Opinion
Civil Action H-24-775
06-20-2024
MEMORANDUM AND ORDER
LEE H. ROSENTHAL, UNITED STATES DISTRICT JUDGE
The only issue before the court is whether the plaintiffs' complaint pleads sufficient factual allegations to state claims for violating the federal Electronic Communications Privacy Act and state law claims for violating privacy rights, resulting in unjust enrichment. The question at this stage is pleading sufficiency, not evidentiary sufficiency.
Edward Sweat sued Houston Methodist Hospital on behalf of himself and other similarly situated individuals, alleging that Houston Methodist transmitted protected patient health information to Facebook and other third parties. (Docket Entry No. 6). Houston Methodist is a large healthcare provider based in Houston, Texas. (Id. at ¶ 7). Sweat and the plaintiffs he wants to represent are individuals who searched for or obtained medical services from Houston Methodist using the hospital's public website or private patient portal. (Id. at ¶ 7-8). Sweat alleges that until 2022, Houston Methodist had a Facebook tracking pixel embedded in its public website and private patient portal. (Id. at ¶ 9). A pixel is a code that tracks details about a website visitor's interactions with the webpage, including text the visitors type while on the site. The plaintiffs allege that they were unaware of the tracking pixels, and that Houston Methodist provided the pixel information to Facebook and other third parties without the plaintiffs' knowledge or consent. (Id. at ¶¶ 9, 18). The plaintiffs allege that the information allowed the entities receiving the information to know that a patient or potential patient was seeking medical care and for what conditions, including pregnancy, dementia, or HIV, linking that information to the patient's Facebook profile. (Id. at ¶¶ 17, 42). In 2022, Houston Methodist stopped using Facebook tracking pixels. (Docket Entry No. 14 at 8).
The plaintiffs assert claims under state law for invasion of privacy and unjust enrichment, and under federal law for violating the Electronic Communications Privacy Act (“Wiretap Act”), 18 U.S.C § 2510 et seq. Methodist has moved to dismiss all claims on the basis that Texas law does not recognize virtual intrusions on privacy and that the plaintiffs voluntarily provided the data to Methodist. (Docket Entry No. 14). Based on the pleadings, motions, briefs, and the applicable law, the court grants in part and denies in part the motion to dismiss. The reasons are set out below.
I. The Legal Standard for Dismissal
Rule 12(b)(6) allows dismissal if a plaintiff fails “to state a claim upon which relief can be granted.” Fed.R.Civ.P. 12(b)(6). Rule 12(b)(6) must be read in conjunction with Rule 8(a), which requires “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). A complaint must contain “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). Rule 8 “does not require ‘detailed factual allegations,' but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 555). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556). “The plausibility standard is not akin to a ‘probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 556).
To withstand a Rule 12(b)(6) motion, a complaint must include “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Lincoln v. Turner, 874 F.3d 833, 839 (5th Cir. 2017) (quoting Twombly, 550 U.S. at 555). “Nor does a complaint suffice if it tenders ‘naked assertion[s]' devoid of ‘further factual enhancement.'” Iqbal, 556 U.S. at 678 (alteration in original) (quoting Twombly, 550 U.S. at 557). “A complaint ‘does not need detailed factual allegations,' but the facts alleged ‘must be enough to raise a right to relief above the speculative level.'” Cicalese v. Univ. of Tex. Med. Branch, 924 F.3d 762, 765 (5th Cir. 2019) (quoting Twombly, 550 U.S. at 555). “Conversely, when the allegations in a complaint, however true, could not raise a claim of entitlement to relief, this basic deficiency should be exposed at the point of minimum expenditure of time and money by the parties and the court.” Cuvillier v. Taylor, 503 F.3d 397, 401 (5th Cir. 2007) (alterations omitted) (quoting Twombly, 550 U.S. at 558).
A court reviewing a motion to dismiss under Rule 12(b)(6) may consider “(1) the facts set forth in the complaint, (2) documents attached to the complaint, and (3) matters of which judicial notice may be taken under Federal Rule of Evidence 201.” Inclusive Cmtys Project, Inc. v. Lincoln Prop. Co., 920 F.3d 890, 900 (5th Cir. 2019).
II. Analysis
A. Invasion of Privacy
In Texas, the tort of “invasion of privacy” stems from specific “privacy interests,” including “[i]ntrusion upon the plaintiff's seclusion or solitude, or into his private affairs . . . Public disclosure of embarrassing private facts about the plaintiff . . . Publicity which places the plaintiff in a false light in the public eye . . . Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.” Ross v. Midwest Commc'ns, Inc., 870 F.2d 271, 273 (5th Cir. 1989) (citing Industrial Foundation of the South v. Texas Industrial Accident Board, 540 S.W.2d 668 (Tex. 1976)).
