IN THE UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF ILLINOIS
M.C., Individually and on Behalf of all Similarly Situated Persons,
Plaintiff,
v.
Case No. 3:24-CV-01336-NJR
EAST SIDE HEALTH DISTRICT, and ELIZABETH PATTON-WHITESIDE,
Defendant.
MEMORANDUM AND ORDER
ROSENSTENGEL, Chief Judge:

This case concerns an alleged cybersecurity incident involving East Side Health District (“East Side”), an entity providing healthcare services in Illinois. Plaintiff alleges that her personal information was compromised as a result of this incident. She brings this lawsuit on behalf of herself and others similarly situated against East Side and Ms. Elizabeth Patton-Whiteside, East Side’s Public Health Administrator (collectively “Defendants”). Defendants have moved to dismiss Plaintiff’s complaint for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). (Doc. 22).

BACKGROUND

The following facts are taken from Plaintiff’s complaint and accepted as true for purposes of Defendants’ motion to dismiss. Wagner v. Teva Pharm. USA, Inc., 840 F.3d 355, 358 (7th Cir. 2016). As a healthcare provider, East Side collects personal and health-related information from patients who receive treatment there. (Doc. 1-1), Compl. ¶ 19. At some point before December 2023, Plaintiff was a patient at East Side, where she provided her personal information in order to receive care. Id. ¶¶ 21-22. Between December 1, 2023,
and December 8, 2023, East Side “learned of an incident that disrupted the operations of some of [its] IT systems.” Id. ¶ 25. On February 2, 2024, Defendants sent a letter to Plaintiff and other patients to notify them of the breach. Id. ¶ 26. The letter stated that East Side’s “investigation determined that an unauthorized party accessed some of [its] systems . . . and accessed or removed certain files.” Id. ¶ 27. The data breach allegedly resulted in Plaintiff’s and other patients’ personal
information being compromised. Id. ¶ 29. This, in turn, caused Plaintiff and other patients to sustain (i) a loss of privacy; (ii) the “imminent, immediate, and continuing increased risk of identity theft, identity fraud and/or medical fraud;” (iii) “out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance, and/or other Breach risk mitigation products;” (iv) “out-of-pocket expenses incurred to mitigate the
increased risk of identity theft, identity fraud, and/or medical fraud pressed upon them by the Breach, including the cost of placing a credit freeze and subsequently removing a credit freeze;” (v) the value of time spent mitigating the risk of identity theft; (vi) the lost benefit of the bargain when they paid for their privacy to be protected and it was not; and (vii) embarrassment, emotional distress, humiliation, and loss of enjoyment of life. Id.
¶¶ 67, 90, 91.

Plaintiff, on behalf of herself and others similarly situated, filed this lawsuit in the Circuit Court for the Twentieth Judicial Circuit, St. Clair County, Illinois, on March 20, 2024. Her complaint asserts the following causes of action: breach of implied contract (Count I), negligence (Count II), breach of fiduciary duty of confidentiality (Count III), negligent training and supervision (Count IV), and negligence per se (Count V). She seeks to represent the following classes of individuals:

- National Class: All persons residing in the United States who were patients of Defendant ESHD whose PHI and/or PII was disclosed by Defendants to unauthorized third parties between December 1, 2023 and December 8, 2023.
- Illinois Class: All persons residing in the United States who were residents of Illinois patients of Defendant ESHD whose PHI and/or PII was disclosed by Defendants to unauthorized third parties between December 1, 2023 and December 8, 2023.

Id. ¶ 72.

