In Re: Lurie Children's Hospital Data Security Litigation
This text of In Re: Lurie Children's Hospital Data Security Litigation is published on Counsel Stack Legal Research, covering District Court, N.D. Illinois primary law.
Opinion
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION

IN RE: LURIE CHILDREN’S HOSPITAL DATA SECURITY LITIGATION

No. 24-cv-05503
Judge Andrea R. Wood

MEMORANDUM OPINION AND ORDER

Plaintiffs are patients and the parents or guardians of minor patients who received medical treatment at Defendant Ann & Robert H. Lurie Children’s Hospital of Chicago (“Lurie”), a prominent children’s hospital and pediatric research center. Lurie collects and maintains certain of its patients’ personally identifiable information (“PII”) and personal health information (“PHI”), including their confidential medical and treatment information, payment information, and Social Security Numbers (“SSNs”). Lurie was the target of a cyberattack in late January 2024 (“Data Breach”), which resulted in a criminal ransomware group obtaining the PII and PHI of nearly 800,000 patients. Plaintiffs are among the individuals whose PII and PHI were compromised in the Data Breach, and they claim that the exposure of their private personal and medical information was due to Lurie’s failure to implement and maintain reasonable data security practices and protections. For that reason, Plaintiffs have brought the present action on behalf of themselves and putative classes of similarly situated individuals whose PII and PHI were exposed in the Data Breach. In the Consolidated Amended Class Action Complaint (“CAC”), Plaintiffs assert several Illinois state law claims, such as common law claims for negligence, breach of contract, and invasion of privacy, along with claims for violations of Illinois’s privacy and consumer protection laws. Now, Lurie moves to dismiss the CAC pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). (Dkt. No. 45.) For the reasons that follow, Lurie’s motion is granted in part and denied in part.

BACKGROUND

As alleged in the CAC, Defendant Lurie is a Chicago-based pediatric hospital that operates 54 locations throughout the Chicago metropolitan area. (CAC ¶¶ 28, 33, Dkt. No. 37.)[1] Lurie is nationally recognized as one of the top providers of pediatric care across a variety of specialties. (Id. ¶¶ 3, 32.) Given its reputation for providing high-quality and innovative care, patients come from across the United States to receive services at Lurie. (Id. ¶¶ 28, 32–33.) To receive treatment at Lurie, patients—usually through their parents or guardians—must provide Lurie with their sensitive and private PII and PHI. (Id. ¶ 34.) The information Lurie collects and maintains from its patients may include their names, dates of birth, SSNs, addresses, medical histories, medical records, insurance information, billing information, and credit or debit card information. (Id. ¶¶ 34, 39.) Given its receipt and storage of PII and PHI, Lurie’s privacy policy acknowledges that “it is required by law to assure that patient information that identifies [a patient] is kept confidential in accordance with the law” and promises “to obtain [a patient’s] written authorization to use or disclose [their] patient information.” (Id. ¶ 36 (internal quotation marks omitted).) Similarly, its website’s privacy policy states that Lurie is “committed to protecting the privacy of children and committed to maintaining reasonable physical, technical, and administrative measures to protect your personal information.” (Id. ¶ 37 (internal quotation marks omitted).) In addition to its internal policies, Lurie is required under federal law—namely, the Health Insurance Portability and Accountability Act (“HIPAA”)—to implement reasonable security measures to guard against unauthorized use or disclosure of patients’ PII and PHI. (Id. ¶¶ 98, 101.)

[1] For the purposes of Lurie’s motion, the Court accepts as true the well-pleaded facts in the CAC and draws all reasonable inferences in Plaintiffs’ favor. Of course, in summarizing the allegations here, the Court does not vouch for the objective truth of those allegations. Goldberg v. United States, 881 F.3d 529, 531 (7th Cir. 2018).

Despite its stated commitment to protecting the private and sensitive information disclosed to it by patients, Lurie purportedly failed to implement reasonable security measures to safeguard such information. (Id. ¶¶ 7, 38.) On January 26, 2024, a criminal ransomware group known as Rhysida gained access to Lurie’s computer systems and network, compromising the PII and PHI of about 791,784 people. (Id. ¶¶ 1, 45.) It was not until about five days later that Lurie first detected unauthorized activity in its systems. (Id. ¶¶ 8, 43.) Upon realizing it had fallen victim to a cyberattack, Lurie took certain of its electronic systems offline and initiated an investigation of the Data Breach. (Id.) By February 8, 2024, Lurie publicly confirmed that its network had been attacked by criminal actors. (Id. ¶ 44.) And in March 2024, Rhysida took credit for the Data Breach, claiming that it had stolen data from Lurie’s systems and sold it for around $3.4 million on the dark web. (Id. ¶ 45.) On May 21, 2024, Lurie announced that it had resolved the active cybersecurity issue. (Id. ¶ 47.) Yet it waited until June 27, 2024—nearly five months after the cyberattack—to formally notify those affected by the Data Breach that their PII and PHI had been compromised. (Id. ¶¶ 9, 49, 51.) Lurie’s notification letter informed recipients, in relevant part, as follows:

Through Lurie Children’s ongoing investigation, Lurie Children’s has determined that cybercriminals accessed Lurie Children’s systems between January 26 and 31, 2024. . . . . Our investigation included a thorough and methodical review and analysis of impacted data on our systems. Through our ongoing investigation, Lurie Children’s has determined that certain individuals’ personally identifiable and/or protected health information was impacted. You have been identified as an individual whose information was impacted in this cybersecurity attack. We are notifying you to provide information and steps you can take to help protect your information.

(Id. ¶ 51.) The letter provided few details regarding the nature of the Data Breach. (Id. ¶ 52.) Rather than explain what measures Lurie was taking to prevent future cyberattacks, the notice simply assured its recipients that Lurie “take[s] the privacy of [its] patients seriously. [Lurie is] working closely with security experts to continue [its] ongoing efforts to further enhance the security of [its] systems.” (Id. ¶¶ 52–53.) Finally, Lurie offered individuals impacted by the Data Breach 24 months of credit monitoring services. (Id. ¶ 55.)

Each Plaintiff in this action is a current or former patient of Lurie or the parent or guardian of one. (Id. ¶¶ 123, 134, 148, 160, 171, 181, 194, 204, 214, 225, 237.) In connection with their treatment at Lurie, Plaintiffs disclosed their PII and PHI believing that Lurie employed reasonable measures to keep that information secure from unauthorized access or disclosure. (Id. ¶¶ 26, 41–42.) However, the Plaintiff parents received notifications from Lurie in June and July 2024 that their children’s PII and PHI had been exposed in the Data Breach.[2] (Id. ¶ 27.) Upon learning that they were affected by the Data Breach, each Plaintiff undertook various efforts to determine whether their PII and PHI had been misused and to mitigate the impact of any potential exposure. (Id. ¶¶ 130–31, 143–44, 155–56, 167–68, 177–78, 190–91, 200–01, 210–11, 221–22, 232–33, 244–45.) Nonetheless, four Plaintiffs experienced identity theft following the Data Breach, as Plaintiff Andre Avanessian learned that an unauthorized line of credit had been
taken out in his name and Plaintiff Yolanda Berry and her children C.C. and C.C. received notice that two unauthorized bank accounts were opened in their names.[3] (Id. ¶¶ 145, 157.)

[2] While not stated directly in the CAC, the Court assumes from the fact that one Plaintiff, Andre Avanessian, is litigating claims solely on his own behalf, that he reached the age of majority sometime after initially receiving treatment at Lurie. Presumably, Avanessian was a legal adult at the time Lurie began mailing notices, as he apparently received notice of the Data Breach directly rather than through a parent or guardian. (CAC ¶¶ 16, 27.)

[3] The CAC is not clear as to whether the bank accounts were opened in the name of Berry or in the name of one or both of her children.

