IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF OREGON
B.N., individually and on behalf of all others Case No. 3:25-cv-00202-IM similarly situated, OPINION AND ORDER GRANTING Plaintiff, DEFENDANT’S MOTION TO DISMISS v. OREGON REPRODUCTIVE MEDICINE, LLC, d/b/a ORM Fertility, Defendant. Cody Hoesly, Barg Singer Hoesly PC, 121 SW Morrison Street, Suite 600, Portland, OR 97204. Sarah N. Westcot and Stephen A. Beck, Bursor & Fisher, P.A., 701 Brickell Avenue, Suite 2100, Miami, FL 33131. Attorneys for Plaintiff. Clifford S. Davison, Jenna M. Teeny, and Patricia Brum, Snell & Wilmer LLP, 601 SW Second Avenue, Suite 2000, Portland, OR 97204. Attorneys for Defendant. IMMERGUT, District Judge. Plaintiff B.N. brings this putative class action against an Oregon-based fertility clinic, Defendant Oregon Reproductive Medicine, LLC (“ORM Fertility” or “Defendant”), alleging that Defendant’s website intercepted patients’ protected health information and disclosed it to LinkedIn without patients’ knowledge or consent. Complaint (“Compl.”), ECF 1. Plaintiff asserts four claims: (1) a violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2511(1); (2) negligence; (3) breach of confidence; and (4) unjust enrichment. Defendant moves to dismiss all four claims under Federal Rule of Civil Procedure 12(b)(6). Motion to Dismiss (“MTD”), ECF 11. Plaintiff filed a response opposing the motion, (“Opp’n”) ECF 14, and Defendant
replied, ECF 15. This Court held a hearing on the Motion to Dismiss on September 30, 2025, ECF 24. For the reasons discussed below, this Court concludes that Plaintiff does not adequately plead her federal claim. Accordingly, this Court declines to exercise supplemental jurisdiction over her remaining state law claims. Defendant’s Motion to Dismiss, ECF 11, is granted. Plaintiff’s Complaint is dismissed with leave to amend within twenty-one (21) days. BACKGROUND1 Defendant ORM Fertility is a healthcare provider in Portland, Oregon, that offers fertility services and treatments. Compl., ECF 1 ¶ 13. Defendant operated a public website, www.ormfertility.com (“Website”), through which visitors could learn about ORM Fertility facilities and services and book consultations. See id. ¶¶ 1, 13, 59.
Plaintiff lives in Portland, Oregon, and is a patient of ORM Fertility. Id. ¶¶ 7–8. Around May 2022 and March 2024, Plaintiff used Defendant’s Website to book consultations for fertility services. Id. ¶ 7. At an unknown date, Plaintiff attended a consultation and received fertility treatment from Defendant. Id. ¶ 8. Plaintiff also maintained an active LinkedIn account and used the same device and browser to access the Website and her LinkedIn account. Id. ¶ 9. After
1 For purposes of the motion to dismiss, this Court takes Plaintiff’s allegations, summarized here, as true. visiting Defendant’s Website, Plaintiff received targeted advertisements relating to fertility services on LinkedIn in November 2024. Id. ¶ 7. Plaintiff alleges Defendant embedded a piece of code known as the LinkedIn Insight Tag on its Website. Id. ¶ 13. Plaintiff further alleges the Insight Tag is a tracking technology that
allows LinkedIn to intercept and record “click” events, which display information about which page a website user browsed and selections on those pages. Id. ¶ 61. When a user who has signed into LinkedIn browses a website that has the LinkedIn Insight Tag embedded, Plaintiff alleges the Insight Tag sends requests about the user’s actions on the website to LinkedIn. Id. ¶ 45. Plaintiff alleges that here, the click events recorded by the LinkedIn Insight Tag showed which procedure a patient on the Website was viewing, whether they clicked to schedule a consult, and whether they submitted an information form. Id. at 17–18 figs. 1–3, ¶ 61. Plaintiff alleges that, through the LinkedIn Insight Tag, Defendant allowed third parties such as LinkedIn to intercept communications that included protected health information (“PHI”), including information related to specific fertility treatment she received at ORM,
