`GOOGLE, LLC, a Delaware limited
`liability company, THE UNIVERSITY
`OF CHICAGO MEDICAL CENTER, an
`Illinois not-for-profit corporation, and
`THE UNIVERSITY OF CHICAGO, an
`Illinois not-for-profit corporation,
`
`
`v.
`
`Defendants.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`)
`)
`)
`)
`)
`)
`)
`) No. 19 C 4311
`)
`) Judge Rebecca R. Pallmeyer
`)
`)
`)
`)
`)
`
`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 1 of 46 PageID #:1079
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF ILLINOIS
`EASTERN DIVISION
`
`
`MATT DINERSTEIN, individually and on
`behalf of all others similarly situated,
`
`
`Plaintiff,
`
`MEMORANDUM OPINION AND ORDER
`
`
`In 2017, Defendants The University of Chicago and The University of Chicago Medical
`
`Center (collectively “the University”) and Google began a research partnership in which they used
`
`machine-learning techniques to create predictive health models aimed at reducing hospital
`
`readmissions and anticipating future medical events. As part of this research, the University
`
`disclosed to Google the “de-identified” electronic health records of all adult patients treated at its
`
`hospital from January 1, 2010 through June 30, 2016. Plaintiff Matt Dinerstein was an inpatient
`
`at the University in June 2015 and, asserting a variety of state-law claims, brings this suit pursuant
`
`to the Class Action Fairness Act (“CAFA”) on behalf of all patients whose medical information was
`
`disclosed for Defendants’ research. The University and Google have both filed motions to dismiss
`
`[43, 45]. In addition, the University has moved to strike the class allegations [49]. For the following
`
`reasons, Defendants’ motions to dismiss are granted, and the University’s motion to strike is
`
`terminated as moot.
`
`BACKGROUND
`
`The amended class action complaint (“AC”) [42] alleges the following facts, assumed true
`
`for the purposes of this analysis. Plaintiff Matt Dinerstein had two separate hospital stays as a
`
`patient at the University’s hospital in June 2015. (AC ¶ 92.) Each stay lasted for a few days (id.),
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 2 of 46 PageID #:1080
`
`and Plaintiff paid premiums and other fees to health insurers who provided coverage for the
`
`treatment and services he received. (Id. ¶ 98.) During his stays at the hospital and throughout
`
`2015, Mr. Dinerstein maintained an account with Defendant Google and used a smartphone with
`
`Google applications on it, which, he alleges, collected and transmitted to Google his geolocation
`
`information. (Id. ¶ 94.) Also during these stays, the University generated and maintained health
`
`records for Plaintiff, which included such sensitive information as his demographic data, vital
`
`signs, diagnoses, procedures, and prescriptions. (Id. ¶ 93.) Mr. Dinerstein received two forms
`
`relevant to this sensitive information: the Admission and Outpatient Agreement and Authorization
`
`form, and the Notice of Privacy Practices. (Id. ¶ 61.)
`
`The Admission and Outpatient Agreement and Authorization (“the Authorization”), a copy
`
`of which was attached as an exhibit to the amended complaint, contains two paragraphs relevant
`
`to the present dispute:
`
`I understand and agree that my medical information in any form and any tissue,
`fluids, cells and other specimens that may be collected during this hospitalization
`and/or period of treatment may be used and shared for research that has been
`approved by the University of Chicago Institutional Review Board (IRB) and that
`has been found to pose a minimal risk. I acknowledge that such research by the
`University of Chicago Medical Center may have commercial value and, in that
`event, I understand that I will not be entitled to any compensation, regardless of
`the value of such research or any products or inventions developed therefrom.
`
` I
`
` understand that all efforts will be made to protect my privacy and that any use of
`my medical information will be in compliance with federal and state laws, including
`all laws that govern patient confidentiality, and the University of Chicago Medical
`Center Notice of Privacy Practices. I further understand that my identity and the
`identity of my medical records will not be included in any research findings or
`reports.
`
`(Outpatient Agreement & Authorization § III, Ex. 2 to AC [42-2].) See FED. R. CIV. P. 10(c) (“A
`
`copy of a written instrument that is an exhibit to a pleading is a part of the pleading for all
`
`purposes.”).
