Gittings-Barrera v. Memorial Hospital Association

• Court: District Court, C.D. Illinois
• Decided: September 26, 2025
• Docket: 4:24-cv-04167
• Status: Unknown

Opinion

ROCK ISLAND DIVISION

LACEY GITTINGS-BARRERA, ) ) Plaintiff, ) v. ) Case No. 4:24-cv-04167-SLD-RLH ) MEMORIAL HOSPITAL ASSOCIATION, ) ) Defendant. )

ORDER

Before the Court is Defendant Memorial Hospital Association’s (“Memorial”) Motion to Dismiss Pursuant to Federal Rule of Civil Procedure 12(b)(6) and Local Rule 7.1, ECF No. 9, and Motion for Leave to File a Reply Brief in Support of its Motion to Dismiss, ECF No. 13. For the reasons that follow, the Motion to Reply is GRANTED and the Motion to Dismiss is GRANTED IN PART and DENIED IN PART. BACKGROUND1 Plaintiff Lacey Gittings-Barrera brings this action on behalf of herself and putative class members. Gittings-Barrera’s suit arises out of Memorial’s encoding of tracking devices into its website. These tracking devices, like the Facebook Pixel, designed by Meta, “track[] information about a website user’s device and the URLs and domains [she] visit[s],” as well as “a visitor’s search terms, button clicks, and form submissions.” Compl. ¶ 14, ECF No. 1. Gittings-Barrera alleges that, for the sake of increasing profits and enhancing marketing efforts, Memorial knowingly and intentionally installed the Meta Pixel and other tracking technologies

1 Unless otherwise stated, the facts described in this section are as alleged in Gittings-Barrera’s complaint. ECF No. 1. For the sake of ruling on a motion to dismiss, the Court “accept[s] as true all factual allegations in the . . . complaint and draw[s] all permissible inferences in [the plaintiff’s] favor.” Bible v. United Student Aid Funds, Inc., 799 F.3d 633, 639 (7th Cir. 2015). on its website which then sent information—including search terms, pages visited, and buttons clicked—to Facebook, Google, and other technology companies. Most relevant to this suit, Memorial shared the parameters of website users’ physician and location searches, as well as their traffic to web pages relevant only to patients, such as a page about financial assistance. This allowed Facebook, Google, and other third parties to utilize

Memorial’s data to create data profiles aimed at optimizing targeted advertisements and sell these profiles for a profit. Memorial did not disclose to website users the use of tracking technologies or the sharing of their Private Information with third parties. Memorial had control over both whether to use these tracking technologies and what information they could access and share with third parties. Gittings-Barrera began using Memorial’s website and online platforms in 2009. Without consent or disclosure, Memorial disclosed to Facebook through use of its Meta Pixel information including Gittings-Barrera’s: identity, status as a patient of Memorial, seeking of medical treatment from Memorial, health conditions, and location. In sum, she alleges the improper

handling and disclosure of her and class members’ “Private Information,” defined as including “confidential Personally Identifying Information” and “Protected Health Information.” Compl. ¶ 1. Since using Memorial’s website, she has received online advertisements related to depression and anxiety medication and services. This has caused her numerous injuries, including loss of privacy, emotional distress, and lost benefit of the bargain. Gittings-Barrera filed her Complaint on September 12, 2024. She invokes the Court’s federal question jurisdiction under 28 U.S.C. § 1331 and its jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d). She seeks to represent a nationwide class defined as “[a]ll patients of Defendant whose Private Information was disclosed by Defendant to third parties through the Meta Pixel and related technology without authorization,” as well as an Illinois Subclass defined as “[a]ll patients of Defendant who are Illinois citizens and whose Private Information was disclosed by Defendant to third parties through the Meta Pixel and related technology without authorization.” Compl. ¶¶ 169–70. Gittings-Barrera asserts eleven counts against Memorial for the above-described

collection and disclosure of personal information: (I) negligence, (II) negligence per se, (III) breach of express contract, (IV) breach of implied contract, (V) unjust enrichment, (VI) bailment, (VII) violation of the Illinois Eavesdropping Statute (“IES”), 720 ILCS 5/14-1 to 14-9, (VIII–IX) two violations of the Electronic Communications Privacy Act (“ECPA”) 18 U.S.C. §§ 2510–23, (X) violation of Title II of the ECPA, or the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701–13, and (XI) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. Memorial seeks dismissal of all eleven counts on grounds that Gittings-Barrera failed to state a claim. See generally Mem. Supp. Mot. Dismiss, ECF No. 9; see also Fed. R. Civ. Proc.

12(b)(6). Gittings-Barrera filed a response opposing the motion to dismiss in its entirety. See generally Resp. Mot. Dismiss, ECF No. 11. She attached a 26-page exhibit listing hundreds of purportedly relevant cases from a variety of jurisdictions across the country with little to no explanation of their legal relevance. See generally Resp. Mot. Dismiss Ex. A, ECF No. 11-1. The Court declines to consider this exhibit both because “[i]t is not the Court’s job to review hundreds of cases and make Plaintiff’s arguments for her,” Doe v. Genesis Health Sys., No. 23- cv-4209-JES-JEH, 2024 WL 3890164, at *1 (C.D. Ill. Aug. 21, 2024), and because the Court finds the exhibit “[an] improper attempt[] to . . . stretch the page limits imposed by Civil Local Rule 7.1(B)(4).” Hannant v. Sarah D. Culbertson Memorial Hospital, No.4:24-cv-04164-SLD- RLH, 2025 WL 2413894, at *9 fn. 8 (C.D. Ill. Aug. 20, 2025). Memorial seeks leave to file a reply, which it has also provided for the Court’s consideration. See Proposed Reply, ECF No. 13-1. DISCUSSION I. Motion to Reply

Under the Court’s Local Rules “[a] reply to the response is only permitted with leave of Court.” Civil LR 7.1(B)(3). “Replies may be allowed for reasons including the non-movant’s introduction of new and unexpected issues in his response, and the interest of completeness.” Magnuson v. Exelon Corp., 658 F. Supp. 3d 652, 658 (C.D. Ill. 2023) (alterations and quotation marks omitted). Memorial seeks leave to file a reply because Gittings-Barrera’s “response raise[d] new issues that Memorial could not fully anticipate and address in its motion.” Mot. Reply ¶ 7. Memorial’s proposed reply does raise arguments not addressed in their motion to dismiss. Specifically, the reply addresses Gittings-Barrera’s contention in her Response that Memorial’s ECPA argument is inapposite because the cases it cites do not interpret the ECPA.

Resp. Mot. Dismiss 16. In its proposed reply, Memorial provides authority to support the applicability of the cases it relies on. Proposed Reply 9–10. But given the nature of its ECPA argument, see infra pt. II(b)(iii)(1), Memorial could—and likely should—have foreseen Gittings- Barrera’s argument. However, despite the lack of new or unexpected issues in the response, the proposed reply identifies legal authorities relevant to resolving the issues. Thus, in the interest of completeness, the Court will consider the proposed reply. Memorial’s Motion to Reply is GRANTED. II. Motion to Dismiss a. Legal Standard A court may dismiss a complaint for “failure to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). To state a claim, a complaint need not prove the case, but it must provide more than “a formulaic recitation of the elements of a cause of action.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). It must “plausibly give rise to an entitlement to relief” by pleading sufficient factual content that the court can reasonably infer “that the

defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678–79 (2009). When reviewing a Rule 12(b)(6) motion to dismiss, a court must accept all well-pleaded facts in the complaint as true and draw all reasonable inferences in favor of the plaintiff. Indep. Tr. Corp. v. Stewart Info. Servs. Corp., 665 F.3d 930, 934 (7th Cir. 2012). A court does not, however, accept a complaint’s legal conclusions. Phillips v. Prudential Ins. Co. of Am., 714 F.3d 1017, 1019 (7th Cir. 2013). b. Analysis i. Common Law Claims 1. Preclusion by Express Contract

