District Court Dismisses Data Privacy Class Action Against Health Care System For Failure To Sufficiently Allege Disclosure of PHI

By Gerald L. Maatman, Jr., Jennifer A. Riley, Justin Donoho, and Ryan T. Garippo

Duane Morris Takeaways:  On June 10, 2024, in Smart, et al. v. Main Line Health, Inc., No. 22-CV-5239, 2024 WL 2943760 (E.D. Pa. June 10, 2024), Judge Kai Scott of the U.S. District Court for the Eastern District of Pennsylvania dismissed in its entirety a class action complaint alleging that a nonprofit health system’s use of website advertising technology disclosed the plaintiff’s protected health information (“PHI”) in violation of the federal wiretap act and in commission of the common-law torts of negligence and invasion of privacy.  The ruling is significant because it shows that such claims cannot surmount Rule 12(b)(6)’s plausibility standard without specifying the PHI allegedly disclosed.

Background

This case is one of the hundreds of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web browsing data and sent it to Meta, Google, and other online advertising agencies.  This software, often called website advertising technologies or “adtech” is a common feature on many websites in operation today; millions of companies and governmental organizations utilize it.  (See, e.g., Customer Data Platform Institute, “Trackers and Pixels Feeding Data Broker Stores” (reporting that “47% of websites using Meta Pixel, including 55% of S&P 500, 58% of retail, 42% of financial, and 33% of healthcare”); BuiltWith, “Facebook Pixel Usage Statistics” (offering access to data on over 14 million websites using the Meta Pixel and stating “[w]e know of 5,861,028 live websites using Facebook Pixel and an additional 8,181,093 sites that used Facebook Pixel historically and 2,543,263 websites in the United States”).)

In these lawsuits, plaintiffs generally allege that the defendant organization’s use of adtech violated federal and state wiretap statutes, consumer fraud statutes, and other laws, and they often seek hundreds of millions of dollars in statutory damages.  Plaintiffs have focused the bulk of their efforts to date on healthcare providers, but they have filed suits that span nearly every industry including retailers, consumer products, and universities.

In Smart, 2024 WL 2943760, at *1, Plaintiff brought suit against Main Line Health, Inc. (“Main Line”), “a non-profit health system.”  According to Plaintiff, Main Line installed the Meta Pixel on its public-facing website – not on its secure patient portal, id. at *1 n.2 – and thereby transmitted web-browsing information entered by users on the public-facing website such as:

“characteristics of individual patients’ communications with the [Main Line] website (i.e., their IP addresses, Facebook ID, cookie identifiers, device identifiers and account numbers) and the content of these communications (i.e., the buttons, links, pages, and tabs they click and view).”

Id. (quotations omitted).

Based on these allegations, Plaintiff alleged claims for violation of the Electronic Communications Privacy Act (ECPA), negligence, and invasion of privacy.  Main Line moved to dismiss under Rule 12(b)(6) for failure to state sufficient facts that, if accepted as true, would state a claim for relief that is plausible on its face.

The Court’s Opinion

The Court agreed with Main Line and dismissed all three of Plaintiff’s claims.

To state a claim for violation of the ECPA, also known as the federal wiretap act, a plaintiff must show an intentional interception of the contents of an electronic communication using a device.  Main Line, 2024 WL 2943760, at *3.  The ECPA is a one-party consent statute, meaning that there is no liability under the statute for any party to the communication “unless such communication is intercepted for the purposes of committing a criminal or tortious act in violation of the Constitution or laws of the United States or any State.”  Id. (quoting 18 U.S.C. § 2511(2)(d)); 18 U.S.C. § 2511(2)(d).

Plaintiff argued that he plausibly alleged Main Line’s criminal or tortious purpose because, under the Health Insurance Portability and Accountability Act (“HIPAA”), it is a federal crime for a health care provider to knowingly disclose PHI to another person.  The district court rejected this argument, finding Plaintiff failed to allege sufficient facts to support an inference that Main Line disclosed his PHI.  As the district court explained: “Plaintiff has not alleged which specific web pages he clicked on for his medical condition or his history of treatment with Main Line Health.”  Id. at 3 (collecting cases).

In short, the district court concluded that Plaintiff’s failure to sufficiently allege PHI was reason alone for the Court to dismiss Plaintiff’s ECPA claim.  Thus, the district court did not need to address other reasons that may have required dismissal of Plaintiff’s ECPA claims, such as (1) lack of criminal or tortious intent even if PHI had been sufficiently alleged, see, e.g., Katz-Lacabe v. Oracle Am., Inc., 668 F. Supp. 3d 928, 945 (N.D. Cal. 2023) (dismissing wiretap claim because defendant’s “purpose has plainly not been to perpetuate torts on millions of Internet users, but to make money”); Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709, at *15 (W.D. Wash. May 13, 2024) (dismissing wiretap claim because “Plaintiff fails to plead a tortious or criminal use of the acquired communications, separate from the recording, interception, or transmission”); and (2) lack of any interception, see, e.g., Allen v. Novant Health, Inc., 2023 WL 5486240, at *4 (M.D.N.C. Aug. 24, 2023) (dismissing wiretap claim because an intended recipient cannot “intercept”); Glob. Pol’y Partners, LLC v. Yessin, 686 F. Supp. 2d 631, 638 (E.D. Va. 2009) (dismissing wiretap claim because the communication was sent as a different communication, not “intercepted”).

On Plaintiff’s remaining claims, the district court held that lack of sufficiently pled PHI defeated the causation element of Plaintiff’s negligence claim and defeated the element of Plaintiff’s invasion of privacy claim that any intrusion must have been “highly offensive to a reasonable person.”  Main Line, 2024 WL 2943760, at *4.

Implications For Companies

The holding of Main Line is a win for adtech class action defendants and should be instructive for courts around the country.  Other courts already have described the statutory damages imposed by ECPA as “draconian.”  See, e.g., DIRECTTV, Inc. v. Beecher, 296 F. Supp. 2d 937, 943 (S.D. Ind. 2003).  Main Line shows that, for adtech plaintiffs to plausibly plead claims for ECPA violations, negligence, or invasion of privacy, they at least need to identify what allegedly private information allegedly was disclosed via the adtech, in addition to surmounting additional hurdles under ECPA such as plausibly pleading criminal or tortious intent and an interception.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress