UNITED STATES DISTRICT COURT CENTRAL DISTRICT OF ILLINOIS ROCK ISLAND DIVISION
ALANA HANNANT, ) ) Plaintiff, ) ) v. ) Case No. 4:24-cv-04164-SLD-RLH ) CULBERTSON MEMORIAL HOSPITAL ) FOUNDATION, d/b/a SARAH D ) CULBERTSON MEMORIAL HOSPITAL, ) ) Defendant. )
ORDER This case is about the legality of tracking technology allegedly embedded into the website of Defendant Culbertson Memorial Hospital Foundation, d/b/a Sarah D. Culbertson Memorial Hospital (“Culbertson”). Before the Court is Culbertson’s motion to dismiss, ECF No. 33, seeking dismissal on grounds that Plaintiff Alana Hannant’s Second Amended Class Action Complaint, ECF No. 27, fails to state a claim upon which relief can be granted. Also before the Court is Culbertson’s motion for leave to reply, ECF No. 37. For the reasons that follow, Culbertson’s motion for leave to reply is DENIED, and its motion to dismiss is GRANTED IN PART and DENIED IN PART. BACKGROUND1 I. Factual Background Culbertson is a hospital system in Rushville, Illinois, providing in-patient services, an emergency department, outpatient specialty clinics, and family practice clinics. It operates a
1 For the sake of ruling on a motion to dismiss, the Court “accept[s] as true all factual allegations in the amended complaint and draw[s] all permissible inferences in [the plaintiff’s] favor.” Bible v. United Student Aid Funds, Inc., 799 F.3d 633, 639 (7th Cir. 2015). Unless otherwise noted, the factual background is drawn from Hannant’s Second Amended Class Action Complaint. website that provides various web-based resources, tools, and services, including the ability to search for medical providers and services, access a patient portal, pay bills, and search the website for other treatment-related information. In this case, Hannant alleges that Culbertson wrongfully embedded third-party tracking technology in its website. The technology included
trackers from Facebook, Google, and Microsoft that collected details about site users’ interaction with Culbertson’s website. Facebook’s Meta Pixel (the “Pixel”) is illustrative. The Pixel is a portion of code embedded into a website that tracks the site users’ interaction with the website. Website owners can configure their websites to use the Pixel on pages of their choice. When the Pixel is coded into a webpage, it by default collects information about the device and account used to access the page, as well as the URLs and domains the user visits. The Pixel also has the ability to track a user’s search terms, button clicks, and form submissions. The Pixel can then link this tracked information with an individual’s Facebook ID to connect the collected information to the user’s Facebook profile. After collecting the information, Facebook uses it to create and sell targeted
online advertisements and enhanced marketing services. Facebook also markets a Conversions Application Programming Interface (“CAPI”), which it recommends in addition to the Pixel. CAPI uses the website owner’s private servers (rather than the users’ browsers) to track users’ activity, allowing the Pixel to bypass ad blockers and other denials of consent. At least from the period of 2021 to 2023, Culbertson willfully embedded the Pixel into its website. Other trackers were used during this and similar periods. Culbertson thereby collected users’ personal data and activity and transferred it to Facebook and others in exchange for improved marketing. Once embedded, the trackers accessed users’ information such as their browsing activities, including the pages they viewed and the buttons they clicked; information concerning their statuses as patients such as patient portal activities; information concerning their medical concerns such as the providers they searched for and viewed and the medical services they viewed; as well as . . . identifying information, such as IP addresses and identifying cookies.