Memorial contends that the negligence, negligence per se, implied contract, and unjust enrichment claims are precluded by the existence of an express contract between the parties. Mem. Supp. Mot. Dismiss 7–8. With respect to the negligence claims, Memorial raises the economic loss rule, commonly known in Illinois as the Moorman doctrine. The Illinois Supreme Court established in Moorman, in the context of sale of goods, that “[a] plaintiff cannot recover for solely economic loss under the tort theories of strict liability, negligence and innocent misrepresentation.” Moorman Mfg. Co. v. Nat’l Tank Co., 435 N.E.2d 443, 453 (Ill. 1982). It did so in order to prevent tort law from interfering with contracts governed by the UCC. Id. The Illinois Supreme Court later extended this holding from goods to services: “It is appropriate . . . that Moorman should apply to the service industry.” Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994). In short, when a contract for goods or services governs the relationship between parties, they are compelled to recover economic harm under the terms of the contract, not through tort law. Because Moorman applies to contracts for services, it is

applicable to cases such as this one. See Flores v. Aon Corp., 242 N.E.3d 340, 360–61 (Ill. App. Ct. 2023) (“Although the Congregation of the Passion decision concerned a professional malpractice claim against an accounting firm, its reasoning equally applies to data breach cases.”). Despite being generally applicable to data breach cases, Moorman does not operate to bar Gittings-Barrera’s negligence claims for two reasons. First, she pleads non-economic damages in her negligence claim. Although Moorman bars recovery for purely economic harm under tort law when the relationship between the parties is governed by contract, Gittings-Barrera’s alleged emotional distress and loss of privacy are plainly non-economic. See Compl. ¶ 194 (alleging that

Memorial’s negligence caused injuries including improper disclosure of her Private Information and “embarrassment, humiliation, frustration, and emotional distress”). Second, “[t]he economic loss doctrine does not bar recovery in tort for the breach of a duty that exists independently of a contract.” Congregation of the Passion, 636 N.E.2d at 515. Memorial’s Moorman argument fails because the duties alleged by in the complaint—to protect confidential information, see Compl ¶¶ 188, 200—do not arise purely out of contract. The obvious subject of the parties’ express contract is the provision of medical services. See id. ¶ 214. It is at least plausible that the express contract does not cover all conduct at issue, such as Gittings-Barrera’s use of Memorial’s website. And even if the subject of Gittings-Barrera’s negligence and contract claims is overlapping, the source of the duty is distinct. See Flores, 242 N.E.3d at 361 (“Since plaintiffs’ common law tort claims are based on defendant’s common law duty to safeguard personal information rather than any express contractual duty, the Moorman doctrine does not prohibit plaintiffs from bringing their claims.”). Further, Gittings-Barrera expressly pleads her breach of express contract claim in the alternative to her negligence claims.

Compl. ¶ 213. This means her negligence claims are not grounded in her contract claim but are plead on the basis of an independent duty. See, e.g., id. ¶ 205 (pleading the breach of a statutory, not contractual, duty). Because her tort claims are grounded in non-contractual duties, they are not barred by Moorman. With respect to the implied contract claim, Memorial cites Maness v. Santa Fe Park Enterprises, Inc., 700 N.E.2d 194, 200 (Ill. App. Ct. 1998), to support its assertion that “an implied contract cannot coexist with an express contract on the same subject.” Mem. Supp. Mot. Dismiss 2. It is, of course, true that the same contract cannot be both express and implied. See Witkowsky v. Affeld, 119 N.E. 630, 634 (Ill. 1918) (“if there is an express contract existing

between the parties with reference to a certain subject-matter, there cannot exist an implied contract between the same parties as to the same subject-matter.”). However, at the pleading stage, the Federal Rules of Civil Procedure permit a party to “set out 2 or more statements of a claim or defense alternatively or hypothetically.” Fed. R. Civ. P. 8(d)(2). Although Gittings- Barrera did not expressly plead her implied contract claim in the alternative, its substance can be reasonably construed only in the alternative. See Holman v. Indiana, 211 F.3d 399, 407 (7th Cir. 2000) (“While the [plaintiffs] need not use particular words to plead in the alternative, they must use a formulation from which it can be reasonably inferred that this is what they were doing.”). Her implied contract claim is based on implicit agreement to adhere to terms outlined “in [Memorial’s] Privacy Policies and elsewhere.”2 Compl. ¶ 225. The same documents allegedly underly the express contract. See Compl. ¶ 216 (“The express contract . . . was set forth in written Privacy Policies.”). The absence of the words “in the alternative” do not obscure Gittings-Barrera’s obvious argument: Memorial either expressly or impliedly contracted to adhere to its Privacy Policies and protect her data from disclosure to third parties. Gittings-

Barrera does not allege inconsistent facts. She merely reveals an uncertainty over whether the Privacy Policies truly constitute an express contract. The claims are grounded in the same set of facts and present competing theories of recovery, so it can be reasonably inferred that she intends to plead her express and implied contract claims in the alternative. On the whole, because Gittings-Barrera’s claims are most logically construed in the alternative, and because alternative pleading is permitted in federal courts, allegations of an express contract do not preclude contrary allegations of an implied contract for the sake of this motion to dismiss. Finally, Memorial similarly contends that an unjust enrichment claim cannot exist alongside an express contract claim. Mem. Supp. Mot. Dismiss 7. Again, although Memorial is

correct that “[unjust enrichment] is inapplicable where an express contract, oral or written, governs the parties’ relationship,” “a plaintiff may plead claims alternatively based on express contract and an unjust enrichment.” Gagnon v. Schickel, 983 N.E.2d 1044, 1052 (Ill. App. Ct.

2 Although Illinois courts frequently contrast “implied contracts” with “written contracts,” see, e.g., D-B Cartage, Inc. v. Olympic Oil, Ltd., 2019 IL App (1st) 190343-U, at *8 (Ill. App. Ct. 2019) (contrasting “implied contracts” and “written contracts”), extrinsic writings may furnish the terms of an implied contract in certain contexts. The Illinois Supreme Court in Duldulao v. Saint May of Nazareth Hosp. Center, 505 N.E.2d 314, 316, 320 (Ill. 1987), affirmed a judgment in favor of a plaintiff claiming the termination of her employment breached an implied contract memorialized in the terms of an employee handbook. The Duldulao court did not clarify whether it found an express or implied contract, holding only that “an employee handbook or other policy statement creates enforceable contractual rights if the traditional requirements for contract formation are present,” id. at 318, but appellate courts in the state have subsequently interpreted Duldulao as permitting policy statements to define rights under an implied contract. See Lampe v. Swan Corp., 571 N.E.2d 245, 246 (Ill. App. Ct. 1991) (“The Duldulao test determines if an implied-in-fact contract exists.”); Boll v. Hyatt Corp., 614 N.E.2d 71, 74 (Ill. App. Ct. 1993) (applying the Duldulao test to determine whether an implied contract was established); Condon v. American Tel. and Tel. Co., Inc., 569 N.E.2d 518, 521 (Ill. App. Ct. 1991) (same). 2012). For the same reasons as the implied contract, the unjust enrichment claim need not be dismissed merely because the complaint also alleges the existence of an express contract. 2. Count I: Negligence Gittings-Barrera alleges that Memorial had a duty to exercise reasonable care in handling her and class members’ Private Information including by taking measures to reasonably protect

the information from unauthorized disclosure and that it breached this duty by allowing it to be shared with third parties without authorization. See Compl. ¶¶ 188–93. She alleges that Memorial’s duty arose from industry standards, common law, and statute. Id. ¶¶ 191, 195, 200. “To state a claim for negligence, a plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) the defendant breached that duty, and (3) the breach was the proximate cause of plaintiff’s injuries.” Flores, 242 N.E.3d at 353 (citing Cowper v. Nyberg, 28 N.E.3d 768, 772 (Ill. 2015)). For a negligence claim based on violation of a statute, the plaintiff must plead that the defendant violated a statute or ordinance designed to protect human life, that she is in the class of people protected by the statute, and that her injury is