“Intrusion on seclusion” requires two elements: “1) an intentional intrusion, physical or otherwise, upon another's solitude, seclusion, or private affairs or concerns, which 2) would be highly offensive to a reasonable person.” Amin v. United Postal Serv., Inc., 66 F.4th 568, 576 (5th Cir. 2023) (citing Valenzuela v. Aquino, 853 S.W.2d 512, 513 (Tex. 1993)). Although the Fifth Circuit has not decided whether a virtual intrusion is enough for a claim for invasion of privacy, several district courts within the Fifth Circuit have considered the question.
The Northern District of Texas found a non-physical intrusion sufficient to state a claim for invasion of privacy when the defendants allegedly took a photograph from a private digital domain without the plaintiff's consent. Hazlewood v. Netflix Inc., 2023 WL 6771506 (N.D. Tex. Oct. 11, 2023). The Northern District found that allegations of a non-physical intrusion were insufficient to state a claim for invasion of privacy when the defendant allegedly emailed the plaintiff's medical records to a third party without authorization. Walters v. Blue Cross & Blue Shield of Tex., Inc., 2022 WL 902735 (N.D. Tex. March 28, 2022). The same court has held that “disclosure of information to a third party does not qualify as an act of intrusion itself.” Aldridge v. Sec'y, Dep't of the Air Force, 2005 WL 2738327, at 11 (N.D. Tex. Oct. 24, 2005). That court explained that the disclosure of medical records to a third party did not rise to the same level as “spying, opening private mail, [or] wiretapping” and was not, by itself, an actual intrusion. Id.; accord Smocks v. Preston Heights Apt., 2024 WL 38284, at *4 (E.D. Tex. Jan. 3, 2024) (An intrusion “requires more than the disclosure of information to a third party.”).
The court notes that district courts outside the Fifth Circuit, interpreting state law outside Texas, have found that a healthcare provider's use of pixels and disclosure of the pixel can be an intrusion of privacy that is offensive to a reasonable person. See, e.g., Doe v. Regents of University of California, 672 F.Supp.3d 813 (N.D. Cal. May 8, 2023); In re Group Health Plan Litigation, No. 23-cv-267, 2023 WL 8850243, at *2-3 (D. Minn. Dec. 21, 2023). The Ninth Circuit has found Facebook's use of data collection methods such as tracking pixels to be an intrusion of privacy in light of “a holistic consideration of factors such as likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive[.]” In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589, 602-06 (9th Cir. 2020). Other district courts, however, have dismissed state-law privacy claims against hospitals for using tracking pixel software. See, e.g., Murphy v. Thomas Jefferson Univ. Hosps., Inc., 2023 WL 7017734, at *6 (E.D. Pa. Oct. 10, 2023) (dismissing intrusion upon seclusion claim on the basis that plaintiffs did not offer specifics, including failing to show that the hospital's conduct was “highly offensive”); Hartley v. Univ. of Chicago Med. Ctr., 2023 WL 7386060, at *2 (N.D. Ill. Nov. 8, 2023) (dismissing intrusion upon seclusion claim because the plaintiff's complaint was not about the intrusion itself but the publication of the information).
District courts in this circuit interpret Texas law as holding that gathering information and disclosing it to a third party, even medical information, does not qualify as an actual intrusion. Although the court agrees with the plaintiffs that an intrusion need not be physical, the plaintiffs' alleged facts do not rise to the level of actual intrusion that constitutes an invasion of privacy. The disclosure of medical records to third parties, while disturbing, is not in itself an actual invasion of privacy under Texas law. See Walters, 2022 WL 902735.
Based on Texas law, the court dismisses the state law claims as insufficient to state a claim for invasion of privacy. The plaintiffs have already amended their pleadings once and have not requested leave to amend in the briefs on the motion to dismiss. The dismissal of the state law invasion of privacy claim is therefore with prejudice.
B. The Wiretap Act
To state a claim under the Wiretap Act, the plaintiffs must plead facts showing that Methodist intentionally intercepted the contents of plaintiffs' electronic communications by using an electronic, mechanical, or other type of device. 18 U.S.C. §§ 2510-2523. The Wiretap Act defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). Although the Wiretap Act creates an exception from liability for parties to the communication, 18 U.S.C. § 2511(d), the Act provides an exception from the exception by stating that a “party to the communication” may be liable when a “communication is intercepted for the purpose of committing any criminal or tortious act.” 18 U.S.C § 2511(2)(d).
The Fifth Circuit has held that when the plaintiffs themselves provide the information at issue to the defendants, the plaintiffs cannot recover for a violation of the Wiretap Act. Bott v. Vistaprint USA Inc., 392 Fed.Appx. 327 (5th Cir. 2010). In cases involving hospitals that are parties to the communication of patient medical information, courts have found that the fact that the hospitals receive the information is not an actionable interception. For example, in Hartley, the Northern District of Illinois held that hospitals cannot be liable for the receiving communications from a patient, because the hospitals are a “necessary recipient,” even when the information is then disclosed to a third party by the hospital. Hartley, 2023 WL 7386060, at *1-*2.
