{"id":2437,"date":"2025-09-25T13:55:16","date_gmt":"2025-09-25T17:55:16","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/classactiondefense\/?p=2437"},"modified":"2025-09-29T10:47:49","modified_gmt":"2025-09-29T14:47:49","slug":"hospital-defeats-wiretap-adtech-class-action-after-texas-federal-court-finds-no-knowing-disclosure-of-protected-health-information","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/classactiondefense\/2025\/09\/25\/hospital-defeats-wiretap-adtech-class-action-after-texas-federal-court-finds-no-knowing-disclosure-of-protected-health-information\/","title":{"rendered":"Hospital Defeats Wiretap Adtech Class Action After Texas Federal Court Finds No Knowing Disclosure Of Protected Health Information"},"content":{"rendered":"
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

By Gerald L. Maatman, Jr., Justin Donoho, and Hayley Ryan<\/strong><\/p>\n\n\n\n

Duane Morris Takeaways: <\/strong>On September 22, 2025, in Sweat v. Houston Methodist Hospital, No. 24-CV-00775, 2025 U.S. Dist. LEXIS 185310 (S.D. Tex. Sept. 22, 2025), Judge Lee H. Rosenthal of the U.S. District Court for the Southern District of Texas granted <\/a>a motion for summary judgment in favor of a hospital accused of violating the federal Wiretap Act through its use of website advertising technology. This decision is significant. In the wave of adtech class actions seeking millions \u2013 sometimes billions \u2013 in statutory damages under the Wiretap Act and similar statutes, the Court held that the Act\u2019s steep penalties (up to $10,000 per violation) were not triggered because the hospital did not knowingly transmit protected health information.<\/em><\/p>\n\n\n\n

Background<\/strong><\/p>\n\n\n\n

This case is part of a rapidly growing line of class actions alleging that website advertising tools \u2013 such as the Meta Pixel, Google Analytics, and other similar website advertising technology, or \u201cadtech,\u201d \u2013secretly capture users\u2019 web-browsing activity and share it with third-party advertising platforms.<\/p>\n\n\n\n

Adtech is ubiquitous, embedded on millions of websites. Plaintiffs\u2019 lawyers frequently invoke the federal Wiretap Act, the Video Privacy Protection Act (VPPA), state invasion-of-privacy statutes like the California Invasion of Privacy Act (CIPA), and even the Illinois Genetic Information Privacy Act (GIPA). Their theory is straightforward: multiply hundreds of thousands of website visitors by $10,000 per alleged Wiretap Act violation and the potential damages skyrocket. While some of these class actions have resulted in multi-million-dollar settlements, others have been dismissed (as we blogged about here<\/a>), and the vast majority remain pending. With some district courts allowing adtech class actions to survive motions to dismiss (as we blogged about here<\/a>), the plaintiffs\u2019 bar continues to file adtech class actions at an aggressive pace.<\/p>\n\n\n\n

In Sweat<\/em>, the plaintiffs sued a hospital, seeking to represent a class of patients whose personal health information was allegedly disclosed by the Meta Pixel installed on the hospital\u2019s website. The district court granted the hospital\u2019s motion to dismiss the state law invasion of privacy claim but allowed the Wiretap Act claim to proceed to discovery. The hospital then moved for summary judgment, arguing that the Wiretap Act\u2019s crime-tort exception did not apply because the hospital lacked knowledge that it was disclosing protected health information.<\/p>\n\n\n\n

Under the Wiretap Act, \u201cparty to the communication\u201d cannot be sued unless it intercepted the communication \u201cfor the purpose of committing any criminal or tortious act.\u201d 18 U.S.C. \u00a7 2511(2)(d). This provision is commonly called the \u201ccrime-tort exception.\u201d The plaintiffs pointed to alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) as the predicate crime to trigger this exception.<\/p>\n\n\n\n

The Court\u2019s Decision<\/strong><\/p>\n\n\n\n

The Court agreed with the hospital and granted summary judgment, holding that the record contained no evidence that the hospital acted with the \u201cpurpose of committing any criminal or tortious act\u201d that would trigger the crime-tort exception. 2025 U.S. Dist. LEXIS 185310, at *13.<\/p>\n\n\n\n