of the type the statute was intended to protect against; she must also plead that “the defendant’s violation of the statute proximately caused the injury.” See, e.g., Wittmeyer v. Heartland All. for Hum. Needs & Rts., No. 23 CV 1108, 2024 WL 182211, at *3 (N.D. Ill. Jan. 17, 2024) (citing Kalata v. Anheuser-Busch Cos., Inc., 581 N.E.2d 656, 661 (Ill. 1991)). Memorial argues that Gittings-Barrera fails to state a claim “because Memorial owes no common law duty to protect personal information.” Mem. Supp. Mot. Dismiss 8. In support of this contention, it cites Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 817 (7th Cir. 2018), which relies on an Illinois Appellate Court decision from 2010 to hold that “Illinois has not recognized an independent common law duty to safeguard personal information” (citing Cooney v. Chi. Pub. Sch., 943 N.E.2d 23, 29 (Ill. App. Ct. 2010)). Cooney did, in 2010, hold that there was no common law duty to safeguard personal information in Illinois. However, the Illinois Personal Information Protection Act (“PIPA”), 815 ILCS 530/1–50, was amended in 2017, creating a duty to “implement and maintain reasonable

security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” 815 ILCS 530/45; see Flores, 242 N.E.3d at 354. Cooney and Community Bank of Trenton are unpersuasive because they were decided on old law. Flores, 242 N.E.3d at 353–54 (“Given that the legislature has now created a duty to maintain reasonable security measures under [PIPA], the reasoning of the Cooney court no longer applies.”). In Flores, the Illinois Appellate Court found that the defendant owed a common law duty to protect the personal information of its clients. Id. at 354. Because of PIPA’s amendment, other courts have uniformly found plausible negligence claims premised on a defendant’s unauthorized disclosure of non-public health information in materially identical circumstances.

See, e.g., Allen v. Midwest Express Care, Inc., No. 24-cv-05348, 2025 WL 2240253, at *3–4 (N.D. Ill. Aug. 6, 2025); Mayer v. Midwest Physician Admin. Servs., LLC, No. 23-cv-3132, 2025 WL 963779, at *5 (N.D. Ill. Mar. 31, 2025); Stein v. Edward-Elmhurst Health, No. 23-cv-14515, 2025 WL 580556, at *9 (N.D. Ill. Feb. 21, 2025); A.D. v. Aspen Dental Mgmt., Inc., No. 24 C 1404, 2024 WL 4119153, at *9 (N.D. Ill. Sept. 9, 2024); Smith v. Loyola Univ. Med. Ctr., No. 23 CV 15828, 2024 WL 3338941, at *7 (N.D. Ill. July 9, 2024). Memorial’s only other citation is McGlenn v. Driveline Retail Merchandising, Inc., No. 18-cv-2097, 2021 WL 4301476, at *7 (C.D. Ill. Sept. 21, 2021). Mem. Supp. Mot. Dismiss 8–9. But even McGlenn recognizes the legal evolution brought by the PIPA amendment. The court dismissed the negligence claim in that case only because the plaintiff was a resident of North Carolina.3 McGlenn, 2021 WL 4301476, at *7. Neither party engages in a thorough analysis of the factors relevant to whether a common law duty exists, see Flores, 242 N.E.3d at 354 (finding that all factors relevant to determining whether a common law duty exists “support the conclusion that [the] defendant ha[d] a common

law duty to protect the personal information of its clients, in addition to its duty under [PIPA]”), or whether a statutory violation establishes prima facie evidence of negligence, see Price ex rel. Massey v. Hickory Point Bank & Tr., 841 N.E.2 1084, 1089 (Ill. App. Ct. 2006) (“Statutes and ordinances designed to protect human life establish the standard of conduct required of a reasonable person and thus fix the measure of legal duty.” (quotation marks omitted)), so the Court does not either. Instead, the Court follows the cases cited above and finds that, at this stage, it is sufficient that Gittings-Barrera has alleged that Memorial had a duty to exercise reasonable care to protect her and class members’ Private Information from unauthorized disclosure to third parties. See Compl. ¶¶ 188, 190–91, 192; Resp. Mot. Dismiss 7.

In sum, because Memorial’s argument is based entirely on Cooney and the reasoning from Cooney is no longer valid, its motion to dismiss Count I on this basis is DENIED. 3. Count II: Negligence Per Se Count II, for negligence per se, is grounded on the same facts as Count I, but Gittings- Barrera alleges in Count II that Memorial’s duty to protect her Private Information is based on several federal and state statutes and regulations. See Compl. ¶¶ 200–05. She also alleges that Memorial’s violations of its statutory duties constitute negligence per se under Illinois law. Compl. ¶ 204.

3 PIPA plausibly imposes a duty only to protect Illinois residents. See McGlenn, 2021 WL 4301476, at *11. Gittings-Barrera has plead residency in Illinois. See Compl. ¶ 32. In Illinois, violation of a statute does not constitute negligence per se unless “the legislature clearly intends for the act to impose strict liability.” Flores, 242 N.E.3d at 355 (citing Abbasi v. Paraskevoulakos, 718 N.E.2d 181, 186 (Ill. 1999)); see also Hannant 2025 WL 2413894, at *14. Gittings-Barrera does not claim that any of the statutes she cites were enacted with the intent to impose strict liability, nor does she direct the Court’s attention to any legal

authorities suggesting so. However, as Memorial does not raise this argument in its motion to dismiss, the Court need not independently examine each statute and rule for legislative intent to impose strict liability. Like its response to Gittings-Barrera’s negligence claim, Memorial’s only proffered grounds for dismissal are that “Memorial owes no common law duty to protect personal information.” Mem. Supp. Mot. Dismiss 8; see also id. at 9 (“Illinois court [sic] does not recognize a common law duty to protect information and the absence of such a duty mandates dismissal of Counts I and II.”). Considering that Count II is based on alleged statutory violations, see Compl. ¶¶ 200–205, Memorial’s request to dismiss Count II for lack of a common

law duty can be dismissed outright. Memorial’s motion to dismiss Count II is thus DENIED. 4. Counts III–IV: Breach of Express and Implied Contract Gittings-Barrera alleges that Memorial breached an express contract to not disclose her and the Class’s Private Information except as authorized. Compl. ¶¶ 214–18. She also alleges that Memorial breached an implicit agreement to maintain her and the Class’s Private Information confidentially and securely. Id. ¶¶ 225–30. Memorial does not contest the existence of an express contract but contends that recovery on any breach of contract is precluded because Gittings-Barrera fails to plead sufficient injury. Mem. Supp. Mot. Dismiss 11. “[U]nder [the basic theory of damages for breach of contract,] the claimant must establish an actual loss or measurable damages resulting from the breach in order to recover.” Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 832 (Ill. 2005). To establish measurable damages, Gittings-Barrera must allege “actual monetary damages.” Flores, 242 N.E.3d at 356; see also Hannant, 2025 WL 2413894, at *15–16 (requiring monetary damages to support a claim

for breach of implied contract). Gittings-Barrera pleads twelve distinct injuries. See Compl. ¶ 115. In addition to statutory damages not recoverable at common law, they can be divided into five categories: (1) increased revenue for Memorial, (2) loss of privacy, (3) overpayment and lost benefit of the bargain, (4) diminished value of personal information, and (5) emotional damages. None of these are sufficient to support a claim for breach of express or implied contract. First, Gittings-Barrera claims injuries related to Memorial’s increased revenue and profits resulting from its alleged misconduct. See Resp. Mot. Dismiss 11. This injury is insufficient to support a breach of contract action because a plaintiff’s injury must be grounded in loss to them,

not merely gain for defendants. See Dinerstein v. Google, LLC, 73 F.4th 502, 518 (7th Cir. 2023) (concluding that “a plaintiff cannot base an injury in fact solely on the defendant’s gain”). Dinerstein held such in the context of Article III standing, which has a lower threshold for injury than Illinois contract law has for damages. See Flores, 242 N.E.3d at 356 (showing that the threshold for sustaining a contract action is higher than that of standing, as an injury may be “sufficient to establish standing” without amounting to “actual monetary damages”). Given the higher threshold for contracts damages, if claims based on defendant’s gain fail to attain standing, they necessarily fall short of the damages requirement for Illinois contracts law. Second, Gittings-Barrera alleges loss of privacy. See Resp. Mot. Dismiss 11. She cites Geisberger v. Willuhn, 390 N.E.2d 945, 948 (Ill. App. Ct. 1979), for the proposition that an “action lies [in contract] for the disclosure of personal information, [e].g., information relating to the patient’s mental or physical condition or the physician’s diagnosis or treatment.” Resp. Mot. Dismiss. However, that case is about what actions breach a contract for confidentiality, not what

