UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
SOPHIA HARTLEY, individually and on behalf of all others similarly situated,
Plaintiff, No. 22 CV 5891
v. Judge Georgia N. Alexakis
UNIVERSITY OF CHICAGO MEDICAL CENTER,
Defendant.
MEMORANDUM OPINION AND ORDER
This case is about the University of Chicago Medical Center’s alleged use of Meta’s data collection tools on its public website. Plaintiff Alyssa Hartley brought a putative class action alleging that UCMC violated the Electronic Communications Privacy Act by using those tools to intercept individually identifiable healthcare information with the purpose of sharing it with third-party Meta, the social media company, in violation of the Health Insurance Portability and Accountability Act. After surviving a motion to dismiss her second amended complaint and engaging in limited discovery, Hartley deleted over 50 paragraphs of allegations from her complaint. UCMC now moves to dismiss Hartley’s third amended complaint. UCMC also moves for summary judgment or to strike Hartley’s class claims. For the following reasons, the motion to dismiss is denied, and the motion for summary judgment or to strike Hartley’s class claims is denied in part and granted in part. I. Procedural History Hartley filed her original complaint in late 2022, [2], and her first amended complaint in early 2023, [33]. A court previously assigned to this case dismissed each claim in the first amended complaint on November 8, 2023. [52]. Two of the claims
were dismissed without prejudice, including the ECPA claim that now remains. [150] at ¶ 7; [52]. Five days later, on Hartley’s motion, the court clarified that the case was not terminated and set a deadline for Hartley to file a second amended complaint. [150] at ¶¶ 10, 11; [53]; [56]. On December 12, 2023, Hartley filed her second amended complaint, which contained over 90 paragraphs of new allegations, compare [61] with [33], including
“allegations that are specific to herself,” [75] at 5. Another court previously assigned to this case later ordered the parties to “conduct discovery on three threshold topics: (1) ownership and control of the four web properties [at issue in the second amended complaint]; (2) installation and operation of the Meta collection tools on the MyChart patient portal; and (3) Hartley’s interactions with and use of the web properties including her review and consent to UCMC’s Terms of Use.” [91] at 2. Through that limited discovery, Hartley learned that UCMC had never installed Meta’s data
collection tools on UCMC’s MyChart patient portal. [105] at 2. She accordingly deleted 32 paragraphs of allegations, compare [126] with [61], resulting in the third amended complaint that is now at issue, [126]. II. Motion to Dismiss A. Legal Standards A complaint must contain “a short and plain statement” showing that the plaintiff is entitled to relief. Fed. R. Civ. P. 8(a)(2). A motion to dismiss under Rule
12(b)(6) challenges the sufficiency of the complaint, not its merits. See Fed. R. Civ. P. 12(b)(6); Gibson v. City of Chicago, 910 F.2d 1510, 1520 (7th Cir. 1990). To survive a Rule 12(b)(6) motion, the plaintiff need only allege facts that “allow[] the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). At this stage, the Court assumes that the facts alleged in the complaint are true and draws all reasonable inferences from those facts in the plaintiff’s favor. See Tobey v. Chibucos, 890 F.3d 634, 645 (7th
Cir. 2018). However, “[a] pleading that offers ‘labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action will not do.’” Ashcroft, 556 U.S. at 678 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). Similarly, a complaint that “tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement’” will not survive a motion to dismiss. Id. B. Allegations The defendant, UCMC, operates a non-profit hospital network and maintains
a public website (www.uchicagomedicine.org) for the purpose of communicating with its patients. [126] at ¶¶ 4, 142. Patients are encouraged to use the website to communicate with hospital staff. Id. However, unbeknownst to a patient using the website, UCMC deploys third-party computer code from Meta, id. at ¶¶ 56–64, to “capture both the ‘characteristics’ of an individual patient’s communications with the UCMC Website (i.e., their IP addresses, Facebook IDs, cookie identifiers, device identifiers and account numbers) and the ‘content’ of these communications (i.e., the URLs, buttons, pages, and tabs they click on and view),” id. at ¶ 69. Every time a
patient clicks on a page within UCMC’s public website, these collection tools link the patient’s identity to the communication and transmit the data to Meta to analyze it for the commercial use of both Meta and UCMC. Id. at ¶¶ 73–74. The plaintiff, Hartley, has been a UCMC patient since 2018, and, since then, has used UCMC’s public website to schedule appointments, request information on specific medical services, and research providers. Id. at ¶ 143. Specifically, she used the website’s “find-a-physician” page to find a primary care physician, id. at ¶ 144,
and used the website to access the login page for the MyChart patient portal, id. at ¶ 146. Through these website interactions, UCMC used the Meta collection tools to intercept information about “her status as a UCMC patient, the dates and times she logged-in to the MyChart [sic], and the webpages that she clicked and viewed related to her medical providers, conditions, and treatments.” Id. Based on these allegations, in her third amended complaint, Hartley asserts a
single claim, a violation of the ECPA, 18 U.S.C. 2510 et seq. [126] at ¶ 163. C. Analysis The ECPA imposes criminal and civil liability on persons who “intentionally intercept … any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a), (4); 18 U.S.C. § 2520. A person is not liable, however, for intercepting a communication to which it is a party, unless it does so “for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d). The parties do not dispute that UCMC was a party to any communications that
it allegedly intercepted. See [146] at 6. Hartley’s ECPA claim thus can advance only if she plausibly alleges that any interceptions were “for the purpose of committing a criminal or tortious act,” 18 U.S.C. § 2511(2)(d), such as the disclosure of individually identifiable health information in violation of HIPAA. HIPAA makes it a crime to “knowingly … disclos[e] individually identifiable health information to another person.” See 42 U.S.C. § 1320d-6(a)(3). Under 42 U.S.C § 1320d(6), “individually identifiable health information” means “any information …
that— (A) is created or received by a health care provider … ; and (B) relates to the past, present, or future physical or mental health or condition of an individual, [or] the provision of health care to an individual, … and— (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” UCMC contends that Hartley’s ECPA claim must be dismissed for the same reason that a court previously assigned to this case dismissed the ECPA claim in her first amended complaint: She has not plausibly alleged that “‘particular health or treatment information’ specific to her was disclosed.” [138] at 4 (quoting [52] at 4). As UCMC accurately points out, the third amended complaint lacks most of the factual allegations that the earlier court cited in allowing the second amended complaint to proceed. [138] at 4–5. According to UCMC, none of the remaining allegations describe information about Hartley’s “medical symptoms, conditions, or treatments” that UCMC “intercepted or disclosed to Meta.” [138] at 6.
