Opinion
CIVIL 22-5239
06-10-2024
MEMORANDUM
HON. KAI N. SCOTT, UNITED STATES DISTRICT JUDGE
Plaintiff David Smart brings this proposed class action against Defendant Main Line Health, Inc. (“Main Line Health” or “Defendant”) asserting claims for (1) violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq., (2) negligence, and (3) invasion of privacy - intrusion upon seclusion. Presently before the Court is Defendant's Motion to Dismiss Plaintiffs Amended Complaint (ECF No. 23), which has been fully briefed (see ECF Nos. 25-26, 28), and for which both parties have filed Notices of Supplemental Authority (see ECF Nos. 2936). For the reasons set forth below, Defendant's Motion to Dismiss the Amended Complaint (ECF No. 23) will be granted. An appropriate Order will follow.
The Court draws these factual allegations from Plaintiffs Amended Complaint. ECF No. 22.
Main Line Health is a non-profit health system based in Pennsylvania, which maintains a public website, www.mainlinehealth.org. ECF No. 22, Am. Compl. ¶¶ 5, 60. Plaintiff alleges that on this public website, Main Line Health installed software known as Meta Pixel, which is a product sold by Meta (formally known as Facebook). Id. ¶¶ 22-23. As explained by Plaintiff, “[a] Meta Pixel is a snippet of code that a business can insert on the ‘back end' of its website to collect data about which pages users view, which links users click, what content users access, how much time users spend on each page, and how the website responds to users' inquiries.” Id. ¶ 9. The Meta Pixel then sends this data to Meta, which “analyzes the intercepted data and uses it for [its own] commercial purposes like building-out its user profiles and selling targeted advertisements.” Id. ¶ 11. Meta also returns the intercepted data and its analysis to the business, here Main Line Health, “for its own commercial purposes, like understanding how people use its website and determining what ads its users see.” Id.
Plaintiffs original Complaint contained allegations concerning Main Line Health's patient portal. See generally ECF No. 1. However, following Defendant's Motion to Dismiss, which pointed out that Defendant never had Meta Pixel installed on its patient portal (see ECF No. 20-1 at 1 n. 1), Plaintiff dropped the allegations concerning the secure patient portal in his Amended Complaint. Accordingly, the Amended Complaint is limited to the use of the public-facing website, which can be accessed by patients and non-patients alike.
Plaintiff alleges that Main Line Health designed Meta Pixels to capture the ‘“characteristics' of individual patients' communications with the Main Line Health website (i.e., their IP addresses, Facebook ID, cookie identifiers, device identifiers and account numbers) and the ‘content' of these communications (i.e., the buttons, links, pages, and tabs they click and view).” Id. ¶ 22. By installing such Metal Pixels on its website, Plaintiff alleges that Defendant “began to automatically receive [and transmit to Meta] extensive individually-identifiable patient health information from everyone who visited the website,” despite Main Line Health's representations that its website would “not intentionally share [information concerning a patient's specific medical or health conditions] with any third party” and that it would “seek [patients] written permission prior to using or sharing [their] information for marketing purposes or selling [their] information.” Id. ¶¶ 19, 21, 23.
Plaintiff alleges that he has been a patient of Main Line Health and has been a Facebook user since before 2018. Id. ¶ 4. Plaintiff further alleges he has used the Main Line Health website since 2018 “to engage in communications that included individually-identifiable patient health information about his past, present, or future health conditions, including requests for information about specific Main Line Health providers and locations, and information about specific health conditions, treatments, and services.” Id. ¶ 37. Plaintiff brings this action on behalf of himself and others similarly situated, defined as: “[a]ll people who used Main Line Health's website and had individually-identifiable patient health information about their past, present, or future health conditions shared with Meta without notice or consent.” Id. ¶ 43.
II. PROCEDURAL HISTORY
On December 30, 2022, Plaintiff filed his proposed class action Complaint against Defendants Main Line Health and Meta Platforms, Inc. alleging the following four counts: (Count I) violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq. against both Defendants; (Count II) violation of the Stored Communications Act, 18 U.S.C. § 2701 et seq. against Meta only; (Count III) breach of contract against Meta only; and (4) negligence against Main Line Health only. ECF No. 1. Thereafter, on February 1, 2023, the Honorable Joel H. Slomsky granted the parties' Joint Motion to Sever and Transfer Claims Against Meta Platforms, Inc. to the Northern District of California to be consolidated with In re Meta Pixel Healthcare Litig., No. 22-CV-3580. ECF No. 10. On February 24, 2023, this matter was reassigned from the Honorable Joel H. Slomsky to this jurist. ECF No. 19.