constitutes actual monetary damages. See Geisberger 390 N.E.2d at 947 (discussing what standard of confidentiality contracts between doctors and patients require). Because actual monetary damages were not at issue in that case, Geisberger is of little help. Conversely, in a materially identical claim, this Court found that privacy harms, whether present or future, are not the sort of “actual or measurable damages which can support an implied contract claim.” Hannant, 2025 WL 2413894, 16 (quotation marks omitted). As a result, these privacy harms alleged are insufficient to support an action for breach of contract. Third, Gittings-Barrera claims injuries related to overpayment for services and lost benefit of bargain. In the context of standing, the Seventh Circuit has stated, albeit in dicta, that

overpayment does not constitute an injury unless, in the product-liability context, a plaintiff claims that “the product itself was defective or dangerous” and that she “would not have bought it (or paid a premium for it) had [she] known of the defect.” Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016) (stating that the court was “skeptical” that the plaintiffs’ statement that they would not have dined at P.F. Chang’s “had they known of its poor data security” constituted an injury that could support standing). The Seventh Circuit recently revisited the question of whether overpayment of this type constitutes a cognizable injury for Article III standing. See Dinerstein, 73 F.4th at 517–518. The plaintiff’s argument mirrored Gittings-Barrera’s here: that “medical care he . . . purchased came bundled with a promise of medical confidentiality” and that he “would not have purchased the . . . medical treatment had he known that [the defendant] intended to share his private health information.” Id. at 517. The Seventh Circuit concluded that it was “not inclined to recognize the overpayment theory outside the product-liability context.” Id. Federal standing law does not formally bound injuries cognizable for the purposes of

Illinois contract actions, but the same logic applies here. Overpayment has been found a cognizable injury in product-liability cases because only in such cases do plaintiffs allege a defect in the purchased good. See Lewert, 819 F.3d at 968; see, e.g., In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748, 751 (7th Cir. 2011). When the product or service itself is not “defective or dangerous,” any connection between payment for the functional good or service and the allegations of overpayment are excessively attenuated. See Dinerstein, 73 F.4th at 517 (describing as “implausible” any direct connection between the plaintiff’s payment for medical care and his expectation of data security). For this reason, courts regularly dismiss overpayment- based claims under the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”)

for failure to satisfy the statute’s requirement of “actual damages.” See Benson v. Fannie May Confections Brands, Inc., 944 F.3d 639, 644, 646 (7th Cir. 2019) (dismissing claim that the defendant misled the plaintiffs about the amount of chocolate they were purchasing because they did not allege that the chocolate purchased was “worth less than the $9.99 that they paid” or that the chocolate was “defective”); see also, e.g., Kurowski v. Rush Sys. For Health, 683 F. Supp. 3d 836, 846 (N.D. Ill. 2023) (dismissing the plaintiff’s claim under the ICFA that a hospital system “provided a less valuable service than it promised when it breached her privacy” because this type of “benefit of the bargain theory of damages” is inapplicable outside the products-liability context); Aspen Dental Mgmt., 2024 WL 4119153, at *7–8 (same); Genesis Health Sys., 2024 WL 3890164, at *14 (same). Gittings-Barrera’s citation of Posner v. Davis, 395 N.E.2d 133 (1979), though not strictly in the context of products-liability, fits this pattern. The court in Posner determined that defrauded purchasers are “entitled to damages which will give him the ‘benefit of his bargain,’” but it was in the context of fraudulent concealment of flooding issues and water damage in a contract for the sale of a home. Id. at 135, 138. That is, for the sale of a

tangible item that was defective. Posner only proves the rule Gittings-Barrera seeks to avoid: overpayment is only considered actual monetary damages if the subject of the transaction is defective or dangerous. Gittings-Barrera’s lost-benefit-of-the-bargain or overpayment argument seems to rely on her paying Memorial for medical services. See Compl. ¶ 214 (alleging that Gittings-Barrera and proposed class members entered to express agreements where Memorial would provide medical care); id. ¶ 224 (alleging that Gittings-Barrera and other proposed class members paid compensation for medical treatment); Resp. Mot. Dismiss 9 (“Plaintiff paid Defendant for medical services.”). Gittings-Barrera nowhere alleges that the medical services were “defective or dangerous.” As a result, her complaint fails to allege sufficient injuries to

maintain a breach of contract action based on overpayment. Fourth, Gittings-Barrera alleges harm in the form of diminution in value of her Private Information. See Resp. Mot. Dismiss 11. However, this has been found insufficient to support a contract claim. See Flores, 242 N.E.3d at 356 (“We decline to hold that the alleged diminution in value of plaintiffs’ personal information amounts to actual monetary damages.”). Gittings- Barrera points to no cases that contradict this conclusion. Fifth, Gittings-Barrera alleges emotional distress resulting from Memorial’s breach of contract. See Resp. Mot. Dismiss 11. In Illinois, “[e]motional harms are not cognizable contract damages absent allegations that the breach was wanton or reckless and caused bodily harm, or where defendant had reason to know, when the contract was made, that its breach would cause mental suffering for reasons other than mere pecuniary loss.” Hannant, 2025 WL 2413894, at *16 (quotation marks omitted); accord Doe v. Roe, 681 N.E.2d 640, 650 (Ill. App. Ct. 1997) (“Recovery for mental distress is excluded unless the contract or the breach is of such a kind that serious emotional disturbance was a particularly likely result.” (cleaned up)).

Gittings-Barrera does plead that Memorial “knew, or had reason to know” that disclosing her Private Information “would cause mental suffering.” Compl. ¶ 221. However, these allegations are no more than conclusory statements of the elements of her cause of action. Gittings-Barrera pleads no facts suggesting Memorial knew or had reason to know the disclosure would cause mental suffering. She claims her mental suffering was foreseeable “given that such information should reasonably be expected to be held in confidence and not disclosed to unauthorized third parties.” Id. In other words, she alleges that disclosure of confidential information foreseeably causes mental suffering because non-disclosure is the expectation. Accepting such pleading would do away entirely with the requirement that “serious emotional

disturbance” be a “particularly likely result.” Roe, 681 N.E.2d at 650. It would make emotional damages actionable in any contract for confidentiality, since the parties to such a contract would always expect non-disclosure. In short, it collapses the damages analysis into the breach analysis: because a breach of contract is not expected, a defendant would have reason to know that the breach would cause emotional harm. Such argumentation presents no facts showing that Memorial was on-notice regarding the risk that disclosure would cause Gittings-Barrera serious emotional disturbance. Consequently, Gittings-Barrera’s conclusory allegations lack “sufficient factual matter” to “state a claim to relief that is plausible on its face.” Iqbal, 556 U.S. at 678. Finally, in her response to the motion to dismiss, Gittings-Barrera states that she alleges “lost time and money incurred to mitigate and remediate the effects of use of [p]rivate [i]information” and argues that her “mitigation allegations alone are sufficient.” Resp. Mot. Dismiss 11. But she never alleges that she engaged in any specific mitigation actions. The bare recitation of “lost time and money incurred to mitigate and remediate the effects of use of their

information,” see, e.g., Compl. ¶ 247, is insufficiently specific to “plausibly give rise to an entitlement to relief.” Iqbal, 556 U.S. at 679. In conclusion, Memorial’s motion to dismiss is GRANTED. Gittings-Barrera’s express and implied contract claims are dismissed for failure to plead sufficient injury. 5. Count V: Unjust Enrichment Gittings-Barrera next alleges that she and class members conferred a benefit on Memorial “in the form of valuable sensitive medical information,” that they would not have done so had they known that Memorial would convey their Private Information to third parties, and that it would be unjust for Memorial to retain this benefit. Compl. ¶¶ 234–41. “To state a cause of

action based on a theory of unjust enrichment, a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989).4