without Plaintiff’s consent. Id. ¶¶ 10, 62, 66. Plaintiff alleges this conduct violated various provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), id. ¶¶ 22, 28, 105, and Oregon statutes and regulations, id. ¶¶ 19–21, 23, which forbid healthcare providers from disclosing PHI without the patient’s express written authorization. Plaintiff alleges Defendant used the LinkedIn Insight Tag for advertising purposes because the PHI it intercepted and shared with third parties is valuable to advertisers. Id. ¶¶ 13, 40, 43, 58. She alleges both Defendant and LinkedIn monetized this data for targeted advertising purposes. Id. ¶ 62. Plaintiff filed this putative class action on February 6, 2025. Compl., ECF 1. Plaintiff pleads a nationwide class, defined as “all persons in the United States, who during the class period, had a LinkedIn account and booked a consultation on www.ormfertility.com,” id. ¶ 77, and a subclass of “all persons in Oregon who, during the class period, had a LinkedIn account and booked consultation on www.ormfertility.com,” id. ¶ 78. Plaintiff brings four claims: violation of the Electronic Communications Privacy Act, negligence, breach of confidence, and
unjust enrichment. Id. ¶ 5. Defendant moves to dismiss all claims. ECF 11. STANDARDS Federal Rule of Civil Procedure 12(b)(6) provides that a court may dismiss a complaint for failing to state a claim upon which relief can be granted. “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 570 (2007)). The court must construe all well-pleaded material facts in the light most favorable to the non-moving party. Rowe v. Educ. Credit Mgmt. Corp., 559 F.3d 1028, 1029–30 (9th Cir. 2009). However, a court need not accept as true “[t]hreadbare recitals of a cause of action’s elements, supported by mere conclusory statements.” Iqbal, 556 U.S. at 678.
DISCUSSION Defendant’s motion to dismiss argues Plaintiff fails to state a claim for any of her asserted claims: violation of the Electronic Communications Privacy Act, negligence, breach of confidence, and unjust enrichment. This Court first addresses Plaintiff’s federal ECPA claim. A. Electronic Communications Privacy Act The Wiretap Act, as amended by the Electronic Communications Privacy Act (“ECPA”), provides for liability against any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a); see also § 2520 (creating a private right of action for a “person whose wire or oral communication is intercepted . . . in violation of this chapter”). To state a claim under the relevant provisions of ECPA, Plaintiff must allege that Defendant: “(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.” R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 900 (C.D. Cal. 2024). Defendant argues Plaintiff
fails to allege elements two and three: unlawful interception and interception of “contents.” MTD, ECF 11 at 8. 1. Unlawful Interception The statutory term “intercept” is defined as the “acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). ECPA contains a “party exception,” which exempts from liability any interceptions where one person “is a party to the communication.” 18 U.S.C. § 2511(2)(d); see In re Yahoo Mail Litig., 7 F. Supp. 3d 1016, 1026 (N.D. Cal. 2014) (“[T]he consent of one party is a complete defense to a Wiretap Act claim.”). This exception is subject to a further exception: A party to a communication may still be liable if a communication “is intercepted for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d) (emphasis
added). Plaintiff acknowledges that Defendant was a party to the communication, Opp’n, ECF 14 at 8. Plaintiff argues, however, that Defendant’s conduct falls within the crime-tort exception because Defendant intended to violate HIPAA’s criminal prohibition against disclosing “individually identifiable health information” without authorization. Opp’n, ECF 14 at 8–9. Defendant argues that the crime-tort exception does not apply here because, even accepting Plaintiff’s allegations as true, its purpose in installing the LinkedIn Insight Tag was commercial gain, not committing any crime or tort. MTD, ECF 11 at 9–12. The Court first addresses whether a violation of HIPAA can fall under ECPA’s crime-tort exception as a matter of law. Finding that it can, the Court then addresses whether Plaintiff has pleaded enough facts to allege that Defendant ORM violated HIPAA by transmitting her information to LinkedIn. The Court finds Plaintiff has not pleaded sufficient facts to allege that
