Quantcast

COOK COUNTY RECORD

Sunday, November 24, 2024

Increased risk, but not actual ID theft, not enough to sustain data breach suits vs Advocate, appeals panel says

Advocatelogo

The theft of laptop computers from one of Illinois’ largest health care providers may have increased the possibility millions of people whose information was stored on those computers could suffer identity theft.

But the mere possibility this may occur is not enough to allow a group of plaintiffs to continue with a lawsuit against Advocate Medical Group over the computer thefts, a state appellate panel has ruled.

Advocate Medical Group includes more than 1,200 physicians affiliated with Advocate Health Care, the largest health system in Illinois. The group’s members practice throughout the Chicago region and other parts of north central Illinois.

A three-justice panel of the Illinois Second District Appellate Court in Elgin upheld on Aug. 6 the decisions of two Illinois trial judges to dismiss lawsuits brought against Advocate, which alleged the theft of the computers from the health system put patients at risk for identity theft.

Judge James R. Murphy had dismissed Case No. 13-L-358 with prejudice in Kane County Circuit Court in July 2014, and Judge Mitchell L. Hoffman had dismissed Case No. 13-CH-2701 with prejudice in Lake County Circuit Court two months earlier, in May 2014. Both cases were brought by multiple plaintiffs affected by a July 2013 theft of four computers from Advocate Medical Group. The cases alleged negligence, violations of the Personal Information Protection Act, the Consumer Fraud and Deceptive Business Practices Act and invasion of privacy. The Lake County case also included an assertion of intentional infliction of emotional distress.

In July 2013, burglars stole four password-protected computers from Advocate’s administrative building in Park Ridge. According to court documents, the computers contained data on about 4 million patients. About a month later, Advocate notified the affected patients of the incident, set up a call center to answer patient questions and offered those affected one year of free credit monitoring. The class-action suits were filed in September 2013 in Lake County and a month later in Kane County.

In the most recent appellate court decision, authored by Justice Ann B. Jorgensen, with justices Mary Seminara-Schostok and Joseph E. Birkett concurring, the court noted the stolen computers have not yet been located. However, of the 4 million patients potentially affected by the data breach, only two – neither of whom were plaintiffs in either the Kane or Lake county lawsuits – have demonstrated they suffered actual identity theft. The court also noted several times neither group of plaintiffs alleged they had suffered identity theft or fraud as a result of the computer theft, only that the theft put them at increased risk of becoming victims of fraud.

Under both state and federal law, plaintiffs must have some injury-in-fact to have legal standing, the justices noted. The injury could be either actual or threatened, but it must be distinct and traceable to the actions of the defendant. The court found both sets of plaintiffs lacking in establishing this standing.

“[P]laintiffs’ allegations of injury are clearly speculative, and therefore plaintiffs lack standing to bring suit,” Jorgensen wrote in the court’s decision. “Their claims that they face an increased risk of, for example, identity theft are purely speculative and conclusory, as no such identity theft has occurred to any of the plaintiffs.”

Aside from the increased risk of identity theft, the plaintiffs also claimed they had suffered injury simply by the medical establishment’s failure to keep private information private. The court also rejected that argument, as in the two years since the theft, there has been no known publication of the plaintiffs’ information.

In their appeal, the plaintiffs claimed they did have standing to file invasion of privacy claims, contending the privacy of their health care was compromised by the release of the information, regardless of whether it was accessed.

“Again, given the speculative and conclusory nature of their allegations and the lack of imminent, certainly impending or substantial risk of harm, this argument fails,” the justices wrote.

More News