UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION Allison Theys, et al., Plaintiffs, No. 25 CV 2464 v. Dental Intelligence, Inc., et al., Judge Lindsay C. Jenkins Defendants.
MEMORANDUM OPINION AND ORDER Dental Intelligence, Inc. (“Dental Intelligence”) provides practice management software products to dental clinics, including three of the Defendants in this case: Dental Experts, LLC d/b/a Dental Dreams (“Dental Dreams”), Familia Dental, LLC (“Familia Dental”), and Familia Dental West Green Bay LLC (“Familia Dental West Green Bay”) (collectively, “the Clinic Defendants”). [Dkt. 53, ¶¶ 12–14.]1 Among its software products is LocalMed, an online scheduling tool that the Clinic Defendants embedded on their websites—and that Plaintiffs Allison Theys, Victoria Grivetti, Julie Bell, Equila Jackson, and Maria Roundtree in turn used to book appointments. [Id., ¶ 14.] When doing so, Plaintiffs submitted personal information, including the reason for their appointment, the name of the clinic they wished to visit, the name of their treating medical provider, their phone number, and their insurance provider. [Id., ¶¶ 21, 27, 33, 39, 45, 88.] Alleging that Dental Intelligence and Clinic Defendants disclosed this personal information without authorization to a third parties such as Google, Plaintiffs bring this putative class action suit for common law invasion of privacy, negligence, breach of implied contract, and unjust enrichment, as well as violations of the federal Electronic Communications Privacy Act (“ECPA”), the Wisconsin Wiretap Act (“WWA”), and the Maryland Wiretapping and Electronic Surveillance Act (“MWESA”). [Id., ¶¶ 168–245.] Before the court are Defendants’ four motions to dismiss, which are granted in part. [Dkt. 59, 62, 64, 73.]
1 Citations to docket filings generally refer to the electronic pagination provided by CM/ECF, which may not be consistent with page numbers in the underlying documents. The following factual allegations are taken from the amended complaint and accepted as true for the purposes of the motions. Smith v. First Hosp. Lab’ys, Inc., 77 F.4th 603, 607 (7th Cir. 2023). In setting forth the facts at the pleading stage, the court does not vouch for their accuracy. See Goldberg v. United States, 881 F.3d 529, 531 (7th Cir. 2018). I. Background Dental Intelligence is a software company incorporated in Delaware and based in Utah. [Dkt. 53, ¶ 12.] Dental Intelligence offers its LocalMed scheduling tool to dental clinics and clinic groups nationwide, including the Clinic Defendants. [Id., ¶¶ 10–14.] Dental Dreams and Familia Dental are incorporated in and maintain their principal place of business in Illinois, but also operate clinics in other states. [Id., ¶¶ 10–11.] Dental Dreams, for instance, has clinics in Maryland. According to the amended complaint, “Familia Dental manages [] and operates over thirty clinics” including in Illinois and Wisconsin, to include Familia Dental West Green Bay. [Id., ¶ 11.]2 The Clinic Defendants are alleged to have installed LocalMed portals on their websites in order to offer online appointment scheduling to patients. [Id., ¶ 14.] Plaintiffs allege that the LocalMed portals use imperceptible tracking features not disclosed to website visitors like Plaintiffs. [Id., ¶¶ 100–03.] To access Google’s business analytics and marketing tools, Dental Intelligence installs its tracking tools on its customers’ websites, including “pixels”: small snippets of code that load when a user visits a website. [Id., ¶¶ 70–71, 87.] Pixels identify and follow individual users, connecting them to data such as “the specific webpages visited by [that] website user, items added to an online shopping cart by [that] website user, information entered into an online form by [that] website user, and the device characteristics of [that] website user’s phone or computer.” [Id., ¶¶ 7, 71, 89.] Named plaintiffs are residents of Wisconsin (Allison Theys), id., ¶ 19, Illinois (Victoria Grivetti, Julie Bell, Equila Jackson), id., ¶¶ 25, 31, 37, and Maryland (Maria Roundtree) and patients of the Clinic Defendants. [Id., ¶ 43.] Plaintiffs allege that Dental Intelligence “configured the Tracking Tools installed on the [LocalMed] Portal to capture and transmit the Sensitive Health Information communicated through the Portal to third parties, including Google,” and that the Clinic Defendants in turn “installed the Portal on their websites and directed their patients, including Plaintiffs, to use the Portal to book medical appoints despite possessing actual and/or constructive knowledge that Sensitive Health Information disclosed through the Portal would be transmitted to unauthorized third parties without their patients’ knowledge or consent.” [Id., ¶ 87; see Dkt. 53, ¶¶ 21, 27, 33, 39, 45.] Plaintiffs booked appointments using LocalMed portals on their dentists’ websites: Theys with Familia Dental West Green Bay location in Wisconsin, [Dkt. 53,
2 As discussed infra, the amended complaint is drafted so as to suggest that Familia Dental, LLC oversees and controls Familia Dental West Green Bay, including through the familiadental.com website. At the pleading stage, the court must accept this allegation as true. But it notes for clarity that both Familia Dental and Familia Dental West Green Bay maintain that they each operate separate dental clinics: Familia Dental has a clinic in Addison, Illinois (that no Plaintiff ever alleges to have visited) and Familia Dental West Green Bay has a clinic in Appleton, Wisconsin, which is the clinic where Plaintiff Theys booked an appointment. [Dkt. 65 at 2; Dkt. 74 at 2.] ¶ 20]; Grivetti, Bell, and Jackson with Dental Dreams in Illinois, [Id., ¶¶ 26, 32, 38]; and Roundtree with Dental Dreams in Maryland. [Id., ¶ 44.] To do so, each entered sensitive health information—such as “the name of the clinic that she scheduled her appointment with, the name of her treating medical provider, the reason for her appointment, her phone number, and her insurance provider”—into the scheduling portal. [Id., ¶¶ 21, 27, 33, 39, 45.] Immediately afterward, Plaintiffs began receiving targeted advertisements for dental services and products. [Id., ¶¶ 24, 30, 36, 42, 48.] Plaintiffs allege as injuries: “(i) invasion of medical privacy; (ii) lack of trust in communicating with medical providers; (iii) emotional distress and heightened concerns related to the release of Sensitive Health Information to third parties, (iv) loss of benefit of the bargain; (v) diminution of value of the Sensitive Health Information; (vi) statutory damages and (vii) continued and ongoing risk to their Sensitive Health Information.” [Id., ¶ 17.] All Defendants move to dismiss under Rule 12(b)(6). The Clinic Defendants also move to dismiss some claims under Rule 12(b)(1) for lack of subject-matter jurisdiction, as does Dental Intelligence under Rule 12(b)(2) for lack of personal jurisdiction. II. Analysis Rule 12(b)(1) governs challenges to the court’s