Opinion
CV-23-00434-TUC-SHR
09-30-2024
George Williams, et al., Plaintiffs, v. TMC Health, Defendant.
ORDER GRANTING MOTION TO DISMISS
Honorable Scott H. Rash, United States District Judge.
Pending before the Court is Defendant's “Motion to Dismiss Amended Complaint” (Doc. 19). The Motion to Dismiss is fully briefed and the Court held oral argument on August 14, 2024. (Docs. 19-1, 20, 23, 36.) For the following reasons, the Court grants the Motion to Dismiss.
I. Background
Defendant TMC Health is a healthcare system in Southern Arizona serving patients via several hospitals and clinics. (Doc. 13 ¶ 1.) Plaintiffs are people who have visited TMC's public website and have used the website to access the patient portal. (Id. ¶¶ 2124.) This putative class action raises six claims based on Defendant's use of online tracking technologies from Meta, LinkedIn, Snapchat, Google, CallRail, and potentially other third parties (collectively, “tracking technologies”) on its public website, www.tmcaz.com (the “Website”). (Id. ¶¶ 1, 9.) ....
A. The Website & Technologies Involved
Defendant's Website allows visitors “to search for doctors, research conditions and symptoms,” “sign up for classes and events,” and “seek further information” related to sensitive healthcare topics. (Doc. 13 ¶¶ 1, 82.) “The Website's landing page has a dropdown menu of options, including ‘request my medical records.'” (Id. ¶ 76.) TMC patients can also access the patient portal from Defendant's Website, but the patient portal is a “user-authenticated webpage[],” which means patients are required to log in by providing a user name and password before they are able to access the patient portal. (Id. ¶¶ 21-24, 120, 191.)
Plaintiffs do not allege any disclosure of data related to how they used Defendant's privatepatient portal.
Unbeknownst to the Website's visitors, Defendant embeds code on its Website, allowing third-party technology companies to “intercept and record the visitors' activities on the Website in real-time, including specific searches for sensitive health-related topics.” (Doc. 13 ¶ 2.) These technologies include the Meta Pixel (“Pixel”) and similar tracking technologies. (Id. ¶ 7.) When Pixel code is embedded on a third-party website, like
Although Plaintiffs include detailed descriptions of how each technology operates in their Amended Complaint, the Court will not restate those details in full here because nothing about the specifics of each technology involved changes the legal analysis. Therefore, the Court will treat these technologies together for its analysis.
Defendant's Website, Pixel “tracks the website visitor's activity on that website and sends that data,” including “mouse clicks, words typed into search bars, and pages visited on the website,” to Meta. (Id. ¶ 6.)
Generally, Pixel and related technologies interact with communications between a browser and a server. “Web browsers are software applications that allow consumers to navigate the web and view and exchange electronic information and communications over the internet.” (Doc. 13 ¶ 50.) “Each ‘client device' (such as computer, tablet, or smart phone) accesses web content through a web browser (e.g., Google's Chrome browser, Mozilla's Firefox browser, Apple's Safari browser, and Microsoft's Edge browser).” (Id.) “Every website is hosted by a computer ‘server' that holds the website's contents and through which the entity in charge of the website exchanges communications with Internet users' client devices via their web browsers.” (Id. ¶ 51.)
A user's web browser communicates with a website's server by sending an HTTP Request, most commonly in the form of a GET Request, and the server communicates back by sending an HTTP Response. (Doc. 13 ¶ 52.) “In addition to specifying a particular URL (i.e., web address), GET Requests can also send data to the host server embedded inside the URL, and can include cookies.” (Id.) Other types of HTTP Requests send even more data. For example, a POST Request “can send a large amount of data outside of the URL (for instance, uploading a PDF for filing a motion to a court).” (Id.) Cookies are small text files “used to store information on the client device that can later be communicated to a server or servers.” (Id.) “Cookies are sent with HTTP Requests from client devices to the host server.” (Id.) After receiving an HTTP Request asking the server to retrieve certain information (such as a webpage), the “HTTP Response sends the requested information in the form of ‘Markup.'” (Id. ¶ 53.) “This is the foundation for the pages, images, words, buttons, and other features that appear on the individual's screen as they navigate” a website. (Id.) “Every website is composed of Markup and ‘Source Code.' Source Code is a set of instructions that commands the website visitor's browser to take certain actions when the web page first loads or when a specified event triggers the code.” (Id. ¶ 54.)
