IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND
JANE DOE, et al.,
Plaintiffs,
Case No. 24-cv-2368-ABA v.
SHADY GROVE REPRODUCTIVE SCIENCE CENTER, P.C., Defendant.
MEMORANDUM OPINION Plaintiffs are patients who sought and received treatment from Shady Grove Reproductive Science Center, P.C. (“Shady Grove”), a physician practice group specializing in fertility services. Plaintiffs do not criticize the treatment they received but allege that Shady Grove incorporated “analytics and advertising tracking technology” operated by Google, Meta, and Microsoft (collectively, “Analytics Companies”) onto its website. Plaintiffs allege that those services resulted in Plaintiffs’ personally identifiable health information, and specifically the fact that they were seeking fertility treatment, being transmitted to those third-party companies. They allege that this violated Maryland common law (intrusion on seclusion and unjust enrichment) and two Maryland statutes (the Maryland Consumer Protection Act and the Maryland Wiretapping and Electronic Surveillance Act). Shady Grove has filed a motion to dismiss, which for the following reasons will be denied. I. PLAINTIFFS’ ALLEGATIONS1 Plaintiffs (Jane Doe I and Jane Doe II) are two individuals who were Shady Grove patients. ECF No. 1 ¶¶ 14, 22. Plaintiffs allege that Shady Grove has approximately 50 facilities in ten states and Washington, D.C. Id. ¶ 1. They used Shady Grove’s website to search for a fertility provider and a clinic location. Id. ¶¶ 15, 23. At the time of their
searches, Jane Doe I was an existing Shady Grove patient and Jane Doe II was a prospective Shady Grove patient. Id. ¶¶ 14, 22−23. Plaintiffs allege that “unbeknownst” to them, Shady Grove was disclosing their “private communications” (i.e., information from their engagement with the website) to third parties, including “at least, Google, Meta, and Microsoft.” Id. ¶¶ 18, 26. Jane Doe I alleges that Shady Grove disclosed to these third parties (1) the name of the fertility provider she searched for on the website’s “Find a Doctor” page, (2) the specific Shady Grove location she intended to visit, and (3) that she had contacted Shady Grove for fertility services. Id. ¶ 19. Jane Doe II alleges that Shady Grove disclosed to these third parties (1) the name of the fertility provider she searched for on the website’s “Find a Doctor” page and (2) that she scheduled an
appointment with that fertility provider for specific medical services “along with her PII [personally identifiable information].” Id. ¶ 27. Plaintiffs allege that Shady Grove “knowingly and intentionally” incorporated analytics and advertising technology into multiple pages on its website with the purpose of disclosing website users’ private communications to the Analytics Companies. Id. ¶¶
1 In considering a motion to dismiss under Rule 12(b)(6), the Court must “accept as true all of the factual allegations contained in the complaint and draw all reasonable inferences in favor of the plaintiff.” King v. Rubenstein, 825 F.3d 206, 212 (4th Cir. 2016). The facts in this section are based on the allegations in Plaintiff’s complaint, ECF No. 1. 11, 31, 38, 105, 112. Plaintiffs contend that Shady Grove was on notice about the potential privacy violations “since at least December 2022” because entities such as the Federal Trade Commission and the U.S. Department of Health & Human Services Office for Civil Rights had issued warnings about the use of this type of tracking technology on health care websites. Id. ¶¶ 35–37. Plaintiffs contend that, despite this notice, Shady
Grove “knowingly and intentionally concealed, suppressed, and omitted material facts in connection with its disclosure of Plaintiffs’ and Class members’ private communications.” Id. ¶ 116. Plaintiffs allege that they did not consent to these disclosures and could not have known about them because the tracking technology was “inconspicuously incorporated” into the website’s code. Id. ¶¶ 20, 28, 59. Shady Grove’s privacy policy stated that it would “[m]aintain the confidentiality of [Plaintiffs’ and Class members’] protected health information” and would not “use or disclose [the] PHI [protected health information] for purposes not described in this Notice unless [users] give [Shady Grove] written authorization to do so.” Id. ¶ 9. Plaintiffs allege that the use of tracking technologies and the related information sharing is “directly contrary” to the privacy
policy’s “clear representations” about how information would be used and shared. Id. ¶¶ 11, 28. II. STANDARD OF REVIEW A complaint must contain “a short and plain statement of the claim showing the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). When a defendant asserts that, even assuming the truth of the alleged facts, the complaint fails “to state a claim upon which relief can be granted,” the defendant may move to dismiss the complaint. Fed. R. Civ. P. 12(b)(6). At the pleadings stage, the Court “must accept as true all of the factual allegations contained in the complaint and draw all reasonable inferences in favor of the plaintiff.” King, 825 F.3d at 212. To withstand a motion to dismiss, the complaint’s “[f]actual allegations must be enough to raise a right to relief above the speculative level” by containing “enough facts to state a claim for relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550
U.S. 544, 555, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Although a court reviewing a 12(b)(6) motion “must accept as true all of the factual allegations contained in the complaint and draw all reasonable inferences in favor of the plaintiff,” King, 825 F.3d at 212, bare legal conclusions “are not entitled to the assumption of truth” and are insufficient to state a plausible claim. Iqbal, 556 U.S. at 679.
