Hannant v. Culbertson Memorial Hospital Foundation
This text of Hannant v. Culbertson Memorial Hospital Foundation is published on Counsel Stack Legal Research, covering District Court, C.D. Illinois primary law.
Opinion
UNITED STATES DISTRICT COURT CENTRAL DISTRICT OF ILLINOIS ROCK ISLAND DIVISION
ALANA HANNANT, individually, and on behalf of all others similarly situated, Plaintiff,
v.
SARAH D. CULBERTSON MEMORIAL HOSPITAL, Defendant.
Case No. 4:24-cv-04164-SLD-RLH
ORDER
Before the Court is Defendant Sarah D. Culbertson Memorial Hospital’s Motion to Dismiss Amended Class Action Complaint (“Motion to Dismiss”), ECF No. 16, and Unopposed Motion for Leave to File Reply in Support of Defendant’s Motion to Dismiss Amended Class Action Complaint (“Motion to Reply”), ECF No. 23. For the reasons that follow, the Motion to Dismiss is GRANTED IN PART and DENIED IN PART, and the Motion to Reply is GRANTED.
BACKGROUND1
Plaintiff Alana Hannant, a citizen of Illinois, on behalf of herself and others similarly situated, alleges that Defendant, a non-profit corporation headquartered in Illinois, wrongfully embedded third-party tracking technology on its website as well as its web-based tools and services (collectively “Online Platforms”). For example, Meta Platforms, Inc., formerly known as Facebook, offers online tracking technology—pixel trackers—that website operators can embed into their webpages to transmit information about their website’s visitors to Facebook. Facebook’s pixel tracker, the Meta Pixel, by default “tracks information about a website user’s device and the URLs and domains they visit” and may be configured to track more information, “including a visitor’s search terms, button clicks, and form submissions.” Am. Compl. ¶ 15, ECF No. 14. The Meta Pixel can also link this data “with an individual’s unique and persistent Facebook ID . . ., allowing a user’s health information to be linked with her Facebook profile.” Id. Other entities, including Google and Microsoft, offer similar pixel trackers.
Plaintiff and other putative class members’ information was collected by Defendant via the pixel trackers and disclosed to entities like Facebook for the purposes of online advertising. Plaintiff asserts that the information Defendant collected and disclosed constituted either Personally Identifying Information and/or Protected Health Information (collectively “Private Information”).2 Defendant had control over the pixel trackers, including the types of information they collected, which webpages contained them, and what they automatically communicated to third parties. Defendant chose to share, trade, or sell Plaintiff and other class members’ Private Information to third parties “in exchange for improved targeting and marketing services and reduced marketing costs.” Id. ¶ 127. “By installing the Meta Pixel on its Website, Defendant effectively planted a bug on Plaintiff’s and Class Members’ web browsers and compelled them to disclose Private Information and confidential communications to Facebook, without their authorization or knowledge.” Id. ¶ 16.
Plaintiff personally used Defendant’s Online Platforms to “find a specific physician, to research treatments, including information related to an MRI test, to search for treatment information; to find out how to obtain medical records; [and] to use the patient portal.” Id. ¶ 134. After doing so, “advertisements for MRI tests and advertisements for doctors treating back problems began appearing in her Facebook feed.” Id. ¶ 135.
Plaintiff filed her Complaint, ECF No. 1, on September 6, 2024 and received leave to file her Amended Complaint to correct “an inadvertent scrivener’s error” on February 5, 2025. See Feb. 5, 2025 Text Order (quoting Second Mot. File Am. Compl. ¶ 9, ECF No. 13). She invokes both the Court’s federal-question jurisdiction, 28 U.S.C. § 1331, and jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d). She seeks to represent a class of “[a]ll patients of Defendant residing in the United States whose Private Information was disclosed by Defendant to third parties through the Meta Pixel and related technology without authorization,” as well as an Illinois subclass of “[a]ll patients of Defendant who are Illinois Citizens and whose Private Information was disclosed by Defendant to third parties through the Meta Pixel and related technology without authorization.” Am. Compl. ¶¶ 205–06.
She asserts twelve counts on behalf of herself and the class: (I) negligence; (II) negligence per se; (III) invasion of privacy—intrusion upon seclusion; (IV) breach of implied contract; (V) unjust enrichment; (VI) breach of implied duty of confidentiality; (VII) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 ILCS 505/1–12; (VIII) violation of the Illinois Eavesdropping Statute (“IES”), 720 ILCS 5/14-1 to 14-9; (IX) violation of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510–2523, via interception; (X) violation of the ECPA via unauthorized divulgence by an electronic communications service; (XI) violation of the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701–2713; and (XII) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. Defendant seeks the dismissal of all twelve counts, see generally Mem. Supp. Mot. Dismiss, ECF No. 18, as well as the Court’s leave to file a reply in support of its Motion to Dismiss, see generally Mot. Reply. Plaintiff opposes the Motion to Dismiss in its entirety, see generally Resp. Mot. Dismiss, ECF No. 21, but does not oppose Defendant’s Motion to Reply.
1 At the motion to dismiss stage, the court “accept[s] as true all well-pleaded facts in the complaint, and draw[s] all reasonable inferences in [the nonmovant]’s favor.” Pierce v. Zoetis, Inc., 818 F.3d 274, 277 (7th Cir. 2016). Unless otherwise noted, the factual background is drawn from Plaintiff’s Amended Class Action Complaint, ECF No. 14.
2 Plaintiff’s definitions of Personally Identifying Information and Protected Health information are derived from federal regulations. See, e.g., Am. Compl. 1 nn.1–2. The parties dispute whether Plaintiff has sufficiently alleged that Defendant collected and disclosed information satisfying those definitions as well as whether the information is protectible under either federal or state law. The Court’s usage of “Private Information” does not constitute a finding on this question, which is analyzed in the context of the specific claims that Plaintiff asserts.
DISCUSSION
I. Motion to Reply
For all motions other than those for summary judgment, the Court’s Local Rules provide that “[a] reply to the response is only permitted with leave of Court.” Civil LR 7.1(B)(3). “Replies may be allowed for reasons including the non-movant’s introduction of new and unexpected issues in his response, and the interest of completeness.” Magnuson v. Exelon Corp., 658 F. Supp. 3d 652, 658 (C.D. Ill. 2023) (alterations and quotation marks omitted). Defendant seeks the Court’s leave to file a reply “[g]iven the number of claims, as well as their nature and complexity.” Mot. Reply ¶ 8. Defendant’s Motion to Reply is unopposed. Id. ¶ 9. Therefore, the Court grants such leave in the interest of completeness. Defendant’s Motion to Reply is GRANTED.
II. Motion to Dismiss
A. Legal Standard
A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). At the motion to dismiss stage, the key inquiry is whether the complaint is “sufficient to provide the defendant with ‘fair notice’ of the plaintiff’s claim and its basis.” Indep. Tr. Corp. v. Stewart Info. Servs. Corp., 665 F.3d 930, 934 (7th Cir. 2012) (quoting Erickson v. Pardus, 551 U.S. 89, 93 (2007)). While “detailed factual allegations are unnecessary, the complaint must have ‘enough facts to state a claim to relief that is plausible on its face.’” Pierce v. Zoetis, Inc., 818 F.3d 274, 277 (7th Cir. 2016) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A court must take “[t]he complaint’s well-pleaded factual allegations, though not its legal conclusions, . . . [as] true,” Phillips v. Prudential Ins. Co. of Am., 714 F.3d 1017, 1019 (7th Cir. 2013), and “draw all inferences in the light most favorable to the nonmoving party,” Vesely v. Armslist LLC, 762 F.3d 661, 664 (7th Cir. 2014).
B. Analysis
Following the parties’ briefing, the Court analyzes Plaintiff’s claims in three categories: (1) federal statutory; (2) state statutory; and (3) common law.3 The Court dismisses all claims except one but finds that Plaintiff may seek the Court’s leave to file amended versions. See, e.g., Runnion ex rel. Runnion v. Girl Scouts of Greater Chi. & Nw. Ind., 786 F.3d 510, 519 (7th Cir. 2015) (“[A] plaintiff whose original complaint has been dismissed under Rule 12(b)(6) should be given at least one opportunity to try to amend her complaint before the entire action is dismissed.”).
3 The parties use Illinois law for their arguments addressing Plaintiff’s common law claims. See Mem. Supp. Mot. Dismiss 18–30; Resp. Mot. Dismiss 19–30; Reply Mot. Dismiss 12–18, ECF No. 23-1. The Court therefore applies Illinois law to those claims. See, e.g., Selective Ins. Co. of S.C. v. Target Corp., 845 F.3d 263, 266 (7th Cir. 2016) (“If no party raises a choice of law issue to the district court, the federal court may simply apply the forum state’s substantive law.” (quotation marks omitted)), as amended (Jan. 25, 2017).