`
`The Notice of Privacy Practices (“the NPP”) contains the following provisions that are also
`
`important to the instant case:
`
`We respect the privacy of your medical information. Each time you visit us, we
`record information about the care you receive, including external information we
`2
`
`
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 3 of 46 PageID #:1081
`
`receive about your health care and information to seek payment for our services
`(your “medical information”). This medical information is also called your
`“Protected Health Information”) (“PHI”). These records may be kept on paper,
`electronically on a computer, or stored by other media.
`
`[The University Chicago Medical Center (“UCMC”)] is required by law to:
`
`
`• Maintain the privacy and security of your PHI;
`• Notify you following a breach of your unsecured PHI, if required by law;
`• Provide this Notice to you and describe the ways we may use and share
`your PHI;
`• Notify you of your rights regarding your PHI;
`• Follow the terms of this Notice.
`
`
`. . .
`
`We perform research at UCMC. Our researchers may use or share your
`information without your authorization (a) if the group that oversees research gives
`them permission to do so, (b) if the patient data is being used to prepare for a
`research study, or (c) if the research is limited to data of deceased patients.
`
` .
`
` . .
`
`We will not use or share your medical information for any reason other than those
`described in this Notice without a written authorization signed by you or your
`personal representative. An authorization is a document that you sign that directs
`us to use or disclose specific information for a specific purpose. . . .
`We will obtain your written permission:
`
` .
`
` . .
`
`
`• For the sale of your medical information.
`
`(NPP at 1–2, 4, 5, Ex. 1 to Univ. Mem. in Supp. of Mot. to Dismiss [44-1].)1
`
`In May 2017, Google announced that it had partnered with the University to use “machine
`
`learning” to identify patients’ health problems and predict future medical events. (AC ¶ 58.) To
`
`conduct this study, the University transferred electronic health records (“EHRs”) to Google. (Id.
`
`¶ 59.) This transfer was made pursuant to a December 2016 Data Use Agreement (“DUA”) under
`
`which the University would transfer to Google the EHRs of every patient, age eighteen or older,
`
`
`Unlike the Authorization, Plaintiff did not include the NPP as an exhibit to the
`1
`amended complaint. The court may nevertheless consider the document as part of the pleadings
`because Plaintiff referred to it in the amended complaint and the University has included it with
`the motion to dismiss. See Feigl v. Ecolab, Inc., 280 F. Supp. 2d 846, 848–49 (N.D. Ill. 2003).
`3
`
`
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 4 of 46 PageID #:1082
`
`who used the University’s outpatient, inpatient, or emergency services between January 1, 2010
`
`and June 30, 2016. (Id. ¶ 66; see DUA at 9, Ex. 1 to AC [42-1].) Google has submitted a patent
`
`application for a system that aggregates EHR data and uses machine learning on those records
`
`to predict future medical events. (AC ¶ 54.) The patent application’s abstract further describes
`
`the invention as providing an interface for healthcare providers to see past and predicted future
`
`medical events for a patient. See U.S. Patent Publication No. US2019/0034591. According to
`
`the amended complaint, by submitting the patent application in 2017, Google “demonstrat[ed] its
`
`clear intent to commercialize the University’s medical records prior to obtaining them.” (AC ¶ 54.)
`
`Plaintiff alleges that while Google retains all rights to the software created using the EHRs,
`
`the DUA granted the University a perpetual license to use that software. (Id. ¶ 66.) Google
`
`disputes this characterization of the DUA. (Google Mem. in Supp. of Mot. to Dismiss [46] at 3
`
`n.3.) In fact, it is not apparent to the court what exactly has been granted to the University. See
`
`Bytska v. Swiss Int'l Air Lines, Ltd., No. 15 C 483, 2016 WL 792314, at *3 (N.D. Ill. Mar. 1, 2016)
`
`(explaining that if “an exhibit incontrovertibly contradicts the allegations in the complaint, the
`
`exhibit ordinarily controls, even when considering a motion to dismiss”). The DUA grants to the
`
`University, “for internal non-commercial research purposes,” “a nonexclusive, perpetual license
`
`to use the [ ] Trained Models and Predictions” created by Google. (DUA § 3.12.) The Trained
`
`Model refers to the model created via machine learning conducted on the EHRs, and Predictions
`
`are the results of the model’s computations. Specifically, the DUA defines “Trained Model” as
`
`“the Model parameters arranged in accordance with the Model’s mathematical form,” which are
`
`determined by using “the Limited Data Set”—the EHRs disclosed by the University to Google—
`
`“as Input Data” to “train” the Model. (Id. § 1.12.) Training a model means “using Model Software
`
`to create Model parameters for a Model form using Input Data.” (Id. § 1.12.) And the “Model
`
`Software” is “used to Train a Model and compute Predictions,” (id. § 1.7), where “Predictions” are
`
`the outputs “of a Model for a given set of Input Data.” (Id. § 1.6.)
