{"id":1528,"date":"2024-06-19T17:40:57","date_gmt":"2024-06-19T21:40:57","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/classactiondefense\/?p=1528"},"modified":"2024-06-19T17:40:57","modified_gmt":"2024-06-19T21:40:57","slug":"district-court-dismisses-data-privacy-class-action-against-health-care-system-for-failure-to-sufficiently-allege-disclosure-of-phi","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/classactiondefense\/2024\/06\/19\/district-court-dismisses-data-privacy-class-action-against-health-care-system-for-failure-to-sufficiently-allege-disclosure-of-phi\/","title":{"rendered":"District Court Dismisses Data Privacy Class Action Against Health Care System For Failure To Sufficiently Allege Disclosure of PHI"},"content":{"rendered":"

\"\"<\/a>By Gerald L. Maatman, Jr., Jennifer A. Riley, Justin Donoho, and Ryan T. Garippo<\/strong><\/p>\n

Duane Morris Takeaways:<\/em><\/strong>\u00a0 On June 10, 2024, in Smart, et al. v. Main Line Health, Inc., No. 22-CV-5239, 2024 WL 2943760 (E.D. Pa. June 10, 2024), Judge Kai Scott of the U.S. District Court for the Eastern District of Pennsylvania dismissed in its entirety<\/a>\u00a0a class action complaint alleging that a nonprofit health system\u2019s use of website advertising technology disclosed the plaintiff\u2019s protected health information (\u201cPHI\u201d) in violation of the federal wiretap act and in commission of the common-law torts of negligence and invasion of privacy.\u00a0 The ruling is significant because it shows that such claims cannot surmount Rule 12(b)(6)\u2019s plausibility standard without specifying the PHI allegedly disclosed.<\/em><\/p>\n

Background<\/strong><\/p>\n

This case is one of the hundreds of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants\u2019 websites secretly captured plaintiffs\u2019 web browsing data and sent it to Meta, Google, and other online advertising agencies.\u00a0 This software, often called website advertising technologies or \u201cadtech\u201d is a common feature on many websites in operation today; millions of companies and governmental organizations utilize it.\u00a0 (See, e.g.<\/em>, Customer Data Platform Institute, \u201cTrackers and Pixels Feeding Data Broker Stores<\/a>\u201d (reporting that \u201c47% of websites using Meta Pixel, including 55% of S&P 500, 58% of retail, 42% of financial, and 33% of healthcare\u201d); BuiltWith, \u201cFacebook Pixel Usage Statistics<\/a>\u201d (offering access to data on over 14 million websites using the Meta Pixel and stating \u201c[w]e know of 5,861,028 live websites using Facebook Pixel and an additional 8,181,093 sites that used Facebook Pixel historically and 2,543,263 websites in the United States\u201d).)<\/p>\n

In these lawsuits, plaintiffs generally allege that the defendant organization\u2019s use of adtech violated federal and state wiretap statutes, consumer fraud statutes, and other laws, and they often seek hundreds of millions of dollars in statutory damages.\u00a0 Plaintiffs have focused the bulk of their efforts to date on healthcare providers, but they have filed suits that span nearly every industry including retailers, consumer products, and universities.<\/p>\n

In Smart<\/em>, 2024 WL 2943760, at *1, Plaintiff brought suit against Main Line Health, Inc. (\u201cMain Line\u201d), \u201ca non-profit health system.\u201d\u00a0 According to Plaintiff, Main Line installed the Meta Pixel on its public-facing website \u2013 not on its secure patient portal, id. <\/em>at *1 n.2 \u2013 and thereby transmitted web-browsing information entered by users on the public-facing website such as:<\/p>\n

\u201ccharacteristics of individual patients\u2019 communications with the [Main Line] website (i.e.<\/em>, their IP addresses, Facebook ID, cookie identifiers, device identifiers and account numbers) and the content of these communications (i.e.<\/em>, the buttons, links, pages, and tabs they click and view).\u201d<\/p>\n

Id.<\/em> (quotations omitted).<\/p>\n

Based on these allegations, Plaintiff alleged claims for violation of the Electronic Communications Privacy Act (ECPA), negligence, and invasion of privacy.\u00a0 Main Line moved to dismiss under Rule 12(b)(6) for failure to state sufficient facts that, if accepted as true, would state a claim for relief that is plausible on its face.<\/p>\n

The Court\u2019s Opinion<\/strong><\/p>\n

The Court agreed with Main Line and dismissed all three of Plaintiff\u2019s claims.<\/p>\n

