Summary
denying motion to dismiss negligence claim under Massachusetts law and accepting as adequately pled damages of “her Private Information- including her identity, patient status, and her health conditions and treatments-[having been] collected and transmitted to Facebook and third parties without her consent”
Summary of this case from K.L. v. Legacy HealthOpinion
Civil Action 23-12978-PBS
04-23-2024
JANE DOE, individually, and on behalf of all others similarly situated, Plaintiff, v. TENET HEALTHCARE CORPORATION, d/b/a METROWEST MEDICAL CENTER, Defendant.
MEMORANDUM AND ORDER
SARIS, D.J.
INTRODUCTION
Tenet Healthcare Corporation (“Tenet”) is a healthcare services company that operates hospitals and healthcare facilities across the country, including Framingham Union Hospital in Framingham, Massachusetts. Tenet operates a website through which users can search for physicians and treatment locations, schedule appointments, learn about health conditions and treatments, and take health assessments. Tenet's website uses “trackers” created by Facebook and other companies. These trackers capture and record user interactions with the website, including pages viewed, buttons clicked, and information submitted through forms or assessments. Tenet and third-party companies then utilize the collected data to better understand the impact of its websites and to improve targeted advertising by third parties.
This case challenges the use of these trackers in light of the obligations of a healthcare provider to protect the privacy of website users who are also patients. Plaintiff Jane Doe, a patient at Framingham Union Hospital, commenced this putative class action against Tenet, alleging that Tenet's use of trackers -- in particular Facebook's Meta Pixel tool -- disclosed her personally identifying information and/or protected health information to third parties. Tenet moves to dismiss all nine counts in the amended complaint under Fed.R.Civ.P. 12(b)(6) for failure to state a claim upon which relief can be granted.
For the reasons set forth below, the Court ALLOWS Tenet's undisputed motion to dismiss as to Count II (negligence per se) and Count III (invasion of privacy) because they are not recognized causes of action under Massachusetts law. The Court DENIES Tenet's motion to dismiss as to the seven remaining causes of action: Counts I (Negligence), IV (Breach of Implied Contract), V (Unjust Enrichment), VI (Breach of Fiduciary Duty), VII (Massachusetts Right to Privacy Law), VIII (Massachusetts Consumer Protection Act), and IX (Massachusetts Wiretap Act).
BACKGROUND
Plaintiff alleges the following facts in her amended complaint (Dkt. 1-3). For the purposes of Tenet's motion to dismiss, these facts are accepted as true.
I. Parties
Plaintiff Jane Doe is a resident of Framingham, Massachusetts. She is a patient of Defendant Tenet Healthcare Corporation, a healthcare conglomerate that owns MetroWest Medical Center (“MetroWest”). MetroWest is a health system that operates several hospitals and medical centers in Framingham and Worcester, including Framingham Union Hospital.
II. Website Trackers
Tenet operates the MetroWest Medical Center website (“Website”) and other web-based tools and services. Tenet encourages its patients to use the Website to search for physicians and treatment locations, schedule appointments, learn about health conditions and treatments, take health assessments, learn about insurance and payment options, and sign up for classes and events.
In operating its Website, Tenet employs “trackers” created by companies such as Facebook, Google, Marketo, Invoca, and Siteimprove.In particular, Tenet uses Facebook's tracker called “Meta Pixel.” Meta Pixel is a piece of code that a website owner can integrate on its website to collect user activity data. When a user accesses a webpage containing Meta Pixel, the tool captures and tracks the actions taken by that user (i.e., clicking a button, searching a term, or filling out a form). The collected information -- which includes data such as the user's IP address, information about the user's web browser and operating device, button click data, form field names and values, or other unique identifiers -is duplicated and sent to Facebook. Facebook utilizes the collected Meta Pixel data to improve its own targeted advertising. Website owners, such as Tenet, can also utilize the Meta Pixel data to measure and better understand the impact of their own websites and advertisements. Facebook specifically markets Meta Pixel as “a piece of code that you put on your website that allows you to measure the effectiveness of your advertising by understanding the actions people take on your website.” Dkt. 1-3 at 14.