`
`
`
`4
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 5 of 46 PageID #:1083
`
`In early 2018, Defendants published a study discussing the results of their research and
`
`methodology. (AC ¶ 64; see Alvin Rajkomar et al., Scalable and Accurate Deep Learning with
`
`Electronic Health Records, 1 NPJ Digital Media (January 2018), https://www.nature.com
`
`/articles/s41746-018-0029-1 (last visited Sept. 1, 2020).) The article explains that the study used
`
`EHRs provided by Defendant University and the University of California, San Francisco (“UCSF”)
`
`that included the following “de-identified” information: “patient demographics, provider orders,
`
`diagnoses, procedures, medications, laboratory values, vital signs, and flowsheet data . . . from
`
`all inpatient and outpatient encounters.” (Rajkomar et al., Scalable and Accurate Deep Learning
`
`at 6.) The article notes that Defendant University—but not UCSF—included the “dates of service”
`
`as well as “free-text medical notes” in the EHRs provided to Google. (Id.) According to Plaintiff,
`
`disclosing such information is a prima facie violation of the Healthcare Insurance Portability and
`
`Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191, 110 Stat. 1936 (1996). (AC ¶ 67.)
`
`These records were not, the amended complaint alleges, sufficiently anonymized, and therefore
`
`put patient privacy at risk. (Id. ¶ 68.) The amended complaint points out that at a 2017 conference
`
`hosted by Google, the University’s Associate Chief Research Informatics Officer himself said that
`
`protecting patient anonymity in free-text notes requires not only making certain redactions but
`
`actually changing information like a patient’s age and other biographical information. (Id. ¶ 69.)
`
`Yet the parties’ DUA provides that the University would share patients’ ages with Google. (Id.)
`
`And the free-text notes shared with Google are alleged to have not been sufficiently redacted or
`
`anonymized. (Id.) Plaintiff claims that free-text notes “are normally not included in de-identified
`
`medical records,” and also “create an enormous wealth of data re-identifying the patients
`
`themselves.” (Id. ¶ 88.) According to the amended complaint, whatever process was used to
`
`redact these notes was not properly audited or independently verified. (Id. ¶ 89.)
`
`These disclosures, Plaintiff alleges, violate HIPAA because the University either did not
`
`make an expert determination that the risk of re-identifying the data was very small or, if such a
`
`
`
`5
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 6 of 46 PageID #:1084
`
`determination was made, it was incorrect.2 (Id. ¶ 70.) Plaintiff suggests that the risk of re-
`
`identification was in fact substantial because of the information Google already possesses about
`
`individuals through the other services it provides.3 Specifically, the amended complaint refers to
`
`Google as “one of the largest and most comprehensive data mining companies in the world,
`
`drawing data from thousands of sources and compiling information about individuals’ personal
`
`traits (gender, age, sexuality, race), personal habits, purchases, and associations.” (Id. ¶ 76).
`
`Google has “create[d] detailed profiles of millions of Americans,” including public and nonpublic
`
`information, and “possess[es] detailed geolocation information that it can use to pinpoint and
`
`match exactly when certain people entered and visited the University’s hospital,” according to the
`
`amended complaint. (Id. ¶¶ 77–78, 80.) In fact, for a user of Google applications like Mr.
`
`Dinerstein, Google can track the specific University hospital buildings or departments he visited
`
`and the time of his visits. (Id. ¶¶ 84–85.) Plaintiff alleges that the combination of such geolocation
`
`information and the EHRs, which include the date and time of hospital services, “creates a perfect
`
`formulation of data points for Google to identify who the patients in those records really are.” (Id.
`
`¶ 87.) The amended complaint does not allege, however, that Google has in fact used its
`
`extensive data to re-identify any EHRs.
`
`
`Under HIPAA regulations, one method for a “[a] covered entity [to] determine that
`2
`health information is not individually identifiable health information” is if “[a] person with
`appropriate knowledge of and experience with generally accepted statistical and scientific
`principles and methods for rendering information not individually identifiable: (i) [a]pplying such
`principles and methods, determines that the risk is very small that the information could be used,
`alone or in combination with other reasonably available information, by an anticipated recipient to
`identify an individual who is a subject of the information; and (ii) [d]ocuments the methods and
`results of the analysis that justify such determination.” 45 C.F.R. § 164.514(b)(1).