Defendants removed the case to this Court on May 17, 2024, invoking federal subject matter jurisdiction under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d). (Doc. 1). On June 24, 2024, Defendants filed the pending motion to dismiss. (Doc. 22). Before addressing the motion to dismiss, the Court ordered Defendants to cure
a deficiency in their notice of removal to ensure federal subject matter jurisdiction was secure. (Doc. 26). The Court held a hearing on February 6 to discuss its subject matter jurisdiction and Defendants’ motion to dismiss. After the hearing, Defendants filed an amended notice of removal, which secures this Court’s subject matter jurisdiction under CAFA.1 (Doc. 32). The motion to dismiss is thus ripe for ruling.
1 CAFA authorizes federal courts to hear cases in which “(1) a class has 100 or more class members; (2) at least one class member is diverse from at least one defendant (“minimal diversity”); and (3) there is more than $5 million, exclusive of interest and costs, in controversy in the aggregate.” Sabrina Roppo v. Travelers Comm. Ins. Co., 869 F.3d 568, 578 (7th Cir. 2017) (citing 28 U.S.C. § 1332(d)). East Side is incorporated and has its principal place of business in Illinois, thus making it a citizen of Illinois. Ms. Patton-Whiteside is also a citizen of Illinois. Although Plaintiff is also a citizen of Illinois, Defendants maintain that “at least one member of the putative class is a citizen of Missouri.” (Doc. 32). This satisfies minimal diversity. The complaint alleges that “tens of thousands” of people may be in the classes that Plaintiff seeks to represent. Id. This satisfies the numerosity requirement of 100 or more class members. Finally, Plaintiff's extensive damages allegations in combination with the potential number of absent class members “easily satisfies” CAFA’s amount in controversy threshold of $5,000,000, exclusive of interest and costs. Id.

LEGAL STANDARD

A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) “tests whether the complaint states a claim on which relief may be granted.” Richards v. Mitcheff, 696 F.3d 635, 637 (7th Cir. 2012). The Court accepts as true the complaint’s well-pleaded factual allegations and draws all reasonable inferences—but not legal conclusions—in the plaintiff’s favor. Burke v. 401 N. Wabash Venture, LLC, 714 F.3d 501, 504 (7th Cir. 2013). To survive a Rule 12(b)(6) motion, a plaintiff only needs to allege enough facts to state a claim for relief that is plausible on its face. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). A plaintiff need not plead detailed factual allegations, but must provide “more than labels and conclusions, and a formulaic recitation of the elements.” Id. “Plausibility does not mean probability: a court reviewing a 12(b)(6) motion must ‘ask itself could these things have happened, not did they happen.’” Huri v. Off. of the Chief Judge of the Cir. Ct. of Cook Cnty., 804 F.3d 826, 833 (7th Cir. 2015) (quoting Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010)). “The standard simply calls for enough facts to raise a reasonable expectation that discovery will reveal evidence supporting the allegations.” Id. (citing Olson v. Champaign Cnty., 784 F.3d 1093, 1098 (7th Cir. 2015)).

DISCUSSION

Defendants’ motion begins by raising two global arguments for dismissal that apply to all of Plaintiff’s claims. These arguments posit that Plaintiff’s claimed damages are not cognizable under the legal theories she has advanced, and that Defendants are immune from liability under the Illinois Tort Immunity Act (“TIA”), 745 ILCS 10/1-101, et seq. Next, Defendants advance several claim-specific arguments targeting each cause
of action separately. The Court will address Defendants’ arguments in that order.

