Summary
finding that the transmission of the name of the plaintiff's physician and physician's specialty for financial gain was sufficient to trigger HIPAA and the exception carve-out
Summary of this case from K.L. v. Legacy HealthOpinion
22 C 5380
12-11-2023
MEMORANDUM OPINION AND ORDER
MATTHEW F. KENNELLY, United States District Judge
This is a putative class action brought by Marguerite Kurowski and Brenda McClendon (collectively Kurowski) against Rush University System for Health. Kurowski filed the case in federal court pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d). In general terms, Kurowski's claims arise from her contention that Rush has violated her and other patients' privacy interests by surreptitiously intercepting and transmitting to third parties information that includes patients' personally identifiable patient and health data.
The Court has issued two previous decisions on motions to dismiss filed by Rush. In the first decision, which concerned Kurowski's original complaint, the Court dismissed all but one of Kurowski's claims, leaving standing only a claim for injunctive relief under the Illinois Deceptive Trade Practices Act (DTPA), 815 ILCS 510/3. See Kurowski v. Rush Sys. for Health, No. 22 C 5380, 2023 WL 2349606 (N.D. Ill. Mar. 3, 2023) (Kurowski I). Kurowski then filed an amended complaint in which she reasserted (with some additional allegations) the claims the Court had dismissed, as well as several new claims. In the Court's second decision, which concerned the amended complaint, the Court dismissed all but two of Kurowski's claims, including, this time, her DTPA claim. The Court left standing two newly asserted claims, one for breach of contract and one under the Illinois Eavesdropping Act. See Kurowski v. Rush Sys. for Health, No. 22 C 5380, 2023 WL 4707184 (N.D. Ill. July 24, 2023) (Kurowski II).
Kurowski has now moved for leave to file a second amended complaint. In this iteration of her complaint, she has reasserted three of her previously dismissed claims and attempts to address the deficiencies noted by the Court in its earlier rulings. Rush opposes Kurowski's motion. The Court addresses the motion in this opinion.
Discussion
The Court assumes familiarity with Kurowski's allegations as summarized in its earlier decisions and discusses them here only to the extent needed to provide background and context for the motion for leave to amend.
Kurowski alleges that as a Rush patient, she has used and continues to use Rush's web properties to obtain information related to her health care. This includes Rush's patient portal MyChart, which Kurowski uses to exchange with her health care providers communications about appointments, test results, prescription refills, and other treatment. The MyChart patient portal is a software system designed and licensed to Rush by Epic Software Systems. As deployed by Rush, it is available only to patients, and it is password-protected.
Kurowski alleges that the MyChart system, with Rush's knowledge and agreement, secretly deploys "custom analytics scripts"-for example, Google Analytics. Proposed 2d Am. Compl. ¶ 31. This source code, Kurowski alleges, allows for contemporaneous unauthorized interception and transmission of personally identifiable patient data, and redirection and disclosure of "the precise content of patient communications with Rush" whenever a Rush patient uses a Rush web property, including MyChart. Id. ¶ 32. Kurowski alleges that the data transmitted to third parties, including Facebook, Google, and Bidtellect, includes patient IP addresses, patient cookie identifiers, device identifiers, account numbers, URLs, other unique identifying numbers or codes, and browser fingerprints, all of which can be used to direct targeted advertising to patients. Id. ¶¶ 35, 40. She also alleges that patient communications within the MyChart portal are, or were, shared with at least Facebook, Google, and Bidtellect. Id. ¶¶ 38-39. Kurowski alleges that Rush did all of this without her knowledge or authorization and that it derived a benefit from doing so. See, e.g., id. ¶¶ 45, 60, 152.
Kurowski previously asserted, and asserts again in her proposed second amended complaint, claims under the federal Wiretap Act, as amended by the Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2511(1)(a), (c)-(d); the DTPA; and under Illinois common law for breach of an implied duty of confidentiality. The Court previously dismissed each of these claims in Kurowski I and/or Kurowski II. The Court will discuss the details of these claims in this opinion only to the extent needed to explain any changes, whether in Kurowski's claim, in the Court's ruling, or in both.
1. Wiretap Act claim
Under the Wiretap Act, "any person who-(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication" commits an offense and may be subject to a civil penalty. 18 U.S.C. §§ 2511(1), (4) & (5). This is also true for any person who intentionally discloses or uses, or endeavors to disclose or use, the contents of an intercepted communication. Id. § 2511(1)(c), (d).
