SIXTH DIVISION
December 30, 2010
No. 1-09-1215
JACQUELINE COONEY, EMMA MARTIN, MICHELE ) Appeal from
HARDIN, GWENDOLYN JONES, KAREN SOPRYCH, ) the Circuit Court
THOMAS BALEK, ROBERT GIANCARLO and EULETT ) of Cook County
COX, on Behalf of Themselves and All Others Similarly )
Situated, )
)
Plaintiffs-Appellants, )
v. )
)
CHICAGO PUBLIC SCHOOLS; THE BOARD OF )
EDUCATION OF THE CITY OF CHICAGO; and ALL )
PRINTING AND GRAPHICS, INC., )
)
Defendants-Appellees. ) Nos. 06 CH 25694
________________________________________________ ) 06 L 012902
)
JAN MORGAN-WULF; ALLISON PADELFORD and )
PAUL RIEGER et al., Indiv. and on Behalf of All Persons )
and Entities Similarly Situated, )
)
Plaintiffs-Appellants, )
v. )
)
THE BOARD OF EDUCATION OF THE CITY OF )
CHICAGO and ALL PRINTING AND GRAPHICS, INC., ) Honorable
) Rita Novak,
Defendants-Appellees. ) Judge Presiding.
JUSTICE CAHILL delivered the opinion of the court:
Plaintiffs appeal the circuit court’s order dismissing claims stemming from disclosure of
the personal information of approximately 1,700 former Chicago Public School (CPS)
employees. We affirm.
Defendant All Printing & Graphics, Inc., was retained by the Board of Education of the
City of Chicago (Board) to print, package and mail a “Chicago Public Schools-COBRA Open
Enrollment List” to over 1,700 former CPS employees. The mailing, sent sometime between
November 23, 2006, and November 27, 2006, informed the former employees that as COBRA
participants, they could change their insurance benefit plans. The list sent to each plaintiff
contained the names of all 1,750 plaintiffs, along with their addresses, social security numbers,
marital status, medical and dental insurers and health insurance plan information (COBRA list).
On November 26, 2006, the Board learned of the disclosure of the personal information.
The following day the Board sent a letter to the former employees, asking them to return the
COBRA list or destroy it.
On December 8, 2006, the Board mailed the former employees a letter offering one year
of free credit protection insurance.
Some of the former employees filed individual and class action lawsuits, and the cases
were later consolidated. The complaints allege: (1) violation of the Personal Information
Protection Act (the Act) (815 ILCS 530/1 et seq. (West 2006)); (2) violation of the Consumer
Fraud and Deceptive Business Practices Act (Consumer Fraud Act) (815 ILCS 505/1 et seq.
(West 2006)); (3) violation of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) (42 U.S.C. §1320d-6 (2006)) under 42 U.S.C. §1983; (4) violation of the common law
right to privacy; (5) violation of the Illinois Constitution’s privacy clause (Ill. Const. 1970, art. I,
§6); (6) negligent infliction of emotional distress; (7) negligence; and (8) breach of fiduciary
duty. Defendants moved to dismiss the complaints under sections 2-615 and 2-619 of the Illinois
Code of Civil Procedure (735 ILCS 5/2-615, 2-619 (West 2006)). The trial court dismissed the
complaints with prejudice.
Plaintiffs appeal the dismissal of all claims with the exception of the alleged violation of
the Illinois Constitution’s privacy clause.
We review de novo a dismissal under sections 2-615 and 2-619 of the Code. Solaia
Technology, LLC v. Specialty Publishing Co., 221 Ill. 2d 558, 578-79, 852 N.E.2d 825 (2006).
A complaint is properly dismissed under section 2-615 of the Code where there is no set of facts
that if proven would entitle the plaintiff to recovery. Marshall v. Burger King Corp., 222 Ill. 2d
422, 429, 856 N.E.2d 1048 (2006). A complaint is properly dismissed under section 2-619 of the
Code where no genuine issue of material fact exists and the defendant is entitled to judgment as a
matter of law. Doyle v. Holy Cross Hospital, 186 Ill. 2d 104, 109-10, 708 N.E.2d 1140 (1999).
Plaintiffs first argue that the trial court erred in dismissing their common law and statutory
negligence claims. To succeed on their negligence claims, plaintiffs must allege and prove that (1)
defendants owed a duty to plaintiffs; (2) defendants breached that duty; and (3) the breach caused
injury to plaintiffs. First Springfield Bank & Trust v. Galman, 188 Ill. 2d 252, 256, 720 N.E.2d
1068 (1999).