III. DISCUSSION As noted above, Plaintiffs have alleged that Shady Grove’s use of website tracking software constituted an intrusion on Plaintiffs’ seclusion, unjust enrichment, a deceptive marketing practice in violation of the Maryland Consumer Protection Act, and unlawful interception of an electronic communication in violation of the Maryland Wiretapping and Electronic Surveillance Act. Shady Grove argues that Plaintiffs lack standing to assert these claims and do not allege facts sufficient to state claims on which relief can be granted. A. Standing Article III standing requires (1) “injury in fact”; (2) that was “likely caused by the defendant”; and (3) “that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). Shady Grove contends Plaintiffs have not adequately alleged that they suffered an injury in fact sufficient to confer standing on them to bring the claims they have asserted here, and that instead Plaintiffs have alleged “bare procedural violation[s].” ECF No. 23 at 9. It argues that “Plaintiffs fail to allege well pleaded facts showing they have personally been put at risk, suffered a
privacy threat, or otherwise identify the harm suffered because of SG’s conduct alleged in the Complaint.” Id. at 7 (citing Beck v. McDonald, 848 F.3d 262, 271 (4th Cir. 2017)). “To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016) (cleaned up). “Central to assessing concreteness is whether the asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts.” TransUnion, 594 U.S. at 417 (quoting Spokeo, 578 U.S. at 340–41). Such traditionally actionable harms include not only “physical harm” and “monetary harm,” but also certain “intangible harms.” Id. “Chief among” the intangible harms that have been “traditionally recognized as providing a basis for lawsuits in
American courts” are “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. at 425. And although a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right,” Spokeo, 578 U.S. at 341; see also, e.g., O’Leary v. TrustedID, Inc., 60 F.4th 240, 242 (4th Cir. 2023) (holding that the plaintiff had “alleged only a bare statutory violation” in disclosing plaintiff’s social security number and thus no Article III injury), a legislative view reflected when a statute creates a cause of action is “instructive and important.” Spokeo, 578 U.S. at 341. In TransUnion, the Supreme Court held that the credit reporting agency’s disclosure to “third-party businesses” of the “credit files” of certain class members (including the named plaintiff) that erroneously identified them as “potential terrorists,
drug traffickers, or serious criminals” constituted a sufficiently concrete injury in fact. 594 U.S. at 432. It reached that conclusion regardless of whether such third-party businesses did anything with that information. And in concluding in TransUnion that “disclosure of private information” to third parties is an intangible injury that has traditionally been recognized as a basis for a lawsuit in American courts, id. at 425, the Supreme Court cited Davis v. Federal Election Commission, which similarly held that disclosure of personal financial information constitutes a cognizable injury in fact. 554 U.S. 724, 733 (2008). Here, Plaintiffs have alleged that they expected that their communications relating to fertility services would remain private, ECF No. 1 ¶¶ 8, 10, 63–71, and that, contrary to Plaintiffs’ expectations, Shady Grove “disclosed their private
communications on the SGF webpages” to the Analytics Companies. Id. ¶ 11. Shady Grove denies that the information that the tools disclosed to the Analytics Companies was in fact personally identifiable or contained any confidential information. ECF No. 23 at 3, 7. The Court need not accept bare legal conclusions at the pleading stage, and discovery might bear out Shady Grove’s point. But the Court must accept Plaintiffs’ factual allegations as true at this stage, and Plaintiffs have alleged that Shady Grove did disclose personally identifiable health data, including the fact that Plaintiffs had scheduled appointments or contacted Shady Grove for fertility treatment. See § III.B, infra. The Fourth Circuit has recently reiterated that “a legally cognizable privacy injury” establishes “Article III standing.” Garey v. James S. Farrin, P.C., 35 F.4th 917, 922 (4th Cir. 2022); see also, e.g., Patel v. Facebook, 932 F.3d 1264, 1272 (9th Cir. 2019) (“[V]iolations of the right to privacy have long been actionable at common law.”); Rodriguez v. FastMed Urgent Care, P.C., 741 F. Supp. 3d 352, 361 (E.D.N.C. 2024)