1. Global Arguments

A. Failure to allege cognizable injuries

Defendants’ principal argument is that a data breach, without more, does not support a contract or tort action. Thus, they attack the viability of four damages categories that Plaintiff advances: (i) increased future risk of identity theft, (ii) diminished value of
personal data, (iii) loss of the benefit of the bargain, and (iv) emotional damages. First, Defendants argue that an increased risk of future harm from identity theft has been rejected as a cognizable injury by the Illinois state courts and the Seventh Circuit. In support, they cite Berry v. City of Chicago, 181 N.E.3d 679, 688 (Ill. 2020), for the proposition that “an increased risk of harm is not, for purposes of tort law, an injury.”
Berry provides compelling support for Defendants’ argument. There, the plaintiffs asserted claims of negligence against the City of Chicago because an improvement project to the City’s water lines had allegedly caused the lead levels in the water supply to rise. Id. at 682-83. The plaintiffs’ only damages were their alleged increased risk of negative health effects from their exposure to the water—none reported any health effects that had
materialized. Id. at 687. The Illinois Supreme Court dismissed the plaintiffs’ negligence claim because they had not suffered a cognizable harm from the City’s alleged misconduct. Berry, 181 N.E.3d at 687-88. This was so, the court explained, because “[t]he long-standing and primary purpose of tort law is not to punish or deter the creation of this risk but rather to compensate victims when the creation of risk tortiously manifests into harm.” Id. at 688. A person may thus only pursue a negligence claim “once harm
occurs.” Id. The Court agrees with Defendants that, under Berry, any unrealized harm from the data breach, including the increased risk of identity theft, cannot support Plaintiff’s claims sounding in negligence. Accord Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007) (under Indiana law, risk of financial harm and identity theft, without more, not enough to satisfy damages element of negligence and breach of contract claims).
Second, Defendants argue that Plaintiff’s allegation of a diminished value of her personal data is not a viable legal theory supporting a tort or breach of contract action. In Petta v. Christie Bus. Holding Co., 230 N.E.3d 162, 169 (Ill. App. Ct. 2023), the Illinois Appellate Court rejected the premise that personal information is “property.” Even if it was, the court expounded, there would be no “nonspeculative way to assess the
diminution in value of the property right.” Id. Although Petta is not a decision of the Illinois Supreme Court, this Court finds it instructive here. Plaintiff has cited no authority calling Petta into question, nor has she offered any information that would allow the Court or the jury to quantify the value of her personal information. This means that the alleged diminution of the value of her personal information cannot support her claims in
this case. Accord Flores v. Aon Corp., 242 N.E.3d 340, 356 (Ill. App. Ct. 2023) (rejecting diminution in value theory); McLaughlin v. Taylor Univ., No. 23-cv-00527, 2024 WL 4274848, at *4 (N.D. Ind. Sept. 23, 2024) (same under Indiana law). Third, Defendants argue that the benefit of the bargain theory cannot support Plaintiff’s claims. They are correct. This theory holds that if Plaintiff had known of East Side’s ineffective data security infrastructure, she would not have chosen to receive care
there. Thus, any money she spent on her care was effectively an “overpayment” for the services she received. The Seventh Circuit rejected a nearly identical claim under Illinois law in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016). There, the plaintiffs learned that a restaurant where they had dined was the subject of a data breach and that their credit and debit card data was compromised as a result. Id. at 965. Although the court found that the plaintiffs had Article III standing to bring their claims, it rejected
their benefit of the bargain claims. “Plaintiffs claim that the cost of their meals is an injury because they would not have dined at P.F. Chang’s had they known of its poor data security. As we noted in Remijas, such arguments have been adopted by courts only where the product itself was defective.” Id. at 968. Here, the product was the care Plaintiff received at East Side. Her complaint contains no allegations that it was substandard or