Second Am. Compl. 8. Culbertson did not disclose its use of these trackers to patients or website users. On the contrary, Hannant and other website users expected that Culbertson would not share such information with third parties like Facebook. Hannant was a patient of Culbertson who used its website and online platforms from 2021 through 2023. She used the website to search for physicians, research treatments, and access the patient portal. As a result, Culbertson collected and transmitted to third parties information about Hannant including “the name and location of her personal physician, the medical treatment she researched including information related to an MRI test, her treatment search information, her research on obtaining medical records, and her log in and use of the patient portal.” Id. at 37. After Hannant’s use of Culbertson’s website, targeted advertisements for MRI tests and other medical treatment appeared in her Facebook feed. She discovered the nature of Culbertson’s tracking and transmission of her data in November 2023. At all times prior to that date, Hannant expected that her interaction with the website was confidential and that information about her use of the website would not be transmitted to third parties. As a result of the disclosure of her information, Hannant has suffered harm including a loss of privacy, emotional distress, the decreased value of her private information, a lost benefit of the bargain, and an increased risk of harm resulting from use of her information. II. Procedural History Hannant filed her first complaint on September 6, 2024, and amended it in February 2025. She sought relief on behalf of “[a]ll patients of Defendant residing in the United States whose Private Information was disclosed by Defendant to third parties through the Meta Pixel and related technology without authorization.” First Am. Compl. 54, ECF No. 14. Hannant brought twelve counts based on a combination of common law, state statutes, and federal statutes. In response to a motion to dismiss, the Court dismissed all counts except for two that it construed as negligence claims. Aug. 20, 2025 Order 37, ECF No. 24.
Hannant filed her Second Amended Class Action Complaint on September 10, 2025. It is now the operative complaint in this case. See Oct. 17, 2025 Order 11, ECF No. 32. The complaint brings five counts on behalf of the same putative class. Second Am. Compl. 55. Hannant re-pleads the two counts that survived the first motion to dismiss, amends two counts brought under Title I of the Electronic Communications Privacy Act (“ECPA”)—one for violating 18 U.S.C. § 2511(1) and one for violating 18 U.S.C. § 2511(3)(a)—and amends one count under Title II of the ECPA, commonly known as the Stored Communications Act (“SCA”). Id. at 61–73. Culbertson filed this second motion to dismiss on November 17, 2025, seeking dismissal of all five counts. Culbertson argues that it is immune from liability for the negligence claims
under the Illinois Tort Immunity Act. Mem. Supp. Mot. Dismiss 13–15, ECF No. 34. It further argues that the claim under 18 U.S.C. § 2511(1) should be dismissed because the ECPA is a one- party consent statute and because Hannant did not allege that Culbertson intercepted the “contents” of any communication. Id. at 3–10. Culbertson seeks dismissal of the remaining ECPA claims because it is not an electronic communication service provider as required by the statute. Id. at 11–13. Hannant opposes the motion, arguing that the Tort Immunity Act does not apply, that Culbertson’s behavior falls within the crime-tort exception to the one-party consent rule, and that Culbertson is an electronic communication service provider. See generally Resp. Mot. Dismiss, ECF No. 35. DISCUSSION I. Motion for Leave to Reply The Central District of Illinois’s local rules provide that “[a] reply to the response is only permitted with leave of Court.” Civil LR 7.1(B)(3). “Replies may be allowed for reasons
including the non-movant’s introduction of new and unexpected issues in his response, and the interest of completeness.” Magnuson v. Exelon Corp., 658 F. Supp. 3d 652, 658 (C.D. Ill. 2023) (quotation marks and alteration omitted). “[T]he Court does not typically permit the moving party to file a reply in order to introduce new arguments or evidence that could have been included in the motion itself, or to rehash the arguments made in the motion.” Shefts v. Petrakis, No. 10-cv-1104, 2011 WL 5930469, at *8 (C.D. Ill. Nov. 29, 2011). Culbertson seeks leave to reply due to “the number of claims, as well as their nature and complexity.” Mot. Leave Reply 2. However, Culbertson does not suggest that Hannant’s response introduced any new and unexpected issues. Instead, the reply largely repeats arguments already presented in Culbertson’s motion to dismiss. Although Hannant brings five counts against Culbertson, the
Court does not find the counts to be so many or so complex as to require additional argumentation in the reply to fully address them. Thus, Culbertson’s motion for leave to reply is DENIED. II. Motion to Dismiss a. Legal Standard A court will dismiss a complaint if it “fail[s] to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). To state a claim, a complaint need not prove the case, but it must provide more than “a formulaic recitation of the elements of a cause of action.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). It must “plausibly give rise to an entitlement to relief” by pleading sufficient factual content that the court can reasonably infer “that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678–79 (2009). When reviewing a Rule 12(b)(6) motion to dismiss, a court must accept all well-pleaded facts in the complaint as true and draw all reasonable inferences in favor of the plaintiff. Indep. Tr. Corp.