4 Courts frequently state that “unjust enrichment is not a separate cause of action” in Illinois. See, e.g., Vanzant v. Hill’s Pet Nutrition, Inc., 934 F.3d 730, 739 (7th Cir. 2019) (quotation marks omitted). However, the strict accuracy of this assertion is uncertain. Compare Sergeants Benevolent Ass’n Health & Welfare Fund v. Actavis, plc, 15 Civ. 6549 (CM), 2018 WL 7197233, at *61 (S.D.N.Y. Dec. 26, 2018), and Raintree Homes, Inc. v. Vill. of Long Grove, 807 N.E.2d 439, 445 (Ill. 2004), with All. Acceptance Co. v. Yale Ins. Agency, Inc., 648 N.E.2d 971, 977 (Ill. App. Ct. 1995), and Charles Hester Enters., Inc. v. Illinois Founders Ins. Co., 484 N.E.2d 349, 354 (Ill. App. Ct. 1985), aff’d, 499 N.E.2d 1319 (1986). On its face, such a categorical statement seems to contradict the Illinois Supreme Court’s statement in HPI Health Care describing the “cause of action based on a theory of unjust enrichment.” HPI Health Care, 545 N.E.2d at 679. Gittings-Barrera alleges that she conferred a benefit upon Memorial (1) “in the form of valuable sensitive medical information” and (2) through payment for receipt of medical services. See Compl. ¶¶ 236–37. Memorial, in turn, contends that Gittings-Barrera “never alleges facts suggesting that Memorial received any benefit from the use of Memorial’s free website.” Mem. Supp. Mot. Dismiss 10.

Gittings-Barrera’s payment of money to Memorial is not a benefit conferred in this case. Payment given for medical services cannot alone constitute a benefit for an unjust enrichment claim when the plaintiff does not “allege[] that any specific portion of their payments went toward data protection.” Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 766 (C.D. Ill. 2020). Gittings-Barrera does not allege any specific payment given for data protection. Conversely, she concedes that “[she] paid [Memorial] for medical services.” Resp. Mot. Dismiss 9 (emphasis added). Because her payment was for medical services, not data protection, this payment cannot support an action for unjust enrichment based on poor data security. See Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064, 1072 (C.D. Ill. 2016) (“Irwin paid for food products. She

The Seventh Circuit examined this apparent discrepancy in Cleary v. Philip Morris Inc., 656 F.3d 511, 516 (7th Cir. 2011). It concluded: Unjust enrichment is a common-law theory of recovery or restitution that arises when the defendant is retaining a benefit to the plaintiff’s detriment, and this retention is unjust. What makes the retention of the benefit unjust is often due to some improper conduct by the defendant. And usually this improper conduct will form the basis of another claim against the defendant in tort, contract, or statute. So, if an unjust enrichment claim rests on the same improper conduct alleged in another claim, then the unjust enrichment claim will be tied to this related claim—and, of course, unjust enrichment will stand or fall with the related claim. Id. at 517 (footnote omitted).

This Court recently dismissed a similar unjust enrichment claim because it was connected to an Illinois statutory count that failed to state a claim, relying on the language that “unjust enrichment is not a separate cause of action.” See Hannant, 2025 WL 2413894, at *17 (quotation marks omitted) (dismissing unjust enrichment claim because it could not survive when Illinois False Claim Act and implied contract claims were dismissed). In this case, however, Gittings-Barrera appears to plead unjust enrichment as an independent claim. See Compl. ¶¶ 234–41; Resp. Mot. Dismiss 9. Because Memorial does not argue that the unjust enrichment claim is dependent on any other claims surviving, see Mem. Suppl Mot. Dismiss 10–11, and Gittings-Barrera expressly pleads her unjust enrichment claim in the alternative of her implied contract claim, Compl. ¶ 235, the Court need not address here whether her unjust enrichment claim stands or falls with related claims. did not pay for a side order of data security and protection; it was merely incident to her food purchase, as is the ability to sit at a table to eat her food, or to use Jimmy John’s restroom.”). Admittedly, the difference in market value of services resulting from widespread market misinformation has been found to be conferral of a benefit for the purposes of unjust enrichment. See Thompson’s Gas & Elec. Serv., Inc. v. BP Am. Inc., 691 F. Supp. 2d 860, 872 (N.D. Ill.

2010) (“Plaintiffs have adequately alleged their conferral of a benefit upon Defendants—in this case, the difference in price between the inflated price paid and the value of the propane had the market not been misinformed.”). However, there are no allegations here that widespread misinformation caused market distortion increasing the price of medical services. Gittings- Barrera alleges only that she and class members “would not have used [Memorial]’s services, or would have paid less for those services, if they had known that [Memorial] would collect, use, and disclose their Private Information to third parties.” Compl. ¶ 237. The counterfactual Gittings-Barrera presents—that she would not have used Memorial’s services if she had known their data security practices—has been found to not be an actionable injury in an analogous

context. See Lewert, 819 F.3d at 968 (“Plaintiffs claim that the cost of their meals is an injury because they would not have dined at P.F. Chang’s had they known of its poor data security. . . . such arguments have been adopted by courts only where the product itself was defective or dangerous.”). Lewert was decided in the context of Article III standing, but it has been used to support the lack of benefit for the sake of unjust enrichment. See, e.g., Perdue, 455 F. Supp. 3d at 766. On the other hand, benefit provided in the form of personal information given while using the publicly accessible website could plausibly support an unjust enrichment claim. Gittings-Barrera alleges that the provision of valuable medical information, independent of any exchange for medical treatment, is a benefit conferred upon Memorial. She alleges that she gave personal information to Memorial, for instance, simply while using its publicly accessible website. For the purposes of a motion to dismiss, the Court accepts Gittings-Barrera’s allegations that the information given to Memorial through use of the website is valuable. See Compl. ¶ 236 (alleging that Memorial “collected, used, and disclosed this information for its own

gain, for marketing purposes, and for sale or trade with third parties”); cf. Doe v. Tenet Healthcare Corp., 731 F. Supp. 3d 142, 151 (D. Mass. 2024) (finding that the plaintiff alleged a plausible unjust enrichment claim under Massachusetts law by alleging that she conferred a benefit on the defendant “in the form of her [p]rivate [i]nformation, which [wa]s valuable marketing information to third parties”). Memorial has failed to identify any legal authority showing that provision of Private Information cannot be a benefit for the purposes of unjust enrichment. In sum, Memorial’s motion to dismiss Count V is DENIED because the provision of personal information plausibly supports an unjust enrichment claim.

6. Count VI: Bailment Gittings-Barrera also claims that the parties “contemplated a mutual benefit bailment when [she] and Class members transmitted their Private Information to [Memorial] solely for treatment and the payment thereof.” Compl. ¶ 243. She then argues that Memorial breached its duty as a bailee by using the information for a longer time, for a different purpose, and in a different manner than the parties intended. Id. ¶ 246. A bailment requires “(1) an express or implied agreement to establish a bailment; (2) delivery of the property in good condition; (3) the bailee’s acceptance of the property; and (4) the bailee’s failure to return the property or the bailee’s redelivery of the property in a damaged condition.” Longo Realty v. Menard, Inc., 59 N.E.3d 1, 7 (Ill. App. Ct. 2016). Memorial argues that Gittings-Barrera’s bailment claim fails because she did not allege an agreement to return the bailed property. Mem. Supp. Mot. Dismiss 13. This is not, however, a strict requirement for a bailment to exist. When no agreement for the return of bailed property

exists, bailees are obligated instead “to keep and preserve the property for the benefit of the owner.” Am. Fam. Mut. Ins. Co. v. Tyler, 68 N.E.3d 442, 446 (Ill. App. Ct. 2016); see also Indem. Ins. Co. of N. Am. v. Hanjin Shipping Co., 348 F.3d 628, 637 (7th Cir. 2003) (“A bailment ‘is the delivery of property for some purpose upon a contract, express or implied, that after the purpose has been fulfilled, the property shall be redelivered to the bailor, or otherwise dealt with according to his directions, or kept until he reclaims it.’” (emphasis added) (quoting Am. Ambassador Cas. Co. v. Jackson, 692 N.E.2d 717, 721 (Ill. App. Ct. 1998)). The complaint does not fail simply because it does not allege an agreement to return the bailed property. However, Memorial’s argument highlights the uncomfortable fit of bailment law to this

scenario. To begin with, it is difficult to imagine what it means to return this allegedly bailed property. How would Memorial return its knowledge of its patients’ names? What would it look like for a website host to return the data inputted by website users? Although the return of bailed property is not a strict requirement for a bailment to exist, if allegedly bailable property cannot even conceptually be returned to or reclaimed by its owner, then bailment law is at best an uncomfortable fit.5