Defendant transmitted her PHI to LinkedIn and therefore, does not adequately allege that Defendant violated HIPAA, and the crime-tort exception does not apply. a. Crime-tort exception Plaintiff alleges that “Defendant intercepted Plaintiff’s and Class Members’ electronic communications through the LinkedIn Insight Tag, which tracked, stored and unlawfully disclosed Plaintiff’s and Class Members’ PII and PHI to third parties, such as LinkedIn.” Compl., ECF 1 ¶ 100. Plaintiff alleges this confidential information “was then monetized for targeted advertising purposes.” Id. ¶ 101. Plaintiff alleges that in so doing, Defendant violated the criminal provision of the Health Insurance Portability and Accountability Act (“HIPAA”) that prohibits healthcare providers from knowingly disclosing an individual’s identifiable health information to a third party. Id. ¶ 105; see id. ¶ 19 (discussing Oregon’s comparable health
privacy statute, ORS 192.553). Defendant argues that because the LinkedIn Insight Tag intercepts communications “for advertising purposes,” Compl., ECF 1 ¶¶ 13, 58, not for the purpose of facilitating a crime or tort, the crime-tort exception cannot apply as a matter of law. See MTD, ECF 11 at 10. The parties dispute whether an alleged violation of HIPAA can constitute an independent act for purposes of the crime-tort exception. “Courts around the country, including courts within this circuit, are divided on th[is] issue.” K.L. v. Legacy Health, No. 3:23-cv-1886-SI, 2024 WL 4794657, at *6 & n.11 (D. Or. Nov. 14, 2024) (collecting cases); see MTD, ECF 11 at 11–12; Opp’n, ECF 14 at 10–11. Courts in this District that have considered the issue concluded that alleged disclosure of information in violation of HIPAA can constitute an independent criminal act under the crime-tort exception, beyond the act of intercepting the information alone. See Legacy Health, 2024 WL 4794657, at *6; M.R. v. Salem Health Hosps. & Clinics, No. 6:23-cv- 01691-AA, 2024 WL 3970796, at *5 (D. Or. Aug. 28, 2024). This Court agrees with the
reasoning in those cases that a HIPAA violation can be an independent act sufficient to invoke the crime-tort exception. The Ninth Circuit has yet to address the issue but has broadly held that to trigger the crime-tort exception under ECPA, the “criminal or tortious purpose must be separate and independent from the” interception. Planned Parenthood Fed’n of Am. v. Newman, 51 F.4th 1125, 1136 (9th Cir. 2022); Nienaber v. Overlake Hosp. Med. Ctr., 733 F. Supp. 3d 1072, 1095 (W.D. Wash. 2024) (noting district courts in this Circuit have adopted this rule). However, the Court has also instructed that the existence of a “lawful purpose does not mean that the interception is not also for a tortious or unlawful purpose.” Sussman v. Am. Broad Cos., 186 F.3d 1200, 1202 (9th Cir. 1999) (explaining that “the focus is not upon whether the interception itself
violated another law; it is upon whether the purpose for the interception—its intended use—was criminal or tortious”). The crux of the issue is interpreting the text of the crime-tort exception to the ECPA: “unless such communication was intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d). The statute’s text does not distinguish between crimes or torts or the severity of either. Nor does it exclude any class of criminal or tortious acts, including those with a financial motivation. Rather, “criminal or tortious” in the statute modifies “act.” Here, the act is the alleged disclosure of personal health information. The appropriate inquiry is whether a defendant intercepted communications with the purpose of completing the act, disclosure HIPAA-protected information, which is “criminal or tortious.” The existence of a financial motivation for committing the alleged disclosure does not render the act not tortious or not criminal. This Court rejects a reading that would require a heightened purpose requirement not
