NOTICE Decision filed 11/28/23. The text of this decision may be NO. 5-22-0742 changed or corrected prior to the filing of a Peti ion for IN THE Rehearing or the disposition of the same. APPELLATE COURT OF ILLINOIS

FIFTH DISTRICT ______________________________________________________________________________

REBECCA PETTA, on Her Own Behalf and on ) Appeal from the Behalf of Those Similarly Situated, and JANE ) Circuit Court of DOE, on Her Own Behalf and on Behalf of Those ) Champaign County. Similarly Situated, ) ) Plaintiffs-Appellants, ) ) v. ) No. 22-LA-51 ) CHRISTIE BUSINESS HOLDING ) COMPANY, P.C., d/b/a Christie Clinic, ) Honorable ) Jason M. Bohm, Defendant-Appellee. ) Judge, presiding. ______________________________________________________________________________

JUSTICE MOORE delivered the judgment of the court, with opinion. Justices Welch and Barberis concurred in the judgment and opinion.

OPINION

¶1 In this matter, the plaintiffs, Rebecca Petta and Jane Doe, appeal the circuit court of

Champaign County’s October 28, 2022, order, dismissing their complaints pursuant to sections 2-

615 and 2-619, respectively, of the Code of Civil Procedure (Code) (735 ILCS 5/2-615, 2-619

(West 2022)). The circuit court dismissed Doe’s complaint for lack of standing and did not

consider her substantive claims. The circuit court dismissed Petta’s negligence claims and claim

for violation of the Personal Information Protection Act (815 ILCS 530/45(a) (West 2022)) for

failure to state a claim. On appeal, the plaintiffs challenge the circuit court’s dismissals. For the

following reasons, we affirm.

1 ¶2 I. BACKGROUND

¶3 The defendant is a physician-owned medical group that provides medical services

throughout Illinois. As a part of its medical services, the defendant gathers and stores patient

identification information and health information. Sometime between July 14 and August 19,

2021, a cybercriminal compromised one of the defendant’s business e-mail accounts via a phishing

attack. When the defendant discovered the illicit monitoring of the business e-mail account, it

“launched an internal investigation to determine the nature and scope of this incident, and

contacted federal law enforcement and worked with them to mitigate the impact of the

unauthorized access.”

¶4 Following the investigation, the defendant “provided written notice to all affected

individuals whose information was identified in its review.” It further notified the U.S. Department

of Health and Human Services, the attorneys general in the affected states, and the Montana Office

of Consumer Protection. According to a notification letter sent by the defendant, which was

attached to the plaintiffs’ complaints, “there was unauthorized access to the affected email account

from July 14, 2021 to August 19, 2021,” and based upon the defendant’s forensic review of the

illicit activity, patient names, addresses, Social Security numbers, medical information, and health

insurance information may have been stolen. The extent of the access gained by the cybercriminal

is somewhat disputed, with the defendant’s disclosure stating that the “unauthorized actor did not

have access to the electronic medical record, MyChristie patient portal, or Christie Clinic’s

network” but also indicating that “the extent of the access is unknown and cannot be determined.”

Additionally, the defendant offered free credit monitoring services for 12 to 24 months to

potentially affected individuals.

2 ¶5 Following the notification, Doe filed a lawsuit against the defendant alleging claims of

negligence, breach of implied contract, unjust enrichment, violation of the Consumer Fraud and

Deceptive Business Practices Act (Consumer Fraud Act) (815 ILCS 505/1 et seq. (West 2020)),

breach of fiduciary duty, and invasion of privacy. She alleged that she spent time and effort to

mitigate any risk due to the breach but did not provide any further specifics. Doe alleged only that

the information was improperly accessed in the general sense and did not allege any specific acts

of identity theft or identity fraud of her personal information.

