2 June 2025

Recent Illinois Supreme Court Decision On Cybersecurity Breaches – Risk Of Future Harm Is Not Enough For Standing

Hall Prangle (Contributor)

Hall Prangle consults with our clients at each step of the legal process, tailoring our strategic approach based on their priorities and needs. Hall Prangle also goes where our clients need us most, establishing new offices in clients’ key markets and obtaining pro hac vice jurisdiction to try cases across the country.

Hall Prangle takes special pride in its warm, collegial culture and relationship-focused approach. We strive to be a firm where clients want to do business, where talented professionals want to work, and that serves and supports its communities. Our commitment to diversity, equity, and inclusion ensures that all voices are heard, respected, and valued, reinforcing our culture of belonging and fairness.

The Supreme Court of Illinois recently held that a plaintiff, who brought a class action lawsuit against a physician-owned, multispecialty clinic, did not have legal standing to allege that the clinic failed to prevent its patients' personal data from being exposed to an unknown third party in a data breach.

The Court said the complaint's main allegation – that the plaintiff and other members of the class action may have had their private personal data accessed – was insufficient to show standing because it amounted only to a speculative risk of future harm. Hall Prangle filed a successful amicus curiae ("friend of the court") brief in support of the healthcare defendant.

The Class Action

The case arose from a class-action lawsuit against a physician group that serves thousands of patients across Illinois. Plaintiff alleged that the clinic was negligent in failing to prevent an unknown third party from gaining unauthorized access to one of its business email accounts. According to the clinic's internal investigation, conducted by a well-respected data forensics firm, the email account was accessed for over a month in 2021. Plaintiff received a "Notice of Data Incident" letter from the clinic. The letter acknowledged that the clinic's compromised email account "MAY have contained" sensitive information, including Plaintiff's Social Security number and insurance information. The letter also said that the unauthorized actor did not have access to the clinic's EMR (electronic medical record) and that the clinic knew of no evidence of identity theft or misuse of Plaintiff's personal information.

Plaintiff sued on behalf of herself and "all persons whose Sensitive Information was exposed" by the data breach. The lawsuit alleged that the clinic was negligent and violated HIPAA and other laws. Plaintiff sought money damages for out-of-pocket expenses spent to mitigate increased risk of identity theft and/or fraud; and the cost of credit, debit, and financial monitoring to prevent identity theft and/or fraud "incurred or likely to occur as a result of [the clinic's] security failures." The lower courts found that Plaintiff did not have standing to bring the lawsuit, and the Supreme Court allowed Plaintiff's petition to appeal.

The Court's Decision

The Supreme Court held that standing in Illinois requires an "injury in fact" that is (1) distinct and palpable, (2) fairly traceable to the defendant's conduct, and (3) substantially likely to be prevented or redressed by a favorable ruling. The Court said that the allegation that a third party may have accessed Plaintiff's data failed this test and did not allege the "injury in fact" required for standing; the allegation instead amounts only to an increased risk of harm. The Court cited cases from several Illinois appellate districts, the federal Seventh Circuit, and the US Supreme Court to show that an increased risk of harm does not rise to the level of "injury in fact" needed for standing. Plaintiff argued that she did sustain an injury in fact because a fraudulent loan application had been made in someone else's name using her phone number and city. First, the Court said that Plaintiff's phone number and city are not private personal data but publicly available information, so their use does not amount to identity theft. Second, the Court said that Plaintiff did not connect this loan application to the clinic data breach, and therefore failed to satisfy the "fairly traceable" second prong of the injury-in-fact test. The Court therefore affirmed the dismissal of Plaintiff's complaint.

Takeaway for Healthcare Defendants

The key takeaway for healthcare providers and their defense counsel is that allegations of possible data exposure, leading only to increased risk of identity theft or fraud, are insufficient to show standing without a showing of actual misuse of private data. Plaintiffs must allege a concrete injury that is fairly traceable to the breach. This case, therefore, provides useful authority to support an early dispositive motion in the context of speculative harm claims and allegations of privacy violations against providers, particularly concerning HIPAA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