v. Stewart Info. Servs. Corp., 665 F.3d 930, 934 (7th Cir. 2012). However, a court does not have to accept a complaint’s legal conclusions as true. Phillips v. Prudential Ins. Co. of Am., 714 F.3d 1017, 1019 (7th Cir. 2013). b. Analysis i. Counts I–II: Negligence and Negligence Per Se Counts I and II re-state claims that survived Culbertson’s first motion to dismiss. See Aug. 20, 2025 Order 24–30; Second Am. Compl. 61–65. Count I alleges that Culbertson violated its duty to exercise reasonable care in handling patients’ private information. Second Am. Compl. 61–63. Count II is brought in the alternative and alleges that Culbertson violated various state and federal laws that were designed to protect Hannant and other similarly situated
patients. Id. at 63–65. The claims are identical in both the first and second amended complaints. Compare First Am. Compl. 62–66, with Second Am. Compl. 61–65. Culbertson raises only one ground for dismissal: the negligence claims are barred by the Illinois Tort Immunity Act (the “Act”), 745 ILCS 10/1-101–10/10-101. Mem. Supp. Mot. Dismiss 13–15. The Act states: “A local public entity is not liable for an injury resulting from an act or omission of its employee where the employee is not liable.” 745 ILCS 10/2-109. It further provides that “a public employee serving in a position involving the determination of policy or the exercise of discretion is not liable for an injury resulting from his act or omission in determining policy when acting in the exercise of such discretion even though abused.” Id. § 2-201. The Act defines “local public entity” to include “any not-for-profit corporation organized for the purpose of conducting public business.” Id. § 1-206. For a non-profit to fall within this definition and thereby receive tort immunity, it “must demonstrate that it conducts ‘public business’ by establishing that it pursues ‘an activity that benefits the entire community
without limitation’ and that it is ‘tightly enmeshed with government either through direct governmental ownership or operational control by a unit of local government.’” Brugger v. Joseph Acad., Inc., 781 N.E.2d 269, 275 (Ill. 2002) (quoting Carroll v. Paddock, 764 N.E.2d 1118, 1124–25 (Ill. 2002)). Culbertson claims that, as a non-profit hospital organized for the purpose of conducting public business, it falls within the statutory definition of a “local public entity” to which the Act’s protections apply. Mem. Supp. Mot. Dismiss 14. Its alleged use of third-party tracking technologies, Culbertson continues, constitutes a determination of policy or exercise of discretion, meaning it is immune from liability under Sections 2-109 and 2-201 of the Act. Id. at 14–15. Hannant responds that Culbertson has failed to show its status as a municipal corporation
subject to the protections of the Act, and that the complaint’s allegations are related to a ministerial duty, not an act of discretion, meaning Culbertson is not immune from liability. Resp. Mot. Dismiss 13–15. The Court first notes that it is generally improper to raise new grounds for dismissal in a successive motion to dismiss if the arguments could have been presented the first time around. Fed. R. Civ. P. 12(g); Kramer v. Am. Bank & Tr. Co., No. 11 C 8758, 2014 WL 3638852, at *2 (N.D. Ill. July 23, 2014); Redwood v. Piland, No. 00-2305, 2005 WL 8164631, at *2 (C.D. Ill. Jan. 24, 2005). However, in the interest of judicial economy, the Court will consider whether the negligence claims are barred by the Illinois Tort Immunity Act. Immunity under the Act is an affirmative defense. Prokop v. Hileman, 588 F. Supp. 3d 825, 844-45 (N.D. Ill. 2022). Dismissal on the basis of an affirmative defense is appropriate only if the complaint’s allegations establish all elements of the defense. Hyson USA, Inc. v. Hyson 2U, Ltd., 821 F.3d 935, 939 (7th Cir. 2016). The complaint here does not contain any
