Doe v. Bayhealth Medical Ctr.

• Court: Superior Court of Delaware
• Decided: April 2, 2025
• Docket: N24C-09-002 FJJ
• Status: Published

Opinion

IN THE SUPERIOR COURT OF THE STATE OF DELAWARE

JANE DOE, JOHN DOE, and JACK DOE, ) on behalf of themselves and all others ) C.A. No. N24C-09-002 FJJ similarly situated, ) ) Plaintiffs, ) ) v. ) ) BAYHEALTH MEDICAL CENTER, ) INC., d/b/a BAYHEALTH ) ) Defendants. )

OPINION AND ORDER

Upon Consideration of Defendant, Bayhealth Medical Center, Inc.’s Motion to Dismiss Plaintiffs’ First Amended Complaint DENIED IN PART AND GRANTED IN PART.

Submitted: March 10, 2025 Decided: April 2, 2025

Dean R. Roland, Esquire, and R. Grant Dick, Esquire of Cooch and Taylor P.A., Wilmington, Delaware, Raina C. Borelli, Esquire, pro hac vice counsel of Strauss Borelli, PLLC, Chicago, Illinois, and Joshua R. Jacobson, Esquire, pro hac vice counsel of Jacobson Phillips, PLLC, Altamonte Springs, Attorneys for Plaintiffs, Jane Doe, John Doe, and Jack Doe, on behalf of themselves and all others similarly situated.

Patrick M. Brannigan, Esquire, of Eckert Seamans Cherin & Mellott, LLC, Wilmington, Delaware and Paulyne Gardner, Esquire, pro hac vice counsel of Mullen Coughlin LLC, Devon, Pennsylvania, Attorneys for Defendant Bayhealth Medical Center, Inc.

Jones, J.

1 INTRODUCTION

Three anonymous Plaintiffs, Jane Doe, John Doe, and Jack Doe, (“Plaintiffs”),

bring this case on behalf of themselves and a class of similarly situated persons

against Bayhealth Medical Center (“Defendant”) for an alleged unauthorized

disclosure of their private health information.1 A technology hidden within

Defendant’s website purportedly gathered Plaintiffs’ private health information and

disclosed it to third parties for purposes of targeted advertising.

FACTS AND PROCEDURAL BACKGROUND

Plaintiffs’ claims are based on Defendant’s alleged unauthorized use of “code-

based trackers,” known as “trackers” or “tracking technologies,” on Defendant’s

website to collect Plaintiffs’ private health information and then disclose the

gathered information to third parties.2 Trackers relay website-users’ information to

third parties by tracking the users’ interactions with the website, including page

views, clicks, and submissions, and sends that data to the website server as well as

third parties.3 Third parties can then integrate that data with previously gathered

information to create a targeted ad.4

1 The three named plaintiffs have been identified by name to Defendant confidentially. 2 Docket Item (“D.I.”) 18 ¶ 6. 3 Id. ¶ 10. 4 Id.

2 Plaintiffs purport Defendant used Facebook’s Meta Pixel (hereinafter “Meta

Pixel” or “Pixel”).5 The Meta Pixel not only tracks device information, URLs and

domains visited but can also track “search terms, button clicks, and form

submissions.”6 The Pixel can also link the visitor’s interactions with their Facebook

profile using cookie identifiers.7 Plaintiffs allege this allows their private health

information to be connected to their individual profiles.8 In addition to the Meta

Pixel, Plaintiffs allege Defendant’s website was also using Facebook’s Conversions

Application Programming Interface (“CAPI”). CAPI is a tracker similar to the Pixel,

but it does not require use of ad blockers or consent requests that would inhibit

website users to block the tracked information from getting to Facebook.9 Plaintiffs

allege comparable trackers made by Google (Google Tag Manager, “GTM”) and

Microsoft (Microsoft Universal Events and Microsoft Clarity) are also embedded on

Defendant’s website.10

Plaintiffs are Defendant’s patients and have received healthcare services from

physicians in Defendant’s network.11 Plaintiffs allege Defendant encouraged them

to use Defendant’s website and that Plaintiffs did in fact use the website for purposes

such as searching for physicians and services, accessing the patient portal, paying

5 Id. ¶ 11. 6 Id ¶¶ 11, 49. 7 Id. ¶¶ 11, 49, 60, 104. 8 Id. 9 Id. ¶ 14. 10 Id. ¶ 19. 11 Id. ¶¶ 80, 92, 104.

3 for medical services, scheduling an appointment, and navigating website tabs.12

After using Defendant’s webpage, each Plaintiff began receiving targeted ads for the

respective health conditions they were seeking information for.13 Plaintiffs allege

these targeted ads are a direct result of trackers embedded in Defendant’s website

and gathering their private health information, including but not limited to pages

viewed; buttons clicked; patient statuses; keyword and physician searches; patient

portal activities pertaining to patients’ services, medical records, and billing and

financial information; as well as identifying information, including IP addresses and

cookies, and disclosing it to third parties including Facebook, Google, and Microsoft

to utilize for profit.14

Plaintiffs describe several examples of Defendant’s collection and disclosure

process. One such example involves using a website user’s keyword search to create

a targeted ad for that user related to the search.15 The user searches the words

“cancer” and “pain,” which leads the user to navigate to a webpage on colorectal

cancer. The words searched and webpage clicked are then disclosed to the embedded

trackers on Defendants’ website. In addition, Defendant discloses a website call

event coming from the colorectal cancer webpage when the user calls Defendant

from the webpage and “PageView” events every time the user clicks to another page.

12 Id. ¶¶ 7-8, 38-39 81, 93, 105. 13 Id. ¶¶ 82, 93, 107. 14 Id. ¶¶ 17, 18, 96. 15 Id. ¶¶ 105-10.

4 Another illustration involves a website user clicking the “Find A Doctor”

button on Defendant’s website.16 Defendant discloses the user’s click with a

“SubscribedButtonClick” event and sends a “PageView” event indicating the user

navigated to the “Find A Doctor” page. Moreover, the Defendant transmits any

information the user divulged by filtering their search including physician names,

specialties, and patient’s zip code.

Plaintiffs maintain Defendant guaranteed protection of Plaintiffs’ private

health information through their Privacy Policies posted on Defendant’s website.17

Within the Privacy Policies, Defendant states it “will not use or share your

information other than as described here unless you tell us we can in writing.”18 The

Privacy Policies provide the following situations in which Defendant can disclose a

patient’s personal health information without their written authorization: “[T]o treat

you; run our organization (we can use and share your health information to run our

medical center, improve your care, and contact you when necessary); bill for your

services; help with public health and safety issues; do research; comply with the law;

respond to organ and tissue donation requests; work with a medical examiner or

funeral director; address workers’ compensation, law enforcement and other

government requests; respond to law suits and legal actions.”19 Further, the policies

16 Id. ¶¶ 111-16. 17 Id. ¶¶ 23, 87-94. 18 Id. ¶ 89, Exhibit (“Ex.”) C. 19 Id. ¶ 90, Ex. C.

5 give Plaintiffs the right to “security, personal privacy, and confidentiality of [their]

private information,” and maintain Defendant’s promise that they will keep

confidential information secure, including for “marketing; sale of your information”

unless it is required under law or Plaintiffs give Defendant permission.20

The initial Complaint was filed on September 10, 2024.21 Defendant

responded by filing a Motion to Dismiss on November 21, 2024. 22 Plaintiffs filed

the First Amended Complaint on December 20, 2024,23 making Defendant’s Motion

to Dismiss moot. Defendant filed the instant Motion to Dismiss Plaintiff’s First

Amended Complaint on January 24, 2025.24 Full briefing has occurred and is

complete.25 For the reasons set forth, Defendant’s Motion to Dismiss is granted in

part and denied in part.