¶6 Plaintiff Petta also filed a lawsuit against the defendant following the data breach. Petta

brought claims for negligence, negligence per se based on the Federal Trade Commission Act (

(2018)), negligence per se based on the Health Insurance Portability and

Accountability Act of 1996 (

(2013)), violation of the Personal Information

Protection Act (815 ILCS 530/10 (West 2020)), and injunctive relief. Petta alleged damages of

“ongoing and imminent threat of identity theft crimes; out-of-pocket expenses incurred to mitigate

the increased risk of identity theft and/or fraud; credit, debit, and financial monitoring to prevent

and/or mitigate theft, identity theft, and/or fraud incurred or likely to occur as a result of

Defendant’s security failures; the value of her time and resources spent mitigating the identity theft

and/or fraud; decreased credit scores and ratings; and irrevocable financial losses due to fraud.”

¶7 Following the filing of both cases, the defendant moved to consolidate the matters, and the

circuit court granted the defendant’s motion. Then the defendant filed a combined section 2-615

and 2-619 motion to dismiss both of the complaints wherein the defendant argued that, pursuant

to section 2-619(a)(9) of the Code (735 ILCS 5/2-619(a)(9) (West 2022)), both Doe and Petta

lacked standing to bring the lawsuit because neither of them suffered an actual injury and,

3 additionally, pursuant to section 2-615, each of the claims brought by Doe and Petta are insufficient

as a matter of law.

¶8 After completion of pleadings and argument on the matter, the circuit court granted the

defendant’s motion and dismissed both complaints in a detailed 13-page order. The circuit court

dismissed Doe’s complaint based upon a lack of standing because it found Doe’s allegations of

wrongdoing and injury too speculative and the harm not to be imminent. The circuit court found

Petta’s standing-related allegations “less speculative” and instead dismissed the complaint based

upon a failure to state valid claims.

¶9 This appeal followed.

¶ 10 II. ANALYSIS

¶ 11 Both Doe and Petta challenge the dismissal of their complaints on appeal. Thus, there are

essentially two overarching issues presently before this court. First is whether the plaintiffs have

standing to bring their claims. Second is whether the claims as stated by the plaintiffs are sufficient

as a matter of law. The circuit court found that Doe lacked standing and that Petta failed to state a

legally sufficient claim. In evaluating motions to dismiss, the circuit court must “interpret all of

the pleadings and supporting documents in the light most favorable to the nonmoving party,”

accepting as true “all well-pled allegations in the complaint and reasonable inferences to be drawn

from the facts.” Kopchar v. City of Chicago,

(2009).

¶ 12 The United States Supreme Court has held that a court may not decide a cause of action on

the merits prior to determining whether the plaintiff has standing to bring the claim. Steel Co. v.

Citizens for a Better Environment,

(1998). This is because “ ‘[w]ithout

jurisdiction the court cannot proceed at all in any cause. Jurisdiction is power to declare the law,

and when it ceases to exist, the only function remaining to the court is that of announcing the fact

4 and dismissing the cause.’ ”

at 94 (quoting Ex parte McCardle,

(1869)). Thus,

we first look to the issue of standing to determine whether the circuit court was correct in

dismissing Doe’s claim for lack of standing and finding that Petta alleged sufficient facts for

standing to be found.

¶ 13 We first examine the circuit court’s determination that Doe lacked standing to bring her

claims. “Lack of standing is an ‘affirmative matter’ that is properly raised under section 2-

619(a)(9).” Glisson v. City of Marion,

(1999). “An order granting this type of

motion to dismiss is given de novo review on appeal.”

Illinois courts have “set forth the general

principle that standing requires some injury in fact to a legally cognizable interest in Greer v.

Illinois Housing Development Authority,

(1988).” Id. at 221. “The claimed

injury may be actual or threatened, and it must be (1) distinct and palpable; (2) fairly traceable to

the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of

the requested relief.” Id. Any threatened injury must be “certainly impending” or must create a

“substantial risk” of harm, as opposed to being merely “possible.” Maglio v. Advocate Health &

Hospitals Corp.,

. “This court has held that a party cannot

gain standing merely through a self-proclaimed interest or concern about an issue, no matter how

sincere.” Glisson,

.

¶ 14 When conducting our analysis of the standing issue, we find the case of Maglio,

, to be instructive and factually similar. In Maglio, burglars broke into an

administrative building of the defendant, a network of affiliated doctors and hospitals in Illinois.