Specifically, when a person visits Defendant's Website, i.e. the person's web browser sends an HTTP Request to Defendant's server, “the server sends an HTTP Response including the Markup that displays the webpage visible to the user along with the invisible Source Code that includes the Pixel.” (Doc. 13 ¶ 56.) After this initial communication, the source code containing Pixel then operates to transmit data back to Meta's servers and Defendant's server. (Id.) This data “is also linked to a specific IP address, which Meta may use in combination with other cookies and tracking technologies to associate the web activity to a specific Facebook user.” (Id. ¶ 57.) “Meta does this by placing cookies,” like the “cuser” cookie, which “contains a numerical value known as the Facebook ID” that “uniquely identifies a Facebook user,” in the web browsers of users logged into their services. (Id. ¶ 58.) Therefore, “[w]hen a Facebook user visits the Defendant's Website while logged-in to their Facebook account,” Pixel sends the user's “web communications with the Defendant along with the ‘cuser' cookie” to Meta. (Id.) “Meta can then use this information to match the web communications with the user's Facebook ID.” (Id.)
By embedding these technologies into the Website's source code, data about a user's visits to the Website, “including the URL, referrer, IP address, device and browser characteristics (User Agent),” and searched terms, are shared with third parties including Meta, LinkedIn, Snapchat, Google, and CallRail. (Doc. 13 ¶¶ 56, 70-76, 80-84, 86-89, 91-94.) Defendant embedded these technologies into the Website and shared the data with third parties “to increase its own profits through sophisticated and targeted advertising and to improve its website analytics.” (Id. ¶ 2; see also id. ¶¶ 12, 73, 83, 89, 108, 187.) Plaintiff's never consented to share their data with these third parties. (Id. ¶¶ 65, 77, 85, 90, 95.)
B. Regulatory Landscape
Pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Secretary of the Department of Health and Human Services has promulgated various regulations to ensure the confidentiality of individuals' health information and protect against “unauthorized uses or disclosures of the information.” 42 U.S.C. § 1320d-2; see also 45 C.F.R. §§ 160, 164. The Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), (Doc. 13 ¶ 118), establishes standards for the protection of certain health information, broadly defining “[p]rotected health information” (PHI) as “individually identifiable health information” (IIHI) that is “[transmitted by electronic media,” “maintained in electronic media,” or “transmitted or maintained in any other form or medium.” 45 C.F.R. § 160.103.
In December 2022, the Department of Health and Human Services Office for Civil Rights issued guidance on the use of tracking technologies. (Doc. 13 ¶ 11.) This guidance explained regulated entities are not permitted to use tracking technologies if the use results in “impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” (Id.) “The OCR's guidance also made clear that, ‘disclosures of PHI to tracking technology vendors for marketing purposes, without individuals' HIPAA-compliant authorizations, would constitute impermissible disclosures.'” (Id.)
C. Notice of Privacy Practices
Defendant's Website contains a “Notice of Privacy Practices,” which explains the measures Defendant will take to protect patient PHI under HIPAA. (Doc. 13 ¶ 29.) The Notice states “TMC Health is required by law to provide notification to affected individuals or their representatives and to the [Office for Civil Rights] for [Health and Human Services] following the discovery of a breach of unsecured PHI.” (Id. (alteration in original) (quoting https://www.tmcaz.com/notice-of-privacy-practices).) Additionally, the Notice states “TMC Health will obtain your authorization to use or disclose your PHI in the following circumstances: . . . disclosures for marketing purposes.” (Id. ¶ 30 (quoting https://www.tmcaz.com/notice-of-privacy-practices).) However, the Notice did not mention Defendant's use of tracking technologies on its Website. (Id. ¶ 31.)