STANDARDS OF REVIEW

A. Standing

The standard applied to a Rule 12(b)(1) motion to dismiss varies depending

on whether the claim presents a “facial attack” or a “factual attack.”26 “[A] facial

attack ‘contests the sufficiency of the pleadings,’27 ‘whereas a factual attack

20 Id. ¶¶ 92-93, Ex. B. 21 D.I. 1. 22 D.I. 11. 23 D.I. 18. 24 D.I. 22. 25 See D.I. 25 (Plaintiffs’ Answer in Opposition) and 27 (Defendant’s Reply). 26 Constitution Party of Penn. v. Aichele, 757 F.3d 347, 357-58 (3d. Cir. 2014). 27 Id. at 385 (quoting In re Schering Plough Corp,. 678 F.3d 235, 243 (3d. Cir. 2012)).

6 concerns the actual failure of a [plaintiff’s] claims to comport [factually] with the

jurisdictional prerequisites.’”28 When a party files a motion to dismiss challenging

jurisdiction before the party has filed an answer, the party’s motion to dismiss is, by

definition, a facial attack.29

Defendant filed the instant Motion to Dismiss in response to Plaintiffs’ First

Amended Complaint. Defendant has not filed an Answer nor submitted their

competing facts. Thus, this Motion is not a factual attack but rather a facial attack

to jurisdiction.

In a facial attack to jurisdiction, the Court may examine “allegations of the

complaint and documents referenced therein and attached thereto, in the light most

favorable to the plaintiff.”30 The Court applies a Rule 12(b)(6) standard in reviewing

this type of jurisdictional claim.31

B. Failure to State a Claim

Rule 12(b)(6) allows the Court to dismiss for failure to state a claim upon

which relief can be granted.32 Under this rule, the Court must decide whether the

claimant “may recover under any reasonably conceivable set of circumstances

susceptible of proof.”33 The Court accepts all well-pled allegations as true so long

28 Constitution Party of Penn., 757 F.3d at 358 (quoting CNA v. United States, 535 F.3d 132, 139 (3d. Cir. 2008)). 29 Id. at 385. See Mortensen v. First Fed. Sav. And Loan Ass’n., 549 F.2d 884, 892 n.17 (3d. Cir. 1977) (“A factual jurisdictional proceeding cannot occur until plaintiff’s allegations have been controverted.”) 30 Constitution Party of Penn., 757 F.3d at 358 (quoting In re Schering Plough Corp, 678 F.3d at 243). 31 Id. 32 Super. Ct. Civ. R. 12(b)(6). 33 Abernathy v. Brandywine Urology Consultants, 2021 WL 211144 at *2 (Del. Super. Jan 21, 2021).

7 as they put the opposing party on notice of the claim.34 Factual inferences are drawn

in favor of the non-moving party.35 “If the claimant may recover under that standard

of review, the Court must deny the Motion to Dismiss.”36 While the pleading

standard is “minimal,” claims cannot be substantiated by “conclusory allegations

that lack specific supporting factual allegations.”37 Therefore, dismissal is

appropriate if the complaint fails “to make ‘specific allegations supporting each

element of a claim or if no reasonable interpretation of the alleged facts reveals a

remediable injury.”38

ANALYSIS

A. Plaintiffs Have Pled an Injury-In-Fact to Satisfy Standing.

Defendant contends Plaintiffs’ claims lack standing and should be dismissed

because the alleged injuries are not concrete.39 Defendant cites to case law

dismissing claims of alleged disclosures pertaining to a plaintiff’s website browsing

data because the claims lacked injury sufficient to establish standing.40 Plaintiffs

distinguish the instant case by pointing to the alleged protected health information

34 Id; Travelers Cas. and Sur. Co. of Am., 2024 WL 1298762 at *6. 35 Abernathy, 2021 WL 211144 at *2. 36 Id. 37 Travelers Cas. and Sur. Co. of Am., 2024 WL 1298762 at *6 (quoting Central Mortg. Co. v. Morgan Stanley Mortg. Capital Holdings LLC, 27 A.3d 531, 536-37 n.13 (Del. 2011)). 38 Travelers Cas. and Sur. Co. of Am., 2024 WL 1298762 at *6 (quoting Axogen Corp. v. Integra LifeSciences Corp., 2021 WL 5903306, at *2 (Del. Super. Dec. 13, 2021) (citing Surf's Up Legacy Partners, LLC, 2021 WL 117036, at *6))). 39 See D.I. 22 p. 9-10. 40 See Id.

8 (“PHI”) Defendant disclosed and utilizing case law to support the proposition that

disclosing personal health information is an injury-in-fact.41

“Standing is a threshold question that must be answered by a court affirmatively

to ensure that the litigation before the tribunal is a ‘case or controversy’ that is

appropriate for the exercise of the court’s judicial powers.”42 To establish standing,

the plaintiff has the burden of proving (1) an injury in fact; (2) a causal correlation

between the injury and the conduct challenged; and (3) a likelihood that the injury

will be redressed by a favorable decision.43 “[The] requirements for establishing

standing under Article III to bring an action in federal court are generally the same

as the standards for determining standing to bring a case or controversy within the

courts of Delaware.”44 “At the pleading stage, general allegations of injury are

sufficient to withstand a motion to dismiss because it is ‘presume[d] that general

allegations embrace those specific facts that are necessary to support the claim.’”45

The injury-in-fact must be “concrete, particularized, and actual or imminent – not

conjectural or hypothetical.”46 Further, the injury must be “fairly traceable to the

41 See D.I. 25 p. 8-11. 42 Dover Historical Soc’y 838 A.2d 1103, 1110 (Del. 2003). 43 Id. at 1110 (citing Soc’y Hill Towers Owners’ Ass’n v. Rendell, 210 F.3d 168 (3d Cir. 2000)). 44 Dover Historical Soc’y, 838 A.2d at 1111. 45 Id. (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992)). 46 Abernathy, 2021 WL 211144, at *2.

9 challenged action of the defendant.”47 If a plaintiff asserts their injury has not yet

occurred, the plaintiff must show the future injury is “certainly impending.”48

To determine whether an injury is concrete, the Court asks, “whether the

asserted harm has a ‘close relationship’ to a harm traditionally recognized as

providing a basis for a lawsuit in American courts – such as physical harm, monetary

harm, or various intangible harms.”49 One such recognized intangible harm is the

“disclosure of private information.”50

Plaintiffs rely on several cases with fact patterns akin to theirs. The plaintiffs

in each case, while logged into their Facebook accounts, utilized their healthcare

providers’ websites for purposes such as scheduling appointments and researching

providers, services, and conditions.51 Just as in the instant case, the plaintiffs began

receiving targeted ads based on their activities on the provider’s website.52 The

Courts concluded the respective disclosures of private health information were

concrete injuries-in-fact. The Court in Smith v. Loyola University Medical Center

came to this holding by reasoning that the alleged disclosures had a “close

relationship to disclosure of private information, a common-law theory,” which is

47 Id. 48 Id. (citing Clapper v. Amnesty Int’l USA, 568 U.S. 409, 416-18 (2013)). 49 Salas v. Acuity-CHS LLC, 2023 WL 2710180, at *5 (D. Del. Mar. 30, 2023). 50 Id. (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 425 (2021)). 51 Smith v. Loyola Univ. Med. Ctr., 2024 WL 3338941 (N.D. Ill. 2024); Doe v. Genesis Health Sys., 2024 WL 3890164 (C.D. Ill. 2024); Williams v. Dukehealth, 2024 WL 898051 (M.D.N.C. 2024). 52 Loyola Univ. Med. Ctr., 2024 WL 3338941, at *2; Genesis Health Sys., 2024 WL 3890164, at *1-2.

