Illinois Appellate Court Holds No Standing to Sue for Medical Information Data Breach Where Injury is Speculative

Akerman LLP - Health Law Rx

On June 2, 2015, the Second District Illinois Appellate Court affirmed the decisions of two lower courts, which had dismissed breach of privacy cases for lack of standing. The cases were consolidated for the purposes of the appeal. Both cases were brought against Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (Advocate), an Illinois network of affiliated physicians and hospitals. 

The cases arose out of the theft of four password-protected computers containing information relating to approximately four million Advocate patients. In both cases, the plaintiffs, who were former or current Advocate patients, alleged that their personal information was stolen as a result of Advocate’s negligence in failing to follow best practices concerning the security of personal information. The plaintiffs further alleged that the computers were not secure or encrypted and that Advocate failed to provide timely breach notification. Notably, the plaintiffs did not allege that anyone had improperly accessed or used the information or that they had been the victim of identity theft or fraud.

On appeal, the plaintiffs argued that the trial courts improperly dismissed their complaints for lack of standing. The Appellate Court held that the plaintiffs’ allegations of injury were speculative and that, as such, they lacked standing. “Their claims that they face merely an increased risk of, for example, identity theft are purely speculative and conclusory, as no such identity theft has occurred to any of the plaintiffs.” The Court noted that the plaintiffs failed to show “a distinct and palpable injury.”

The Court reasoned that there had been no public disclosure or identity fraud with respect to the data since the burglary. The Court further rejected the argument of two of the plaintiffs who had in fact received notification of fraudulent activity such as attempted access to bank accounts. The Court stated that receiving notification of fraudulent activity does not show imminent, impending or substantial risk of harm. The Court further rejected the plaintiffs’ argument that the nature of the data (medical information) warrants an implicit finding of harm.

This case should bring some relief to Illinois providers and plans, as plaintiffs must allege damages with some certainty or accuracy in order to succeed in a civil action arising out of the breach of medical information. In Illinois, if the plaintiff cannot demonstrate that the information was used in an unauthorized manner or that harm is imminent or impending, a court will likely find that the plaintiff does not have standing for the case to be heard.

The Maglio v. Advocate Health opinion can be viewed here

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising
