By: Duke Truong
J.D. Candidate, 2017
Valparaiso University School of Law
Imagine being one of four million members under the care of Advocate Health and Hospitals Corporation (Advocate) and waking up to news that thieves have stolen your confidential information. This is exactly what happened the morning after July 15, 2013, when burglars stole four password-protected computers from Advocate. The computers contained patient’s confidential information: social security numbers, Medicare and Medicaid data, medical record numbers, health insurance data, and medical diagnoses along with names, addresses, and date of birth. Advocate, whom patients entrusted with the duty of protecting their data, did not notify them of the breach until August 23, 2013. Despite these facts, no proof of improper access or improper use of the confidential information actually occurred.
Matias Maglio and other affected patients brought a class action suit against Advocate in the circuit court of Lake County and Kane County. Both lawsuits alleged claims of negligence, invasion of privacy, and violations of the Consumer and Deceptive Business Protection Act and the Illinois Personal Information Act. Yet, plaintiffs failed to allege any unauthorized uses of their private information. Despite the fact plaintiffs did not suffer any actual injury, they moved forward with their lawsuits anyhow.
Advocate moved to dismiss the complaints under the Rules of Civil Procedure for failure to state a claim and for lack of standing. The plaintiffs did not suffer an injury-in-fact and only speculated that their stolen confidential information may lead to increased risk of identity fraud. The doctrine of standing requires a plaintiff to raise issues of a real injury to which the law can recognize so to provide a remedy. The complaints only alleged future, uncertain risk of identity fraud. The district courts of Lake County and Kane County dismissed the complaints in May and July of 2014, respectively.
However, the plaintiffs appealed to the Appellate Court of Illinois on grounds that the lower courts erred in its decisions. The appellate panel consolidated the cases from the two counties and affirmed the district court’s decisions in Maglio v. Advocate Health and Hospitals Corporation on August 6, 2015.
The appellate panel reiterated that plaintiff’s failure to establish any specific injury makes the lawsuits insufficient. To date, only two of the 4 million members suffered actual identity theft and they are not parties in the lawsuits. The court held that this fact alone does not prove that plaintiffs face certain imminent risk of substantial harm. Speculating about a future injury or harm is not grounds for a claim in the court of law. To move forward, plaintiffs must show that their medical records were in fact disclosed to third parties.
Although the breach did not result in unauthorized use of information, speculation is not a cause for action. To help lessen the burden on the courts, plaintiffs have to make sure their claims contain actual injuries otherwise it is a waste of resources for parties involved. It may seem minor to determine actual injury, but the practicality is priceless. As society increasingly depend on technology to store confidential information, employers (especially healthcare providers) should make data security one of the top priorities. Employers should consider safeguards such as encryption and periodic audits to lessen the likelihood of a data breach. Proper training about HIPAA, security regulations and data privacy laws will further guard against a breach.