10 recognized in American courts.53 Plaintiffs’ alleged PHI disclosures bear close ties

to this common-law theory.

The instant case is distinguishable from Massie v. General Motors LLC and

Abernathy v. Brandywine Urology Consultants. These cases, cited to in Defendant’s

Opening Brief, are data breach cases, which is not the scenario dealt with in the

instant case. In Massie, the Court held plaintiffs failed to establish a concrete injury

because they did not have a “privacy interest at stake.”54 The plaintiffs did not show

that the defendant had any information outside of their browsing activity, and

certainly not plaintiffs’ personal information.55 Whereas here, Plaintiffs have

properly alleged their personal health information was collected and disclosed.

Abernathy is discernible from the instant case because the plaintiffs did not allege a

present harm, only hypothetical future harms which the court deemed too conjectural

to be a concrete injury-in-fact.56

Plaintiffs have adequately pled a lost benefit of the bargain in terms of failed

security measures. Plaintiffs allege they were promised, and expected as paying

patients, Defendant would protect their sensitive health information.57 Plaintiffs

base the bargain on Defendant’s privacy policies which explicitly state their health

53 Loyola Univ. Med. Ctr., at *3 (quoting Florence v. Order Express, Inc., 674 F.Supp. 3d 472, 479 (N.D. Ill. 2023)). 54 2022 WL 534468, at *3. 55 Id. 56 Abernathy, 2021 WL 211144, at *4. 57 D.I. 18 ¶¶ 87-94.

11 information will not be used for sale or marketing purposes without prior

authorization.58 In Williams v. Dukehealth, the plaintiff alleged analogous

circumstances and the court determined the loss of benefit of the bargain was an

adequately pled injury in fact.59 The Court supported its holding with the plaintiff’s

allegations that she valued her private health information, the health provider

promised to maintain discretion in their privacy policy, the plaintiff paid her provider

with the understanding that the payment included the provider’s protection of her

private health information, and, finally, the provider disclosed her private

information without the plaintiff’s knowledge or consent.60 Plaintiffs have pled the

same circumstances in their Complaint.61

Abernathy is yet again distinguishable from the instant case. The Abernathy

Court denied the plaintiff’s lost benefit of the bargain argument emphasizing that “a

plaintiff’s ‘claim that some indeterminate part of their premiums went toward paying

for security measures . . . is too flimsy to support standing.’”62 Further, the Court

held the plaintiffs did not raise facts showing the parties had any type of agreement

that funds would be used for data security purposes.63 The plaintiffs in Abernathy

were not basing the bargain on a privacy policy. As stated above, the Abernathy

58 See Id. Exs. B and C. 59 Williams, 2024 WL 898051, at *4. 60 Id. 61 See D.I. 18 ¶¶ 7-9, 80-115. 62 Id. at *5 (quoting In re SAIC, 45 F.Supp.3d 14, 30 (D. D.C. 2014)). 63 Abernathy, 2021 WL 211144 at *5.

12 pleadings fall well below what Plaintiffs in the instant case have pled in terms of

their lost benefit of the bargain claim.

Finally, Plaintiffs have sufficiently pled a future harm. While allegations of a

future harm must be “certainly impending,” allegations that a tracker is gathering a

plaintiff’s sensitive health information is sufficient to allege a likelihood of future

harm because the information already collected by the tracker is out of the plaintiff’s

control.64

Based on the above arguments, the Court finds that Plaintiffs’ alleged injuries

contain sufficient concrete and particularized factual support to establish standing.

Considering all well-pled allegations as true and construing inferences in a light most

favorable to the Plaintiffs, the Court finds a reasonable interpretation of the facts that

allow Plaintiffs standing to recover in this case. Therefore, the Court DENIES

Defendant’s Motion to Dismiss for lack of standing.

B. The Browsing Activity Collected And/Or Disclosed By Defendant Is Protected Health Information Required Under HIPPA To Be Secured By Defendant.

“Protected health information” (“PHI”) is safeguarded by the Health Insurance

Portability and Accountability Act’s (“HIPPA”) Privacy Rule.65 “Individually

identifiable health information (“IIHI”) is PHI,

64 Mekhail v. North American Health Care, 726 F.Supp.3d 916, 933 (D. Minn. 2024). 65 See generally 45 C.F.R. Pts. 160, 164 Subparts A and E.

13 including demographic information collected from an individual, and: (1) is created or received by a healthcare provider, health plan, employer or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the information.66

Put simply, PHI is IIHI so long as the PHI relates to the individual’s healthcare and

identifies or could reasonably be used to identify the individual.67 The Delaware

Code similarly defines PHI as:

[a]ny information, whether oral, written, electronic, visual, pictorial, physical or any other form, that relates to an individuals past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care and that reveals the identity of the individual whose healthcare is the subject of the information, or about which there is a reasonable basis to believe such information could be utilized (either alone or with other information that is or should reasonably be available to predictable recipients of such information) to reveal the identity of that individual.68

Protected health information “is not public information . . . and may not be disclosed

without the informed consent of the individual (or the individual’s lawful

representative) who is the subject of the information . . .”69

66 45 U.S.C. § 1320d(6)) (emphasis added). 67 Id. 68 16 Del. C. § 1210(4). 69 Id. § 1212(a).

14 An “unauthenticated public webpage” (“UPW”) is a webpage that does not

require login credentials or user verification.70 The United States District Court for

the Western District of Washington created a spectrum demonstrating what

constitutes PHI on different webpages.71 On one end, “the transmission of

information submitted to a private patient portal – such as a user clicking on the ‘log

in’ button on that webpage – reveals patient status, which in and of itself is protected

health information.”72 On the other end, in which the only information transmitted

is browsing activity on a publicly available website, “the URLs, or the content of the

pages located at those URLs [do not relate] ‘to the past, present, or future physical

or mental health or condition of an individual,” meaning there is no protected PHI.73

In the middle of the two ends, there is information from UPWs which “may be

actionable as well if the information disclosed demonstrates that the plaintiff’s

interactions plausibly relate to the provision of healthcare, or if the information

connects a particular user to a particular healthcare provider (i.e., patient status.)74

The alleged information disclosed in this case falls in the middle area and to

the far end of information submitted via login to a private patient portal. Plaintiffs

allege they utilized Defendant’s public-facing webpage “to access a patient portal”

70 Id. at 789. 71 Ninebar v. Overlake Hosp. Med. Ctr., 733 F.Supp.3d 1072, 1081-82 (W.D. Wash. 2024). 72 Id. 73 Id. 74 Id.