(“Disclosing Rodriguez’s private medical information without the meaningful opportunity to prevent the disclosure satisfies Article III’s injury requirement.”). If it turns out the information that the software disclosed to the Analytics Companies was not personally identifiable, that may ultimately affect the question of whether Plaintiffs have standing. See, e.g., Mikulsky v. Noom, Inc., Case No. 3:23-cv- 00285-H-MSB, 2024 WL 251171 (S.D. Cal. Jan. 22, 2024) (concluding that “[t]he disclosure of non-individually identifiable data is insufficient to give rise to an injury-in- fact to support Article III standing”). The Court need not and does not decide at this stage whether, if Shady Grove’s incorporation of the software into its website had only disclosed data that was not personally identifiable, that would satisfy the Article III injury-in-fact requirement. That is because Plaintiffs have alleged that Shady Grove, by
installing the tracking software onto its website, effectively directed that Plaintiffs’ personally identifiable information be transmitted to the Analytics Companies. This is sufficient to allege a cognizable injury in fact. Accordingly, Shady Grove’s motion to dismiss on standing grounds will be denied.2
2 Because the Court concludes that Plaintiffs’ privacy-based alleged injury is sufficient for standing, at least at the pleadings stage, the Court need not and does not reach whether Plaintiffs’ alternative proffered injuries, based on alleged violations of the Maryland Wiretapping and Electronic Surveillance Act, see ECF No. 27 at 17, and their “benefit of the bargain” theory, id. at 26 & 28, would establish standing. B. Intrusion on seclusion (Count 1) To state a claim for intrusion upon seclusion under Maryland law, a plaintiff must allege an intentional intrusion upon the plaintiff’s solitude, “seclusion or private affairs in a manner that would be highly offensive to a reasonable person.” Marrs v. Marriott Corp., 830 F. Supp. 274, 283 (D. Md. 1992). Shady Grove argues Plaintiffs
have not stated a claim for intrusion on seclusion for four reasons. First, Shady Grove argues Plaintiffs have not adequately alleged that the data Shady Grove disclosed to the Analytics Companies allowed those companies to “connect Plaintiffs’ identities with the alleged PII/PHI they provided using the Website.” ECF No. 23 at 11 (citing Popa v. PSP Grp., LLC, Case No. 23-cv-0294-JLR, 2023 WL 7001456, at *5, (W.D. Wash. Oct. 24, 2023), and Mikulsky, 2024 WL 251171, at *4). Indeed, in some cases challenging health care providers’ use of website trackers like the ones challenged in this case, courts have dismissed complaints that did not allege (1) that private health data was collected, as opposed to other non-health-related data, and/or (2) that the health data that was collected was personally identifiable, i.e. that the provider was effectively disclosing to analytics companies that the private health data pertained to
particular, identifiable persons. Compare, e.g., Nienaber v. Overlake Hosp. Med. Ctr., 733 F. Supp. 3d 1072, 1083, 1085 (W.D. Wash. 2024) (dismissing original complaint challenging health system’s use of website tracking software, including intrusion upon seclusion claim, because allegations regarding disclosure of information about plaintiff’s use of a patient portal were only “skeletal,” and plaintiff had not alleged that data entered on a public website “plausibly related to the provision of healthcare or were shared by Defendant”), with Nienaber v. Overlake Hosp. Med. Ctr., Case No. 2:23-cv- 01159-TL, 2025 WL 692097, at *6 (W.D. Wash. Mar. 4, 2025) (denying motion to dismiss amended complaint in the same case because, among other things, plaintiff alleged that “the information disclosed by Defendant includes the fact that Plaintiff sought and received medical treatment from Defendant” and thus “related to the provision of healthcare by Defendant to Plaintiff”).3 Here, the complaint sufficiently alleges both points. Plaintiffs allege that the
information collected was private health data, including “the name[s] of the fertility provider” that both Plaintiffs searched for, that Jane Doe I “contacted her fertility provider,” and the specific Shady Grove clinic location that Jane Doe I intended to visit. ECF No. 1 ¶¶ 19, 27. They also allege that the information collected was personally identifiable. For example, Plaintiffs allege that certain information from a Shady Grove webpage was “transmitted alongside a Client ID (‘cid’), which is a unique identifier Google uses to distinguish the specific individual from all other individuals.” Id. ¶ 55; see also id. ¶ 51 (e.g., alleging that the information collected includes “unique user and device identifiers [such as] GUID, Client ID, c_user cookie . . . and IP address”). Of course, at this stage, the Court does not decide whether Shady Grove, by incorporating the tracking software, in fact disclosed personally identifiable private health information