1. Federal Statutory Claims
a. Count IX: Interception in Violation of the Electronic Communications Privacy Act
In Counts IX and X, Plaintiff alleges that Defendant violated the ECPA, commonly known as the Wiretap Act. Am. Compl. ¶¶ 334–65. Specifically in Count IX, Plaintiff alleges violations of 18 U.S.C. § 2511(1)(a), (c), and (d). E.g., id. ¶¶ 342, 345–46. The ECPA “makes it unlawful to ‘intentionally intercept[ ], endeavor[ ] to intercept, or procure[ ] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.’” Stein v. Edward-Elmhurst Health, No. 23-cv-14515, 2025 WL 580556, at *3 (N.D. Ill. Feb. 21, 2025) (alterations in original) (quoting 18 U.S.C. § 2511(a)); see also id. (“A plaintiff must show that the defendant (1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.” (quotation marks omitted)). The ECPA excepts from liability persons who are “party to the communication . . . unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation” of federal or state law. 18 U.S.C. § 2511(2)(d). Therefore, Section 2511(2)(d) sets forth a “party exception,” to which the further “criminal or tortious exception” applies—one is normally not liable for intercepting her own communications but may be liable if her conduct satisfies the crime or tort exception. See, e.g., Kurowski v. Rush Sys. for Health (Kurowski I), 659 F. Supp. 3d 931, 937–39 (N.D. Ill. 2023).
The parties do not contest that Defendant was a party to the alleged communications but do dispute whether Plaintiff has plausibly invoked the crime-tort exception. Mem. Supp. Mot. Dismiss 4–7; Resp. Mot. Dismiss 5–8. They focus on whether Defendant’s usage of the pixel trackers without prior consent violates the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), 42 U.S.C. §§ 1320d to d-9. Generally, HIPAA provides for criminal and civil penalties against a person “who knowingly . . . discloses individually identifiable health information [(‘IIHI’)] to another person.” 42 U.S.C. § 1320d-6. IIHI is defined as:
[A]ny information, including demographic information collected from an individual, that—(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—(i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
42 U.S.C. § 1320d(6) (emphasis added).
When deciding whether a plaintiff has plausibly alleged that IIHI was obtained and improperly disclosed via a pixel tracker, courts seek to distinguish between tracking data derived from healthcare provider websites generally and tracking data which both relates to a specific individual’s health and reasonably can be used to identify that individual. As a rough analogy, the dividing line is somewhere between precise geolocation data showing that an individual ate in a hospital’s cafeteria and such data showing that an individual was in their primary care physician’s examination room—the latter could be the basis of a HIPAA violation; the former is probably just lunch.
For example, a court analyzed whether certain disclosure standards under HIPAA applied to the tracking of URLs which “point[ed] to pages containing information about treatment options for melanoma, information about a specific doctor, search results related to the phrase ‘intestine transplant,’ a wife’s blog post about her husband’s cancer diagnosis, and other publicly available medical information.” Smith v. Facebook, Inc., 262 F. Supp. 3d 943, 954–55 (N.D. Cal. 2017) (footnotes omitted), aff’d, 745 F. App’x 8 (9th Cir. 2018). The Smith court concluded that the tracked information did not relate “to the past, present, or future physical or mental health or condition of an individual,” because the “pages contain[ed] general health information that [wa]s accessible to the public at large,” such that HIPAA did not apply. Id. at 955; see also Kurowski I, 659 F. Supp. 3d at 935–36, 939 (finding that allegations that “patient IP addresses, patient cookie identifiers, device identifiers, account numbers, URLs, other unique identifying numbers, characteristics, or codes, and browser-fingerprints” were transmitted did not “support an inference that [the defendant] disclosed its patients’ [IIHI],” such that the plaintiff did not plausibly invoke the crime-tort exception to the ECPA (footnotes omitted) (quotation marks omitted)).
Another court considered an administrative challenge to guidance issued by the United States Department of Health and Human Services which sought to include within HIPAA’s ambit the disclosure of metadata connecting “(1) an individual’s IP address with (2) a visit to a [unauthenticated public webpage] addressing specific health conditions or healthcare providers.” Am. Hosp. Ass’n v. Becerra, 738 F. Supp. 3d 780, 789 (N.D. Tex. 2024). The court concluded that such a combination of data did not constitute a HIPAA violation in part because attributing IIHI status to that combination depended upon the visitor’s subjective motive for visiting that website—one would need to infer that the webpage’s visitor was a patient, as opposed to a public-health researcher or hospital employee, and the combination of metadata standing alone did not support such an inference. Id. at 801–04; see also id. at 803 (“Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).”).
Conversely, plaintiffs have succeeded in invoking the crime-tort exception via HIPAA violations by plausibly alleging that their patient status was captured in interceptions or disclosures showing that they had clicked “the ‘Schedule an Appointment’ button or click[ed] the physician’s phone number to schedule an appointment,” Kane v. Univ. of Rochester, No. 23-CV-6027-FPG, 2024 WL 1178340, at *5–7 (W.D.N.Y. Mar. 19, 2024), or had clicked a button to log in to a healthcare provider’s patient portal, In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 791–93 (N.D. Cal. 2022); see also Nienaber v. Overlake Hosp. Med. Ctr. (Nienaber II), No. 2:23-cv-01159-TL, 2025 WL 692097, at *5–6 (W.D. Wash. Mar. 4, 2025) (finding that the disclosure of an individual’s Facebook ID, as opposed to just an IP address, distinguished the instant case from the challenged administrative guidance in American Hospital Association and that the plaintiff “just barely demonstrate[d] that [her] interactions with [the d]efendant’s website plausibly relate[d] to the provision of health care” in part because she “allege[d] that she used the website to log in to [the d]efendant’s patient portal”). However, courts have found that even transmissions showing navigation to a page containing methods for scheduling an appointment or logging into a hospital’s patient portal are insufficient without further information demonstrating that the individual availed herself of those methods. See Doe v. Upperline Health, Inc., No. 1:23-cv-01261-RLY-CSW, 2024 WL 4953503, at *3 (S.D. Ind. Sept. 24, 2024); Williams v. TMC Health, No. CV-23-00434-TUC-SHR, 2024 WL 4364150, at *4 (D. Ariz. Sept. 30, 2024). Plausibility in this context turns on the details.
Here, Plaintiff’s allegations of her own experience, as opposed to a potential class member, lack the detail necessary to plausibly invoke the crime-tort exception via a HIPAA violation. See Am. Compl. ¶¶ 132–40. When discussing a potential class member, her allegations might be sufficient to invoke the crime-tort exception—as examples, she details how the acts of calling to schedule an appointment, calling a specific provider, and logging in to Defendant’s patient portals would be transmitted. Id. ¶¶ 102–03, 113–14, 118–24. But when discussing her own experiences, the specificity is replaced by vague generalities. She alleges that she “used the Website and Online Platforms to: find a specific physician, to research treatments, including information related to an MRI test, to search for treatment information; to find out how to obtain medical records; to use the patient portal, and more.” Id. ¶ 134. But she does not allege that she actually contacted any specific physician, that she actually obtained any of her medical records, nor even that she logged into the patient portal. Thus, the Amended Complaint is closer to the insufficient allegations of Upperline Health than the “just barely” plausible allegations of Nienaber II. She also alleges “[o]n information and belief” that Defendant disclosed information like her “status as a patient” and her “patient portal activity” but provides no detail as to what information was disclosed that demonstrated her patient status or what activities she took with respect to the patient portal. As the caselaw discussed above demonstrates, an allegation that patient status was disclosed, standing alone, is closer to a legal conclusion than a factual allegation. The necessary specificity about Plaintiff’s use of the Online Platforms is simply not part of the Amended Complaint. The Court is cognizant that discovery would likely be necessary to understand the exact mechanism of Defendant’s alleged interception, disclosure, or use of Private Information, see Kurowski v. Rush Sys. for Health (Kurowski IV), No. 22 C 5380, 2023 WL 8544084, at *3 (N.D. Ill. Dec. 11, 2023), but Plaintiff has access to her end of the equation, such as whether she used Defendant’s website to book an appointment or log into a patient portal. In sum, the eleven paragraphs related to Plaintiff’s personal experiences in her 388-paragraph-long Amended Complaint provide insufficient detail to conclude that she has plausibly alleged that her IIHI was improperly intercepted, disclosed, or used. See, e.g., Hartley v. Univ. of Chi. Med. Ctr. (Hartley I), No. 22 C 5891, 2023 WL 7386060, at *2 (N.D. Ill. Nov. 8, 2023) (dismissing ECPA claim where “there [wa]s an absolute dearth of information specific to Plaintiff as what was disclosed to Facebook that would plausibly be in violation of HIPAA”).
