Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358

Board printed, packaged, and mailed a COBRA enrollment list to 1,700+ former CPS employees containing names, addresses, Social Security numbers, marital status, and health-insurance details.
Board learned of the disclosure on November 26, 2006 and requested return/destroy; offered one year of free credit protection on December 8, 2006.
Multiple plaintiffs filed consolidated actions alleging violations of the Personal Information Protection Act (PIPA), Consumer Fraud Act, HIPAA (via §1983), common-law privacy, state privacy clause, negligent infliction of emotional distress, negligence, and breach of fiduciary duty.
Trial court dismissed all claims with prejudice; plaintiffs appeal the dismissal except for the privacy clause claim.
The court reviews de novo the dismissals under sections 2-615 and 2-619; the core issue is whether a duty to safeguard personal information exists under statutory/constitutional law, and whether any viable claims remain after considering HIPAA, PIPA, CFA, privacy torts, and related theories.
The Board’s disclosure is at issue, not merely its possession of records; the majority holds HIPAA does not create a duty here and PIPA requires only notice, which was provided; several claims are properly dismissed for lack of duty, lack of statutory support, or lack of damages.

Issue	Plaintiff's Argument	Defendant's Argument	Held
Whether HIPAA creates a private duty for the Board	Plaintiffs contend HIPAA implies a new duty to safeguard information	HIPAA does not apply because employment records are excluded and no private right of action exists	HIPAA does not create a private duty; dismissal affirmed
Whether PIPA imposes a duty beyond notice of a breach	Statute creates broader duty to prevent disclosures	Statute requires notice only; Board complied	PIPA duty limited to notice; dismissal affirmed
Whether there is a viable common-law negligence or emotional-distress claim	Duty to safeguard exists and breach caused harm	No duty established under HIPAA/PIPA; no negligence	No viable duty; negligence claims dismissed
Whether CFA claims survive given damages requirements	Credit-monitoring purchases constitute damages; Board as a consumer	Board not a ‘person’ under CFA; damages not shown	CFA claims fail; Board not a CFA “person”; no proven actual damages

Solaia Technology, LLC v. Speciality Publishing Co., 221 Ill. 2d 558 (Ill. 2006) (de novo review of dismissals; standard for 2-615/2-619)
Marshall v. Burger King Corp., 222 Ill. 2d 422 (Ill. 2006) (standards for dismissals under 2-615/2-619)
Washington v. City of Chicago, 188 Ill. 2d 235 (Ill. 1999) (duty analysis; when no duty, no negligence)
Kalata v. Anheuser-Busch Cos., 144 Ill. 2d 425 (Ill. 1991) (statute violation as prima facie negligence evidence)
Busse v. Motorola, Inc., 351 Ill. App. 3d 67 (Ill. App. 2004) (privacy tort framework; private facts/private intrusion analysis)
Giangiulio v. Ingalls Memorial Hospital, 365 Ill. App. 3d 823 (Ill. App. 2006) (HIPAA term includes names, addresses, SSNs as identifiable health information)
Board of Education of the City of Chicago v. A, C & S, Inc., 131 Ill. 2d 428 (Ill. 1989) (definitions and scope of entities under CFA)