to the Analytics Companies. But Plaintiffs have alleged that it did, and those allegations are sufficiently factual, as opposed to constituting legal conclusions, to be sufficient for
3 Also compare Cousin v. Sharp Healthcare, 681 F. Supp. 3d 1117 (S. D. Cal. 2023) (“Cousin I”) (dismissing claim under California’s Confidentiality of Medical Information Act because plaintiffs had not alleged that the defendant healthcare system’s use of Meta Pixel resulted in their “medical information” being “viewed or otherwise accessed by Meta”), with Cousin v. Sharp Healthcare, 702 F. Supp. 3d 967, 975 (S.D. Cal. 2023) (“Cousin II”) (denying motion to dismiss amended complaint in which the plaintiffs alleged that the Pixel software did result in the disclosure of “individually identifiable” medical information). pleading purposes. See also, e.g., M.R. v. Salem Health Hospitals and Clinics, Case No. 6:23-cv-01691-AA, 2024 WL 3970796 (D. Or. Aug. 28, 2024) (denying motion to dismiss intrusion upon seclusion claim in part because “Plaintiff alleges that she voluntarily disclosed PHI to Defendant as a part of the patient-physician relationship, but never intended Google and Facebook to receive it”).4
And as for Shady Grove’s reliance on Popa v. PSP Group, the defendant in that case operated a pet supply website, 2023 WL 7001456, at *2, and the court there relied on a case involving a video game website, id. at *3 (citing Cook v. GameStop, Inc., 689 F. Supp. 3d 58, 65 (W.D. Pa. 2023)). Such information is very different from information that a person is in the process of seeking or obtaining fertility treatment. See id. at *4 (“Ms. Popa alleges only that she ‘brow[s]ed for pet supplies,’ and ‘communicated with PSP’s website by using her mouse to hover and click on certain products.’ . . . This information, like the information at issue in Cook, reveals nothing more than the products that interested Ms. Popa and thus is not the type of private information that the law has historically protected.”). Second, Shady Grove argues the intrusion on seclusion claim fails because
Plaintiffs “have not alleged any conduct that would be highly offensive to a reasonable person.” ECF No. 23 at 11. But, as a California district court observed at the pleadings stage in a case where a fertility clinic had been the subject of a cybersecurity hack,
4 In concluding that the complaint adequately alleges that Plaintiffs’ private and identifiable health data was disclosed, the Court need not and does not decide whether the data that the website trackers that Shady Grove used collected “protected health information” within the meaning of Health Insurance Portability and Accountability Act (“HIPAA”) (42 U.S.C. § 1320d, et seq.; 45 C.F.R. Part 160 and 164). Plaintiffs have not asserted any claims under HIPAA. “having one’s name associated with a fertility clinic such as defendant would constitute the revelation of the most intimate of health and family planning information.” Doe v. N. California Fertility Med. Ctr., Case No. 22-CV-01861-DAD-JDP, 2024 WL 246178, at *2 (E.D. Cal. Jan. 23, 2024). Although it appears the information that was disclosed through the hack in that case was more extensive (perhaps substantially so) than the
information that Shady Grove disclosed to the Analytics Companies through the use of the tracking software here, whether disclosure of private information would qualify as “highly offensive” is often a fact-intensive inquiry. Like the Cousin II court, this Court concludes that whether the intrusion alleged here would be “highly offensive to a reasonable person is an issue not capable of resolution, on these facts, at the motion to dismiss stage.” 702 F. Supp. 3d at 973. Plaintiffs have adequately alleged that private information, including the fact that they were seeking fertility treatment, was disclosed to third parties (the Analytics Companies) for tracking and marketing purposes, and that a reasonable person would consider such disclosure to be highly offensive. ECF No. 1 ¶¶ 50–54, 63–71. These allegations regarding the offensiveness of disclosure of Plaintiffs’
