Mosby v. Ingalls Memorial Hospital, 2023 IL 129081
On November 30, 2023, the Illinois Supreme Court issued a critical decision interpreting the highly contentious Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). BIPA is an Illinois state law that allows plaintiffs to recover for mere technical violations of BIPA’s requirements when an entity collects, possesses, or disseminates biometric data. The issue before the court in Mosby v. Ingalls Memorial Hospital was whether the definition of “biometric identifier” under the statute excludes biometrics collected by medication-dispensing systems used by health care workers in a health care setting. The dispensing systems at issue limit access to medication to healthcare workers, such as nurses, who can access medication by scanning their finger. Section 10 of BIPA provides:
Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
In addition to Ingalls Memorial Hospital, other plaintiffs have brought suit against nearly every hospital in the Chicagoland area, as well as the manufacturer of the dispensing systems. The systems, plaintiffs argued, were not covered under Section 10’s exclusion because it was not patient information that was collected, used, or stored. The trial court and appellate court agreed with the plaintiffs and denied the defendants’ motion to dismiss. However, the Illinois Supreme Court agreed with the defendants and found that the legislature purposely included a separate clause to exempt “information used for a particular purpose—healthcare treatment, payment, or operations—regardless of the information’s source.” The court reasoned that the legislature purposely used the disjunctive “or” to differentiate the preceding language regarding patient information from the subsequent language, which covers information used for healthcare treatment, payment, or operations. In so holding, the court reversed the appellate court’s decision and remanded the case to the trial court, where it is expected that the lawsuit will be dismissed.
This decision comes as a positive note in the midst of an untenable landscape for BIPA defendants. The Illinois Supreme Court held in 2019 that no actual damages are required to recover under BIPA (Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186), so mere technical violations of the statute can leave, and have left, Illinois businesses in shambles due to the increased exposure caused by recent decisions. In February of 2023, the Illinois Supreme Court held that each and every instance of biometric collection (i.e., every finger scan) is a separate violation of BIPA. See Cothron v. White Castle System, Inc., 2023 IL 128004. Under the fee-shifting BIPA statute, a plaintiff may collect $1,000 for every negligent violation and $5,000 for every reckless or intentional violation, plus attorney’s fees and costs. Cothron exponentially increased the exposure for BIPA defendants, especially in employment settings using finger-scanning timekeeping technology. If an employee clocks in and out four times per workday, that employee could potentially recover $20,000 per day of work if each scan is determined to be an intentional or reckless violation of BIPA. Thus, exposure for defendants in BIPA suits, which are most often class action lawsuits, could easily reach billions of dollars.
To avoid or reduce liability and exposure, entities doing business in Illinois will be well advised to avoid the use of biometric systems, or anything related to biometrics, where possible. If it is not possible to avoid altogether, entities should ensure they are compliant with BIPA’s mandates which require, among other things, publicly available retention and destruction policies, written releases from those whose biometrics are collected, and security measures for biometric data that are equal to or greater than measures in place to protect other sensitive information. See 740 ILCS 14/15 for specific requirements.
Similar statutes are popping up elsewhere in the United States, and it is anticipated that most states will have enacted some sort of biometric protection legislation in the next five years. To avoid the harsh statutory penalties and damaging consequences of biometric data breaches, private entities everywhere should take notice of the unsustainable landscape for biometric users in Illinois and implement preventive measures to avoid liability down the road.
To read the full decision, please click here.