allegations establishing that Culbertson is either subject to direct governmental ownership or governmental control or that it conducts public business. Culbertson nevertheless argues that it is “part of a hospital district organized under Illinois law,” and that it accordingly receives the protections of the Act. Mem. Supp. Mot. Dismiss 14; see Sappington v. Sparta Mun. Hosp. Dist., 245 N.E.2d 262, 263 (Ill. App. Ct. 1969) (holding that “a hospital district is a municipal corporation” for purposes of the Act). To support that contention, Culbertson cites to the “History” page of its website, which Hannant references in passing in her complaint. See id. 14 n.4; Second Am. Compl. 12 n.32. However, the contents of Culbertson’s webpage are obviously beyond the face of the complaint, and the webpage is not so central to the complaint as to be incorporated by reference, see Fin. Fiduciaries, LLC v. Gannett Co., 46 F.4th 654, 663 (7th Cir.
2022) (requiring that material referenced but not present in the complaint to be “central to the plaintiff’s claim” in order to be considered when ruling on a motion to dismiss). Even if the existence of a hospital district that itself is a municipal corporation is judicially noticeable, neither the facts pled in the complaint nor the content of Culbertson’s webpage sufficiently outline the relationship between Culbertson (sued as “the Culbertson Memorial Hospital Foundation”), the hospital itself, and a hospital district. As a result, the Court cannot determine at this stage that Culbertson falls within the definition of a “local public entity” for purposes of the Act. Accordingly, Counts I and II survive the motion to dismiss. For the reasons stated in the Court’s previous order, Count II is construed as another negligence claim based on the violation of a statute. See Aug. 20, 2025 Order 29–30. ii. Count III: ECPA
Hannant brings Count III for a violation the ECPA. Second Am. Compl. 65–68. She alleges that Culbertson violated § 2511(1)(a) of the ECPA by embedding the tracking technology on its website to intercept her communications regarding medical treatment. Id. at 67. She further alleges that Culbertson’s disclosure of the intercepted communications to third parties like Facebook and Google violates § 2511(1)(c) and that Culbertson’s use of the communications violated § 2511(1)(d). Id. The ECPA makes it unlawful to “intentionally intercept[], endeavor[] to intercept, or procure[] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a). It also makes it unlawful to use or disclose to a third party the contents of any communication while knowing or having reason to know that it was
obtained in such a manner. Id. § 2511(1)(c)–(d). It creates a private right of action for any person whose electronic communication is intercepted, disclosed, or intentionally used in violation of the ECPA. Id. § 2520(a). The ECPA carves out an exception wherein it is not unlawful for a person to intercept electronic communication “where such person is a party to the communication.” Id. § 2511(2)(d). But there is a further “crime-tort exception” to this exception: the exception does not apply if “such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” Id. The Court dismissed a similar claim in Hannant’s first amended complaint. See Aug. 20, 2025 Order 5–11. It held that Culbertson was a party to the alleged communication and that the complaint did not plead sufficient facts to demonstrate that the crime-tort exception should apply. Id. at 6, 11. Hannant argues that the revised complaint cures this issue. Resp. Mot.