II. Legal Standard
A. Motion to Dismiss
The Court can dismiss a complaint or the claims in it under Federal Rule of Civil Procedure 12(b)(6) if the claims lack a cognizable legal theory or if insufficient facts are alleged to support the theory. Balistreri v. Pacifica Police Dep 't, 901 F.2d 696, 699 (9th Cir. 1988). A complaint must “contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Glazer Cap. Mgmt., L.P. v. Forescout Techs., Inc., 63 F.4th 747, 763 (9th Cir. 2023) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). Moreover, Rule 8(a) requires “a complaint to contain ‘a short and plain statement of the claim showing . . . the pleader is entitled to relief.'” Id. (quoting Fed.R.Civ.P. 8(a)(2)). While “[a]ll allegations of material fact are taken as true and construed in the light most favorable to the nonmoving party,” Silvas v. E*Trade Mortg. Corp., 514 F.3d 1001, 1003 (9th Cir. 2008), “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice,” Plaskett v. Wormuth, 18 F.4th 1072, 1083 (9th Cir. 2021) (quoting Iqbal, 556 U.S. at 678).
B. Leave to Amend
Leave to amend should be freely given “when justice so requires.” Fed.R.Civ.P. 15(a)(2). “This policy is ‘to be applied with extreme liberality.'” Eminence Cap., LLC v. Aspeon, Inc., 316 F.3d 1048, 1051 (9th Cir. 2003) (quoting Owens v. Kaiser Found. Health Plan, Inc., 244 F.3d 708, 712 (9th Cir. 2001)). Generally, a “district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) (citation omitted).
Both parties cite many District Court cases, including in numerous notices of supplemental authority. The Court is not bound by these decisions, nor will it rule based on “trends” in cases not before it. See Camreta v. Greene, 563 U.S. 692, 709 n.7 (2011) (“A decision of a federal district court judge is not binding precedent in either a different judicial district, the same judicial district, or even upon the same judge in a different case.” (citation omitted)).
The Court will dismiss all of Plaintiffs' claims but will grant leave to amend as detailed below.
A. Count One: Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA) provides a private right of action against any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication. 18 U.S.C. §§ 2511(1)(a), 2520. A person who is a “party” to the communication is generally exempt from liability for “intercepting] a wire, oral, or electronic communication.” § 2511(2)(d). However, there is an exception to this exemption if a party to the communication intercepts it “for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” Id. “[T]he focus is not upon whether the interception itself violated another law; it is upon whether the purpose for the interception-its intended use-was criminal or tortious.” Sussman v. Am. Broad. Cos., 186 F.3d 1200, 1202 (9th Cir. 1999) (citation omitted). “This criminal or tortious purpose must be separate and independent from the act of the recording.” Planned Parenthood Fed'n of Am., Inc. v. Newman, 51 F.4th 1125, 1136 (9th Cir. 2022).
Additionally, under subsection (1)(c), it is unlawful to “intentionally disclose[], or endeavor[] to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection.” § 2511(1)(C) (emphasis added). Under subsection (1)(d), it is unlawful to “intentionally use[], or endeavor[] to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection.” § 2511(1)(d) (emphasis added).
Plaintiffs allege Defendant violated subsections (1)(a), (c), and (d) of the ECPA by intercepting information searched for by Plaintiffs on its public website, sharing it with third parties, and having an improper purpose while doing so. (Doc. 13 ¶¶ 183, 186-88.) The success of Plaintiffs' allegations hinges on whether the crime-tort exception to the party exemption applies because Plaintiffs do not allege Defendant was not a party to the communications. Specifically, Plaintiffs allege Defendant intercepted the communications with the purpose of committing a tort or crime and assert five grounds for the crime-tort exception. Namely, Plaintiffs allege Defendant committed the tort of intrusion upon seclusion and violated the Arizona Consumer Fraud Act (ACFA), 42 U.S.C. § 1320d-6, HIPAA, and A.R.S. § 13-2316(A)(1). (Doc. 13 ¶¶ 188-89.) Defendant contends the party exception applies-arguing it could not intercept a communication when it was the intended recipient (Doc. 19-1 at 6-7)-and the crime-tort exception does not apply because, first, Plaintiffs pled insufficient facts, and second, any allegedly criminal or tortious act resulting from the interception was not the purpose of the intercepting act. (Doc. 19-1 at 7-8.)