Hartley, on the other hand, contends that UCMC disclosed her individually identifiable health information in three ways. It disclosed her status as a patient at UCMC, [146] at 9; it disclosed that she visited UCMC’s “find-a-physician” webpage when she “used UCMC’s public website … to search for a primary care physician,” [146] at 7 (quoting [126] at ¶ 144); and it disclosed information about “the webpages she clicked and viewed related to her medical providers, conditions, and treatments,” [126] at ¶ 146.
Hartley has plausibly alleged that UCMC disclosed her patient status, which constitutes individually identifiable health information. Patient status “connects an individual with a healthcare provider” and “is indicative that the individual has received or will receive health care services, and thus relates to the individual’s past, present, or future health or health care or payment for care.” In re Meta Pixel Healthcare Litig, 647 F. Supp. 3d 778, 792 (N.D. Cal. 2022) (cleaned up). It therefore
constitutes individually identifiable health information and “falls within the ambit of information protected under HIPAA.” Id. at 793. The act of logging into a healthcare provider’s patient portal, when combined with individual identifiers such as an IP address or a Facebook ID, can reveal patient status. Id. For example, in In re Meta Pixel Healthcare Litigation, the plaintiff alleged that, when users clicked on the “log in” button to access a healthcare provider’s private patient portal, the Meta Pixel (a data collection tool) transmitted the URL of the page with the button, the content of the “log in” button, the destination URL (i.e., the webpage to which the user is directed after clicking the “log in” button), and
cookies that uniquely identified each Facebook user. Id. at 791. The court thus held that “the act of clicking the ‘Log in’ button, when coupled with the … patient portal URL and the other information transmitted by the Pixel, sufficiently identifies the website user as a patient.” Id. at 791–92. Here, Hartley alleges that UCMC discloses to Meta each time “a patient clicks to log in to the patient portal,” [126] at ¶ 54, and she used the UCMC website to log in to the UCMC MyChart patient portal “many times,” id. at ¶ 146. Each time she
did, the Meta collection tools intercepted the URL of the webpage with the log in button; the content of the log in button; the URL of the destination page; and her unique identifiers, including her IP address and a variety of cookies. Id. As in In re Meta Pixel Healthcare Litigation, Hartley’s “act of clicking the ‘Log in’ button … sufficiently identif[ied] [her] as a patient.” 647 F. Supp. 3d at 791–92. These factual allegations support a plausible inference that UCMC disclosed her status as a
patient—i.e., her individually identifiable health information—to Meta. UCMC disagrees. Information relating to Hartley’s patient portal logins, it says, could not have been intercepted or disclosed using the Meta collection tools, because those tools had not been installed on the UCMC MyChart patient portal. [152] at 4. It points out that In re Meta Pixel Healthcare Litigation involved allegations that the Meta collection tools operated within defendants’ password- protected patient portals. Id. at 4 n.3 (citing In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 784). But the analysis in that case does not depend on the existence of data collection tools within the patient portal; the disclosure of plaintiffs’ log-in
button click was enough. 647 F. Supp. 3d. at 784, 791–92. And other courts have held that button-click data on public websites, as opposed to within password-protected patient portals, revealed patient status. See Nienaber v. Overlake Hosp. Med. Ctr., Case No. 2:23-cv-01159-TL, 2025 WL 692097, at *6 (W.D. Wash. Mar. 4, 2025) (plaintiff’s interactions with defendant’s public website, including using the website to log in to a private patient portal, “plausibly relate to the provision of healthcare” and “constitute protected information”); Castillo
v. Costco Wholesale Corp., Case No. 2:23-cv-01548-JHC, 2024 WL 4785136, at *7 (W.D. Wash. Nov. 14, 2024) (denying motion to dismiss an ECPA claim because plaintiffs alleged that Costco collected “information about when [they] click[ed] a ‘Refill Prescription’ button that prompts a ‘Sign In’ page,” which “‘relate[d] to’ [their] individualized health conditions even though they d[id] not allege that their data were collected while they were logged into their patient portals”).