subject-matter jurisdiction, Rule 12(b)(2) those to personal jurisdiction, and Rule 12(b)(6) those to the legal sufficiency of a plaintiff’s claims. Fed. R. Civ. P. 12(b)(1), (2), (6). In all three cases, the court takes well-pleaded factual allegations as true and draws reasonable inferences in the plaintiff’s favor. Reardon v. Danley, 74 F.4th 825, 827 (7th Cir. 2023) (as to 12(b)(1)); Curry v. Revolution Lab’ys, LLC, 949 F.3d 385, 392 (7th Cir. 2020) (as to 12(b)(2)); Choice v. Kohn L. Firm, S.C., 77 F.4th 636, 638 (7th Cir. 2023) (as to 12(b)(6)). To survive a motion to dismiss under Rule 12(b)(6), “a complaint’s factual allegations ‘must be enough to raise a right to relief above the speculative level.’” Emerson v. Dart, 109 F.4th 936, 941 (7th Cir. 2024) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007)). A. Personal Jurisdiction Dental Intelligence challenges whether the court has personal jurisdiction over it regarding two of the named Plaintiffs, Theys and Roundtree, who are residents of Wisconsin and Maryland, respectively. [Dkt. 60 at 31–32.] In class actions, “named [class] representatives must be able to demonstrate either general or specific personal jurisdiction.” Mussat v. IQVIA, Inc., 953 F.3d 441, 447 (7th Cir. 2020). Where “the issue is raised by a motion to dismiss and decided on the basis of written materials rather than an evidentiary hearing, the plaintiff need only make a prima facie showing of jurisdictional facts.” Tamburo v. Dworkin, 601 F.3d 693, 700 (7th Cir. 2010). But “[w]here factual assertions amount only to vague generalizations or unsupported allegations, they are not enough to support personal jurisdiction.” Hill v. Consultants in Pathology, S.C., 345 F. Supp. 3d 1011, 1015 (N.D. Ill. 2018). Here, Plaintiffs’ amended complaint alleges that the court has specific personal jurisdiction over Dental Intelligence, which is incorporated in Delaware and maintains its principal place of business in Utah.3 [Dkt. 53, ¶¶ 49, 55.] When a federal court sits in diversity jurisdiction, as is the case here, it “must determine if a court of the state in which it sits would have personal jurisdiction over the defendant.” Jennings v. AC Hydraulic A/S, 383 F.3d 546, 548 (7th Cir. 2004). Illinois “permits the exercise of personal jurisdiction to the full extent permitted by the Fourteenth Amendment’s Due Process Clause,” and so the court “proceed[s] with a federal due process analysis.” Bilek v. Fed. Ins. Co., 8 F.4th 581, 590 (7th Cir. 2021). Specific personal jurisdiction over an out-of-state defendant has three “essential requirements”: (1) “the defendant’s contacts with the forum state must show that it ‘purposefully availed [itself] of the privilege of conducting business in the forum state or purposefully directed [its] activities at the state’;” (2) “the plaintiff’s alleged injury must have arisen out of the defendant’s forum-related activities;” and (3) “any exercise of personal jurisdiction must comport with traditional notions of fair play and substantial justice.” Curry, 949 F.3d at 398 (citing Lexington Ins. Co. v. Hotai Ins. Co., Ltd., 938 F.3d 874, 878 (7th Cir. 2019)). These requirements “ensure that an out-of-state defendant is not bound to appear to account for merely ‘random, fortuitous, or attenuated contacts’ with the forum state.” Curry, 949 F.3d at 398. The “mere fact that [the defendant’s] conduct affected plaintiffs with connections to the forum State does not suffice to authorize jurisdiction,” and “the plaintiff cannot be the only link between the defendant and the forum.” Advanced Tactical Ordnance Sys., LLC v. Real Action Paintball, Inc., 751 F.3d 796, 801–02 (7th Cir. 2014). Specific jurisdiction is improper when plaintiffs’ claims do not stem from an “affiliation between the forum and the underlying controversy.” Bristol-Myers Squibb Co. 582 U.S. 255, 264–65 (2017) (cleaned up); see id. (noting that “simply operating a website accessible in the forum state” does not amount to “purposefully exploit[ing]” or “target[ing]” a jurisdiction, such that the defendant is subject to personal jurisdiction there). In an underdeveloped paragraph, Dental Intelligence argues that the court does not have specific jurisdiction over Theys and Roundtree’s claims since those two plaintiffs are not citizens of Illinois and their alleged injuries arise from scheduling appointments with clinics in Wisconsin and Maryland. [See Dkt. 60 at 31–32.] It is true that the complaint offers only a conclusory allegation that Dental Intelligence availed itself “of the rights and benefits of the State of Illinois including by (1) providing services in this District; (2) conducting substantial business in this District,
3 No party contends that the court has general personal jurisdiction over Dental Intelligence. including, but not limited to, business with Plaintiffs Bell, Jackson and Grivetti, and some or all of the Clinic Defendants, and/or (3), perpetuating unlawful acts in this District.” [Dkt. 53, ¶ 55.] Plaintiffs all but concede the point. [Dkt. 68 at 30.] Instead of attempting to establish that Theys and Roundtree’s claims do indeed relate to Dental Intelligence’s contacts with Illinois, Plaintiffs argue that the court “can adjudicate claims brought by the out-of-state plaintiffs under its inherent power to extend supplementary jurisdiction” and because “‘class actions . . . are different from many other types of aggregate litigation[.]’” [Dkt. 68 at 24 (quoting Vanegas v. Signet Builders, Inc., 113 F.4th 718, 724 (7th Cir. 2024).] In doing so, Plaintiffs rely implicitly on pendent party personal jurisdiction, which would “permit[] courts asserting personal jurisdiction over one claim [by one party] to extend that jurisdiction to another related claim” by a different party. Vanegas, 113 F.4th at 727. But in Vanegas, the Seventh Circuit declined “to endorse pendent party personal jurisdiction, emphasizing that it has “never done [so],” noting that the theory is “hard to reconcile with Bristol-Myers.” Id. (emphasis in original) (quoting Canaday v. Anthem Cos., Inc., 9 F.4th 392 (6th Cir. 2021)); see also Kinman v. Saraya USA, Inc., 2026 WL 156437, at *3 (N.D. Ill. Jan. 21, 2026) (declining to exercise personal jurisdiction over nonresident named plaintiffs’ claims in a putative class action); Bakopoulos v. Mars Petcare US, Inc., 2021 WL 2915215, at *4 (N.D. Ill. July 12, 2021) (same); see also Sloan v. Gen. Motors LLC, 2019 WL 6612221, at *9 (N.D. Cal. Dec. 5, 2019) (observing that “nearly every court considering the issue has concluded [that] pendent party jurisdiction cannot be exercised by a federal court sitting in diversity”). At best, Plaintiffs allege that Dental Intelligence sold software to Illinois-based entities that in turn operated clinics in Wisconsin and Maryland where Theys and Roundtree booked the appointments that gave rise to their injuries. These contacts are simply too attenuated to support specific personal jurisdiction. Theys