We must first decide whether the Board had a duty to safeguard plaintiffs’ personal
information under a statutory directive, because where no duty is owed, there is no negligence.
Washington v. City of Chicago, 188 Ill. 2d 235, 239, 720 N.E.2d 1030 (1999). Plaintiffs argue
that HIPAA (42 U.S.C. §1320d-6 (2006)) provides a statutory basis for the creation of a new
duty. A violation of a statute designed to protect human life and property may be used as prima
facie evidence of negligence. Kalata v. Anheuser-Busch Cos., 144 Ill. 2d 425, 434-35, 581
N.E.2d 656 (1991). HIPAA prohibits the disclosure of “individually identifiable health
information to another person.” 42 U.S.C. §1320d-6(a)(3) (2006). But, “employment records
held by a covered entity in its role as employer” are specifically excluded from HIPAA
protection. 45 C.F.R. §160.103 (2006). Because the Board held plaintiffs’ health insurance
elections in its role as an employer, the Board’s disclosure falls outside HIPAA’s coverage.
Plaintiffs also contend that the Act (815 ILCS 530/1 et seq. (West 2006)) creates a legal
duty. The Act provides:
“Any data collector that maintains computerized data that includes personal
information that the data collector does not own or license shall notify the owner or
licensee of the information of any breach of the security of the data immediately
following discovery, if the personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.” 815 ILCS 530/10(b) (West 2006).
The “ ‘[b]reach of the security of the system data’ means unauthorized acquisition of
computerized data that compromises the security, confidentiality, or integrity of personal
information [including social security numbers] maintained by the data collector.” 815 ILCS
530/5 (West 2006). In defining “data collector,” the Act includes “government agencies *** and
any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with
nonpublic personal information.” 815 ILCS 530/5 (West 2006).
Plaintiffs claim that the Board, as a data collector, violated the Act because a “breach of
the security of the system data” occurred. Plaintiffs are correct, but while the statute defines
what a breach of system security is, it also codifies the remedy: the data collector must provide
timely notice of a security breach to the parties affected. 815 ILCS 530/10 (West 2006). The
Board complied with the statute by timely notifying plaintiffs of the breach.
Plaintiffs suggest that we adopt an expansive reading of the Act. The argument can be
summarized as follows: in enacting the Act, the legislature intended to protect personal
information from disclosure. If the only obligation imposed by the Act is to provide notice of a
breach, its purpose would be defeated because entities could repeatedly disclose personal
information and then exonerate themselves by providing notice. So, the statute’s purpose can
only be realized by penalizing the disclosure itself.
Because the provisions in the Act are clear, we must assume it reflects legislative intent to
limit defendants’ duty to providing notice. See Comprehensive Community Solutions, Inc. v.
Rockford School District No. 205, 216 Ill. 2d 455, 473, 837 N.E.2d 1 (2005) (“[t]he plain
language of a statute remains the best indication of [the legislature’s] intent”).
Plaintiffs next contend that we should recognize a “new common law duty” to safeguard
information. They claim a duty is justified by the sensitive nature of personal data such as dates
of birth and social security numbers. Plaintiffs do not cite to an Illinois case that supports this
argument. While we do not minimize the importance of protecting this information, we do not
believe that the creation of a new legal duty beyond legislative requirements already in place is
part of our role on appellate review. As noted, the legislature has specifically addressed the issue
and only required the Board to provide notice of the disclosure.
All Printing also had no duty to protect plaintiffs’ information from disclosure. All
Printing met its contractual obligations by printing and mailing the Board’s information packets.
Plaintiffs cite to no authority for the proposition that All Printing had a duty to inspect the
contents of the packets or inform the Board of any irregularity. Absent a duty, there is no
negligence. Washington, 188 Ill. 2d at 239. We affirm the trial court’s dismissal of plaintiffs’
negligence claims.
Plaintiffs next seek recovery for negligent infliction of emotional distress. A plaintiff
claiming to be a direct victim of negligently inflicted emotional distress must establish the
traditional elements of negligence: duty, breach, causation and injury. Corgan v. Muehling, 143
Ill. 2d 296, 306, 574 N.E.2d 602 (1991). Because plaintiffs failed to establish a duty on the part
of either defendant, their negligent infliction of emotional distress claim must fail with their
general negligence claims.