As the Court explained, case law authorities have developed two different approaches to determine \u201cpurpose\u201d under the crime-tort exception. Some courts use the \u201cindependent act\u201d approach, under which the unlawful act must be independent of the interception itself. Other courts have used the \u201cprimary purpose\u201d approach, under which the defendant\u2019s primary motivation must be to commit a crime or tort.<\/p>\n\n\n\n

Applying the \u201cprimary purpose\u201d approach, the Court found \u201cno evidence that [the hospital] acted with the purpose of violating HIPAA\u2026the evidence shows that it did not know it was doing so.\u201d Id<\/em>. at *13. In so holding, the Court cited to the fact that, although the Pixel was installed on \u201carguably sensitive portions\u201d of the hospital\u2019s website, the hospital received only aggregated, anonymized data, and there was no proof it knew any protected health information was being disclosed. Id<\/em>. at *13-14. The Court rejected the plaintiffs\u2019 argument that anonymized aggregate data necessarily originates from identifiable data, emphasizing that Meta\u2019s algorithm could anonymize data \u201cat the input level,\u201d preventing the hospital from receiving identifiable data in the first place. Id.<\/em> at *16.<\/p>\n\n\n\n

Implications For Companies<\/strong><\/p>\n\n\n\n

The Court\u2019s holding in Sweat <\/em>is a significant win for healthcare providers and other defendants facing adtech class actions. This ruling reinforces two key principles. First, knowledge is critical. Like the Wiretap Act\u2019s HIPAA-based crime-tort exception, similar statutes such as the VPPA require a knowing disclosure of identifiable information. If a defendant lacks knowledge that data is tied to specific individuals, liability should not attach. Second, anonymization matters. Where transmissions are encrypted, anonymized, or otherwise inaccessible at the point of input, there may be no \u201cdisclosure\u201d at all.<\/p>\n\n\n\n

For example, the VPPA requires disclosure of a person\u2019s specific video-viewing activity, and GIPA requires disclosure of an identified individual\u2019s genetic information. When adtech merely sends anonymized or encrypted data to third-party algorithms\u2014data that cannot be traced back to a specific person\u2014there is no knowing disclosure.<\/p>\n\n\n\n

Sweat <\/em>provides strong authority for defendants to argue that anonymized adtech transmissions cannot satisfy the statutory knowledge requirements of the Wiretap Act\u2019s HIPAA-based crime-tort exception or similarly worded privacy statutes.<\/p>\n","protected":false},"excerpt":{"rendered":"

By Gerald L. Maatman, Jr., Justin Donoho, and Hayley Ryan Duane Morris Takeaways: On September 22, 2025, in Sweat v. Houston Methodist Hospital, No. 24-CV-00775, 2025 U.S. Dist. LEXIS 185310 (S.D. Tex. Sept. 22, 2025), Judge Lee H. Rosenthal of the U.S. District Court for the Southern District of Texas granted a motion for summary … <\/p>\n

Continue reading “Hospital Defeats Wiretap Adtech Class Action After Texas Federal Court Finds No Knowing Disclosure Of Protected Health Information”<\/span><\/a><\/p>\n","protected":false},"author":575,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[59],"tags":[],"ppma_author":[7,122,145],"class_list":["post-2437","post","type-post","status-publish","format-standard","hentry","category-privacy-class-actions"],"authors":[{"term_id":7,"user_id":575,"is_guest":0,"slug":"gmaatman","display_name":"Gerald L. Maatman, Jr.","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2022\/09\/maatmangerald-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""},{"term_id":122,"user_id":686,"is_guest":0,"slug":"jrdonoho","display_name":"Justin Donoho","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2025\/02\/donohojustin-1-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""},{"term_id":145,"user_id":740,"is_guest":0,"slug":"hhryan","display_name":"Hayley Ryan","avatar_url":{"url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2025\/09\/ryanhayley.jpg","url2x":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2025\/09\/ryanhayley.jpg"},"0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/2437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/users\/575"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/comments?post=2437"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/2437\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/media?parent=2437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/categories?post=2437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/tags?post=2437"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/ppma_author?post=2437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}