personally identifiable health information are sufficient at the pleadings stage, at least in the context of this case, as the alleged disclosures involve information that Plaintiffs plausibly allege is inherently private and particularly sensitive. See R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 886, 893 (C.D. Cal. 2024) (denying motion to dismiss invasion of privacy claim based in part on Walgreens’ use of the Meta Pixel software to “track, collect, and disclose ‘custom events’ such as the name of the sensitive healthcare products including Plan B, HIV tests, pregnancy tests, prenatal vitamins, hyperglycemic/hypoglycemic management products and numerous other products to diagnose and/or treat highly sensitive and private conditions that a customer was seeking to purchase, and the fact that the customer was purchasing these sensitive healthcare products”); Doe v. Regents of Univ. of Calif., 672 F. Supp. 3d 813, 820 (N.D. Cal. 2023) (“Personal medical information is understood to be among the most sensitive information that could be collected about a person.”); Cousin II, 702 F. Supp. 3d at 974
(holding that plaintiffs had plausibly alleged highly offensive behavior where they claimed that “their medical conditions and statuses as patients with certain doctors were tracked” on the defendant’s website, linked to their Facebook account, and transmitted to Meta for targeted advertising); M.R., 2024 WL 3970796 at *6 (“[P]ersonal medical information is among the most sensitive information that could be collected about a person, and the existence of many statutes like HIPAA . . . regulating its disclosure supports this idea.”). Third, Shady Grove argues that Plaintiffs have not alleged that Shady Grove “intrude[d] upon Plaintiffs’ solitude” because Plaintiffs voluntarily provided their information to Shady Grove and thus “consented to the alleged intrusion by [Shady Grove].” ECF No. 23 at 12. Shady Grove did include a disclosure on its website that
patient information could be shared with third parties under some conditions, including with “business associates,” which may include “billing and collection services . . . software providers, lawyers, accountants, and other person or entities” that provide Shady Grove with items or services used in its business. ECF No. 23 at 4−5. But Plaintiffs have alleged that that disclosure did not put a reasonable patient or prospective patient on notice that Shady Grove would be disclosing their private health information to internet marketing companies or platforms like the Analytics Companies. See, e.g., ECF No. 1 ¶ 75 (“[T]here were no disclosures or other indication that would inform a reasonable SGF user that SGF was disclosing their private communications to third parties, including Google, Meta, and Microsoft.”). Those allegations are sufficient, at the pleadings stage, to allege that Plaintiffs’ use of Shady Grove’s website did not constitute consent for their private health information to be disclosed. Fourth, Shady Grove argues Count 1 should be dismissed for failure to allege that
Plaintiffs suffered any damages because of the disclosure. For the same reasons Plaintiffs have alleged an injury in fact for standing purposes (discussed above), they have sufficiently alleged that they were injured by disclosure of private health information to the Analytics Companies. For these reasons, the motion to dismiss Count 1 will be denied. C. Unjust enrichment (Count 2) An unjust enrichment claim requires “(1) [a] benefit conferred upon the defendant by the plaintiff; (2) [a]n appreciation or knowledge by the defendant to the benefit; and (3) [t]he acceptance or retention by the defendant of the benefit under such circumstances as to make it inequitable for the defendant to retain the benefit without the payment of its value.” Hill v. Cross Country Settlements, LLC, 402 Md. 281, 295
(2007) (citing Berry & Gould, P.A. v. Berry, 360 Md. 142, 151–52 (2000)). “A successful unjust enrichment claim serves to ‘deprive the defendant of benefits that in equity and good conscience he ought not to keep . . . even though the plaintiff may have suffered no demonstrable losses.’” Id. at 295–96 (quoting Dep’t of Hous. & Cmty. Dev. v. Mullen, 165 Md. App. 624, 659 (2005)). “A person who receives a benefit by reason of an infringement of another person’s interest, or of loss suffered by the other, owes restitution to him in the manner and amount necessary to prevent unjust enrichment.” Berry, 360 Md. at 151 (quoting Restatement (Second) of Restitution § 1 (Tentative Draft No. 1, 1983)). Shady Grove argues the complaint fails to state a claim for unjust enrichment because Plaintiffs have not adequately alleged “that any interactions they had with the Website conferred a benefit upon [Shady Grove].” ECF No. 23 at 14 (citing Gordon v.