Plaintiffs next assert that the Board, as their former employer, had a fiduciary duty to
avoid disclosure of personal information. “To state a cause of action for a breach of a fiduciary
relationship, a plaintiff must allege that the defendant owed a fiduciary duty to the plaintiff, and
that duty must exist as a matter of law.” Dames & Moore v. Baxter & Woodman, Inc., 21 F.
Supp. 2d 817, 823 (N.D. Ill. 1998), citing Mid-America National Bank of Chicago v. First
Savings & Loan Ass’n of South Holland, 161 Ill. App. 3d 531, 538, 515 N.E.2d 176 (1987).
Plaintiffs’ sole contention is that a fiduciary duty was created when they provided the Board with
information “in confidence.” Plaintiffs cite to no authority supporting such a duty. See Eckiss v.
McVaigh, 261 Ill. App. 3d 778, 786, 634 N.E.2d 476 (1994) (“[m]ere contentions without
argument or citation of authority do not merit consideration on appeal”). We affirm the trial
court’s dismissal of this claim.
Next, plaintiffs contend that the trial court erred in dismissing their causes of action under
42 U.S.C. §1983 for a violation of HIPAA (42 U.S.C. §1320d-6 (2006)) and the fourth
amendment to the United States Constitution (U.S. Const., amend. IV).
To establish municipal liability under section 1983 of Title 42 of the United States Code
(42 U.S.C. §1983 (2006)), a plaintiff must allege that he has been deprived of a constitutionally
protected right and that deprivation was caused by a municipal policy, custom or practice.
Waters v. City of Chicago, 580 F.3d 575, 580 (7th Cir. 2009), citing Monell v. Department of
Social Services, 436 U.S. 658, 694, 56 L. Ed. 2d 611, 638, 98 S. Ct. 2018, 2037-38 (1978); see
also Weimann v. County of Kane, 150 Ill. App. 3d 962, 965, 502 N.E.2d 373 (1986). "A
plaintiff may establish municipal liability by showing '(1) an express policy that causes a
constitutional deprivation when enforced; (2) a widespread practice that is so permanent and
well-settled that it constitutes a custom or practice; or (3) an allegation that the constitutional
injury was caused by a person with final policymaking authority.’ ” Waters, 580 F.3d at 581,
quoting Estate of Sims ex rel. Sims v. County of Bureau, 506 F.3d 509, 515 (7th Cir. 2007).
Non-state actors, such as All Printing here, may be found liable where they have conspired or
acted in concert with state actors to deprive a person of his civil rights. Pesek v. Marzullo, 566
F. Supp. 2d 834, 839 (N.D. Ill. 2008) (mem. op.), citing Adickes v. S.H. Kress & Co., 398 U.S.
144, 152, 26 L. Ed. 2d 142, 151, 90 S. Ct. 1598, 1605-06 (1970).
Plaintiffs have not cited to a case that supports the assertion of these rights in the context
of a private right of action under HIPAA. See Bagent v. Blessing Care Corp., 363 Ill. App. 3d
916, 919-20, 844 N.E.2d 469 (2006) (“[HIPAA] *** does not support a private cause of action”),
overruled on other grounds, 224 Ill. 2d 154, 862 N.E.2d 985 (2007); University of Colorado
Hospital Authority v. Denver Publishing Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004)
(finding HIPAA precludes “implication of a private right of action” and citing other federal
decisions finding no private right of action under HIPAA); Doe v. Board of Trustees of
University of Illinois, 429 F. Supp. 2d 930, 944 (N.D. Ill. 2006) (“[e]very court to have
considered the issue *** has concluded that HIPAA does not authorize a private right of action”);
see also Gonzaga University v. Doe, 536 U.S. 273, 284, 153 L. Ed. 2d 309, 321-22, 122 S. Ct.
2268, 2275-76 (2002) (“a plaintiff suing under an implied right of action must still show that the
statute manifests an intent ‘to create not just a private right, but a private remedy’ ”) (emphasis in
original), quoting Alexander v. Sandoval, 532 U.S. 275, 286, 149 L. Ed. 2d 517, 528, 121 S. Ct.
1511, 1519 (2001).
We also find that plaintiffs have forfeited the appeal of their fourth amendment claim.