15 and for “patient portal activities.”75 According to the PHI-spectrum outlined above,

that information in and of itself is a protected patient status. Further, the other

information Plaintiffs allege was collected and disclosed can be coupled with

Plaintiffs’ identifying information, such as IP address and Facebook IDs, to establish

a patient status.

Defendant argues the facts and holding in American Hospital Association v.

Becerra are instructive for the immediate case.76 Defendant uses Becerra to argue

the browsing information disclosed is not PHI.77 The United States District Court

for the Northern District of Texas in Becerra held a Health and Human Services

(“HHS”) Bulletin “improperly create[d] substantive legal entities” by allowing PHI

to be considered as IIHI under HIPPA when an internet user’s IP address visits a

UPW with health condition or healthcare provider information on it.78

The Court denies applying Becerra to the instant case for multiple reasons.

First, as held in Nick Gaige v. Exer Holding Co., LLC, the HHS guidance vacated by

Becerra has no impact on a plaintiff’s disclosure allegations when the plaintiff’s

claims are based on statutory and common law violations.79 Plaintiffs do not

reference the vacated HHS guideline in their pleadings but rather premise their

75 D.I. 18 ¶ 7, 17, 38, 81, 93, 105. 76 D.I. 22 p. 11-12. 77 Id. 78 Becerra, 738 F.Supp.3d at 789-90. 79 2925 WL 559719 (C.D. Cal. 2025).

16 claims on Defendant’s infringement of the Delaware Code § 1212(a), HIPPA’s

Privacy Rule, the Health Breach Notification Rule under the Federal Trade

Commission (“FTC”) Act, and Delaware common law causes of action.80 Second,

in Becerra, the plaintiffs are two hospitals and a regional healthcare system suing as

covered entities under HIPPA, and the identifying information at issue is IP

addresses.81 In the instant case, patients are bringing claims against the medical

center and the alleged information disclosed includes pages viewed, buttons clicked,

patient statuses, keyword searches, physician searches, patient portal activities, as

well as “identifying information, such as IP addresses and identifying cookies.”82

The Court in Becerra held that to establish IIHI the website visitor’s subjective intent

had to be known and had to relate to their own healthcare because an IP address

alone was not sufficient to serve as an identifier for IIHI purposes.83 Whereas in the

instant case, Plaintiffs’ allege their Facebook IDs were linked to their health

information to establish their patient statuses. Further, Plaintiffs allege HHS

guidance states that IP addresses standing alone are considered individually

identifying information.84

80 See D.I. 18 ¶¶ 124-35, 176-40. 81 Becerra, 738 F.Supp.3d at 789. 82 D.I. 18 ¶ 17. 83 Becerra, 738 F.Supp.3d at 801-05; See J.C. v. Catholic Health System, Inc., 2024 WL 5136236, at *14 (W.D.N.Y. 2024) (declining to apply Becerra because: (1) J.C.’s facts involved alleged disclosures of IIHI connected to individual’s Facebook IDs, and (2) the J.C. court disagreed with the Becerra court’s analysis “concerning user’s subjective intent.”) 84 See D.I. 18 ¶ 137-44 (citing 45 C.F.R. §§ 164.514(2), (2)(ii), (b)(2)(i)(O)).

17 Defendant cites to Smith v. Facebook, Inc., to establish that public information

is browsing activity and not PHI.85 However, multiple cases factually aligning with

the instant case distinguish Smith in their analyses. The cases note that Smith dealt

with publicly available, general health information; whereas each differentiating

case concerned the plaintiffs’ individual health information and had an associating

connection linking that information to their identity.86

These cases support Plaintiffs’ allegations that their disclosed health

information in conjunction with the identification of their Facebook IDs establishes

their patient statuses, which is PHI. 87

C. The Economic Loss Doctrine Does Not Bar Plaintiffs’ Negligence Claim.

“The economic loss doctrine is a judicially created doctrine that prohibits

recovery in tort where a product has damaged itself (i.e., has not caused personal

injury or damage to other property) and, the only losses suffered are economic in

85 D.I. 22. 86 Genesis Health Sys., 2024 WL 3890164, at *6 (found Smith unpersuasive because “in addition to metadata, [the defendant] disclosed class members’ PII and PHI” that may be linked to class members’ Facebook IDs); Kurowski v. Rush Sys. For Health (“Kurowski IV”), 2024 WL 3455020, at *5 (N.D. Ill. 2024) (distinguishing the information collected and disclosed in Smith as “general, publicly accessible health information,” as opposed to the plaintiffs’ “individualized patient data”); Kane v. Univ. of Rochester, 2024 WL 1178340, at *6 (W.D.N.Y. 2024) (data gathered concerns the individual’s healthcare, coupled with Facebook’s ability to “link this data to a specific user profile,” forms a “reasonable basis to believe that the information can be used to identify that individual.”); In re Meta Pixel Healthcare Litig., 647 F.Supp.3d 778, 791-93 (N.D. Cal. 2022) (protected patient status disclosed via the Pixel gathering the defendant’s patient portal URL and plaintiff’s act of clicking the Log In button to the patient portal). 87 See Kurowski IV, 2024 WL 3455020 (holding factual allegations that website trackers disclosed the name, location, and specialty of plaintiff’s physician amounted to IIHI); Cousin v. Sharp Healthcare, 702 F.Supp. 967, 973 (S.D. Cal. 2023) (holding plaintiffs’ information obtained through their activity on provider webpages constituted IIHI because the information “plausibly relate[d] to the provision of health care” and, when linked with the patient’s IP address, identified the individual.).

18 nature.”88 An economic loss is “any monetary loss, costs of repair or replacement,

loss of employment, loss of business or employment opportunities, loss of good will,

and diminution in value.”89

The doctrine “is a court-adopted measure that prohibits certain claims in tort

where overlapping claims based in contract adequately address the injury alleged.”90

The rule is not an affirmative defense but rather a bar to tort actions that are better

suited under contractual claims.91 “The driving principle for the rule is the notion

that contract law provides a better and more specific remedy than tort law.”92 “The

economic loss doctrine supports the ability of persons to allocate the risks of

business transactions.”93 The doctrine is “especially suited to situations where

privity of contract exists.”94

Relying on Salas v. Acuity-CHS and Bray v. Gamestop Corporation, Defendant

asserts Plaintiffs’ alleged lost value, lost benefit of the bargain, and mitigation costs

harms are barred from recovery under a negligence or negligence per se claim due

to the economic loss doctrine.95 Plaintiffs note the holdings relevant to economic

88 Marcucilli v. Boardwalk Builders, 1999 WL 1568612, at *4 (Del. Super. Dec. 22, 1999). 89 McKenna v. Terminex Intern Co., 2006 WL 1229674, at *4 (Del. Super. Mar. 13, 2006). 90 Brasby v. Morris, 2007 WL 949485, at *6 (Del. Super. Mar. 29, 2007). 91 Id. 92 Id. See Am. L. Prod. Liab.3d § 60:41 (“The pragmatic reason behind the rule is straightforward: ‘The physical consequences of negligence usually have been limited, but the indirect economic repercussions of negligence may be far wider, indeed virtually open-ended. Thus, the fear of crushing useful activity by liability is the moving force behind the rule.’”) 93 Brasby, 2007 WL 949485, at *6. 94 Danforth v. Acorn Structures, Inc., 608 A.2d 1194, 1200 (Del. 1992). 95 D.I. 22 p. 16-18.

