Opinion
Civil Action 1:23-CV-5416-TWT
08-28-2024
T.D., individually and on behalf of all others similarly situated, et al., Plaintiffs, v. PIEDMONT HEALTHCARE, INC., Defendant.
OPINION AND ORDER
THOMAS W. THRASH, JR. UNITED STATES DISTRICT JUDGE
This is a putative class action case. It is before the Court on the Plaintiffs' Unopposed Motion to Appoint Interim Co-Lead Class Counsel [Doc. 24], the Defendant Piedmont Healthcare, Inc.'s Motion to Dismiss the Original Complaint [Doc. 25], and the Defendant Piedmont's Motion to Dismiss the Amended Complaint [Doc. 30]. For the reasons set forth below, the Plaintiffs' Unopposed Motion to Appoint Interim Co-Lead Class Counsel [Doc. 24] is GRANTED; Piedmont's Motion to Dismiss the Original Complaint [Doc. 25] is DENIED as moot; and Piedmont's Motion to Dismiss the Amended Complaint [Doc. 30] is GRANTED.
The Court accepts the facts as alleged in the Amended Complaint as true for purposes of the present Motion to Dismiss. Wildling v. DNC Servs. Corp., 941 F.3d 1116, 1122 (11th Cir. 2019).
This case arises from the Defendant Piedmont Healthcare, Inc.'s alleged wrongful disclosure of the Plaintiffs' confidential health information to Facebook through the installation of several data collection and tracking tools on Piedmont's website and its MyChart patient portal. (Am. Compl. ¶¶ 2-3). The Plaintiffs claim that a tracking tool called the Meta Pixel collected their personally identifiable information (PII) and protected health information (PHI) without their consent and then disclosed that information to Facebook in violation of federal and state laws. (Id. ¶¶ 3, 15). The Plaintiffs contend that Piedmont installed the Meta Pixel to optimize its advertising and marketing at the expense of their privacy rights as patients. (Id. ¶¶ 1, 10). They bring claims of (1) invasion of privacy; (2) breach of fiduciary duty; (3) negligence; (4) breach of implied contract; (5) breach of contract; (6) unjust enrichment; and (7) violations of the Electronic Communications Privacy Act. Piedmont now moves to dismiss all claims against it for failure to state a claim.
II. Legal Standard
A complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a “plausible” claim for relief. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); Fed.R.Civ.P. 12(b)(6). A complaint may survive a motion to dismiss for failure to state a claim, however, even if it is “improbable” that a plaintiff would be able to prove those facts; even if the possibility of recovery is extremely “remote and unlikely.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007). In ruling on a motion to dismiss, the court must accept the facts pleaded in the complaint as true and construe them in the light most favorable to the plaintiff. See Quality Foods de Centro Am., S.A. v. Latin Amwi. Agribusiness Dev. Corp., S.A., 711 F.2d 989, 994-95 (11th Cir. 1983); see also Sanjuan v. American Bd. of Psychiatry & Neurology, Inc., 40 F.3d 247, 251 (7th Cir. 1994) (noting that at the pleading stage, the plaintiff “receives the benefit of imagination”). Generally, notice pleading is all that is required for a valid complaint. See Lombard's, Inc. v. Prince Mfg., Inc., 753 F.2d 974, 975 (11th Cir. 1985). Under notice pleading, the plaintiff need only give the defendant fair notice of the plaintiff's claim and the grounds upon which it rests. See Erickson v. Pardus, 551 U.S. 89, 93 (2007) (citing Twombly, 550 U.S. at 555).
III. Discussion
Piedmont moves to dismiss all seven of the Plaintiffs' claims for failure to state a claim. It contends that the Plaintiffs either fail to sufficiently plead one or more elements of the respective claims or plead allegations that bar the claims. (Br. in Supp. of Def.'s Mot. to Dismiss, at 1-2). The Court addresses the claims and the parties' arguments in support thereof in turn.
