By Gerald L. Maatman, Jr., Justin Donoho, and George J. Schaller
Duane Morris Takeaways: On January 24, 2025, in Petta v. Christie Bus. Holdings Co., P.C., 2025 IL 130337, the Illinois Supreme Court ruled that a plaintiff lacked standing under Illinois law to bring her class action complaint alleging that her social security number and insurance information may have been accessed in connection with a data incident where a medical provider discovered unauthorized access to one of its business email accounts. The ruling is significant because it shows that data breach claims cannot be brought in Illinois court without specifying actual injury that is fairly traceable to the breach.
Case Background
This case is one of the thousands of data breach class actions filed in the last three years. In Petta, Plaintiff brought suit against a medical provider. According to Plaintiff, she received a letter from the provider titled “Notice of Data Incident” explaining that an unknown third party gained unauthorized access to one of its business email accounts for about a month, in an attempt to intercept a business transaction between the provider and a third-party vendor. Id. ¶¶ 1, 6. The letter also stated that “the impacted account MAY have contained certain information related” to Plaintiff’s social security number and medical insurance information but “[t]he unauthorized actor did not have access to [the provider’s] electronic medical record” and there was no “evidence of identity theft or misuse of [Plaintiff’s] personal information.” Id. ¶ 6 (emphasis in letter). The letter concluded by offering Plaintiff 12 months of credit monitoring and identity protection services at no cost if she wished to enroll. Id., ¶ 7.
Plaintiff also alleged her “phone number, city, and state [were] used in connection with a loan application … in someone else’s name” and she received multiple calls regarding “loan applications she did not initiate.” Id., ¶ 9.
Based on these allegations, Plaintiff alleged claims for negligence and violation of Illinois’ Personal Information Protection Act.
The trial court dismissed the complaint for lack of a viable legal theory and as barred by the economic loss doctrine. The Illinois Appellate Court affirmed, but on the basis that Plaintiff lacked standing to bring the action on behalf of herself and the putative class.
Plaintiff thereafter appealed to the Illinois Supreme Court.
The Illinois Supreme Court’s Opinion
The Illinois Supreme Court ruled that Plaintiff lacked standing and affirmed the dismissal of her complaint on that basis. Id., ¶ 25.
In Illinois, standing requires an injury in fact. As a result, the Illinois Supreme Court reasoned that a plaintiff alleging only “a ‘purely speculative’ future injury” and “no ‘immediate danger of sustaining a direct injury’ lacks sufficient interest to have standing.” Id. ¶ 18 (quoting Chi. Teachers Union, Local 1 v. Bd. of Ed. of Chi., 189 Ill. 2d 200, 206-07 (2000)).
The Illinois Supreme Court affirmed Plaintiff’s lack of standing, reasoning that she, and the putative class, faced “only an increased risk that their private personal data was accessed by an unauthorized third party” and that “an increased risk of harm is insufficient to confer standing” in a complaint seeking money damages. Id., ¶ 21. The Illinois Supreme Court opined that nothing “in the letter suggest[ed] that it is likely the third party did, in fact, take the [private personal] data” and the provider’s investigation revealed that the unauthorized third party was “attempting to intercept a financial transaction, not steal patients’ private personal information.” Id., ¶ 20.
The Illinois Supreme Court also noted that Plaintiff’s unauthorized loan application related solely to Plaintiff and her complaint did not present any allegations that putative class members had a similar experience regarding a loan application. Id., ¶ 23. However, the Illinois Supreme Court declined to answer the question of whether standing must be shown at the outset for the entire putative class and instead focused “solely on [Plaintiff] individually,” finding that “Plaintiff’s allegation regarding the loan application is insufficient to confer standing.” Id.
In short, the Illinois Supreme Court concluded that the unsuccessful loan application allegations were not “fairly traceable” to any of the provider’s alleged misconduct and instead were “purely speculative” given there was “no apparent connection between the purported fraudulent loan attempt and the data breach at issue” as the phone number and city information used in the loan application was “readily available” to the public. Id., ¶ 25 (citing 2023 IL App (5th) 220742, ¶ 23). Therefore, Plaintiff lacked standing to bring her claims.
Implications For Companies
The Illinois Supreme Court’s decision in Petta is a win for companies that suffered a data breach only possibly affecting customers, informed the customers of the breach, and offered to pay for their credit monitoring. Petta shows that to confer standing under Illinois law, more is required. Specifically, data breach plaintiffs need to identify actual injury fairly traceable to the breach.