19 loss doctrine are inapplicable to the instant case and argue Plaintiffs’ diminution in

value of their private health information and loss of privacy harms impact person

and property and are not purely economic.96

Defendant maintains that the Delaware District Court cases Salas and Bray

govern Delaware law concerning the economic loss doctrine in the data breach

context.97 Defendant purports these cases both stand for the proposition that in data

breach cases the economic loss doctrine bars any claim based on

negligence.98 Defendants are correct that the Court in each of these two cases

dismissed the negligence claims. However, neither decision directly addressed the

question of whether an adequately drafted complaint including allegations of injury

to person or property based on diminution of the value of a person’s private

information or loss of privacy states a valid cause of action. In both cases, plaintiffs

pled only financial or economic losses, triggering the economic loss doctrine’s bar.99

There is no Delaware case controlling the question of whether an allegation that

a plaintiff has suffered a diminution in value of their personal privacy or a violation

of their privacy is sufficient to support a claim sounding in negligence. 100 The

96 D.I. 25 p.16-18. 97 D.I. 22 p. 17-18. 98 Id. 99 See Salas, 2023 WL 2710180, at *7; Bray v. Gamestop Corp., 2018 WL 11226516, at *3-4 (D. Del. Mar. 16, 2018). 100 However, there is Delaware case law recognizing cognizable claims in the violation of the right of privacy (see Barbieri v. News-Journal Co., 189 A.2d 773, 773-74 (Del. 1963)) and the invasion of privacy torts (see Fanean v. Rite Aid Corp. of Del., 984 A.2d 812, 821 (Del. Super. Ct. 2009)).

20 growing trend across the country is that courts have held that such allegations

support a claim based on a negligence theory.101 This judge is of the view, depending

on the evidence developed, that Delaware should join this growing trend and

recognize a claim based on tort given the realities of the 21 st century and the harm

that can be done to an individual by having their privacy breached.

It is clear to the Court that, unlike the situation in both Bray and Salas, Plaintiffs

have alleged a non-economic injury based in negligence. At this motion to dismiss

stage, this Court will allow this claim to proceed and give Plaintiffs a full opportunity

through the discovery process to prove up this non-economic claim. With a more

complete record, the Court can have a better understanding on the damages alleged

to determine whether Delaware should follow the current trend.

D. Plaintiffs Have Adequately Pled a Negligence Claim.

A claim for negligence requires the plaintiff to allege “(i) a duty that is owed to

plaintiff; (ii) defendant breached that duty; and (iii) as a proximate cause of the

breach, plaintiff suffered damages.”102 Delaware Superior Court Civil Rule 9(b)

requires circumstances surrounding a negligence claim to be pled with

101 M. R. v. Salem Health Hosps. & Clinics, 2024 WL 3970796, at *7-8 (D. Or. 2024)(holding plaintiffs’ loss of privacy and diminished value of private health information supported a negligence claim and were not “purely economic” harms); Harris v. Mercy Health Network, 2024 WL 5055556, at *18 (S. D Iowa 2024) (allowing negligence and negligence per se claims “to proceed on the narrow issue of whether [the plaintiff] can recover damages in the form of diminution in value of his personal information, loss of privacy, and loss of time.”); Toy v. Life Line Screening of Am. Ltd., 2024 WL 1701263, at *4 (N. D. Cal. 2024) (holding “invasion of [the plaintiff’s] reasonable expectation of privacy in their medical information” amounts to intrusion upon seclusion and is a non- economic injury.) 102 Travelers Casualty and Sur. Co. of Am. v. Blackbaud, Inc., 2024 WL 1298762, at *12.

21 particularity.103 A plaintiff satisfies this requirement by pleading “(1) what duty, if

any, was breached; (2) who breached it; (3) what act or failure to act breached the

duty; and (4) the party upon whom the act was performed.”104

Defendant alleges Plaintiffs plead conclusory and speculative negligence claims

in their Complaint.105 Defendant again relies on Becerra’s holding to argue the

information disclosed in this case was not protected; therefore, Defendant asserts it

did not have a duty to protect this information, nor did Plaintiffs suffer a “legally

cognizable harm.”106 Plaintiffs reject this argument and direct the Court to the

allegations within their Complaint.107

For the reasons discussed prior, the Court will not apply Becerra to the instant

case and finds that Plaintiffs adequately pled the information disclosed by Defendant

is Plaintiffs’ protected and individually identifiable health information. Therefore,

the Court disagrees with Defendant’s argument that Plaintiffs failed to plead legally

cognizable harms.

In addition, Plaintiffs have sufficiently pled Defendant’s duty to Plaintiffs “to

exercise reasonable care in handling and using Plaintiffs’ and Class Members’

Private Information in its care and custody, including implementing industry-

103 Del. Super. Ct. Civ. R. 9(b). 104 Travelers Casualty and Sur. Co. of Am., 2024 WL 1298762, at *12. 105 D.I. 22 p. 19. 106 Id. 107 D.I. 25 p. 19-21.

22 standard privacy procedures sufficient to reasonably protect the information from

the Disclosure and unauthorized transmittal and use of Private Information that

occurred.”108 The Complaint states that Plaintiffs are “members of a well-defined,

foreseeable, and probable class of individuals whom Defendant knew or should have

known would suffer injury-in-fact from Defendant’s disclosure of their Private

Information to benefit third parties and Defendant.”109 Moreover, Plaintiffs

extensively describe the alleged breach throughout their entire Complaint.110

Therefore, this Court finds Plaintiffs have adequately pled the elements of

negligence with particularity.

Based on the above reasons, Defendant’s Motion to Dismiss Plaintiffs’

Negligence claim is DENIED.

E. Plaintiffs Fail to State a Claim for Negligence Per Se.

Negligence per se is applicable when a plaintiff establishes (1) “the statute in

question was enacted for the safety of others,” (2) there is a “causal connection

between the statutory violation and the injury,” (3) “the statute set[s] forth a standard

of conduct which was designed to avoid the harm plaintiff suffered,” and (4)

“defendant violated the statute by failing to comply with that standard of conduct.”111

108 D.I. 18 ¶ 176. 109 D.I. 18 ¶ 179. 110 See D.I. 18. 111 NFO Co. v. Garrett Snuff Mills, Inc., 2002 WL 130536, at *2 (Del. Super. Jan. 30, 2002).