ineffective. Thus, as in Lewert, this Court is “not inclined to push th[e] [benefit of the bargain] theory beyond its current scope.” Id.; accord Archey v. Osmose Util. Srvs., Inc., No. 10-cv-5247, 2021 WL 3367156, at *2 (N.D. Ill. Aug. 3, 2021) (rejecting benefit of the bargain theory in data breach case). Fourth, Defendants argue that Plaintiff’s emotional distress is not a cognizable
injury. In support, they cite Wadsworth v. Kross, Lieberman & Stone, Inc., 12 F.4th 665, 668 (7th Cir. 2021), for the proposition that stress and annoyance are “quintessential abstract harms that are beyond our power to remedy.” But Wadsworth is distinguishable here because it involved an individual’s standing to bring a claim under the Fair Debt Collection Practices Act (“FDCPA”). Id. at 666-67. There, the plaintiff suffered no harm other than the annoyance of a debt collector’s attempts to claw back a bonus she had
received from her employer. Id. at 666. Indeed, the plaintiff’s whole claim was based on the debt collector’s “procedural violations” of the FDCPA. Id. at 667. Here, Plaintiff advances negligence claims based on a data breach that compromised her personal information. She is not merely alleging “procedural violation[s]” of a federal statute. If Plaintiff alleged that Defendants failed to comply with a federal data protection statute, without a data breach ever having taken place, then Wadsworth may be more analogous.
But that is not the case here. Defendants are correct that emotional damages cannot support Plaintiff’s contract claim. Flores, 242 N.E.3d at 356 (“To successfully make a breach of implied contract claim, a plaintiff must allege actual monetary damages.”). But her negligence claims can be based on her emotional damages. See In re Arthur J. Gallagher Data Breach Litig., 631 F.
Supp. 3d 573, 587 (N.D. Ill. 2022) (“There can be no dispute that Plaintiffs have alleged present injuries or damages; for instance, all allege experiencing emotional harms such as anxiety and increased concerns for the loss of privacy. . . . These types of non-economic damages are recoverable under Illinois law.”). Thus, the Court partially agrees with Defendants—Plaintiff’s emotional damages do not support her contract claim, but they
do support her tort claims. With several damages categories in the complaint either limited or eliminated altogether, the Court must take stock of where that leaves the case. A generous reading of the complaint provides enough information about Plaintiff’s injuries to sustain some of her claims at this nascent stage. In addition to the four damages classes that Defendants dispute, Plaintiff alleges that she and the class sustained “out-of-pocket expenses
incurred to mitigate the risk of identity theft,” and “the value of their time spent mitigating identity theft.” Compl. ¶ 91. These claimed damages are compensable in a contract action under Illinois law. See id. at 587 (rejecting similar arguments to those raised here and holding that out-of-pocket costs and value of time spent are cognizable in contract action under Illinois law); see also Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 830 (7th Cir. 2018) (“Money out of pocket is a standard understanding of actual
damages in contract law”). And as to her negligence-based claims, Plaintiff has alleged, among other things, that she suffers and continues to suffer emotional distress, embarrassment, and fear of identity theft, which are non-economic damages that are recoverable in a negligence action under Illinois law. In re Arthur J. Gallagher, 631 F. Supp. 3d at 587; see also Volling v. Antioch Rescue Squad, 999 F.Supp.2d 991, 999 (N.D. Ill. 2013)
(“Under Illinois law, negligence is actionable if it directly causes emotional distress even without any physical symptoms.”). Plaintiff’s damages are indeed imperfectly pled, as she does not point to specific expenditures or undertakings that she made in response to the data breach. But at this stage, she is not required to plead her damages with “mathematical certainty.” H.B. Williamson Co. v. Ill-Eagle Enter., Ltd., No. 14–cv–0575–
MJR–PMF, 2015 WL 802250, at *5 (S.D. Ill. Feb. 25, 2015). And for that reason, the Court concludes that Plaintiff has sufficiently pled some damages that are recoverable under her chosen causes of action. See In re Arthur J. Gallagher, 631 F. Supp. 3d at 587 (denying motion to dismiss in data breach case even though some of plaintiff’s claimed damages were not cognizable).