UCMC points to AHA v. Becerra, 738 F. Supp. 3d 780 (N.D. Tex. 2024), to argue that information intercepted from a public website, like the log-in click information here, can never amount to individually identifiable health information. [152] at 5; [138] at 6. But Becerra does not change the analysis. There, the court rejected guidance from the Department of Health and Human Services (“HHS”) defining information about visits to websites about health conditions or healthcare providers, in combination with the IP addresses of the visitors, as individually identifiable health information. 738 F. Supp. 3d at 788, 804 (N.D. Tex. 2024). Context matters, and the Becerra court was considering generally applicable HHS guidance about
public websites, not specific allegations about specific individuals’ use of specific websites. Thus, its holding that information collected from public healthcare websites does not always amount to individually identifiable health information does not also mean that information from public websites can never amount to such information. See 738 F. Supp. 3d at 803. Three other cases relied upon by UCMC are similarly unavailing. Smith v. Facebook, Inc., 745 Fed. App’x 8 (9th Cir. 2018), admittedly contains language that,
absent careful reading, could be misconstrued as precluding information from public websites from constituting individually identifiable health information: “The data show only that Plaintiffs searched and viewed publicly available health information that cannot, in and of itself, reveal details of an individual’s health status or medical history.” 745 Fed. App’x at 9. But, as shown by the second instance of the word “that” in the preceding sentence, which signifies the start of a restrictive clause, Smith’s
language doesn’t mean that data from public websites can never “reveal details of an individual’s health status or medical history.” Id. Rather, it means that the specific information allegedly disclosed in Smith—information about a particular doctor accessed through a healthcare provider’s “find-a-doctor” webpage and general health information, see Smith v. Facebook, Inc., 262 F. Supp. 3d 943, 954 n.5 (N.D. Cal. 2017)—could not “reveal details of an individual’s health status or medical history.” 745 Fed. App’x at 9. In contrast, Hartley alleges that she used the public website not merely to
access general health information but to access the MyChart patient portal login. [126] at ¶ 146. Information about Hartley’s access of MyChart, unlike the “general health information that is available to the public at large” at issue in Smith, 262 F. Supp. 3d at 955, “captures information that connects a particular user to a particular healthcare provider—i.e., patient status—which falls within the ambit of information protected under HIPAA,” In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 793. Nor do UCMC’s remaining two cases support its contention that information
intercepted from public websites can never be individually identifiable health information. See [138] at 6. In Kurowski v. Rush System for Health, 659 F. Supp. 3d 931 (N.D. Ill. 2023) (“Kurowski I”), the court dismissed an ECPA claim because the complaint described only hypothetical data disclosures and contained no allegations involving the disclosure of information collected from any actual patient’s website use. See id. at 939. It did not address whether specific data about specific individuals’
browsing activity on a public website can constitute individually identifiable health information. A later decision from the same matter illustrates the distinction. Kurowski v. Rush Sys. for Health, Case No. 22 C 5380, 2023 WL 8544084, at *3 (N.D. Ill. Dec. 11, 2023) (“Kurowski III”). In Kurowski III, the court allowed the plaintiff to file an amended ECPA claim based on new allegations specifying the information intercepted from the plaintiff’s web activity, including information about her personal physician’s name, location, and specialty. Id. Whether this information was collected from plaintiff’s use of defendant’s public website or its authenticated patient portal did not play into the analysis. See id.
Likewise, in Cousin v. Sharp Healthcare, 681 F. Supp. 3d 1117 (S.D. Cal. 2023) (“Cousin I”), the court dismissed a variety of privacy-related claims because the complaint did not detail plaintiff’s actual activities on defendant’s website, nor did it detail what sensitive medical information the defendant intercepted from those activities. Id. at 1123–24. Again, a later decision in the same case clarifies that the problem in Cousin I was a lack of factual support, not that the allegations only involved interceptions of data from a public website. See Cousin v. Sharp Healthcare,
702 F. Supp. 3d 967, 972–73 (S.D. Cal. 2023) (“Cousin II”). In Cousin II, the court considered an amended complaint and held that plaintiffs’ newly alleged interactions with defendant’s public website—namely, their searches for doctors specializing in their particular medical conditions—“plausibly convey[ed] information about a present medical condition and the provision of medical care covered by HIPAA.” Id. at 973.