Plaintiff Cooney mentioned the fourth amendment in her third amended complaint but never
briefed or argued the issue before the trial court. The trial court “completely ignored” the fourth
amendment claim because Cooney failed to bring it before the court. See People v. Phipps, 238
Ill. 2d 54, 62, 933 N.E.2d 1186, 1191 (2010), citing People v. Blair, 215 Ill. 2d 427, 443-44, 831
N.E.2d 604 (2005) (forfeiture applies to issues that could have been raised but were not).
We turn next to plaintiffs’ claims under the Consumer Fraud Act. 815 ILCS 505/1 et
seq. (West 2006). Section 2QQ of the Consumer Fraud Act provides that a “person” may not
“[p]ublicly post or publicly display in any manner an individual’s social security number.” 815
ILCS 505/2QQ(a)(1) (West 2006) (renumbered as 505/2RR in West 2008). It defines “[to]
'publicly post' or 'publicly display' ” as “to intentionally communicate or otherwise make
available to the general public.” 815 ILCS 505/2QQ(a)(1) (West 2006).
The statute defines a “person” as “any natural person or his legal representative,
partnership, corporation (domestic and foreign), company, trust, business entity or association,
and [agents and representatives of these entities].” 815 ILCS 505/1(c) (West 2006). The Board,
as a body politic, is not a “person” within the meaning of the Consumer Fraud Act and therefore
cannot be held liable for a violation of the statute. Board of Education v. A, C & S, Inc., 131 Ill.
2d 428, 467-68, 546 N.E.2d 580 (1989).
Unlike the Board, All Printing is a domestic corporation and qualifies as a “person”
within the meaning of the Consumer Fraud Act. See 815 ILCS 505/1(c) (West 2006). But,
plaintiffs must allege actual damages to bring a Consumer Fraud Act action. See 815 ILCS
505/10a(a) (West 2006) (“[a]ny person who suffers actual damage as a result of a violation of
this Act committed by any other person may bring an action against such person”); see Morris v.
Harvey Cycle & Camper, Inc., 392 Ill. App. 3d 399, 402, 911 N.E.2d 1049 (2009) (“[t]he failure
to allege specific, actual damages precludes a claim brought under the Consumer Fraud Act”).
To support a Consumer Fraud Act claim, actual damages must arise from “purely economic
injuries.” Morris, 392 Ill. App. 3d at 402.
Plaintiffs contend that they alleged actual damages because the disclosure put them at
increased risk of future identity theft. In Yu v. International Business Machines Corp., 314 Ill.
App. 3d 892, 732 N.E.2d 1173 (2000), we held that allegations of potential harm arising from a
software defect were insufficient to support a Consumer Fraud Act claim, justifying a section
2-615 dismissal. Without actual injury or damage, the plaintiff’s claims “constitute[d] conjecture
and speculation.” Yu, 314 Ill. App. 3d at 897. See also Williams v. Manchester, 228 Ill. 2d 404,
425, 888 N.E.2d 1 (2008) (“as a matter of law, an increased risk of future harm is an element of
damages that can be recovered for a present injury - it is not the injury itself”) (emphasis in
original); Pisciotta v. Old National Bancorp, 499 F.3d 629, 639 (7th Cir. 2007) (“[w]ithout more
than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm
that the law is prepared to remedy”); Morris, 392 Ill. App. 3d at 403, citing Xydakis v. Target,
Inc., 333 F. Supp. 2d 686, 688 (N.D. Ill. 2004) (“[t]here is no cause of action under the
Consumer Fraud Act when a plaintiff alleges only aggravation and not actual damages”).
Plaintiffs also allege actual economic injury: the purchase by some plaintiffs of credit
monitoring services. They claim that the Board’s offer of credit monitoring services constitutes
an admission of actual damages.
While neither party has directed us to Illinois authority addressing whether the purchase
of credit monitoring services constitutes an economic injury under the Consumer Fraud Act,
there is federal authority on this issue supporting the position that the purchase of these services,
without more, is not an economic injury. See Rowe v. Unicare Life & Health Insurance Co., No.