Plaintiffs explicitly argued the party exemption applies at oral argument. (See Oral Arg. Tr. at 38:14-18 (“[TMC is] a party to the communication. They can tap that conversation through their website all they want. . . . No liability [under ECPA] for that unless they're intending to use it for some tortious or criminal purpose.”).)
Plaintiffs fail to state a claim under the ECPA because they have not sufficiently alleged a criminal or tortious purpose. According to the Amended Complaint, Defendant uses these technologies “to obtain valuable personal data about visitors to its Website, . . . to increase its own profits through sophisticated and targeted advertising[,] and to improve its website analytics.” (Doc. 13 ¶ 2.) Another reason Defendant uses these technologies is for “marketing purposes.” (Id. ¶¶ 4, 39.) Therefore, Plaintiffs' allegation Defendant intended to commit various torts or violate various state and federal laws is conclusory and unsupported by any facts. Instead, all the facts Plaintiffs alleged regarding Defendant's purpose in intercepting the communications point to one conclusion-a noncriminal, non-tortious purpose. Even if Defendant had an improper purpose, Plaintiffs' ECPA claim would fail for an independent reason-the Website cannot distinguish between who is a patient and who is not a patient clicking on the “patient portal” link. Therefore, the disclosure of data regarding what healthcare information someone searches for and whether someone clicks on the patient portal link does not necessarily implicate HIPAA. Thus, Plaintiffs fail to state a claim under § 2511(1)(a).
Next, the Court must address what this means for Plaintiffs' § 2511(1)(c) and (d) claims. (See Doc. 13 ¶¶ 186-87.) Because this Court finds no violation of subsection (1)(a), Plaintiffs' subsection (1)(c) and (d) claims also fail. Defendant could not have disclosed or used the contents of a communication while “knowing or having reason to know that the information was obtained through [an] interception . . . in violation of this subsection” if there is no violation of subsection (1)(a). § 2511(1). This alone dooms
Plaintiffs' secondary ECPA claims.
Even if the Court were to disregard this fatal flaw, the allegations are otherwise insufficient because it is unclear to the Court what “content” required under these subsections of the statute Plaintiffs allege was “disclosed” or “used.” (See Doc. 13 ¶¶ 18687.). In sum, Plaintiff fails to allege how the technology at issue here violates the requirements of these subsections of ECPA. Therefore, Plaintiffs' § 2511(1)(c) and (d) claims fail. Accordingly, Plaintiffs' ECPA claim is dismissed.
B. Count Two: Arizona Consumer Fraud Act
The ACFA provides:
The act, use or employment by any person of any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice.A.R.S. § 44-1522(A). “‘Advertisement' includes the attempt by publication, dissemination, solicitation or circulation, oral or written, to induce directly or indirectly any person to enter into any obligation or acquire any title or interest in any merchandise.” A.R.S. § 44-1521(1). “‘Merchandise' means any objects, wares, goods, commodities, intangibles, real estate or services.” § 44-1521(5). “‘Sale' means any sale, offer for sale or attempt to sell any merchandise for any consideration.” § 44-1521(7).
