HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Increased Risk of Harm Not Grounds For Advocate Health Breach Lawsuit

An Advocate Health breach lawsuit was recently deemed to be too speculative to warrant a class-action claim for damages. The Illinois Appellate Court recently ruled that an increased risk of suffering harm as a result of an exposure of confidential health data, is insufficient by itself to confer standing in a class-action data breach claim. The risk of harm was not deemed to be severe enough to warrant a data breach class action lawsuit. For damages to be awarded, evidence of actual harm must be provided.

The case, Maglio v. Advocate Health and Hospitals Corporation, was filed by Matias Maglio on behalf of Macailee Maglio, Alexander Gill, and a number of other patients and next friends of minors’ affected by the breach. The plaintiffs allege they face an increased risk of suffering identity theft and fraud as a result of the exposure of their Protected Health Information (PHI). No identity theft had yet been reported or been suffered by any of the patients named on the lawsuit. The threat of fraud and loss was believed to be sufficient grounds for the compliant.

The defendants moved to dismiss the case, maintaining the theft of data was not sufficient grounds for any claim for damages, and said the complaint was simply too speculative in nature with no cognizable injury-in-fact suffered by any of the plaintiffs.

The trial court dismissed the case and now too the Illinois Appellate Court. Because there has been no palpable injury suffered by the breach victims, the case was deemed to have no standing. Emotional injury was also claimed to have been suffered by the plaintiffs as a result of the data theft, but the same conclusion was drawn by the court and the emotional damage claim was also considered to be too speculative in nature.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Recent Rulings Have Been in Favor of Plaintiffs


While the Illinois state courts may not be ruling in favor of plaintiffs who file class-actions without having suffered fraud, had their identity stolen or otherwise suffered measurable losses, the same is not the case in other U.S states. In recent weeks a number of court decisions have gone in favor of plaintiffs, even without injuries having been suffered as a direct result of PHI exposure.

However, the recent ruling is unlikely stem the tide of class-action lawsuits that are being filed for breaches of healthcare data and Social Security numbers. With another two multi-million record data breaches reported in recent weeks, more lawsuits than ever are expected to be filed by breach victims seeking damages.

Class action claims for healthcare data breaches may be threatening to swamp the U.S court system, but the Illinois state courts may feel the burden ease. It is probable that class-action data breach lawsuits will be filed in more favorable states over the coming few months in light of the recent ruling.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.