KANNE, Circuit Judge.
In July 2013 burglars stole four desktop computers from one of Defendant Advocate Health and Hospitals Corporation’s administrative offices in Illinois. The computers contained unencrypted private data relating to approximately four million Advocate patients. Six of the affected patients brought this putative class action alleging that Advocate did too little to safeguard their information.
The plaintiffs asserted claims for willful and negligent violations of the Fair Credit Reporting Act (the “Act” or “FCRA”), 15 U.S.C. § 1681, et seq., and state-law claims for negligence and invasion of privacy. The district court dismissed the FCRA claims for failure to state a claim; it also found that four of the plaintiffs lacked standing to sue. Then, having dismissed the federal claims, the court relinquished supplemental jurisdiction over the remaining state-law claims. See 28 U.S.C. § 1367(c)(3). The plaintiffs appeal the dismissal of their FCRA claims.
Before turning to the merits, we briefly address the threshold issue of the’ standing to sue under Article III of the U.S. Constitution. The district court raised this issue sua sponte because it potentially affects our jurisdiction. See Rhodes v. Johnson, 153 F.3d 785, 787 (7th Cir.1998). [451]*451The court concluded that two of the plaintiffs Benkler and Oliver, had sufficiently concrete, particularized, and impending injuries to confer standing: the thieves attempted to use the stolen information to access Benkler’s bank accounts and to open a cell phone account in Oliver’s name. Benkler and Oliver’s standing to sue is uncontested, and we agree with the district court’s conclusion. See Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 794 F.3d 688, 691-94, 2015 WL 4394814, at *3-5 (7th Cir. July 20, 2015) (finding standing in similar circumstances), petition for reh’g en banc filed (Aug. 3, 2015).
The district court concluded that the four other plaintiffs, however, lacked standing because their injuries were too speculative: the thieves had stolen their information but had not yet misused it. Advocate claims that conclusion was correct; the plaintiffs say it was wrong. There is no need to resolve this dispute because “[wjhere at least one plaintiff has standing, jurisdiction is secure and the court will adjudicate the case whether the additional plaintiffs have standing or not.” Ezell v. City of Chicago, 651 F.3d 684, 696 n. 7 (7th Cir.2011). Our jurisdiction is secure.
Now to the merits. We review de novo a district court’s dismissal under Federal Rule of Civil Procedure 12(b)(6). Meade v. Moraine Valley Cmty. Coll, 770 F.3d 680, 684 (7th Cir.2014). To survive dismissal, the complaint must allege sufficient facts to “state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). We accept the plaintiffs’ well-pled facts as true and construe reasonable inferences in their favor. Thulin v. Shopko Stores Operating Co., 771 F.3d 994, 997 (7th Cir.2014). But “allegations in the form of legal conclusions are insufficient.” McReynolds v. Merrill Lynch & Co., 694 F.3d 873, 885 (7th Cir.2012) (citing Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009)). So are “[tjhreadbare recitals of the elements of a cause of action, supported by mere conclusory statements.” Adams v. City of Indianapolis, 742 F.3d 720, 728 .(7th Cir.2014) (quoting Iqbal, 556 U.S. at 678, 129 S.Ct. 1937).
The Act requires every “consumer reporting agency” to “maintain reasonable procedures” to ensure that it does not “furnish[ ] ... consumer reports” to unauthorized third parties or for impermissible purposes. 15 U.S.C. § 1681e(a). The plaintiffs allege that Advocate did not maintain reasonable procedures and thereby exposed their private information to the thieves. They seek various forms of relief, including statutory damages, which the Act makes available for willful violations even without a showing of actual damages. See id. § 1681n(a); Killingsworth v. HSBC Bank Nev., N.A., 507 F.3d 614, 622 (7th Cir.2007).
But the plaintiffs must plausibly allege that the reasonable-procedures provision applies in the first place, which includes, for a start, properly pleading that Advocate is a “consumer reporting agency.” The Act defines that term, in relevant part, to mean:
any person which, [1] for monetary fees, dues, or on a cooperative nonprofit basis, [2] regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers [3] for the purpose of furnishing consumer reports to third parties....