The CAC consolidates the multiple individual actions brought by Plaintiffs into a single proceeding before this Court. Together, Plaintiffs allege that their PII and PHI were compromised in the Data Breach, which was only possible due to Lurie’s inadequate cybersecurity protections and procedures. For the foreseeable future, each Plaintiff must deal with a substantial risk that their PII and PHI will be misused—a risk that has materialized for some Plaintiffs. Based on these allegations, the eleven-count CAC asserts the following claims against Lurie: negligence (Count I); negligence per se (Count II); breach of fiduciary duty (Count III); breach of contract (Count IV); breach of implied contract (Count V); unjust enrichment (Count VI); invasion of privacy (Count VII); violation of the Illinois Personal Information Protection Act (“PIPA”), 815 ILCS 530/1 et seq. (Count VIII); violation of the Illinois Consumer Fraud and Deceptive Practices Act (“ICFA”), 815 ILCS 505/1 et seq. (Count IX); violation of the Illinois Uniform Deceptive Trade Practices Act (“IUDTPA”), 815 ILCS 510/1 et seq. (Count X); and violation of the Illinois Genetic Information Privacy Act (“GIPA”), 410 ILCS 513/1 et seq. (Count XI) (asserted only by Plaintiff Avanessian and Plaintiffs A.D., N.D., I.D., and N.S.D., through Plaintiff Nicole Demonte (collectively, “GIPA Plaintiffs”)). Plaintiffs pursue their claims on behalf of themselves as well as putative classes of similarly situated individuals whose PII and PHI were compromised in the Data Breach. Specifically, Plaintiffs desire to represent a putative nationwide class as to Counts I–VII, and a putative subclass of Illinois residents as to Counts VIII–X. Finally, as to Count XI, GIPA Plaintiffs seek to represent a GIPA subclass of similarly situated individuals whose genetic testing information was compromised in the Data Breach.

DISCUSSION

Lurie seeks dismissal of the CAC for lack of subject-matter jurisdiction pursuant to Rule 12(b)(1). Alternatively, to the extent this Court finds jurisdiction over the claims in the CAC, Lurie goes on to argue that the claims are inadequately pleaded[4] and therefore must be dismissed
pursuant to Rule 12(b)(6). Because the Court must ensure that it has subject-matter jurisdiction before it can address the merits, the discussion begins there.

I. Rule 12(b)(1)

Under Rule 12(b)(1), a party may make either a factual or a facial challenge to subject-matter jurisdiction. Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015). A facial challenge requires “only that the court look to the complaint and see if the plaintiff has sufficiently alleged a basis of subject matter jurisdiction.” Apex Digit., Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009). By contrast, “a factual challenge lies where the complaint is formally sufficient but the contention is that there is in fact no subject matter jurisdiction.” Id. at 444 (internal quotation marks omitted). Where a defendant mounts a factual challenge, “the court may look beyond the pleadings and view any evidence submitted to determine if subject matter jurisdiction exists.” Silha, 807 F.3d at 173.

A. CAFA

In moving to dismiss the CAC under Rule 12(b)(1), Lurie first argues that the Court should abstain from exercising jurisdiction pursuant to two exceptions to the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d)(2).

[4] Lurie does not raise a Rule 12(b)(6) challenge to Count XI’s GIPA claim.

CAFA gives federal district courts jurisdiction over class actions where the amount in controversy exceeds $5,000,000 and there is minimal diversity among the parties such that “any member of a class of plaintiffs is a citizen of a State different from any defendant.” 28 U.S.C. § 1332(d)(2)(A); see also Mississippi ex rel. Hood v. AU Optronics Corp., 571 U.S. 161, 165 (2014). Lurie does not contest that those requirements are satisfied here. Nonetheless, even where CAFA’s jurisdictional requirements are met, the home-state exception requires a district court to “decline to exercise jurisdiction” where “two-thirds or more of the members of all proposed classes in the aggregate, and the primary defendants are citizens of the State in which the action was originally filed.” 28 U.S.C. § 1332(d)(4)(B); see also In re Sprint Nextel Corp., 593 F.3d 669, 671 (7th Cir. 2010). Further, under 28 U.S.C. § 1332(d)(3), a district court has discretion to decline otherwise proper jurisdiction under CAFA where “greater than one-third but less than two-thirds of the members of all proposed plaintiff classes in aggregate and the primary defendants are citizens of the State in which the action was originally filed,” subject to the multiple specified considerations. The party invoking one of these provisions bears the burden of proving its applicability. Sabrina Roppo v. Travelers Com. Ins. Co., 869 F.3d 568, 584 (7th Cir. 2017).

Here, Lurie is the sole Defendant and it is a citizen of Illinois. Lurie offers evidence in the form of a witness declaration stating that its analysis of the known addresses of the 791,785[5] individuals impacted by the Data Breach shows that approximately 71% of them had an Illinois mailing address. (Def.’s Mem. in Supp. of Mot. to Dismiss, Ex. A, Siegel Decl. ¶¶ 4–5, Dkt. No. 46-1.) Based on the fact that significantly greater than 66% of the overall nationwide class have Illinois mailing addresses, Lurie argues that the Court must abstain from exercising jurisdiction pursuant to the home-state exception.

[5] There is a very slight discrepancy between the CAC’s allegation that 791,784 individuals were impacted by the Data Breach and Lurie’s declaration stating that the number affected was 791,785.

The Seventh Circuit, however, has emphasized that the home-state exception “is framed entirely in terms of the parties’ citizenship.” In re Sprint, 593 F.3d at 673. And while evidence of putative class members’ Illinois mailing addresses may show that those members are Illinois residents, “being a resident isn’t the same thing as being a citizen, that is to say, a domiciliary.” Id. Indeed, for diversity jurisdiction purposes, “[c]itizenship means domicile (the person’s long-term plan for a state of habitation) rather than just current residence.” Myrick v. WellPoint, Inc., 764 F.3d 662, 664 (7th Cir. 2014). Inferring that the overwhelming majority of class members with Illinois mailing addresses also intend to reside in the State long term may be “[s]ensible guesswork, based on a sense of how the world works,” but the Seventh Circuit has held that it is “guesswork nonetheless.” In re Sprint, 593 F.3d at 674. For that reason, “a court may not draw conclusions about the citizenship of class members based on things like their . . . mailing addresses.” Id.
In its reply brief, Lurie points to a district court that found the home-state exception applicable in another case brought by patients against their healthcare provider who purportedly failed to protect the patients’ PII and PHI from exposure in a data breach. See Pearson v. Grp. Health Coop. of S. Cent. Wis., No. 24-cv-310-jdp, 2025 WL 746434 (W.D. Wis. Feb. 12, 2025). There, the district court concluded that the defendant had adequately proved that the home-state exception applied based on its evidence of the putative class members’ Wisconsin mailing addresses combined with the fact that the class members were receiving medical care in that State. Id. at *2. The district court explained that “[i]t is reasonable to infer that a person lives in Wisconsin and intends to remain there for the foreseeable future if he or she has a Wisconsin mailing address and is receiving medical care in Wisconsin” because “[m]ost people would not receive regular medical care from a clinic far from home.” Id. Lurie contends that the same is true here. This Court, respectfully, finds the Pearson court’s inference that a person is likely to be a citizen of the State where they receive regular medical care to be dangerously close to the kind of sensible guesswork that the Seventh Circuit has rejected as competent proof of citizenship. Instead, the Seventh Circuit has suggested that mailing address evidence can be bolstered by “tak[ing] a random sample of [class members], ascertain[ing] the citizenship of each of these on the date the case was removed [or filed], and extrapolate[ing] to the class as a whole.” Myrick, 764 F.3d at 665.