23 Defendant argues Plaintiffs’ negligence per se claim based on violations of

HIPPA as well as Section 5 of the Federal Trade Commission (“FTC”) Act is

inappropriate because Delaware case law is clear that HIPPA112 as well as the FTC

Act113 do not provide private rights of action for individuals to bring suits under

them.114

Plaintiffs respond that rather than bringing a private cause of action under these

statutes, they are depending on Defendant’s violation of the statutes to establish the

duty owed by Defendant.115

The Delaware Supreme Court in Toll Brothers, Inc. v. Considine held while an

OSHA violation could not be the basis for a negligence per se claim, “the substance

of the OSHA regulations may, nonetheless, be relevant as standards bearing upon

conduct.”116 The Superior Court in Fanean v. Rite Aid Corp. of Delaware, Inc. relied

on this logic to hold the same applied to HIPPA. The Fanean Court held the

plaintiffs could not use HIPPA as a basis for a negligence per se claim but could

“enforce [HIPPA] as a guidepost for determining the standard of care applicable to

a negligence action.”117

112 See Brown v. United States, 2023 WL 2428838, at *7 (D. Del. Mar. 9, 2023); Fatir v. Phelps, 2019 WL 216720, at *12 (D. Del. May 17, 2019) (“It has been commonly recognized that HIPPA does not create a private cause of action. HIPPA creates its own enforcement mechanism under 42 U.S.C. §§ 300gg-22, which limits enforcement actions to the states or the Secretary of Health and Human Services.”); Fanean, 984 A.2d at 815. 113 See Recovery Fund II USA LLC v. Rabobank, National Assoc., 2020 WL 509166, at *8 (D. Del. Jan. 31, 2020) (“There is no private right of action under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45.”) 114 D.I. 22 p. 20-22. 115 D.I. 25 p. 21-22. 116 706 A.2d 493, 498 (Del. 1998). 117 984 A.2d at 823-24.

24 Based on this reasoning, this Court finds Plaintiffs’ negligence per se claims

dependent on HIPPA and the FTC dismissed because these statutes do not provide a

private cause of action. However, Plaintiffs may use the duty standards under these

statutes as “guideposts” for establishing duty under their negligence claim.

Based on the above reasons, Defendant’s Motion to Dismiss Plaintiffs’

Negligence Per Se claim is GRANTED.

F. Plaintiffs Adequately Pled Breach of Implied Contract.

To establish a breach of contract, a plaintiff must prove “(1) the existence of

an express or implied contract; (2) a party breached the obligation imposed by the

contract; and (3) any damages that the plaintiff incurred as a result of the breach.”118

An implied contract is “proven through conduct rather than words.”119 Just as in an

express contract, an implied contract requires offer, acceptance, and consideration.120

“There must be a ‘meeting of the minds,’ and ‘the parties’ mutual assent to the

contract terms must be objectively manifest or shown.”121 However, “naked

assertions devoid of further factual enhancement” do not support an actionable claim

of breach of implied contract.122

118 Salas, 2023 WL 2710180, at *8 (quoting Saunders v. E.I. duPont de Nemours & Co., 2014 WL 7051078, at *4 (D. Del. Dec. 12, 2014)). 119 Salas, 2023 WL 2710180, at *8 (quoting Chase Manhattan Bank v. Iridium Africa Corp., 239 F.Supp.2d 402, 407 (D. Del. 2002)). 120 Salas, 2023 WL 2710180, at *9. 121 Id. (quoting Chase Manhattan Bank, 239 F.Supp.2d at 408). 122 Longnecker-Wells v. Benecard Servs. Inc., 658 Fed. App’x. 659, 662 (3d. Cir. 2016) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)).

25 Defendant rejects Plaintiffs’ alleged reliance on the Privacy Policies as a

source of Defendant’s contractual duties. Defendant perceives Plaintiffs’ “subjective

belief” that paying for Defendant’s medical services, coupled with the Privacy

Policies, does not amount to an implied contractual obligation that Defendant will

protect Plaintiffs’ PHI.123

Plaintiffs allege that, “as a condition of receiving medical care from

Defendant,” Plaintiffs compensated Defendant for received treatment with the

understanding that “a portion of [compensation] was for adequate data security."124

Plaintiffs utilize Defendant’s Privacy Policies as the source of contractual terms for

this implied agreement.125 Plaintiffs claim this exchange established an implied

contract between the parties under which Defendant breached its duty to protect

Plaintiffs’ PHI.126

At this point in litigation, Plaintiffs have adequately pled the existence of an

implied contract. As encouraged by Defendant, an integral portion of being

Defendant’s patient is using the website for reasons such as checking the patient

portal, researching health conditions, and booking appointments. In exchange for

payment of medical services, Plaintiffs expected Defendant to align with the

123 D.I. 22 p. 22-24. 124 D.I. 18 ¶ 198. 125 Id. (“Plaintiffs and Class Members entered into contracts with Defendant by which Defendant agreed to safeguard and protect such information, in its Privacy Policies . . .”) 126 D.I. 25 p. 32-35.

26 promises made in their Privacy Policies and protect Plaintiffs’ information from sale,

unless otherwise authorized. Nonetheless, according to Plaintiffs, Defendant

disclosed Plaintiffs’ sensitive health information to third parties for profit. Plaintiffs

urge they would not have used Defendant’s website, nor paid for medical services,

if they knew the Privacy Policy would not be followed and their information would

be disclosed to third parties. These allegations are sufficient to establish the presence

and breach of an implied contract between the parties.

This conclusion aligns with the reasoning in several cases finding an implied

contract where a defendant was dealing with sensitive health information.127 The

District of Massachusetts dealt with comparable facts in Doe v. Tenet Healthcare

Corporation. In that case, the Court allowed the implied breach of contract claim to

proceed past the motion to dismiss stage where the plaintiffs adequately pled the

defendant breached contractual obligations under an implied contract, based on the

defendant’s privacy policy, by disclosing the plaintiffs’ information to third

parties.128 The Delaware District Courts emphasize the prudence of allowing such

claims to proceed cautiously at the early stages of litigation.129

127 Salas, 2023 WL 2710180, at *10 (finding an implied contract requiring the healthcare provider to adequately safeguard the patient’s private health information based on the parties’ conduct and relationship); Doe v. Regents of Univ. of Cal., 731 672 F.Supp.3d 813, 821 (N.D. Cal. 2023)(plaintiffs plausibly pled an implied contract between parties when they alleged they would not have paid for the defendant’s services and entrusted the defendant with their confidential data in the absence of data-safeguarding promises made in defendant’s privacy statements.) 128 731 F.Supp.3d 142, 150 (D. Mass. 2024). 129 Salas, 2023 WL 2710180 at *10; Bray, 2018 WL 11226516, at *6.

27 At the motion to dismiss stage, a plaintiff needs only to plead “a causally related

injury that warrants a remedy.”130 Defendant’s argument that Plaintiffs did not allege

actual damages is incorrect. As Plaintiffs stated, they have “alleged actual damages,

including unauthorized access of their Private Information by third parties, improper

disclosure of their Private Information, inappropriate advertisements, and increased

risk of future harm, embarrassment, humiliation, frustration, and emotional

distress.”131

Based on the above reasons, Defendant’s Motion to Dismiss Plaintiffs’ Breach of

Implied Covenant claim is DENIED.

G. Plaintiffs Adequately Pled Unjust Enrichment.

A plaintiff states a claim for unjust enrichment when they establish “(1) an

enrichment, (2) an impoverishment, (3) a relation between the enrichment and the

impoverishment, (4) the absence of justification, and (5) the absence of a remedy

provided by law.”132 “The existence of either an express or implied contract

precludes recovery on a quasi-contractual claim like unjust enrichment.”133

However, “where a bona fide dispute exists as to the existence of [a] contract, the

plaintiff may proceed on both breach of contract and quasi contract theories.”134

130 Garfield on behalf of ODP Corp. v. Allen, 277 A.3d 296, 328 (Del. Ch. 2022). 131 D.I. 25 p. 26 (citing D.I. 18 ¶¶ 45, 90, 118). 132 Salas, 2023 WL 2710180, at *11 (quoting Nemec v. Shrader, 991 A.2d 1120, 1130 (Del. 2010)). 133 Kane, 2024 WL 1178340, at *15 (quoting Nakamura v. Fujii, 253 A.2d 387, 390 (N.Y. App. Div. 1998)). 134 Id.