A. Invasion of Privacy - Intrusion Upon Seclusion (Count I)
As one judge has said recently, “[t]hese days, it is widely understood that when browsing websites, your behavior may be tracked, studied, shared, and monetized. So it may not come as much of a surprise when you see an online advertisement for fertilizer shortly after searching for information about keeping your lawn green. But what about if you visit your hospital's website and browse information about a medical condition that may be of particular concern?” Santoro v. Tower Health, 2024 WL 1773371, at *1 (E.D. Pa. Apr. 24, 2024). This is such a case where expectations of privacy may collide with modern technology. Piedmont contends that the Plaintiffs' intrusion upon seclusion claim should be dismissed because they fail to plausibly plead an intrusion or actionable intent, or that any intrusion was reasonably offensive or objectionable. (Br. in Supp. of Def.'s Mot. to Dismiss, at 6-7). Piedmont first argues that the Plaintiffs fail to allege an intrusion because they willingly provided their private information to Piedmont and because Piedmont's alleged disclosure of that information to Facebook does not constitute an intrusion. (Id. at 7-8). Piedmont also contends that the Plaintiffs fail to plead that it “intended to intrude into any private concern of Plaintiffs in a manner that would be offensive or objectionable to a reasonable person” or that any intrusion was either offensive or objectionable. (Id. at 8-11).
In response, the Plaintiffs argue that Piedmont intruded on their privacy when it used the Meta Pixel to secretly transmit their PII and PHI to a third party for commercial gain. (Resp. Br. in Opp'n to Def.'s Mot. to Dismiss, at 16). They argue that they had a reasonable expectation of privacy in the information they disclosed. (Id. at 17). And they contend that the alleged intrusion was highly offensive and objectionable because it included specific doctors' appointments and personal identifiers from the patient portals where they believed their information was safe and secure. (Id. at 20-21).
“The tort of intrusion involves an unreasonable and highly offensive intrusion upon another's seclusion.” Summers v. Bailey, 55 F.3d 1564, 1566 (11th Cir. 1995). “The ‘unreasonable intrusion' aspect of the invasion of privacy involves a prying or intrusion, which would be offensive or objectionable to a reasonable person, into a person's private concerns.” Yarbray v. S. Bell Tel. & Tel. Co., 261 Ga. 703, 705 (1991) (citation omitted). This tort requires “a plaintiff [to] show a physical intrusion which is analogous to a trespass; however, this ‘physical' requirement can be met by showing that the defendant conducted surveillance on the plaintiff or otherwise monitored [the plaintiff's] activities.” Sitton v. Print Direction, Inc., 312 Ga.App. 365, 369 (2011) (quotation marks and citations omitted).
Cases like this have sprouted like weeds in recent years. In the Court's view, it seems that the weight of authority in similar pixel tracking cases is now solidly in favor of Piedmont's argument. There is no intrusion upon privacy when a patient voluntarily provides personally identifiable information and protected health information to his or her healthcare provider. See Allen v. Novant Health, Inc., 2023 WL 5486240, at *2 (M.D. N.C. Aug. 24, 2023) (“Because the plaintiffs acknowledge in the complaint that they voluntarily provided their information directly to Novant . . . they have not alleged an intrusion or unauthorized prying and this claim is dismissed.”); Okash v. Essentia Health, 2024 WL 1285779, at *7 (D. Minn. Mar. 26, 2024) (“Because Okash voluntarily provided his data to Essentia, Essentia did not intrude upon his seclusion and the Court will dismiss Count I.”); Steinberg v. CVS Caremark Corp., 899 F.Supp.2d 331, 342-43 (E.D. Pa. 2012) (“The plaintiffs acknowledge that they voluntarily disclosed the information later disseminated by the defendants, and argue that their claim is premised not on the receipt of that information but instead on its sale to third parties This argument is unavailing. In Pennsylvania, liability for intrusion upon seclusion cannot exist where a defendant legitimately obtains information from a plaintiff.”); Kurowski v. Rush Sys. for Health, 659 F.Supp.3d 931, 944 (N.D. Ill. 2023); Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709, at *9 (W.D. Wash. May 13, 2024) (“Because Plaintiff voluntarily shared her information with Defendant, there was no intrusion upon Plaintiff's solitude, seclusion, or private affairs by Defendant.”). But see, In re Grp. Health Plan Litig., 2023 WL 8850243 (D. Minn. Dec. 21, 2023) (Patients adequately alleged that health care organization committed intentional intrusion into their seclusion, as required to state claim for intrusion upon seclusion under Minnesota law; patients alleged that organization deliberately integrated tracking tool into its website and servers which intercepted and shared communications with third parties, including social media company). The motion to dismiss should thus be granted as to the intrusion upon seclusion claim.