15 U.S.C. § 1681a(f) (numbering added). The complaint alleges that “Advocate is a Consumer Reporting Agency” because it “assembles] information on consumers” on a “cooperative nonprofit basis and/or for [452]*452monetary fees” for the “purpose of furnishing Consumer Reports to third parties.” But these are merely conclusory allegations — a “threadbare recital” of the statutory elements. Adams, 742 F.3d at 728. On their own, they are insufficient under Twombly and Iqbal.
The complaint’s other, more detailed allegations fall short too. The plaintiffs do successfully plead the second prong of the statutory .definition: the complaint states that Advocate regularly assembles its patients’ personal and medical information— including, e.g., names, dates of birth, social security numbers, medical diagnoses, and health insurance information.
But the complaint does not satisfy the definition’s first prong because Advocate does not assemble this information “for monetary fees.” 15 U.S.C. § 1681a(f) (emphasis added). The complaint does allege that Advocate transmits patient information to insurance companies and government agencies (such as Medicare, presumably) in order to get paid. But the payments Advocate • receives are — in the complaint’s own
Free access — add to your briefcase to read the full text and ask questions with AI
KANNE, Circuit Judge.
In July 2013 burglars stole four desktop computers from one of Defendant Advocate Health and Hospitals Corporation’s administrative offices in Illinois. The computers contained unencrypted private data relating to approximately four million Advocate patients. Six of the affected patients brought this putative class action alleging that Advocate did too little to safeguard their information.
The plaintiffs asserted claims for willful and negligent violations of the Fair Credit Reporting Act (the “Act” or “FCRA”), 15 U.S.C. § 1681, et seq., and state-law claims for negligence and invasion of privacy. The district court dismissed the FCRA claims for failure to state a claim; it also found that four of the plaintiffs lacked standing to sue. Then, having dismissed the federal claims, the court relinquished supplemental jurisdiction over the remaining state-law claims. See 28 U.S.C. § 1367(c)(3). The plaintiffs appeal the dismissal of their FCRA claims.
Before turning to the merits, we briefly address the threshold issue of the’ standing to sue under Article III of the U.S. Constitution. The district court raised this issue sua sponte because it potentially affects our jurisdiction. See Rhodes v. Johnson, 153 F.3d 785, 787 (7th Cir.1998). [451]*451The court concluded that two of the plaintiffs Benkler and Oliver, had sufficiently concrete, particularized, and impending injuries to confer standing: the thieves attempted to use the stolen information to access Benkler’s bank accounts and to open a cell phone account in Oliver’s name. Benkler and Oliver’s standing to sue is uncontested, and we agree with the district court’s conclusion. See Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 794 F.3d 688, 691-94, 2015 WL 4394814, at *3-5 (7th Cir. July 20, 2015) (finding standing in similar circumstances), petition for reh’g en banc filed (Aug. 3, 2015).
The district court concluded that the four other plaintiffs, however, lacked standing because their injuries were too speculative: the thieves had stolen their information but had not yet misused it. Advocate claims that conclusion was correct; the plaintiffs say it was wrong. There is no need to resolve this dispute because “[wjhere at least one plaintiff has standing, jurisdiction is secure and the court will adjudicate the case whether the additional plaintiffs have standing or not.” Ezell v. City of Chicago, 651 F.3d 684, 696 n. 7 (7th Cir.2011). Our jurisdiction is secure.
Now to the merits. We review de novo a district court’s dismissal under Federal Rule of Civil Procedure 12(b)(6). Meade v. Moraine Valley Cmty. Coll, 770 F.3d 680, 684 (7th Cir.2014). To survive dismissal, the complaint must allege sufficient facts to “state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). We accept the plaintiffs’ well-pled facts as true and construe reasonable inferences in their favor. Thulin v. Shopko Stores Operating Co., 771 F.3d 994, 997 (7th Cir.2014). But “allegations in the form of legal conclusions are insufficient.” McReynolds v. Merrill Lynch & Co., 694 F.3d 873, 885 (7th Cir.2012) (citing Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009)). So are “[tjhreadbare recitals of the elements of a cause of action, supported by mere conclusory statements.” Adams v. City of Indianapolis, 742 F.3d 720, 728 .(7th Cir.2014) (quoting Iqbal, 556 U.S. at 678, 129 S.Ct. 1937).