found in the text of the statute. Neither of the prior cases from this District, however, squarely addressed whether allegations that the defendant intercepted communications for commercial or financial gain preclude a finding that the defendant intercepted communications “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d). Defendant cites cases holding that an alleged interception for commercial or financial purposes precludes an intent to commit a criminal or tortious act. See MTD, ECF 11 at 10–12. While some district courts in the Ninth Circuit and others have reached this conclusion,2 other district courts have held the crime-tort exception may still apply when there is also an alleged commercial or financial motivation.3
2 See, e.g., In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 797 (N.D. Cal. 2022) (“Multiple courts in this district have found that the crime-tort exception to the Wiretap Act is inapplicable where the defendant’s primary motivation was to make money, not to injure plaintiffs tortiously.”); Katz-Lacabe v. Oracle Am., 668 F. Supp. 3d 928, 945 (N.D. Cal. 2023) (dismissing a Wiretap Act claim where the interceptor’s “purpose has plainly not been to perpetuate torts on millions of Internet users, but to make money.” (citations omitted)); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 519 (S.D.N.Y. 2001) (finding the crime- tort exception did not apply where the defendant’s purpose was not “to perpetuate torts on millions of Internet users, but to make money by providing a valued service to commercial Web sites.”); Doe v. Genesis Health Sys., No. 4:23-cv-04209-JEH, 2025 WL 1000192 at *9 (C.D. Ill. Mar. 18, 2025) (holding that a provider embedding tracking technologies for marketing and advertising purposes was “not for the purpose of knowingly committing a violation of the HIPAA”); Goulart v. Cape Cod Healthcare, Inc., No. 25-10445-RGS, 2025 WL 1745732, at *4 (D. Mass. June 24, 2025), appeal filed No. 25-1672 (1st Cir. July 23, 2025) (“Commercial purposes or advantages are not the stuff of which a crime-tort is made.”). 3 See, e.g., R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 901 (C.D. Cal. 2024) (“But even where a defendant is arguably motivated by monetary gain, the crime-tort exception may nonetheless apply if plaintiffs have adequately alleged that the defendant’s conduct violated state law.”); Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 381–82 (S.D.N.Y. 2024) This Court concurs with the district courts that have addressed this issue and found that an alleged commercial or financial purpose does not preclude a defendant’s conduct from falling under ECPA’s crime-tort exception. As discussed above, “the statutory text . . . gives no hint that conduct falls outside the reach of the statute if a person acted based on financial motivations.”
Stein, 2025 WL 580556, at *5. Crimes and torts often have financial motivations, and the statutory text broadly covers “any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d) (emphasis added). Acts can have multiple, simultaneous purposes. The Ninth Circuit has cautioned that the existence of a “lawful purpose does not mean that the interception is not also for a tortious or unlawful purpose.” Sussman, 186 F.3d at 1202. Nothing in the statute’s text or binding precedent excludes any class of criminal or tortious acts. Accordingly, this Court finds that a defendant’s financial motivation does not insulate a health care provider from liability under the ECPA, where they intentionally disclosed individually identifiable patient health information in violation of HIPAA.