`
` 3
`
`In fact, the amended complaint cites studies showing that researchers without
`
`Google’s extensive resources are able to re-identify medical records at high rates. (AC ¶¶ 72–73
`(discussing Latanya Sweeney, Matching Known Patients to Health Records in Washington State,
`HARVARD UNIV., http://dataprivacylab.org/projects/wa/1089-1.pdf (last visited Sept. 1, 2020) (re-
`identifying 43 percent of patients); then discussing Linda Carroll, Anonymous Patient Data May
`Thought, REUTERS
`(Dec.
`21,
`2018),
`Not Be
`as Private
`as Previously
`http://news.yahoo.com/anonymous-patient-data-may-not-private-previously-thought-
`190248280.html (last visited Sept. 1, 2020) (reporting on a study that re-identified 95 percent of
`adult patient EHRs based on physical activity data collected via movement trackers like Fitbit).)
`6
`
`
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 7 of 46 PageID #:1085
`
`* * *
`
`Mr. Dinerstein brings this action on behalf of himself and all individuals in the United States
`
`whose EHRs were transferred by the University to Google. (Id. ¶ 99.) According to the amended
`
`complaint (id. ¶ 18), the court has jurisdiction under CAFA because at least one member of the
`
`proposed class is a citizen of a different state than Defendants and the amount in controversy
`
`exceeds $5,000,000. 28 U.S.C. § 1332(d)(2). Plaintiff asserts several causes of action on behalf
`
`of himself and the class: Against the University, he brings claims for violating the Illinois Consumer
`
`Fraud and Deceptive Business Practices Act (“ICFA”), 815 ILCS 505/1 et seq. (Count I), breach
`
`of express contract (Count II), breach of implied contract (Count III), and unjust enrichment
`
`(Count VII). Against Google, he asserts claims for tortious interference with contract (Count IV)
`
`and unjust enrichment (Count VI). And he asserts a claim for intrusion upon seclusion against
`
`both Defendants (Count V).
`
`The University and Google have both filed motions to dismiss [43, 45], contending that
`
`Plaintiff lacks standing and has failed to state a claim upon which relief can be granted. See
`
`FED. R. CIV. P. 12(b)(1), (6). The University has also filed a motion to strike Plaintiff’s class
`
`allegations [49] on the grounds that Plaintiff’s counsel has a conflict of interest that disqualifies
`
`him from representing the class. As the court discusses below, the court finds that Plaintiff lacks
`
`standing to pursue one of his asserted claims and dismisses the rest of the complaint under
`
`Rule 12(b)(6). The University’s motion to strike class allegations is terminated as moot.
`
`I. Subject Matter Jurisdiction
`
`DISCUSSION
`
`A motion to dismiss for lack of standing tests the jurisdictional sufficiency of the complaint.
`
`FED. R. CIV. P. 12(b)(1). Both Defendants present facial challenges to the court’s subject matter
`
`jurisdiction (see Univ. Mem. in Supp. of Mot. to Dismiss [44] at 4–8; Google Mem. In Supp. of
`
`Mot. to Dismiss at 5–6), arguing that Mr. Dinerstein has not adequately alleged a basis for
`
`standing in his amended complaint. Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015). In
`
`
`
`7
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 8 of 46 PageID #:1086
`
`reviewing such a challenge, the court must accept all well-pleaded factual allegations as true and
`
`draw all reasonable inferences in favor of Plaintiff.4 Id. Article III standing requires a plaintiff to
`
`“demonstrate (1) that he or she suffered an injury in fact that is concrete, particularized, and actual
`
`or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely
`
`be redressed by the requested judicial relief.” Thole v. U. S. Bank N.A., 140 S. Ct. 1615, 1618
`
`(2020) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). “To establish injury in fact,
`
`a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is
`
`‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo,
`
`Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016) (quoting Lujan, 504 U.S. at 560). Plaintiff has
`
`identified three injuries that he claims satisfy this standard, while Defendants contend that none
`
`is sufficient to confer him standing. The court addresses the claimed injuries in turn.
`
`A.