The ACFA “imposes the actionable duty-to refrain from a ‘deceptive act or practice' or an ‘omission of any material fact with intent that others rely' thereon.” State ex rel. Horne v. AutoZone, Inc., 275 P.3d 1278, 1281 (Ariz. 2012) (quoting A.R.S. § 44-1522(A)). “[T]o succeed on a claim of consumer fraud, a plaintiff must show (1) a false promise or misrepresentation made in connection with the sale or advertisement of ‘merchandise,' and (2) consequent and proximate injury resulting from the misrepresentation.” Watts v. Medicis Pharm. Corp., 365 P.3d 944, 953 (Ariz. 2016); see also Nataros v. Fine Arts Gallery of Scottsdale, Inc., 612 P.2d 500, 504 (Ariz.Ct.App. 1980) (noting that damage is an element of an ACFA claim). Claims under the ACFA's omission clause “require[] proof that the omission is material and made with intent that a consumer rely thereon.” Horne, 275 P.3d at 1281. Furthermore, “a false or deceptive ‘advertisement' must have been related to a sale between the parties.” Sullivan v. Pulte Home Corp., 290 P.3d 446, 454 (Ariz.Ct.App. 2012), vacated in part on other grounds, 306 P.3d 1 (Ariz. 2013).
Plaintiffs allege Defendant concealed, suppressed, and omitted material facts regarding its use of tracking technologies on the Website to intercept and disclose Plaintiffs' information. (Doc. 13 ¶ 201.) In its Motion, Defendant asserts the ACFA does not apply because “there is no merchant-consumer transaction at issue,” and it owes no duty to a visitor of a public website. (Doc. 19-1 at 11.) Finally, to the extent Plaintiffs attempt to allege an omission under the ACFA, Defendant argues the omission was not material and Defendant did not intend for consumers to rely upon it. (Id. at 12.)
Here, Plaintiffs fail to state a claim under the ACFA. As a preliminary matter, it is unclear whether Plaintiffs allege a deceptive “practice” or “omission.” Instead, Plaintiffs seem to blend the two together. (See Doc. 13 ¶ 201 (“Defendant committed unfair or deceptive acts and practices in and from Arizona, in violation of the [ACFA], by concealing, suppressing, and omitting material facts regarding its use of tracking technologies.”).) Insofar as Plaintiffs attempt to allege a deceptive practice of concealing relevant facts, Plaintiffs' claim is conclusory because they allege no more than omissions of material fact subject to the omissions clause of the ACFA. (Id.)
Having determined Plaintiffs fail to state a claim based on a deceptive practice, Plaintiffs' only remaining cognizable legal theory is under the omission clause. This too fails. Plaintiffs do not sufficiently allege they relied on the Website's omission of facts in connection with seeking healthcare services, nor do they allege an independent sale or advertisement of the Website itself. Plaintiffs claim “Defendant was selling or advertising merchandise (including services) as those terms are defined in A.R.S. § 44-1521” and “[a]s part of its healthcare services to patients and prospective patients, Defendant offered the Website as a means for Plaintiffs” to research healthcare matters. (Doc. 13 ¶ 200.) However, these allegations conflate whether Plaintiffs are claiming the Website is an advertisement for Defendant's healthcare services or claiming the Website itself is a service. Assuming the former, Plaintiffs fail to allege how the Website's failure to disclose its use of tracking technologies impacted Plaintiffs' decision to seek Defendant's healthcare services after using the Website. In other words, Plaintiffs fail to show any relationship between this omission and Defendant's sale of healthcare services to Plaintiffs. See Sullivan, 290 P.3d at 454. Assuming the latter, meaning the Website is a service in and of itself, then Plaintiffs fail to allege any independent sale or advertisement related to the Website. Nevertheless, even assuming these problems with Plaintiffs' complaint could be resolved, Plaintiffs still fail to allege Defendant intended Plaintiffs rely on the omission in either choosing to use the Website or choosing to use Defendant's healthcare services. Therefore, the Court will dismiss Plaintiffs' ACFA claim.
C. Count Three: Negligence
To state a claim for negligence, a plaintiff must allege: “(1) a duty requiring the defendant to conform to a certain standard of care; (2) breach of that standard; (3) a causal connection between the breach and the resulting injury; and (4) actual damages.” Quiroz v. ALCOA Inc., 416 P.3d 824, 827-28 (Ariz. 2018). Under Arizona law, a duty can arise either from the parties' special relationship or public policy. Avitia v. Crisis Preparation & Recovery Inc., 536 P.3d 776, 782 (Ariz. 2023). When determining whether a duty exists, the Court looks primarily to statutes and common law. Id. The Arizona Supreme Court has recognized HIPAA and internal privacy practices can inform the standard of care in a negligence claim but do not give rise to a per se duty. Shepherd v. Costco Wholesale Corp., 482 P.3d 390, 396 (Ariz. 2021). The existence of a duty is a matter of law for the Court to decide. Gipson v. Kasey, 150 P.3d 228, 230 (Ariz. 2007).
