[co-author: Jason Betke- Law Clerk]

An Illinois circuit court judge has dismissed five of six claims in a consolidated class action against Advocate Health and Hospital Corporation arising from a data breach in July 2013. The judge’s dismissal with prejudice leaves only a negligence claim, based on a duty to reasonably safeguard information, pending against Advocate. The complaint included allegations that the hospital’s written policies, which referenced compliance with data privacy laws, formed part of Advocate’s promise to plaintiffs. The plaintiffs argued that Advocate’s failure to follow its own policies and procedures, and adequately protect patient information, was a breach of contract. However, the circuit court’s order dismissed the claims based on breach of express contract, implied contract, fiduciary duty and unjust enrichment.

The dismissal order in the consolidated case represented a new episode in a series of suits filed against Advocate stemming from its announcement that four unencrypted laptop computers were stolen from an administrative office in July 2013. In August 2015, in a federal court case arising from the Advocate data breach, the Seventh Circuit Court of Appeals affirmed a lower court’s decision that Advocate was not a “consumer reporting agency” under the Fair Credit Reporting Act (“FCRA”). Tierney v. Advocate Health and Hospitals Corporation. In part, the federal law defines a consumer reporting agency as a person collecting and furnishing consumer information to third parties in exchange for payment. In affirming dismissal of the FCRA claims, the court determined Advocate was not paid by Medicare and insurance companies for collecting and transmitting patient information, rather, payments received by Advocate were for healthcare services provided by its physicians.

Two other state court cases that raised claims of negligence and violations of state data breach laws against Advocate were dismissed earlier this year for lack of standing. On appeal, the Second District Illinois Appellate Court consolidated both cases and affirmed the dismissal orders. Maglio v. Advocate Health and Hospitals Corporation. The Appellate Court held that plaintiffs’ allegations of injury based only on an increased risk for identity theft were speculative and conclusory.

As the Advocate cases demonstrate, data breaches will continue to generate claims under both federal and state laws. The federal privacy law, HIPAA, has provided a compliance cornerstone for healthcare providers to safeguard patient information. While HIPAA litigation is alive and well, a developing caveat is that state laws – through data breach and negligence claims – are becoming litigation pressure points for healthcare providers. Additionally, the enactment of new and amended state laws aimed at further protecting the consumer and medical information may provide fertile grounds for data breach claims under state law.