Facebook changed its name from Facebook, Inc. to Meta Platforms, Inc. in October 2021. References to “Facebook” and “Meta” refer to the same company.
Tenet also uses another Facebook tool called “Conversions API,” which is a tool that directly transmits data from a website owner's server to Facebook, without the need to rely on the user's web browser. Facebook encourages companies to use Conversions API in addition to the Meta Pixel in order to ensure collection of all website activity and events.
III. Privacy Policies and Law
Plaintiff alleges that Tenet uses Meta Pixel, Conversions API, and other trackers to capture and record its patients' personally identifying information and/or protected health information (collectively, “Private Information”) and transmit them to Facebook or other third parties, without patient knowledge or authorization. Tenet's Website privacy policy informs website visitors about its use of trackers to gather data and user activity. See Dkt. 1-3 at 70-74 (“Website Privacy Policy”).
Specifically, the policy states:
Our web servers automatically identify computers by their IP addresses and this information is stored securely for your protection. We may use IP addresses to analyze trends, administer the Sites, track users' movement and gather demographic information for aggregate use. For example, if you view specific pages or download information from specific pages on our Sites, we will track and add the number of your visits to the aggregate number of visits by all users in order to better design our Sites. If you have provided personally identifiable information to us through our online forms, we may associate some of the information we have so gathered with your personally identifiable information, and we may use this combined data to provide relevant Site and email content to you. We purchase third party information that includes name, address, census data and personal attributes for the purpose of marketing campaigns.Id. at 72.
Tenet also maintains a separate privacy notice, also available on the Website, that describes how it uses and discloses patient medical information. See Dkt. 1-3 at 62-69 (“Notice of Privacy Practices”). The notice states that Tenet is “required by law to maintain the privacy of your health information” and “[y]our written authorization . . . must be obtained prior to [Tenet] using your [protected health information] to send you any marketing materials.” Id. at 62, 66.
Under the HIPAA Privacy Rule, a healthcare provider may not disclose a person's protected health information to a third party for marketing purposes without authorization. See 45 CFR § 164.508(a)(3). Plaintiff contends that despite these assurances and Tenet's legal obligations, Tenet shared or sold Private Information to third-party companies in exchange for improved advertising and marketing services.
IV. Tracked Activity
Plaintiff states that she began using Tenet's Website around 2015 or 2016 to “schedule appointments, search for information, and access the patient portal.” Dkt. 1-3 at 24. Shortly thereafter, Plaintiff began noticing targeted online advertisements related to her health conditions, including advertisements related to weight loss and diabetes. With the use of Meta Pixel, Tenet collected and disclosed to Facebook the following information: Plaintiff's identity, patient status, request for medical treatment, health conditions and treatments, and appointment time and location. Because of Tenet's unauthorized disclosure of her Private Information, Plaintiff suffered a loss of privacy. Plaintiff states that she suffered “embarrassment, humiliation, frustration, and emotional distress; decreased value of her Private Information; lost benefit of her bargain; and increased risk of future harm” due to the unauthorized disclosure of her Private Information. Dkt. 1-3 at 25.
LEGAL STANDARD
To survive a Rule 12(b)(6) motion to dismiss for failure to state claim, a complaint must allege “a plausible entitlement to relief.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 559 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). “Plausible, of course, means something more than merely possible, and gauging a pleaded situation's plausibility is a context-specific job that compels [the court] to draw on [its] judicial experience and common sense.” Schatz v. Republican State Leadership Comm'n, 669 F.3d 50, 55 (1st Cir. 2012) (cleaned up) (quoting Iqbal, 556 U.S. at 679).