Here, unlike in Kurowski I and Cousin I, Hartley makes factual allegations specifying how she interacted with UCMC’s public website (using it to access the MyChart patient portal on many occasions), what information UCMC intercepted from those interactions (the fact that she clicked the “Sign In” button and the URLs she was coming from and going to), and how that information constituted individually identifiable health information (by revealing patient status). [126] at ¶ 146. This information may be different from the information about plaintiffs’ doctors allegedly intercepted in Kurowski III, 2023 WL 8544084, at *3, and Cousin II, 702 F. Supp. 3d at 973, but that doesn’t matter. Neither of those cases limited the definition of
individually identifiable health information to the factual allegations before them. And information about button-click data from patient-portal logins, as allegedly intercepted and disclosed here, can plausibly amount to individually identifiable health information. See In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 793.1 Finally, UCMC argues that Hartley’s allegation that it disclosed “her status as a UCMC patient” is “conclusory.” [138] at 6 n.5. It is not. As discussed above, Hartley makes specific factual allegations related to the disclosure of her patient status: She
used the UCMC website to access UCMC’s MyChart patient portal; UCMC intercepted the associated page-view and button-click data; and that data, combined with her personal identifiers, revealed her status as a UCMC patient. [126] at ¶ 146. These factual allegations are enough to support a reasonable inference that UCMC disclosed her status as a UCMC patient. Cf. Hannant v. Culbertson, Case No. 4:24- cv-04164-SLD-RLH, 2025 WL 2413894, at *5 (C.D. Ill. Aug. 20, 2025) (dismissing
ECPA claim based on conclusory allegation that defendant disclosed plaintiff’s
1 UCMC also argues that, earlier in this case, a previously assigned court “ruled that the disclosure of ‘URLs, buttons, pages, and tabs users of UCMC’s websites click and view’ are not sufficient to state an ECPA claim.” [152] at 3 (cleaned up) (quoting [52] at 4). The court’s ruling was specifically about the allegations contained in the first amended complaint, which did not specify which URLs, buttons, pages, or tabs had been disclosed or what web activity led to their disclosure. See [52] at 4. The court was not articulating a general rule to be applied even where, as here, specific web activities led to disclosure of specific pieces of information. See [126] at ¶ 146. UCMC also cites In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014), which does not discuss and is not applicable to the question of what information constitutes individually identifiable health information under HIPAA. “status as a patient” and explaining that plaintiff “ha[d] access to her end of the equation, such as whether she used Defendant’s website to book an appointment or log into a patient portal” (emphasis added)).
As to the other two ways that Hartley believes UCMC disclosed her individually identifiable health information—by disclosing her visit to UCMC’s “find- a-physician” webpage when she used it to search for a primary care physician, see [146] at 7 (quoting [126] at ¶ 144), and by disclosing information about “the webpages she clicked and viewed related to her medical providers, conditions, and treatments,” [126] at ¶ 146—the Court agrees with UCMC. They do not plausibly amount to disclosures of individually identifiable health information.
Merely browsing and searching UCMC’s website does not convey individually identifiable health information. See Nguyen v. Abbott Labs., Inc., No. 24 CV 8289, 2025 WL 2299753, at *5 (N.D. Ill. Aug. 8, 2025). “Information available on publicly accessible websites stands in stark contrast to the personally identifiable patient records and medical histories protected by [HIPAA]—information that unequivocally provides a window into an individual’s personal medical history.” Smith, 745 Fed.
App’x at 9.2 In Smith, Plaintiffs alleged that Facebook intercepted information showing that one of them had accessed information about a specific doctor through a
2 Although Smith is helpful for delineating the boundary between information that is protected by HIPAA and information that is not, UCMC’s contention that Smith means that information collected from a public website can never qualify as individually identifiable health information, see [138] at 6, is incorrect. More fairly construed, Smith emphasized that what matters is whether the information “provides a window into an individual’s personal medical history.” 745 Fed. App’x at 9. healthcare provider’s public “find-a-doctor” webpage. See Smith, 262 F. Supp. 3d at 954 n.5. The district court dismissed the claim, and the court of appeals affirmed, holding that HIPAA did not protect “publicly available health information that
cannot, in and of itself, reveal details of an individual’s health status or medical history.” Smith, 745 Fed. App’x at 9. Here, UCMC’s alleged disclosure of Hartley’s visit to its “find-a-doctor” webpage is even less revealing than the information at issue in Smith: Unlike the plaintiffs there, Hartley doesn’t allege that UCMC disclosed that she accessed information about specific doctors. See [126] at 144.3 Hartley also contends that information about “the webpages she clicked and viewed related to her medical providers, conditions, and treatments” should be
considered individually identifiable health information, [126] at ¶ 146, because “communications on a healthcare provider’s unauthenticated webpage can contain IIHI as defined by HIPAA.” Id. To be sure, it is possible for information collected from an unauthenticated webpage to amount to individually identifiable health