The Act requires every “consumer reporting agency” to “maintain reasonable procedures” to ensure that it does not “furnish[ ] ... consumer reports” to unauthorized third parties or for impermissible purposes. 15 U.S.C. § 1681e(a). The plaintiffs allege that Advocate did not maintain reasonable procedures and thereby exposed their private information to the thieves. They seek various forms of relief, including statutory damages, which the Act makes available for willful violations even without a showing of actual damages. See id. § 1681n(a); Killingsworth v. HSBC Bank Nev., N.A., 507 F.3d 614, 622 (7th Cir.2007).
But the plaintiffs must plausibly allege that the reasonable-procedures provision applies in the first place, which includes, for a start, properly pleading that Advocate is a “consumer reporting agency.” The Act defines that term, in relevant part, to mean:
any person which, [1] for monetary fees, dues, or on a cooperative nonprofit basis, [2] regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers [3] for the purpose of furnishing consumer reports to third parties....
15 U.S.C. § 1681a(f) (numbering added). The complaint alleges that “Advocate is a Consumer Reporting Agency” because it “assembles] information on consumers” on a “cooperative nonprofit basis and/or for [452]*452monetary fees” for the “purpose of furnishing Consumer Reports to third parties.” But these are merely conclusory allegations — a “threadbare recital” of the statutory elements. Adams, 742 F.3d at 728. On their own, they are insufficient under Twombly and Iqbal.
The complaint’s other, more detailed allegations fall short too. The plaintiffs do successfully plead the second prong of the statutory .definition: the complaint states that Advocate regularly assembles its patients’ personal and medical information— including, e.g., names, dates of birth, social security numbers, medical diagnoses, and health insurance information.
But the complaint does not satisfy the definition’s first prong because Advocate does not assemble this information “for monetary fees.” 15 U.S.C. § 1681a(f) (emphasis added). The complaint does allege that Advocate transmits patient information to insurance companies and government agencies (such as Medicare, presumably) in order to get paid. But the payments Advocate • receives are — in the complaint’s own words — “for health care services that its physicians have rendered” (emphasis added). Advocate is not getting paid for assembling patient information. After all, that is not its business. Advocate is, as the complaint acknowledges, a “network of affiliated doctors and hospitals that treat patients” — not a credit or consumer reporting company.
The complaint alleges that Advocate’s patient information serves other purposes as well. The insurance companies and government agencies allegedly usé it to determine eligibility and pricing for health services and to set rates for a variety of insurance products. But, again, none of that shows that Advocate receives fees in exchange for compiling and transmitting patient information.
The plaintiffs’ allegations also fail the third prong of the statutory definition. To qualify as a “consumer reporting agency,” Advocate must assemble consumer information “for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f) (emphasis added). A consumer report includes any communication “bearing on a consumer’s credit worthiness” which is used to establish the consumer’s eligibility for credit, insurance, or other listed purposes. Id. § 1681a(d)(l). But the Act expressly excludes from this definition any “report containing information solely as to transactions or experiences between the consumer and the person making the report.” Id. § 1681a(d)(2)(A)(i).
Advocate does not meet this definition. The information it transmits to insurers is obviously sent to third parties, and it arguably is used to determine eligibility for insurance coverage. But the information concerns Advocate’s experiences with its own patients, including, e.g., personally identifying information, medical diagnoses, and the names of treating physicians. It thus falls within the exclusion. See DiGianni v. Stern’s, 26 F.3d 346, 349 (2d Cir.1994) (per curiam).