Section 2511(2)(d) provides an exception when the person intercepting or causing an interception of a communication "is a party to the communication or where one of the parties to the communication has given prior consent to such interception." Id. § 2511(2)(d). The Court has ruled that Rush is "a party to the communication[s]" at issue. But this "party exception" does not permit a party that intercepts or causes interception to escape liability if the "communication is intercepted for the purpose of committing any tortious or criminal act in violation of the Constitution or laws of the United States or of any State." Id.
Kurowski contends that this exception to the party exception applies here. In the previous versions of her complaint, Kurowski contended-and she contends now-that Rush had violated a provision of the Health Insurance Portability and Accountability Act, specifically 42 U.S.C. § 1320d-6(a)(3). This provision imposes a criminal penalty for knowingly "disclosing individually identifiable health information" (again, IIHI) to a third party. HIPAA defines IIHI as
any information, including demographic information collected from an individual, that-(A) is created or received by a health care provider . . . (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or
the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.Id. § 1320d(6) (emphasis added).
In addressing the original version of Kurowski's complaint, the Court found that she had alleged only that IP addresses, cookie identifiers, device identifiers, account numbers, URLs, and browser fingerprints were transmitted to third parties like Facebook, Google, and Bidtellect. The Court found no basis in the complaint to support a plausible inference that such information (at least without more) constituted IIHI within the meaning of HIPAA. See Kurowski I, 2023 WL 2349606, at *5. With regard to the second version of Kurowski's complaint-her first amended complaint-the Court found, again, that she had plausibly alleged only the transmission of metadata to third parties and again concluded this was insufficient to invoke the HIPAA provision quoted above. In this regard, the Court declined to rely on guidance from the Department of Health and Human Services that Kurowski cited in response to Rush's motion to dismiss, finding that the guidance did not warrant deference in interpreting the statute. See Kurowski II, 2023 WL 4707184, at *2-3.
Kurowski's proposed second amended complaint, however, includes additional factual allegations regarding the information she contends was transmitted to third parties with Rush's knowledge and at its instance. In particular, Kurowski (again, a term used to reference the two plaintiffs collectively) alleges that Rush-via the previously-referenced tracking tools-transmitted the name and location of her personal physician, as well as her physician's specialty. See Proposed 2d Am. Compl. ¶¶ 36 ("The communications and information that Rush discloses through third-party tracking tools includes detailed content, including doctors, condition, and/or location information, often transmitted together."), 79. She further alleges that this information was, in turn, used by at least Facebook to target her with particular advertising associated with her particular health conditions. Id. ¶¶ 75-76. In its motion, Rush appears to dispute that this is what actually happens, but the Court cannot adjudicate that sort of factual dispute on a motion to dismiss for failure to state a claim. Rather, the Court is required to take as true Kurowski's well-pleaded allegations, which is what these are. In this regard, the Court also notes that Kurowski lacks the direct access to what occurs in the background on Rush's web properties, and at Facebook, Google, and Bidtellect, that she would need to provide further details supporting her claim of improper disclosures of personal health information.
Finally, Kurowski alleges that Rush knowingly transmits this data and that it does so for the purpose of financial gain. See Proposed 2d Am. Compl. ¶¶ 309-15. All of these allegations, taken together, are sufficient to invoke the HIPAA exception-to-the-party-exception quoted earlier. See 18 U.S.C. § 2511(2)(d). The Court concludes that count one of Kurowski's proposed second amended complaint, unlike the previous versions, plausibly states a claim for relief under the Wiretap Act.
The Court notes in this regard, however, that Kurowski's attempt to invoke violations of the Federal Trade Commission Act as a predicate for violation of the Wiretap Act falls short. She contends that Rush's conduct amounts to an "unfair act[ ] or practice[ ] in or affecting interstate commerce" that runs afoul of 15 U.S.C. § 45(a)(1) by virtue of the FTC's Health Breach Notification Rule, which imposes notification requirements upon vendors of personal health records in the event of a breach of security relating to personal health information. See 16 C.F.R. § 318.3(a). By its terms, however, the Rule does not apply to HIPAA-covered entities and their business associates, a category that includes Rush. See id. § 318.1(a).
2. DTPA claim
When the Court addressed Kurowski's original complaint, it dismissed her claim for damages under the Illinois DTPA after concluding the statute does not authorize monetary relief. See Kurowski I, 2023 WL 2349606, at *8. The Court left standing only her claim for prospective injunctive relief under the statute. More recently, in addressing Kurowski's first amended complaint, the Court dismissed the DTPA injunctive relief claim because Kurowski alleged that transmissions by Rush from MyChart and www.rush.edu to Google and Facebook had ceased as of late March 2023. The Court noted in this regard that the changes that Rush had made were not easily undone and thus that the alleged transmission of information could not reasonably be expected to recur. See Kurowski II, 2023 WL 4707184, at *7-8.