Dismiss 7–11; see Second Am. Compl. 37. She highlights her allegations that Culbertson intercepted and transferred information including “the name and location of her personal physician, the medical treatment she researched including information related to an MRI test, her treatment search information, her research on obtaining medical records, and her log in and use of the patient portal.” Resp. Mot. Dismiss 9; Second Am. Compl. 37. Culbertson contends that the amended claim fails for two reasons: (1) Hannant still insufficiently alleges facts to establish the crime-tort exception, Mem. Supp. Mot. Dismiss 4–8, and (2) she does not allege that the “contents” of her communication were intercepted or disclosed, id. at 9–10. 1. Crime-tort Exception
As before, the parties do not contest that Culbertson was a party to the relevant communication. See Resp. Mot. Dismiss 7 (“Culbertson was a party to the subject medical communications . . . .”). Culbertson is thus exempt from liability under this section of the ECPA unless it intercepted the communication “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d). Hannant argues, as in her first amended complaint, that Culbertson’s purpose in intercepting the communication was to transmit the communication to third parties in violation of the Health Insurance Portability and Accountability Act (“HIPAA”), 42 U.S.C. §§ 1320d to d-9. Resp. Mot. Dismiss 7–11. Two things must be true for this argument to prevail: (1) that Culbertson’s actions violated HIPAA; and (2) that Culbertson’s interception of the communication was for the purpose of committing an independent act that violated HIPAA. See Doe v. Deaconess Ill. Union Cnty. Hosp., Inc., No. 3:24-CV-02284-NJR, 2025 WL 2771415, at *9–11 (S.D. Ill. Sept. 29, 2025) (separately discussing each consideration). In this case, Hannant has sufficiently alleged each.
Generally, HIPAA criminalizes the knowing disclosure of “individually identifiable health information” (“IIHI”) to a third party. 42 U.S.C. § 1320d-6(a). It defines IIHI as: [A]ny information, including demographic information collected from an individual that— (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and— (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Id. § 1320d(6). Courts generally distinguish between, on the one hand, the disclosure of metadata related to visits to a publicly available website and, on the other, the disclosure of information specific to patients—such as their appointments, the identity of their health care providers, and actions taken to seek medical care including clicking links to log in to patient portals or schedule appointments. For instance, the Northern District of Illinois held that a plaintiff plausibly alleged a HIPAA violation when her amended complaint stated that the hospital “transmitted the name and location of her personal physician, as well as her physician’s specialty.” See Kurowski v. Rush Sys. for Health (Kurowski III), No. 22 C 5380, 2023 WL 8544084, at *3 (N.D. Ill. Dec. 11, 2023). This was in contrast with the plaintiff’s initial complaint, which was dismissed because it alleged merely that the tracking tools collected “IP addresses, cookie identifiers, device identifiers, account numbers, URLs, and browser fingerprints.” Id. at 2; see also Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 380 (S.D.N.Y. 2024) (finding plausible IIHI disclosure based on allegations that the hospital “disclosed [the p]laintiffs’ names, emails, computer IP addresses, device identifiers, web URLs, and the days on which they sought