(finding the plaintiff’s allegations “plausibly support the inference that [defendant], for commercial ends, intentionally disclosed individually identifiable patient health information, and thus violated HIPAA, which makes it a crime for a health care provider to disclose individually identifiable health information for commercial gain.”); Stein v. Edward-Elmhurst Health, No. 23-cv-14515, 2025 WL 580556, at *6 (N.D. Ill. Feb. 21, 2025) (“The existence of a financial motivation (on the one hand) and a criminal or tortious motivation (on the other hand) are not mutually exclusive.”); In re Grp. Health Plan Litig., 709 F. Supp. 3d 707, 720 (D. Minn. 2023) (“[T]his district has not found that the crime-tort exception to the Wiretap Act is inapplicable where the defendant’s primary motivation was to make money.”); Riganian v. LiveRamp Holdings, Inc., No. 25-cv-00824, 2025 WL 2021802, at *9 (N.D. Cal. July 18, 2025) (finding that although Defendant may have been motivated by financial gain, “committing a tort and seeking a profit are not mutually exclusive.”); Doe v. Tenet Healthcare Corp., No. 1:23-cv- 01106-DC-CKD, 2025 WL 1635956, at *24 (E.D. Cal., June 9, 2025) (“The court joins those courts that have held a monetary purpose does not insulate a party from liability under the ECPA . . . .”). b. Plaintiff’s allegations Turning to the allegations here, Plaintiff must sufficiently allege that she disclosed PHI to ORM, and ORM disclosed that PHI to LinkedIn through the LinkedIn Insight Tag, and that this disclosure led to targeted marketing. This Court concludes Plaintiff has not pleaded sufficient facts to support an inference that ORM disclosed her PHI to LinkedIn.
While information that relates to patients’ “past, present, or future physical . . . health condition[s]” is protected, 45 C.F.R. § 160.103, courts in this Circuit have held that PHI does not stretch so far as to include a user’s browsing activity on a public-facing website that generates only general search queries. The Legacy Health court, for example, held that the “generic search queries” the plaintiff generated while browsing the defendant’s public website could not constitute PHI. 2024 WL 4794657, at *4. In Smith v. Facebook, Inc., the court held that a list of URLs visited by the plaintiff, including “information about a specific doctor,” “search results” for a phrase, and “other publicly available medical information” did not qualify as PHI because it did not contain “information relat[ing] specifically to [p]laintiffs’ health.” 262 F. Supp. 3d 943, 954–55 (N.D. Cal. 2017), aff’d, 745 F. App’x 8 (9th Cir. 2018); see Nienaber, 733 F. Supp. 3d at
1082 (“where nothing but browsing activity on a publicly available website is transmitted, courts within this circuit have held that the URLs, or the content of the pages located at those URLs, [do not relate] to the past, present, or future physical or mental health or condition of an individual” (internal quotation marks omitted)). Plaintiff contends that the existence of the LinkedIn Insight Tag on ORM’s Website, Compl., ECF 1 at 16–18, figs. 1–3, is enough to show that ORM transmitted her PHI to LinkedIn. See Opp’n, ECF 14 at 14. This Court finds that those allegations alone are insufficient. Read in the light most favorable to Plaintiff, the Complaint alleges that B.N. accessed three pages on Defendant’s Website. The first page Plaintiff included in her Complaint is ORM’s homepage. Compl., ECF 1 at 17 fig. 1. The screenshot, by including a red box around the subpage, implies that Plaintiff clicked on the dropdown menu for “Fertility Care” and the subpage for “IVF – In Vitro Fertilization.” See id. The second page is ORM’s subpage for IVF, and this screenshot includes the URL (“ormfertility.com/ivf-in-vitro-fertilization/”) at the top and
on the overlaid coding panel. Id. at 17 fig. 2. The screenshot, by including a red box around the button’s text, implies that Plaintiff clicked on the button “SCHEDULE YOUR CONSULT TODAY” on that page. See id. These first two pages are clearly public-facing portions of ORM’s website, and queries on those two pages do not constitute PHI. See Legacy Health, 2024 WL 4794657, at *4 (“[G]eneric search queries created during such browsing activity [] do not constitute PHI.”). In Legacy Health, the plaintiff used “a personalized, password protected page” where patients could “communicate online with their physicians, retrieve healthcare records, review prescriptions, sign up for research, and schedule appointments.” 2024 WL 4794657, at *2. This Court likewise “sees a meaningful difference between searches conducted on a website accessible to anyone and