and Roundtree are not residents of the forum state, did not use Dental Intelligence’s product in Illinois, and did not sustain their alleged injuries in Illinois. Cf. Bristol- Myers, 582 U.S. at 260 (California courts did not have specific jurisdiction where nonresident plaintiffs had not been prescribed an allegedly defective product in California, had not purchased the product in California, had not ingested the product in California, and had not sustained their injuries in California). As in Bristol-Myers, the forum state and Dental Intelligence’s activities in Illinois lack a sufficient connection to Theys and Roundtree’s claims. The absence of any jurisdictional connection between Illinois and Dental Intelligence precludes this court’s exercise of specific jurisdiction over any of Theys and Roundtree’s claims against Dental Intelligence, so those claims are dismissed without prejudice. B. Standing At the pleading stage, the court evaluates only whether the factual allegations “plausibly suggest” the existence of subject-matter jurisdiction under the familiar Iqbal-Twombly standard. Silha v. ACT, Inc., 807 F.3d 169, 174 (7th Cir. 2015); see Twombly, 550 U.S. at 570; Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “Standing is one essential piece of a court’s subject matter jurisdiction,” Word Seed Church v. Village of Hazel Crest, 111 F.4th 814, 822 (7th Cir. 2024) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 559–61 (1992)), and it is the plaintiff’s burden to properly allege standing. Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016). To establish standing, a plaintiff must show that she has suffered an injury in fact that is fairly traceable to the defendant and that is capable of being redressed through a favorable judicial ruling. J.B. v. Woodard, 997 F.3d 714, 719–20 (7th Cir. 2021). “This familiar triad of injury in fact, causation, and redressability constitutes the core of Article III's case-or-controversy requirement.” Id. A complaint must set out what each defendant is accused of doing. Bank of Am., N.A. v. Knight, 725 F.3d 815, 818 (7th Cir. 2013). However, a plaintiff may rely on group pleading if the allegations provide sufficient notice of the claims against them. See Fulton v. Bartik, 547 F. Supp. 3d 799, 810 (N.D. Ill. 2021). While there is no bright-line rule, “at some point the factual detail in a complaint may be so sketchy that the complaint does not provide the type of notice of the claim to which the defendant is entitled under Rule 8.” Airborne Beepers & Video, Inc. v. AT & T Mobility LLC, 499 F.3d 663, 667 (7th Cir. 2007). Still, a complaint that directs claims or allegations at all defendants does not necessarily fail to provide notice; rather, when a plaintiff specifies that some or all claims or allegations are directed at all the defendants, each defendant must defend against those claims or allegations. See Brooks v. Ross, 578 F.3d 574, 582 (7th Cir. 2009). Allegations must be read “sensibly and as a whole.” Engel v. Buchan, 710 F.3d 698, 710 (7th Cir. 2013). Each Clinic Defendant raises a variation of the same standing argument— whether Plaintiffs’ injuries are fairly traceable to their conduct. Dental Dreams maintains that Plaintiffs allege that Dental Intelligence is responsible for “deploy[ing]” and “control[ling]” the LocalMed Portal and therefore it, and not Dental Dreams, is the party who collected and transmitted data. [Dkt. 63 at 4–5.] Similarly, Familia Dental and Familia Dental West Green Bay argue that Theys does not allege an injury traceable to them, both because Dental Intelligence operated the Portal that shared Theys’ personal information and because neither Familia Dental nor Familia Dental West Green Bay control the familiadental.com website through which Theys booked her appointment. [Dkt. 65 at 2–3; Dkt. 74 at 6–7 (arguing that if the Portal shared information, “there is no basis to point the blame at Familia Dental WGB simply because Theys used the Portal—allegedly accessed through [a] Website (that Familia Dental WGB did not control in the first place) to lead to another website where the appointment was made on the Portal”).] Accepting Plaintiffs’ allegations as true, as the court must at this stage, Plaintiffs allege that the Clinic Defendants installed the LocalMed scheduling portal “directly onto their practice websites,” and that “wherever it is installed, the Portal collects and transmits the Sensitive Health Information provided by patients when scheduling their appointments to third parties, including Google, instantaneously and contemporaneously through the Tracking Tools.” [Dkt. 53, ¶ 14.] They also allege that the Clinic Defendants disclosed the information despite privacy policies assuring patients that they would maintain the privacy of patient health information. [Id., ¶¶ 94, 96.] This is sufficient at the pleadings stage to establish the fairly traceable requirement for standing. But this conclusion comes with a caveat. Only Plaintiffs Grivetti, Bell, Jackson, and Roundtree are alleged to have booked appointments with Dental Dreams clinics. [Id., ¶¶ 25–48.] There is no allegation that Plaintiff Theys (who purports to represent the putative Wisconsin subclass) ever booked an appointment with Dental Dreams, nor does the amended complaint allege that Dental Dreams ever operated a clinic in Wisconsin. [Id., ¶¶ 19–24.] It follows that the factual allegations are sufficient to establish standing by Plaintiffs Grivetti, Bell, Jackson, and Roundtree with respect to claims against Dental Dreams only. But not as to Theys or a Wisconsin class. See Mathis v. Metropolitan Life Ins. Co., 12 F.4th 658, 663 (7th Cir. 2021) (“Federal courts at all levels must assure themselves of their subject-matter jurisdiction.”). This dovetails with a related argument raised by Familia Dental. It argues that Plaintiffs sued both it and Familia Dental West Green Bay, when Familia Dental only operates a dental clinic in Addison, Illinois, it “is not at all connected to” Familia Dental West Green Bay, and that it is not the entity that controls the familiadental.com website. [Dkt. 77 at 2–3.] It is true that the amended complaint does not suggest that Theys ever booked an appointment with Familia Dental in Addison, Illinois. It alleges that in August 2020, Theys booked an appointment on her personal device “to schedule an appointment with Defendant Familia Dental’s clinic in Green Bay, WI for dental care.” [Id., ¶¶ 20, 11 (reiterating that “the specific clinic location with which Plaintiff Theys made her appointment” was Familia Dental West Green Bay).] But the amended complaint does allege “all Familia Dental clinics share one website operated by Familia Dental through which patients can access the Portal to book appointments with any Familia Dental dental provider, in every state that it operates.” [Dkt. 53, ¶ 11.] The court must accept that allegation as true at the pleading stage even if, as Defendants observe, there is no “factual support for her assumption.” [Dkt. 74 at 2.] Still, the court urges the parties to prioritize resolving this issue in fact discovery, as Plaintiffs all but concede that they do not know who controls the website, instead faulting Familia Dental for making “no attempt to identify” the entity that does. [Dkt. 69 at 2.] For now, Familia Dental’s motion to dismiss is denied. C. Statute of Limitations The ECPA claim alleged in Count V has a two-year statute of limitations. 