Chipotle Mexican Grill, Inc., 344 F. Supp. 3d 1231, 1249 (D. Colo. 2018), where the court held the plaintiffs’ unjust enrichment claim failed because the plaintiffs received what they paid for, namely burritos, etc.). Plaintiffs do not contend that Shady Grove obtained an unjust benefit by receiving Plaintiffs’ private health information. Instead, Plaintiffs allege that when Shady Grove disclosed Plaintiffs’ private health information to the Analytics Companies, that resulted in two “benefits” for Shady Grove: (1) the use of their personal data for marketing purposes, ECF No. 1 ¶ 104, and (2) the revenue Plaintiffs paid Shady Grove for services that Plaintiffs would not have purchased “had they known Shady Grove would share and misuse their private health data.” ECF No. 27 at 25 (citing ECF No. 1 ¶¶ 106, 122). Here, the Court concludes that the first category of benefit is sufficient to satisfy
the “benefit” element for pleading purposes; the Court need not and does not reach the question of whether the second would qualify. Plaintiffs allege that Shady Grove received a benefit for the “advertising, analytics, and marketing” component of its business. ECF No. 1 ¶ 104. Although Plaintiffs acknowledge that by entering information into Shady Grove’s website they were disclosing to Shady Grove that they may be interested in obtaining fertility treatment there, they allege that they did not intend to authorize Shady Grove to disclose Plaintiffs’ information to the Analytics Companies, whether to more effectively persuade Plaintiffs to engage Shady Grove for fertility treatment or for any other purpose. Id. ¶¶ 20, 28, 47–48, 104, 106. Plaintiffs’ point in this regard is not that Shady Grove was conferring a benefit on the Analytics Companies (even if that was another upshot), but rather that disclosure of the information to the Analytics Companies resulted in a benefit to Shady Grove.
“Maryland courts have long embraced [a] broad definition of ‘benefit’ as encompassing anything that ‘in any way adds to the other’s security or advantage.’” Lacks v. Ultragenyx Pharmaceutical, Inc., 734 F. Supp. 3d 397, 437 (D. Md. 2024) (citing Hamilton & Spiegel, Inc. v. Bd. of Educ. of Montgomery Cnty., 233 Md. 196, 195 A.2d 710, 712 (1963), and State, Cent. Collection Unit v. Kossol, 138 Md. App. 338, 347 (2001)). Plaintiffs’ allegations here regarding the benefit conferred on Shady Grove are sufficient to satisfy this broad definition, at least at the pleadings stage. See R.C., 733 F. Supp. 3d at 900 (denying motion to dismiss unjust enrichment claim because the plaintiffs there had alleged that “their data has financial value and Defendant received a financial benefit from disclosing their data without Plaintiffs’ consent”); Doe v. Tenet Healthcare Corp., 731 F. Supp. 3d 142, 151 (D. Mass. 2024) (holding that the plaintiff
there had adequately alleged that she “conferred a benefit on Tenet in the form of her Private Information, which is valuable marketing information to third parties”); M.R., 2024 WL 3970796, at *7 (“The Complaint alleges that the benefit conferred was medical information of patients; that Defendant took affirmative steps to collect it; and that it would be unjust for Defendant to retain the benefit from selling this information to advertisers. This amounts to a plausible claim for unjust enrichment.”). For these reasons, Plaintiffs have alleged sufficient facts to establish an unjust enrichment claim, and the motion to dismiss Count 2 will be denied. D. Maryland Consumer Protection Act (Count 3) To state a claim under the Maryland Consumer Protection Act (“MCPA”), a plaintiff “must allege (1) an unfair or deceptive practice or misrepresentation that is (2) relied upon, and (3) causes them actual injury.” Alexander v. Carrington Mortg. Serv., LLC, 23 F.4th 370, 380 (4th Cir. 2022) (quoting Stewart v. Bierman, 859 F. Supp. 2d
754, 768 (D. Md. 2012)) (internal quotations omitted). The MCPA lists various categories of conduct that comprise “[u]nfair, abusive, or deceptive trade practices.” Md. Code Ann., Com. Law § 13-301. Plaintiffs allege that Shady Grove’s disclosure of their information to the Analytics Companies constituted a “[f]ailure to state a material fact” that “deceive[d] or tend[ed] to deceive” in violation of § 13-301(3) and “[d]eception, fraud, false pretense, false premise, misrepresentation, or knowing concealment, suppression, or omission of any material fact with the intent that a consumer rely on the same in connection with . . . the promotion or sale of any . . . consumer service” in violation of § 13-301(9). ECF No. 1 ¶ 111. Shady Grove argues that Plaintiffs’ MCPA claims fail for two reasons. First, Shady Grove argues Plaintiffs have inadequately alleged that they suffered