Id. ¶ 3. The burglars stole computers from the defendant that contained “certain information

relating to about 4 million patients.” Id. Some of the affected patients then sued the defendant for

negligence, violation of the Personal Information Protection Act, the Consumer Fraud Act, and

5 invasion of privacy, similar to this matter. Id. ¶ 1. The patients “did not allege that their personal

information was used in any unauthorized manner as a result of the burglary, but they claimed that

they face an increased risk of identity theft and/or identity fraud.” Id. They also claimed they

incurred “time and expenses *** to mitigate the risk of identity theft” and suffered “anxiety and

emotional stress.” Id. ¶¶ 10, 12. They further claimed that the defendant’s failure to abide by

industry-standard security practices facilitated the disclosure of the patient information. Id. ¶ 5.

The circuit court dismissed the claims for lack of standing, and the plaintiffs appealed. Id. ¶ 11.

The appellate court found such claims of an “increased risk of, for example, identity theft” to be

“purely speculative and conclusory.” Id. ¶ 24. Therefore, because the allegations “fail[ed] to show

a distinct and palpable injury,” the appellate court found the patients in Maglio lacked standing.

(Emphasis in original.) Id. Put another way, despite the information being stolen, at that time, none

of the plaintiffs had been victimized, and speculation or fear alone was insufficient to confer

standing.

¶ 15 Doe’s claims essentially mirror those laid out in Maglio. Most significantly, Doe does not

allege that her information has been improperly used or that she has suffered identity theft and/or

identity fraud because of the data breach. Doe admits in her complaint that she “is unsure of what

has happened to her [personally identifying information] and [personal health information].” Thus,

while she claims she has spent “considerable time and effort monitoring her accounts to protect

herself from identity theft,” those allegations do not differ from those set forth in Maglio, which

were rejected as “speculative fear.” Id. ¶ 28. Thus, based upon Maglio and the reasoning therein,

we also find that Doe’s claims of an “increased risk of identity theft” and her damages of “time

and effort” in monitoring and combating potential identity theft are simply too speculative and not

imminent so as to confer standing.

6 ¶ 16 Both plaintiffs rely on a string of federal case law that appears to have reached different

outcomes regarding standing in data breach cases than that found in Maglio. However, as noted in

Maglio, Illinois courts have departed from the standard set forth in the Seventh Circuit by requiring

more than “increased risk of harm” in data breach cases. Id. ¶ 26. This departure does not affect or

negate Maglio, however, because the Illinois Supreme Court has explained that it “is not required

to follow federal law on issues of standing, and has expressly rejected federal principles of

standing.” Lebron v. Gottlieb Memorial Hospital,

, 254 n.4 (2010); see Greer v.

Illinois Housing Development Authority,

(1988); see also Bryant v. Compass

Group USA, Inc.,

(7th Cir. 2020). Thus, although we acknowledge that there

exists federal case law that has determined factually similar cases differently for the purposes of

standing, we agree with the reasoning of the Maglio court and decline to depart from it.

¶ 17 Doe’s additional argument that she has a property interest in her personal information and

that the data breach somehow diminished the value of her property also fails. First, this court does

not find that a person’s personal information is “property.” This court is unaware of any case law

holding that a person has a property right in her personal information. The federal courts have

refrained from finding such a right, and we decline to create one. See Remijas v. Neiman Marcus

Group, LLC,

(7th Cir. 2015) (“This assumes that federal law recognizes such a

property right. Plaintiffs refer us to no authority that would support such a finding. We thus refrain

from supporting standing on such an abstract injury, particularly since the complaint does not

suggest that the plaintiffs could sell their personal information for value.”). Additionally, even if

such a right did exist, we cannot determine any nonspeculative way to assess the diminution in

value of the property right. See Dinerstein v. Google, LLC,

, 578 (N.D. Ill.

2020). We also note that Petta also puts forth a similar argument. Petta offers various sources that

7 suggest certain dollar amounts that this personal information can be sold for on the black market

or dark web. However, Petta fails to offer any indication of how the dissemination of the personal

information would affect its value. Thus, for us to attempt to determine the diminution in value of

the property right, should we determine it existed, again, would simply be pure speculation.