Plaintiff asserts that courts within the Seventh Circuit have found allegations similar to hers to be sufficient. See, e.g., Resp. Mot. Dismiss 4–5 (first citing Stein, 2025 WL 580556, at *6; then A.D. v. Aspen Dental Mgmt., Inc., No. 24 C 1404, 2024 WL 4119153, at *2–3 (N.D. Ill. Sept. 9, 2024); then Kurowski IV, 2024 WL 3455020, at *2; and then Hartley v. Univ. of Chi. Med. Ctr. (Hartley II), No. 22 C 5891, 2024 WL 1886909, at *1–2 (N.D. Ill. Apr. 30, 2024)). But she has not demonstrated that her allegations are sufficiently similar to any of those cases. Stein rejected the defendant’s argument that a financial motivation meant that it could not act with a criminal or tortious purpose and did not analyze whether the plaintiffs’ allegations about their own experiences were sufficient to plausibly allege a HIPAA violation. Stein, 2025 WL 580556, at *4–6. A.D. concluded without much explanation that the plaintiffs’ “allegations regarding their individual experiences using [the defendant]’s online platform—and the inferences drawn from those experiences—[we]re sufficient to plausibly allege that [the defendant] disclosed information regarding their personal health conditions and treatments to third parties.” A.D., 2024 WL 4119153, at *3. More on point are Kurowski and Hartley, both of which only allowed the ECPA claims to proceed after the plaintiffs satisfactorily amended their complaints. See Kurowski IV, 2024 WL 3455020, at *2 (noting that the allegations in the plaintiff’s first two complaints “were far too vague to allow an inference to be drawn that [the defendant] was actually disclosing IIHI as it is unambiguously defined by HIPAA, rather than just metadata” (quotation marks omitted)); Hartley II, 2024 WL 1886909, at *2 (similar). At this stage, Plaintiff’s allegations are closer to Kurowski I and Hartley I than Kurowski IV or Hartley II. More factual detail is required to find that Plaintiff has plausibly alleged that her IIHI, as opposed to a potential class member’s IIHI, was disclosed. Accordingly, Plaintiff has not demonstrated that the crime-tort exception should apply and Count IX is DISMISSED.
b. Counts X–XI: Status as Electronic Communication Service Provider under the Electronic Communications Privacy Act and Stored Communications Act
Plaintiff alleges in Count X that Defendant violated another part of the ECPA, specifically 18 U.S.C. § 2511(3)(a), because it provided an electronic communication service and intentionally divulged communications.4 Am. Compl. ¶¶ 353–65. Relatedly, she alleges in
4 The ECPA provides that:
a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication (other than one to such person or entity, or an agent thereof) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intended recipient.
18 U.S.C. § 2511(3)(a).
5 The SCA provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” 18 U.S.C. § 2702(a)(1).
Count XI that Defendant violated the SCA because it provided an electronic communication service, held communications in storage, and intentionally divulged the contents of those communications while they were in storage.5 Id. ¶¶ 366–82. The viability of both Counts X and XI turns on whether Defendant is plausibly an electronic communication service provider.
Both the ECPA and SCA define “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15); id. § 2711(1) (cross-referencing the definitions used in the ECPA, including 18 U.S.C. § 2510(15)). Defendant argues that it is not an electronic communication service provider because merely “[h]aving a public website does not transform [it] into a service provider under the ECPA or SCA.” Mem. Supp. Mot. Dismiss 9–10; see also id. at 10 (“The ‘majority of courts addressing [the statute’s scope] interpret the ECPA . . . to encompass only traditional “electronic communications services” such as internet service providers, electronic mail providers, telecommunications companies, and remote computing services.’” (alteration in original) (quoting St. Johns Vein Ctr., Inc. v. StreamlineMD LLC, 347 F. Supp. 3d 1047, 1064 (M.D. Fla. 2018))). Plaintiff responds that other courts have entertained ECPA claims and that one court rejected an interpretation of § 2510(15) that restricted its scope to only internet service providers. Resp. Mot. Dismiss 11–12. “[C]ompanies that merely purchase or use electronic communications services in the conduct of their ordinary business are not themselves electronic communications services.” Kurowski I, 659 F. Supp. 3d at 939–40 (N.D. Ill. 2023); see also Garner v. Amazon.com, Inc., 603 F. Supp. 3d 985, 1003–04 (W.D. Wash. 2022) (“A company that merely utilizes electronic communications in the conduct of its own business is generally considered a purchaser or user of the communications platform, not the provider of the service to the public.”). Plaintiff’s argument—that Defendant’s Online Platforms make it an electronic communication service
provider because “in the absence of Defendant’s Website, internet users could not send or receive communications regarding Plaintiff[’s] and Class Members’ Private Information,” [14] Am. Compl. ¶ 355—has been squarely rejected by another court in this district. See Doe 1 v. Chestnut Health Sys., Inc., No. 1:24-cv-01475-JEH-RLH, 2025 WL 1616635, at *12 (C.D. Ill. June 6, 2025) (“[T]here are many steps involved in an electronic communication that, in their absence, would have prevented the [p]laintiffs from communicating with the [d]efendant’s website. That alone does not make each step an electronic communication service.”); see also id. (collecting cases). This Court agrees—simply operating a website is not enough. Plaintiff’s contrary citations are distinguishable. Most of them shed no light on the issue at hand.6 The only potentially relevant citation is In re BetterHelp, Inc., No. 23-cv-01033-RS,
2024 WL 4504527, at *2 (N.D. Cal. Oct. 15, 2024), in which a court determined that the defendant had not “shown the statute should be construed so narrowly as to apply only to internet service providers.” But the court did not affirmatively decide that entities with websites provide electronic communication services. Instead, it found notable that the defendant “d[id] not merely receive its own customers’ communications electronically” but rather “allegedly facilitate[d] two-way electronic communications between its customers and third-party therapists.” Id. at *2 n.1. Plaintiff does not make any similar allegations that Defendant facilitated two-way communications between herself and third parties, such that In re BetterHelp is distinguishable. The Court finds that Plaintiff does not plausibly allege that Defendant is an electronic communication service provider, and therefore Counts X and XI are DISMISSED.
6 Without identifying any page of her cited decisions, Plaintiff asserts that courts “have concluded that ECPA claims have merit” in “the hospital website privacy context.” See Resp. Mot. Dismiss 11 (first citing Smith v. Loyola Univ. Med. Ctr., No. 23 CV 15828, 2024 WL 3338941 (N.D. Ill. July 9, 2024); then citing A.D., 2024 WL 4119153; then citing Kurowski IV, 2024 WL 3455020; and then citing Hartley II, 2024 WL 1886909). She also cites Amedisys Holding, LLC v. Interim Healthcare of Atl., Inc., 793 F. Supp. 2d 1302, 1316 (N.D. Ga. 2011). None of those cases address whether the mere provision of a website makes an entity an electronic communication service provider for purposes of § 2511(3)(a), such that they shed no light on the resolution of this dispute.
c. Count XII: Computer Fraud and Abuse Act
The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” and thereby obtaining “information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). Plaintiff alleges in Count XII that her and class members’ computers and mobile devices are “protected computers”7 and Defendant exceeded its authorized access to those protected computers. Am. Compl. ¶¶ 383–88. Defendant argues that Plaintiff has failed to allege that it exceeded its authorized access by “reach[ing] into any ‘off-limits areas’ of her or other potential class members’ computers.” Mem. Supp. Mot. Dismiss 10–11. Plaintiff responds that pixel trackers are analogous to cookies implanted in users’ computers, the use of which has previously been found to exceed authorized access. Resp. Mot. Dismiss 12–13. The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The Supreme Court clarified the scope of the CFAA in Van Buren v. United States, 593 U.S. 374 (2021). As relevant here, the Supreme Court noted “that the exceeds authorized access clause prohibits only unlawful information access, not downstream information misuse.” Van Buren, 593 U.S. at 395–96 (alteration and quotation marks omitted).
Here, Plaintiff’s allegations concern downstream information misuse. She does not allege that Defendant took some action to access or alter her hard drive, file architecture, or other information stored on her protected computers, i.e., hacking in the now-traditional sense of that term. Instead, she complains that, after she voluntarily shared with Defendant the fact that she was using its Online Platforms, Defendant subsequently misused that information by sharing it with entities like Meta or Google. E.g., Am. Compl. ¶ 104 (“Not only did [Defendant] disclose data about patients’ keyword searches, but it also shared information with Facebook when patients conducted searches for physicians.”). Such allegations of downstream information misuse do not support a CFAA claim in the wake of Van Buren. See Chestnut Health Sys., 2025 WL 1616635, at *13; Nienaber v. Overlake Hosp. Med. Ctr. (Nienaber I), 733 F. Supp. 3d 1072, 1096–97 (W.D. Wash. 2024); Allen v. Novant Health, Inc., No. 1:22-CV-697, 2023 WL 5486240, at *5 (M.D.N.C. Aug. 24, 2023). Plaintiff’s lone contrary citation, In re Toys R Us, Inc., Priv. Litig., No. 00-CV-2746, 2001 WL 34517252, at *9–12 (N.D. Cal. Oct. 9, 2001), is a pre-Van Buren case which analyzed the adequacy of the plaintiffs’ allegations of damages, not the predicate issue of whether the defendants had exceeded their authorized access. Plaintiff fails to persuade the Court that the use of cookies standing alone creates exposure to criminal and civil liability under federal law. Cf. Van Buren, 593 U.S. at 393 (noting that “the Government’s interpretation of the [CFAA] would attach criminal penalties to a breathtaking amount of commonplace computer activity” and describing this as an additional reason to reject the Government’s broad interpretation of the CFAA). Because Plaintiff does not plausibly allege that Defendant exceeded its authorized access, Count XII is DISMISSED.