B. Breach of Fiduciary Duty (Count II)
Piedmont next contends that the Plaintiffs' breach of fiduciary duty claim should be dismissed because they fail to plausibly plead a breach of any fiduciary duty, causation, or damages. (Br. in Supp. of Def.'s Mot. to Dismiss, at 11-14). It argues that Georgia law does not recognize a health provider's duty to refrain from sending encrypted versions of private patient information to third parties or to notify the patient of such disclosures. (Id. at 11). Piedmont also claims that “the provision of encrypted information only to Facebook was caused by Plaintiffs' own provision and consent to such, not by any alleged breach of fiduciary duty by Piedmont.” (Id. at 12). Finally, Piedmont contends that the Plaintiffs fail to plausibly plead any damages, framing their “overpayment, underpayment, and mitigation damages” theories as insufficient to state a claim. (Id. at 12-14). In response, the Plaintiffs argue that “Piedmont has a well-recognized fiduciary duty as a healthcare provider and covered entity under HIPAA to safeguard its patients' Private Information.” (Resp. Br. in Opp'n to Def.'s Mot. to Dismiss, at 6-7). The Plaintiffs also contend that they plausibly allege both causation and damages sufficient to state a claim for breach of fiduciary duty. (Id. at 8-9, 13-16).
Under Georgia law, “a claim for breach of fiduciary duty requires proof of three elements: (1) the existence of a fiduciary duty; (2) breach of that duty; and (3) damage proximately caused by the breach.” Bedsole v. Action Outdoor Advert. JV, LLC, 325 Ga.App. 194, 201 (2013) (citation omitted). Fiduciary duties exist “where one party is so situated as to exercise a controlling influence over the will, conduct, and interest of another or where, from a similar relationship of mutual confidence, the law requires the utmost good faith, such as the relationship between partners, principal and agent, etc.” Id. (citing O.C.G.A. § 23-2-58).
The existence of a confidential or fiduciary relationship is a question for the jury. Such relationship may be created by law, contract, or the facts of a particular case. Moreover, because a confidential relationship may be found whenever one party is justified in reposing confidence in another, the existence of this relationship is generally a factual matter for the jury to resolve.Id. (citation omitted). This court has recognized that a defendant's provision of medical care to a plaintiff could suggest a confidential relationship sufficient to state a claim for breach of fiduciary duty. Purvis v. Aveanna Healthcare, LLC, 563 F.Supp.3d 1360, 1383 (N.D.Ga. 2021). But this court has also foreclosed certain types of damages claims, like the ones the Plaintiffs make here, in cases involving alleged data privacy breaches. See, e.g., Everhart v. Colonial Pipeline Co., 2022 WL 3699967, *2-5 (N.D.Ga. July 22, 2022); Provost v. Aptos, Inc., 2018 WL 1465766, at *4 (N.D.Ga. Mar. 12, 2018).
The Court finds that the Plaintiffs have failed to state a plausible claim for breach of fiduciary duty against Piedmont. Although this court in Purvis noted that a defendant's provision of medical care to a plaintiff could support a claim for breach of fiduciary duty, the Plaintiffs here fail to plausibly plead damages to support their claim. The Plaintiffs identify their damages as including the following:
(i) invasion of privacy, including increased spam and targeted advertising they did not ask for; (ii) loss of confidentiality;
(iii) embarrassment, emotional distress, humiliation and loss of enjoyment of life; (iv) lost time and opportunity costs associated with attempting to mitigate the consequences of the disclosure of their Private Information; (v) loss of benefit of the bargain;
(vi) diminution of value of Private Information and (vii) the continued and ongoing risk to their Private Information.(Resp. Br. in Opp'n to Def.'s Mot. to Dismiss, at 13). These damages are alleged in the identical conclusory fashion for each of the identified Plaintiffs. No facts are alleged that any of the Plaintiffs have actually suffered any of these damages. No facts are alleged that would explain how receiving targeted advertisements from Facebook and Piedmont would plausibly cause any of the Plaintiffs to suffer these damages. This is not a case where the Plaintiffs' personal information was stolen by criminal hackers with malicious intent. The Plaintiffs received targeted advertisements because they are Facebook users and have Facebook IDs. The Court finds the Plaintiffs' damages theories untenable. Indeed, this court has rejected many identical theories arising under similar circumstances. See Everhart, 2022 WL 3699967, *2-5; Provost, 2018 WL 1465766, at *4. The better view from other courts around the country is that these types of damage claims are not actionable. See Steinberg v. CVS Caremark Corp., 899 F.Supp.2d 331, 339-40 (E.D. Pa. 2012) (“Other district courts examining the issue have found that the collection and sale of this kind of information does not carry a compensable value to consumers, and cannot sustain a finding of injury without a specific showing that the plaintiff has sustained a resulting loss.”). Accordingly, the Plaintiffs' claim for breach of fiduciary duty should be dismissed without prejudice.
