2025 IL 130337

IN THE SUPREME COURT OF THE STATE OF ILLINOIS

(Docket No. 130337)

REBECCA PETTA, Appellant, v. CHRISTIE BUSINESS HOLDINGS COMPANY, P.C., d/b/a Christie Clinic, Appellee.

Opinion filed January 24, 2025.

JUSTICE CUNNINGHAM delivered the judgment of the court, with opinion.

Chief Justice Theis and Justices Neville, Overstreet, Holder White, Rochford, and O’Brien concurred in the judgment and opinion.

OPINION

¶1 The plaintiff, Rebecca Petta, filed a class-action complaint in the circuit court of Champaign County against the defendant, Christie Business Holdings Company, P.C., doing business as Christie Clinic (Christie). The complaint alleged that Christie negligently failed to prevent its patients’ private personal data, including Social Security numbers and health insurance information, from being “exposed” to an unknown third party who gained unauthorized access to one of Christie’s business e-mail accounts. Christie filed a combined motion to dismiss the complaint pursuant to section 2-619.1 of the Code of Civil Procedure (Code) (735 ILCS 5/2- 619.1 (West 2022)), which the trial court granted. On appeal, the appellate court affirmed the trial court’s dismissal of Petta’s complaint, holding that Petta lacked standing. 2023 IL App (5th) 220742. For the reasons that follow, we affirm the judgment of the appellate court.

¶2 BACKGROUND

¶3 Petta’s complaint alleged the following facts, which we take as true for purposes of our review. Rehfield v. Diocese of Joliet, 2021 IL 125656, ¶ 3.

¶4 Christie is a physician-owned, multispecialty group that provides medical services to thousands of patients throughout Illinois. Petta was a patient of Christie’s from approximately 2019 to 2022, during which time she received various medical treatments from Christie’s physicians. In connection with the medical services she received, Petta provided Christie with personal data, including her name, address, date of birth, Social Security number, medical history, and medical insurance information.

¶5 In March 2022, Petta received a letter from Christie titled “Notice of Data Incident.” In the letter, which was attached to Petta’s complaint and incorporated therein, Christie stated that it had “recently discovered suspicious activity related to one of its business email accounts.” As a result of this activity, Christie contacted federal law enforcement and “engaged a leading data forensics firm” to conduct an investigation. According to the letter, on January 27, 2022, the investigation “confirmed that there was unauthorized access to the affected email account from July 14, 2021 to August 19, 2021.” The investigation further indicated that the party who accessed the e-mail account had done so in an attempt “to intercept a business transaction between Christie Clinic and a third party vendor.”

¶6 Christie’s letter went on to explain that the investigation was “unable to determine to what extent email messages in the account were actually viewed or accessed by an unauthorized actor.” Christie therefore “undertook a review to identify the full scope of information that could have been contained in the affected

-2- email account to determine whether protected information was potentially impacted.” On March 10, 2022, Christie’s review determined that “the impacted account MAY have contained certain information related” (emphasis in original) to Petta, including her Social Security number and medical insurance information. The letter further stated that “[t]he unauthorized actor did not have access to [Christie’s] electronic medical record” and that Christie had no “evidence of identity theft or misuse of [Petta’s] personal information.”

¶7 Christie’s letter to Petta concluded by stating that Christie took the security of the information in its care seriously and that it was “providing [Petta] with 12 months of comprehensive credit monitoring and identity protection services through Experian [(a credit reporting bureau)] at no cost to [Petta].” The letter explained that Petta had to activate the credit monitoring herself, as Christie was “not permitted to enroll [Petta] in these services on [her] behalf.” 1

¶8 After receiving the letter from Christie, Petta filed the class-action complaint at issue in this appeal. The complaint was brought on behalf of herself as well as a putative class consisting of “all persons whose Sensitive Information was exposed by the Christie Clinic Data Breach.” The complaint alleged that, as part of its health care practice, Christie collected and stored the private personal data of its patients, including Social Security numbers and health insurance information, and that Christie had a duty to provide “reasonable security” to protect this data. The complaint asserted that Christie breached this duty by “failing to adopt, implement, and maintain reasonable security measures” and that, as a result, Christie suffered a data breach that “exposed a variety of Sensitive Information” to an unauthorized third party.

¶9 Petta’s complaint also alleged that, after the data incident occurred, Petta “experienced suspicious behavior in connection with her phone number and address.” Specifically, “[h]er phone number, city, and state [were] used in connection with a loan application at First Financial Bank, Columbus, Ohio, in someone else’s name” and she received “multiple phone calls” regarding “loan applications she did not initiate.” Petta’s complaint did not allege that either her name or Social Security number was used in any loan application or that any loan

1 At oral argument before this court, counsel for Petta stated that Petta declined Christie’s offer of free credit monitoring.

-3- application made using her phone number was successful. Nor did the complaint allege that any other member of the putative class had a similar experience regarding loan applications.

