Hospital Data Breach Target Isn't Reporting Agency

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Aug. 11 — A health-care service provider that was a target of a data breach isn't a consumer reporting agency within the meaning of the Fair Credit Reporting Act, the U.S. Court of Appeals for the Seventh Circuit affirmed Aug. 10.

Judge Michael S. Kanne, however, said that the reach of the FCRA, 15 U.S.C. § 1681, isn't confined to major credit bureaus and that “other entities outside that mold may act in ways” that meet the statutory definition of consumer reporting agency.

Advocate Health and Hospitals Corp. is a network of hospitals and doctors providing medical care in Illinois. In July 2013, four computers containing unencrypted personal health information for more than 4 million patients were stolen from one of its offices. Patients affected by the breach filed suit in state and federal courts.

‘Not a Credit or Consumer Reporting Company.'

Following the dismissal of two state court cases for lack of standing and failure to allege present injury, a federal district court in Illinois also dismissed FCRA claims against Advocate, holding that the company isn't a consumer reporting agency.

Appealing, the plaintiffs argued that Advocate failed to maintain “reasonable procedures” to make sure that it doesn't furnish “consumer reports” to unauthorized third parties, as required under the FCRA. The appeals court, however, said that the plaintiff must first show that the reasonable procedures provision “applies in the first place, which includes, for a start, properly pleading that Advocate is a ‘consumer reporting agency.' ”

“Advocate does not meet this definition,” the appeals court concluded. Although the plaintiffs sufficiently showed that Advocate assembles its patients' personal and medical information, it failed to show that Advocate assembles the information “‘for monetary fees.' ”

Advocate isn't getting paid for assembling patient information, the appeals court said. As the complaint acknowledged, Advocate is “ ‘a network of affiliated doctors and hospitals that treat patients'—not a credit or consumer reporting company,” it concluded.

Judge Ilana D. Rovner and Judge Theresa L. Springmann joined the majority opinion.

Barnow & Associates PC represented the plaintiffs. Baker & Hostetler LLP represented Advocate. 

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Full text of the court's opinion is available at

Request Bloomberg Law: Privacy & Data Security