Plaintiffs allege a duty arises from Defendant's special relationship with its “patients and prospective patients” and contractual obligations arising from the Privacy Policy on its Website. (Doc. 13 ¶ 214.) Defendant contends it owes no duty to safeguard public online browsing information. (Doc. 19-1 at 13.) In response, Plaintiffs cite a variety of sources as purported bases of this duty, including the Restatement (Second) of Torts § 551 (Am. L. Inst. 1977) and A.R.S. §§ 12-2235 and 12-2291 through 2297. (See Doc. 20 at 20.) For the following reasons, the Court finds Plaintiffs fail to state a claim for negligence under Arizona law because Defendant owed no duty to Plaintiffs.
First, although healthcare providers like Defendant may have a duty under HIPAA to protect unauthorized disclosure of sensitive information, that duty only extends to patients. Plaintiffs do not sufficiently allege, nor is the Court independently aware of, any portion of HIPAA or the regulations promulgated by the Department of Health and Human Services requiring healthcare providers who maintain websites to protect website visitors from having their interactions with the webpage logged and shared for advertising purposes. Such an interpretation would stretch HIPAA and federal guidance implementing HIPAA to an extent completely divorced from the text.
Second, the Arizona statutes cited by Plaintiffs do not support a duty between a healthcare provider and people visiting its free, public website. Section 12-2235 does not create a special relationship because the statute only applies to communications between a physician and patient and Plaintiffs do not allege any communications via the Website occurred between Defendant's physicians and patients. Additionally, § 12-2291 does not create any duty related to the data disclosure at issue here because it discusses only medical records and payment records, neither of which are alleged to have been disclosed.
Third, the Restatement section Plaintiffs cite involves liability for nondisclosure in a “business transaction.” Restatement § 551. Here, Plaintiffs fail to explain how browsing a free informational website gives rise to a “business transaction.” Therefore, the Court finds Defendant did not owe Plaintiffs a duty under § 551.
Lastly, as discussed below in Section III.E, there is no contractual relationship between Defendant and Plaintiffs to support a duty based on a contract. Therefore, the Court concludes Plaintiffs fail to sufficiently allege Defendants owed them a duty, and, thus, the Court dismisses their negligence claim.
D. Count Four: Invasion of Privacy - Intrusion Upon Seclusion
A plaintiff asserting a claim for intrusion upon seclusion must allege an intentional intrusion, physical or otherwise, “upon the solitude or seclusion of another or his private affairs or concerns” that “would be highly offensive to a reasonable person.” Hart v. Seven Resorts Inc., 947 P.2d 846, 853 (Ariz.Ct.App. 1997) (quoting Restatement (Second) of Torts § 652B). “The defendant is subject to liability [for intrusion upon seclusion] only when he has intruded into a private place[] or has otherwise invaded a private seclusion that the plaintiff has thrown about his person or affairs.” Id. (quoting Restatement § 652B cmt. c).
Plaintiffs allege “Defendant intruded upon and permitted unauthorized third parties to intrude upon Plaintiffs' and the Class's private communications with Defendant regarding sensitive medical information” by “intentionally embedding and implementing the tracking technologies on its Website.” (Doc. 13 ¶ 226.) Defendant contends “the intrusion, if any, was carried out by a third party,” the conduct was not highly offensive, and “the transmission of Plaintiffs' public website browsing data” cannot amount to an invasion of privacy. (Doc. 19-1 at 15-17.)