3 The Court recognizes that the memorandum opinion advancing the ECPA claim in Hartley’s second amended complaint held that Hartley plausibly alleged interception and disclosure of individually identifiable health information. [75] at 5. By way of example, the previous court mentioned an allegation that “UCMC disclosed that [Hartley] was seeking specific medical specialists,” in combination with allegations that, after researching specific prescriptions and sexually transmitted diseases on UCMC’s website, she saw related advertisements. Id. But, here, the Court must review the operative complaint, Seeks v. Boeing Co., 752 F. Supp. 3d 992, 1012–13 (N.D. Ill. 2024), and the third amended complaint does not contain most of the pertinent allegations cited in the earlier opinion, see [105-1] at 39–42. Thus, any previous analysis of a paragraph resembling paragraph 144 of the third amended complaint is in a different factual context and is not relevant to this complaint or this motion to dismiss. Cf. Fletcher v. OneWest Bank, FSB, No. 10-cv-4682, 2012 WL 5199632, at *2 (N.D. Ill. Oct. 222, 2012) (quoting Brengettcy v. Horton, 423 F.3d 674, 680 (7th Cir. 2005) (“A judge should not reconsider a preceding judge’s rulings when presented with ‘precisely the same question in precisely the same way’ as the preceding judge.”) (emphasis added). information. See Castillo, 2024 WL 4785136, at *7. But Hartley’s allegation that she “clicked and viewed” webpages “related to her medical providers, conditions, and treatments” nevertheless does not plausibly amount to individually identifiable
health information. [126] at ¶ 146. The problem is not that the information was allegedly intercepted from an unauthenticated public website; it is that the allegations lack the factual support needed to infer that the information “relates to the … health or condition of an individual, [or] the provision of health care to an individual.” 42 U.S.C. § 1320d(6)(B). Other than the lone allegation that she used the UCMC website to search for a primary care physician, [126] at ¶ 144, Hartley does not allege which webpages she
viewed, when she viewed them, why she viewed them, or what information UCMC intercepted from those views. Thus, the allegation that UCMC used Meta collection tools to intercept “the webpages she clicked and viewed related to her medical providers, conditions, and treatments,” [126] at ¶ 146, is “devoid of any factual support” raising inference that UCMC intercepted her individually identifiable health information. Cousin I, 681 F. Supp. 3d at 1123 (dismissing claims based on
similar allegations). A comparison of Hartley’s allegations with those in similar cases illustrates the problem. In each case, the court held that the plaintiff stated an ECPA claim based in part on the defendant’s disclosure of individually identifiable health information. And in each case, the factual allegations supporting that inference were more specific than those here. In Mayer v. Midwest Physician Administrative Services, LLC, No. 23-cv-3132, 2025 WL 963779 (N.D. Ill. Mar. 31, 2025), multiple plaintiffs alleged that after using a healthcare provider’s website to conduct searches and submit information regarding their specific medical conditions, they began to
receive spam and advertisements on their Facebook accounts related to those medical conditions. Id. at *3. In Smith v. Loyola University Medical Center, No. 23 CV 15828, 2024 WL 3338941 (N.D. Ill. Jul. 9, 2024), one plaintiff alleged that she began receiving advertisements on her social media account for a certain type of surgery after scheduling a surgical appointment through a hospital’s online platform. Id. at *2. Another plaintiff allegedly began receiving similar targeted advertisements after using the platform to research providers who treat certain medical conditions,
communicate with those providers, schedule appointments with those providers, and review her personal health information. Id. In Kurowski III, the plaintiff alleged that a hospital transmitted the name, location, and specialty of her personal physician to Facebook, which then used that information to target her with advertising related to her particular health condition. 2023 WL 8544084, at *3. Each of these cases involved the type of specific factual allegations that are lacking from Hartley’s vaguer
allegation that UCMC intercepted “the webpages she clicked and viewed related to her medical providers, conditions, and treatments.” [126] at ¶ 146. Nonetheless, and for the reasons already set forth above, Hartley has plausibly alleged that UCMC disclosed her individually identifiable information by disclosing each time that she logged into MyChart, which reveals her status as a patient and “relates to … the provision of health care to an individual.” 42 U.S.C. § 1320d(6)(B). UCMC maintains that Hartley’s ECPA claim still must fail because she has not sufficiently alleged that UCMC “intercepted” any information in the first place or that any alleged interception had a criminal or tortious purpose. See [138] at 8–15.
These are arguments UCMC has made before, see [65] at 4–10, and which the court previously assigned to this case already considered and rejected. In its order denying UCMC’s motion to dismiss the ECPA claim from Hartley’s second amended complaint (referred to in the excerpt below as the “SAC”), the previous court wrote: UCMC claims that these allegations are irrelevant, because the ECPA makes it illegal to “intercept,” i.e., to acquire the communications for tortious or criminal reasons. Plaintiff’s Complaint is based on alleged illegal disclosure of legally acquired information, i.e., and thus it was acquired through Plaintiff’s own action accessing the website. Plaintiff’s Complaint therefore is based on her objection to the disclosures of the IIHI, not in its acquisition. In essence, Defendant’s position is that it acquired information legally from Plaintiff; and that her complaint in the SAC is that, at most, Defendant disclosed information to Meta that it had legally acquired. Defendant asks Court to distinguish the verbs “to acquire” and “to disclose,” the former a requirement for an ECPA violation, but not the latter. However, the allegations in the SAC include charges that UCMC utilized Meta’s “tools” in order to “acquire” the information that was allegedly disclosed to Meta. See, e.g., SAC, ¶¶ 51, 54 and 56, which allege that the only way Plaintiff’s IIHI could be disclosed to Meta is by utilizing Meta’s tools. Therefore, it is plausible that Defendant could be responsible for acquiring Plaintiff’s IIHI with the purpose of disclosing it to Meta for their mutual financial benefits. [75] at 4–5. The third amended complaint contains the same allegations pertinent to the previous court’s reasoning, save for one (immaterial) modification which the Court acknowledges further below. Compare [61] ¶¶ 51, 54, and 56 with [126] ¶¶ 51, 54, and 56; see also [105] at 11–13. So, now, the Court adopts that reasoning. “When a case is transferred between district judges midway through litigation, the [law-of-the- case] doctrine discourages the new judge from reconsidering rulings made by the original judge.” Flynn v. FCA US LLC, 39 F.4th 946, 954 (7th Cir. 2022). Here, the court previously assigned to this case considered and rejected UCMC’s arguments,