In any case, the Court finds inferring citizenship based on class members’ Illinois mailing addresses and the fact that they received medical care in the State far less justified here than in Pearson. Lurie is not a typical regional medical provider but rather it is “the largest pediatric hospital and research center in the Midwest,” “nationally ranked in eleven specialties by U.S. News & World Report,” and known for providing “the latest benefits and innovations in medical technology.” (CAC ¶¶ 3, 32.) Given its national profile and reputation for providing high-quality specialized care, Lurie may be more likely than an average hospital to attract out-of-state patients; for example, patients needing specialized care for which there is no equivalent in their home state. Further, many of those out-of-state patients may have conditions that require long-term care such that it might make sense for their parents to temporarily relocate to the Chicago area. The Court therefore does not believe it appropriate to draw any conclusions regarding the class members’ domicile simply from the fact that they sought care from Lurie in Illinois. Because Lurie’s sole evidence pertaining to the citizenship of the aggregate class is their Illinois mailing addresses, it fails to carry its burden of establishing the applicability of the home-state exception.

Likewise, the mailing address evidence does not suffice to establish the applicability of § 1332(d)(3)’s discretionary exception to CAFA jurisdiction. That is true even though it is highly probable that the number of Illinois citizens will comfortably surpass the discretionary exception’s one-third threshold, given that 71% of the members of the aggregate class have Illinois mailing addresses. E.g., Matthews v. Cresco Labs, Inc., No. 25 CV 1928, 2025 WL 1918581, at *3 (N.D. Ill. July 11, 2025) (“While it seems highly likely that at least one-third of the putative class members are Illinois citizens, [the opponent of jurisdiction] presents only evidence of residence, which is not enough to prove citizenship.”). Accordingly, Lurie fails to establish that the Court must or should refrain from exercising jurisdiction pursuant to § 1332(d)(4)(B) or § 1332(d)(3).

