On June 2, 2015, the Second District Illinois Appellate Court affirmed the decisions of two lower courts, which had dismissed breach of privacy cases for lack of standing. The cases were consolidated for the purposes of the appeal. Both cases were brought against Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (Advocate), an Illinois network of affiliated physicians and hospitals.
The cases arose out of the theft of four password protected computers containing information relating to approximately four million Advocate patients. In both cases, the plaintiffs, who were former or current Advocate patients, alleged that their personal information was stolen as a result of Advocate’s negligence in failing to follow best practices concerning the security of personal information. The plaintiffs further alleged that the computers were not secure or encrypted and that Advocate failed to provide timely breach notification. Notably, the plaintiffs did not allege that anyone had improperly accessed or used the information or that they had been the victim of identity theft or fraud.
On appeal, the plaintiffs argued that the trial courts improperly dismissed their complaints for lack of standing. The Appellate Court held that the plaintiffs’ allegations of injury were speculative, and as such, they lack standing. “Their claims that they face merely an increased risk of, for example, identity theft are purely speculative and conclusory, as no such identity theft has occurred to any of the plaintiffs.” The Court noted that the plaintiffs failed to show “a distinct and palpable injury.”
The Court reasoned that there had been no public disclosure or identity fraud with respect to the data since the burglary. The Court further rejected the argument of two of the plaintiffs who had in fact received notification of fraudulent activity such as attempted access to bank accounts. The Court stated that receiving notification of fraudulent activity does not show imminent, impending or substantial risk of harm. The Court further rejected the plaintiffs’ argument that the nature of the data – medical information- warrants an implicit finding of harm.
This case should bring some relief to Illinois providers and plans, as plaintiffs must allege damages with some certainty or accuracy in order to succeed in a civil action arising out of the breach of medical information. In Illinois, if the plaintiff cannot demonstrate that the information was used in an unauthorized manner or that harm is imminent or impending, a court will likely find that the plaintiffs do not have standing for their case to be heard.
The Maglio v. Advocate Health opinion can be viewed here.