09 C 2286 (N.D. Ill. January 5, 2010) (finding the provision of credit monitoring services by the
defendants “does not resolve the question of whether credit monitoring costs are actual damages”
and finding that “the costs of credit monitoring services are not a present harm in and of
themselves”); Aliano v. Texas Roadhouse Holdings LLC, No. 07 C 4108 (N.D. Ill. December 23,
2008) (finding that the purchase of credit monitoring services does not constitute actual damages
and citing district courts in Michigan, Minnesota, Ohio and New York in agreement); see also
Harris v. Wal-Mart Stores Inc., No. 07 C 02561 (N.D. Ill. November 25, 2008) (rejecting claim
for damages under the Credit and Debit Card Receipt Clarification Act of 2007, Pub. L. No. 110-241,
122 Stat. 1565 (2008) (codified at 15 U.S.C. §1681) for the cost of credit monitoring
services). We affirm the trial court’s dismissal of plaintiffs’ Consumer Fraud Act claims.
Finally, we address plaintiffs’ invasion of privacy claims. Illinois courts recognize four
ways to state a cause of action for invasion of privacy: “(1) intrusion upon the seclusion of
another; (2) appropriation of another’s name or likeness; (3) public disclosure of private facts;
and (4) publicity placing another in a false light.” Busse v. Motorola, Inc., 351 Ill. App. 3d 67,
71, 813 N.E.2d 1013 (2004). Plaintiffs allege facts to support the first and third theories:
intrusion upon seclusion and public disclosure of private facts.
To support the intrusion theory, plaintiffs must allege: (1) an unauthorized intrusion
into seclusion; (2) the intrusion would be highly offensive to a reasonable person; (3) the matter
intruded upon was private; and (4) the intrusion caused the plaintiffs anguish and suffering.
Busse, 351 Ill. App. 3d at 71. Public disclosure of private facts requires that “(1) publicity was
given to the disclosure of private facts; (2) the facts were private, and not public, facts; and (3)
the matter made public was such as to be highly offensive to a reasonable person.” Miller v.
Motorola, Inc., 202 Ill. App. 3d 976, 978, 560 N.E.2d 900 (1990), citing W. Prosser, Torts §117
(5th ed. 1984). While the theories contain different elements, both the intrusion and public
disclosure torts require “private” matters or facts.
In Busse, we suggested that “[i]n the absence of an Illinois law defining social security
numbers as private information, we cannot say that defendants’ use of this number fulfills the
privacy element necessary to plead intrusion upon seclusion.” Busse, 351 Ill. App. 3d at 73. We
also noted that matters of public record such as names and dates of birth have not been held to be
private facts. Busse, 351 Ill. App. 3d at 72, citing Geisberger v. Willuhn, 72 Ill. App. 3d 435,
439, 390 N.E.2d 945 (1979).
Plaintiffs contend that, after Busse, the legislature defined social security numbers as
private facts, overruling that holding. They again rely on the Act, which includes social security
numbers in its definition of “personal information.” 815 ILCS 530/5 (West 2006). By equating
“personal” with “private” information, plaintiffs ignore the distinction we relied on in Busse.
See Busse, 351 Ill. App. 3d at 72 (“[h]ere, none of the ‘personal’ information furnished by the
customers *** has been held to be private facts”). The language of the Act is consistent with
Busse, which distinguished personal information, such as names and social security numbers,
from private facts, which are facially embarrassing and highly offensive if disclosed. See 815
ILCS 530/5 (West 2006); Busse, 351 Ill. App. 3d at 72-73, comparing Johnson v. K mart Corp.,
311 Ill. App. 3d 573, 578-79, 723 N.E.2d 1192 (2000) (private facts were clearly alleged); see
also Phillips v. Grendahl, 312 F.3d 357, 373 (8th Cir. 2002); Andrews v. TRW, Inc., 225 F.3d
1063, 1067 (9th Cir. 2000), rev’d on other grounds, 534 U.S. 19, 151 L. Ed. 2d 339, 122 S. Ct.
441 (2001).
Having found no viable causes of action, there is no need for us to address the
applicability of the Local Governmental and Governmental Employees Tort Immunity Act. 745
ILCS 10/1-101 et seq. (West 2006).
For the foregoing reasons we affirm the trial court’s dismissal of plaintiffs’ complaints.
Affirmed.
GARCIA, P.J., concurs.
R.E. GORDON, J., dissents.
JUSTICE ROBERT E. GORDON, dissenting:
In the case at bar, defendants sent each and every class member a complete list of over
1,700 former employees’ first and last names, addresses, marital status, social security numbers,
medical and dental insurers, and other health care insurance information.[1] That means, for every
class member, over 1,700 people received his or her personal information. In other words,
approximately 1,700 people received the personal information of approximately 1,700 other
people.
Most of the conclusions in the majority opinion are dependent on its first conclusion. If
the first conclusion is removed, then the other dependent conclusions become unpersuasive.