DISCUSSION
I. Negligence
Plaintiff alleges that Tenet acted negligently by using trackers and disclosing Private Information to third-party companies, in breach of its duties to exercise reasonable care in handling patient information. To state a claim for negligence under Massachusetts law, the plaintiff must prove that “the defendant owed the plaintiff a duty of reasonable care, that the defendant breached this duty, that damage resulted, and that there was a causal relation between the breach of the duty and the damage.” Doe v. Stonehill Coll., Inc., 55 F.4th 302, 338 (1st Cir. 2022) (quoting Jupin v. Kask, 849 N.E.2d 829, 834-35 (Mass. 2006)). Tenet makes three arguments as to why Plaintiff's negligence claim should be dismissed, none of which are availing.
First, Tenet argues that Plaintiff's negligence claim is barred by the economic loss doctrine, a common law doctrine which prohibits recovery in tort for “purely economic losses . . . in the absence of personal injury or property damage.” In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498-99 (1st Cir. 2009) (quoting Aldrich v. ADD Inc., 770 N.E.2d 447, 454 (Mass. 2002)). This argument fails because “Massachusetts courts have declined to apply the economic loss doctrine to tort claims against a fiduciary.” In re Shields Health Care Grp., Inc. Data Breach Litig., No. 22-10901, 2024 WL 939219, at *3 (D. Mass. Mar. 5, 2024) (quoting Szulik v. State St. Bank and Tr. Co., 935 F.Supp.2d 240, 271 n.11 (D. Mass. 2013)). Under Massachusetts law, a fiduciary relationship exists between a healthcare provider and a patient. Id. Accordingly, Plaintiff, who has been a patient of Tenet for over twenty years, has stated a plausible claim that Tenet serves as a healthcare provider and that it was in a fiduciary relationship with a patient who was seeking medical assistance from her longtime provider.
Second, Tenet contends that Plaintiff failed to plead causation. However, Plaintiff plausibly alleges that Tenet's use of third-party trackers was the proximate cause of the unauthorized disclosure of her Private Information to third-party companies and that this disclosure was the cause of the advertisements she received -- for example, the ones related to diabetes or obesity.
Finally, Tenet argues that Plaintiff failed to plead damages. But Plaintiff states that she was injured because her Private Information -- including her identity, patient status, and her health conditions and treatments -- was collected and transmitted to Facebook and third parties without her consent. Tenet retorts that her allegations center on search terms that she voluntarily typed into a public website. However, a patient seeking services for diabetes or obesity does not reasonably expect that her illness will be publicly disclosed in the marketplace. These factual allegations of invasion of privacy are sufficient to defeat a motion to dismiss.
Tenet's motion to dismiss Plaintiff's negligence claim (Count I) is therefore DENIED .
II. Negligence Per Se
Massachusetts does not recognize negligence per se as an independent cause of action. See Juliano v. Simpson, 962 N.E.2d 175, 179 (Mass. 2012) (“The Commonwealth does not follow the doctrine of negligence per se[.]”); Deutsche Lufthansa AG v. Mass. Port Auth., No. 17-11702, 2018 WL 3466938, at *2 (D. Mass. July 18, 2018) (“[N]egligence per se does not exist as a cause of action independent from a general negligence action because violation of [a] statute can only be some evidence of the defendant's negligence.”). Plaintiff concedes that negligence per se is not maintainable as a separate count. Thus, Tenet's motion to dismiss Plaintiff's negligence per se claim (Count II) is ALLOWED .
III. Invasion of Privacy
Plaintiff also concedes that Massachusetts does not recognize “invasion of privacy” as a common law cause of action either. See Axford v. TGM Andover Park, LLC, No. 19-11540, 2021 WL 681953, at *13 (D. Mass. Feb. 22, 2021). Instead, Massachusetts recognizes a statutory right of privacy under the Massachusetts Right to Privacy Law, Mass. Gen. Laws ch. 214, § 1B, which is addressed in a separate count. Accordingly, Tenet's motion to dismiss Plaintiff's common law invasion of privacy claim (Count III) is ALLOWED .