treatment, as well as the services they selected, and their patient statuses, medical conditions, treatments, and provider and appointment information”); Kane v. Univ. of Rochester, No. 23- CV-6027-FPG, 2024 WL 1178340, at *6 (W.D.N.Y. Mar. 19, 2024) (finding it plausible that the defendant disclosed IIHI if it transmitted a user’s attempts to schedule an appointment); Juenger v. Deaconess Health Sys., Inc., No. 3:24-CV-2332-NJR, 2025 WL 2780221, at *4 (S.D. Ill. Sept. 30, 2025) (similar), reconsidered in part, No. 3:24-CV-2332-NJR, 2025 WL 3235753 (S.D. Ill. Nov. 19, 2025); Doe v. Deaconess, 2025 WL 2771415, at *9 (similar). Hannant’s allegations establish a plausible HIPAA violation. She alleges that Culbertson intercepted and transferred information including “the name and location of her personal physician, the medical treatment she researched including information related to an MRI test, her
treatment search information, her research on obtaining medical records, and her log in and use of the patient portal.” Second Am. Compl. 37. These allegations contrast with Hannant’s first amended complaint, in which she “d[id] not allege that she actually contacted any specific physician, that she actually obtained any of her medical records, nor even that she logged into the patient portal.” Aug 20, 2025 Order 9. In the light most favorable to Hannant, at least her use of the patient portal and name of her personal physician are IIHI. These each relate specifically to her treatment and status as a patient. When combined with identifying information such as Hannant’s “IP addresses and/or ‘c_user’ cookie and/or Facebook ID,” Second Am. Compl. 38, Culbertson plausibly disclosed identifiable information “relat[ed] to . . . the provision of health care” to Hannant. 42 U.S.C. § 1320d(6). Culbertson claims that even if there was a HIPAA violation, the crime-fraud exception does not apply because its interception of Hannant’s communication was not for the purpose of
violating HIPAA. Mem. Supp. Mot. Dismiss 6. It argues that the alleged HIPAA violation is not separate from the alleged ECPA violation, and that the allegations show Culbertson was motivated by financial gain, not a desire to violate HIPAA. Id. at 7–8. As Culbertson notes, Mem. Supp. Mot. Dismiss 7, the crime-tort exception applies only “where the defendant allegedly committed a tortious or criminal act independent from the act of recording itself.” Kurowski v. Rush Sys. for Health (Kurowski II), 683 F. Supp. 3d 836, 844 (N.D. Ill. 2023); see also Planned Parenthood Fed. of Am., Inc. v. Newman, 51 F.4th 1125, 1136 (9th Cir. 2022) (“This criminal or tortious purpose must be separate and independent from the act of the recording.”); Caro v. Weintraub, 618 F.3d 94, 100 (2d Cir. 2010) (“Intent may not be inferred simply by demonstrating that the intentional act of recording itself constituted a tort.”).
There is an independent criminal act in this case. As the Southern District of Illinois has noted in analogous cases, the allegations identify two steps: (1) the capture of personal health information through trackers embedded in the hospital’s website, and (2) the disclosure of that information to third parties. Juenger, 2025 WL 2780221, at *9; accord Doe v. Deaconess, 2025 WL 2771415, at *10. Similarly here, the alleged criminal act is the disclosure of IIHI to third parties. This is conceptually separate from the alleged interception of the information by use of the trackers. A few courts have held that the disclosure of a communication is not for the purpose of committing a crime or tort if it is primarily motivated by financial gain. See, e.g., Roe v. Amgen Inc., No. 2:23-cv-07448-MCS-SSC, 2024 WL 2873482, at *6 (C.D. Cal. June 5, 2024) (“[T]he crime-tort exception is inapplicable where a defendant’s primary motivation is to make money rather than to injure plaintiffs tortiously or criminally.”), reconsideration denied sub nom., Doe v. Amgen, Inc., No. 2:23-cv-07448-MCS-SSC, 2024 WL 3811251 (C.D. Cal. Aug. 13, 2024); accord Williams v. TMC Health, No. CV-23-00434-TUC-SHR, 2024 WL 4364150, at *4 (D.