7 The CFAA defines a protected computer in part as “a computer . . . which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” 18 U.S.C. § 1030(e)(2)(B).
2. State Statutory Claims
a. Count VII: Violation of the Illinois Consumer Fraud and Deceptive Business Practices Act
Plaintiff alleges in Count VII that Defendant violated the ICFA. Am. Compl. ¶¶ 289–309. The ICFA requires allegations “that the defendant committed a deceptive or unfair act with the intent that others rely on the deception, that the act occurred in the course of trade or commerce, and that it caused actual damages.” Benson v. Fannie May Confections Brands, Inc., 944 F.3d 639, 646 (7th Cir. 2019) (quotation marks omitted); see also Oliveira v. Amoco Oil Co., 776 N.E.2d 151, 160 (Ill. 2002) (articulating similar elements). The ICFA thus proscribes two categories of conduct: deceptive acts and unfair acts. Allegations of deceptive conduct must satisfy the heightened pleading standard of Federal Rule of Civil Procedure 9(b). Benson, 944 F.3d at 646. Whether based upon deceptive or unfair acts, showing actual damages requires “pecuniary loss.” Id. This requirement of actual damages limits the ICFA to “purely economic injuries.” Flores v. Aon Corp., 242 N.E.3d 340, 357 (Ill. App. Ct. 2023). “Actual damages must be calculable and measured by the plaintiffs[’] loss.” Morris v. Harvey Cycle & Camper, Inc., 911 N.E.2d 1049, 1053 (Ill. App. Ct. 2009) (quotation marks omitted). “The failure to allege specific economic damages precludes a claim brought under the [ICFA].” Flores, 242 N.E.3d at 357. The parties dispute whether Plaintiff adequately alleges that she incurred actual damages.
Mem. Supp. Mot. Dismiss 14–16; Resp. Mot. Dismiss 16–17. The Amended Complaint describes the following categories of harms:
a. Sensitive and confidential information that Plaintiff and Class Members intended to remain private is no longer private.
b. Defendant eroded the essential confidential nature of the doctor-patient relationship.
c. Defendant took something of value from Plaintiff and Class Members and derived benefit therefrom without Plaintiff’ [sic] and Class Members’ knowledge or informed consent and without sharing the benefit of such value.
d. Plaintiff and Class Members did not get the full value of the medical services for which they paid, which included Defendant’s duty to maintain confidentiality.
e. Defendant’s actions diminished the value of Plaintiff’ [sic] and Class Members’ personal information.
Am. Compl. ¶ 307. Plaintiff summarizes these allegations into three categories: (1) “Plaintiff’s lost benefit of the bargain” (i.e., that she “paid for medical services and confidentiality of information, which she did not receive”); (2) “diminished value of personal information”; and (3) “harm to privacy interests.” Resp. Mot. Dismiss 16. The Court addresses each category in turn. Beginning with the lost-benefit-of-the-bargain or overpayment theory of damages, the Seventh Circuit has previously recognized that an overpayment—i.e., the plaintiff paid more than she otherwise would have if she had fully known the nature of a product or service—could constitute a financial injury sufficient to support Article III standing. See, e.g., In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748, 751 (7th Cir. 2011) (“The plaintiffs’ loss is financial: they paid more for the toys than they would have, had they known of the risks the beads posed to children. A financial injury creates standing.”). However, the Seventh Circuit has repeatedly declined to expand this theory of standing beyond the product-liability context, limiting its application to cases in which “the product itself was defective or dangerous and [the plaintiffs] claim they would not have bought it (or paid a premium for it) had they known of the defect.” Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016); see also Dinerstein v. Google, LLC (Dinerstein II), 73 F.4th 502, 517–18 (7th Cir. 2023); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694–95 (7th Cir. 2015). In Lewert, the Seventh Circuit concluded that the overpayment theory “fare[d] no better” to show standing in federal court under the ICFA due to the statute’s requirement of actual damages. See Lewert, 819 F.3d at 968–69 (citing People ex rel. Madigan v. United Constr. of Am., Inc., 981 N.E.2d 404, 410–11 (Ill. App. Ct. 2012)).
Lewert implicitly holds, then, that an allegation that the plaintiff paid more than she otherwise would have for a product or service is insufficient to allege actual damages under the ICFA. Following Lewert, ICFA claims premised upon an overpayment theory of actual damages and
asserted against healthcare providers that allegedly utilized pixel trackers are often dismissed. See Kurowski II, 683 F. Supp. 3d at 846; A.D., 2024 WL 4119153, at *7–8; Doe v. Genesis Health Sys. (Genesis I), No. 23-cv-4209-JES-JEH, 2024 WL 3890164, at *14 (C.D. Ill. Aug. 21, 2024); Loyola Univ. Med. Ctr., 2024 WL 3338941, at *8. Plaintiff provides no persuasive argument that the cases above were wrongly decided.8 She points to In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 526 (N.D. Ill. 2011), for the idea that “allegations that plaintiffs lost money [are] sufficient to allege an ICFA claim.” Resp. Mot. Dismiss 16. As relevant to the instant case, the plaintiffs in In re Michaels premised their actual damages on the “monetary losses from unauthorized bank account withdrawals and/or related bank fees charged to their accounts.” In re Michaels, 830 F. Supp. 2d at 526.
Here, Plaintiff does not allege that she was subjected to any unauthorized withdrawals or that any fees were wrongfully charged to her—i.e., she does not allege any concrete pocketbook harms. Instead, her damages are premised on the idea that she would have paid less or not paid at all for Defendant’s healthcare, which is not a valid theory of actual damages outside of the product-liability context. Plaintiff’s lost benefit of the bargain is insufficient to maintain an ICFA claim. And for substantially similar reasons, her other two categories of actual damages, diminished value of personal information and harm to privacy interests, are also insufficient.
8 Plaintiff asserts that Kurowski II, A.D., Genesis I, and Loyola University Medical Center “go against the decisions of nearly fifty courts across the country,” directing the Court to an exhibit which simply lists forty-seven cases. Resp. Mot. Dismiss 16 (citing Online Tracking Technology Motion to Dismiss Orders Allowing Consumer Protection Claims, Resp. Mot. Dismiss Ex. A-9, ECF No. 21-1 at 25–26). The Court already gave Plaintiff leave to file an oversized response, see Mar. 20, 2025 Text Order, and finds this exhibit and the others like it to be improper attempts to further stretch the page limits imposed by Civil Local Rule 7.1(B)(4). Even if the Court were to ignore this length manipulation, “Plaintiff does not explain the facts, relate them to this case, or compare the law in these states to Illinois tort law,” and the Court will not “review hundreds of cases and make Plaintiff’s argument for her.” Genesis I, 2024 WL 3890164, at *1. Plaintiff may not rely on such perfunctory argumentation, such that the Court does not consider Exhibit A-9 nor the other exhibits like it. See, e.g., Hakim v. Safariland, LLC, 79 F.4th 861, 872 (7th Cir. 2023) (“[The defendant]’s arguments are wholly lacking, and we have made clear that such perfunctory and undeveloped arguments, and arguments that are unsupported by pertinent authority, are waived.” (quotation marks omitted)).
The same four cases cited above—Kurowski II; A.D.; Genesis I; and Loyola University Medical Center—additionally rejected these two categories as plausibly alleging pecuniary loss and Plaintiff again provides no persuasive argument as to why those cases were wrongly decided. More specifically, as to diminished value of personal information, an Illinois appellate court found that materially identical allegations were insufficient under the ICFA, noting in relevant part that “[a]ctual damages must be calculable.” Flores, 242 N.E.3d at 357 (quotation marks omitted). Moreover, Kurowski II highlighted the dearth of allegations “that would allow an inference to be drawn that she sought to monetize her own data, or that her ability to do so was diminished by [the defendant]’s practices.” Kurowski II, 683 F. Supp. 3d at 846–47. The same is true here, as Plaintiff does not allege that she ever sought to sell her own information. Any
inference that she would have participated in such a marketplace is belied by the general thrust of her lawsuit, which seeks to prevent any further disclosures of her personal information. See Am. Compl. 91. Finally, as to harm to privacy interests, the ICFA is not a statute which specifically seeks to protect privacy rights. See Khorloo v. John C. Heath Att’y at L., PLLC, No. 18-cv-01778, 2020 WL 1530735, at *2 (N.D. Ill. Mar. 31, 2020) (noting a lack of “any Illinois case law suggesting that privacy violations . . . provide a basis for actual damages under the ICFA” and that “[i]t seem[ed] unlikely that the statute allows plaintiffs to recover damages for privacy violations because the ICFA is concerned with fraudulent or unfair advertising, not with individual privacy rights”). Even if the ICFA was concerned with privacy rights, Illinois courts have made clear that such a privacy violation standing alone would be insufficient to create actual damages. When the Illinois Supreme Court found that the Biometric Information Privacy Act, 740 ILCS 14/1–99, did not require a showing “beyond violation of the rights conferred by
the statute,” it pointed to the ICFA as a counterexample, i.e., a statute requiring actual damages. Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197, 1204 (Ill. 2019). In sum, Plaintiff has not plausibly alleged that she suffered any actual damages, as required by the ICFA, such that Count VII is DISMISSED.
b. Count VIII: Violation of the Illinois Eavesdropping Statute
In Count VIII, Plaintiff alleges that Defendant violated the IES. Am. Compl. ¶¶ 310–33. Of the five methods for establishing liability under section 14-2(a) of the IES, Plaintiff invokes 720 ILCS 5/14-2(a)(2) and (a)(5).9 Id. ¶¶ 311–12. The IES prohibits a person from “knowingly and intentionally” “[u]s[ing] an eavesdropping device, in a surreptitious manner, for the purpose of transmitting or recording all or any part of any private conversation to which he or she is a party unless he or she does so with the consent of all other parties to the private conversation.” 720 ILCS 5/14-2(a)(2). The IES also prohibits a person from “knowingly and intentionally” “[u]s[ing] or disclos[ing] any information which he or she knows or reasonably should know was obtained from a private conversation or private electronic communication in violation of [the IES], unless he or she does so with the consent of all of the parties.” Id. § 5/14-2(a)(5). The two subsections invoked by Plaintiff operate differently based on the type of communication at issue and whether the defendant was a party to that communication.
