Patients sued medical group after the group suffered a data breach that allowed hackers access to personal indentifying information concerning patients, including SSNs and medical histories. This decision holds that the patients have UCL standing to sue. Under their “benefit of the bargain” theory, the patients suffered a loss of money by purchasing the medical group’s services which (a) weren’t worth as much as represented because the medical group promised data security that it didn’t provide, and (b) patients would not have purchased if they knew their personal information was not protected. Plaintiffs also adequately alleged damages on their breach of contract claim under the same benefit of the bargain theory. Medical services without data security are worth less than the promised medical services with data security. One patient also had UCL standing and alleged breach of contract damages based on the money she spent on credit and identity monitoring services after being informed of the data breach. However, the economic loss rule bars patients’ negligence claim as they were in contractual privity with the medical group and their claim arises from its alleged breach of that contract. The opinion also holds that patients cannot establish standing or prove damages based on a loss in value of their leaked personal information. Patients didn’t allege that they were in the market to sell their own personal information, and so suffered no harm if the data breach lessened the sale value of that information.