The rule that a party to, or necessary recipient of, the communication of medical information is not liable for receiving those communications does not apply when a “communication is intercepted for the purpose of committing any criminal or tortious act.” 18 U.S.C § 2511(2)(d). The plaintiffs allege that Methodist falls within this exception because it received the patient health information for the purpose of disclosing it to a third party, Facebook. The plaintiffs allege that this disclosure was a criminal violation of HIPAA, 42 U.S.C. § 1320d-6; a violation of the Texas Administrative Code, § 133.42 (a)(1)(H); and a violation of the Texas Health and Safety Code, § 181.153. HIPAA makes “disclos[ing] individually identifiable health information to another person . . . without authorization” from the patient a criminal violation and provides for penalties when the information is disclosed for commercial purposes. 42 U.S.C. § 1320d-6.
The plaintiffs also allege that the exception does not apply because Methodist's receipt of the information was a tortious invasion of privacy, a claim that the court has dismissed.
Houston Methodist cites In re Google Inc. Gmail Litig., 2014 WL 1102660, at *18 n.13 (N.D. Cal. Mar. 18, 2014), which explains that “[a]lleged interceptions fall within the tort or crime exception only where the primary motivation or a determining factor in the interceptor's actions has been to injure plaintiffs tortiously, . . . [and] cannot apply where the interceptor's purpose . . . [was] to make money.” (internal quotation omitted). But In re Google did not implicate HIPAA and the disclosure of individuals' medical information, and instead involved allegations that Google was scanning users' e-mails to provide targeted ads.
Accepting the plaintiffs' well pleaded factual allegations as true, as required in considering the motion to dismiss, a purpose of the disclosure “was to commit wrongful and tortious acts, namely, the use of patient data for advertising in the absence of express written consent, and the use for marketing and revenue generation ... in violation of HIPAA[.]” In re Grp. Health Plan Litig., --- F.Supp.3d ---, 2023 WL 8850243, at *8 (D. Minn. Dec. 21, 2023). Other courts have applied the crime-tort exception to similar cases involving hospitals transmitting medical information to a third party through the use of pixels, allegedly in violation of HIPAA. See, e.g., Kane v. University of Rochester, No. 23-cv-6027, 2024 WL 1178340, at *8 (W.D.N.Y. Mar. 19, 2024) (holding that the plaintiffs had sufficiently plead that the information disclosed could reasonably identify a person who scheduled an appointment, the provider, and their specialty, in violation of the Wiretap Act); Mekhail v. North Memorial Health Care, No. 23-cv-00440, 2024 WL 1332260, at *5-*6 (D. Minn. Mar. 28, 2024) (holding that the plaintiffs had sufficiently plead a violation of HIPAA to survive a motion to dismiss). The plaintiffs' allegations that Methodist disclosed the pixel data to “Facebook and any third-party purchasers . . .[that] could reasonably infer from the data that a specific patient was being treated for a specific type of medical condition, such as cancer, pregnancy, dementia, or HIV[,]” (Docket Entry No. 6 at ¶ 17), are enough to plead that individually identifiable patient information was disclosed to third parties without the patient's knowledge or consent.
In the absence of guidance from the Fifth Circuit on whether the crime-tort exception applies when a medical provider's primary purpose in disclosing patient medical information is commercial, the plaintiffs have sufficiently pleaded a crime-tort exception under the Wiretap Act to withstand dismissal at this pleading stage. This ruling allows the parties to argue on summary judgment whether Methodist's purpose in intercepting patient data falls within the statutory exemption from liability, even though the hospital disclosed individually identifiable patient information to a third party.
C. Unjust Enrichment
Methodist argues that the unjust enrichment claim must be dismissed because there is no other prevailing claim, as required for plaintiffs to recover under a theory of unjust enrichment. See, e.g., Juan Antonio Sanchez, PC v. Bank of S. Tex., 494 F.Supp.3d 421, 440 (S.D. Tex. 2020); Schouest v. Medtronic, Inc., 92 F.Supp.3d 606, 614 (S.D. Tex. 2015); Applin v. Deutsche Bk. Nat. Trust, 2014 WL 1024006, at *7 (S.D. Tex. 2014). Because the court has allowed the statutory claim to proceed, there is no basis to dismiss the unjust enrichment claim at this time.
III. Conclusion
Houston Methodist's motion to dismiss, (Docket Entry No. 14), is granted with prejudice as to the invasion of privacy claim, and otherwise denied without prejudice.