9 Plaintiff purports to invoke “720 Ill. Comp. Stat 5/14-2(a), -4,” but the language quoted in the Amended Complaint is found in sections 5/14-2(a)(2) and (a)(5). See [14] Am. Compl. ¶¶ 311–12.
Defendant first argues that Plaintiff cannot state a claim under section 5/14-2(a)(2) because that section applies only to private conversations, i.e., oral communications, and does not apply to private electronic communications. Mem. Supp. Mot. Dismiss 17. Plaintiff responds that “the IES is not limited to literal ‘oral’ communications.” Resp. Mot. Dismiss 18.
A “[p]rivate conversation” is defined as “any oral communication between 2 or more persons, whether in person or transmitted between the parties by wire or other means, when one or more of the parties intended the communication to be of a private nature under circumstances reasonably justifying that expectation,” 720 ILCS 5/14-1(d) (emphasis added), whereas a “[p]rivate electronic communication” is defined as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or part by a wire, radio, pager, computer, electromagnetic, photo electronic or photo optical system, when the sending or receiving party intends the electronic communication to be private under circumstances reasonably justifying that expectation,” id. § 5/14-1(e). Multiple courts have attributed significance to the separate definitions and varying
methods of imposing liability for private conversations as compared to private electronic communications, dismissing claims asserted under section 14-2(a)(2) which did not involve any oral communications. See Mayer v. Midwest Physician Admin. Servs., LLC, No. 23-cv-3132, 2025 WL 963779, at *4 (N.D. Ill. Mar. 31, 2025) (“Because [p]laintiffs complain about typed communications and not oral ones, they have not alleged a Section 14-2(a)(2) violation.”); see also Chestnut Health Sys., 2025 WL 1616635, at *9; Stein, 2025 WL 580556, at *6–7; A.D., 2024 WL 4119153, at *4. Plaintiff does not allege that Defendant intercepted any out-loud, verbal communications but rather the records and contents of the pages she viewed and other silent interactions with Defendant’s Website and Online Platforms. See Am. Compl. ¶¶ 132–42. These allegations do not support finding that a private conversation, as that term is used by the IES, was transmitted, recorded, used, or disclosed. See, e.g., A.D., 2024 WL 4119153, at *4 (“The difference in these definitions suggests legislative intent to distinguish between the disclosure of conversations, like those occurring in-person or over the phone, and electronic
communications, like the private user data and appointment scheduling information at issue here.”). Plaintiff’s response fails to address Defendant’s argument that she insufficiently alleges the transmission, recording, use, or disclosure of a private conversation. She argues that “[t]he IES explicitly states that the civil cause of action applies to ‘[a]ny or all parties to any conversation or electronic communication.’” Resp. Mot. Dismiss 18 (second and third alteration in original) (quoting 720 ILCS 5/14-6). And she cites to cases for the proposition that “Illinois has implicitly recognized the applicability of the IES to electronic, written messages.” Id. But no one is arguing that the IES in its entirety is limited to solely out-loud, verbal communications. Instead, Defendant is arguing that Plaintiff fails to state a claim under one of the specific
subsections that she invokes in her complaint—section 14-2(a)(2)—which is limited to “private conversations.” Plaintiff fails to directly engage with this argument and her cited authorities do not address the question.10 The Court finds that Plaintiff does not plausibly allege that Defendant surreptitiously recorded any private conversations as defined by the IES, such that her section 14-2(a)(2) claim fails.
10 Plaintiff’s reliance upon section 14-6 as defining the scope of section 14-2(a)(2) puts the cart before the horse because section 14-6 still requires allegations of a “conversation or electronic communication upon which eavesdropping is practiced contrary to th[e IES].” 720 ILCS 5/14-6. Plaintiff still needs to plausibly allege liability under the IES, and the general usage of “conversation or electronic communication” in the remedial provision that is section 14-6 does not override the delineated subsections for liability within section 14-2(a) nor the definitions in sections 14-1(d)–(e). Plaintiff’s cited cases also miss the mark. See Resp. Mot. Dismiss 18 (first citing People v. Gariano, 852 N.E.2d 344, 348 (Ill. App. Ct. 2006); and then citing Peters v. Mundelein Consol. High Sch. Dist. No. 120, No. 21 C 0336, 2022 WL 393572, at *11 (N.D. Ill. Feb. 9, 2022)). Gariano sheds no light on the scope of “private conversation”—that decision interpreted an older version of the IES, finding that certain AOL chatlogs were not “electronic communications” because the undercover police officer who was party to the communications “had no intention of keeping the conversations private.” Gariano, 852 N.E.2d at 345, 349. Gariano is now outdated in light of the 2014 amendments to the IES. See, e.g., Cook Au Vin, LLC v. Mid-Century Ins. Co., 226 N.E.3d 694, 703 (Ill. App. Ct. 2023) (noting the 2014 amendment to the IES expanded liability under the IES to situations where “one or more of the parties intended the communication to be of a private nature” as opposed to requiring that all parties intended as such (quoting 720 ILCS 5/14-1(d))). While Peters at least construes the current version of the IES, it is inapposite because it analyzed whether a teacher had a reasonable expectation of privacy in her lectures, not whether the online Zoom class counted as a private conversation. See Peters, 2022 WL 393572, at *11–12.
Defendant’s second argument concerns section 14-2(a)(5) and its relationship with the other subsections of 14-2(a). For context, section 14-2(a)(5) prohibits using or disclosing information that “was obtained from a private conversation or private electronic communication in violation of th[e IES].” 720 ILCS 5/14-2(a)(5). Stated differently, there must be adequate allegations of a violation of another subsection of section 14-2(a) to invoke section 14-2(a)(5). Sections 14-2(a)(1) and 14-2(a)(2) concern private conversations, and as explained above, Plaintiff’s allegations regarding private conversations are insufficient. Nor is section 14-2(a)(4) implicated here.11 Thus, to invoke section 14-2(a)(5), Plaintiff must first adequately allege a violation of 14-2(a)(3). Defendant asserts that Plaintiff cannot invoke section 14-2(a)(3) because Defendant was undisputedly a party to the at-issue conversations. Mem. Supp. Mot. Dismiss 17–18; Reply Mot. Dismiss 11, ECF No. 23-1. Plaintiff’s only response is that section 14-2(a) as a whole may apply to communications to which the defendant was not a party. Resp. Mot. Dismiss 18–19. Plaintiff does not engage with the relationship between the different subsections of 14-2(a). Section 14-2(a)(3) only applies to “private electronic communication[s] to which [the defendant] is not a party,” 720 ILCS 14-2(a)(3), and Defendant was undisputedly party to the at-issue communications. Plaintiff cannot rely upon section 14-2(a)(3), nor any of the other first four subsections of 14-2(a), and therefore cannot rely upon section 14-2(a)(5). See Mayer, 2025 WL 963779, at *4 (“Plaintiffs must first allege a violation of Section 14-2(a)(1), (a)(2), (a)(3), or (a)(4) to plead a claim under Section 14-2(a)(5)”); see also Chestnut Health Sys., 2025 WL 1616635, at *10; Stein, 2025 WL 580556, at *7–8. In sum, Plaintiff has not adequately alleged a violation of any part of section 14-2(a) and Count VIII is DISMISSED.
11 Section 14-2(a)(4) imposes liability against any person who “knowingly and intentionally” “[m]anufactures, assembles, distributes, or possesses any electronic, mechanical, eavesdropping, or other device knowing that or having reason to know that the design of the device renders it primarily useful for the purpose of [violating the IES].” Plaintiff does not allege that Defendant violated section 14-2(a)(4) by utilizing the at-issue tracking technologies. See Am. Compl. ¶¶ 310–33; Stein, 2025 WL 580556, at *8 (reaching the same conclusion).