28 Plaintiffs allege, in the alternative to the breach of contract claim, the “valuable

sensitive medical information” collected by Defendant “conferred a monetary

benefit upon” Defendant.135 Plaintiffs assert Defendant received a benefit from the

collection and disclosure of Plaintiffs’ sensitive information “for their own gain,

including for advertisement purposes, sale, or trade for valuable services from third

parties” as well as from Plaintiffs’ monetary compensation for Defendant’s

services.136 Plaintiffs then claim they were impoverished by the value Defendant

received by disclosing Plaintiffs’ information for “marketing and sales purposes.”137

Defendant’s main contention is that Defendant could not have been unjustly

enriched by Plaintiffs because Defendant never received a benefit from Plaintiffs.138

The third element of unjust enrichment, “a relation between the enrichment and the

impoverishment,” does not allow a plaintiff to recover unjust enrichment from a

defendant when a third party is receiving the benefit rather than the defendant.139

However, despite the Defendant's argument, Plaintiffs allege Defendant increased

profits and enhanced the marketing of its services by disclosing Plaintiffs’

135 D.I. 18 ¶ 210. 136 Id. 137 Id. ¶ 214. 138 D.I. 25 p.26-27. 139 See Anguilla RE, LLC v. Lubert-Adler Real Estate Fund IV, L.P., 2012 WL 5351229, at *6 (Del. Super. Oct. 16, 1012) (“[T]here must be ‘a showing that the defendant was enriched unjustly by the plaintiff who acted for the defendant’s benefit.”) (quoting Metcap Secs. LLC v. Pearl Senior Care, Inc., 2007 WL 1498989, at *6 (Del. Ch. May 16, 2006)).

29 information to third parties.140 This allegation is sufficient at this time to satisfy an

benefit conferred to Defendant under unjust enrichment.

Based on the above reasons, Defendant’s Motion to Dismiss Plaintiffs’ Unjust

Enrichment claim is DENIED.

H. Plaintiffs Adequately Pled a Violation of the Delaware Consumer Fraud Act.

The Delaware General Assembly’s purpose for enacting the Delaware Consumer

Protection Act (hereinafter, “DCFA” or “the Act”) was “to protect consumers and

legitimate business enterprises from unfair or deceptive merchandising practices in

the conduct of any trade or commerce in part or wholly within [Delaware].”141 The

Act makes the following unlawful:

[t]he act, use, or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, unfair practice, or the concealment, suppression, or omission of any material fact with intent that others rely upon such concealing, suppression, or omission, in connection with the sale, lease, receipt, or advertisement of any merchandise . . .142

A plaintiff seeking damages under this Act must allege “(1) a defendant engaged in

conduct which violated the statute; (2) the plaintiff was a victim of the unlawful

conduct; and (3) a causal relationship exists between the defendant’s unlawful

conduct and the plaintiff’s ascertainable loss.”143 The Act is to be “liberally

140 D.I. 18 ¶ 16, 39, 140, 145, 214. 141 Teamsters Local 237 Welfare Fund v. AstraZeneca Pharm. LP, 136 A.3d 688, 692 (Del. 2016). 142 6 Del. C. § 2513(a). 143 Id.

30 construed” because it’s purpose is to “protect consumers . . . from unfair or deceptive

merchandising practices.”144

Parties disagree over whether a DCFA claim must be pled with particularity under

Superior Court Civil Rule 9(b). The Delaware District Court makes very clear that

“the Act must still be pleaded with particularity under Rule 9(b).” 145 However, the

District Court further clarifies:

[t]he Act “makes it easier to establish a claim for consumer fraud than common law fraud” in three ways: (1) a negligent misrepresentation is sufficient to violate the statute; (2) an unlawful practice is committed regardless of actual reliance by the plaintiff; and (3) the Act does not require proof of intent to induce action or inaction by the plaintiff. A negligent misrepresentation is sufficient under the Act, meaning the “defendant need not have intended to misrepresent or to make a deceptive or untrue statement. Instead, the only intent requirement of the Act is that in omitting or concealing a material fact, the defendant must have intended that others rely on the omission or concealment.”146

Plaintiffs allege Defendant violated the DCFA by encouraging use of their

webpages yet intentionally failing to inform Plaintiffs that their information was

being disclosed to third parties.147 Defendant raises several opposing arguments in

response.

First, Defendant contends its Privacy Policies cannot be construed as

“advertisements” because the policies are requirements under HIPPA and do not

144 6 Del. C. § 2512. 145 Williams v. Progressive Direct Ins. Co., 631 F.Supp.3d 202, 207 (D. Del. 2022)(citing Homsey v. Vigilant Ins. Co., 496 F.Supp.2d 433, 438-39 (D. Del. 2007)). 146 Williams, 631 F.Supp.3d at 207 (quoting Stephenson v. Capano Dev., Inc., 462 A.2d 1069, 1074 (Del. 1983))(emphasis added). 147 D.I. 18 ¶ 222.

31 prompt a commercial transaction.148 The Act defines “advertisement” as “the

attempt by publication, dissemination, solicitation or circulation to induce, directly

or indirectly, any person to enter into any obligation or acquire any title or interest

in, any merchandise.”149 This broad definition encompasses the published Privacy

Policies. Plaintiffs depended on the Policies’ guaranteed protection in their

continued use of Defendant’s medical services.150 These are sufficient allegations to

properly plead the alleged misrepresentations were “in connection with an

advertisement.”151

Second, Defendant argues the geographical requirement of the DCFA is not

satisfied because the Complaint does not allege Defendant made misrepresentations

in Delaware.152 Plaintiffs’ Complaint alleges Plaintiffs are all domiciled in Delaware

and are all patients of Defendant whose place of business is in Delaware as well.153

The parties’ jurisdictions coupled with Plaintiffs use of the DCFA indicates to the

Court that Defendant’s alleged violations of the Act occurred in Delaware.

148 D.I. 22 p.28 n.8. 149 6 Del. C. § 2511(1). 150 D.I. 18 ¶ 88, 100, 112. 151 The Delaware Courts have not faced a DCFA claim in a scenario with factual allegations akin to the instant case. However, several district and state courts have allowed claims under their respective consumer fraud acts to pass the motion to dismiss stage. See Strong v. Lifestance Health Grp. Inc., 2025 WL 317552, at *8-9 (D. Ariz. 2025); Lamarr v. Goshen Health Sys., Inc. d/b/a Goshen Health, No. 20D02-2404-PL-000090 (Ind. Super. Oct. 3, 2024); Doe v. Va. Mason Med. Ctr., No. 19-2-26671-4 (Wash. Super. Feb. 12, 2020); see also In re Meta Pixel Tax Filing Cases, 724 F.Supp. 987, 1012-23 (N.D. Cal. 2024) (dismissing Consumer Fraud Act claim solely on the ground the plaintiffs’ failed to plead they “actually reviewed” privacy policy communications; whereas, in the instant case, Plaintiffs’ continuously plead they relied on Defendant’s Privacy Policies in using their services.) 152 D.I. 22 p.29. 153 D.I. 18 ¶¶ 29-33, 217.