To state a claim for violation of the ECPA, also known as the federal wiretap act, a plaintiff must show an intentional interception of the contents of an electronic communication using a device.\u00a0 Main Line<\/em>, 2024 WL 2943760, at *3.\u00a0 The ECPA is a one-party consent statute, meaning that there is no liability under the statute for any party to the communication \u201cunless such communication is intercepted for the purposes of committing a criminal or tortious act in violation of the Constitution or laws of the United States or any State.\u201d \u00a0Id.<\/em> (quoting 18 U.S.C. \u00a7 2511(2)(d)); 18 U.S.C. \u00a7 2511(2)(d).<\/p>\n

Plaintiff argued that he plausibly alleged Main Line\u2019s criminal or tortious purpose because, under the Health Insurance Portability and Accountability Act (\u201cHIPAA\u201d), it is a federal crime for a health care provider to knowingly disclose PHI to another person.\u00a0 The district court rejected this argument, finding Plaintiff failed to allege sufficient facts to support an inference that Main Line disclosed his PHI.\u00a0 As the district court explained: \u201cPlaintiff has not alleged which specific web pages he clicked on for his medical condition or his history of treatment with Main Line Health.\u201d\u00a0 Id. <\/em>at 3 (collecting cases).<\/p>\n

In short, the district court concluded that Plaintiff\u2019s failure to sufficiently allege PHI was reason alone for the Court to dismiss Plaintiff\u2019s ECPA claim.\u00a0 Thus, the district court did not need to address other reasons that may have required dismissal of Plaintiff\u2019s ECPA claims, such as (1) lack of criminal or tortious intent even if PHI had been sufficiently alleged, see, e.g.<\/em>, Katz-Lacabe v. Oracle Am., Inc.<\/em>, 668 F. Supp. 3d 928, 945 (N.D. Cal. 2023) (dismissing wiretap claim because defendant\u2019s \u201cpurpose has plainly not been to perpetuate torts on millions of Internet users, but to make money\u201d); Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709<\/em>, at *15 (W.D. Wash. May 13, 2024) (dismissing wiretap claim because \u201cPlaintiff fails to plead a tortious or criminal use of the acquired communications, separate from the recording, interception, or transmission\u201d); and (2) lack of any interception, see, e.g., Allen v. Novant Health, Inc.<\/em>, 2023 WL 5486240, at *4 (M.D.N.C. Aug. 24, 2023) (dismissing wiretap claim because an intended recipient cannot \u201cintercept\u201d); Glob. Pol\u2019y Partners, LLC v. Yessin<\/em>, 686 F. Supp. 2d 631, 638 (E.D. Va. 2009) (dismissing wiretap claim because the communication was sent as a different communication, not \u201cintercepted\u201d).<\/p>\n

On Plaintiff\u2019s remaining claims, the district court held that lack of sufficiently pled PHI defeated the causation element of Plaintiff\u2019s negligence claim and defeated the element of Plaintiff\u2019s invasion of privacy claim that any intrusion must have been \u201chighly offensive to a reasonable person.\u201d\u00a0 Main Line<\/em>, 2024 WL 2943760, at *4.<\/p>\n

Implications For Companies<\/strong><\/p>\n

The holding of Main Line<\/em> is a win for adtech class action defendants and should be instructive for courts around the country.\u00a0 Other courts already have described the statutory damages imposed by ECPA as \u201cdraconian.\u201d\u00a0 See, e.g., DIRECTTV, Inc. v. Beecher<\/em>, 296 F. Supp. 2d 937, 943 (S.D. Ind. 2003).\u00a0 Main Line <\/em>shows that, for adtech plaintiffs to plausibly plead claims for ECPA violations, negligence, or invasion of privacy, they at least need to identify what allegedly private information allegedly was disclosed via the adtech, in addition to surmounting additional hurdles under ECPA such as plausibly pleading criminal or tortious intent and an interception.<\/p>\n","protected":false},"excerpt":{"rendered":"

By Gerald L. Maatman, Jr., Jennifer A. Riley, Justin Donoho, and Ryan T. Garippo Duane Morris Takeaways:\u00a0 On June 10, 2024, in Smart, et al. v. Main Line Health, Inc., No. 22-CV-5239, 2024 WL 2943760 (E.D. Pa. June 10, 2024), Judge Kai Scott of the U.S. District Court for the Eastern District of Pennsylvania dismissed … <\/p>\n

Continue reading “District Court Dismisses Data Privacy Class Action Against Health Care System For Failure To Sufficiently Allege Disclosure of PHI”<\/span><\/a><\/p>\n","protected":false},"author":583,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[59],"tags":[],"ppma_author":[30],"class_list":["post-1528","post","type-post","status-publish","format-standard","hentry","category-privacy-class-actions"],"authors":[{"term_id":30,"user_id":583,"is_guest":0,"slug":"classactiondefense","display_name":"Class Action Defense","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2020\/10\/dmlogo.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/1528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/users\/583"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/comments?post=1528"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/1528\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/media?parent=1528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/categories?post=1528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/tags?post=1528"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/ppma_author?post=1528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}