3. Common Law Claims
a. Counts I–II: Damages for Negligence and Negligence Per Se
Plaintiff alleges in Count I that Defendant negligently handled her and other class members’ Private Information, Am. Compl. ¶¶ 225–34, and alleges in Count II that Defendant is liable under a negligence per se theory for the same conduct, id. ¶¶ 235–46. To state a negligence claim, a plaintiff must plead “that the defendant owed a duty of care to the plaintiff, that the defendant breached that duty, and that the breach was the proximate cause of the plaintiff’s injuries.” Cowper v. Nyberg, 28 N.E.3d 768, 772 (Ill. 2015). For a negligence per se claim, the plaintiff must plead that the defendant violated a statute or ordinance designed to
protect human life, that she is in the class of people protected by the statute, and that her injury is of the type the statute was intended to protect against; she must also plead that “the defendant’s violation of the statute proximately caused the injury.” See, e.g., Wittmeyer v. Heartland All. for Hum. Needs & Rts., No. 23 CV 1108, 2024 WL 182211, at *3 (N.D. Ill. Jan. 17, 2024) (citing Kalata v. Anheuser-Busch Cos., Inc., 581 N.E.2d 656, 434 (Ill. 1991)). Defendant argues that both Counts I and II should be dismissed for inadequate allegations of compensable injury. Mem. Supp. Mot. Dismiss 18–22. Plaintiff disagrees. Resp. Mot. Dismiss 19–23.12
12 Defendant does not argue that Plaintiff fails to sufficiently allege the existence of a duty to properly safeguard the Private Information or that Defendant breached such a duty—i.e., unlike Defendant’s arguments against Plaintiff’s attempt to invoke HIPAA as part of her ECPA claim, here Defendant does not argue that the alleged disclosures related to insufficiently private information. Cf. Kurowski II, 683 F. Supp. 3d at 851 (finding that the plaintiff “alleged a claim for breach of contract irrespective of whether the disclosures she alleges [the defendant] made to the third parties contained confidential health information as contemplated by the laws that protect the disclosure of such information”).
Plaintiff invokes five categories of harms:
(i) increased risk of future harm and “lost time and money incurred to mitigate and remediate the effects of use of her information” for targeted advertisements; (ii) diminution in value of her personal information, which is purportedly worth less due to [Defendant’s] conduct; (iii) “lost benefit of her bargain”; (iv) “embarrassment, humiliation, frustration, and emotional distress” from loss of privacy or control of her personal information; and (v) use of her private information for advertising purposes.
Mem. Supp. Mot. Dismiss 18–19 (quoting Am. Compl. ¶¶ 231–32, 244). The Court need only consider the fourth category—emotional harms—because the Court finds that such harms are compensable injuries under Illinois law in this pixel tracker context. The Court in Loyola University Medical Center found that allegations that the plaintiffs “suffered fear, anxiety and worry about the status of, and the loss of control over, their private health information” were “sufficient to state a negligence claim under Illinois law, including in the data privacy context.” Loyola Univ. Med. Ctr., 2024 WL 3338941, at *7 (quotation marks omitted). Other courts have reached similar conclusions. See In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 587 (N.D. Ill. 2022) (“There can be no dispute that [the p]laintiffs have alleged present injuries or damages; for instance, all allege experiencing emotional harms such as anxiety and increased concerns for the loss of privacy. These types of non-economic damages are recoverable under Illinois law.” (citations omitted)); see also M.C. v. E. Side Health Dist., No. 3:24-CV-01336-NJR, 2025 WL 435992, at *4 (S.D. Ill. Feb. 7, 2025). Defendant asserts that these cases were incorrectly decided because those courts “overlooked a longstanding principle of Illinois law.” Reply Mot. Dismiss 12–13 & n.7. A careful examination of Illinois negligence law reveals that those cases are still consistent with the principle that Defendant discusses. Under Illinois law, the requirements for a plaintiff to assert a cause of action for negligent infliction of emotional distress (“NIED”) differ depending upon whether the plaintiff was a
direct victim or a bystander—a direct victim “must include an allegation of contemporaneous physical injury or impact,” i.e., allegations satisfying the impact rule, Schweihs v. Chase Home Fin., LLC, 77 N.E.3d 50, 59 (Ill. 2016), whereas “a bystander must show physical injury or illness as a result of the emotional distress, caused by the defendant’s negligence and not a contemporaneous physical injury or impact,” i.e., allegations satisfying the zone-of-danger rule, id. at 58. Defendant correctly notes “there was confusion in the courts,” Reply Mot. Dismiss 12 n.7, regarding the differing standards for direct victims and bystanders asserting a cause of action for NIED, see Cochran v. Securitas Sec. Servs. USA, Inc., 93 N.E.3d 493, 499 (Ill. 2017) (noting this confusion but stating that the Illinois Supreme Court “ha[d] since clarified that the impact rule remains the law for direct victims of a defendant’s negligence, whereas bystanders’ claims
are now governed by the zone-of-danger rule.” (citing Schweihs, 77 N.E.3d at 61)). Defendant asserts that the courts that decided emotional damages were available for negligence claims in pixel tracker cases relied on cases decided during this period of confusion, such that the Court should decline to follow their reasoning. See Reply Mot. Dismiss 12–13 & n.7. However, Defendant concedes that the Illinois Supreme Court has also recognized that “certain actionable wrongs that carry with them the right to recover damages for the resulting emotional distress even without any physical harm.” Id. at 13 (citing Cochran, 93 N.E.3d at 502). Thus, the question presented by the parties’ briefing is best understood as whether Plaintiff has sufficiently alleged an actionable wrong that allows her to recover emotional damages without alleging physical harm. In Cochran, the Illinois Supreme Court noted that a direct victim of negligence who does not satisfy the impact rule may still recover emotional damages if “the infliction of emotional
distress is not itself the wrong that was committed but rather is part and parcel of the damage that results from the wrong that was committed.” Cochran, 93 N.E.3d at 502. Cochran discussed the tort for negligent interference with the right to possess a corpse, see id. at 503, and Defendant asserts that Plaintiff has not identified an “Illinois state court case holding that a pixel case constitutes” a similar harm, Reply Mot. Dismiss 13. But Defendant is the party seeking to dismiss Plaintiff’s claim. Plaintiff has pointed to pixel tracker cases rejecting Defendant’s initial argument. It is not Plaintiff’s burden to have anticipated Defendant’s reply and located cases refuting Defendant’s overbroad statement of what is required to recover emotional damages under Illinois law. Here, Plaintiff asserts that Defendant negligently handled her private information, and as a result she suffered emotional damages. In other words, the infliction of
emotional distress was not itself the wrong, but rather the damage that resulted from the mishandling of her private information. Therefore, under a proper understanding of the longstanding principle of Illinois law identified by Defendant, Plaintiff’s alleged emotional damages may be sufficient to maintain a cause of action for negligence. See Cochran, 93 N.E.3d at 502. The Court is unpersuaded by Defendant’s reliance on Manley v. Law, 889 F.3d 885, 892 (7th Cir. 2018). Reply Mot. Dismiss 12–13. In Manley, the Seventh Circuit rejected the suggestion that there was a freestanding liberty interest in emotional wellbeing for purposes of a procedural due process claim. Manley, 889 F.3d at 892. Defendant points to Manley as setting forth a general principle under Illinois law for any allegations of emotional harms stemming from tortious conduct which do not include an allegation of physical harm. Reply Mot. Dismiss 12–13 (“[W]hen a tortious act causes no physical harm, emotional damages are available only if the act was extreme or outrageous and undertaken with the knowledge and intent that the action
would likely result in severe emotional harm.” (quoting Manley, 889 F.3d at 892 (citing Schweihs, 77 N.E.3d at 59, 63))). Yet Defendant’s quote from Manley is based upon what is required under Illinois law to maintain a cause of action for intentional infliction of emotional distress (“IIED”), not negligence generally. See Schweihs, 77 N.E.3d at 63 (reciting the same elements—(1) extreme and outrageous conduct; (2) intent or knowledge of high probability to cause emotional distress; and (3) causation of severe emotional distress—for maintaining an IIED cause of action, not just torts generally). The Court is unpersuaded that intentional conduct is a prerequisite to recovering emotional damages for direct victims who were not physically harmed because Cochran establishes that such damages may still be available if they are the result of a wrongful act, as opposed to the wrongful act itself.
Defendant also points to cases relying on Wadsworth v. Kross, Lieberman & Stone, Inc., 12 F.4th 665, 668 (7th Cir. 2021), to argue that Plaintiff’s “general allegations that the incident may cause loss of privacy and emotional distress are . . . insufficient to support the damages element of her claim.” Mem. Supp. Mot. Dismiss 21. But those cases are distinguishable. Wadsworth concluded that “anxiety and embarrassment are not injuries in fact” sufficient to confer Article III standing in the context of a bare procedural violation of the Fair Debt Collection Practices Act, 15 U.S.C. §§ 1692–1692p. Wadsworth, 12 F.4th 667–68. Wadsworth is distinguishable because it does not speak to whether similar harms are cognizable under Illinois negligence law. See M.C., 2025 WL 435992, at *4 (“If Plaintiff alleged that Defendants failed to comply with a federal data protection statute, without a data breach ever having taken place, then Wadsworth may be more analogous. But that is not the case here.”). Finally, Defendant points to Maglio v. Advocate Health & Hospitals Corporation, 40 N.E.3d 746, 756 (Ill. App. Ct. 2015), and two other cases discussing Maglio. Mem. Supp. Mot.