`
`Breach of Contract
`
`First, Plaintiff argues that he has standing because he alleged that the University breached
`
`a contract—namely, the promises the University made in the Authorization and NPP he received
`
`when admitted to the hospital. (See Pl.’s Mem. in Opp’n to Defs.’ Mots. to Dismiss [65] at 5.) An
`
`alleged breach of contract, Mr. Dinerstein insists, confers Article III standing even if the breach is
`
`not claimed to have resulted in any “monetary loss or other concrete harm.” (Id. at 4–5 (quoting
`
`J.P. Morgan Chase Bank, N.A. v. McDonald, 760 F.3d 646, 650–51 (7th Cir. 2014).) The
`
`University responds that such an injury is purely a legal one and hence neither concrete nor even
`
`an injury in fact. (Univ. Reply Mem. in Supp. of Mot. to Dismiss [71] at 1–2 (citing Spokeo, 136
`
`S. Ct. at 1549).)
`
`Whether alleging breach of contract—without actual damages—is enough to confer
`
`standing is a close call. There is authority on both sides of the issue, but the court concludes that
`
`Plaintiff has the better argument. The Supreme Court in Spokeo, 136 S. Ct. at 1549, wrote that
`
`
`In contrast, for a factual challenge, which questions whether a plaintiff actually has
`4
`standing even if the pleadings are sufficient, the court may look beyond the pleadings to determine
`whether subject matter jurisdiction exists. Silha, 807 F.3d at 173.
`8
`
`
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 9 of 46 PageID #:1087
`
`for a court engaging in standing analysis, “it is instructive to consider whether an alleged intangible
`
`harm has a close relationship to a harm that has traditionally been regarded as providing a basis
`
`for a lawsuit in English or American courts.” There is common law authority for the proposition
`
`that a plaintiff may sue for breach of contract even where the breach resulted in no harm. See,
`
`e.g., RESTATEMENT (FIRST) OF CONTRACTS ch. 12, topic 2, § 328 (AM. LAW INST. 1932) (“Where a
`
`right of action for breach exists, but no harm was caused by the breach, . . . judgment will be given
`
`for nominal damages, a small sum fixed without regard to the amount of harm.”); see also Spokeo,
`
`136 S. Ct. at 1551 (Thomas, J., concurring) (“Historically, common-law courts possessed broad
`
`power to adjudicate suits involving the alleged violation of private rights, even when plaintiffs
`
`alleged only the violation of those rights and nothing more. . . . ‘Private rights’ have traditionally
`
`included rights of personal security (including security of reputation), property rights, and contract
`
`rights.”). After the parties submitted their briefs, however, the Supreme Court issued an opinion
`
`in Thole holding that participants in a defined-benefit retirement plan, which the Court observed
`
`is “in the nature of a contract,” lack standing to sue a plan manager for breach of fiduciary duties
`
`because they had suffered no monetary injury. 140 S. Ct. at 1618, 1620. This could be construed
`
`to mean that breach of contract, without monetary harm, does not confer standing. Indeed, that
`
`appears to be how, in dissent, Justice Sotomayor interpreted that portion of the majority opinion.
`
`See id. at 1630 (Sotomayor, J., dissenting). Thole concerned a cause of action under ERISA and
`
`does not correctly control the analysis of the issue here.
`
`There is conflicting precedent, but the Seventh Circuit seems to have endorsed Plaintiff’s
`
`standing theory. J.P. Morgan Chase Bank, 760 F.3d at 650–652, which Plaintiff cites, is on point.
`
`In that case, the McDonalds, two customers of J.P. Morgan Chase Bank (“the Bank”), had filed
`
`an arbitration demand against an affiliate of the Bank, J.P. Morgan Securities (“JPMS”), even
`
`though the losses suffered by the McDonalds were in an account held with the Bank itself. Id. at
`
`648–49. The McDonalds’ contract with JPMS required arbitration, but their agreement with the
`
`Bank did not have such a provision and instead included a forum-selection clause that required
`
`
`
`9
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 10 of 46 PageID #:1088
`
`that disputes be litigated in federal or state court. Id. at 649. The Bank sued to enforce the forum-
`
`selection clause, and the Seventh Circuit held that the Bank had standing to enforce it:
`
`The McDonalds’ attempt to arbitrate appears to have violated the clause of their
`contract with the Bank, and the Bank’s claim of the violation is enough to give the
`Bank standing to bring this action to enforce the clause. Formation of a bilateral
`contract requires each party to take on one or more legally binding obligations in
`exchange for the other party doing the same. When one party fails to honor its
`commitments, the other party to the contract suffers a legal injury sufficient to
`create standing even where that party seems not to have incurred monetary loss
`or other concrete harm.