¶ 10 Based on the foregoing allegations, Petta’s complaint asserted claims on behalf of herself and the putative class for (1) common-law negligence, (2) negligence per se based on violation of the Federal Trade Commission Act (FTC Act) (15 U.S.C. § 41 et seq. (2018)), (3) negligence per se based on violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104- 191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code)), and (4) violation of the Personal Information Protection Act (815 ILCS 530/1 et seq. (West 2020)).

¶ 11 Petta’s complaint sought monetary damages for herself and the other putative class members, including “out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or fraud,” as well as the cost of “credit, debit, and financial monitoring to prevent and/or mitigate identity theft, and/or fraud incurred or likely to occur as a result of [Christie’s] security failures.” 2

¶ 12 Christie filed a combined motion to dismiss Petta’s complaint under sections 2- 615 and 2-619(a)(9) of the Code (735 ILCS 5/2-615, 2-619(a)(9) (West 2022)). Pursuant to section 2-619(a)(9), Christie argued that Petta lacked standing to bring her complaint because she did not allege an actual injury. In the alternative, pursuant to section 2-615, Christie argued that Petta’s complaint failed to state a valid claim as a matter of law.

¶ 13 The trial court found that Petta’s allegation that her phone number and city were used in an unauthorized loan application created a “sufficient inference” that she had suffered an “injury-in-fact” and, therefore, she had standing to bring her claims. The trial court also found, however, that Petta’s complaint failed to state a valid claim under Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358, 362 (2010),

2 A second complaint, similar to Petta’s, was filed by a Jane Doe against Christie in the circuit court of Champaign County and was consolidated with Petta’s complaint. The Jane Doe complaint was dismissed by the trial court for lack of standing, and the appellate court affirmed the dismissal. 2023 IL App (5th) 220742. Jane Doe did not appeal the appellate court’s decision to this court, and none of the issues related to the Jane Doe complaint are before us.

-4- which held that neither the common law, the FTC Act, HIPAA, nor the Personal Information Protection Act permits the type of action alleged in Petta’s complaint. In addition, the trial court found that the economic loss doctrine barred Petta’s claims. Accordingly, the trial court dismissed Petta’s complaint.

¶ 14 On appeal, the appellate court affirmed the trial court’s dismissal of Petta’s complaint, but on the ground that Petta lacked standing to bring the action on behalf of herself and the class. 2023 IL App (5th) 220742, ¶ 26. The appellate court held that the allegations that Petta and the putative class members’ private personal data had been “exposed” to an unknown third party and, therefore, that they were at an “ ‘increased risk of identity theft’ ” were “simply too speculative” to confer standing. Id. ¶¶ 15, 24. With respect to the allegation regarding the unauthorized loan application, the appellate court emphasized that Petta had not alleged that her private personal data, such as her Social Security number, was used in any of the applications. Id. ¶ 23. Rather, Petta alleged only that her public personal data, i.e., her phone number and city, had been used. The appellate court concluded that the allegation regarding the loan application was “ ‘purely speculative’ ” because there was “no apparent connection between the purported fraudulent loan attempt and the data breach at issue. Anyone could have committed the fraud using the same readily available public information.” Id. Because it was not possible to “trace the fraudulent activity back to the defendant’s actions” (id.), the appellate court concluded that Petta’s complaint should be dismissed for lack of standing (id. ¶ 26).

¶ 15 This court allowed Petta’s petition for leave to appeal. Ill. S. Ct. R. 315(a) (eff. Dec. 7, 2023). We also granted leave to the Illinois Health and Hospital Association and the Illinois State Medical Society to file an amicus curiae brief in support of Christie. Ill. S. Ct. R. 345(a) (eff. Sept. 20, 2010).

¶ 16 ANALYSIS

¶ 17 At issue in this appeal is whether the appellate court properly affirmed the trial court’s dismissal of Petta’s complaint on the ground that Petta lacked standing. Like the allied doctrines of “mootness, ripeness, and justiciability, the standing doctrine is one of the devices by which courts attempt to cull their dockets so as to preserve for consideration only those disputes which are truly adversarial and capable of resolution by judicial decision.” Greer v. Illinois Housing Development Authority,

-5- 122 Ill. 2d 462, 488 (1988). The standing requirement exists “to preclude persons who have no interest in a controversy from bringing suit.” Glisson v. City of Marion, 188 Ill. 2d 211, 221 (1999).

¶ 18 In Illinois, standing

“requires only some injury in fact to a legally cognizable interest. [Citation.] More precisely, the claimed injury, whether ‘actual or threatened’ [citation], must be: (1) ‘distinct and palpable’ [citation]; (2) ‘fairly traceable’ to the defendant’s actions [citation]; and (3) substantially likely to be prevented or redressed by the grant of the requested relief [citations].” Greer, 122 Ill. 2d at 492-93.

The injury alleged by the plaintiff must be concrete; a plaintiff alleging only a “purely speculative” future injury or where there is no “immediate danger of sustaining a direct injury” lacks a sufficient interest to have standing. Chicago Teachers Union, Local 1 v. Board of Education of Chicago, 189 Ill. 2d 200, 206- 07 (2000). Lack of standing is an “affirmative matter” that is properly raised in a motion to dismiss under section 2-619(a)(9) of the Code. Glisson, 188 Ill. 2d at 220. Our review of this issue is de novo. Id.