B. Standing

Lurie also contends that the CAC’s allegations fail to plead Plaintiffs’ standing with respect to certain of their claims. Standing is an essential component of Article III’s limitation of federal courts’ judicial power only to cases or controversies. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). “The doctrine limits the category of litigants empowered to maintain a
lawsuit in federal court to seek redress for a legal wrong.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). There are three elements that constitute the “irreducible constitutional minimum” of standing. Lujan, 504 U.S. at 560. A “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 578 U.S. at 338 (internal quotation marks omitted). Where a plaintiff does not have Article III standing, a federal district court lacks subject-matter jurisdiction to hear their claims. Simic v. City of Chicago, 851 F.3d 734, 738 (7th Cir. 2017). According to Lurie, the CAC fails to plead that Plaintiffs suffered a cognizable injury in fact as to the contract claims at Counts IV and V, the unjust enrichment claim at Count VI, and the ICFA and GIPA claims at Counts IX and XI. Since Lurie challenges only the allegations of Plaintiffs’ injuries in fact, it raises a facial challenge to standing. The same standard used to evaluate facial challenges under Rule 12(b)(1) is used to evaluate motions brought under Rule 12(b)(6). Silha, 807 F.3d at 174. Thus, the Court accepts all well-pleaded allegations in the complaint as true and draws all reasonable inferences in favor of the plaintiff. Scanlan v.
Eisenberg, 669 F.3d 838, 841 (7th Cir. 2012) (Rule 12(b)(1)); McReynolds v. Merrill Lynch & Co., Inc., 694 F.3d 873, 879 (7th Cir. 2012) (Rule 12(b)(6)). A plaintiff establishes an injury in fact by showing that they “suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560). An injury is particularized when it affects “the plaintiff in a personal and individual way.” Id. (internal quotation marks omitted). And a concrete injury is one that actually exists. Id. at 340. “‘Concrete’ is not, however, necessarily synonymous with ‘tangible.’ Although tangible injuries are perhaps easier to recognize, [the Supreme Court has] confirmed in many of [its] previous
cases that intangible injuries can nevertheless be concrete.” Id. Most prominently, the Supreme Court has found intangible “injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts” to be concrete; “for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion LLC v. Ramirez, 594 U.S. 413, 425 (2021). In two decisions addressing standing in the data breach context, the Seventh Circuit has held that allegations of “an increased risk of future fraudulent charges and greater susceptibility to identify theft” can suffice to plead concrete injuries in fact so long as the alleged future harm “is ‘certainly impending’ [whereas] ‘allegations of possible future injury are not sufficient.’” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013)); see also Lewert v. PF Chang’s China Bistro, Inc., 819 F.3d 963, 966 (7th Cir. 2016) (“[T]he increased risk of fraudulent charges and identity theft [the plaintiffs] face because their data has already been stolen . . . . are concrete enough to support a lawsuit.”). When a plaintiff’s “data has already been stolen,” they face “a substantial
risk of harm from the data breach, because a primary incentive for hackers is ‘sooner or later to make fraudulent charges or assume those consumers’ identities.’” Lewert, 819 F.3d at 967 (quoting Remijas, 794 F.3d at 693). Following the Remijas and Lewert decisions, the Supreme Court clarified in TransUnion LLC v. Ramirez that an imminent risk of future harm, standing alone, provides a plaintiff standing only to “pursue forward-looking injunctive relief to prevent the harm from occurring.” 594 U.S. at 435. Because “a plaintiff must ‘demonstrate standing separately for each form of relief sought,’ . . . . a plaintiff’s standing to seek injunctive relief does not necessarily mean that the plaintiff has standing to seek retrospective damages.” Id. at 436 (quoting Friends of the Earth, Inc. v. Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 185
(2000)). Rather, to have standing to seek damages, “the mere risk of future harm” does not suffice “unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. As a result of TransUnion, Plaintiffs are squarely foreclosed from predicating their standing solely on the imminent risk of identity theft that they claim to face from the unauthorized disclosure of their PII and PHI in the Data Breach. Plaintiffs contend that such a conclusion runs afoul of Remijas and Lewert, neither of which the Seventh Circuit has repudiated following TransUnion. But while it is true that the Seventh Circuit has declined to find that those cases “are no longer authoritative,” it has nonetheless “recognize[d] that TransUnion marked a shift in the [Supreme] Court’s standing jurisprudence.” Dinerstein v. Google, LLC, 73 F.4th 502, 516 (7th Cir. 2023). As such, “[t]o the extent that [a plaintiff affected by a data breach] rests his claim for damages on allegations of future risk, the argument is a nonstarter.” Id. at 515. Consistent with TransUnion, the Seventh Circuit now adheres to the rule that “[a] plaintiff seeking money damages has standing to sue in federal court only for harms that have in fact materialized.” Id. (internal quotation marks omitted).
For the four Plaintiffs—Avanessian, Berry, C.C., and C.C.—who allege that unauthorized lines of credit or accounts have been taken out in their names, the risk of identity theft has already materialized, and they therefore have suffered a concrete injury in fact from the Data Breach.6 The risk of identity theft has not yet materialized for the remaining Plaintiffs. Nonetheless, those Plaintiffs assert that the time and money they spent toward mitigating the consequences of the Data Breach suffice to plead a separate concrete harm. Specifically, the CAC alleges that each Plaintiff “lost time and money incurred to mitigate and remediate the effects of the Data Breach,” including “expenditures for protective and remedial services.” (CAC ¶ 122.) Independent of and in addition to an imminent risk of identity theft, Remijas and Lewert
“found injuries sufficient for standing . . . in the time and money [the plaintiffs] spent protecting against future identity theft or fraudulent charges.” Lewert, 819 F.3d at 966–67 (citing Remijas, 794 F.3d at 694). There is no reason to think that TransUnion undermines the Seventh Circuit’s recognition in those decisions that mitigation efforts may constitute concrete injuries in fact. Indeed, most “post-TransUnion data-breach decisions in the Seventh Circuit have relied on Remijas and Lewert to find that mitigation costs based on imminent future harm amount to a concrete injury in fact.” Florence v. Order Express, Inc., 674 F. Supp. 3d 472, 481 (N.D. Ill. 2023). And, again, the Seventh Circuit has indicated that those decisions retain authoritative value even after TransUnion. The Court therefore concludes that, when paired with an imminent risk of identity theft, Plaintiffs’ mitigation efforts can provide the separate concrete harm needed for standing after TransUnion. E.g., Duffy v. Lewis Bros. Bakeries, Inc., 760 F. Supp. 3d 704, 715 (S.D. Ind. 2024) (“The mitigation costs in Remijas and Lewert would pass through the door left open by TransUnion and thus fall within that category of separate, concrete harms.”).
Plaintiffs allege in the CAC that they undertook mitigation efforts after learning of the Data Breach, and thus the key question is whether they plead adequately that they faced a sufficiently imminent harm. A plaintiff “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” Clapper, 568 U.S. at 422. Accordingly, the Seventh Circuit has emphasized that “mitigation expenses qualify as ‘actual injuries’ only when the harm is imminent.” Lewert, 819 F.3d at 967. In determining whether those impacted by a data breach face an imminent risk of harm from the disclosure of their private information, a key consideration is “the sensitivity of the data in question.” Kylie S. v. Pearson PLC, 475 F. Supp. 3d 841, 846 (N.D. Ill. 2020). “Critical to the Seventh Circuit’s finding of cognizable injuries-in-fact in both Lewert and Remijas was the fact that the plaintiffs had alleged that the data stolen was sufficiently sensitive to expose the victims to a material risk of identity theft or fraudulent transactions.” Fus v. CafePress, Inc., No. 19-cv-06601, 2020 WL 7027653, at *3 (N.D. Ill. Nov. 30, 2020); see also Baysal v. Midvale Indem. Co., 78 F.4th 976, 978 (7th Cir. 2023) (explaining that costs for credit-monitoring services are not reasonably incurred in response to a certainly impending harm “when the disclosed information does not facilitate credit-related frauds”). But exposure of less sensitive information such as names, birth dates, emails, and home addresses is far less likely to result in fraudulent transactions; the materialization of any risk “depends on a ‘highly attenuated chain of possibilities’ that ‘does not satisfy Article III.’” Kylie S., 475 F. Supp. at 847 (quoting Clapper, 568 U.S. at 410).