¶ 18 Thus, based upon the foregoing, we find that Doe lacks standing to bring her claims against

the defendant and the circuit court property dismissed Doe’s complaint.

¶ 19 We now turn to Petta’s complaint. The allegations contained in Petta’s complaint are

similar to those in Doe’s complaint. Of importance, Petta alleged the same shortcomings by the

defendant and contends that the relaxed security in place failed to meet industry standards and

resulted in the hacker’s ability to steal the personal information. Petta alleged the same damages

as Doe including “ongoing and imminent threat of identity theft crimes; out-of-pocket expenses

incurred to mitigate the increased risk of identity theft and/or fraud; credit, debit, and financial

monitoring to prevent and/or mitigate theft, identity theft, and/or fraud incurred or likely to occur

as a result of the Defendant’s security failures; the value of her time and resources spent mitigating

the identity theft and/or fraud; decreased credit scores and ratings; and irrevocable financial losses

due to fraud.” Again, just as with Doe’s complaint, Petta offers no additional allegations that give

us any further details or specificity as to the amount or the extent of those damages. Thus, such

conclusory allegations are not sufficient.

¶ 20 However, the most significant difference, and what the circuit court relied upon in finding

standing existed for Petta, was her allegation that she “experienced suspicious behavior” in that

someone applied for a loan using her phone number and address. Specifically, Petta alleges the

following in her complaint:

8 “Since the Data Breach, Petta has experienced suspicious behavior in connection

with her phone number and address. Her phone number, city, and state have been

used in connection with a loan application at First Financial Bank, Columbus, Ohio,

in someone else’s name. Petta received multiple phone calls in recent months

regarding loan applications she did not initiate.”

¶ 21 “Illinois is a fact-pleading state, and conclusions of law and conclusory factual allegations

unsupported by specific facts are not deemed admitted.” Alpha School Bus Co. v. Wagner,

(2009). “In addition, a pleading that merely paraphrases the elements of a cause

of action in conclusory terms is insufficient.”

Petta’s claim that she has received phone calls

regarding loan applications that she did not initiate simply falls short of this standard. It is too

conclusory and lacks sufficient facts for us to properly evaluate. Additionally, her general claim

that she “experienced suspicious behavior” also leaves us wanting. However, even assuming it is

sufficient for the purposes of fact pleading, it would still fail to meet all the requirements of

standing.

¶ 22 As previously stated, to confer standing, a “claimed injury may be actual or threatened, and

it must be (1) distinct and palpable; (2) fairly traceable to the defendant’s actions; and

(3) substantially likely to be prevented or redressed by the grant of the requested relief.” Glisson,

. Here, we find that the claimed injury fails the “fairly traceable to the defendant’s

actions” requirement.

¶ 23 Petta alleges only that her phone number and address were used. Based upon her complaint,

no other personal information, such as her name, her Social Security number, insurance

information, etc., was misused. She makes no direct allegation that the fraudulent loan application

(which was apparently detected and thwarted prior to the loan being approved) resulted as a direct

9 consequence from the data breach. Nor does she allege with any specificity that this application

damaged her in any way. Moreover, this court sees no way in which Petta could, in good faith,

allege that loan application activity is “fairly traceable” back to the defendant’s action. This is

because the information used, Petta’s phone number and address, is publicly available information

that anyone could readily obtain via a quick Internet search. 1 Petta does not allege that her name

or Social Security number or other “identifying” information was used. As a result, this allegation

alone is “purely speculative” because there is no apparent connection between the purported

fraudulent loan attempt and the data breach at issue. Anyone could have committed the fraud using

the same readily available public information. There is no way, outside of speculating, for this

court to determine that, had these hackers not breached the defendant’s e-mail, Petta’s phone

number and address would still not have been used fraudulently. The information would still have

been public had this breach not occurred. Thus, we cannot trace the fraudulent activity back to the

defendant’s actions. Additionally, generally for an injury to be “fairly traceable to the defendant’s

conduct means in part that the injury must not be the product of some independent action taken by

a third party that is not before the court.” In re Grason,

(Bankr. C.D. Ill. 2013)

(citing Lujan v. Defenders of Wildlife,

(1992)). Thus, here, we have the

independent hackers who are responsible for this data breach, which are not before this court. This

is not a case where the defendant accidentally or intentionally disseminated the information. The

information was stolen by criminals.