a private portal provided to an individual patient.” Id. *4. Figures 1 and 2 provide the sort of “general health information that is accessible to the public at large” that is not PHI under HIPAA. Id. at *4 (citation omitted). Figure 3, the third page, appears to be a form to submit information to ORM. Compl., ECF 1 at 19 fig. 3. The page does not include any detail about IVF services, and context suggests the form is ORM’s general interest form. The screenshot does not show the URL at the top of the page, but on the overlaid coding panel, it includes “‘url’: ‘https://ormfertility.com/general- fertility.’” Id. The “pageTitle” on the next line of code is “Start Your Journey Towards Parenthood – ORM Fertility”—not ORM’s subpage for IVF, Figure 2. Id. at 17–18 figs. 2, 3. This context also suggests that Figure 3 is not a subpage accessed from clicking on Figure 2. The screenshot, by including a red box around the button’s text, implies that Plaintiff clicked on the “SUBMIT” button after inputting her information. See id. at 18 fig. 3. While “intercept[ing] data relating to patient portal logins and logouts alongside
identifiers for each patient,” In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 791, may be protected by HIPAA, Plaintiff pleads no facts suggesting that LinkedIn’s tool on the Figure 3 page collected her PHI. Plaintiff’s theory of the violation is that the Insight Tag allows LinkedIn to intercept and record “click” events that “detail information about which page on the Website the patient was viewing as well as the selections they were making.” Compl., ECF 1 ¶ 61. While Plaintiff alleges that the LinkedIn Insight Tag intercepted “confidential information related to [] fertility-related medical appointments” and “the procedure and whether a consultation was booked,” id. ¶¶ 62, 63, the Complaint does not supply facts that support that conclusion. Moreover, unlike other cases that have survived a motion to dismiss, the Complaint does not plead that the webpage tracked what physician or other provider she scheduled an
appointment with or any treatment details. See, e.g., R.S. v. Prime Healthcare Servs., Inc., No. 24-cv-00330, 2025 WL 103488, at *5 (C.D. Cal. Jan. 13, 2025) (holding that HIPAA protected information about a user’s “medical conditions, treatment details, appointment information, and the physician she selected”). Plaintiff does not describe any other activity on Defendant’s Website that could constitute PHI. See generally Compl., ECF 1. Plaintiff’s allegations about LinkedIn’s advertising do not show that ORM specifically disclosed anything to LinkedIn. Plaintiff does not provide any detail about the advertisements, nor does the Complaint specify how the advertisement matches information Plaintiff disclosed to ORM.4 The Complaint states that she “received targeted advertisements on LinkedIn relating to fertility services.” Compl. ECF 1 ¶ 9 (emphasis added). The Complaint also states that “Plaintiff and Class Members face ongoing harassment and embarrassment in the form of unwanted targeted advertisements.” Id. ¶ 139. This does not establish, however, that LinkedIn found out
that Plaintiff was seeking IVF treatment through ORM rather than any other source. If Plaintiff, for example, googled anything relating to IVF, those queries could have equally likely led to the LinkedIn advertisement than click activity on one website eight months prior.5 In Legacy Health, the plaintiff alleged that she never disclosed her health condition anywhere else on the internet other than the defendant’s website and after using the defendant’s website, received advertising targeted to that specific condition. 2024 WL 4794657, at *2–3. Plaintiff does not allege that Defendant’s website was the only place on the internet where she input information related to fertility services, nor does she plead facts that she extensively used the Website. See, e.g., In re Grp. Health Plan Litig., 709 F. Supp. 3d at 713, 719 (denying motion to dismiss where plaintiffs used provider websites “to communicate private health information with healthcare providers;
search for physicians; schedule appointments and procedures; receive and discuss medical diagnoses and treatment from healthcare providers; receive lab results; review medical records; review medical bills; and search symptoms and medical conditions relating to personal medical treatment”).