6 Lurie argues that those Plaintiffs’ allegations of actual identity theft are too vague to show that their injuries are fairly traceable to the Data Breach. The Court disagrees. The CAC alleges that those Plaintiffs assiduously protected the privacy of their PII and PHI, the Data Breach compromised information that can be used for identity theft (such as SSNs), and the incidents of identity theft occurred sometime after the Data Breach. (CAC ¶¶ 48, 141, 145, 153, 157.) For purposes of a facial challenge to standing, those allegations suffice to plead an injury fairly traceable to Lurie’s failure to reasonably guard against the Data Breach. See Roper v. Rise Interactive Media & Analytics, LLC, No. 23 CV 1836, 2023 WL 7410641, at *5 (N.D. Ill. Nov. 9, 2023) (“Plaintiff . . . alleges that within three months of the breach, an unknown party attempted to use her personal information to open a bank account. These allegations are sufficient at the pleading stage to satisfy the fairly traceable requirement for standing.” (citation omitted)).
Lurie contends that the CAC fails to allege that the Data Breach compromised the type of information that would cause Plaintiffs to face such an imminent threat of identity theft or credit fraud as to necessitate their mitigation efforts and expenses. That argument ignores that Lurie is alleged to have publicly acknowledged that the PII exposed in the Data Breach included SSNs and driver’s license numbers (CAC ¶ 48), data that is extremely vulnerable to misuse by bad actors. E.g., Florence, 674 F. Supp. 3d at 482 (“Plaintiffs have alleged an imminent threat of identity theft and fraud due to the exposure of their social security and driver’s license numbers.”). Apparently, Lurie wants the Court to focus instead on the contents of Lurie’s individual notices to Plaintiffs, none of which list SSNs among the information that Lurie
believed could have been stolen in the Data Breach. (CAC ¶¶ 127, 140, 152, 164, 174, 187, 197, 207, 218, 229, 241.) But those notices did not purport to provide a comprehensive assessment for each recipient of all the information that was exposed in the Data Breach. (E.g., id. ¶ 127 (“The letter disclosed that information stolen ‘may have included . . . .’” (emphasis added)).) Moreover, Lurie did, in fact, collect and maintain SSNs and driver’s license numbers, along with other financial information that could be used for fraud. (Id. ¶ 39.) At this stage, the CAC sufficiently pleads that Plaintiffs had reason to believe that the information exposed in the data breach was sensitive enough to warrant the mitigation efforts they undertook. That Lurie proactively offered to those impacted by the Data Breach 24 months of free credit monitoring (id. ¶ 55) reinforces the reasonableness of Plaintiffs’ mitigation efforts. Florence, 674 F. Supp. 3d at 482 (“Underscoring the reasonableness of Plaintiffs’ mitigation efforts is [the defendant’s] offer to pay for two years of credit monitoring and identify-theft protection.”); Doe v. Fertility Ctrs. of Ill., S.C., No. 21 C 579, 2022 WL 972295, at *2 (N.D. Ill. Mar. 31, 2022) (“The fact that Defendants offered [the plaintiff] one year of complimentary access to credit monitoring and identity restoration services confirms the reasonableness of at least some of [the plaintiff’s] out-of-pocket mitigation expenditures.” (citation omitted)). Thus, the Court finds that Plaintiffs’ mitigation efforts constitute a concrete injury in fact.
Plaintiffs also allege that their loss of confidentiality in the exposed PII and PHI, itself, constitutes an injury in fact giving them standing. The Court agrees. One of the intangible harms expressly identified in TransUnion as “traditionally recognized as providing a basis for lawsuits in American courts” was “disclosure of private information.” TransUnion, 594 U.S. at 425. “At common law, the disclosure of private information imposes liability where the defendant gives publicity to a private matter that would be highly offensive to a reasonable person and is not of
legitimate concern to the public.” Smith v. Loyola Univ. Med. Ctr., No. 23 CV 15828, 2024 WL 3338941, at *4 (N.D. Ill. July 9, 2024). Accordingly, courts in this Circuit regularly recognize that a plaintiff whose PII or PHI has been disclosed in a data breach suffers a concrete injury in fact. E.g., Roper v. Rise Interactive Media & Analytics, LLC, No. 23 CV 1836, 2023 WL 7410641, at *5 (N.D. Ill. Nov. 9, 2023) (finding that the plaintiffs pleaded an injury in fact where they “allege[]d that Defendant caused their sensitive health information, including medical diagnoses, to be improperly accessed and publicized to an unknown number of hackers”); Florence, 674 F. Supp. 3d at 480 (“Plaintiffs allege that [the defendant] failed to prevent hackers from stealing and publishing their social security, driver’s license, and tax identification numbers—information which a reasonable person would prefer to keep private. . . . Since disclosure of private information is a sufficiently close common-law analogue for Plaintiffs’ alleged harm, the injury is concrete.”). Likewise, here, the Court finds that Plaintiffs’ allegations regarding the disclosure of their medical diagnoses and other treatment information plead an injury in fact. See Smith, 2024 WL 3338941, at *4 (“Facts regarding a person’s medical life are
inherently private, the unauthorized dissemination of which would no doubt be highly offensive to a reasonable person. Nor can it be said that an individual’s medical history or diagnoses is generally a matter of legitimate public concern.” (internal quotation marks and citations omitted)). Together, Plaintiffs’ allegations regarding their mitigation efforts and the disclosure of their PII and PHI adequately allege concrete injuries in fact with respect to their claims at Counts IV, V, VI, and IX.7 Nonetheless, as to the GIPA claim at Count XI, Lurie argues that GIPA Plaintiffs fail to allege a particularized injury. The GIPA “regulates the use, disclosure, and acquisition of ‘genetic information.’” McKnight v. United Airlines, Inc., No. 23-cv-16118, 2024
WL 3426807, at *2 (N.D. Ill. July 16, 2024). Under the GIPA, “genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing . . . by that individual to receive the information.” 410 ILCS 513/15(a). Therefore, the statute provides, among other things, that “[n]o person to whom the results of a test have been disclosed may disclose the test results to another person except as authorized under this Act,” 410 ILCS 513/35, and gives a right of action to “[a]ny person aggrieved by a violation of this Act,” 410 ILCS 513/40(a).
Lurie’s contention that the CAC relies only on speculation as to how GIPA Plaintiffs were personally harmed by a GIPA violation is baseless. Each GIPA Plaintiff alleges that they underwent genetic testing at Lurie and that Lurie received and retained their genetic test results. (CAC ¶¶ 137–38, 184–85.) And GIPA Plaintiffs’ notices of the Data Breach specifically identified their “medical condition or diagnosis; medical treatment; [and] other health/medical records” as potentially exposed. (Id. ¶¶ 140, 187.) At this stage of the proceedings, those allegations support the reasonable inference that GIPA Plaintiffs’ genetic test results were among the information compromised in the Data Breach, and therefore they suffered a particularized GIPA injury. Consequently, the Court is satisfied that the CAC pleads a concrete and particularized injury in fact as to each asserted claim.
7 Because their mitigation efforts and the disclosure of their private information suffice to establish standing, the Court need not address the viability of Plaintiffs’ other asserted injuries in fact at this time.
II. Rule 12(b)(6)
Having found no basis to dismiss the CAC for lack of subject-matter jurisdiction, the Court proceeds to address Lurie’s arguments that Plaintiffs have not stated plausible claims at Counts I–X. To survive a Rule 12(b)(6) motion, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal,
556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This pleading standard does not necessarily require a complaint to contain detailed factual allegations. Twombly, 550 U.S. at 555. Rather, “[a] claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Adams v. City of Indianapolis, 742 F.3d 720, 728 (7th Cir. 2014) (quoting Iqbal, 556 U.S. at 678).
A. Negligence
At Count I, Plaintiffs allege that Lurie’s negligent data security practices resulted in the exposure of their PII and PHI. In Illinois, “[t]he essential elements of a cause of action based on common law negligence are the existence of a duty owed by the defendant to the plaintiff, breach of that duty, and an injury proximately caused by that breach.” Clifford v. Wharton Bus. Grp., LLC, 817 N.E.2d 1207, 1212 (Ill. App. Ct. 2004) (citing Ward v. K Mart Corp., 554 N.E.2d 223, 226 (Ill. 1990)). Lurie argues that Plaintiffs fail to allege adequately both the duty and proximate cause elements.
1. Duty
Beginning with the duty element, Lurie contends that there is no common-law duty to safeguard information in Illinois. “Generally, a duty of care arises where the parties stand in such a relationship to one another that the law imposes upon the defendant an obligation of reasonable conduct for the benefit of the plaintiff.” Clifford, 817 N.E.2d at 1212–13. The existence of such a duty may be derived from the common law or from statute. Barnett v. Zion Park Dist., 665 N.E.2d 808, 812 (Ill. 1996). While the Illinois Supreme Court has not spoken about whether there is a duty to safeguard personal information in the context of data breaches, the Seventh Circuit has previously predicted that “the state court would not impose [such a] common law data security