any damages from the alleged disclosure of their private health information to the Analytics Companies. ECF No. 23 at 15. For the same reasons that Plaintiffs have alleged a cognizable privacy-based injury in fact, see § III.A, supra, Plaintiffs have adequately alleged damages for purposes of their MCPA claims. Second, Shady Grove argues that Plaintiffs “fail to allege any non-conclusory facts regarding causation.” ECF No. 23 at 15. Under § 13-301(3), “[a]n omission is considered material if a significant number of unsophisticated consumers would attach importance to the information in determining a choice of action.” Golt v. Phillips, 308 Md. 1, 10 (1986) (collecting cases). Although the Maryland Supreme Court appears to not have articulated a reliance or causation standard in the context of material omission claims, other judges of this court have applied the same standard as for material misrepresentation claims. See Bank of Am., N.A. v. Jill P. Mitchell Living Tr., 822 F. Supp. 2d 505, 535 (D. Md. 2011). Under the “substantial inducement” test, see id. (citing
Luskin’s, Inc. v. Consumer Prot. Div., 353 Md. 335, 386 (1999), and Nails v. S & R, Inc., 224 Md. 398, 417-18 (1994)), “a consumer relies on a material omission under the MCPA where it is substantially likely that the consumer would not have made the choice in question had the commercial entity disclosed the omitted information.” Id. Judge Grimm held that this test was satisfied where plaintiffs alleged that they would not have paid for goods and services (or would have paid less) if the company had informed them about the known risk of data disclosure. In re Marriott, 440 F. Supp. 3d 447, 489–90 (D. Md. 2020). Plaintiffs have sufficiently alleged that they relied on the alleged omission by Shady Grove and that the omission was material based in part on data that reflects that the general public attaches importance to their personal data. ECF No. 1 ¶¶ 65–70.
Plaintiffs also allege that the nature of the information (relating to fertility treatment) was inherently private and was disclosed to the Analytics Companies. Id. ¶ 60. Therefore, Plaintiffs have sufficiently alleged facts to establish reliance and causation under the MCPA. See Bank of Am., 822 F. Supp. 2d at 533. For these reasons, the motion to dismiss Count 3 will be denied. 5
5 Having concluded that Plaintiffs have stated a claim under § 13-301(3) of the MCPA, and thus that Count 3 may proceed to discovery, the Court need not and does not decide whether Count 3 would alternatively survive under a § 13-301(9) theory. E. Maryland Wiretapping & Electronic Surveillance Act (Count 4) A claim under the Maryland Wiretapping & Electronic Surveillance Act (“MWESA”), requires, in pertinent part, that a person “[w]illfully . . . procure[d] any other person to intercept . . . any wire, oral, or electronic communication; . . . or [w]illfully use[d], or endeavor[ed] to use, the contents of any wire, oral, or electronic
communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication.” Md. Code Ann., Cts. & Jud. Proc. § 10-402(a)(1), (3). Shady Grove argues Count 4 should be dismissed because Plaintiffs fail to allege (1) that Shady Grove acted willfully or (2) that the “contents” of “communications” were disclosed as those terms are used in the MWESA. i. Willfulness Shady Grove argues that Plaintiffs failed to sufficiently allege willfulness. ECF No. 23 at 16 (citing Benford v. Am. Broad. Co., 649 F. Supp. 9, 10 (D. Md. 1986)). In Benford, Judge Northrop noted that the Maryland courts had not yet interpreted “willfully” within this statute. Benford, 649 F. Supp. at 10. But since then, the Maryland Supreme Court has clarified that, under MWESA, “willful” requires only “purposeful
conduct,” not “a bad motive” or “knowing unlawfulness.” Deibler v. State, 365 Md. 185, 199 (2001). Therefore, the question here is whether Plaintiffs sufficiently allege that the actions taken by Shady Grove were purposeful rather than “arising from inadvertence or simple negligence”; Plaintiffs need not have alleged that Shady Grove had a bad motive or awareness of the possible illegality of its actions. Deibler, 365 Md. at 199. Here, Plaintiffs have sufficiently alleged that Shady Grove “willfully” incorporated the Analytics Companies’ tracking technologies into its website. Maryland courts have had little opportunity to evaluate similar technologies as those alleged in this Complaint. But courts applying other states’ laws have held that, because adding Meta Pixel and other similar technologies is a multi-step process that must be undertaken by the website owner, health providers that incorporated these technologies into their websites engaged in sufficiently purposeful conduct to qualify as “willful” (or knowing and deliberate) under similar statutes. See Cooper v. Mount Sinai Health Sys. Inc., 742 F.