B. The Illinois Tort Immunity Act

Defendants’ other global argument contends that the TIA protects them from
liability. See 745 ILCS 10/1-101, et seq. The TIA “protects local public entities and public employees from liability arising from the operation of government.” Coleman-Napper v. CKEM, Inc., No. 3:21-CV-1701-NJR, 2023 WL 1766278, at *5 (S.D. Ill. Feb. 3, 2023). A local public entity includes “any not-for-profit corporation organized for the purposes of conducting public business.” 745 ILCS 10/1-206. Moreover, “a public employee serving
in a position involving the determination of policy or the exercise of discretion is not liable for an injury resulting from his act or omission in determining policy when acting in the exercise of such discretion even though abused.” 745 ILCS 10/2-201. Defendants argue that they are covered by these immunity provisions and thus exempt from potential liability. They may be right, but it is too early to tell. Whether a
defendant qualifies for immunity under the Tort Immunity Act generally turns on the facts of the case. The issue is thus generally inappropriate for resolution on a motion to dismiss. Hayes v. Bd. of Educ. of City of Chicago, 629 F. Supp. 3d 816, 825 (N.D. Ill. 2022). This cautious approach to an immunity defense is consistent with the Seventh Circuit’s acknowledgement that because “immunity defense[s] usually depend[ ] on the facts of
the case, dismissal at the pleading stage is inappropriate.” Alvarado v. Litscher, 267 F.3d 648, 649 (7th Cir. 2001) (qualified immunity). Moreover, it is well settled that “[p]laintiffs are not required to plead around every possible defense in a complaint.” U.S. ex rel. Grenadyor v. Ukrainian Village Pharm., Inc., 895 F. Supp. 2d 872, 878 (N.D. Ill. 2012). At the hearing, defense counsel alleged that Plaintiff did not plead any facts to refute immunity. But the premise that Plaintiff was required to do so is unfounded. Defendants are
certainly free to pursue a sovereign immunity defense in discovery and possibly in a motion for summary judgment. But the contention that Plaintiff’s failure to disprove immunity at this stage warrants dismissal is unpersuasive.

