Hartley v. University of Chicago Medical Center
This text of Hartley v. University of Chicago Medical Center is published on Counsel Stack Legal Research, covering District Court, N.D. Illinois primary law.
Opinion
IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
SOPHIA HARTLEY, individually and on behalf of all others similarly situated, Plaintiff,
v.
UNIVERSITY OF CHICAGO MEDICAL CENTER and META PLATFORMS, INC., Defendants.
Case No. 22 C 5891
Judge Harry D. Leinenweber
MEMORANDUM OPINION AND ORDER
The Plaintiff, Sophia Hartley (“Plaintiff”), brings this putative class action against the University of Chicago Medical Center seeking damages for the unauthorized disclosure of her Individually Identifiable Health Information.
I. BACKGROUND
The Defendant, University of Chicago Medical Center (“UCMC”), operates a non-profit hospital network and maintains a website for the purpose of communicating with its patients. The patients are encouraged to use the site to communicate with the hospital staff for such activities as scheduling appointments, requesting information about test results, and in general support for the provision of healthcare to patients. However, according to the Complaint, unbeknownst to a patient using the website, UCMC deploys a third-party computer code from Facebook called Meta Pixel. This piece of computer code is defined by Facebook as:
The Meta Pixel is a piece of code on your web site that can help you better understand the effectiveness of your advertising and the actions people take on your site, like visiting a page or adding an item to their cart. You’ll also be able to see when customers take an action after seeing your ad on Facebook and Instagram which can help you with retargeting and when you use the conversion API alongside the pixel, it creates a more reliable connection that helps the delivery system decrease your costs.
(Last viewed November 1, 2023)
Further, according to the Complaint, this meta pixel is used to “capture both the characteristics of an individual patient’s communications with UCMC’s web site such as IP addresses, Facebook IDs, cookie identifiers, device identifiers, account numbers and the content of these communications, such as URLs, buttons, pages, and tabs they click on and view.” Such information is considered Individually Identifiable Health Information under HIPAA, 42 U.S.C. § 1320(d)(6). In summary, every time a patient clicks on to a web page, UCMC links the patient’s identity to the communication and transmits the data to Facebook to analyze it for UCMC’s commercial use. Thus, this commercial use, according to Plaintiff, arises from UCMC’s disclosures to Facebook of the precise healthcare a specific patient is requesting information on.
Based on the foregoing, the plaintiff has asserted the following claims against UCMC: Count I – Violation of the Electronic Communications Privacy Act (“ECPA”) 18 U.S.C. § 2510; Count IV – Breach of implied Duty of Confidentiality; and Count V – Invasion of Privacy by Intrusion upon Seclusion. The Defendant has moved to dismiss each of these counts. (Dkt. No. 27.)
II. DISCUSSION
A. Count I – Electronic Communication Privacy Act
This statute, commonly known as the “Wire Tap Act” makes it illegal intentionally to intercept or endeavor to intercept any wire, oral or electronic communication (§ 2511(1)(a)); and to disclose or use the contents of an unlawfully intercepted communication (§ 2511(1)(c) and (d)). Plaintiff’s theory is that UCMC disclosed Plaintiff’s personal health information via the Meta Pixel to Facebook when she communicated with UCMC via the web portal. However, as UCMC points out, the Wire Tap Act has a provision that it is lawful for a person to intercept an electronic communication where such person is a party to the communication. § 2511(2)(d). Therefore, since UCMC is a necessary party to any communication from a patient concerning the provision of healthcare, it cannot be liable to the receipt of the communication. This conclusion was reached and affirmed by a court of this district in 2023 WL 2349606 (N.D. Ill. Mar. 3, 2023), , 2023 WL 4707184 (N.D. Ill. Jul. 24, 2023).
Plaintiff however relies on Section 2511(2)(d) which provides an exception to the party exception where the purpose of the interception is the commission of a criminal or tortious act in violation of the Constitution or laws of the United States or the constitution or laws of any State. Plaintiff asserts that 42 U.S.C. § 1320(d)(6) of HIPAA makes it a federal crime knowingly to disclose “individually identifiable health information” (“IIHI”) to third parties. This statute defines IIHI as
any information, including demographic information collected from an individual, that – (A) is created or received by a health care provider . . . and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and – (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
According to Plaintiff, a notification to Facebook via meta pixel without her permission that a patient has viewed her treatment records or checked her test results, such disclosures clearly violate Section 1320(d)(6). However, Judge Kennelly pointed out in that the plaintiff there had failed to allege “any particular health or treatment information disclosure specific as to them that Rush allegedly made to any third-party whether within the portal or not.” , 2023 WL 4707184, at *3. He found that Kurowski’s allegations were “far too vague to allow an inference to be drawn that Rush was actually disclosing IIHI as it is unambiguously defined by HIPAA rather than just meta data.” . Here the situation is the same: Plaintiff’s allegations in her Complaint are similar generalizations as to what UCMC was communicating to Facebook, IP addresses, Facebook IDs, cookie identifiers, device identifiers and account numbers and the contents of these communications, “URLs, buttons, pages, and tabs they click and view.” Here as in there is an absolute dearth of information specific to Plaintiff as what was disclosed to Facebook that would plausibly be in violation of HIPAA. Accordingly, Count I is dismissed without prejudice.
B. Count IV – Breach of Implied Duty of Confidentiality
The parties spar over whether there is a fiduciary duty and from where it arises. However, at this stage the Plaintiff has not alleged any specific breach of any confidentiality committed by UCMC, the same problem as in Count I. Accordingly, Count IV is dismissed without prejudice.
C. Count V – Tort of Intrusion Upon Seclusion
According to the Restatement (Second) of Torts, this tort is described as follows:
One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.
Restatement (Second) of Torts § 652B, at 378 (1977).
While the Illinois Supreme Court in 126 Ill. 2d 411, 417 (1989) took some pains to point out that it was not at that time recognizing the tort as viable in Illinois, nevertheless if there was such a tort in Illinois, the facts in that case did not constitute the tort of Intrusion upon Seclusion because the offensive conduct in that case was caused by the defendant’s act of publication and not from the act of intrusion.
Cite This Page — Counsel Stack
Hartley v. University of Chicago Medical Center, Counsel Stack Legal Research, https://law.counselstack.com/opinion/hartley-v-university-of-chicago-medical-center-ilnd-2023.