The Illinois Gaming Board (IGB) has been served with a lawsuit this week by Rick Heidner and Gold Rush Amusements Inc after their personal and sensitive financial information was leaked by the board. The plaintiffs allege that the disclosure was made intentionally and illegally by an IGB employee. 

Additionally, they claim that the IGB compounded the harm by failing to promptly notify them of the unauthorized divulgence, and by taking unfair and improper actions against them, resulting in significant financial and reputational harm.

The lawsuit, filed Tuesday in the Illinois Court of Claims, accuses the IGB of causing substantial harm when an IGB employee intentionally and without authorization disclosed sensitive financial information, including personally identifiable information relating to Gold Rush, Heidner, his wife, two of his children, and other individuals. 

The IGB is legally required to keep this data confidential. The complaint, which alleges breach of fiduciary duties and negligence, seeks the maximum allowable damages of $2m each for Heidner and Gold Rush.

Approximately half of the more than 50 individual victims of the IGB data breach had previous contact with Heidner or Gold Rush, a licensed terminal operator serving more than 500 establishments across Illinois. In addition to immediate and extended family members, the victims include individuals with whom Gold Rush has a contractual relationship under the jurisdiction of the IGB.

According to the complaint, Heidner and his family received the IGB’s data breach notices on January 31, well after the IGB discovered the breach on January 3, and a week after the media had reported the breach. 

A statement from Gold Rush read: “The IGB’s failure to promptly notify Mr Heidner and the other victims and cooperate with them in matters relating to the data breach, as well as its failure to implement and maintain reasonable security measures to protect their private information from unauthorized access and disclosures, violates the Illinois Personal Information Protection Act.”

The lawsuit states: “Despite requiring licensees and associated individuals to hand over a veritable treasure trove of their most sensitive data, the evidence will show that the IGB’s approach to protecting Mr Heidner’s data has been careless and cavalier, at best.” 

By leaking confidential, sensitive personal and financial information, “the IGB has breached the trust and confidence that forms the very foundation of the relationship” between the state gaming agency and its licensees, it adds.

The unauthorized disclosures by an IGB employee to three federal government entities purportedly began the day after the first of a series of articles relating to Heidner was published in the Chicago Tribune. The October 11 article criticized certain real estate partnerships and implied they were not properly disclosed to the IGB. 

“Such insinuations were false, in that Mr Heidner had made complete and accurate disclosures in both Gold Rush’s initial terminal operator license application and in all renewal and related submissions to the IGB,” the suit states.

“These disclosures . . . were made without authorization and were not in response to any valid legal request.” Instead, the suit alleges that an “IGB employee made these unauthorized disclosures to fuel – or at least in response to – negative media coverage the IGB helped generate against Mr Heidner and Gold Rush.”