5 While it is true that information can be bailable property, it has only been held to be so in a limited set of circumstances. In Liddle v. Salem School District No. 600, 619 N.E.2d 530, 533 (Ill. App. Ct. 1993), the Illinois Appellate Court held that information contained in a scholarship letter could be bailable property. In that case, a college mailed a letter containing information about recruitment for a basketball scholarship to a high school basketball player, to be delivered by the basketball coach at his high school. Id. at 530. The coach did not deliver the letter for several months, at which time the college had discontinued its recruitment efforts. Id. Liddle is distinguishable from the case at hand for several reasons. First, the information in the scholarship offer was It is similarly unclear how it is possible for Memorial to take “exclusive possession” of Gittings-Barrera’s name or search history, as is typically required of a bailment. Multiple people know the name “Lacey Gittings-Barrera,” and in all probability her internet service provider holds information about her search history. That is, much if not all of the information delivered to Memorial is held by any number of third parties. The factual impossibility of Memorial

having truly “exclusive possession” of Gittings-Barrera’s personal information suggests her complaint attempts to extend bailment law beyond its outer bounds. See In re Mondelez Data Breach Litig., No. 23 C 3999, 2024 WL 2817489, at *9 (N.D. Ill., 2024) (“The law of bailment in Illinois does not map onto the circumstances of this case, as no one can have ‘exclusive possession’ of another person’s personal information.”); see also Genesis Health Sys., 2025 WL 1000192, at *7 (dismissing a bailment claim based on strikingly similar facts because the plaintiff did not include any facts evidencing an expectation of return of her personal information, instructions for how to deal with the property, or any agreement to take exclusive possession of the information).

Given the uneasy fit between the facts alleged and Illinois bailment law, this Court follows the practice of other federal courts and declines to extend Illinois bailment law to this novel scenario. As the Northern District of Illinois said in an analogous case: True, the Court has recognized above that, in borderline cases, it may be preferable to deny a motion to dismiss and permit the parties to develop the record before ruling on the availability of an untried legal theory. But plaintiffs’ bailment claim does not present a question of foreseeability that might benefit from further factual development. Rather, the bailment claim would be a stretch under any conceivable

connected to a tangible object and left in the care of a specific individual for delivery to the recipient. Although the letter itself was assumed not to be bailable property for the purposes of the Liddle court, see id. at 531, the connection between the letter and the information allows the information to more closely track the traditional idea of bailment. Second, the information was held only by a narrow set of people, unlike at least some of the information at issue here, such as Gittings-Barrera’s name. Finally, of particular importance to the Liddle court, the information at issue was of valuable only to the intended recipient, and “[h]e could not assign or sell that information.” Id. at 533. Because of these substantial factual differences, Liddle does not control. version of the facts, and federal court is not the place to press innovative theories of state law.

In re Mondelez Data Breach Litig., 2024 WL 2817489, *9 (quotation marks omitted); accord Doe 1 v. Chestnut Health Sys., Inc., No. 1:24-cv-01475-JEH-RLH, 2025 WL 1616635, *6 (C.D. Ill. June 6, 2025); see also Great N. Ins. Co. v. Amazon.com, Inc., 524 F. Supp. 3d 852, 856 (N.D. Ill. 2021) (“[T]his court must bear in mind the Seventh Circuit’s admonition that, ‘[w]hen given a choice between an interpretation of Illinois law which reasonably restricts liability, and one which greatly expands liability, [a federal court] should choose the narrower and more reasonable path (at least until the Illinois Supreme Court [says] differently).’” (alterations in original) (quoting Todd v. Societe Bic, S.A., 21 F.3d 1402, 1412 (7th Cir. 1994)). In order to extend the applicability of bailment law to personal data, Gittings-Barrera relies primarily on Krupa v. TIC International Corp., No. 1:22-cv-01951-JRS-MG, 2023 WL 143140 (S.D. Ind. Jan. 10, 2023), a case from the Southern District of Indiana applying Indiana law. See Resp. Mot. Dismiss 13. Despite Gittings-Barrerra’s acknowledgment elsewhere in her response that Krupa is a Southern District of Indiana case, she quotes at length from Krupa in her bailment argument with the representation that it is a Southern District of Illinois case applying Illinois law. See id. (noting “Illinois’s longstanding recognition of constructive bailments” and then introducing the long quote from Krupa with, “As the Southern District of Illinois explained”). The Court does not find this citation to out-of-state law persuasive. Because personally identifying information of the type identified by Gittings-Barrera is

not bailable property, the Court GRANTS Memorial’s motion to dismiss Count VI. ii. Count VII: Violation of the Illinois Eavesdropping Statute Gittings-Barrera pleads a violation of the IES pursuant to its civil suit provision in 720 ILCS 5/14-6. The IES provides, in relevant part: (a) A person commits eavesdropping when he or she knowingly and intentionally: . . . (2) Uses an eavesdropping device, in a surreptitious manner, for the purpose of transmitting or recording all or any part of any private conversation to which he or she is a party unless he or she does so with the consent of all other parties to the private conversation; (3) Intercepts, records, or transcribes, in a surreptitious manner, any private electronic communication to which he or she is not a party unless he or she does so with the consent of all parties to the private electronic communication; . . . (5) Uses or discloses any information which he or she knows or reasonably should know was obtained from a private conversation or private electronic communication in violation of this Article, unless he or she does so with the consent of all of the parties.

720 ILCS 5/14-2. Gittings-Barrera quotes from section (a)(2) and (a)(5) in her complaint. Compl. ¶¶ 250– 51. In its motion to dismiss, Memorial contends that Gittings-Barrera fails to state a claim because the IES only applies to those not party to a communication, Mem. Supp. Mot. Dismiss 14, citing to § (a)(3), which prohibits the interception or conveyance of “any private electronic communication to which he or she is not a party,” 720 ILCS 5/14-2(a)(3) (emphasis added). This, of course, is not correct—there are other provisions of the IES that apply to communications to which the defendant is the party. In any case, Memorial is correct that Gittings-Barrera cannot proceed on a § (a)(3) claim. See Zak v. Bose Corp., No. 17-cv-02928, 2019 WL 1437909, at *5 (N.D. Ill. Mar. 31, 2019) (dismissing claim brought under § (a)(3) because “the [complaint] does not allege facts to suggest that the App is not a party to the communication, and indeed the facts alleged contradict Zak’s conclusory allegation that Bose is not a party”). Regardless, Gittings-Barrera argues that she is bringing her claim, inter alia, under section (a)(2). Resp. Mot. Dismiss 15. Section (a)(2) applies to communications “to which [the defendant] is a party.” 720 ILCS 5/14-2(a)(2) (emphasis added). However, Gittings-Barrera’s citation to § (a)(2) cannot save her claim as that section applies only to the transmission or recording of “private conversation[s].” Id. The IES defines “private conversation” as “any oral communication between 2 or more persons.” Id. 5/14-1(d). Gittings-Barrera makes no allegation of an oral communication, so this section does not apply. See Aspen Dental, 2024 WL 4119153, at *4 (dismissing a materially identical claim because the IES’s definition of “private

conversation” “does not apply to the electronic communications about which Plaintiffs complain[ed]”). Insofar as Gittings-Barrera intended to assert a claim under § (a)(5) as well, that claim is also dismissed. Section (a)(5) requires the information disclosed or used to be “obtained from a private conversation or private electronic communication in violation of this Article,” meaning it can only apply if there is a violation of another subsection. 720 ILCS 5/14-2(a)(5); see Hannant, 2025 WL 2413894, at *11 (“[T]here must be adequate allegations of a violation of another subsection of section 14-2(a) to invoke section 14-2(a)(5).”). Because Gittings-Barrera failed to state a claim under any other subsection, any claim under (a)(5) must also be dismissed.