which UCMC copied almost verbatim from its motion to dismiss Hartley’s second amended complaint. Compare [138] at 8–15 with [65] at 4–10. Thus, the Court should not revisit Judge Leinenweber’s ruling absent “significant differences in the legal landscape since the prior ruling.” Flynn, 39 F.4th at 954. UCMC argues that the Court should ignore Judge Leinenweber’s ruling for three reasons: (1) there are significant differences in the legal landscape since the prior ruling, since “numerous decisions regarding similar allegations have been
issued”; (2) the precise issue presented here differs from the one decided earlier, since the second amended complaint, unlike the third amended complaint at issue here, involved allegations about Meta collection tools installed not only on UCMC’s public website but also on its MyChart Patient Portal; and (3) the law-of-the-case doctrine is discretionary. [152] at 10. None of these arguments are persuasive. There is no significant difference in
the legal landscape since the prior ruling, as UCMC makes clear by citing only two new cases—both out-of-circuit and unpublished—in its seven pages of copy-pasted argument. Compare [138] at 8–15 with [65] at 4–10. Nor are the issues presented here different from the issues presented to the court previously assigned to this case; now, as then, the issues are whether UCMC’s use of Meta collection tools involved the interception of information and whether any interception was for the purpose of committing a criminal or tortious act. [138] at 8–15; [65] at 4–10. Those issues are not changed by the fact that Hartley alleges now that UCMC installed Meta collection tools only on its public website. (The previous version of the complaint alleged that
UCMC installed the Meta collection tools on additional “web properties.” [126] at ¶ 54(i).) Finally, that the law-of-the-case doctrine is discretionary is immaterial. The Court finds Judge Leinenweber’s reasoning persuasive and would adopt it even if not required to do so. Certainly, UCMC does offer a few new arguments the previous court did not consider. First, it believes that Hartley failed to allege that UCMC had a criminal or tortious purpose independent of the interception. [138] at 13. It cites Nienaber, 2025
WL 692097, to argue that, because UCMC’s alleged interception and disclosure were concurrent, they are not independent acts. The disclosure, then, can’t be the interception’s “independent” criminal or tortious purpose. [138] at 13–14. In Nienaber, the court dismissed an ECPA claim because “the alleged tortious or criminal use of the acquired communications [was] the disclosure itself.” 2025 WL 692097, at *13. But Nienaber is an outlier; courts in this district and nationwide have
held that “[a] disclosure that violates HIPAA is a violation of law that is independent of a violation of the ECPA.” Stein v. Edward-Elmhurst Health, Case No. 23-cv-14515, 2025 WL 580556, at *4–*5 (N.D. Ill. Feb. 21, 2025) (collecting cases). Here, Hartley alleges that UCMC’s disclosure of her health information violated HIPAA, so she has alleged a criminal or tortious purpose independent of the interception of her information. Second, UCMC offers what amounts to a repackaged version of its argument that data collected from public websites cannot amount to individually identifiable health information: “If UCMC’s purpose in installing and operating Meta Collection
Tools was to engage in an intentional criminal and/or tortious plot to intercept and disclose patients’ personal medical information … there is no conceivable reason to limit the installation and operation of the Meta Collection Tools solely to UCMC’s Public Website, where no personal medical information is communicated.” [138] at 15. Since data collected from public websites can amount to individually identifiable health information, see Cousin II, 702 F. Supp. 3d at 973, this argument, built on a faulty premise, fails.
Third, UCMC argues that Hartley hasn’t sufficiently alleged that it intended to violate HIPAA because “a criminal HIPAA violation requires the defendant to ‘knowingly’ disclose individually identifiable health information.” [152] at 9. But under HIPAA’s “knowingly” requirement, “the defendant need only know that he obtained [or disclosed] individually identifiable health information relating to an individual.” United States v. Huping Zhou, 678 F.3d 1110, 1115 (9th Cir. 2012). In
other words, it “merely requires proof of knowledge of the facts that constitute the offense, not a culpable state of mind or knowledge of the law.” Id. at 1114 (quoting Dixon v. United States, 548 U.S. 1, 5 (2006)). Here, Hartley alleges that UCMC installed Meta collection tools on its public website, and those tools operated by automatically transmitting individuals’ website- use data to Meta for analysis and commercial use. [126] at ¶¶ 4, 72–74. The data UCMC disclosed using those tools include page-view and click data related to Hartley’s MyChart logins, and that data revealed her patient status. [126] at ¶ 146. Together, these allegations support the reasonable inference that UCMC “knowingly
… disclose[d]” her “individually identifiable health information to another person.” 42 U.S.C. § 1320d-6(a)(3). Hartley has thus plausibly alleged that UCMC used the Meta Collection tools to “intentionally intercept” her “communication[s]” with UCMC’s public website, 18 U.S.C. § 2511(1)(a), and it did so “for the purpose of committing [a] criminal … act in violation of [HIPAA].” 18 U.S.C. § 2511(2)(d). The Court therefore denies UCMC’s motion to dismiss Hartley’s third amended complaint.
