Illinois Supreme Court holds there is no standing to sue for a data breach where victim did not suffer a concrete injury

In Petta v. Christie Bus. Holdings Co., P.C., 2025 IL 130337 (Jan. 24, 2025), the Illinois Supreme Court affirmed an appellate court decision that a plaintiff who does not suffer a concrete injury lacks standing to pursue a claim against a business for failing to provide reasonable security to protect the plaintiff’s private personal data. While the suit involved a plaintiff’s exposure to an increased risk of identity theft, the decision will likely be cited by defendants seeking the dismissal of other types of lawsuits where the defendant violated a consumer protection law but the plaintiff suffered no harm.

The plaintiff in this class action suit was a patient of the defendant, a physician-owned group that provided medical services to patients throughout the state. As a patient, the plaintiff provided the defendant with her personal data, including her name, address, date of birth, social security number, medical history, and medical insurance information.

In 2021, the defendant experienced a data incident involving its business email account where a third person gained unauthorized access to the account to intercept a business transaction between the defendant and one of its vendors. The defendant’s investigation revealed that the impacted account may have contained plaintiff’s social security number and medical insurance information but found no evidence of identity theft or misuse of plaintiff’s personal information.

The plaintiff filed a class-action complaint pleading claims for common-law negligence and violations of the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Illinois Personal Information Protection Act. She alleged that the defendant had a duty to provide reasonable security to protect her data and that it breached that duty by failing to adopt, implement, and maintain reasonable security measures. As a result, she alleged she suffered a data breach that “exposed a variety of Sensitive Information” to an unauthorized third party. She sought monetary damages including “out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or fraud,” as well as the cost of “credit, debit, and financial monitoring to prevent and/or mitigate identity theft, and/or fraud incurred or likely to occur as a result of [defendant’s] security failures.” The plaintiff also alleged that after the data incident occurred her phone number and some of her other personal information were used in connection with a fraudulent loan application in Ohio, but she did not allege that either her name or her social security number was used in the loan application.

The trial court found that the use of her phone number and city in an unauthorized loan application created a “sufficient inference” that she had suffered an “injury-in-fact,” and that she therefore had standing to bring her claims. However, it found that neither the common law, the FTC Act, HIPAA, nor the Personal Information Protection Act permitted the type of action alleged in the complaint. It also concluded that the economic loss doctrine barred the claims, and accordingly the court dismissed the suit.

On appeal, the appellate court affirmed the dismissal but on the grounds that the plaintiff lacked standing. The appellate court held that the allegations that plaintiff’s private personal data had been “exposed” to an unknown third party and, therefore, she was at an “‘increased risk of identity theft’” were “simply too speculative” to confer standing. With respect to the allegation regarding the unauthorized loan application, the plaintiff had not alleged that her private personal data, such as her social security number, was used in the application. Rather, only her public personal data, i.e., her phone number and city, had been used. Because there was no apparent connection between the purported fraudulent loan attempt and the data breach, the allegation regarding the loan application was purely speculative.

The Supreme Court affirmed. Under Illinois law, to have standing the plaintiff’s injury must be concrete; a plaintiff who alleges only a purely speculative future injury, or who faces no immediate danger of sustaining a direct injury, lacks a sufficient interest to have standing. The plaintiff only alleged that her private personal data, including her social security number and health insurance information, may have been exposed to a third party. She did not allege that this information was actually acquired by a third party. In fact, the defendant’s investigation revealed that the unauthorized third party was attempting to intercept a financial transaction, not steal patients’ private personal information.

The allegation regarding the unauthorized loan application was not a sufficiently concrete injury either. The plaintiff did not allege that any of her private, personally identifiable information, such as her social security number, was used in the loan application. Instead, it was only her publicly available phone number and city that were used. The unsuccessful loan application, therefore, was not fairly traceable to any of the defendant’s alleged misconduct given that the information could be found in a publicly available phone directory.

In sum, the primary factual allegation is that the plaintiff faced only an increased risk that her private personal data was accessed by an unauthorized third party. In a complaint seeking monetary damages, such an allegation of an increased risk of harm is insufficient to confer standing. The plaintiff therefore had not alleged an injury in fact and lacked standing.

Author

  • James Noonan

    Jim is a founding partner of Noonan & Lieberman. Jim has more than 25 years of experience in civil litigation on behalf of creditors, servicers, business and real estate owners.