Since Gittings-Barrera’s complaint does not plead the interception or transmission of any oral communication or communication to which Memorial was not a party, the Court GRANTS Memorial’s motion to dismiss Count VII. iii. Federal Statutory Claims 1. Electronic Communications Privacy Act Gittings-Barrera raises three counts of violations of the ECPA: two of Title I, also known as the Wiretapping Act, and one of Title II, also known as the SCA. See Compl. ¶¶ 273–321. First, she alleges violations of § 2511(1)(a), (c), and (d) on grounds that Memorial used and intentionally disclosed her electronic communications to third parties while knowing that the information was obtained in violation of the statute. See, e.g., id. ¶¶ 284–85. Next, she alleges a violation of § 2511(3)(a), which provides that “a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication . . . while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intended

recipient,” 18 U.S.C. § 2511(3)(a). Compl. ¶¶ 292–303. Finally, under the SCA, Gittings- Barrera alleges a violation of § 2702, which provides in relevant part that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” 18 U.S.C. § 2702(a)(1). Memorial’s only grounds for dismissing all three of these counts is that Gittings-Barrera fails to plead economic injury. Mem. Supp. Mot. Dismiss 15–16. It cites Doe v. Chao, 540 U.S. 614, 627 (2004), for the proposition that the “Privacy Act” requires a showing of “actual damages” and Federal Aviation Administration v. Cooper, 566 U.S. 284, 299 (2012), for the

proposition that “actual damages” means “proven pecuniary or economic harm.” a. Counts VIII–IX: Violations of the Wiretap Act The damages provision of the Wiretap Act allows a plaintiff to recover “whichever is the greater of—(A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or (B) statutory damages.” 18 U.S.C. § 2520(c)(2). In an attempt to insert a requirement to show “actual damages” into the Wiretap Act, Memorial presents Chao as an authoritative interpretation of the ECPA. However, Chao is about the Privacy Act of 1974, not the ECPA. Chao, 540 U.S. at 616. The Supreme Court in Chao concluded that actual damages were required under 5 U.S.C. § 552a(g)(4), the damages provision of the Privacy Act. Id. The Privacy Act imposes liability, in relevant part, “in an amount equal to the sum of (A) actual damages sustained by the individual . . . , but in no case shall a person entitled to recovery receive less than the sum of $1,000; and (B) the costs of the action.” 5 U.S.C. § 552a(g)(4). The Chao Court refused to accept the plaintiff’s argument that they were entitled to $1,000 in statutory damages even in the absence of actual damages. Chao,

540 U.S. at 620–27. The Court instead found that § 522(a)(g)(4) restricted liability to only those who suffered some actual damages. Memorial cites several cases in an attempt to show that the standard from the Privacy Act also applies to the ECPA. See Reply 9 (citing Seale v. Peacock, 32 F.4th 1011 (10th Cir. 2022), Vista Mktg., LLC v. Burkett, 812 F.3d 954 (11th Cir. 2016), and Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199 (4th Cir. 2009)). However, those cases were deciding how to interpret the SCA, not the Wiretap Act. See Seale, 32 F.4th at 1027 (“[W]e hold plaintiffs cannot recover statutory damages under the SCA without first showing they suffered actual damages.”); accord Vista Mktg., 812 F.3d at 971; Van Alstyne, 560 F.3d at 210. Memorial cites no authority

applying the “actual damages” requirement of the Privacy Act to the Wiretap Act. It cannot do so because the actual damages requirement of Chao plainly should not be inserted into the Wiretap Act. This is evident from the language of the damages provisions. The SCA states: “The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.” 18 U.S.C. 2707(c). This is remarkably similar to the language of the Privacy Act at issue in Chao. The Wiretap Act, by contrast, allows a court to assess as damages the greater of “the sum of the actual damages suffered by the plaintiff and any profits made by the violator” or “statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000.” 18 U.S.C. 2520(c)(2). Because the Wiretap Act expressly permits statutory damages in the alternative of actual damages, it cannot reasonably be read, as Memorial suggests, to require a showing of economic damages. The reasoning of the Eleventh Circuit in Vista Marketing, a case Memorial perplexingly

cited in support of its contention that the entire ECPA requires actual damages, shows compellingly why the actual damages requirement should be applied to the SCA but not the Wiretap Act. See Vista Mktg., 812 F.3d at 965–71. The Eleventh Circuit decided to apply Chao to the SCA because several core elements of the Supreme Court’s reasoning in Chao applied equally to the SCA. These included (1) “the simplest reading of the phrase ‘person entitled to recovery’” being a person who sustained actual damages; (2) the need to require actual damages to account for and give meaning to the phrase “entitled to recovery”; (3) the placement of that same phrase in the context of the statute; and (4) the use of the phrase “entitled to recover” to limit liability instead of speaking of liability in a freestanding, unqualified manner. See Id. at

965–67. Conversely, the damages provision of the Wiretap act nowhere uses the phrase “entitled to recover.” Further, the court in Vista Marketing expressly compared the damages provisions from the Wiretap Act and the SCA, finding that the distinction between the two supported requiring actual damages under the SCA. See id. at 967–71. Specifically, it noted that if Congress had “intended for the SCA to allow a party to choose between actual damages and statutory damages, the contemporaneously enacted amendments to the Wiretap Act certainly demonstrate that Congress knew how to say so.” See id. at 968. Another case Memorial relies upon for its argument that the ECPA requires a showing of actual damages, Van Alstyne, also uses distinctions between the SCA and the Wiretap Act to support finding that actual damages are required under the SCA. See Van Alstyne, 560 F.3d at 205–07. It specifically points to the fact that the Senate Report on the Wiretap Act “clearly specifies that a court may award, in actions under the Wiretap Act, actual damages or statutory damages.” Id. at 207 (citing S.Rep. No. 99-541, at 27 (1986)). Because Memorial’s sole argument for dismissal, that damages under the Wiretap Act are

limited to actual damages, incorrectly interprets the statute’s damages provision, the motion to dismiss Counts VIII and IX is DENIED. b. Count X: Violation of the Stored Communications Act Unlike the Wiretap Act, the damages provision of the SCA is remarkably similar to that of the Privacy Act. As a result, as Memorial points out, every circuit to consider the question has applied Chao’s requirement of actual damages to the SCA. See Seale, 32 F.4th 1011 at 1027; Vista Mktg., 812 F.3d at 971; Van Alstyne, 560 F.3d at 206; Hovanec v. Miller, 831 F.App’x 683, 685 (5th Cir. 2020).6 Although the SCA requires actual damages, it does not necessarily follow that Gittings-Barrera’s claim can only proceed upon a pleading of economic damages.

Cooper reads the similar language of the Privacy Act to require economic damages, Cooper, 566 U.S. at 299, but its writing on the matter did not start from a blank slate. The Privacy Act creates liability for the United States when an agency commits certain willful or intentional statutory violations. 5 U.S.C. 522(a)(g)(4). Cooper’s interpretation of the Privacy Act’s damages provision, then, is made in the context of whether Congress waived sovereign immunity for Privacy Act suits over non-economic injuries. See Cooper, 566 U.S. at 290–99. Because the Supreme Court found that “the Privacy Act does not unequivocally authorize an

6 Admittedly, some district courts have held otherwise. See, e.g., Brooks Grp. & Assocs. Inc. v. LeVigne, No. 12- 2922, 2014 WL 1490529, 10 (E.D. Pa. Apr. 15, 2014) (“[Plaintiff] need not allege actual damages to state a claim under [§ 2707 of] the ECPA.”). However, this is against the weight of persuasive circuit court authority and the compelling value of reading similar statutory provisions as harmonious. award of damages for mental or emotional distress,” it held that the Privacy Act “does not waive the Federal Government’s sovereign immunity from liability for such harms.” Id. at 304. The case at hand does not implicate sovereign immunity, so the statute need not be “unequivocal” in permitting the recovery of non-economic injury. The language of the SCA, “actual damage,” does not on its face appear limited to only economic injury. See id. at 292

(“Even as a legal term . . . the meaning of ‘actual damages’ is far from clear.”). Memorial has pointed to no authority applying Cooper or its reasoning to the SCA, nor has the Court in its own research uncovered any. Absent reason to restrict the definition of “actual damages” in the SCA to economic damages, Memorial’s motion to dismiss Gittings-Barrera’s SCA claim is DENIED. 2. Count XI: Violation of the Computer Fraud and Abuse Act Finally, Gittings-Barrera alleges that Memorial violated the CFAA by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from [a] protected computer,” 18 U.S.C. § 1030(a)(2)(C). Compl. ¶ 324. She seeks civil damages pursuant to § 1030(g). Id. ¶ 327.

