs who sought medical services and plaintiffs who sought Our role at this stage is not to decide whether the privacy notice alone demonstrates the defendant’s assent to a contractual obligation to protect the plaintiffs’ personal information. We simply must decide whether the plaintiffs could possibly introduce evidence “within the framework of the complaint sufficient to warrant a grant of the relief sought.” Collins, 307 Ga. at 560 (2) (a) (citation and punctuation omitted). We cannot say that, within the framework of the complaint, the plaintiffs could not possibly introduce evidence of “circumstances from which assent may be inferred as a conclusion of fact.” Butts County, 129 Ga. at 808. See Hummel v. Teijin Auto. Techs., 23-CV-10341, 2023 U.S. Dist. LEXIS 167438, 2023 WL 6149059, at *11 (IV) (B) (ii) (E.D. Mich. Sept. 20, 2023) (“it is incredibly difficult to imagine, how, in our day and age of data and identity theft, the mandatory receipt of (personal information) would not imply the recipient’s assent to protect the information sufficiently”) (citation and punctuation omitted).

employment. So we do not make such a distinction at this stage of the proceedings.

Additionally, in two paragraphs of this count of the complaint the plaintiffs refer to the defendant as “BMC” instead of Urology of Greater Atlanta or “UGA,” as they do elsewhere. But the trial court did not dismiss for this reason, and the defendant does not argue any issue related to the defendant’s name.

To the extent the trial court dismissed the breach-of-implied-contract claim on the ground that the plaintiffs failed to allege a cognizable injury, the trial court erred as discussed in Division 2 (b), supra. 4. Breach of the implied duty of good faith and fair dealing The plaintiffs argue that the trial court erred by dismissing their claim for breach of the implied duty of good faith and fair dealing. We agree.

The trial court dismissed this claim because it is derivative of the dismissed breach-of-an-implied contract claim. Because we reverse the dismissal of the breach- of-an-implied-contract claim, we also reverse the dismissal of this claim. See TechBios v. Champagne, 301 Ga. App. 592, 595 (1) (c) (688 SE2d 378) (2009).

5. Unjust enrichment The plaintiffs argue that the trial court erred in dismissing their claim for unjust enrichment.4 We disagree.

“Unjust enrichment is an equitable concept and applies when as a matter of fact there is no legal contract but when the party sought to be charged has been conferred

In this count, too, the plaintiffs’ allegations focus on their paying for medical services rather than their employment, although they asserted the unjust enrichment claim on behalf of the entire proposed class. a benefit by the party contending an unjust enrichment which the benefitted party equitably ought to return or compensate for.” St. Paul Mercury Ins. Co. v. Meeks, 270 Ga. 136, 137 (1) (508 SE2d 646) (1998) (citation and punctuation omitted).

In this count of the complaint, the plaintiffs allege that the defendant “obtained a benefit by unduly taking advantage of” the plaintiffs. Although they allege that they entrusted their information to the defendant, they do not allege that this benefitted the defendant. “For example, [they] do not allege that [the defendant] used or sold [the information] for a profit.” Brooks v. Peoples Bank, 732 FSupp3d 765, 782 (III) (B) (6) (S.D. Ohio 2024).

Instead, the plaintiffs allege that they reasonably believed the defendant would keep their information safe; that the defendant was aware of this belief; that the defendant failed to disclose the vulnerabilities of its data security; and so that the defendant denied the plaintiffs the ability to make an informed purchasing decision.

These allegations do not allege a benefit conferred upon the defendant and thus do not state a claim for unjust enrichment. The trial court did not err in dismissing this claim.

6. Injunctive relief

The plaintiffs argue that the trial court erred by dismissing their prayer for injunctive relief. We agree.

OCGA § 9-5-1 provides, “Equity, by a writ of injunction, may restrain proceedings in another or the same court, a threatened or existing tort, or any other act of a private individual or corporation which is illegal or contrary to equity and good conscience and for which no adequate remedy is provided at law.” “[A] person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” TransUnion v. Ramirez, 594 U.S. 413, 435 (III) (A) (2) (141 SCt 2190, 210 LE2d 568) (2021).

The trial court dismissed the prayer for injunctive relief for three reasons: 1) given the dismissal of the plaintiffs’ claims, the prayer for injunctive relief was untethered to any valid cause of action; 2) the plaintiffs failed to allege how the injunctive relief they sought would prevent the harm they sought to prevent; and 3) the plaintiffs have an adequate remedy of law, given their allegations of monetary damages.

Because we reverse the dismissal of the plaintiffs’ claims for negligence, breach of an implied contract, and breach of the duty of good faith, we reject the trial court’s first reason for dismissing the prayer for injunctive relief.

As for the second reason, the plaintiffs allege that their information remains in the defendant’s possession and that its computer systems and networks are inadequately protected. They allege that their information is subject to further unauthorized disclosures as long as the defendant does not undertake appropriate protective measures. They allege that further unauthorized access by more cybercriminals is imminent. We hold that these allegations — taken as true — are sufficient to survive the defendant’s motion to dismiss. See In re Equifax, Inc., Customer Data Sec. Breach Litig., 371 FSupp3d 1150, 1184 (I) (I) (N.D. Ga. 2019) (applying Georgia law and denying motion to dismiss claim for injunctive relief because plaintiffs’ allegations that defendant’s “cybersecurity systems remain inadequate, and another breach is imminent” were “sufficient at this stage”).

As for the trial court’s third reason, given the prospective nature of the harm, the fact that damages could be available should another data breach occur may not amount to an adequate remedy of law. “[T]his matter is at the pleading stage and the

. . . plaintiffs are permitted to seek alternative remedies at this time.” Miller v. NextGen Healthcare, 742 FSupp3d 1304, 1325 (III) (I) (iii) (N.D. Ga. 2024).

7. Dismissal with prejudice The plaintiffs argue that the trial court erred by dismissing their complaint with prejudice instead of allowing them to amend. “Under Georgia law, dismissals on the merits, including dismissals for failure to state a claim, are typically with prejudice.”

Azizan v. Hajianbarzi, 372 Ga. App. 396, 398 n.5 (1) (903 SE2d 677) (2024). See also OCGA § 9-11-41 (b). The plaintiffs have not shown that the trial court erred in dismissing their unjust enrichment claim with prejudice. (Given our reversal of the dismissal of the claims for negligence, breach of an implied contract, and breach of the duty of good faith and fair dealing as well as the prayer for injunctive relief, this argument pertains only to the claim for unjust enrichment.)

Judgment affirmed in part and reversed in part. Hodges and Pipkin, JJ., concur.