32 Construing these well-pled allegations as true, the Court finds the DCFA’s

geographical requirement is satisfied.

Third, Defendant purports the alleged deception was not made in relation to the

“sale, lease, or advertisement of . . . merchandise,” as is required by the Act.154

Defendant argues the Privacy Policies are “post-sale representations” not amounting

to recognized consumer fraud under the Act.155 “Claims made under the DCFA must

relate to communications made before or during the contested transaction.”156

Delaware case law makes clear that “post-sale representations” which are not

connected to the sale or advertisement cannot be consumer fraud under the Act.157

Norman Gershman’s Things to Wear, Inc. v. Mercedes-Benz of North America,

Inc. is instructive on what amounts to a “post-sale representation.” In Norman, the

Delaware Supreme Court held purported misrepresentations made after the sale of a

car were “not connected to the sale or advertisement” for purposes of consumer fraud

under the DCFA.158 The plaintiff claimed it “relied upon [the post-sale

misrepresentations] in not exercising its rights under the law.” In contrast, the

alleged misrepresentations allowing the DFCA claim to pass the summary

judgement stage were pre-sale statements concerning the defendant’s warranty

154 6 Del. C. § 2513(a)(emphasis added). The Act defines “merchandise” as “any objects, ware, goods, commodities, intangibles, real estate or services.” 6 Del. C. § 2511(6). 155 D.I. 22 p.29-30 156 Fulkerson, 2002 WL 32067510, at *3 (Del. Super. Sept. 24, 2002). 157 Norman Gershman’s Things to Wear, Inc. v. Merces-Benz of North Am., 558 A.2d 1066, 1074 (Del. Super. Feb. 10, 1989). 158 Id.

33 promises.159 The post-sale representations in Norman differ from the privacy

representations alleged in the instant case.

The Privacy Policies bear on Plaintiffs’ use of Defendant’s website alleged to be

an integral aspect of receiving Defendant’s medical care. The Privacy Policies were

not made available until 2021, after Plaintiffs became patients; nevertheless, the

Court is uncertain if the policies are “post-sale representations,” considering

Plaintiffs continued medical care from Defendants is an ongoing transaction.

Finally, Defendant asserts Plaintiffs’ DCFA claim must be dismissed because the

conduct, and alleged damages, concerning Plaintiffs’ fraud and the breach of implied

contract claims are the same.160 A complaint can allege both fraud and breach of

contract only if the fraud claim is founded “on conduct that is separate and distinct

from the conduct constituting breach.”161 In addition, “[a] plaintiff alleging both

fraudulent misrepresentation and breach of contract must prove that the damages

pled under each cause of action are distinct.”162 Looking to the Complaint, Plaintiffs’

DCFA and breach of implied contract claims plead distinct conduct and damages.163

At this early stage of litigation, the Court will not dismiss Plaintiffs’ DCFA claim

159 Id. at 1075. 160 D.I. 22 p.31. 161 Hiller & Arban, LLC v. Reserves Mgmt., LLC, 2016 WL 3678544, at *4 (Del. Super. July 1, 2016) (quoting ITW Glob. Invs. v. Am. Indus. Partners Capital Fund IV, L.P., at *6 (Del. Super. June 24, 2015)). 162 Hiller & Arban, 2016 WL 3678544, at *4 (quoting 4C, Inc. v. Pouls, 2014 WL 1047032, at *7 (D. Del. Mar. 5, 2014)). 163 Compare D.I. 18 ¶¶ 197-207 with D.I. 18 ¶¶ 217-30.

34 based on this argument and will give plaintiffs the opportunity to substantiate the

claim during the discovery process.

Based on the above reasons, Defendant’s Motion to Dismiss Plaintiffs’ Delaware

Consumer Fraud Act claim is DENIED.

I. Breach of Confidentiality

A breach of confidentiality claim requires a plaintiff to show “(1) defendant owed

a duty of confidentiality; (2) a physician-patient relationship exists; and (3) that duty

was breached.”164 Defendant argues Plaintiffs failed to plead a breach of

confidentiality claim because, according to Martin v. Baheler,165 a third party is

required to actually view the disclosed information. Further, Defendant contends it

does not owe a duty of confidentiality to Plaintiffs.166 Plaintiffs find Defendant

misconstrued Martin’s holding and argue that their Complaint adequately pleads all

requirements of breach of confidentiality.167

In Fanean v. Rite Aid Corp. of Delaware, Inc., the Delaware Superior Court

inferred Rite Aid’s customers expected confidentiality due to the nature of the

sensitive health information disclosed to the pharmacy.168 The Court deemed Rite

Aid a pharmacy, rather than a corporation, with the duty of confidentiality a

164 Redden by Redden v. Meadow Wood Hosp. for Children and Adolescents, 1997 WL 127981, at *2 (Feb. 21, 1997). 165 1993 WL 258843 (Del. Super. May 20, 1993) 166 D.I. 22 p. 31-32. 167 D.I. 25 p. 32-35. 168 984 A.2d at 824.

35 pharmacy owes to its patient-customers because Rite Aid was “holding itself out to

the public as a pharmacy.”169 Similarly, Plaintiffs have an expectation of Defendant

to keep their sensitive health information protected because Defendant is their

medical provider and also promised to keep their information confidential. The

Court finds the duty of confidentiality satisfied.

Delaware case law interpreting breach of confidentiality claims against medical

providers supports the existence of a physician-patient relationship between the

parties to the instant case. In Fanean, and other cases, the Delaware courts have

found relationships other than the traditional individual physician and patient to fall

under this category.170 The nature of the relationship between a patient and their

medical provider as an entity establishes the physician-patient relationship because

the medical provider handles a patient’s protected health information. A patient has

an expectation that their provider will control that information with discretion.

The Court agrees with Plaintiffs argument that Martin v. Baehler does not require

proof that a third party viewed the disclosed information. The holding of Martin

finds that a physician breached their duty of confidentiality when an employee

disclosed confidential patient information “if the jury finds [the physician] did not

implement reasonable office procedures to guard against such a disclosure.”171

169 Id. 170 See 984 A.2d at 824; Redden by Redden, 1997 WL 127981, at *2; Martin v. Baehler, 1993 WL 258843, at *4. 171 Id. at *4.

36 However, the Court can infer from the Complaint that by producing targeted

advertisements from Plaintiffs’ disclosed information, the third parties likely viewed

it.

Finally, Plaintiffs have sufficiently alleged Defendant’s duty of confidentiality

was breached by disclosing their identifiable, protected health information to third

parties.172

Based on the above reasons, Defendant’s Motion to Dismiss Plaintiff’s Breach of

Confidentiality claim is DENIED.

172 D.I. 18 ¶ 235-37.

37 CONCLUSION

Based on the above reasons, Defendants’ Motion to Dismiss is GRANTED.

IT IS SO ORDERED.

/s/ Francis J. Jones, Jr. Francis J. Jones, Jr., Judge

cc: File&ServeXpress Dean R. Roland, Esquire Raina C. Borelli, Esquire Joshua R. Jacobson, Esquire Patrick M. Brannigan, Esquire Paulyne Gardner, Esquire