The majority’s first conclusion is that the Board’s disclosure falls outside of HIPAA’s
coverage. The majority bases this conclusion entirely on an exclusion in the Code of Federal
Regulations. This exclusion states that “employment records held by a covered entity in its role as
employer” are excluded from HIPAA’s protection. (Emphasis added.) 45 C.F.R. §160.103
(West 2006); see slip op. at 4.
[1] Paragraph 10 of the Cooney second amended complaint alleged that the mailing included
“addresses, social security numbers and specific health insurance plan selection information.”
Paragraph 10 of the Morgan-Wulf third amended complaint alleged that the mailing included
“first and last names, addresses, dates of qualification, medical and dental insurers and marital
status,” as well as social security numbers. The two cases were consolidated.
What the majority misses is that there is a world of difference between “held” and
“disclosed.” No one objects to the fact that the Board “held” the records. The Board’s ability to
hold and maintain these records is not at issue here. If the Board had simply held the records --
and held on to them -- there would be no lawsuit. But the Board did not hold on to them. It is
their disclosure, not their holding, that is at issue in this case.[2]
This distinction between holding and maintenance on the one hand, and disclosing on the
other, was made clear by the recent amendment to section 1320d-6. Act Feb. 17, 2009, P.L. 111-5,
Div. A, Title XIII, Subtitle D, Part 1, §13409, 123 Stat. 271 (effective Feb. 17, 2010).
Although this amendment was not in effect on the date of the disclosure in question, the
amendment merely clarifies the existing statute, rather than adding to it. The amendment
clarifies that an individual “shall be considered” to have disclosed individually identifiable health
information in violation of this section, if a covered entity both “maintained” the information and
then subsequently “disclosed” it. The amendment thus recognizes what we would have assumed
even without it, that there is a world of difference between maintaining or holding on the one
hand, and disclosing on the other.
Thus, the exclusion for “held” records, quoted by the majority, does not apply to the case
at bar. As a result, the majority’s first conclusion, that there is no duty because of this exclusion,
is incorrect.
[2] The dictionary defines “hold” as “to have and keep in one’s grasp.” The American
Heritage Dictionary, College Edition 616 (2d ed. 1982).
The majority seems to imply that, but for this exclusion, there would be a duty, and we
agree. See also Moss v. Amira, 356 Ill. App. 3d 701, 712 (2005) (Quinn, J., specially
concurring) (observing that Illinois law concerning disclosure is generally “far more restrictive”
than HIPAA); 215 ILCS 5/1021(B) (2006) (providing a private cause of action and damages for
the unauthorized disclosure of personal information by “an insurance institution, agent or
insurance-support organization”).
The majority correctly states:
“We must first decide whether the Board had a duty to safeguard
plaintiffs’ personal information under a statutory directive, because
where no duty is owed, there is no negligence. Washington v. City
of Chicago, 188 Ill. 2d 235, 239 (1999). Plaintiffs argue that
HIPAA (42 U.S.C. §1320d-6 (West 2006))[3] provides a statutory
basis for the creation of a new duty. A violation of a statute
designed to protect human life and property may be used as prima
facie evidence of negligence. Kalata v. Anheuser-Busch
Companies, Inc., 144 Ill. 2d 425, 434-35 (1991).[4] HIPAA prohibits
the disclosure of ‘individually identifiable health information to
another person.’ 42 U.S.C. §1320d-6(a)(3) (West 2006).” Slip op.
at 3-4.
[3] Section 1320d-6(a) provides that “[a] person who knowingly and in violation of this part
*** discloses individually identifiable health information to another person, shall be punished as
provided in subsection b” of this section. 42 U.S.C. §1320d-6(a) (West 2006). Subsection b
provides that for a base offense, which is a disclosure committed without false pretenses and
without an intent to sell, then the punishment can be up to one year in jail and may include up to
a $50,000 fine. 42 U.S.C. §1320d-6(a) (West 2006).
This court has already held that the term “individually identifiable health information” in
HIPAA includes names, addresses and social security numbers. Giangiulio v. Ingalls, 365 Ill.
App. 3d 823, 839 (2006). Specifically, in Giangiulio, we found that this term “includes
common identifiers such as name, address, birth date, and social security numbers.” Giangiulio,
365 Ill. App. 3d at 839. See also In re: Bextra and Celebrex Marketing, 2008 U.S. Dist. Lexis
111875, 187 (N.D. Cal. 2008) (interpreting the term to include social security numbers).