On March 13, 2023, Main Line Health filed a Motion to Dismiss (ECF No. 20), to which Plaintiff responded to by filing an Amended Complaint alleging the following three counts against Main Line Health: (Count I) violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq., (Count II) negligence, and (Count III) invasion of privacy - intrusion upon seclusion. ECF No. 22. On April 10, 2023, Main Line Health filed a Motion to Dismiss the Amended Complaint (ECF No. 23), to which Plaintiff filed an Opposition (ECF No. 25), Defendant filed a Reply (ECF No. 26), and Plaintiff filed a Sur-Reply (ECF No. 28). Since that period, both parties have filed Notices of Supplemental Authority, which the Court has also considered. See ECF Nos. 29-36. Accordingly, this matter is ripe for resolution.
III. LEGAL STANDARD
To survive a Rule 12(b)(6) motion, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face!” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “Plausibility means ‘more than a sheer possibility that a defendant has acted unlawfully.'” Tatis v. Allied Interstate, LLC, 882 F.3d 422, 426 (3d Cir. 2018) (quoting Iqbal, 556 U.S. at 678). A claim is plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citing Twombly, 550 U.S. at 556). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id. In considering a motion to dismiss under Rule 12(b)(6), all well-pleaded allegations in the complaint are accepted as true and interpreted in the light most favorable to the plaintiff, and all inferences are drawn in the plaintiffs favor. See McTernan v. City of York, 577 F.3d 521, 526 (3d Cir. 2009) (quoting Schrob v. Catterson, 948 F.2d 1402, 1408 (3d Cir. 1991)).
IV. DISCUSSION
For the reasons that follow, the Court grants Defendant's Motion to Dismiss the Amended Complaint (ECF No. 23).
A. Plaintiff Does Not Allege Sufficient Facts to State an Electronic Communications Privacy Act (“ECPA”) Claim
To plead a prima facie case under the ECPA, a plaintiff must show that the defendant “‘(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.'” In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125,135 (3d Cir. 2015) (quoting In re Pharmatrak, Inc., 329 F.3d 9, 18 (1st Cir. 2003)). “[O]rdinarily, [however] no cause of action will lie against a private person where such a person is a party to the communication[.]” In re Google, 806 F.3d at 135 (internal quotations and citation omitted). This is because pursuant to § 251 l(2)(d) of the ECPA, it is not unlawful for a person to intercept electronic communications “where such person is a party to the communication . . . unless such communication is intercepted for the purposes of committing a criminal or tortious act in violation of the Constitution or laws of the United States or any State.” 18 U.S.C. § 251 l(2)(d).
Plaintiff concedes in his Opposition that Main Line Health was a party to the website communications, meaning that the one-party consent defense provisionally applies. ECF No. 251 at 3. Thus, as Defendant was a party to the at-issue communications, the question becomes whether Defendant intercepted the communications “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 251 l(2)(d). The parties dispute whether this crime-tort exception applies.
In arguing that the crime-tort exception applies, Plaintiff contends that Defendant violated the Health Insurance Portability and Accountability Act (“HIPPA”) by disclosing the individually-identifiable patient health information to Meta without Plaintiffs notice or consent. ECF No. 251 at 6-9. HIPPA makes it a federal crime for a person to “knowingly . . . disclos[e] individually identifiable health information to another person.” 42 U.S.C. § 1320d-6(a)(3). The HIPPA regulations define “individually identifiable health information” as:
any information, including demographic information collected from an individual, that-(A) is created or received by a health care provider . . . and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and-(i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.Id. § 1320d(6).
Plaintiff has not alleged sufficient facts, however, to support an inference that Defendant disclosed its patients' individually identifiable health information. The Amended Complaint only avers generally that: “[s]ince 2018, Mr. Smart has used Main Line Health's website to engage in communications that included individually-identifiable patient health information about his past, present, or future health conditions, including requests for information about specific Main Line Health providers and locations, and information about specific health conditions, treatments, and services.” Am. Compl. ¶ 37. This Court cannot conclude from these general averments what information Plaintiff actually communicated with Main Line Health via his web browsing and when exactly such information was communicated. For example, Plaintiff has not alleged which specific web pages he clicked on for his medical condition or his history of treatment with Main Line Health. And although the Amended Complaint provides an example of a search by a hypothetical visitor to the Main Line Health webpage (Am. Comp. ¶¶ 24-27), Plaintiff fails to state what specific HIPPA-protected information Plaintiff himself provided to Defendant via his browsing activity that was subsequently disclosed to Meta. Without such factual allegations, the Amended Complaint consists of nothing more than bare-bone conclusions which are insufficient to withstand dismissal.