Dismiss 19. Maglio found that emotional distress due to an increased risk that the plaintiffs’ data was “being viewed and used in a malicious way” was too “speculative and conclusory” to support standing. Maglio, 40 N.E.3d at 755. But Illinois courts have understood Maglio to mean that “the risk of identity theft or fraud can create standing . . . if the risk of identity theft is imminent or certainly impending.” Flores, 242 N.E.3d at 351. “A mere increased risk of identity theft is not enough.” Id. The court in Flores found that the plaintiffs’ allegations of injury were sufficient under Maglio because the plaintiffs “allege[d] that they ha[d] already experienced fraudulent charges and spam messaging.” Id. Similarly, here, Plaintiff alleges that her and other class members’ Private Information was affirmatively shared with advertisers and that she has already received advertisements based on the Private Information that she shared
with Defendant. E.g., Am. Compl. ¶¶ 134–35. Such a risk is sufficiently imminent and impending, not merely speculative and conclusory. In sum, Plaintiff’s allegations of emotional distress due to Defendant’s mishandling of her private information are sufficient to withstand Defendant’s Motion to Dismiss.
b. Count II: Liability for Negligence Per Se
Plaintiff alleges in Count II that Defendant is liable under a negligence per se theory, pointing to a litany of statutes and regulations which Defendant allegedly violated. Am. Compl. ¶¶ 235–46. Specifically, Plaintiff invokes the following laws:
FTC Act, HIPAA, the HIPAA Privacy Rule and Security Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E (“Standards for Privacy of Individually Identifiable Health Information”), and Security Rule (“Security Standards for the Protection of Electronic Protected Health Information”), 45 C.F.R. Part 160 and Part 164, Subparts A and C and the other sections identified above, and Illinois law, including the Illinois Medical Patient Rights Act (“MPRA”), 410 Ill. Comp. Stat. 50/3(d), and the Illinois Personal Information Protection Act (“IPIPA”), 815 Ill. Comp. Stat. 530/5, /45, et seq., . . . .
Id. ¶ 237. Defendant argues that Count II must be dismissed because “Plaintiff does not identify any statute or regulation that imposes strict liability or sufficiently allege [that Defendant] violated such statute.” Mem. Supp. Mot. Dismiss 22–23. Plaintiff responds that she “does not assert a standalone negligence per se claim, but one that runs alongside her negligence claim.” Resp. Mot. Dismiss 23–24. Sufficient allegations that a “statute or ordinance designed to protect human life or property” was violated “is prima facie evidence of negligence” and recovery is allowed if the plaintiff also alleges “that ‘the violation proximately caused his injury and the statute or ordinance was intended to protect a class of persons to which he belongs from the kind of injury that he suffered.’” Flores, 242 N.E.3d at 354 (quoting Kalata, 581 N.E.2d at 661). Negligence per se is distinct from prima facie evidence of negligence based on the violation of a statute: “A violation of a statute only constitutes negligence per se (which would mean strict liability) if the legislature clearly intends for the act to impose strict liability.” Id. at 355 (citing Abbasi ex rel. Abbasi v. Paraskevoulakos, 718 N.E.2d 181, 186 (Ill. 1999)). Because Plaintiff makes no attempt to argue that the sources of law which she identified were intended to impose strict liability, the Court construes Count II as another negligence claim that is based on violation of a statute.
c. Count III: Invasion of Privacy—Intrusion upon Seclusion
Plaintiff alleges in Count III that Defendant invaded her and other class members’ privacy via a theory of intrusion upon seclusion. Am. Compl. ¶¶ 247–58. Defendant argues that this claim must be dismissed because Plaintiff’s allegations concern an unauthorized disclosure of information, as opposed to an unauthorized intrusion to obtain information. Mem. Supp. Mot. Dismiss 23–24.
Plaintiff’s response collapses the distinction between intrusion and disclosure, asserting that Defendant “intruded on her solitude, seclusion, and private affairs by utilizing
invisible pixel trackers to disclose her Private Information.” Resp. Mot. Dismiss 24–25 (emphasis added). Illinois recognizes intrusion upon seclusion as a tort. See Lawlor v. N. Am. Corp. of Ill., 983 N.E.2d 414, 425 (Ill. 2012). “The basis of the tort is not publication or publicity. Rather, the core of this tort is the offensive prying into the private domain of another.” Lovgren v. Citizens First Nat. Bank of Princeton, 534 N.E.2d 987, 989 (Ill. 1989); see also Brown, 2025 WL 81340, at *8 (“It is the intrusion itself that creates liability, not any subsequent publication or disclosure.” (quotation marks omitted)). As with the issues inherent in Plaintiff’s CFAA claim, the issue here is that Plaintiff’s allegations concern a subsequent disclosure of information, not a wrongful initial acquisition of information. Plaintiff voluntarily utilized Defendant’s Online Platforms, thereby volunteering
the information which she asserts was wrongfully disclosed. Courts in Illinois have routinely found that such subsequent disclosures cannot support an intrusion upon seclusion claim. See Brown, 2025 WL 81340, at *8; Genesis I, 2024 WL 3890164, at *12–13; In re Mondelez Data Breach Litig., Nos. 23 C 3999, 23 C 4249, 2024 WL 2817489, at *8 (N.D. Ill. June 3, 2024); Hartley I, 2023 WL 7386060, at *2–3. Plaintiff asserts that her allegations are distinct because Defendant sought out and embedded the pixel trackers and could have made different decisions about how they were configured. Resp. Mot. Dismiss 25. This is a distinction without a difference—that Defendant allegedly automated its wrongful disclosures of Plaintiff’s information does not make Defendant’s acquisition of that information intrusive.13 Because Plaintiff fails to adequately allege a wrongful intrusion under Illinois law, Count III is DISMISSED.
d. Count IV: Breach of Implied Contract
Plaintiff alleges in Count IV that Defendant breached an implied contract between the parties. Am. Compl. ¶¶ 259–69. Defendant advances three arguments in favor of dismissing Count IV: (1) lack of mutual assent; (2) lack of consideration; and (3) lack of actual money damages. Mem. Supp. Mot. Dismiss 24–26. Plaintiff responds that she provided monetary compensation in exchange for medical care, and an implied condition of that care’s provision was a promise to keep secure her private information. Resp. Mot. Dismiss 26–27. Additionally, she asserts that her alleged damages are cognizable in a breach of implied contract action. Id. Defendant’s first two arguments are improper attempts to impose express-contract requirements onto an implied contract. Plaintiff alleges that Defendant’s Privacy Policy states that it would not share a patient’s information for marketing purposes nor sell such information without first
obtaining written permission. See, e.g., Am. Compl. ¶ 85. Multiple courts have rejected arguments similar to those advanced by Defendant under these circumstances, noting that in today’s technological age it is implied that entrusting another with private information comes with a commensurate expectation that such information will be kept secure. See Flores, 242 N.E.3d at 355–56; In re Mondelez Data Breach Litig., 2024 WL 2817489, at *7; Wittmeyer, 2024 WL 182211, at *5; M.C., 2025 WL 435992, at *5.
13 The Court is not persuaded by Plaintiff’s citation to Lamarr v. Goshen Health System, Inc., 2024 Ind. Super. LEXIS 107, *17, which applied Indiana law and did not address the voluntary nature of the plaintiff’s utilization of the defendant’s online offerings. See Resp. Mot. Dismiss 25; Lamarr, 2024 Ind. Super. LEXIS, at *17 (“The [c]ourt is not convinced that . . . Indiana case law forecloses [the p]laintiff’s ability to assert a claim for intrusion upon seclusion on the facts alleged.”)).
However, Plaintiff’s allegations of monetary damages are insufficient to support a claim for breach of implied contract. “To successfully make a breach of implied contract claim, a plaintiff must allege actual monetary damages.” Flores, 242 N.E.3d at 356. Sufficient allegations of actual monetary damages require “an actual loss or measurable damages resulting
from the breach.” Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 832 (Ill. 2005). Plaintiff describes her damages as:
[M]onetary damages; loss of privacy; unauthorized disclosure of Private Information; unauthorized access to Private Information by third parties; use of the Private Information for advertising purposes; embarrassment, humiliation, frustration, and emotional distress; decreased value of Private Information; lost benefit of the bargain; and increased risk of future harm resulting from further unauthorized use and disclosure of their information.