III. Motion for Summary Judgment A. Legal Standards Summary judgment is appropriate when “the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law.” Fed. R. Civ. P. 56(c). In determining whether a genuine issue of fact exists, the Court must view the evidence and draw all
reasonable inferences in favor of the party opposing the motion. See Bennington v. Caterpillar Inc., 275 F.3d 654, 658 (7th Cir. 2001). A genuine issue of triable fact exists only if “the evidence is such that a reasonable jury could return a verdict for the nonmoving party.” Pugh v. City of Attica, 259 F.3d 619, 624 (7th Cir. 2001). The party seeking summary judgment has the burden of establishing that there is no genuine dispute as to any material fact. See Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). “A nonmovant’s failure to respond to a summary judgment motion … does not, of course, automatically result in judgment for the movant.” Raymond v. Ameritech Corp., 442 F.3d 600, 608 (7th Cir. 2006). “The ultimate burden of
persuasion remains with [the movant] to show that it is entitled to judgment as a matter of law.” Marcure v. Lynn, 992 F.3d 625, 631 (7th Cir. 2021) (quoting Raymond, 442 F.3d at 608). B. Facts Based on the limited discovery done to date, the parties do not dispute the following facts. According to UCMC’s records, Hartley logged in to the UCMC MyChart patient
portal approximately 86 times between November 2019 and December 2023. [147] at ¶ 15; [142-1]. When Hartley used the UCMC MyChart patient portal, she was occasionally presented with a copy of The University of Chicago Medicine Terms of Use while logging in. [147] at ¶ 16; [142-2]. On those occasions, she was also presented with the option to “Accept” or Decline” those Terms. [147] at ¶ 18. UCMC’s records indicate that, on December 5, 2023, Hartley viewed UCMC’s Terms and clicked the “accept” button. Id. at ¶¶ 19–20; [142-1] at rows 1153–54.
Those Terms had an effective date of August 31, 2023. [147] at ¶ 22; [142-3] at 1. They stated that they applied to the use of both UCMC’s public website and its MyChart patient portal, defined as “Digital Services.” [147] at ¶¶ 23–24; [142-3] at 1. They also stated that “[b]y clicking ‘I Accept” or by accessing our Digital Services … you agree to the Terms,” and they conditioned access and use of the Digital Services on agreement to the Terms. See [147] at ¶¶ 25–27; [142-3] at 1–2. The Terms are to be “governed by and construed in accordance with the laws of the State of Illinois, without regard to its conflict-of-law provisions.” [147] at ¶ 38; [142-3] at 11. The Terms contained language purporting to limit users’ remedies “in the
event of certain disputes related to the operation or use of the Digital Services, including agreeing to file any dispute on an individual basis (and not as part of a class or collection action) and to waive a jury trial.” [147] at ¶ 31; [142-2] at 1. Section 15(C) of the Terms lays out a mandatory informal dispute resolution process: “You and UCMC agree that each party will notify the other party in writing of any Dispute within thirty (30) days of the date it arises so that the parties can attempt in good faith to resolve the Dispute informally,” and “[i]f you and UCMC cannot agree how to
resolve the Dispute within thirty (30) days after the date notice is received by the receiving party, then either you or UCMC may … commence a formal proceeding.” [147] at ¶ 35; [142-3] at 10. Section 15(A) includes a class-action waiver: You and UCMC agree that each may bring claims or otherwise resolve Disputes against the other party only on an individual basis, and you waive any right to pursue any claims as a plaintiff of class member in any purported class or representative action or proceeding, whether on behalf of you or any other individual or group of individuals.
[147] at ¶ 37; [142-3] at 9. Hartley styled all iterations of her complaint as putative class actions. [147] at ¶ 45; [2]; [33]; [61]; [126]. She never attempted to comply with the notification requirement described in Section 15(C) of UCMC’s Terms. [147] at ¶ 44; [142-4] at 72:9–24. C. Analysis UCMC argues that it is entitled to summary judgment (or to having Hartley’s class claims struck) because the undisputed facts above show that Hartley breached her contractual obligations by filing her second and third amended complaints. The
argument goes as follows: UCMC made an offer to Hartley in the form of the Terms of Service that it presented to Hartley on December 5, 2023, and Hartley accepted the offer, both by clicking “I accept” and by using UCMC’s Digital Services after being presented with the Terms. [141] at 9–10. And, since UCMC allowed Hartley to use the Digital Services in exchange for agreeing to the Terms, the agreement was supported by consideration. Id. at 11. Further, Hartley’s ECPA claim is a “Dispute”
falling within the scope of the Terms’ purported class-action waiver and dispute resolution provisions, and those provisions apply to her ECPA claim even though it accrued before she accepted the Terms on December 5, 2023. Id. at 10–11. Thus, UCMC urges the Court to grant summary judgment against Hartley or to strike her class claims because, under the Terms, she may not “commence a formal proceeding” until after providing UCMC with the required written notice and failing to resolve the dispute, and, even then, she may bring her claims “only on an individual basis.”
Id. at 13–14. Hartley offers no response to UCMC’s arguments that she entered into a valid and enforceable contract when she agreed to UCMC’s Terms, that those Terms include a mandatory dispute resolution provision and a class-action waiver, that her ECPA claim is a “Dispute” under the Terms, or even that the Terms apply retroactively to claims that accrued before her purported agreement on December 5, 2023. See generally [148]. “Failure to respond to an argument … results in waiver.” Bonte v. U.S. Bank, N.A., 624 F.3d 461, 466 (7th Cir. 2010). “It is not the responsibility of this court to make arguments for the parties.” Vaughn v. King, 167 F.3d 347, 354
(7th Cir. 1999). “This leaves [the Court] no choice but to accept [UCMC]’s assertions— supported as they are by pertinent legal authority”—that she entered into a valid and enforceable contract by agreeing to UCMC’s Terms and that her ECPA claim is a “Dispute” governed by the Terms’ requirements even though it accrued before she entered the agreement, [141] at 8–13. Bonte, 624 F.3d at 467. That leaves the disputed question of whether Hartley breached her obligations under the Terms by filing her second and third amended complaint. The parties do
not dispute the language of UCMC’s Terms, that Hartley did not follow the dispute resolution process described in the Terms, or that Hartley brought her suit as a putative class action. See [142] at ¶¶ 35, 37, 44, 45. Thus, whether Hartley breached her agreement with UCMC turns on how the Terms are construed. The parties agree that they are governed by Illinois law. See [147] at ¶ 38; [142-3] at 11; Beach Forwarders, Inc. v. Serv. by Air, Inc., 76 F.4th 610, 613 (7th Cir. 2023) (giving effect
to contract’s choice-of-law provision). “In Illinois, the construction, interpretation, or legal effect of a contract is a matter to be determined by the court as a question of law.” Id. (cleaned up) (quoting Horne v. Elec. Eel Mfg. Co., 987 F.3d 704, 718 (7th Cir. 2021)). “Under Illinois law, the goal of contract interpretation is to ascertain the parties’ intent and, in doing so, we first look to the plain and ordinary meaning of the contract language.” Id. (cleaned up) (quoting Selective Ins. Co. of S.C. v. Target Corp., 845 F.3d 263, 267 (7th Cir. 2016)). “We interpret the contract as a whole, viewing each part in light of the others.” Id. (cleaned up) (quoting Aeroground, Inc. v. CenterPoint Props. Tr., 738 F.3d 810, 813 (7th Cir. 2013)).