Here, Plaintiffs fail to state a claim for intrusion upon seclusion because their Complaint is devoid of factual allegations supporting an intrusion by Defendant. As discussed above, these tracking technologies are only employed when Defendant's server receives an HTTP Request from a user's web browser. Then, the source code containing the tracking technologies essentially allows the technology companies to “listen in” on the communications between Plaintiffs and Defendant. If this is the case, as the Plaintiffs allege, the only intrusion is perpetrated by the technology companies, not Defendant. Plaintiffs specifically request Defendant to intrude, i.e. respond, by providing answers to healthcare questions on the Website. Plaintiffs cannot then turn around and bring a legal claim based on an interaction with a public website they not only invited but also requested.
Moreover, Plaintiffs do not develop a cognizable legal argument that Defendant's communication with Plaintiffs via a public website with knowledge that third parties may be “intruding” constitutes an intrusion upon seclusion. Any acts Plaintiffs allege constitute an “intrusion” arise either from Plaintiffs' HTTP Requests or from the third-party technology companies themselves. Even assuming this were not the case, Plaintiffs fail to allege “solitude or seclusion.” Although Plaintiffs assert a privacy interest in communications regarding “sensitive medical information,” they do not explain how the sensitivity of their communications can transform public communications into “solitude or seclusion.” Even assuming these allegations support some level of intrusion from Defendant into Plaintiffs' solitude by allowing third parties access to browsing data for analytical purposes, Plaintiffs do not plead facts to support their conclusory allegations regarding whether this intrusion would be highly offensive to a reasonable person. (Doc. 13 ¶ 229.) Thus, the Court will dismiss Plaintiffs' intrusion upon seclusion claim.
E. Count Five: Breach of Implied Contract
An implied contract is inferred by law, not evidenced by an explicit agreement, “from the acts and conduct of the parties and circumstances surrounding their transaction.” Carroll v. Lee, 712 P.2d 923, 926 (Ariz. 1986). To succeed on a breach of implied contract claim, Plaintiffs must allege facts establishing (1) the existence of a contract through the parties' acts or conduct; (2) breach; and (3) resulting damages. See First Am. Title Ins. Co. v. Johnson Bank, 372 P.3d 292, 297 (Ariz. 2016).
Plaintiffs allege when they “paid money and provided their Sensitive Information to Defendant as consideration in exchange for services, they entered implied contracts pursuant to which Defendant agreed to safeguard and not disclose their Sensitive Information without Plaintiffs' and Class Members' consent.” (Doc. 13 ¶ 236.)
Furthermore, as “[a]n implicit part of the agreement,” “Defendant would safeguard Plaintiffs' and Class Members' Sensitive Information consistent with industry and regulatory standards and Defendant's privacy policy and would timely notify Plaintiffs in the event of a disclosure to third parties.” (Id. ¶ 237.) Defendant asserts Plaintiffs' allegations fail because they are conclusory and fail to plead facts showing the parties shared the requisite mutuality of assent. (Doc. 19-1 at 18.) Specifically, Defendants contend “there are [neither] facts that plausibly show that TMC Health agreed to not use pixels or similar technology on its website . . . [n]or are there facts pled demonstrating any mutual understanding between the parties that payment for medical treatment somehow meant that TMC Health would not use pixels on its public website.” (Id. (emphasis added).)
Here, Plaintiffs do not make sufficient, non-conclusory factual allegations about Defendant's conduct to establish an implied-in-fact contract between the parties nor do they sufficiently allege any supposed contract terms. To the extent Plaintiff's attempt to allege Defendant breached an implied contract by not complying with its own written Privacy Policy (see Doc. 13 at ¶ 237), the attempt fails. The Privacy Policy cannot serve as the basis for an implied contract because there would be no consideration for any such contract. See In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *3 (D. Ariz. Dec. 20, 2017) (concluding no contract was formed where the defendant “was already under a preexisting legal duty to protect [the plaintiff's] information” because the privacy policy could not “be read as a promise to do anything above and beyond what is already required by law”). Based on the allegations in Plaintiffs' complaint, Defendant was already required under HIPAA to protect patients in the ways that it promised. Accordingly, Plaintiffs' allegations fail to state a breach of implied contract claim.