¶ 19 In this court, Christie contends that Petta has not alleged an injury in fact and, therefore, she lacks standing to bring her claims. We agree.

¶ 20 The principal factual basis of Petta’s complaint is the letter that she received from Christie notifying her of the “data incident.” This letter states only that Petta’s private personal data, including her Social Security number and health insurance information, may have been exposed to a third party. It does not state that this data was actually acquired by a third party. Nor does anything in the letter suggest that it is likely the third party did, in fact, take the data. To the contrary, according to the letter, Christie’s investigation revealed that the unauthorized third party was attempting to intercept a financial transaction, not steal patients’ private personal information.

¶ 21 Viewing the letter in the light most favorable to Petta, the primary factual allegation of the complaint is that Petta and the other members of the putative class faced only an increased risk that their private personal data was accessed by an

-6- unauthorized third party. In a complaint seeking monetary damages, such an allegation of an increased risk of harm is insufficient to confer standing. See, e.g., Maglio v. Advocate Health & Hospitals Corp., 2015 IL App (2d) 140782, ¶ 24 (holding that a plaintiff’s “claims that they face an increased risk of *** identity theft are purely speculative and conclusory” and thus “their allegations fail to show a distinct and palpable injury” (emphasis omitted)); Flores v. Aon Corp., 2023 IL App (1st) 230140, ¶ 15 (“speculative allegations concerning an increased risk of future identity theft or fraud” are insufficient to establish standing); see also TransUnion LLC v. Ramirez, 594 U.S. 413, 436-37 (2021) (an unmaterialized risk of future harm, without more, is insufficiently concrete to confer standing to sue for damages in federal court); Pierre v. Midland Credit Management, Inc., 29 F.4th 934, 938 (7th Cir. 2022) (“A plaintiff seeking money damages has standing to sue in federal court only for harms that have in fact materialized.”); Maddox v. Bank of New York Mellon Trust Co., N.A., 19 F.4th 58, 64 (2d Cir. 2021) (in suits for damages, plaintiffs cannot establish standing in federal court “by relying entirely on a statutory violation or risk of future harm: ‘No concrete harm; no standing.’ ” (quoting TransUnion, 594 U.S. at 442)).

¶ 22 In addition to the letter received from Christie, Petta also points to the allegation in her complaint regarding the unauthorized loan application that was made sometime after the data incident occurred. Petta contends that this incident, which she describes as an “attempted fraud or identity theft” using her private personal information, is a sufficiently concrete injury to confer standing.

¶ 23 We note, initially, that the allegation regarding the unauthorized loan application pertains only to Petta, the named plaintiff. Petta’s complaint does not allege that any other member of the putative class had a similar experience regarding a loan application. This fact raises the question of whether, in a class- action complaint, the standing determination is made by focusing on those allegations that are applicable to the class as a whole, including the named plaintiff, or whether the standing determination is made by looking at those allegations that pertain solely to the named plaintiff. In other words, must standing be shown at the outset for the entire putative class or only the named plaintiff? This court has not answered that question. The United States Supreme Court has held that, under federal law, every member of the class must show standing but has left open the “distinct question” of “whether every class member must demonstrate

-7- standing before a court certifies a class.” (Emphasis in original.) TransUnion, 594 U.S. at 431 n.4. We need not resolve this issue here. Even if we focus solely on Petta individually, as the named plaintiff, the allegation regarding the loan application is insufficient to confer standing.

¶ 24 As alleged in Petta’s complaint, the wrongful act committed by Christie was the failure to adequately prevent Petta’s private personal data from being disclosed to an unauthorized third party. Critically, however, Petta’s complaint does not allege that any of her private, personally identifiable information, such as her Social Security number, was used in the loan application. Instead, Petta alleges only that her publicly available phone number and city were used in an application that was made “in someone else’s name.” The allegation regarding the loan application is therefore not, in fact, an instance of someone stealing Petta’s identity or an indication that an unauthorized third party had acquired Petta’s private, personally identifiable information.

¶ 25 Further, as the appellate court observed, the unsuccessful loan application cannot be said to be “fairly traceable” to any of Christie’s alleged misconduct given that the information used in the loan application (Petta’s phone number and city) could be found in a publicly available phone directory. Thus, as the appellate court determined, Petta’s allegation regarding the loan application is “ ‘purely speculative’ because there is no apparent connection between the purported fraudulent loan attempt and the data breach at issue. Anyone could have committed the fraud using the same readily available public information.” 2023 IL App (5th) 220742, ¶ 23. Accordingly, the appellate court correctly concluded that Petta lacked standing and that her complaint should be dismissed on that basis.

¶ 26 CONCLUSION

¶ 27 For the foregoing reasons, the judgment of the appellate court affirming the circuit court’s dismissal of the plaintiff’s complaint is affirmed.

¶ 28 Judgments affirmed.

-8-