`
`Id. at 650–51. True, J.P. Morgan Chase Bank was decided before Spokeo, 136 S. Ct. at 1548,
`
`where the Court made clear that for an injury to satisfy the concreteness requirement, it “must
`
`actually exist” and cannot be “abstract.” But Defendants have cited no post-Spokeo Seventh
`
`Circuit case that revisits or is at odds with J.P. Morgan Chase Bank.
`
`The court acknowledges pre-Spokeo Seventh Circuit cases cited by the University that
`
`are in some tension with J.P. Morgan Chase Bank, but finds those cases distinguishable. In Silha,
`
`807 F.3d at 171, students sued administrators of the ACT and SAT tests because, even though
`
`the plaintiffs had consented to the administrators sharing their personal information with
`
`educational organizations, the administrators had not told the students that their information would
`
`be sold. Among the claims asserted was an alleged breach of contract, but the Court of Appeals
`
`concluded the plaintiffs lacked standing. Id. at 172, 174–75. In contrast with the case before this
`
`court, where Mr. Dinerstein has adequately alleged the existence of a contract and identified the
`
`terms he claims were breached, the well-pleaded factual allegations in Silha included neither. Id.
`
`at 174–75. Indeed, in the district court, the Silha plaintiffs had not identified a contract breach as
`
`one of their injuries. Silha v. ACT, Inc., No. 14 C 0505, 2014 WL 11370440, at *2 (N.D. Ill. Sept.
`
`2, 2014).
`
`The University also relies on language from two Seventh Circuit data breach cases, but
`
`these too are inapposite. In Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692–94 (7th
`
`Cir. 2015), plaintiffs, whose credit card numbers had been stolen when the defendant department
`
`store’s servers were hacked, alleged that they had “overpaid for the products at Neiman Marcus
`10
`
`
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 11 of 46 PageID #:1089
`
`because the store failed to invest in an adequate security system.” Id. at 694. The court found
`
`these plaintiffs had standing—but not on the basis of plaintiffs’ overpayment theory. Instead, the
`
`court noted other claims: that plaintiffs faced an increased risk of future fraudulent charges,
`
`greater susceptibility to identity theft, and lost time and money expended to protect themselves
`
`from future identity theft and fraudulent charges. The court did note that overpayment can
`
`sometimes confer standing, but “many of those cases [in which overpayment claims conferred
`
`standing] involve products liability claims against defective or dangerous products. Our case
`
`would extend that idea from a particular product to the operation of the entire store . . . . This is a
`
`step we need not, and do not, take in this case.” Id. at 695 (citation omitted). The Seventh Circuit
`
`reiterated its skepticism about such a basis for standing in Lewert v. P.F. Chang’s China Bistro,
`
`Inc., 819 F.3d 963, 968 (7th Cir. 2016) (citation omitted):
`
`Plaintiffs claim that the cost of their meals is an injury because they would not have
`dined at P.F. Chang’s had they known of its poor data security. As we noted in
`Remijas, such arguments have been adopted by courts only where the product
`itself was defective or dangerous and consumers claim they would not have bought
`it (or paid a premium for it) had they known of the defect. The plaintiffs here make
`no such allegations, and we are not inclined to push this theory beyond its current
`scope.
`
`The University argues that these two cases support the proposition that being denied the
`
`benefit of his bargain is insufficient to confer standing on Plaintiff. (Univ. Reply Mem. in Supp. of
`
`Mot. to Dismiss at 3.) As the University sees it, the theory rejected in Remijas and Lewert
`
`concerned breaches of implied contract, which is no different from Mr. Dinerstein’s breach of
`
`express contract theory. (Id. at 3 n.3.) But in those cases, the Seventh Circuit appeared to doubt
`
`that the implied contract between the plaintiff patrons and defendant stores included a promise
`
`that the stores would implement better information security practices. See Lewert, 819 F.3d at
`
`968 (noting that the plaintiffs made no allegations that they would not have dined at P.F. Chang’s
`
`had they known of their security practices). In this case, in contrast, Plaintiff alleges that the
`
`University expressly made certain promises about privacy to Plaintiff, which he has alleged were
`
`breached.