C. Negligence, Breach of Contract, and Unjust Enrichment (Counts III-VI)
Piedmont also moves to dismiss the Plaintiffs' claims for negligence, negligence per se, breach of implied contract, breach of express contract, and unjust enrichment. (Br. in Supp. of Def.'s Mot. to Dismiss, at 14-22). For the same reasons as discussed above, the Court concludes that the Plaintiffs fail to state a claim for negligence, breach of contract, or unjust enrichment because they fail to plead actionable damages or unjust enrichment of Piedmont. Accordingly, their negligence, breach of implied/express contract, and unjust enrichment claims should be dismissed without prejudice.
D. Violations of the Electronic Communications Privacy Act (Count VII)
Finally, Piedmont moves to dismiss the Plaintiffs' claim for violations of the Electronic Communications Privacy Act, arguing that they fail to plausibly allege an interception or a purpose to commit a crime or tort. (Br. in Supp. of Def.'s Mot. to Dismiss, at 22-25). It argues that Piedmont could not have intercepted the same transmission it received on its website, nor could it have acted with a tortious or criminal purpose in seeking to drive marketing and revenue. (Id. at 23-24). In response, the Plaintiffs contend that they state a plausible ECPA claim, arguing that Piedmont intercepted the contents of their PII and PHI when it acquired such information through the Meta Pixel on its website and that the party exception is inapplicable because Piedmont acted with criminal and tortious intent in “wiretapping” their PII and PHI. (Resp. Br. in Opp'n to Def.'s Mot. to Dismiss, at 27-30).
The ECPA “prohibits the unauthorized interception of electronic communication and the intentional disclosure or use of the contents of an intercepted communication.” In re Grp. Health Plan, 2023 WL 8850243, at *6 (citing 18 U.S.C. § 2511(1)(a), (c), (d)).
Section 2511(2)(d) of the statute provides a “party exception” when the person intercepting a communication “is a party to the communication or where one of the parties to the communication has given prior consent to such interception.” This “party exception” does not apply, however, if the “communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State”-known as the “criminal or tortious exception” or the “crime-tort exception.”Id. (citation omitted). As was the case in the invasion of privacy context, the weight of persuasive authority in similar pixel tracking cases supports Piedmont's position. See In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 142-43 (3d Cir. 2015) (“Because the defendants were the intended recipients of the transmissions at issue-i.e. GET requests that the plaintiffs' browsers sent directly to the defendants' servers-we agree that § 2511(2)(d) means the defendants have done nothing unlawful under the Wiretap Act.”); Allen v. Novant Health, Inc., 2023 WL 5486240, at *4 (M.D. N.C. Aug. 24, 2023); Kurowski v. Rush Sys. for Health, 659 F.Supp.3d 931, 938 (N.D. Ill. 2023) (“The Court concludes that Rush-and not Facebook, Google, or Bidtellect-was the intended recipient of the allegedly intercepted communications here. Rush is therefore a party to those communications and cannot be liable under the Wiretap Act for its alleged interception of them, if such an interception even occurred.”); Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709, at *15 (W.D. Wash. May 13, 2024); Santoro v. Tower Health, 2024 WL 1773371, at *3-4 (E.D. Pa. Apr. 24, 2024); Crowley v. Cybersource Corp., 166 F.Supp.2d 1263, 1268-71 (N.D. Ca. 2001); Okash v. Essentia Health, 2024 WL 1285779, at *3-4 (D. Minn. Mar. 26, 2024). Accordingly, the ECPA claim should be dismissed.
IV. Conclusion
For the foregoing reasons, the Plaintiffs' Unopposed Motion to Appoint Interim Co-Lead Class Counsel [Doc. 24] is GRANTED; Piedmont's Motion to Dismiss the Original Complaint [Doc. 25] is DENIED as moot; and Piedmont's Motion to Dismiss the Amended Complaint [Doc. 30] is GRANTED.
SO ORDERED