F. Count Six: Unjust Enrichment
An unjust enrichment claim allows the Court to grant “a flexible, equitable remedy” where a defendant is “obliged by the ties of natural justice and equity” to compensate plaintiff for benefits received. Murdock-Bryant Constr, Inc. v. Pearson, 703 P.2d 1197, 1202 (Ariz. 1985) (quoting Dan B. Dobbs, Law of Remedies § 4.2 at 235 (1973)). “An unjust enrichment claim requires proof of ‘(1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and impoverishment, (4) the absence ofjustification for the enrichment and impoverishment, and (5) the absence of a remedy provided by law. '” Perdue v. La Rue, 474 P.3d 1197, 1205 (Ariz.Ct.App. 2020) (quoting Wang Elec., Inc. v. Smoke Tree Resort, LLC, 283 P.3d 45, 49 (Ariz.Ct.App. 2012)). Plaintiff need not have suffered a “loss corresponding to the defendant's gain for there to be a valid claim for an unjust enrichment.” John A. Artukovich & Sons, Inc. v. Reliance Truck Co., 614 P.2d 327, 329 (Ariz. 1980).
Plaintiffs allege an unjust enrichment claim “in the alternative in the event Plaintiffs . . . have an inadequate remedy at law.” (Doc. 13 ¶ 248.) To support this claim, Plaintiffs allege they provided information to Defendant via the Website “for the purposes of receiving healthcare services or healthcare-related information and knowledge.” (Doc. 13 ¶ 244.) Plaintiffs also allege “Defendant receives a benefit” by using Plaintiffs' information “for its own gain, without consent or authorization,” to save on marketing and advertising costs and to increase profits by acquiring new patients and using the information to get existing patients to seek more services. (Id.) Additionally, Plaintiffs allege they were “not compensated by Defendant for the data they provided,” and “Defendant unjustly retained those benefits at the expense of Plaintiffs.” (Id. ¶ 245.) In its Motion, Defendant asserts Plaintiffs' allegations are conclusory and no benefit was conferred upon TMC Health through cost savings for marketing and advertising and increased profits from this advertising. (Doc. 19-1 at 20.)
Here, Plaintiffs have not plead facts sufficient to support an unjust enrichment claim. Specifically, Plaintiffs never state facts supporting a cognizable impoverishment. Plaintiffs attempt to plead an impoverishment based on the perceived value of their data. But, first, this ignores the benefit they received by being able to use the Website to seek healthcare information. And, second, the complaint is devoid of allegations indicating Plaintiffs ever intended to profit from their data or even had some other avenue of profiting from their data. Therefore, the allegations do not suggest it would be unjust for Defendant to use the data for analytics and advertising purposes because, in the absence of Defendant's use, Plaintiffs would still be in the same position, i.e. those benefits were not retained at the expense of Plaintiffs. Therefore, the Court will dismiss Plaintiffs' unjust enrichment claim.
G. Leave to Amend
Plaintiff's specifically request leave to amend their complaint in the event the Court finds their allegations deficient or lacking specificity. (Doc. 20 at 27 n. 11.) Defendant requests all the claims be dismissed with prejudice and specifically mentions amendment would be futile for the ECPA and intrusion upon seclusion claims. (Doc. 19-1 at 7, 16.) Although it is difficult for the Court to see how Plaintiffs could successfully allege these claims, it is not impossible for the Court to envision a set of facts sufficient to state the claims. Therefore, the Court will dismiss the claims without prejudice and provide an opportunity for Plaintiffs to amend their complaint.
IV. Conclusion
IT IS ORDERED Defendant's Motion to Dismiss (Doc. 19) is GRANTED.
IT IS FURTHER ORDERED Plaintiffs' First Amended Complaint is DISMISSED WITHOUT PREJUDICE.
IT IS FURTHER ORDERED Plaintiffs may file an amended complaint no later than Thursday, October 31, 2024.
IT IS FURTHER ORDERED, if Plaintiffs do not file a second amended complaint by Thursday, October 31, 2024, the Clerk of Court shall close this case.