`
`
`
`11
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 12 of 46 PageID #:1090
`
`Out-of-circuit caselaw generally—albeit not universally—confirms this court’s view that
`
`Plaintiff has standing to pursue his contract claims. See Springer v. Cleveland Clinic Emp. Health
`
`Plan Total Care, 900 F.3d 284, 287 (6th Cir. 2018) (citations omitted) (“Like any private contract
`
`claim, his injury does not depend on allegation of financial loss. His injury is that he was denied
`
`the benefit of his bargain. . . . The injury therefore stemmed from traditional principles of contract
`
`law that did not depend on financial harm.”); Kuhns v. Scottrade, Inc., 868 F.3d 711, 716 (8th Cir.
`
`2017) (quoting Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (8th Cir. 2016)) (“[A] party to a
`
`breached contract has a judicially cognizable interest for standing purposes, regardless of the
`
`merits of the breach alleged.”); In re Facebook Internet Tracking Litig., 263 F. Supp. 3d 836, 844
`
`(N.D. Cal. 2017) (“Actual damages are not required to establish standing for contractual claims.”),
`
`aff’d in part, rev’d in part, 956 F.3d 589 (9th Cir. 2020). But see Case v. Miami Beach Healthcare
`
`Grp., Ltd., 166 F. Supp. 3d 1315, 1318–20 (S.D. Fla. 2016) (holding that plaintiff did not have
`
`standing even though she alleged that the defendants “breached their contractual obligation to
`
`protect her sensitive information”); Svenson v. Google Inc., No. 13 C 04080, 2016 WL 8943301,
`
`at *10 (N.D. Cal. Dec. 21, 2016).
`
`In a footnote, the University has cited a number of cases in which courts dismissed cases
`
`for lack of standing, but none of those cases considered claims of standing based on a breach of
`
`contract theory. See Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 879 (N.D. Ill.
`
`2014); Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 754 (W.D.N.Y. 2017); Kahn v.
`
`Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 533 (D. Md. 2016); In re Sci. Applications Int'l
`
`Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 24–31 (D.D.C. 2014). In fact,
`
`these were data breach cases where the courts rejected theories similar to the overpayment
`
`theory considered by the Seventh Circuit in Remijas and Lewert, which the court has already
`
`noted are not on point here. See Fero, 236 F. Supp. 3d at 754 (citation omitted) (“The Excellus
`
`Defendants argue that Plaintiffs cannot establish injury-in-fact based on their alleged
`
`overpayment for health insurance. The Court agrees.”); Kahn, 188 F. Supp. 3d at 533 (rejecting
`
`
`
`12
`
`

`

`Case: 1:19-cv-04311 Document #: 85 Filed: 09/04/20 Page 13 of 46 PageID #:1091
`
`the plaintiff’s claim that she was deprived the full value of her bargain because she did “not allege
`
`any facts showing that she overpaid for those services or that she would have sought those
`
`services from another provider had she been aware of the hospital’s allegedly lax data security”);
`
`SAIC, 45 F. Supp. 3d at 30 (“Plaintiffs have not alleged facts that show that the market value of
`
`their insurance coverage (plus security services) was somehow less than what they paid. Nothing
`
`in the Complaint makes a plausible case that Plaintiffs were cheated out of their premiums.”).
`
`The weight of authority supports the conclusion that Mr. Dinerstein’s allegation that the
`
`University breached an express contract is sufficient for Article III standing purposes. Standing,
`
`however, “‘is not dispensed in gross.’ To the contrary, ‘a plaintiff must demonstrate standing for
`
`each claim he seeks to press and for each form of relief that is sought.’” Town of Chester, N.Y. v.
`
`Laroe Estates, Inc., 137 S. Ct. 1645, 1650 (2017) (citations omitted) (quoting Davis v. Fed.
`
`Election Comm’n, 554 U.S. 724, 734 (2008)). Plaintiff therefore has standing to pursue his
`
`contract claims, including his interference of contract claim against Google,5 but the court will
`
`review his other injuries independently to determine whether he has standing to pursue his
`
`intrusion-upon-seclusion and ICFA claims.
`
`B.
`
`Invasion of Privacy
`
`Second, Plaintiff contends that an invasion of his privacy is an injury in fact sufficient for
`
`Article III standing. (See Pl.’s Mem. in Opp’n to Defs.’ Mots. to D