On September 4, in Tierney et al. v. Advocate Health and Hospitals Corp., the United States District Court for the Northern District of Illinois issued an order dismissing a putative Fair Credit Reporting Act class action accusing Advocate Health and Hospitals Corp. of violating the FCRA by failing to secure health data stolen from its facilities.

The plaintiffs alleged that the hospital’s failure to adopt and/or maintain adequate procedures to protect personal and medical data, which led to the theft and dissemination of that information, violated the protections mandated by the FCRA.  The court dismissed the FCRA claims on the basis that the hospital was not a “consumer reporting agency,” a prerequisite to any liability under the FCRA, and a status that applies only to entities that “regularly engage in whole or part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.”  The court held that, “Defendant — a health care provider — does not engage in such a practice.”   The court also declined to accept the plaintiffs’ contention that Advocate Health and Hospitals Corp. had violated the FCRA by furnishing protected information to third parties, noting that the plaintiffs had only shown that the computers containing the personal data had been stolen, and not that the hospital had willingly engaged in the provision of the data to third parties.

Due to the court’s ruling that the FCRA allegations (which were the only federal claims asserted in the suit) could not proceed, the court declined to exercise pendent jurisdiction over the state law claims of negligence and invasion of privacy by public disclosure of private facts.