18 U.S.C. § 2520(e); see Abdul Mohammed v. Jenner & Block, LLP, 2022 WL 619851 at *10 (N.D. Ill. Mar. 2, 2022). Familia Dental and Familia Dental West Green Bay argue that the statute of limitations has run on these claims as to Plaintiff Theys, since she had knowledge of the events needed to sue as early as August 2020, when she alleges she began seeing targeted advertisements for dental services, but did not file suit until over four years later in March 2025. [See Dkt. 65 at 6–9; Dkt. 74 at 7– 10.] Theys invokes the delayed discovery rule, arguing that tolling should apply because despite reasonable diligence, she was delayed from discovering her injury and its cause because the tracking pixel technology at issue is generally “invisible to the average website user,” making her “ignorant of the information essential to pursue [her] claims without any fault or lack of diligence on [her] part.” [Dkt. 53, ¶¶ 147–49.] And she argues that receiving the ads did not put her on notice of how, to what extent, or which website was responsible for disseminating her health information to third parties. [See Dkt. 69 at 6.] Dismissal on the statute of limitations is premature, particularly given the delayed discovery arguments. “Usually the date on which a plaintiff receives inquiry notice is a fact question for the jury.” Aebischer v. Stryker Corp., 535 F.3d 732, 734 (7th Cir. 2008); see A.J. v. LMND Med. Grp., Inc., 2024 WL 4579143, at *1 (N.D. Cal. Oct. 25, 2024) (noting that “whether immediately seeing targeted advertisements after visiting [defendant’s] website would have put a reasonable person on inquiry notice of an injury is an issue not suited for resolution on the pleadings”). And at the pleading stage, allegations like those here are sufficient to survive dismissal on statute of limitations grounds. See, e.g., Nguyen v. Abbott Lab’ys, Inc., 2025 WL 2299753, at *4 (N.D. Ill. Aug. 8, 2025) (declining to dismiss on statute of limitations grounds where plaintiffs alleged “that the hidden nature of tracking technologies prevented their earlier discovery”). Theys also advances a fraudulent concealment argument for tolling. “Equitable estoppel, a subset of which is fraudulent concealment, applies when the plaintiff shows that the defendant misled him or took active steps to prevent him from filing suit before the statutory period expired.” Asher v. Chase Bank USA, N.A., 310 Fed. Appx 912, 917 (7th Cir. 2009). In the context of tolling, “[a] plaintiff must plead with Rule 9(b) particularity the specific conduct of the defendant that entitles the plaintiff to toll the limitations period for fraudulent concealment.” Hammer v. Residential Credit Sols., Inc., 2014 WL 4477948, at *12 (N.D. Ill. Sept. 11, 2014) (cleaned up). Here, Plaintiffs allege that each of the Defendants misrepresented through its privacy policies, what information would be collected and shared with third parties before affirmatively installing tracking pixels and sharing Plaintiffs’ sensitive health information with Google and others. [Dkt. 53, ¶¶ 70, 87–89.] Accepting the pleadings as true, dismissal based on the statute of limitations would be premature. Nguyen, at *4; see Reilly v. Will Cnty. Sheriff’s Off., 142 F.4th 924, 930 (7th Cir. 2025) (explaining dismissal is inappropriate so “long as there is a conceivable set of facts, consistent with the complaint, that would defeat a statute-of-limitations defense”); Brown v. Google, LLC, 525 F. Supp. 3d 1049, 1071 (N.D. Cal. 2021) (tolling claims where defendant’s tracking methods were not apparent to users and its privacy policy failed to disclose the full scope of tracking). D. Remaining Claims The claims that remain are Theys’s claims against Familia Dental and Familia Dental West Green Bay (Counts I–VI); Grivetti, Bell, and Jackson’s claims against Dental Intelligence and Dental Dreams (Counts I–V); and Roundtree’s claims against Dental Dreams (Counts I–V, VII). The court turns to the merits of those claims now. 1. Invasion of Privacy (Count I) Count One alleges a common law invasion of privacy claim. To have standing for this claim, Plaintiffs must allege that they suffered an actual, concrete injury, that is, the “alleged injury must be ‘concrete and particularized’ as well as ‘actual or imminent, not conjectural or hypothetical.’” Sweeney v. Raoul, 990 F.3d 555, 559 (7th Cir. 2021) (quoting Lujan, 504 U.S. at 560). Intangible injuries, like what’s alleged here, can be concrete, so long as they are “real, and not abstract.” Spokeo, 578 U.S. at 340 (cleaned up). To this end, courts consider “whether the alleged injury to the plaintiff has a ‘close relationship’ to a harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” TransUnion v. Ramirez, 594 U.S. 413, 424 (2021) (quoting Spokeo, 578 U.S. at 341). These include “four distinct [privacy] torts: intrusion upon seclusion, appropriation of another person’s name or likeness, publicity given to another person’s private life, and publicity that places one in a false light.” Nabozny v. Optio Sols. LLC, 84 F.4th 731, 735 (7th Cir. 2023). Examples include reputational harms, privacy harms like intrusion upon seclusion and giving publicity to private information, and “harms specified by the Constitution itself.” Id. (quoting TransUnion, 594 U.S. at 425). Although Illinois and Maryland recognize common law invasion of privacy claims, Defendants Familia Dental and Familia Dental West Green Bay contend that Wisconsin does not. [Dkt. 60 at 11–12; Dkt. 65 at 6; Dkt. 74 at 7]; see, e.g., Flores v. Aon Corp., 2023 IL App (1st) 230140, ¶ 23 (Ill. App. Ct. 2023); Woodbury v. Victory Van Lines, 286 F. Supp. 3d 685, 696 (D. Md. 2017). Indeed, Wisconsin historically did not. Not until “1977[ did] the Wisconsin legislature enact[] Wis. Stat. [§ 995.50], creating a cause of action for invasion of privacy previously unrecognized at common law.” Marino v. Arandell Corp., 1 F. Supp. 2d 947, 951–52 (E.D. Wis. 1998). Although Wis. Stat. § 995.50(3) does provide that “[t]he right of privacy recognized in this section shall be interpreted in accordance with the developing common law of privacy,” Plaintiffs do not respond to this argument; do not plead invasion of privacy under Wis. Stat. § 995.50; and do not attempt to establish a claim at Wisconsin common law. Count One as to Theys is therefore dismissed without prejudice. The remaining Plaintiffs allege in Count One that they had a reasonable expectation of privacy in their communications