Fingerprint, Retinal Scan Privacy Claim Hits Hospital

By Mary Anne Pazanowski

A massive litigation wave in Illinois has ensnared at least three Chicago-area health-care industry employers.

Northshore University Healthsystem is the latest health-care organization targeted by a potential class action alleging an employer is unlawfully collecting, using, storing, and disclosing fingerprints, retinal scans and other biometric data of its employees. Because the information collected is unique, workers may be exposed to “serious and irreversible privacy risks” if a biometric information database is hacked or breached, the complaint says.

The stakes are high for employers because plaintiffs who prove violations of the Illinois Biometric Information Privacy Act can recover the greater of actual damages or $1,000 in liquidated damages per negligent violation or $5,000 per violation for intentional acts. For employers that have thousands of employees, that could add up quickly.

Health-Care Defendants

Lawsuits alleging BIPA violations are pending against employers in industries as diverse as social media site Facebook Inc. and restaurant chain Hooters Inc.—about 100 in Illinois trial courts alone since September 2017. Health-care providers haven’t been immune. In addition to Northshore, Chicago Lakeshore Hospital and St. Bernard Hospital are alleged to have violated the BIPA, plaintiffs’ attorney Ryan F. Stephan told Bloomberg Law.

Jim Anthony, senior public relations director at Northshore in Evanston, Ill., told Bloomberg Law the provider hasn’t yet been served with the complaint and couldn’t comment. Chicago Lakeshore Hospital and St. Bernard Hospital didn’t reply to Bloomberg Law’s request for comments.

So far, all of the cases that Stephan has filed “have involved workers, either direct employees or vendors,” he said. He said he is “not aware of any cases brought on behalf of patients or other visitors.” Stephan, James B. Zouras, and Catherine T. Mitchell, of Stephan Zouras LLP, Chicago, are representing the potential class in the Northshore suit.

Molly K. McGinley, a partner in the Chicago office of K&L Gates who counsels clients on biometric data compliance and litigation defense, told Bloomberg Law the BIPA contains an exception for Health Insurance Portability and Accountability Act-covered entities and their business associates. Because biometric information collected from a patient in connection with the provision of health care isn’t covered by the law, the viability of a patient-filed complaint would depend on the facts, she said.

BIPA Requirements

The BIPA, the complaint says, is an informed consent law. That is, it makes it unlawful for a company to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifiers or biometric information” unless it notifies people whose information is being collected of the fact of collection, the reason for the data’s collection, and the duration of time for which the data will be collected. Subjects must consent in writing.

The law defines biometric data to include retina and iris scans, voiceprints, hand and face geometric mapping, and fingerprints. Private entities that collect such data may not disclose it without the subject’s consent.

McGinley said the BIPA doesn’t outright prohibit businesses from collecting biometric data. It merely regulates the manner in which they do so. The question in any given case, she said, is whether the defendant business had statutorily required policies and procedures in place.

Allegations Against Northshore

According to the complaint, Northshore violated the BIPA by failing to tell employees in writing the specific purpose for and length of time during which the information would be collected; failing to provide publicly available guidelines for how long such information would be retained; failing to provide a policy for how the information would be destroyed or deleted; and failing to obtain written permission from employees to collect their biometric information.

The named plaintiff, Charles Thurman, said Northshore required him to pass through hand and retina scanners before entering restricted areas of its four hospitals during the six months he worked there as a contract security and public safety director.

Thurman said he was never told the reason for the scans, or how his information was stored, used, or disposed of, the complaint says. Thurman alleged Northshore didn’t tell employees about its biometric information retention policy or guidelines for destroying the information.

Rise in Lawsuits

Attorneys on both sides of the courtroom previously told Bloomberg Law there is no one clear reason for this litigation trend. It may be due to a combination of factors, they said.

Jay Edelson, of Edelson PC in Chicago, told Bloomberg Law that companies “are so excited to use” new biometric technology that they aren’t really considering their legal obligations in relation to the information collected. Edelson has filed at least four BIPA suits on behalf of plaintiffs.

Defense-side attorney Jenny R. Goltz, of Cozen O’Connor in Chicago, previously told Bloomberg Law that some plaintiffs’ attorneys have “caught on and realized there are liquidated damages” available under the law. She called the claims “basically low-hanging fruit.”

Litigation so far primarily has involved two types of biometric information, facial geometry mapping and fingerprints, Steven Grimes and Eric J. Shinabarger, of Winston & Strawn LLP in Chicago, wrote in a Bloomberg Law Insights. They discussed various defenses to BIPA claims. For example, they said, defendants have argued that plaintiffs lack standing to assert the claims because they are unable to show they actually were harmed by the alleged violations.

Facebook recently lost two attempts to dismiss BIPA cases on these grounds. Judge James Donato, of the U.S. District Court for the Northern District of California, said the plaintiffs had alleged sufficient harm to move the case forward toward trial.

An intermediate appeals court in Illinois, however, has said the BIPA provides a cause of action only for a “person aggrieved by a violation” of the law. A person who has suffered “no actual harm has not been ‘aggrieved,’” the Illinois Appellate Court, Second District, said in a December 2017 decision. The plaintiffs alleged Six Flags Entertainment Corp. and Great America LLC violated the BIPA by fingerprinting season pass purchasers without first obtaining their consent or disclosing the companies’ plan for collecting, using, storing, and destroying the information.

The Illinois court didn’t suggest how a BIPA plaintiff could show he or she was aggrieved by a statutory violation, McGinley said. She added that it is difficult to predict where this litigation is going, as there have been few decisions to date interpreting the law.

Other State Laws

Texas and Washington also have passed laws regulating businesses’ collection of biometric data. Unlike Illinois’s BIPA, these laws don’t include a private right of action that allows individual plaintiffs to sue for violations. Only the state attorneys general can enforce the laws’ requirements.

Biometric privacy laws have been proposed and failed in California, Connecticut, Montana, Arizona, Missouri, Alaska, and New Hampshire, according to Bloomberg Businessweek.

The case is Thurman v. Northshore Univ. Healthsystem, Ill. Cir. Ct., No. 2018-CH-03544, filed 3/19/18.

To contact the reporter on this story: Mary Anne Pazanowski in Washington at

To contact the editor responsible for this story: Peyton M. Sturges at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