[4] In its brief to this court, defendant Board of Education concedes, as it must, that the
violation of a statute designed to protect human life or property may be used as prima facie
evidence of negligence.
Our holding in Giangiulio, that the term includes names, addresses and social security
numbers, is also supported by the definition provided for the term. The term “individually
identifiable health information,” as used in HIPAA, is defined in both the statute and in the Code
of Federal Regulations. 42 U.S.C. §1320d(6); 45 C.F.R. §160.103 (West 2006). This definition
includes “demographic information” (1) that is received by an employer; (2) that relates to the
provision of or payment for health care; and (3) that identifies an individual. 42 U.S.C.
§1320d(6); 45 C.F.R. §160.103 (West 2006). Demographic information is widely understood to
include social security numbers, as well as names and addresses. E.g. In re: Bextra, 2000 U.S.
Dist. Lexis at 187 (discussing “names and addresses, dates of birth, social security numbers ***
and other demographic information”); Mayfield v. U.S., 504 F. Supp. 2d 1023, 1027 (D. Ore.
2007) (“Demographic information included name, date of birth, sex, race, and social security
number”). In the case at bar, the names, addresses and social security numbers (1) were received
by the employer, (2) related to the provision of or payment for health care, and (3) identified the
individual. Thus, our holding in Giangiulio, that the term includes names, addresses and social
security numbers, is also supported by the definition provided for the term.
Since the disclosed names, addresses and social security numbers in the case at bar
qualify as “individually identifiable health information,” HIPAA applies to the disclosed
information. HIPAA also applies to enrollment and disenrollment decisions. 42 U.S.C. §1320d-2(a)(2)(C)
(covered transactions include “[e]nrollment and disenrollment in a health plan”); 45
C.F.R. §160.103.
As the majority already observed, “[a] violation of a statute designed to protect human
life and property may be used as prima facie evidence of negligence.” Slip op. at 3-4, citing
Kalata, 144 Ill. 2d at 434-35. See also Noyola v. Board of Education, 179 Ill. 2d 121, 129
(1997), discussed recently with approval in Vancura v. Katris, No. 108652, slip op. at 18-19 (Ill.
October 7, 2010). Following the majority’s suggestion, I would find that the HIPAA violation
serves as prima facie evidence of negligence, and I would not dismiss at this early stage of the
litigation. Acosta v. Smith, 180 N.C. App. 562, 571-72 (N.C. App. Ct. 2006) (HIPAA violation
used as evidence of “the duty” owed in a negligence case).
In short, the majority and I seem to be in agreement that, but for the exception, there
would be a duty. We differ primarily because the majority believes that the exception applies,
and I do not.
Most of the remaining conclusions in the majority opinion are based on this first
conclusion, and thus are also faulty. For example, later in the opinion, the majority concludes
that plaintiffs’ claim of emotional distress must fail because plaintiffs “failed to establish a duty”
on the part of defendants. Slip op. at 6.[5] However, this conclusion depends on finding, first, that
there was no duty under HIPAA. If there was a duty then, at this early stage, plaintiffs would
have only to allege, rather than provide evidence, of their anxiety and emotional distress. Rowe
v. Unicare Life and Health Insurance Co., 2010 U.S. Dist. Lexis 1576, 11-14 (N.D. Ill.,
E.D. 2010) (although plaintiffs did not allege that the disclosure of their social security numbers
and other personal information resulted in unauthorized access by specific persons, plaintiffs’
allegations of anxiety were sufficient to withstand a motion to dismiss their emotional distress
claim, under Illinois state law).
Similarly, the majority concludes that plaintiffs failed to establish that the Board had a
fiduciary duty to avoid disclosure, because the majority finds that plaintiffs cited “no authority
supporting such a duty.” Slip op. at 6. Again, this conclusion depends on finding no duty under
HIPAA.
[5] The majority does not find that plaintiffs failed to allege emotional distress; rather they
simply do not reach this issue. Slip op. at 6.
Since I find that the exclusion, quoted by the majority, does not apply, I must find that the
majority’s first conclusion is incorrect. Since that first conclusion is the foundation for much of
the subsequent opinion, I must respectfully dissent.
I cannot find that HIPAA would allow the disclosure of someone’s social security
number, marital status, and insurance information, and leave that person without any recourse.