IV. Breach of Implied Contract
Under her breach of implied contract claim, Plaintiff alleges that Tenet “implicitly promised to keep its patients' Private Information secure and confidential,” but breached its implied duty by disclosing this Private Information to third parties without authorization. Dkt. 1-3 at 47. Tenet argues that the implied contract claim fails because the amended complaint alleges neither a meeting of the minds nor Tenet's agreement to specific contractual terms. It points out that Plaintiff does not claim she read or relied on the privacy policies on the Website.
Under Massachusetts law, “[i]n the absence of an express agreement, an implied contract may be inferred” from “the conduct of the parties” and “the relationship of the parties.” T. F. v. B.L., 813 N.E.2d 1244, 1249 (Mass. 2004). A “contract implied in law is an obligation created by law ‘for reasons of justice, without any expression of assent and sometimes even against a clear expression of dissent.... [C]onsiderations of equity and morality play a large part . . . in constructing a quasicontract.'” Salamon v. Terra, 477 N.E.2d 1029, 1031 (Mass. 1985) (quoting 1 A. Corbin, Contracts § 19 (1963)).
Here, the amended complaint contains sufficient factual allegations that Tenet breached its implied contractual obligations by using third-party trackers on its Website. Tenet argues there is no reasonable expectation that information collected from the public-facing portion of the Website be treated as confidential or as a condition of receiving medical treatment, and distinguishes such collected information from confidential medical information provided directly to MetroWest physicians. However, Plaintiff alleges that Tenet used trackers to collect Private Information entered by patients accessing their patient portals on the Website. See Dkt. 1-3 at 24 (“Jane Doe has used the Website and Online Platforms to . . . access the patient portal.”); id. at 28 (describing health systems that installed the Meta Pixel inside patient portals). Tenet's privacy policies do not distinguish between where information is collected with respect to patients. Plaintiff paid Tenet for healthcare services with the understanding that Tenet would maintain Plaintiff's Private Information confidentially, as expected in a physician-patient relationship. Tenet's promise to keep Plaintiff's Private Information secure and confidential is evidenced by its privacy policies, such as its Notice of Privacy Practices, which states that Tenet is “required by law to maintain the privacy of [patient] health information” and that a patient's written authorization is required before Tenet uses Private Information to send the patient marketing materials. Dkt. 1-3 at 62, 66. When a patient uses a healthcare provider's website to communicate or transfer confidential health or personal data, she has a reasonable expectation under HIPAA, as well as the privacy policies, that the information will be kept private and not sold to third-party companies, regardless of whether she read the privacy policies as a matter of law. Shedd v. Sturdy Mem'l Hosp., Inc., 2022 WL 1102524, at *9-10 (Mass. Super. Ct. Apr. 5, 2022).
Other courts addressing the use of the Meta Pixel tracker have found similar allegations sufficient to support an implied contract claim. See Doe v. Emerson Hosp., No. 2277-01000, 2023 WL 8869624, at *4 (Mass. Super. Ct. Nov. 22, 2023) (“[T]he allegations sufficiently suggest that Emerson may have entered into an implied contract which included an agreement not to disclose health information to third parties, like Facebook, without consent.”); Doe v. Regents of Univ. of Cal., 672 F.Supp. 813, 821 (N.D. Cal. 2023) (finding it “plausible that the parties entered into an implied contract” and that defendant “breached this implied contract by disclosing that information to Meta, a third party”). Tenet's motion to dismiss Plaintiff's breach of implied contract claim (Count IV) is therefore DENIED .