with Clinic Defendants through the LocalMed portal and that disclosure of those communications to third parties such as Google without their knowledge or informed consent constitutes (1) an intentional intrusion on their seclusion and (2) a publication of private facts. [Dkt. 53, ¶¶ 170– 75.] Because the public disclosure of private facts tort is sufficient to confer standing, the court only analyzes this injury. Public disclosure of private facts occurs when someone “‘gives publicity’ to a matter that concerns ‘the private life of another,’ is ‘highly offensive to a reasonable person,’ and is not of legitimate public concern.” Nabozny, 84 F.4th at 735 (quoting Restatement (Second) of Torts § 652D (A.L.I. 1977)). It requires either that the matter be communicated “to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Id. This is a qualitative inquiry, and so “while the number of recipients might be a relevant consideration,” more important is the character of the recipient and context of the disclosure. Id. (citing Hunstein v. Preferred Collection & Mgmt. Servs., Inc., 48 F.4th 1236, 1246 (11th Cir. 2022)). Here, Plaintiffs allege (1) that Defendants installed the tracking pixels on their websites, (2) what information the pixels were designed to capture, and (3) how the information was transmitted to third parties like Google. Such alleged disclosure of private health information to a third party, via embedded tracking pixels, for targeted marketing purposes is sufficiently analogous to the common-law tort of public disclosure of private facts. See Thakkar v. Ocwen Loan Servicing, 2019 WL 2161544, at *13 (N.D. Ill. May 17, 2019) (emphasizing that “facts regarding a person’s . . . medical life are inherently private”); Smith v. Loyola Univ. Med. Ctr., 2024 WL 3338941, at *4 (N.D. Ill. July 9, 2024) (healthcare provider’s disclosure of information to Meta and Google via tracking pixels on its website constituted a concrete harm); L.C. v. Fertility Centers of Illinois, PLLC, 2025 WL 3514494, at *5 (N.D. Ill. Dec. 8, 2025) (same); Roper v. Rise Interactive Media & Analytics, LLC, 2023 WL 7410641, at *3 (N.D. Ill. Nov. 9, 2023) (“Loss of privacy through the disclosure of private information is an intangible harm, but one that courts routinely recognize as concrete” given its close relationship to a traditionally recognized harm); see also Salazar v. Nat'l Basketball Ass’n, 118 F.4th 533, 543 (2d Cir. 2024) (internal citations omitted). Because their alleged injury sufficiently resembles the tort of publication of private facts, Count One survives as to Grivetti, Bell, Jackson and Roundtree. 2. Negligence (Count II) A claim for negligence requires (1) a duty owed to the plaintiff; (2) a breach of that duty; (3) proximate and actual causation; and (4) an injury. Scott v. Wendy’s Props., 131 F.4th 815, 819 (7th Cir. 2025); see also Hornback v. Archdiocese of Milwaukee, 752 N.W.2d 862, 867 (Wis. 2008); Jones v. State, 425 Md. 1, 18 (Md. 2012). Defendants argue that Plaintiffs fail to plausibly allege that it owed them a duty to prevent the disclosure of their private health information. Regarding Illinois law, Defendants primarily rely on Cooney v. Chicago Public Schools, which declined to recognize a new common law duty to safeguard personal information. 943 N.E.2d 23, 28–29 (Ill. App. Ct. 2010). But “the Illinois legislature has since created a duty that requires data collectors ‘to maintain reasonable security measures under the [Illinois] Information Protection Act,” Loyola Univ. Med. Ctr., 2024 WL 3338941, at *7 (quoting Flores v. Aon Corp., 2023 IL App (1st) 230140, ¶ 23 (Ill. App. Ct. 2023.) That duty is not limited to “allegations of data breach.” See id. While the Information Protection Act does not expressly repeal Cooney’s holding, subsequent cases have called into question the notion that no duty exists under Illinois law to safeguard personal information. E.g., Flores, 2023 IL App (1st) 230140, ¶ 23; Olson v. Ferrara Candy Co., 2025 IL App (1st) 241126, ¶ 53, appeal denied, 273 N.E.3d 805 (Ill. App. Ct. 2025) (quoting Flores and recognizing defendant’s “common law duty to safeguard personal information” as to a negligence claim). In Olson, the court reversed the dismissal of a negligence claim in a data breach case, essentially accepting without discussion the existence of a common law duty to safeguard personal information. Id.; Nazzaro v. Tecta Am. Corp., 2025 WL 2604790, at *3–4 (N.D. Ill. Sept. 9, 2025). The court therefore cannot conclude at this stage that, as a matter of law, Defendants had no duty to safeguard Plaintiffs’ personal information. See also In re Mondelez Data Breach Litig., 2024 WL 2817489, at *4 (N.D. Ill. 2024) (concluding, based on Flores, that “the Court is in no position to conclude that, as a matter of law, defendants had no duty to safeguard plaintiffs’ personal information”); Wittmeyer v. Heartland Alliance for Hum. Needs & Rights, 2024 WL 182211, at *2 (N.D. Ill. 2024) (given Flores’s explanation that “the reasoning of the Cooney court no longer applies,” district court “decline[d] to find, as a matter of law, that [the defendant] owed no duty to the plaintiffs to safeguard their personal information”). Here, Plaintiffs allege that by collecting and storing their health data, Defendants assumed a duty to use reasonable means to secure and safeguard it from unauthorized disclosure to third parties. [Dkt. 53, ¶ 184.] The Illinois statute requires data collectors to “implement and maintain reasonable security measures to protect” records from “unauthorized access, acquisition, destruction, use, modification, or disclosure. 815 ILCS 530/45(a). The complaint therefore plausibly alleges a duty to prevent the disclosure of the Illinois resident Plaintiffs’ information, i.e., not Theys or Roundtree. That’s because the statute expressly pertains to only “Illinois resident[s].”4 Id.; see McGlenn v. Driveline Retail Merch., Inc., 2021 WL 4301476, at *7 (C.D. Ill. Sept. 21, 2021). Alternatively, Defendants also raise the economic loss doctrine, otherwise known as the Moorman doctrine, which bars tort recovery for purely economic losses based on the failure to perform contractual obligations. Moorman Manf. v. Nat’l Tank Co., 435 N.E. 2d 443 (Ill. 1997); Catalan v. GMAC Mortg. Corp., 629 F.3d 676, 692– 93 (7th Cir. 2011). The doctrine is inapplicable here for two reasons: first, plaintiffs plead non-economic damages, including loss of privacy and emotional harm. Second, “[t]he economic loss doctrine does not bar recovery in tort for the breach of a duty that exists independently of a contract.” Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994); see Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 567 (7th Cir. 2012). Here, the alleged duty to protect confidential information does not arise purely out of contract, so the Illinois negligence claims are not barred. See Gittings-Barrera v. Mem’l Hosp. Ass’n, 2025 WL 2776142, at *3 (C.D. Ill. Sept. 26, 2025). That resolves the negligence claim as it pertains to Illinois law. Plaintiffs cite to no such duty to prevent disclosure of private health information under Wisconsin or Maryland law as to Theys or Roundtree, respectively. In a last ditch attempt to save those negligence claims, Plaintiffs suggest that the Clinic Defendants breached a “non-delegable duty, including under HIPAA, to protect the Sensitive Health Information that they solicited in the course of their business, including a duty to fully vet all third-party software to ensure it would not improperly disclose their patients’ Sensitive Health Information.” [Dkt. 53, ¶ 87.] But as Defendants observe, HIPAA does not create a private right of action. Stewart v. Parkview Hosp., 940 F.3d 1013, 1015 (7th Cir. 2019) (“all other circuits to have considered the question have concluded that HIPAA does not confer individual enforcement rights—express or implied”); Brown v. State Farm Mut. Auto. Ins. Co., 2025 WL 81340, at *6 (N.D. Ill. Jan. 13, 2025) (noting that “[i]t is well established that HIPAA does not create a private right of action” and collecting cases). So, this theory does not save Theys or Roundtree’s claims. Theys and Roundtree’s negligence claims are dismissed without prejudice, but the negligence claim stands to the extent it arises out of Illinois law.
4 The statute provides: “A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” (emphasis added). 3. Breach of Implied Contract (Count III) “Under Illinois law, a breach of contract claim has four elements: (1) the existence of a valid and enforceable contract; (2) performance by the plaintiff; (3) a breach of contract by the defendant; and (4) resultant injury to the plaintiff.” Hess v. Bresney, 784 F.3d 1154, 1158–59 (7th Cir. 2015). In Wisconsin, a breach of contract claim requires: “(1) the existence of a contract between the plaintiff and the defendant; (2) breach of that contract; and (3) damages.” Pagoudis v. Keidl, 988 N.W.2d 606, 612 (Wis. 2023). And in Maryland, a plaintiff must demonstrate (1) “the existence of a contractual obligation owed by the defendant to the plaintiff,” and (2) “a material breach of that obligation by the defendant.” RRC Northeast, LLC v. BAA Maryland, Inc., 413 Md. 638, 658 (Md. 2010). Implied contracts require the same elements as an express contract, plus a meeting of the minds and a mutual intent to contract. See Dinerstein v. Google, 484 F. Supp. 3d 561, 593 (N.D. Ill. 2020); Mogavero v. Silverstein, 790 A.2d 43, 52 (Md. 2002) (distinguishing implied-in-fact contracts from circumstances that give rise to claims for unjust enrichment); Lindquist Ford, Inc. v. Middleton Motors, Inc., 557 F.3d 469, 480–81 (7th Cir. 2009) (Wisconsin). Plaintiffs allege that when they “provided their Sensitive Health Information to Defendants in exchange for dental services, they entered into an implied contract pursuant to which Defendants agreed to safeguard and not disclose the Sensitive Health Information without consent.” [Dkt. 53, ¶ 192.] They also allege that all Defendants maintained—and violated—privacy policies in which they promised to maintain the privacy of patient health information. [Id., ¶¶ 94–96.] But “emotional distress is generally not compensable in contract.” Cummings v. Premier Rehab Keller, P.L.L.C., 596 U.S. 212, 221 (2022). “To plead a viable breach of implied contract claim under Illinois law, Plaintiffs must allege actual monetary damage.” In re Arthur J. Gallagher, 631 F. Supp. 3d at 587 (cleaned up); see TAS Distributing Co., 491 F.3d 625, 631 n.6 (7th Cir. 2007). Olson, 2025 WL 1750241, at *11 (allegations of actual monetary damages are necessary to successfully state a claim for breach of an implied contract). Likewise, Wisconsin and Maryland generally do not recognize emotional harms in claims for breach of contract. Christensen v. Sullivan, 768 N.W.2d 798, 820 (Wis. 2009); Richter v. North American Van Lines, 110 F. Supp. 2d 406, 413–14 (D. Md. 2000). Here, Plaintiffs do not allege that they have spent money mitigating the harm they face from the exposure of their sensitive health information. They state only that “[a]s a direct and proximate result of Defendants’ breaches of these implied contracts, Plaintiffs and Class Members sustained damages,” and that the alleged injuries fall into one four buckets: emotional harms (ii, iii); privacy harms (i, vii); diminution in value of patient data (iv, v); and statutory damages (vi). [Dkt. 53 at ¶¶ 17, 196.]. This won’t suffice. Cf. In re Lurie Children’s Hosp. Data Sec. Litig., 2025 WL 2754760, at *12 (N.D. Ill. Sept. 27, 2025) (denying motion to dismiss as to implied contract claim where plaintiffs alleged they “spent money mitigating the harm they face from the exposure of their [personal information] to criminal actors”); M.C. v. Side Health Dist., 2025 WL 435992, at *1, *6 (S.D. Ill. Feb. 7, 2025) (denying motion to dismiss as to implied contract claim where the plaintiff had sufficiently alleged out-of-pocket costs like expenditures to prevent identity theft). Emotional harms for breaches of contract are not cognizable damages “except where the breach was wanton or reckless and caused bodily harm, or where defendant had reason to know, when the contract was made, that its breach would cause mental suffering for reasons other than mere pecuniary loss.” Dinerstein, 484 F. Supp. 3d at 590–91; see Christensen, 768 N.W.2d at 820; Letke v. Wells Fargo Home Mortg., Inc., 2015 WL 1438196, at *6 (D. Md. Mar. 27, 2015). The emotional injuries alleged here fall short of alleging this exception. As to the privacy harms and increased risk of future harm, these intangible harms are not the sort of “actual or measurable damages” which can support an implied contract claim. Cf. Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (“[T]he value of [a data breach victim’s] time needed to set things straight is a loss from an opportunity-cost perspective. These injuries can justify money damages, just as they support standing.”) Plaintiffs only response is to say that “Google values such [personal] information so highly that it provides access to its highly valuable marketing and analytics tools in exchange for it.” [Dkt. 68 at 12.] But “a plaintiff’s claim of injury in fact cannot be based solely on a defendant’s gain; it must be based on a plaintiff’s loss.” Dinerstein v. Google, LLC, 73 F.4th 502, 518 (7th Cir. 2023). Because Plaintiffs do not allege cognizable damages, the court dismisses all their breach of implied contract claims without prejudice.5 4. Unjust Enrichment (Count IV) To state an unjust enrichment claim under Illinois law, “a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” Hernandez et al. v. Ill. Inst. of Tech., 63 F.4th 661, 671 (7th Cir. 2023) (cleaned up). Wisconsin and Maryland law require “(1) a