C. Claims against Defendant Elizabeth Patton-Whiteside

Defendants also argue that Elizabeth Patton-Whiteside should be dismissed from the case because the complaint lacks any allegations concerning her individual conduct.
On this point, the Court agrees. The complaint identifies Ms. Patton-Whiteside as the “Public Health Administrator” for East Side. That is the only allegation that specifically implicates her in this case. Without more, Plaintiff has failed to raise the specter of Ms. Patton-Whiteside’s liability. At the hearing, Plaintiff acknowledged that she has no further information about Ms. Patton-Whiteside’s potential liability in this case. Indeed,
she only named Ms. Patton-Whiteside as a defendant because she was the author of the notification letter that Plaintiff received about the data breach, a point that is not even mentioned in the complaint. Without more, the claims against Ms. Patton-Whiteside will be dismissed.

2. Claim-Specific Arguments

Defendants also press several arguments targeting each of Plaintiff’s claims for relief. First, Defendants argue that Plaintiff’s breach of implied contract claim fails because she has not alleged the existence of a contract or a breach. Under Illinois law, “an implied contract can be created as a result of the parties’ actions, even if there is no express contract between them.” Flores, 242 N.E.3d at 355. An “agreement in an implied-
in-fact contract is created through the actions and conduct of the parties.” Id. Defendants contend that Plaintiff has not alleged an implied contract because East Side made no representations concerning data security in its dealings with her. But the lack of an affirmative representation is not dispositive here. Where a person voluntarily provides personal information to facilitate a transaction, “it is implied from the relationship between the parties that defendant would take reasonable steps to ensure that plaintiffs’
personal information would be protected from unauthorized disclosure.” Id. Common sense dictates that this understanding is present when a person checks into a hospital. Plaintiff alleges that East Side received and possessed her confidential information by virtue of her relationship as a patient there. Under Flores, she has sufficiently alleged the existence and breach of an implied contract that survives a motion to dismiss. Id. at 356.
Her alleged “out-of-pocket” costs, moreover, serve as the required “monetary damages,” which are necessary to a contract claim under Illinois law. Id. Thus, Plaintiff’s breach of implied contract claim (Count I) survives Defendants’ motion to dismiss. Second, Defendants contest the viability of all of Plaintiff’s negligence-based claims: negligence (Count II), negligent training and supervision (Count IV), and
negligence per se (Count V). A negligence claim requires a plaintiff to allege that “the defendant owed a duty of care to the plaintiff, that the defendant breached that duty, and that the breach was the proximate cause of the plaintiff’s injuries.” Cowper v. Nyberg, 28 N.E.3d 768, 772 (Ill. 2015). Defendants argue that Plaintiff has failed to allege a causal connection between the data breach and her claimed injuries. They contend that “the Complaint does not state whether Plaintiff took any measures to protect her information
or whether her information has been compromised in any other data breach.” (Doc. 23 at 21). But Plaintiff alleges several damages including emotional distress which, as noted, support the viability of her negligence claims. The temporal connection between the data breach and these claimed injuries, moreover, supports a causal connection at the pleading stage. Flores, 242 N.E.3d at 354; see also In re Arthur J. Gallagher, 631 F. Supp. 3d at 587. Thus, Plaintiff’s negligence claim (Count II) survives Defendants’ motion to dismiss.
Third, Defendants argue that Plaintiff’s negligence per se claim must be dismissed because it is based on their alleged non-compliance with HIPAA and the Health Information Technology Act (“HITECH”). These statutes are not strict liability statutes and thus, so Defendants’ argument goes, they are not suited to support a negligence per se claim. The Court agrees. In Flores, the Illinois Appellate Court explained that “[a]
violation of a statute only constitutes negligence per se (which would mean strict liability) if the legislature clearly intends for the act to impose strict liability.” 242 N.E.3d at 355. But Plaintiff has offered no authority for the proposition that HIPAA or HITECH are strict liability statutes, nor did she dispute this point at the hearing. At most, she identifies these statutes as “pertinent” to the standard of care. That is not enough to support a
negligence per se claim. Even if it is established that Defendants violated HIPAA and HITECH, Illinois law provides that “the violation of a statute is not negligence per se, which refers to strict liability, but rather only prima facie evidence of negligence, unless the legislature clearly intends to impose strict liability.” Abbasi ex rel. Abbasi v. Paraskevoulakos, 718 N.E.2d 181, 186 (Ill. 1999). Plaintiff’s failure to identify HIPAA and HITECH as strict liability statutes is thus fatal to her claim of negligence per se. See Brown
v. State Farm Mut. Auto. Ins. Co., No. 23 C 6065, 2025 WL 81340, at *6 (N.D. Ill. Jan. 13, 2025) (rejecting negligence per se claim under Illinois law based on HIPAA); Wittmeyer v. Heartland Alliance for Human Needs & Rights, No. 23 CV 1108, 2024 WL 182211, at *3-4 (N.D. Ill. Jan. 17, 2024) (same). Plaintiff’s negligence per se claim (Count V) will thus be dismissed. Fourth, Defendants argue that Plaintiff’s breach of fiduciary duty of
confidentiality claim (Count III) should be dismissed because it is not a recognized cause of action in Illinois. In Dinerstein v. Google, LLC, 484 F. Supp. 3d 561, 594-95 (N.D. Ill. 2020), the court recognized that Illinois has not adopted the tort of breach of confidentiality, and Plaintiff, for her part, has not identified any subsequent authority from the Illinois Supreme Court to suggest otherwise. Federal courts sitting in diversity apply state law,
they do not create it. Sabrina Roppo v. Travelers Com. Ins. Co., 869 F.3d 568, 596 (7th Cir. 2017). Thus, when a plaintiff seeks to bring a cause of action in federal court that does not exist under state law, dismissal is the appropriate response. That is what happened here, which means Plaintiff’s breach of fiduciary duty of confidentiality claim (Count III) will be dismissed.
Finally, Plaintiff’s negligent supervision claim is barely mentioned in her opposition to Defendants’ motion to dismiss, nor does the complaint mention any facts that would support such a claim. That is problematic because “[w]hen presented with a motion to dismiss, the non-moving party must proffer some legal basis to support his cause of action.” Cnty. of McHenry v. Insurance Co. of the West, 438 F.3d 813, 818 (7th Cir. 2006) (internal quotations omitted). And “[i]f [judges] are given plausible reasons for dismissing a complaint, they are not going to do the plaintiff's research and try to discover whether there might be something to say against the defendants’ reasoning.” Kirksey v. R.J. Reynolds Tobacco Co., 168 F.3d 1039, 1042 (7th Cir. 1999). Thus, Plaintiff's lack of a response to Defendants’ argument as to her negligent supervision claim results in her forfeiture of that claim. See Worrell v. Wells Fargo Bank, N.A., No. 13-cv-643-bbc, 2014 WL 12726562, at *2 (W.D. Wis. Jan. 27, 2014) (plaintiff's failure to respond to arguments in defendant’s motion to dismiss resulted in forfeiture of claims in question). Accordingly, Plaintiff's negligent supervision claim (Count IV) will be dismissed.
CONCLUSION

For these reasons, Defendants’ Motion to Dismiss (Doc. 22) is GRANTED in part and DENIED in part. All claims against Defendant Elizabeth Patton-Whiteside are DISMISSED without prejudice. Counts III, IV, and V insofar as they are pled against East Side are DISMISSED without prejudice. Plaintiff is GRANTED leave to file an amended complaint on or before March 10, 2025.

IT IS SO ORDERED.

DATED: February 7, 2025

NANCY J. ROSENSTENGEL
Chief U.S. District Judge