duty.” Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 816 (7th Cir. 2018). In reaching that conclusion, the Seventh Circuit relied on an Illinois Appellate Court decision, Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28–29 (Ill. App. Ct. 2010), which concluded that there was no duty to safeguard personal information in Illinois. First, the Cooney court found that PIPA did not create that duty because the statute’s plain language required only that a data collector “provide timely notice of a security breach to the parties affected.” Id. at 28. Second, the Illinois Appellate Court declined to recognize a new common law duty to safeguard information because it did “not believe that the creation of a new legal duty beyond legislative requirements already in place is part of [its] role on appellate review.” Id. at 29. Because the Seventh Circuit found no reason that the Illinois Supreme Court would disagree with Cooney, it likewise held that “no duty to safeguard personal information existed” in Illinois. Schnuck, 887 F.3d at 816. Normally, the Seventh Circuit’s prediction that the Illinois Supreme Court would not recognize a duty in these circumstances would compel this Court to reach the same conclusion.
Luna v. United States, 454 F.3d 631, 636 (7th Cir. 2006) (“[T]he district court should not be making contrary [state-law] predictions when this court has ruled squarely on the matter.”). However, the Cooney decision, which largely informed the Seventh Circuit’s rejection of a duty to safeguard personal information in Schnuck, has since been superseded by the Illinois state legislature’s 2017 amendments to the PIPA. Specifically, the PIPA now mandates that a “data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, . . . or disclosure.” 815 ILCS 530/45. Based on this language, the Illinois Appellate
Court has revisited its prior holding and concluded that the PIPA imposes “a duty to maintain reasonable security measures [and] the reasoning of the Cooney court no longer applies.” Flores v. Aon Corp., 242 N.E.3d 340, 353 (Ill. App. Ct. 2023). Although Schnuck was decided after the PIPA was amended, “the data breach at issue . . . occurred in 2012, so the 2017 amendments to PIPA were not relevant to the Seventh Circuit’s analysis.” McGlenn v. Driveline Retail Merch., Inc., No. 18-cv-2097, 2021 WL 4301476, at *7 (C.D. Ill. Sept. 21, 2021). Consequently, the vast majority of district courts in this Circuit to have considered the issue have found that there is a duty under Illinois law to safeguard personal information in the data breach context. E.g., In re Mondelez Data Breach Litig., Nos. 23 C 3999, 23 C 4249, 2024 WL 2817489, at *4 (N.D. Ill. June 3, 2024); Wittmeyer v. Heartland All. For Hum. Needs & Rights, No. 23 CV 1108, 2024 WL 182211, at *2 (N.D. Ill. Jan. 17, 2024); Contra Doe v. Genesis Health Sys., No. 4:23-cv-04209-JEH, 2025 WL 1000192, at *4 (C.D. Ill. Mar. 18, 2025). This Court agrees that the holding in Schnuck does not control the analysis in light of the current version of the PIPA. Again, in finding no statutory duty, Schnuck
echoed Cooney’s conclusion that the PIPA did not “impose[] any . . . duty beyond providing notice of a security breach.” Schnuck, 887 F.3d at 816 (citing Cooney, 943 N.E.2d at 28). And Cooney explained that, “[b]ecause the provisions in the [PIPA] are clear, we must assume it reflects legislative intent to limit defendants’ duty to providing notice.” Cooney, 943 N.E.2d at 28. But with the 2017 amendments to the PIPA, the legislature spoke again by adding language requiring data collectors to “implement and maintain reasonable security measures” to protect personal information. 815 ILCS 530/45(a). Because the PIPA now reflects a legislative intent to impose a duty on data collectors to protect personal information, the Court declines to dismiss the negligence claim at Count I for failure to plead a duty on the part of Lurie.
2. Proximate Causation
To the extent it owed Plaintiffs a duty to protect their PII and PHI, Lurie nonetheless claims that the CAC fails to plausibly allege that Lurie proximately caused Plaintiffs’ injuries. Proximate cause incorporates “two distinct requirements: cause in fact and legal cause.” Abrams v. City of Chicago, 811 N.E.2d 670, 674 (Ill. 2004) (internal quotation marks omitted). “A defendant’s conduct is a ‘cause in fact’ of the plaintiff’s injury only if that conduct is a material element and a substantial factor in bringing about the injury.” Id. at 675. That will be the case where, “absent [the defendant’s] conduct, the injury would not have occurred.” Id. On the other hand, “legal cause” entails an assessment of foreseeability; the question “is whether the injury is of a type that a reasonable person would see as a likely result of his or her conduct.” Id. (internal quotation marks omitted). The CAC is replete with allegations addressing how Lurie’s inadequate data security practices left it vulnerable to the Data Breach, thereby pleading cause in fact. (CAC ¶¶ 98–121.) Yet Lurie asserts that the legal cause of Plaintiffs’ injuries was the intervening conduct of third-party criminal actors such that those injuries were not the foreseeable result of any conduct on the part of Lurie. As an initial matter, “proximate cause is typically a question of fact; it should only be decided as a matter of law if the facts alleged demonstrate that a party would never be entitled to recover.” Kramer v. Szczepaniak, 123 N.E.3d 431, 441 (Ill. App. Ct. 2018). And intervening criminal acts of a third party do not automatically absolve the initial wrongdoer of liability. Duncavage v. Allen, 497 N.E.2d 433, 437 (Ill. App. Ct. 1986). Rather, the issue remains one of foreseeability—whether “the criminal act might reasonably have been foreseen at the time of the negligence.” Id. Moreover, the CAC provides extensive detail about why medical information is so valuable to identity thieves that a major healthcare provider like Lurie could
have and should have foreseen that it would be targeted by cybercriminals. (CAC ¶¶ 63–84.) At a minimum, those allegations preclude the Court from deciding proximate cause as a matter of law. And because the CAC alleges that Lurie’s breach of its duty to safeguard Plaintiffs’ personal information proximately caused the exposure of their PII and PHI, the CAC adequately states a claim for ordinary negligence.
B. Negligence Per Se
In addition to Count I’s claim for ordinary negligence, Count II asserts a claim for negligence per se. Specifically, the CAC alleges that Lurie’s violations of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45(a)(1), and HIPAA constitute negligence per se. As Plaintiffs correctly note in their response brief, in Illinois, “[a] violation of a statute or ordinance designed to protect human life or property is prima facie evidence of negligence.” Kalata v. Anheuser-Busch Cos., Inc., 581 N.E.2d 656, 661 (Ill. 1991). However, that means “the violation of the statute is only evidence of duty and breach, nonbinding on the jury,” and a defendant may still prevail “if he can show that he acted reasonably under the circumstances or
that a violation of the statute was not the proximate cause of the plaintiff’s injury.” Bier v. Leanna Lakeside Prop. Ass’n, 711 N.E.2d 773, 783 (Ill. App. Ct. 1999). What Plaintiffs fail to apprehend is that “[a] violation of a statute only constitutes negligence per se (which would mean strict liability) if the legislature clearly intends for the act to impose strict liability.” Flores, 242 N.E.3d at 355. Due to that misapprehension, Plaintiffs do not even attempt to argue that either the FTC Act or HIPAA are strict liability statutes. Indeed, courts regularly reject claims of negligence per se predicated on violations of those statutes. Wittmeyer, 2024 WL 182211, at *4 (“The plaintiffs . . . do not allege that either the [FTC Act] or HIPAA imposes strict liability; nor does the Court have any authority before it that would support a finding of strict liability.”); see
also M.C. v. E. Side Health Dist., No. 3:24-CV-01336-NJR, 2025 WL 435992, at *6 (S.D. Ill. Feb. 7, 2025) (rejecting negligence per se claim based on violations of HIPAA); Flores, 242 N.E.3d at 355 (rejecting negligence per se claim based on violations of the FTC Act). The Court likewise dismisses Count II’s claim of negligence per se.
C. Breach of Fiduciary Duty
Count III of the CAC asserts a claim for breach of fiduciary duty. To state a claim for breach of fiduciary duty, a plaintiff must allege “that a fiduciary duty exists, that the fiduciary duty was breached, and that such breach proximately caused the injury of which the plaintiff complains.” Neade v. Portes, 739 N.E.2d 496, 502 (Ill. 2000). Lurie denies that it owed a fiduciary duty to Plaintiffs. In Illinois, a fiduciary duty may arise either “automatically pursuant to specific legal relationships, such as those between attorneys and their clients; or . . . by virtue of circumstances unique to the parties’ relationship, where one party places trust in another so the latter gains superiority and influence over the former.” Landale Signs & Neon, Ltd. v. Runnion Equip., No. 16-cv-07619, 2016 WL 7409916, at *4 (N.D. Ill. Dec. 22, 2016). Plaintiffs contend that their
relationship with Lurie falls into the latter category and note that Illinois law recognizes that the physician-patient relationship gives rise to a fiduciary duty. E.g., San Roman v. Child.’s Heart Ctr., Ltd., 954 N.E.2d 217, 222 (Ill. App. Ct. 2010) (“It is well-settled in Illinois . . . that a fiduciary duty arises between doctor and patient.”). The Court finds that Plaintiffs improperly use the fiduciary duty a treating physician owes their patients to bootstrap into Illinois law a fiduciary duty owed to patients by the healthcare facility at which their treating physician practices. See Nutty v. Jewish Hosp., 571 F. Supp. 1050, 1052 (S.D. Ill. 1983) (“While physicians clearly have a fiduciary relationship with their patients, the relationship between a hospital and a patient is more difficult to categorize.”).