We have found the Act inapplicable in analogous circumstances. In Frederick v. Marquette National Bank, for example, the plaintiff contracted to buy a condominium from Marquette National Bank. Marquette asked Frederick for permission to obtain her credit report; when she refused, Marquette ordered it anyway. 911 F.2d 1, 1 (7th Cir.1990). She sued for alleged violations of the Act. We held that “[t]he statute is not even potentially applicable” because Marquette was a bank, not a consumer reporting agency. Id. at 2. Moreover, we found the plaintiffs claims not only wrong, but frivolous. Id. (“When a statute expressly confines liability to X’s [453]*453and the defendant is a Y, the suit is frivolous.”).
We reiterated the point in a different context in Mirfasihi v. Fleet Mortgage Corporation, 551 F.3d 682 (7th Cir.2008). There, the plaintiffs, as a class, sued Fleet Mortgage Corporation for having transmitted their personal financial information to telemarketing companies, allegedly in violation of the Act. The district court approved a settlement that placed no value on the FCRA claim. Id. at 684. (The plaintiffs ‘also brought other claims that did have value, but they do not concern us here.) We affirmed, holding that the claim (in addition to having been forfeited) “has no possible merit, and in fact is frivolous.” Id. at 686. Fleet, we observed, “is not a consumer reporting agency — it is a bank.” Id. (citing Frederick, 911 F.2d at 2).
Similarly, the Second Circuit concluded in DiGianni that the term “consumer reporting agency” did not include retail department stores that merely received and transmitted information about their own customers. 26 F.3d at 348-49. The Eleventh Circuit reached the same conclusion in Rush v. Macy’s New York, Inc., where defendant Macy’s “did no more than furnish information to a credit reporting agency.” 775 F.2d 1554, 1557 (11th Cir.1985). The Act itself expressly distinguishes between companies that furnish information about their own customers (or patients, etc.) and those that get paid to assemble, evaluate, and report credit-related information. See 15 U.S.C. § 1681S-2.1 Advocate falls on the first side of that line.
Nevertheless, the plaintiffs take another shot at fitting Advocate within the definition of “consumer reporting agency.” In an effort to meet the first prong of the definition, they claim that Advocate assembles and shares its patients’ data “on a cooperative nonprofit basis,” even if not for fees. 15 U.S.C. § 1681a(f) (emphasis added). Specifically, the complaint alleges that “Advocate, through Advocate Physician Partners, collects, manages, and shares a multitude of patient information ... in a variety of ways.” It then lists several examples: programs to improve health care quality and efficiency; a Medicare savings program; a “shared savings contract with its biggest commercial insurance partner”; and the hiring of “outpatient care managers.”2 There is no allegation that these programs involve cooperative sharing of information with third parties. Judging by the allegations, these are internal Advocate programs, with the possible exception of the insurance contract. Nor is there any claim that these programs operate on a nonprofit basis. Even drawing reasonable inferences in the plaintiffs’ favor, we think these allegations are too thin.
Moreover, the allegations do not meet the definition’s third prong. Using information internally does not count as “furnishing ... to third parties.” 15 U.S.C. § 1681a(f).' And there is no claim that Advocate shares the information so that the recipient can make determinations of credit or insurance eligibility. In other words, Advocate is not providing “consumer reports.” See id. § 1681a(d)(l).
For these reasons, we conclude that the plaintiffs did not plausibly allege that Advocate is a consumer reporting agency. [454]*454Therefore, the Act’s reasonable-procedures provision does not apply, and the FCRA claims were properly dismissed.
Our conclusion does not confine the Act’s reach to the nation’s three major credit bureaus, as the plaintiffs suggest. Other entities outside that mold may act in ways that satisfy the statutory definition of “consumer reporting agency.” See, e.g., Adams v. Nat’l Eng’g Serv. Corp., 620 F.Supp.2d 319, 328 (D.Conn.2009) (holding that a staffing agency was a consumer reporting agency because it prepared and furnished background investigation reports for a fee). That, however, is not what Advocate allegedly did here.
We need not address Advocate’s other statutory defense — that it did not “furnish” any information to the' thieves. Nor do we need to decide whether the plaintiffs sufficiently pled their claims for willful and negligent FCRA violations under 15 U.S.C. §§ 1681n and 1681o.
The judgment of the district court is AFFIRMED.