This conclusion is consistent with two recent Eastern District of Pennsylvania decisions which dismissed complaints with nearly identical allegations to this case because of the lack of specific facts describing plaintiffs' HIPPA-protected information which was allegedly transferred to Meta. See Santoro v. Tower Health, No. CV 22-4580, 2024 WL 1773371, at *3-5 (E.D. Pa. Apr. 24, 2024) (Murphy, J.) (dismissing plaintiffs' ECPA claim finding complaint lacked specific examples of what HIPPA-protected information from plaintiffs was transferred to Meta); Murphy v. Thomas Jefferson Univ. Hosps., Inc., No. CV 22-4674, 2023 WL 7017734, at *3-4 (E.D. Pa. Oct. 10, 2023) (Schiller, J.) (dismissing plaintiffs' ECPA claim finding general allegations that the communications pertained to plaintiffs' “medical symptoms, conditions, and concerns, medical appointments, medical tests and test results, doctors' visit notes, medications and treatments, and health insurance and medical bills” were too vague to state a claim).
Accordingly, this Court will dismiss Count I of Plaintiff s Amended Complaint.
B. Plaintiff Fails to State a Negligence Claim
“In Pennsylvania, the elements of negligence are: a duty to conform to a certain standard for the protection of others against unreasonable risks; the defendant's failure to conform to that standard; a causal connection between the conduct and the resulting injury; and actual loss or damage to the plaintiff.” Brewington v. City of Philadelphia, 199 A.3d 348, 355 (Pa. 2018) (citation omitted). Defendant argues that Plaintiffs negligence claim fails because: (a) Plaintiff fails to plead facts showing Main Line Health owed him a duty of care; (b) Plaintiff fails to establish a breach of any duty; and (c) Plaintiff fails to plead that he incurred any actual loss or damage. ECF No. 23-1 at 13.
Even assuming, arguendo, that Plaintiff has adequately pled an existence of a duty, Plaintiffs negligence claim does not identify the specific individually-identifiable health information searched for on Defendant's website and the consequences of those searches and, therefore, fails to adequately plead causation. Without any specific averments about the “identity of any intended recipient or the content, timing, or number of alleged communications,” the allegations in Count II of Plaintiff's Amended Complaint are no more than “naked assertion[s] devoid of further enhancement.” Murphy, 2023 WL 7017734, at *5 (dismissing similar negligence claim as insufficiently pled) (quoting Iqbal, 556 U.S. at 678-79); see also Santoro, 2024 WL 1773371, at *5-6 (same). Accordingly, Count II of Plaintiff's Amended Complaint will be dismissed.
C. Plaintiff Fails to State an Intrusion Upon Seclusion Claim
Under Pennsylvania law, to state a claim for intrusion upon seclusion, “a plaintiff must aver that there was an intentional intrusion on the seclusion of their private concerns which was substantial and highly offensive to a reasonable person, and aver sufficient facts to establish that the information disclosed would have caused mental suffering, shame or humiliation to a person of ordinary sensibilities.” Pro GolfMfg., Inc. v. Trib. Rev. Newspaper Co., 809 A.2d 243, 247 (Pa. 2002).
Plaintiffs intrusion upon seclusion claim fails to state a claim for the same reasons his prior two claims failed-i.e., because of the lack of specific factual allegations and the reliance on conclusory statements. In support of this claim, Plaintiff alleges generally that Main Line Health's intrusion was “highly offensive” because it intercepted, disclosed to Meta, and used Plaintiffs individually-identifiable health information despite its representations that it would not and, moreover, it did so without notice or written permission from Plaintiff. Am. Compl. ¶¶ 86-94. However, Plaintiff does not include any specific factual matter describing the information. Thus, as Plaintiff fails to identify the nature of the patient health information at issue or offer any specifics regarding the purportedly objectionable conduct, the Court concludes that there are insufficient factual allegations to show that the alleged conduct was “highly offensive.” See Murphy, 2023 WL 7017734, at * 6-7 (dismissing intrusion upon seclusion claim because plaintiffs did not set forth sufficient factual allegations); Santoro, 2024 WL 1773371, at *6-7 (same). Accordingly, Count III of Plaintiff s Amended Complaint will be dismissed.
V. CONCLUSION
For the foregoing reasons, Defendant's Motion to Dismiss (ECF No. 23) will be granted and Plaintiffs Amended Complaint will be dismissed without prejudice. An appropriate Order will follow.