At least based on the allegations here, the Court cannot conclude that the same fiduciary duty owed by the physicians who treated Plaintiffs also applied to Lurie and its administrative and information technology staff in charge of maintaining patient information in Lurie’s systems. See Doe v. Genesis Health Sys., No. 23-cv-4209-JES-JEH, 2024 WL 3890164, at *13 (C.D. Ill. Aug. 21, 2024) (“Plaintiff fails to support that any court in Illinois has found that a healthcare facility has a fiduciary duty in relation to patients’ private information.”); cf. Jezek v. CareCredit, LLC, No. 10 C 7360, 2011 WL 2837492, at *3 (N.D. Ill. July 18, 2011) (“Plaintiffs cite no authority to show that in the context of the physician-patient relationship, transactions outside of medical treatment . . . are subject to the fiduciary relationship.”). For that reason, Count III is dismissed.
D. Breach of Express Contract
The CAC alleges that Lurie expressly promised Plaintiffs and members of the putative classes that it had implemented sufficient measures to protect the confidentiality of their PII and PHI. Yet Lurie failed to honor its promises regarding data security, as evidenced by the Data Breach. Thus, Count IV asserts a claim for breach of contract.
“Under Illinois law, a plaintiff looking to state a colorable breach of contract claim must allege four elements: ‘(1) the existence of a valid and enforceable contract; (2) substantial performance by the plaintiff; (3) a breach by the defendant; and (4) resultant damages.’” Reger Dev., LLC v. Nat’l City Bank, 592 F.3d 759, 764 (7th Cir. 2010) (quoting W.W. Vincent & Co. v. First Colony Life Ins. Co., 814 N.E.2d 960, 967 (Ill. App. Ct. 2004)). Lurie contends that the CAC fails to plead the existence of any express contract concerning the security of Plaintiffs’ PII and PHI. In response, Plaintiffs point to their allegations regarding the promises made in Lurie’s privacy policy and its separate website privacy policy. (CAC ¶¶ 36–37.) Those allegations are insufficient to plead an express contract, however, because the CAC contains no allegations suggesting that Plaintiffs were required to read and agree to Lurie’s privacy policies or that those
policies were incorporated into some other contract between Lurie and Plaintiffs. And a contract is not “formed by an offer that . . . lacks definite and certain material terms and does not require such terms to be supplied by an acceptance.” Wittmeyer, 2024 WL 182211, at *4 (quoting Ass’n Benefit Servs., Inc. v. Caremark RX, Inc., 493 F.3d 841, 849 (7th Cir. 2007)). Like another court in this District considering allegations similar to those here, the Court finds that the CAC fails to plead a contract as to data security because neither of Lurie’s privacy policies “lay out—with any sort of specificity—the terms by which [Lurie] agreed to be bound with respect to the security measures that it would employ to maintain and safeguard PII and PHI.” Id. at *5. Count IV is therefore dismissed.
E. Breach of Implied Contract
Pleaded in the alternative to Count IV’s express contract claim, Count V sets forth a claim for breach of implied contract. A claim for breach of implied contract has the same elements as a claim for breach of express contract. In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 590 (N.D. Ill. 2022). But “[u]nlike an express contract, in which the parties
arrive at an agreement using words, an agreement in an implied-in-fact contract is created through the actions and conduct of the parties.” Olson v. Ferrara Candy Co., --- N.E.3d ---, 2025 WL 1750241, at *11 (Ill. App. Ct. June 25, 2025). Accordingly, “[a]n implied contract arises from a promissory expression which may be inferred from the facts and circumstances and the expressions on the part of the promisor which show an intention to be bound.” In re Arthur J. Gallagher, 631 F. Supp. 3d at 591 (internal quotation marks omitted). The Court finds that the CAC’s allegations concerning Lurie’s privacy policies provide adequate support for an implied contract. Courts have found that even general commitments to protecting personal information in a defendant’s privacy policy can support an inference of an implied promise. E.g., In re Mondelez, 2024 WL 2817489, at *7; In re Arthur J. Gallagher, 631
F. Supp. 3d at 591. Indeed, an implied contract can be inferred simply from the nature of Plaintiffs’ relationship with Lurie: since Plaintiffs were required to provide Lurie with their PII and PHI to receive services, they could reasonably expect that Lurie, “in turn, would keep this information private and protect it from unauthorized disclosures.” Wittmeyer, 2024 WL 182211, at *5; see also Flores, 242 N.E.3d at 355 (“On top of defendant’s representations in its privacy policy, it is implied from the relationship between the parties that defendant would take reasonable steps to ensure that plaintiffs’ personal information would be protected from unauthorized disclosure.”). To the extent Plaintiffs have alleged the existence of an implied contract, Lurie argues that the CAC nonetheless fails to plead adequately that Plaintiffs suffered any monetary damages as a result of any breach of that implied contract by Lurie. Allegations of actual monetary damages are necessary to successfully state a claim for breach of an implied contract. Olson, 2025 WL 1750241, at *12. As discussed above, Plaintiffs each claim to have spent money
mitigating the harm they face from the exposure of their PII and PHI to criminal actors. Those expenditures suffice to plead monetary damages. Id.; see also Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 830 (7th Cir. 2018) (“Money out of pocket is a standard understanding of actual damages in contract law . . . .”). While Lurie faults the CAC for not specifying the amount each Plaintiff spent, such details are not necessary at this stage. See, e.g., Duffy, 760 F. Supp. 3d at 724 (“Plaintiffs need not plead damages with mathematical precision.”). And because the CAC alleges that Plaintiffs’ money damages were caused by Lurie’s breach of its implied promises to safeguard Plaintiffs’ PII and PHI, Count V states a claim for breach of implied contract.
F. Unjust Enrichment
Count VI asserts a claim for unjust enrichment. A claim for unjust enrichment requires a plaintiff to “allege that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989). Here, Lurie contends that the unjust enrichment claim fails because the CAC does not show that Lurie unjustly retained any benefit conferred by Plaintiffs. The Court agrees. Any monetary benefit that Plaintiffs (or their insurers) conferred upon Lurie was for healthcare services, and the CAC does not claim that there was any separate outlay for data security. E.g., Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 766 (C.D. Ill. 2020) (“Plaintiffs have not alleged that any specific portion of their payments went toward data protection; rather, they state that their payments were for food and gas. Additionally, Plaintiffs have not alleged a benefit conferred in exchange for protection of their personal information.”); Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064, 1072 (C.D. Ill. 2016) (“[The plaintiff] paid for food
products. She did not pay for a side order of data security and protection . . . .”). Thus, the unjust enrichment claim at Count VI is dismissed.
G. Invasion of Privacy
At Count VII, the CAC alleges that Lurie allowed criminal actors to obtain Plaintiffs’ highly-sensitive PII and PHI, thereby resulting in an invasion of Plaintiffs’ privacy. Illinois recognizes four invasion of privacy torts, and Plaintiffs’ response brief clarifies that their claim is for public disclosure of private facts. Such a claim requires a plaintiff to establish that: “(1) publicity was given to the disclosure of private facts; (2) the facts were private and not public facts; and (3) the matter made public would be highly offensive to a reasonable person.” Johnson v. K mart Corp., 723 N.E.2d 1192, 1197 (Ill. App. Ct. 2000).
Count VII falters at the first element: the CAC fails to allege any public disclosure of Plaintiffs’ PII and PHI. For purposes of this tort, public disclosure “means communicating the matter to the public at large or to so many persons that the matter must be regarded as one of general knowledge.” Wynne v. Loyola Univ. of Chi., 741 N.E.2d 669, 677 (Ill. App. Ct. 2000) (internal quotation marks omitted). Here, the CAC alleges only that Plaintiffs’ private data was obtained by criminal actors and offered for sale on the dark web. (CAC ¶ 45.) Communicating private facts to criminal actors who, in turn, make that information available on a black market falls well short of a public disclosure. Roper v. Rise Interactive Media & Analytics, LLC, No. 23-cv-1836, 2024 WL 1556298, at *5 (N.D. Ill. Apr. 10, 2024) (“Plaintiffs allege a nefarious third-party stole information from [the defendant], and the third-party could theoretically share their data in the future. Courts have routinely found these allegations insufficient to qualify as a ‘public disclosure.’”); see also Nabozny v. Optio Sols. LLC, 84 F.4th 731, 736 (7th Cir. 2023) (“[H]aving some finite number of people know (true) details about your life is fundamentally different than having that information disseminated to the general public.” (internal quotation