5 In the interest of completeness, the court notes that Plaintiffs have adequately pled a meeting of the minds, Defendants’ arguments notwithstanding. [Dkt. 68 at 17–18; Dkt. 63 at 8.] The amended complaint alleges that Plaintiffs provided sensitive health information in exchange for dental related services and that they would not have entrusted Defendants with that information absent an implied promise to safeguard it, including as expressed through the relevant privacy policies. [Dkt. 53, ¶¶ 192–94.] Those allegations suffice. Wittmeyer, 2024 WL 182211, at *5 (“It can be inferred from the plaintiffs’ relationship to Heartland (as clients) and the requirement that the plaintiffs provide sensitive information to Heartland as a condition of receiving its services that Heartland, in turn, would keep this information private and protect it from unauthorized disclosures.”); Doe v. Fertility Ctrs. of Ill., S.C., 2022 WL 972295, at *4 (N.D. Ill. Mar. 31, 2022). benefit conferred on the defendant by the plaintiff; (2) appreciation or knowledge by the defendant of the benefit; and (3) acceptance or retention of the benefit by the defendant under circumstances making it inequitable to do so.” Sands v. Menard, 904 N.W.2d 789, 798 (Wis. 2017); Eastland Food Corp. v. Mekhaya, 301 A.3d 308, 332 (Md. 2023). Defendants contend that Plaintiffs’ unjust enrichment claims should be dismissed because they (1) do not allege facts establishing that Defendants unjustly retained any benefit conferred by plaintiffs and (2) do not establish a connection between any alleged detriment to plaintiffs and an alleged benefit to Defendants. [Dkt. 60 at 22; Dkt. 63 at 9.] On the contrary, Plaintiffs plead that both Dental Intelligence and the Clinics were unjustly enriched when they exchanged Plaintiffs’ private information for access to Google’s business tools, which compromised Plaintiffs’ medical privacy and caused them emotional distress, among other alleged injuries. [Dkt. 53, ¶¶ 6–9, 17, 67, 104–106.] Under Illinois law, however, “unjust enrichment is not a separate cause of action. Rather, it’s a condition brought about by fraud or other unlawful conduct.” Vanzant v. Hill’s Pet Nutrition, Inc., 934 F.3d 730, 739–40 (7th Cir. 2019) (quotation marks omitted). Where “an unjust enrichment claim rests on the same improper conduct [underlying] another claim, then the unjust enrichment claim will be tied to this related claim—and, of course, unjust enrichment will stand or fall with the related claim.” Platt v. Brown, 872 F.3d 848, 853 (7th Cir. 2017). Here, Plaintiffs’ unjust enrichment allegations are based on the same improper conduct alleged in their breach of implied contract claim, so the unjust enrichment claim cannot stand. See, e.g., A.D. v. Aspen Dental Mgmt., Inc., 2024 WL 4119153, at *2–3 (N.D. Ill. Sept. 9, 2024). Since Plaintiffs’ breach of implied contract claim fails, so too must the unjust enrichment claim under Illinois law. By contrast, in Maryland and Wisconsin, unjust enrichment may provide an independent basis for liability and be pursued as an alternative theory at the pleading stage. Lacks v. Ultragenyx Pharm., Inc., 734 F. Supp. 3d 397, 427 (D. Md. 2024) (quoting Clark Off. Bldg., LLC v. MCM Cap. Partners, LLLP, 245 A.3d 186, 190 (Md. Ct. Spec. App. 2021)); Tikalsky v. Friedman, 928 N.W.2d 502, 523 (Wis. 2019) (explaining that “[u]njust enrichment is a stand-alone cause of action”) (collecting cases); see also Transam. Premier Life Ins. Co. v. Selman & Co., 401 F. Supp. 3d 576, 598 (D. Md. 2019) (noting “a plaintiff is not barred from pleading” breach of contract and unjust enrichment “in the alternative where the existence of a contract concerning the subject matter is in dispute”). Defendants argue that unjust enrichment claims are equitable in nature and therefore not viable here, since Plaintiffs’ statutory claims provide an adequate remedy at law. [Dkt. 60 at 23]; see Smith v. RecordQuest, LLC, 989 F.3d 513, 520 (7th Cir. 2021) (holding that plaintiffs “cannot resort to a remedy in equity (unjust enrichment) when [they] ha[ve] a remedy at law”). For now, though, Plaintiffs “may plead and pursue [their] unjust enrichment claim in the alternative, such that if [they] cannot prove some of [their] statutory claims later in litigation, [they] might still be able to prevail on his claim for unjust enrichment.” Kahn v. Walmart Inc., 107 F.4th 585, 606–07 (7th Cir. 2024); Stanley v. Cent. Garden & Pet Corp., 891 F. Supp. 2d 757, 766 (D. Md. 2012) (noting that “plaintiffs may plead claims for both legal and equitable relief, as equitable relief may become available if no adequate legal remedy remains”); see Fed. R. Civ. P. 8(d)(3) (“A party may state as many separate claims or defenses as it has, regardless of consistency.”). So, Theys and Roundtree’s unjust enrichment claims survive. The remaining Plaintiffs’ unjust enrichment claims is dismissed without prejudice. 5. ECPA Violation (Count V) The ECPA provides a private right of action against any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any . . . electronic communication” or for anyone who intentionally discloses or uses the contents of an intercepted communication. 18 U.S.C. § 2511(1)(a), (c)–(d). Where a defendant is a party to the communication, as is the case here, liability may be established under the crime-tort exception if the “communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” § 2511(2)(d). 42 U.S.C. § 1320(d)(6) of HIPAA imposes a criminal penalty for knowingly “disclosing individually identifiable health information (IIHI) to another person.” Id. As defined by the statute, IIHI entails: any information, including demographic information collected from an individual, that—(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—(i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Id. Here, Plaintiffs invoke the crime-tort exception and allege that Defendants intentionally disclosed communications—including requests for appointments, the names of the dental clinics where those appointments were made, the reason for the appointments, the name of the attending medical provider, their phone numbers, and their insurance providers—with intent to violate HIPAA. [Dkt. 53, ¶¶ 21, 27, 33, 39, 45.] Defendants counter that the exception does not apply because plaintiffs did not allege with sufficient specificity what information was intercepted. [Dkt. 60 at 24.] The court cannot agree. At the pleading stage, Plaintiffs provide enough detail to allege that their IIHI was disclosed in violation of HIPAA. See, e.g., Aspen Dental, 2024 WL 4119153, at *3 (allegations that healthcare provider transmitted plaintiffs’ “patient status, medical conditions, information about their medical appointments and treatments, specific medical providers” sufficient for crime-tort exception); Kurowski v. Rush System for Health, 2023 WL 8544084, at *3 (N.D. Ill. 2023) (allegations that healthcare provider transmitted the name and location of plaintiff’s personal physician, as well as the physician’s specialty were sufficient); Loyola Univ. Med. Ctr., 