An Illinois state court recently dismissed several claims against Advocate Medical Group (“Advocate”) for failure to satisfy the injury-in-fact requirement for standing. Plaintiffs were patients of Advocate, a network of doctors and hospitals, who filed suit after four computers containing their personal and confidential information were stolen from Advocate’s administrative office. The computers contained patients’ names, addresses, dates of birth, social security numbers, treating physicians and/or departments, medical diagnoses, medical record numbers, medical service codes, and health insurance information—all of which was unencrypted. Plaintiffs asserted claims for violation of the Illinois Personal Information Protection Act, negligence, and consumer fraud, among others. Plaintiffs’ alleged injuries included increased risk of identity theft and/or fraud, out-of-pocket expenses incurred and time lost to mitigate those increased risks, loss of privacy, and anxiety and emotional distress. The court dismissed all claims for failure to allege injury in fact sufficient to establish standing. The court held that increased risk of identity theft was insufficient to establish injury in fact where it was dependent on a number of variables, including whether the data was taken after removal, subsequently sold or transferred, or whether anyone was successful in attempting to use the data. Time and expense exhausted in mitigating such risk and emotional distress were also insufficient because they derived out of “fears of hypothetical future harm.”

Tip: This case suggests that class actions arising after a breach will not always be able to continue, especially when no harm has been established. However, it is also a reminder for companies to look at their underlying protection measures to ensure they are appropriate to the type of information the company maintains.