KANSAS CITY — A federal judge has partially granted and partially denied a motion to dismiss in a proposed class action lawsuit stemming from a 2024 data breach involving Mid America Physician Services (MAPS), allowing several claims to move forward while dismissing others without prejudice.
U.S. District Judge Roseann A. Ketchmark ruled that claims for breach of implied contract, unjust enrichment and requests for declaratory and injunctive relief were sufficiently pleaded to survive dismissal at this stage of litigation, according to an order filed April 13 in U.S. District Court for the Western District of Missouri.
However, the court dismissed claims including negligence, negligence per se, invasion of privacy, breach of fiduciary duty, and violation of the Missouri Merchandising Practices Act, finding that plaintiffs failed to state a claim upon which relief could be granted.
The lawsuit was filed by multiple plaintiffs from Missouri and Kansas who were patients of MAPS, a Kansas-based provider of obstetrics and gynecological services.
According to the complaint, patients were required to provide sensitive personal and medical information, such as Social Security numbers, financial account details, and health records, to receive care.
The plaintiffs allege that on or about Nov. 14, 2024, MAPS experienced a data breach that compromised its IT systems.
An investigation concluded in early May 2025, and affected individuals were notified in July 2025 through mailed letters and a notice posted on the company’s website.
The plaintiffs claim the breach exposed them to ongoing risks, including identity theft and fraud, as well as causing actual damages such as financial losses, loss of privacy and time spent mitigating the effects of the breach.
They argue that MAPS failed to implement adequate cybersecurity measures despite known risks, particularly in the healthcare industry.
In dismissing the negligence-based claims, the court found that Missouri law does not currently recognize a general duty for entities to safeguard personal data against criminal cyberattacks by third parties.
The judge relied on existing precedent and concluded that the plaintiffs’ allegations of a generalized risk of cybercrime were insufficient to establish that MAPS had a legal duty under state law to prevent the breach.
The court also rejected the negligence per se claim, noting that neither the Health Insurance Portability and Accountability Act (HIPAA) nor the Federal Trade Commission Act provides a private right of action that would support such a claim under Missouri law.
Similarly, the breach of fiduciary duty claim was dismissed because plaintiffs did not plausibly allege that MAPS itself disclosed their private information to unauthorized parties.
The court distinguished between active disclosure by a provider and unauthorized access by third-party cybercriminals, finding the latter insufficient under existing Missouri law.
However, the court allowed the breach of implied contract claim to proceed, concluding that the plaintiffs plausibly alleged a mutual understanding that MAPS would safeguard their personal information as part of the provider-patient relationship.
The court noted that whether such a contract exists is a factual question not suitable for resolution at the motion to dismiss stage.
The unjust enrichment claim also survived dismissal. The plaintiffs argued that a portion of the payments they made for medical services was intended to fund adequate data security, and that MAPS unjustly retained those funds while allegedly failing to implement sufficient protections. The court found this theory sufficiently plausible to proceed.
The invasion of privacy claim was dismissed without prejudice after the plaintiffs indicated they did not oppose its dismissal.
The claim under the Missouri Merchandising Practices Act was also dismissed, with the court finding that data security measures were incidental to the medical services provided and not a product or service sold to consumers.
Because some claims remain active, the court also allowed the plaintiffs’ request for declaratory and injunctive relief to move forward.
U.S. District Court for the Western District of Missouri case number: 4:25-cv-00685