4 The Complaint states “Plaintiff has not included in her allegations the precise nature of the treatment she received from ORM” in order “[t]o prevent further disclosure of Plaintiff’s confidential medical information.” Compl., ECF 1 at 3. However, Plaintiff can move to file documents containing sensitive personal information under seal. See L.R. 5-2(e). 5 Plaintiff also does not allege that she typed ORM’s URL into a browser directly. Plaintiff also does not allege that she started receiving targeted advertisements related to fertility services close in time to using Defendant’s Website. Plaintiff states that she used Defendant’s Website around May of 2022 and March of 2024. Compl., ECF 1 ¶ 7. Plaintiff became aware of the disclosure eight months later in November 2024. Id. This is not enough to
support an inference that ORM disclosed Plaintiff’s information to LinkedIn. Therefore, the Complaint does not plead facts sufficient to support an inference that it was this defendant who transmitted any of B.N.’s PHI to LinkedIn, and the crime-tort exception to ECPA’s one-party rule cannot apply. Because the Complaint does not supply facts that connect any disclosure of PHI shared with ORM’s Website to LinkedIn, Plaintiff’s ECPA claim cannot survive a motion to dismiss. 2. Interception of “Contents” Defendant argues Plaintiff fails to allege any facts showing that the “contents” of a communication were disclosed to LinkedIn or any third party. MTD, ECF 11 at 13. ECPA defines “contents” as “any information concerning the substance, purport, or meaning” of a communication. 18 U.S.C. § 2510(8). Defendant argues Plaintiff fails to allege that “any actual
message content—such as the substance of any communication with a healthcare provider—was transmitted” and that metadata or technical information related to the transmission do not fit within the statutory definition of “contents.” MTD, ECF 11 at 13. Since this Court finds Plaintiff has not pleaded adequate detail to allege that Defendant disclosed her PHI to LinkedIn, or that Defendant disclosed any such information, this Court need not address Defendants arguments regarding whether Plaintiff can allege an interception of “contents” and declines to do so. In sum, viewing the allegations in the Complaint in the light most favorable to Plaintiff, this Court finds that she cannot state a claim under ECPA. This Court dismisses Plaintiff’s ECPA claim. B. State Law Claims Plaintiff also brings three state law claims: negligence, breach of confidence, and unjust enrichment. Compl., ECF 1 ¶ 5. ECPA, a federal statute, gives this Court federal question subject-matter jurisdiction, 28 U.S.C. § 1331,6 and this Court may exercise supplemental jurisdiction over state law claims “that are so related to claims in the action within such original
jurisdiction that they form part of the same case or controversy.” 28 U.S.C. § 1367. However, because this Court dismisses the federal ECPA claim, the Court dismisses Plaintiff’s related state law claims. See 28 U.S.C. § 1367(c)(3). C. Leave to Amend Plaintiff argues that if the Complaint is dismissed, the Court should grant leave to amend. Opp’n, ECF 14 at 7–8. Defendant argues that because Plaintiff’s ECPA claim cannot be sustained as a matter of law, the Court should grant its motion without leave to amend. MTD, ECF 11 at 8, 15. This Court agrees with Plaintiff. “[I]n dismissals for failure to state a claim, a district court should grant leave to amend . . . unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Cook, Perkiss & Liehe, Inc. v. N. Cal.
Collection Serv. Inc., 911 F.2d 242, 247 (9th Cir. 1990). Plaintiff does not plead adequate detail to support an inference that Defendant disclosed her PHI to LinkedIn or any other third party. However, because this Court finds a violation of HIPAA for financial gain can fall under ECPA’s crime-tort exception, this Court grants Plaintiff leave to amend.
6 Both B.N. and ORM are domiciled in Oregon, so this Court cannot exercise diversity jurisdiction. See 28 U.S.C. § 1332(a)(1) (diversity jurisdiction only exists in actions between “citizens of different states”). CONCLUSION Defendant’s Motion to Dismiss, ECF 11, is GRANTED. Plaintiff is given leave to amend within twenty-one (21) days.
IT IS SO ORDERED.
DATED this 12th day of November, 2025.
/s/ Karin J. Immergut Karin J. Immergut United States District Judge