2024 WL 3338941, at *7 (allegations that healthcare provider transmitted “plaintiffs’ status as medical patients, the content of their communications with LUMC’s webpage, information about their medical appointments, location of treatments, specific medical providers, specific medical conditions and treatments, and other sensitive health information to third parties” were sufficient). In an attempt to distinguish what was allegedly disclosed here from the IIHI contemplated by HIPAA, Defendants emphasize that Plaintiffs input their information into a scheduling tool rather than a patient portal where individuals could communicate directly with their doctors. But this distinction cannot be resolved on a motion to dismiss. An alleged disclosure that violates HIPAA is sufficient to plausibly allege a violation of the ECPA, and here, Plaintiffs have sufficiently alleged that Defendants transmitted their individually identifiable health information to third parties in violation of HIPAA such that the crime-tort exception may apply. These claims survive. 6. WWA Violation (Count VI) Theys asserts a claim under the Wisconsin Wiretap Act, which prohibits anyone from (1) “[i]ntentionally intercepting, attempt[ing] to intercept or procur[ing] any other person to intercept or attempt to intercept, any wire, electronic or oral communication”; (2) “[d]isclos[ing], or attempt[ing] to disclose, to any other person the contents of any wire, electronic or oral communication, knowing or having reason to know that the information was obtained through the interception of a wire, electronic or oral communication in violation of [the Act]”; or (3) “[u]s[ing], or attempt[ing] to use, the contents of any wire, electronic or oral communication, knowing or having reason to know that the information was obtained through the interception of a wire, electronic or oral communication in violation of [the Act].” Wis. Stat. Ann. § 968.31(1). Theys alleges that Defendants violated the statute by embedding tracking tools on their website that transmitted her private health information to unauthorized third parties. [Dkt. 53, ¶¶ 87, 239–40.] Although Defendants argue that they are exempt from liability as a party to these allegedly confidential communications, that exemption may not apply if “the communication is intercepted for the purpose of committing any criminal or tortious act in violation of the constitution or laws of the United States or of any state or for the purpose of committing any other injurious act.” Wis. Stat. Ann. § 968.31(2)(c). Like the ECPA, then, the WWA contains a crime-tort exception, so for the reasons just discussed, these claims survive. See, e.g., Brahm v. Hosp. Sisters Health Sys., 2024 WL 3226135, at *6 (W.D. Wis. June 28, 2024) (finding that plaintiff plausibly alleged that a health system disclosed IIHI in violation of HIPAA and declining to reject application of crime-tort exception on a motion to dismiss). 7. MWESA Violation (Count VII) Finally, Roundtree brings a claim under the Maryland Wiretapping and Electronic Surveillance Act, which prohibits anyone from “[w]illfully us[ing], or endeavor[ing] to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subtitle.” Md. Code Ann., Cts. & Jud. Proc. § 10-402(a)(3). Though Defendants argue that Roundtree has not alleged a “willful interception,” [Dkt. 60 at 25], at least one district court applying this statute has reasoned that “because adding Meta Pixel and other similar technologies is a multi- step process that must be undertaken by the website owner, health providers that incorporated these technologies into their websites engaged in sufficiently purposeful conduct to qualify as ‘willful’ (or knowing and deliberate) under similar statutes.” Doe v. Shady Grove Reprod. Sci. Ctr., P.C., 2025 WL 2781542, at *8 (D. Md. Sept. 30, 2025) (collecting cases). Here, Roundtree has alleged that Defendants controlled the website she used to book an appointment, that Defendants installed tracking technology on the website, and that the technology disclosed information that included personally identifiable information, as well as the providers and locations where they sought dental services, and their reasons for requesting appointments. [Dkt. 53, ¶¶ 70, 87, 88.] And like the ECPA and WWA, the MWESA contains both a one-party exception and a crime-tort exception to that exception. § 10-402(c)(3). As above, insofar as Plaintiffs have plausibly alleged a violation of HIPAA, this claim survives. See, e.g., Shady Grove, 2025 WL 2781542, at *8 (denying motion to dismiss where plaintiffs alleged that a medical clinic relayed health information to third-party analytics companies without authorization and noting that ECPA “has similar elements to MWESA”). IV. Conclusion Theys’s claims against Dental Dreams are dismissed with prejudice, as are Grivetti, Bell, Jackson, and Roundtree’s claims against Familia Dental and Familia Dental West Green Bay. The court also dismisses Theys and Roundtree’s claims against Dental Intelligence for lack of personal jurisdiction (and thus the dismissal is without prejudice). Theys’s Wisconsin common law invasion of privacy claim (Count I) against Defendants Familia Dental and Familia Dental West Green Bay; Theys and Roundtree’s negligence claims under Wisconsin and Maryland law (Count IT) against the Clinic Defendants; the breach of implied contract claim (Count II]); and Grivetti, Bell, and Jackson’s unjust enrichment claims under Illinois law (Count IV) against Dental Intelligence and Dental Dreams are dismissed without prejudice. The claims the survive are as follows: Theys’s Wisconsin unjust enrichment claim (Count IV), her ECPA claim (Count V), and her Wisconsin Wiretap Act claim (Count VI) against Familia Dental and Familia Dental West Green Bay. Grivetti, Bell, and Jackson’s Illinois common law invasion of privacy claim (Count J), their Illinois negligence claim (Count IT), and their ECPA claim (Count V) against Dental Intelligence and Dental Dreams. Roundtree’s Maryland common law invasion of privacy claim (Count I), her Maryland unjust enrichment claim (Count IV), her ECPA claim (Count V) and her Maryland Wiretapping and Electronic Surveillance Act claim (Count VII) against Dental Dreams. Notably, no claim remains that connects all plaintiffs with all defendants, any single plaintiff with all defendants, or any single defendant with all plaintiffs. This naturally raises the continued propriety of joining the surviving claims in a single action. To the extent Plaintiffs elect to file an amended complaint to fix those deficiencies that can be corrected, they should bear in mind Rule 20 joinder principles, and the possibility that the court may invite a motion to sever under Rule 21 (misjoinder of parties is not grounds for dismissal but the court may “at any time, on just terms, add or drop a party, or may sever any claim against a party.) Enter: 25-cv-2464 Date: March 6, 2026 Lindsay C. Jenkins 19