Memorial raises three grounds on which to dismiss Count XI for failure to state a claim: (1) it is time-barred, (2) Gittings-Barrera failed to plead actionable damage, and (3) the pleadings do not allege that Memorial’s access to Gittings-Barrera’s computer was unauthorized or that it unlawfully exceeded its authorized access to her computers. Mem. Supp. Mot. Dismiss 16–18. First, the alleged violation of the CFAA cannot stand because Gittings-Barra pleads no actionable damage or loss. Under the CFAA, a civil action may be brought by “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g). The only loss or damage Gittings-Barrera alleges is the unlawful access to protected computers, the “secret transmission of [her] and the Class Members’ Private Information,” and the publication of private and personally identifiable data. Compl. ¶¶ 324–26. In her response to the motion to dismiss, Gittings-Barrera argues that she “alleges damages by way of the decreased value of her Private Information and a portion [of] [Memorial]’s profits from selling her Private Information because she did not receive the data security protections from [Memorial] for which she paid.” Resp. Mot. Dismiss 18 (citing Compl. ¶ 318). None of these qualify as “damage” or “loss.”

The statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). Damage includes “the destruction, corruption, or deletion of electronic files, the physical destruction of a hard drive, or any diminution in the completeness or usability of the data on a computer system.” Farmers Ins. Exch. v. Auto Club Grp., 823 F. Supp. 2d 847, 852 (N.D. Ill. 2011) (quotation marks omitted). “[T]he mere copying of electronic information from a computer system is not enough to satisfy the CFAA’s damage requirement.” Id. Gittings-Barrera alleges only misuse of her information, not harm to her devices or electronic files. Any allegations of damage when the only injury pleaded is wrongful access and

publication are “untenable.” First Fin. Bank, N.A. v. Bauknecht, 71 F. Supp. 3d 819, 851 (C.D. Ill. 2014). Leaning on the word “integrity” still does not create damage for Gittings-Barrera since impairing the integrity of data requires “some diminution in the completeness or useability of data or information on a computer system.” Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704, 709 (N.D. Ill. 2008) (quotation marks omitted). “Loss” is “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). District courts disagree on whether an interruption of service is required to prove a “loss” under the CFAA or if damage assessments and other mitigation measures are actionable loss despite no interruption. See Farmers, 823 F. Supp. 2d at 854 (discussing differing definitions of “loss” in Northern District of Illinois decisions). However, even under the most liberal definition of “loss,” a plaintiff’s loss must be associated with something like a damage assessment, a response

to service outages, or impairment of data availability. See id. As one court in this District stated while applying a more liberal construction of the statute, “there are two categories of statutory loss: expenses incurred while responding to or investigating a violation, and costs incurred, or revenue lost, because of a service disruption.” Bauknecht, 71 F. Supp. 3d at 851. The harm alleged by Gittings-Barrera does not qualify as “loss” under either construction. As a result, the Court need not decide whether interruption of service is required to qualify as a “loss.” Gittings-Barrera pleads only that her information was wrongly accessed and distributed, not that the wrongful action damaged or in any other way affected her computer or any other electronic systems. Nor does she allege that she undertook any mitigation measures to

protect or investigate the health of her computer or systems upon discovering a breach. As a result, Gittings-Barrera’s complaint fails to allege any damage or loss, and her CFAA claim therefore cannot be maintained. Further, Count XI fails because Gittings-Barrera fails to plead that Memorial unlawfully exceeded whatever access it had to Gittings-Barrera’s computer or systems. To prevail on a CFAA claim, Gittings-Barrera must show that Memorial “intentionally access[ed] a computer without authorization or exceed[ed] authorization.” 18 U.S.C. § 1030(a)(2). It is unclear whether Gittings-Barrera is contending that Memorial had some authorized access that it exceeded, see Resp. Mot. Dismiss 19 (arguing that “Plaintiff alleges that Defendant exceeded its authorized access to Plaintiff’s protected computers”), or that Memorial had no authorized access at all, see id. at 19 (“Plaintiff alleged Defendant had no authorized access to disclose her data.”). In any case, because Gittings-Barrera voluntarily visited, utilized, and input information into Memorial’s website, Memorial was authorized to access Gittings-Barrera’s data. Gittings- Barrera argues that “[t]hird parties like Facebook and Google had no authorization to access

[her] computers and any further question is one of fact.” Id. (citing United States v. Thompson, No. CR19-159RSL, 2022 WL 834026, at *4 (W.D. Wash. Mar. 21, 2022) (holding, in a criminal CFAA claim, that whether a “mistake or technological process rendered [the] defendant ‘authorized’ [to access servers] is properly resolved by the trier of fact”)). But Gittings-Barrera is not suing Facebook or Google for accessing her computer without authorization, so this is irrelevant. Moreover, she has not alleged any technological mistake that would make Thompson relevant. Gittings-Barrera also fails to allege that Memorial exceeded its authorized access. Under the CFAA, to exceed unauthorized access, Memorial must have entered into portions of Gittings-

Barrera’s computer and obtained information to which its access was not authorized. See Van Buren v. United States, 593 U.S. 374, 396 (2021) (holding that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer . . . that are off limits to him.”). The “exceeds authorized access” clause does not prohibit “downstream information misuse.” Id. Gittings- Barrera does not allege that Memorial entered into her computer or systems and gathered information beyond that typically provided through interaction with a publicly accessible website. Her allegations are, instead, that Memorial wrongly stored and shared the data it gained through her interaction with the website. Such claims ring not of exceeding authorized access but of “downstream information misuse.” Injuries of this kind are not actionable under the CFAA. Although, as Gittings-Barrera notes, “questions regarding a person’s authorized access and the scope of that authorization . . . are fact-intensive inquiries,” Moonlight Mountain Recovery v. McCoy, No. 1:24-cv-00012-BLW, 2024 WL 4027972, at *4 (D. Idaho 2024) (quotation marks omitted), CFAA claims based entirely on downstream information misuse are

plainly legally insufficient. Because the claim must be dismissed on these grounds, the Court need not address Memorial’s statute of limitations argument. Because Gittings-Barrera does not allege actionable harm under the CFAA, nor does she allege wrongful action covered by the CFAA, Memorial’s motion to dismiss with respect to Count XI is GRANTED. CONCLUSION For the foregoing reasons, Defendant Memorial Hospital Association’s Motion to Dismiss Pursuant to Federal Rule of Civil Procedure 12(b)(6) and Local Rule 7.1, ECF No. 9, is GRANTED IN PART and DENIED IN PART. Count I and II (negligence and negligence per

se), Count V (unjust enrichment), and Counts VII through X (Electronic Communications Privacy Act claims) are allowed to proceed. Counts III and IV (breach of express and implied contracts), Count VI (bailment), Count VII (Illinois Eavesdropping Statute), and Count XI (Computer Fraud and Abuse Act) are DISMISSED. Plaintiff Lacey Gittings-Barrera is granted leave to file an amended complaint, if she so desires, within fourteen days of entry of this Order. Defendant’s Motion for Leave to File a Reply Brief in Support its Motion to Dismiss, ECF No. 13, is GRANTED. The Clerk is directed to file the Reply, ECF No. 13-1, on the docket. Entered this 26th day of September, 2025. s/ Sara Darrow SARA DARROW CHIEF UNITED STATES DISTRICT JUDGE