marks omitted)). While a disclosure to a small number of people may satisfy the publicity requirement, that is only the case where “a plaintiff has a special relationship with the individuals to whom the matter was disclosed.” Wynne, 741 N.E.2d at 677. Needless to say, Plaintiffs have no special relationship with the strangers who illicitly obtained their PII and PHI. Roper, 2024 WL 1556298, at *3 (“Plaintiffs’ relationship is not made ‘special’ by the mere fact that the bad actors have Plaintiffs’ information and can attempt to use it or sell it to others in the future.”). Given that there has been no public disclosure of Plaintiffs’ private facts, Count VII’s invasion of privacy claim is dismissed.
H. ICFA
Count VIII asserts a claim under PIPA and Count IX asserts a claim under the ICFA.
Because “[t]he PIPA itself does not provide for a private cause of action to seek damages for violations” but instead makes violations actionable under the ICFA, Count VIII is effectively a second ICFA claim. Best v. Malec, No. 09 C 7749, 2010 WL 2364412, at *7 (N.D. Ill. June 11, 2010); see also 815 ILCS 530/20. The elements of an ICFA claim include: “(1) a deceptive or unfair act or practice by the defendant; (2) the defendant’s intent that the plaintiff rely on the deceptive or unfair practice; and (3) the unfair or deceptive practice occurred during a course of conduct involving trade or commerce.” Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 574 (7th Cir. 2012) (internal quotation marks omitted). The Court first addresses whether Count VIII states an ICFA claim based on Lurie’s purported violation of the PIPA and then turns to consider whether the CAC alleges any other unfair or deceptive acts or practices that would also support the separate ICFA claim at Count IX.
1. The PIPA
The CAC alleges that Lurie violated the PIPA’s command to timely notify those affected by a data breach. Under the PIPA, data collectors are required to “notify the [Illinois] resident at
no charge that there has been a breach of the security of the system data following discovery or notification of the breach,” and such “notification shall be made in the most expedient time possible and without unreasonable delay.” 815 ILCS 530/10(a). According to Plaintiffs, the nearly five-month interval between when Lurie detected the Data Breach and when Lurie first informed Plaintiffs of the breach demonstrates that it unreasonably delayed in providing notice. As for the length of time it took Lurie to provide notice of the Data Breach, Lurie contends that what constitutes “the most expedient time possible” varies based on the circumstances. The Court agrees, but that only demonstrates that the timeliness of notice cannot be resolved at the pleading stage. For present purposes, it is at least plausible that the five-month delay was unreasonable. Nonetheless, because the purported PIPA violation is brought under the
ICFA, the CAC must also adequately allege actual, economic damages to state a claim. Flores, 242 N.E.3d at 357 (“The failure to allege specific economic damages precludes a claim brought under the [ICFA].”). Plaintiffs Avanessian, Yolanda Berry, C.C., and C.C., who have already experienced incidents of identity theft, have a plausible claim that Lurie’s delayed notice caused them harm: if they had known earlier that they were at risk, they might have had a better chance at thwarting the identity thieves. On the other hand, the other Plaintiffs fail plausibly to identify what pecuniary harms they could have avoided had they known of the Data Breach earlier. Consequently, Count VIII may proceed only as to Plaintiffs Avanessian, Berry, C.C., and C.C.; the remaining Plaintiffs’ claims are dismissed.
2. Unfair or Deceptive Acts or Practices
An ICFA claim may be predicated on either deceptive or unfair conduct. Robinson v. Toyota Motor Credit Corp., 775 N.E.2d 951, 960 (Ill. 2002). The only well-pleaded factual
allegations supporting Count IX relate to deceptive conduct—namely, Lurie’s purported misrepresentations regarding its data security practices. While Lurie argues that the CAC fails to plead any deceptive act or practice with the particularity required by Federal Rule of Civil Procedure 9(b), Plaintiffs contend that their ICFA claims are subject only to Rule 8(a)’s notice pleading standard rather than the heightened standard of Rule 9(b). Plaintiffs are mistaken. Whereas an ICFA unfairness claim need only meet the Rule 8(a) standard, because a deceptive acts or practices claim sounds in fraud it is subject to Rule 9(b). Kahn v. Walmart Inc., 107 F.4th 585, 601 (7th Cir. 2024). As such, the CAC must “state with particularity the circumstances constituting fraud,” although “[m]alice, intent, knowledge, and other conditions of a person’s mind may be alleged generally.” Fed. R. Civ. P. 9(b). To state the circumstances of fraud with
sufficient particularity, the plaintiff must allege “the who, what, when, where, and how: the first paragraph of any newspaper story.” DiLeo v. Ernst & Young, 901 F.2d 624, 627 (7th Cir. 1990). Here, the Court agrees with Lurie that the ICFA claim is not pleaded with the particularity required of Rule 9(b). All the alleged affirmative misrepresentations concern statements made in Lurie’s privacy policies that were published on its website or in some unspecified “other materials provided to Plaintiffs.” (CAC ¶¶ 36–37, 303.) Allegations that certain statements were made in privacy policies available on Lurie’s website fail to satisfy Rule 9(b) because the CAC does not allege that any Plaintiff ever visited the website to read them. See Baldwin v. Star Sci., Inc., 78 F. Supp. 3d 724, 738 (N.D. Ill. 2015) (“Plaintiff’s complaint fails to satisfy Rule 9(b) [because] it does not specify when or where he saw the misrepresentations.”). As for the non-specific reference to the other materials provided to Plaintiffs, that allegation lacks all the necessary details regarding “who, what, when, where, and how.” And “a plaintiff cannot maintain an ICFA claim if the plaintiff does not receive, directly or indirectly, communication . . . from the defendant.” Ko v. Univ. of Potomac at Chi. LLC, No. 24 C 1455,
2024 WL 3694489, at *5 (N.D. Ill. Aug. 7, 2024) (internal quotation marks omitted). Absent allegations of a misrepresentation that was actually received by Plaintiffs, any allegations of omissions also fail to plead fraud; “[i]f there has been no communication with [Plaintiffs], there have been no . . . omissions.” Id. Thus, the Court concludes that the CAC fails to plead a deceptive act or practice with the particularity required by Rule 9(b). Count IX’s ICFA claim is dismissed.
I. IUDTPA
Finally, Count X of the CAC sets forth a claim under the IUDTPA based on Lurie’s misrepresentations about its data security practices. The IUDTPA provides that “[a] person likely to be damaged by a deceptive trade practice of another may be granted injunctive relief upon
terms that the court considers reasonable.” 815 ILCS 510/3. As suggested by the statute’s language, injunctive relief is the only remedy available under the IUDTPA. Kurowski v. Rush Sys. For Health, 659 F. Supp. 3d 931, 942 (N.D. Ill. 2023). But to state a claim for such relief, a plaintiff must allege “ongoing or future harm.” Sanchez v. Walmart Inc., 733 F. Supp. 3d 653, 667 (N.D. Ill. 2024). The CAC fails to plead an ongoing or future harm related to Lurie’s representations of its data security measures since the Data Breach has already occurred and Plaintiffs’ PII and PHI has already been exposed. Fox v. Iowa Health Sys., 399 F. Supp. 3d 780, 799 (W.D. Wis. 2019) (analyzing an IUDTPA claim and observing that “[i]n most consumer actions . . . the plaintiff is unable to allege facts showing a likelihood of future harm because the harm has already occurred, and because the plaintiff is unlikely to be deceived in the future”). While Plaintiffs argue that they face a future risk because Lurie still has their PII and PHI and that information remains vulnerable, that goes only “to the risk of harm that [Plaintiffs] face[] from the data breaches themselves, not the risk of harm that [they] face[] if [Lurie] continues to misrepresent
its protective measures.” Id. at 799–800. In any case, Plaintiffs’ assertion that Lurie is not taking effective action to preclude future data breaches is entirely speculative, based only on Lurie’s failure to explain to them what steps it is taking to upgrade its cybersecurity practices. Cf. Dusterhoft v. OneTouchPoint Corp, No. 22-cv-0882-bhl, 2024 WL 4263762, at *7 (E.D. Wis. Sept. 23, 2024) (finding that the plaintiffs failed to plead a risk of future harm to have standing for injunctive relief because they alleged “no specific facts establishing how [the defendant’s] data security remains inadequate, or how they face a real and immediate threat of future injury from another data breach occurring due to [the defendant’s] failure to protect their data”). Because the CAC does not sufficiently allege an ongoing or future harm, the IUDTPA claim at
Count X is dismissed.
CONCLUSION
For the foregoing reasons, Lurie’s motion to dismiss (Dkt. No. 45) is granted in part and denied in part. Counts II, III, IV, VI, VII, IX, and X of the CAC are dismissed for failure to state a claim. Count VIII is similarly dismissed for failure to state a claim, with the exception of the claims brought by Plaintiffs Avanessian, Yolanda Berry, C.C., and C.C. Lurie’s motion is otherwise denied. The dismissals are without prejudice to Plaintiffs seeking leave to file an amended complaint that cures the pleading deficiencies of the dismissed claims.
ENTERED:
Dated: September 27, 2025
Andrea R. Wood
United States District Judge
Cite This Page — Counsel Stack
In Re: Lurie Children's Hospital Data Security Litigation, Counsel Stack Legal Research, https://law.counselstack.com/opinion/in-re-lurie-childrens-hospital-data-security-litigation-ilnd-2025.