On January 24, 2025, the Illinois Supreme Court ruled in Petta v. Christie Business Holding Co., P.C., 2025 IL 130337, that a patient who alleged an increased risk of harm arising from a data breach at a medical clinic did not suffer an injury in fact sufficient to confer standing.
The plaintiff, Rebecca Petta, brought a class-action suit against her medical provider, Christie Clinic, after she received a “Notice of Data Incident” alerting her to suspicious activity in one of the clinic’s email accounts. The notice disclosed that an investigation performed by a data forensics firm confirmed unauthorized access by an unknown third party intended to “intercept a business transaction between Christie Clinic and a third party vendor.”
The notice also reported that Christie Clinic reviewed the email account to identify the information that could have been accessed and concluded that the account may have contained information related to Petta. While that may have included her Social Security number and medical insurance information, Christie Clinic reported that it “had no evidence of identity theft or misuse” of Petta’s personal data.
Petta’s complaint alleged that, after the data breach, she learned that her phone number, city, and state were used in connection with a third-party’s loan application. The complaint did not allege similar experiences by the rest of the putative class.
On behalf of the putative class, Petta alleged that Christie Clinic had a duty to provide “reasonable security” to the private personal data of its patients, and that its failure to do so exposed Petta’s sensitive information to an unauthorized third party. Petta sought damages for out-of-pocket expenses to mitigate the increased risk of identity theft and the cost of financial monitoring.
In a unanimous opinion, the Illinois Supreme Court held that Petta lacked standing to sue because the “data incident” at issue caused her only a heightened risk of harm, an allegation too speculative to support a claim for damages. The Court emphasized that the letter from Christie Clinic, which formed the basis for Petta’s complaint, merely claimed that the personal data may have been exposed to a third party, not that it was actually acquired by the third party.
In an attempt to overcome this flaw, Petta pointed to the unauthorized loan application, but the Court rejected that position. First, the Court determined that an unauthorized loan application did not use the personally identifiable data that was at risk via the Christie Clinic breach. Second, the Court emphasized that loan application wasn’t “fairly traceable” to any of Christie Clinic’s alleged misconduct—the data used in the loan application could have been found in a public phone directory. The Illinois high court found that Petta’s allegations were too speculative to support a claim for relief.
In a world where consumers regularly are receiving similar data breach notices, the Petta decision will be frequently cited as support for dismissal of data-breach class actions. Plaintiffs will need to include in their complaints more concrete allegations of harm to overcome a motion to dismiss and state a valid claim for relief.