Supp. 3d 369, 381 (S.D.N.Y. 2024) (denying motion to dismiss claim under the Electronic Communications Privacy Act (“ECPA”) because the complaint “plausibly alleges that Mount Sinai engaged in such disclosures knowingly and deliberately”); R.C., 733 F. Supp. 3d at 902 (holding that plaintiffs adequately alleged, for an ECPA claim, that Walgreen had “intentionally utilized tracking technologies to collect, use, and distribute Plaintiffs’ sensitive information to third parties like Facebook”). Similar to Cooper and R.C., Plaintiffs here have sufficiently alleged that Shady Grove was the website owner (ECF No. 1 ¶ 32), that the technology was provided by and disclosed information to third parties (id. ¶¶ 50–54), that Shady Grove “knowingly and intentionally” incorporated the technology into its website (id. ¶¶ 31, 49–51, 54, 73–74), and that the technology disclosed information that included personally identifiable
information, patient status, the provider and/or location where Plaintiffs sought fertility services, and what types of fertility services they sought (id. ¶¶ 54–58). Therefore, Plaintiffs have sufficiently pleaded that Shady Grove met the requisite mental state under MWESA. ii. Contents of communications Shady Grove next argues that Plaintiffs fail to allege that the software disclosed to the Analytics Companies “contents” of a “communication,” and specifically that the software disclosed Plaintiffs’ identities and thus Plaintiffs’ PHI. ECF No. 23 at 7, 16. Under MWESA, the term “contents” “includes any information concerning the identity of the parties to the communication or the existence, substance, purport, or meaning of that communication.” Md. Code Ann., Cts. & Jud. Proc. § 10-401(4). This broad definition encompasses various contents of communication including online data. See Doe v. Medstar Health, Inc., 24-c-20-000591, 2020 WL 14005240, at *2 (Md. Cir.
Ct. August 5, 2020) (holding that the plain language of MWESA includes the interception and disclosure of online health data to third parties, relying on similar holdings in other states). As an initial matter, Plaintiffs do allege that the software disclosed that Plaintiffs were communicating with Shady Grove about seeking fertility treatment. The information users relayed through Shady Grove’s website, particularly on the “Schedule Appointment” and “Contact SGF” webpages, is similar to some of the information that one would communicate to a physician directly during a face-to-face appointment. ECF No. 1 ¶¶ 3–4; see, e.g., In re Group Health Plan Litigation, 709 F. Supp. 3d 707, 718 (D. Minn. 2023) (holding that plaintiffs had adequately pled that using Meta Pixel software resulted in the disclosure of “content” of “communications” within the meaning of
ECPA, which has similar elements to MWESA); In re Meta Pixel Healthcare Litigation, 647 F. Supp. 3d 778, 795–96 (N.D. Cal. 2022) (same). Thus, Plaintiffs sufficiently allege the disclosure of “information concerning . . . the existence, substance, purport, or meaning of that communication” to the Analytics Companies. Md. Code Ann., Cts. & Jud. Proc. § 10-401(4); ECF No. 1 ¶¶ 54–58. In addition, as discussed above, Plaintiffs sufficiently allege that their personally identifiable information was relayed to the Analytics Companies, namely, user and device identifiers such as GUID, Client ID, c_user cookie, and IP Addresses. ECF No. 1 ¶ 54.Plaintiffs provide examples of URLs demonstrating how these identifiers are relayed. Id. ¶¶ 55–57. Plaintiffs allege that these URLs specifically identify the specific device and/or location of the device that submitted the form through Shady Grove’s website. Id. ¶¶ 16, 24. Plaintiffs also allege that they used the same internet browser to visit Shady Grove’s website that they used to visit their personal Facebook and Instagram
accounts. Id. ¶¶ 17, 25. Thus, they allege, by disclosing user and device identifiers to the Analytics Companies, Shady Grove was providing information that the Analytics Companies could match up with other data from which to determine or confirm what person—as opposed to an anonymous user—was seeking fertility treatment at Shady Grove. Id. ¶ 53. Discovery may reveal that the data that Shady Grove disclosed to the Analytics Companies was not personally identifiable, but Plaintiffs have alleged that it was. Thus, Plaintiffs have sufficiently alleged that the information allegedly disclosed to the Analytics Companies included “contents” within the meaning of the MWESA. For these reasons, the motion to dismiss Count 4 will be denied. IV. CONCLUSION For the reasons discussed above, Shady Grove’s motion to dismiss (ECF No. 23)
will be denied. A separate order follows.
Date: September 30, 2025 /s/ Adam B. Abelson United States District Judge