V. Unjust Enrichment
Plaintiff alleges that Tenet was unjustly enriched by collecting and using patient Private Information “for its own gain, for marketing purposes, and for sale or trade with third parties.” Dkt. 1-3 at 48. Under Massachusetts law, “[u]njust enrichment is defined as retention of money or property of another against the fundamental principles of justice or equity and good conscience.” Sacks v. Dissinger, 178 N.E.3d 388, 397 (Mass. 2021) (quoting Santagate v. Tower, 833 N.E.2d 171, 176 (Mass. App. Ct. 2005)). To state a claim, a plaintiff “must show (1) a benefit conferred upon defendant by plaintiff, (2) an appreciation or knowledge by defendant of the benefit, and (3) that acceptance or retention of the benefit under the circumstances would be inequitable without payment for its value.” Infinity Fluids Corp. v. Gen. Dynamics Land Sys., Inc., 210 F.Supp.3d 294, 309 (D. Mass. 2016). Whether a benefit is “unjust” turns “on the reasonable expectations of the parties.” Metro. Life Ins. Co. v. Cotter, 984 N.E.2d 835, 850 (Mass. 2013) (quoting Glob. Invs. Agent Corp. v. Nat'l Fire Ins. Co., 927 N.E.2d 480, 494 (Mass. App. Ct. 2010)). And “[a]lthough damages for breach of contract and unjust enrichment are mutually exclusive,” a plaintiff may plead them in the alternative. Chang v. Winklevoss, 123 N.E.3d 204, 212 (Mass. App. Ct. 2019).
Tenet argues that the unjust enrichment claim must be dismissed because Plaintiff's “allegations do not show that she knowingly conferred a benefit on Tenet or that Plaintiff (or Tenet) understood an expectation of payment at the time a benefit was conferred.” Dkt. 12 at 11. But the amended complaint states that Plaintiff knowingly conferred a benefit on Tenet in the form of her Private Information, which is valuable marketing information to third parties. Plaintiff also alleges that she paid for medical services from Tenet with the expectation that her health information would remain confidential, and not disclosed for Tenet's benefit, for marketing purposes, or for sale or trade with third parties. Plaintiff's factual allegations “plausibly suggest that [Tenet] retained a measurable benefit and that the retention of that benefit was unjust.” Emerson, 2023 WL 8869624, at *5.
VI. Breach of Fiduciary Duty
Plaintiff alleges that Tenet breached its fiduciary duty of confidentiality by intentionally disclosing its patients' Private Information. As stated earlier, a fiduciary relationship exists between healthcare providers and patients. See Shields, 2024 WL 939219, at *3. Plaintiff, a patient at Tenet, states a viable claim of breach of fiduciary duty against her healthcare provider for disclosing her Private Information.
VII. Massachusetts Right to Privacy Law
Next, Plaintiff alleges that Tenet's disclosure of patients' Private Information constituted “an unreasonable and substantial invasion of Plaintiff and Class Members' privacy” in violation of the Massachusetts Right to Privacy Law, Mass. Gen. Laws ch. 214, § 1B. Dkt. 1-3 at 50-51. The statute creates an actionable “right against ‘unreasonable, substantial or serious' interference with a person's privacy.” Ayash v. Dana-Farber Cancer Inst., 822 N.E.2d 667, 681 (Mass. 2005). The statute's “broad terms” allow for plaintiffs to pursue invasion-of-privacy theories, including public disclosure of private facts and intrusion upon seclusion. Schlesinger v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 567 N.E.2d 912, 915 (Mass. 1991); Ayash, 822 N.E.2d at 681 n.16. To prevail on an invasion of privacy claim, “a plaintiff must prove that there was 1) a gathering and dissemination of facts of a private nature that 2) resulted in an unreasonable, substantial or serious interference with his privacy.” Branyan v. Sw. Airlines Co., 105 F.Supp.3d 120, 126 (D. Mass. 2015) . No matter the theory, invasion of privacy “is an intentional tort under Massachusetts law.” Elliott-Lewis v. Abbott Lab'ys, 378 F.Supp.3d 67, 71 (D. Mass. 2019); see Mass. Gen. Laws ch. 258, § 10(c) (listing “intentional tort[s], including . . . invasion of privacy”).