Ariz. Sept. 30, 2024). Insofar as these courts suggest that interception motivated by financial gain cannot also be for the purpose of committing a crime or tort, this Court does not find their reasoning persuasive. As courts in this circuit have recognized, criminal acts are routinely motivated by the possibility of financial gain. See, e.g., A.D. v. Aspen Dental Mgmt., Inc., No. 24 C 1404, 2024 WL 4119153, at *3 (N.D. Ill. Sept. 9, 2024) (“Aspen claims that its only purpose was to improve its marketing and boost its revenues, but this purpose cannot be detached from the reality that Aspen achieved this improved marketing and revenue boost by disclosing Plaintiffs[’] IIHI.”); Doe v. Deaconess, 2025 WL 2771415, at *11 (recognizing that intent to disclose IIHI in violation of HIPAA can be ultimately motivated by financial concerns); see also Doe v. Tenet Healthcare Corp., 789 F. Supp. 3d 814, 850 (E.D. Cal. 2025) (“[M]onetary purpose
does not insulate a party from liability under the ECPA.”); In re Grp. Health Plan Litig., 709 F. Supp. 3d 707, 720 (D. Minn. 2023) (“[T]his district has not found that the crime-tort exception to the Wiretap Act is inapplicable where the defendant’s primary motivation was to make money.”). HIPAA itself anticipates that IIHI can be transferred for the purpose of commercial advantage or personal gain and, in such cases, imposes heightened criminal sanctions. See 42 U.S.C. § 1320d-6(b)(3). The Court therefore holds that a hospital could intercept a patient’s IIHI for the purpose of disclosing it to third parties in violation of HIPAA even if its ultimate motivation was monetary. “Many crimes and torts are motivated by a desire to make money, and it defies common sense that a clearly harmful act could escape liability as long as it was done for profit.” Kurowski v. Rush Sys. for Health (Kurowski IV), No. 22 C 5380, 2024 WL 3455020, at *5 (N.D. Ill. July 18, 2024) (quotation marks omitted). Hannant’s complaint plausibly alleges that Culbertson intercepted communications with the tracking devices in order to disclose the intercepted information to third parties in exchange
for marketing services. As discussed above, this disclosure plausibly violated HIPAA. The fact that Culbertson’s ultimate end was financial does not insulate it from the reasonable conclusion that it acted for the purpose of committing an act that was criminal or tortious. Therefore, the complaint alleges that Culbertson’s interception was for the purpose of committing an independent criminal act, so the crime-tort exception applies. 2. “Contents” Culbertson claims that even if the crime-tort exception applies, Hannant’s claims under 18 U.S.C. § 2511(1)(c) and (d) still cannot survive because she does not allege the use or disclosure of any “contents” of electronic communications. Mem. Supp. Mot. Dismiss 9–10. The ECPA defines “contents” as “any information concerning the substance, purport, or meaning
of that communication.” 18 U.S.C. § 2510(8). Some courts distinguish “contents” from “record information,” such as names, addresses, and identities of website visitors. See, e.g., In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). Culbertson contends that the information intercepted and disclosed here, such as the URLs of pages Hannant visited, is “record information,” not “contents” because it does not communicate substance or meaning. Mem. Supp. Mot. Dismiss 9–10. The Court disagrees. Much of the information Hannant alleges to have been intercepted and disclosed is “contents,” not “record information.” Information including individuals’ status as medical patients, the identity of their medical providers, details of their treatment, and their use of log-in buttons has been found to be “contents” of communication. See, e.g., Mekhail v. N. Mem’l Health Care, 726 F. Supp. 3d 916, 925–26 (D. Minn. 2024) (declining to decide whether data including search queries is “contents” because the complaint goes much further to include details about medical treatment and conditions). Even URLs can be “contents” if they include
search terms identifying “specific medical conditions and medical providers.” Smith v. Loyola Univ. Med. Ctr., No. 23 CV 15828, 2024 WL 3338941, at *6 (N.D. Ill. July 9, 2024); see also In re Grp. Health Plan Litig., 709 F. Supp. 3d at 718 (holding that a URL that discloses search terms is “content” under the ECPA); Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1076– 77 (N.D. Cal. 2023) (same). Hannant’s amended complaint includes allegations that Culbertson intercepted and transferred “the name and location of her personal physician, the medical treatment she researched including information related to an MRI test, her treatment search information, her research on obtaining medical records, and her log in and use of the patient portal.” Second Am. Compl. 37. Such information rises far above the level of “record information” and is