1 Defendant on appeal contends that Petta’s phone number and address are publicly available on the Internet. This court conducted a quick Google search and was able to locate Petta’s information. “[A]n appellate court may take judicial notice of matters not previously presented to the trial court when the matters are capable of instant and unquestionable demonstration.” Boston v. Rockford Memorial Hospital,

(1986). Therefore, because this court was able to instantly corroborate the claim by the defendant, we take judicial notice that Petta’s phone number and address are publicly available and accessible by anyone with Internet access as of the date of the filing of this disposition. 10 ¶ 24 Again, the other allegations in Petta’s complaint track the ones articulated by Doe (hackers

gained access to patient information, breach created risk or threat of identity theft, time and effort

were spent in mitigation, etc.), and for the same reasons as stated above when addressing Doe’s

complaint, Petta’s allegations also fail as conclusory allegations that do not meet the required

standard as articulated under Maglio.

¶ 25 Finally, we note another aspect of the “fairly traceable” requirement, which is that “[s]elf-

inflicted harm does not confer standing because it does not qualify as an injury *** because it is

not traceable to the defendant’s conduct.”

Thus, Doe’s and Petta’s allegations of time and effort

spent monitoring their accounts and out-of-pocket expenses cannot support standing “because [it]

involve[s] a response to a speculative threat.” Maglio,

. “In other

words, [plaintiffs] cannot manufacture standing merely by inflicting harm on themselves based on

their fears of hypothetical future harm that is not certainly impending.” Clapper v. Amnesty

International USA,

(2013). This is especially true in a case such as this, where

the defendant offered free credit and identity monitoring services following the breach to mitigate

any issues.

¶ 26 Thus, while we find that the circuit court erred by finding that Petta’s allegations contained

within her complaint properly conferred standing for the reasons stated above, we agree with the

circuit court’s dismissal of her complaint. “[W]e may affirm the trial court ‘for any reason or

ground appearing in the record regardless of whether the particular reasons given by the trial court,

or its specific findings, are correct or sound.’ ” Akemann v. Quinn,

(quoting BDO Seidman, LLP v. Harris,

(2008)). Therefore, because the

allegations in Petta’s complaint were too speculative and cannot be “fairly traced” back to the

11 defendant’s conduct where the only information claimed to be used is readily available public

information, we agree with the circuit court’s dismissal of Petta’s complaint.

¶ 27 III. CONCLUSION

¶ 28 For the foregoing reasons, we affirm the circuit court’s October 28, 2022, order dismissing

the plaintiffs’ complaints.

¶ 29 Affirmed.

12 Petta v. Christie Business Holding Co.,

Decision Under Review: Appeal from the Circuit Court of Champaign County, No. 22- LA-51; the Hon. Jason M. Bohm, Judge, presiding.

Attorneys David Cates, of Cates Law Firm, LLC, of Swansea, Brian C. for Gudmundson (pro hac vice), David M. Cialkowski, Michael J. Appellant: Laird, (pro hac vice), and Rachel K. Tack (pro hac vice), of Zimmerman Reed LLP, of Minneapolis, Minnesota, Christopher D. Jennings (pro hac vice), of Johnson Firm, of Little Rock, Arkansas, , Samuel J. Strauss and Raina C. Borrelli, of Turke & Strauss LLP, of Madison, Wisconsin, Lynn Toops, Lisa M. La Fornara, and Arend J. Abel, of Cohen & Malad, LLP, of Indianapolis, Indiana, and J. Gerard Stranch IV, of Branstetter, Stranch & Jennings, PLLC, of Nashville Tennessee, for appellants.

Attorneys Jonathan B. Amarilio, Jeffrey M. Schieber, and Jaimin H. Shah, for of Taft Stettinius & Hollister LLP, of Chicago, for appellee. Appellee:

13