Am. Compl. ¶ 268.14 These allegations can be grouped into six categories: (1) emotional harms; (2) overpayment; (3) diminution in value of Plaintiff’s data; (4) privacy harms; (5) increased risk of future harm; and (6) advertising-usage harms. The first three categories are plainly insufficient. Emotional harms are not cognizable contract damages absent allegations that “the breach was wanton or reckless and caused bodily harm, or where defendant had reason to know, when the contract was made, that its breach would cause mental suffering for reasons other than mere pecuniary loss.” Dinerstein v. Google, LLC (Dinerstein I), 484 F. Supp. 3d 561, 590–91 (N.D. Ill. 2020) (quoting Parks v. Wells Fargo
14 Plaintiff mischaracterizes the Amended Complaint in her briefing when she invokes damages due to “lost time and money incurred to mitigate and remediate the effects of use of Private Information.” Resp. Mot. Dismiss 26–27 (citing Am. Compl. ¶¶ 142, 268). Allegations of money expended in response to the wrongful disclosures may have been sufficient. See Olson v. Ferrara Candy Co., 2025 IL App (1st) 241126, ¶¶ 11, 63 (finding that the plaintiff’s allegation that he bought a credit monitoring service and incurred monthly charges after a data breach was sufficient to plead actual monetary damages under an implied-contract theory); M.C., 2025 WL 435992, at *1, *6 (finding that the plaintiff’s allegations related to “out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance, and/or other Breach risk mitigation products” as well as “the cost of placing a credit freeze” were sufficient to supply the necessary damages for a claim of breach of implied contract). But the cited paragraphs of the Amended Complaint are devoid of allegations that she spent any money or time to “mitigate and remediate” Defendant’s allegedly wrongful disclosures, see Am. Compl. ¶¶ 142, 268, despite Plaintiff’s contrary assertion in her briefing.
Home Mortg., Inc., 398 F.3d 937, 940–41 (7th Cir. 2005)), aff’d as modified, 73 F.4th 502 (7th Cir. 2023). Plaintiff’s allegations do not satisfy either condition, such that her emotional harms are insufficient to maintain her contract claim. And the Court’s reasoning for rejecting both the overpayment and diminished-data-value theories under the IFCA applies similarly to this implied
contract claim. See supra Section II.B.2.a; accord Wittmeyer, 2024 WL 182211, at *5–6. As to the privacy harms and increased risk of future harm, the Court finds that these intangible harms are not the sort of “actual or measurable damages” which can support an implied contract claim. Cf. M.C., 2025 WL 435992, at *1, *6 (denying motion to dismiss as to implied contract claim where the plaintiff had sufficiently alleged “‘out-of-pocket’ costs” like expenditures to prevent identity theft). Finally, it is unclear what unique harm to Plaintiff allegedly stems from the “use of the Private Information for advertising purposes,” which is not already addressed by the categories discussed above. Am. Compl. ¶ 268. To the extent this harm is premised upon the gains Defendant allegedly received by improperly disclosing her data, as opposed to her losses stemming from that same conduct, it cannot support her claim for
breach of implied contract. See Dinerstein II, 73 F.4th at 518 (“[A] plaintiff's claim of injury in fact cannot be based solely on a defendant's gain; it must be based on a plaintiff's loss.” (quotation marks omitted)). In sum, Plaintiff fails to sufficiently allege actual monetary damages to support her claim for breach of implied contract and Count IV is DISMISSED.
e. Count V: Unjust Enrichment
Plaintiff alleges in Count V that Defendant was unjustly enriched because it “collected, used, and disclosed” her and other class members’ Private Information “for its own gain, for marketing purposes, and for sale or trade with third parties.” Am. Compl. ¶¶ 270–77. This claim is “pleaded in the alternative to Plaintiff’s breach of implied contract claim.” Id. ¶ 271. Defendant asserts that this claim should be dismissed because the unjust enrichment claim: (1) must rise and fall with Plaintiff’s IFCA claim; (2) is “improperly ple[ade]d in the alternative because it incorporates by reference the existence of a contract between the parties”; or (3) fails to adequately allege that Plaintiff and other class members conferred a benefit upon Defendant.
Mem. Supp. Mot. Dismiss 26–28. Plaintiff asserts that “it would be inequitable for Defendant to retain the benefit” of Plaintiff and other class members’ Private Information because that information was obtained “under the premise of confidentiality,” but otherwise does not meaningfully respond to Defendant’s arguments. Resp. Mot. Dismiss 27–28. “Under Illinois law, unjust enrichment is not a separate cause of action. Rather, it’s a condition brought about by fraud or other unlawful conduct.” Vanzant v. Hill’s Pet Nutrition, Inc., 934 F.3d 730, 739–40 (7th Cir. 2019) (quotation marks omitted). Courts therefore dismiss claims for unjust enrichment when such fraud or other unlawful conduct is inadequately pleaded. See Cleary v. Philip Morris Inc., 656 F.3d 511, 517 (7th Cir. 2011). Plaintiff’s allegations that Defendant’s conduct in disclosing her Private Information for its own financial gain was
wrongful are also the subject of either her now-dismissed IFCA claim or breach-of-implied-contract claim. See supra Section II.B.2.a; Section II.B.3.d. Therefore, Plaintiff’s claim for unjust enrichment must also be dismissed. See A.D., 2024 WL 4119153, at *9 (dismissing the plaintiffs’ unjust enrichment claim when their ICFA claim based on the same conduct was also dismissed); Genesis Health Sys., 2024 WL 3890164, at *10 (same); Loyola Univ. Med. Ctr., 2024 WL 3338941, at *9 (same). Count V is DISMISSED.
f. Count VI: Breach of Implied Duty of Confidentiality
Finally, Plaintiff asserts in Count VI that Defendant is liable for breaching the implied duty of confidentiality inherent in a doctor-patient relationship. Am. Compl. ¶¶ 278–88. The parties dispute both whether Plaintiff has sufficiently alleged a breach of this duty and whether such a cause of action is even recognized under Illinois law. Mem. Supp. Mot. Dismiss 28–30; Resp. Mot. Dismiss 28–30. When a court sitting in diversity is presented with an unsettled question of state law, it
must predict how the state supreme court would decide the issue. Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 811 (7th Cir. 2018). It is not a federal court’s “role to break new ground in state law.” Sabrina Roppo v. Travelers Commercial Ins. Co., 869 F.3d 568, 596 (7th Cir. 2017) (quotation marks omitted). Facing the exact question presented here, a court in the Northern District of Illinois concluded that “it is unlikely that Illinois would recognize [a] breach of confidentiality tort.” Dinerstein I, 484 F. Supp. 3d at 595. While the Seventh Circuit found it unnecessary to address this ruling on appeal, it noted that it saw “no reason to disturb” it. Dinerstein II, 73 F.4th at 516 n.4. Plaintiff fails to present anything that persuades the Court to break with Dinerstein I. She asserts that “Illinois already recognizes this cause of action per Geisberger [v. Willuhn, 390
N.E.2d 945 (Ill. App. Ct. 1979)].” Resp. Mot. Dismiss 29. But the Illinois Appellate Court in Geisberger did not affirmatively recognize a distinct tort for breach of implied duty of confidentiality. Instead, it: (1) noted that the privilege for communications between a doctor and a patient is based on state statutes, not the common law; (2) found that other jurisdictions with similar statutes had held that disclosure of a patient’s name, standing alone, did not violate those statutes; and (3) joined those other jurisdictions by holding “that the disclosure of the name alone of the patient by a doctor or his agents does not violate the patient-doctor privilege established by [Illinois statutes].” Geisberger, 390 N.E.2d at 946–47. In the remainder of its opinion, the Geisberger court concluded that the plaintiff failed to state a claim “for the breach of an implied contract not to disclose confidential information acquired through the physician-patient relationship” because “the breach of a confidential relationship and the breach of contract [we]re probably co-extensive,” id. at 947–48, and that the plaintiff failed to state a claim for invasion of privacy, id. at 948. The Court agrees with Defendant that Geisberger did not affirmatively find
that the tort of breach of implied duty of confidentiality exists under Illinois law, Reply Mot. Dismiss 17, and joins the other federal courts that have declined to break new ground in this area of state law, see Kurowski I, 659 F. Supp. 3d at 940–41; Dinerstein I, 484 F. Supp. 3d at 595 (“[I]t is unlikely that Illinois would recognize the breach of confidentiality tort.”).15 Count VI is DISMISSED.
CONCLUSION
Accordingly, Defendant Sarah D. Culbertson Memorial Hospital’s Motion to Dismiss Amended Class Action Complaint, ECF No. 16, is GRANTED IN PART and DENIED IN PART, and its Unopposed Motion for Leave to File Reply in Support of Defendant’s Motion to Dismiss Amended Class Action Complaint, ECF No. 23, is GRANTED. The Clerk is directed to file the reply, ECF No. 23-1, on the docket. All counts except Counts I and II, construed as negligence claims, are DISMISSED. Plaintiff may seek the Court’s leave to file another amended complaint by September 10, 2025.
Entered this 20th day of August, 2025.
s/ Sara Darrow
SARA DARROW
CHIEF UNITED STATES DISTRICT JUDGE
15 Some aspects of Plaintiff’s briefing suggest that Count VI sounds in contract, not tort. See, e.g., Resp. Mot. Dismiss 28 (“Disclosures which violate the statutory privilege between a patient and their healthcare provider define what is actionable under a contract theory.” (citing Geisberger, 390 N.E.2d at 947–48)). To the extent that Count VI is a contract-based claim, it would not withstand dismissal for the reasons explained in the Court’s dismissal of Count IV, Plaintiff’s claim for breach of implied contract. See supra Section II.B.3.d.