Kurowski's proposed second amended complaint does not add any new allegations regarding the DTPA claim. The Court is unpersuaded that it should depart from its previous rulings, in particular the July 2023 Kurowski II ruling dismissing the claim outright. Indeed, Kurowski does not even bother to argue the point in her motion for leave to amend. The Court denies leave to amend regarding this claim, which is count three of the proposed second amended complaint.
3. Implied duty of confidentiality claim
Kurowski's claim for breach of an implied duty of confidentiality was premised on her contention that "every patient-health care provider relationship" between her and Rush "implies a contract[,] and . . . a provider's disclosure of a patient's private health care information constitutes breach of [this] contract." Kurowski II, 2023 WL 4707184, at *4. She further alleged that Rush's disclosure of her personal health information constituted a breach of the common law duty of confidentiality regarding patient-health care provider communications. Id. In addressing Kurowski's original complaint, the Court found that Kurowski had not sufficiently alleged that any information protected by the physician-patient privilege had been disclosed, see Kurowski I, 2023 WL 2349606, at *6-7, and in addressing the first amended complaint the Court concluded that Illinois law does not permit a claim for breach of this duty of confidentiality. Kurowski II, 2023 WL 4707184, at *4-5.
In reasserting this claim as count two of her proposed second amended complaint, Kurowski does not include any new allegations that would warrant reconsideration by the Court of the latter conclusion. Nor does she argue that the Court overlooked anything in concluding that Illinois law does not authorize a civil cause of action for breach of this implied duty of confidentiality.
Rather, Kurowski's only reference to this claim is a footnote at the end of her motion in which she seeks certification of the earlier dismissal of this claim for interlocutory appeal under 28 U.S.C. § 1292(b). See Pls.' Mot. for Leave to File Second Am. Compl. at 10 n.2. This footnote consists of only a single sentence asking for certification, without any argument or justification. The Court concludes that Kurowski has forfeited the point.
Even were the Court to consider the request for certification on its merits, it would fall short of the mark. Before certifying an order for interlocutory appeal, a court must find that "[its] order involves a controlling question of law as to which there is substantial ground for difference of opinion and that an immediate appeal from the order may materially advance the ultimate termination of the litigation." 28 U.S.C. § 1292(b). The Seventh Circuit has described the criteria for granting a section 1292(b) motion as follows:
There are four statutory criteria for the grant of a section 1292(b) petition to guide the district court: there must be a question of law, it must be controlling, it must be contestable, and its resolution must promise to speed up the litigation. There is also a nonstatutory requirement: the petition must be filed in the district court within a reasonable time after the order sought to be appealed.Ahrenholz v. Bd. of Trs. of Univ. of Ill., 219 F.3d 674, 675 (7th Cir. 2000) (citation omitted).
Kurowski's request for certification of the July 24 dismissal of the breach of confidentiality claims fails for at least three reasons. The first is that it is untimely. She waited two full months after the Court's July 24 ruling before making the request, and even then, she did not file a motion for certification as such but rather buried the request in a footnote at the end of her motion to amend. Second, Kurowski has made no effort to show that the dismissal on legal grounds is a point that is fairly contestable. She cites no authority going the other way, and as the Court has noted at least one other judge in this District has dismissed a similar claim on a similar basis. And third, Kurowski has not shown how an interlocutory appeal on this particular point would "materially advance the ultimate termination of the litigation" as required under section 1292(b). The Seventh Circuit has recognized that interlocutory appeals tend to cause unnecessary delays in proceedings and waste judicial resources. See Herdrich v. Pegram, 154 F.3d 362, 368 (7th Cir. 1998). For this reason, the party seeking an interlocutory appeal must show that "exceptional circumstances justify the departure from the basic policy of postponing appellate review until after the entry of final judgment." Coopers & Lybrand v. Livesay, 437 U.S. 463, 475 (1978) (quoting Fisons, Ltd. v. United States, 458 F.2d 1241, 1248 (7th Cir. 1972)). Kurowski has made no attempt to make this showing.
Conclusion
For the reasons stated above, the Court grants plaintiffs' motion for leave to file a second amended complaint [67] in part. The Court will allow plaintiffs leave to amend with regard to counts one, four, and five of the proposed second amended complaint. Count one is the Wiretap Act claim that the Court has now found sufficient to state a claim for relief, and counts four and five are claims that survived a previous motion to dismiss. Plaintiffs are directed to file within two days a second amended complaint that includes these claims but omits proposed counts two and three. At the telephonic status hearing on December 12, the Court will discuss setting a briefing schedule on defendant's motion to dismiss for lack of standing [74].