Tenet contends that Plaintiff failed to allege what information of a “highly personal or intimate nature” was disclosed or how such a disclosure was “an unreasonable, substantial or serious interference with her privacy.” Dkt. 12 at 15. However, the health information that was allegedly disclosed to Facebook (e.g., Plaintiff's identity, patient status, request for medical treatment, health conditions and treatments, and appointment time and location) constitutes information of a “highly personal or intimate nature.” Moreover, “whether an intrusion is unreasonable, substantial, or serious is a question of fact.” Emerson, 2023 WL 8869624, at *5. As other courts have concluded, these allegations suffice to advance Plaintiff's claim under the Massachusetts Right to Privacy Law. See Bos. Med. Ctr., No. 2384-00326, 2023 WL 7105628, at *5 (Mass. Super. Ct. Sep. 14, 2023) (“[A]t the motion to dismiss stage, the alleged disclosure of personal and healthcare-related information over multiple website visits for the sole purpose of targeted advertising efforts suffices to advance Plaintiffs' [statutory invasion of privacy] claim.”). Tenet's motion to dismiss Plaintiff's claim under the Massachusetts Right to Privacy Law (Count VII) is DENIED .
VIII. Massachusetts Consumer Protection Act (Ch. 93A)
Plaintiff alleges that by disclosing Private Information to third parties, Tenet violated the Massachusetts Consumer Protection Act (“MCPA”). Chapter 93A of the MCPA forbids “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.” Mass. Gen. Laws ch. 93A, § 2(a). Plaintiff plausibly alleges that Tenet's disclosure of Plaintiff's Private Information to third parties contradicted its express promises contained in its privacy policy and notice, and thus constituted an “unfair or deceptive act.” As discussed above, Plaintiff has adequately alleged injury or harm resulting from the unauthorized disclosure of her Private Information. Finally, Tenet had adequate notice of Plaintiff's claim because it was sent a demand letter that identified Plaintiff under the pseudonym “Jane Doe,” a patient of MetroWest Medical Center. Plaintiff represents that it is willing to confidentially disclose the identity of “Jane Doe” to Tenet. Thus, Tenet's motion to dismiss Plaintiff's Chapter 93A claim (Count VIII) is DENIED .
IX. Massachusetts Wiretap Act
Finally, Plaintiff alleges that Tenet intentionally intercepted communications between patients and Tenet and transmitted those communications to Facebook and third parties without patient consent, in violation of the Massachusetts Wiretap Act, Mass. Gen. Laws ch. 272, § 99. This statute provides a cause of action for “any aggrieved person whose oral or wire communications were intercepted, disclosed or used . . . or whose personal or property interests or privacy were violated by means of an interception,” except as permitted or authorized by the statute. Mass. Gen. Laws ch. 272, § 99(Q). “Interception” is defined to mean “to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication.” Id. § 99(B)(4). Tenet argues that dismissal is required because (1) the alleged interceptions did not take place in Massachusetts, (2) the “ordinary course of business” exception applies, and (3) Plaintiff's allegations are unsupported by plausible facts.
The applicability of the Massachusetts Wiretap Act is pending before the Massachusetts Supreme Judicial Court, and the Court defers deciding this issue. See Vita v. New Eng. Baptist Hosp., et al., No. SJC-13542 (Mass. 2024). Accordingly, Tenet's motion to dismiss Plaintiff's claim under the Massachusetts Wiretap Act (Count IX) is DENIED without prejudice.
ORDER
For the reasons stated above, the Court ALLOWS Tenet's motion to dismiss as to Count II (negligence per se) and Count III (invasion of privacy) because they are not recognized causes of action under Massachusetts law. The Court DENIES Tenet's motion to dismiss as to the other seven remaining counts: Counts I (Negligence), IV (Breach of Implied Contract), V (Unjust Enrichment), VI (Breach of Fiduciary Duty), VII (Massachusetts Right to Privacy Law), and VIII (Massachusetts Consumer Protection Act) . Count IX (Massachusetts Wiretap Act) is DENIED WITHOUT PREJUDICE .
SO ORDERED.