appropriately considered “contents.” Because Hannant alleges the interception and disclosure of “contents” and because the crime-tort exception applies, she states a claim for the violation of 18 U.S.C. § 2511(1). iii. Counts IV–V In Count IV, Hannant brings a second ECPA claim, alleging a violation of 18 U.S.C. § 2511(3)(a). Second Am. Compl. 68–71. This section prohibits “a person or entity providing an electronic communication service to the public” from “intentionally divulg[ing] the contents of any communication” to a third party. 18 U.S.C. § 2511(3)(a). Count V brings a claim under the SCA. Second Am. Compl. 71–74. In relevant part, the SCA prohibits “a person or entity providing an electronic communication service” from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.” 18 U.S.C. § 2702(a)(1). The ECPA and SCA both define “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic
communications.” 18 U.S.C. § 2510(15); id. § 2711(1). The Court dismissed claims under these same subsections in its previous order, finding that Hannant “d[id] not plausibly allege that Defendant is an electronic communication service provider.” Aug. 20, 2025 Order 14. Culbertson now seeks dismissal of these claims for the same reason. Mem. Supp. Mot. Dismiss 11–13. It contends, highlighting the Court’s previous order, that “[s]imply operating a website is not enough to transform a website owner to an electronic communication service provider.” Id. at 11 (citing Aug. 20, 2025 Order 13–14). To cure the deficiencies identified by the Court in its prior order, Hannant amended her complaint to add an allegation that “Defendant’s Website facilitates two-way electronic communications between patients and third-party doctors.” Second Am. Compl. 69, 72. She
argues that this statement sufficiently alleges that Culbertson is an electronic communication service provider because its website “facilitated electronic communications between Plaintiff (and the Class) and third-party physicians.” Resp. Mot. Dismiss 13. This amendment is not sufficient to plausibly state a claim for relief. The complaint provides no factual details about the nature of the communication the website allegedly facilitates. Does the website link to doctors’ emails? Does the communication happen on the public-facing website or in the patient portal? Does Culbertson have its own messaging platform or does it utilize third-party software such as MyChart? Each question is relevant to whether Culbertson is an “electronic communication service provider.” See Kurowski v. Rush Sys. for Health (Kurowski I), 659 F. Supp. 3d 931, 939–40 (N.D. Ill. 2023) (holding that a defendant hospital is not an electronic communication service provider if it merely licenses MyChart, a service that facilitates electronic communication, from a third party); Garner v. Amazon, Inc., 603 F. Supp. 3d 985, 1003–04 (W.D. Wash. 2022) (“A company that merely utilizes electronic
communications in the conduct of its own business is generally considered a purchaser or user of the communications platform, not the provider of the service to the public.”); Steinbach v. Vill. of Forest Park, No. 06 C 4215, 2009 WL 2605283, *5 (N.D. Ill. 2009) (distinguishing between those merely “provid[ing] the email address name” with electronic communication service providers that actually “provide[] the email service”); Doe 1 v. Chestnut Health Sys., Inc., No. 1:24-cv-01475-JEH-RLH, 2025 WL 1616635, at *12 (C.D. Ill. June 6, 2025) (collecting cases and distinguishing between those providing the ability to send or receive electronic communications with mere business consumers of electronic communication services). Hannant does not provide sufficient factual allegations to plausibly state a claim that Culbertson is an electronic communication service provider. As a result, Counts IV and V are
DISMISSED. Because this is the second time the Court has dismissed these claims for failure to state a claim, they are dismissed with prejudice. CONCLUSION Accordingly, Defendant Culbertson Memorial Hospital Foundation’s motion to dismiss, ECF No. 33, is GRANTED IN PART and DENIED IN PART, and its motion for leave to reply, ECF No. 37, is DENIED. Counts IV (18 U.S.C. § 2511(3)(a)) and V (Stored Communications Act) are DISMISSED WITH PREJUDICE for failure to state a claim. The deadline for a responsive pleading is April 2, 2026. Fed. R. Civ. P. 12(a)(4)(A). Entered this 19th day of March, 2026. s/ Sara Darrow SARA DARROW UNITED STATES DISTRICT JUDGE