Illinois Supreme Court Rules a Data Breach Alone Not Grounds for Lawsuit

Illinois doctors earned a win with the high court over bogus data breach lawsuit 

Despite the lack of any verified harm imposed, a class-action complaint was filed in the Circuit Court of Champaign County against Christie Clinic by a patient alleging that Christie failed to prevent its patients’ private personal data from being exposed. In 2021, a cybercriminal had gained unauthorized access to one of Christie's business email accounts by way of a phishing attack.

Petta v. Christie Business Holding Company, Illinois Supreme Court No. 130337, Fifth District Appellate No. 5-22-0742, and Circuit Court of Champaign County No. 22-LA-51

The case was centered on the Illinois Personal Information Protection Act (PIPA) and the ability of the plaintiff to bring a cause of action based on alleged violations of PIPA.

First, Christie moved to dismiss the complaint and argued that the plaintiff lacked standing to bring the suit because the plaintiff did not suffer an actual injury, the claims were insufficient as a matter of the law and the plaintiff did not prove there were actual damages.

The Circuit Court of Champaign County granted the motion. Simply receiving a notification letter concerning a data security breach was deemed not sufficient. On appeal, the appellate court accepted the trial court’s decision, and the case then moved up to the Illinois Supreme Court.

The ISMS joined with the Illinois Health and Hospital Association in submitting a joint amicus brief to the Illinois Supreme Court in support of Christie Clinic. In a victory for Christie Clinic, the Illinois Supreme Court sided with the decisions of the trial court and the appellate court and unanimously dismissed the case, ruling that the plaintiff did not have standing to sue. 

This case has implications for physicians, practices and hospitals throughout Illinois as they qualify as “data collectors” under PIPA. Had the courts not ruled to dismiss, increases in litigation following a data breach in which a plaintiff had no actual damages would likely skyrocket in Illinois.