Hartley contends that UCMC’s argument “relies on a narrative … that Plaintiff’s filing of the Second Amended Complaint is a ‘new’ lawsuit.” [148] at 1. That narrative is false, she argues, because the two claims asserted in her second amended complaint had been dismissed without prejudice, and the court previously assigned to this case clarified that the dismissal did not terminate the case. [148] at 5. Thus, “none of the contractual promises she may have made with respect to filing a future class action lawsuit precluded her from proceeding with the claims that she had
already been pursuing since October 2022.” Id. UCMC contends that Hartley breached both the dispute resolution provision and the class-action waiver. Starting with the dispute resolution provision, UCMC explains that it applies to all “Disputes,” which the Terms define as including “claims” and “causes of action.” And since there were no pending claims on December 5, 2023, when Hartley agreed to the Terms, UCMC maintains that she was obligated to follow
the mandatory dispute resolution process before filing her second amended complaint on December 12, 2023. [149] at 4–5. Further, UCMC argues, the analysis is not changed by the fact that Hartley filed the original and first amended complaints before she agreed to the Terms, since “[t]he nature and scope” of the dispute “has shifted dramatically” since she filed her original complaint. Id. at 5. The claims in the original complaint were largely based on Hartley’s use of the UCMC MyChart patient portal, but the claims in the third amended complaint are based solely on her use of UCMC’s public website. Id. at 5. In UCMC’s view, the third amended complaint is therefore a new “claim or cause of action for which Plaintiff was required to provide
UCMC with written notice.” Id. at 6. Section 15 of the Terms contains the dispute resolution provision. At the outset, it defines “Disputes” as “disputes, claims, suits, actions, causes of action, demands, or proceedings against any UCMC Parties that in any way arise out of or relate to the operation, or your use, of the Digital Services or Content.” [142-3] at 10.4 Hartley has already waived any argument that her ECPA claim against UCMC is not a “Dispute” under this definition. See supra. But even if she hadn’t, the plain
language of the definition clearly encompasses Hartley’s ECPA claim: it is a “claim, suit, action, [or] cause[] of action,” and it “relate[s] to” her “use[] of the Digital Services.” [142-3] at 10. UCMC’s argument runs aground, however, when we reach the dispute resolution provision itself: You and UCMC agree that each party will notify the other party in writing of any Dispute within thirty (30) days of the date it arises so that the parties can attempt in good faith to resolve the Dispute informally. … If you and UCMC cannot agree how to resolve the Dispute within thirty (30) days after the date notice is received by the receiving party, then either you or UCMC may, as appropriate and in accordance with this section, commence a formal proceeding. [142-3] at 10–11 (emphasis added).
4 Page citations are to the blue CM/ECF numbers at the upper right of the Terms at [142-3]. This language simply does not apply to the facts of this case. Under Illinois law, “the date on the contract is ordinarily the effective date, and … its contractual terms … are effective from the date of the contract if such coverage is clear from the
face of the contract.” Asset Recovery Contracting, LLC v. Walsh Constr. Co. of Ill., 2012 IL App (1st) 101226, ¶ 63 (2012). The Terms here have an explicit “effective date” of August 31, 2023. [142-3] at 2. Hartley commenced formal proceedings in this case when she filed her original complaint on October 25, 2022, 10 months before that effective date. See [2]; Fed. R. Civ. P. 3 (“A civil action is commenced by filing a complaint with the court.”). Hartley was therefore under no contractual obligation to follow the Terms’ dispute resolution process before “commenc[ing]” this “formal
proceeding” when she did so in October 2022. [142-3] at 10. It does not matter that Hartley agreed to the Terms on December 5, 2023, after the dismissal of her first amended complaint on November 8, [52], but before she filed her second amended complaint on December 12, [61]. “When a district court grants a plaintiff leave to amend his pleading, the court signals that the action has not been fully and finally adjudicated on the merits, and that further proceedings will follow.”
Luevano v. Wal-Mart Stores, Inc., 722 F.3d 1014, 1021 (7th Cir. 2013). The dismissal of her ECPA and Breach of Implied Duty of Confidentiality claims by the court previously assigned to this case was without prejudice, [52] at 4–5, and the court further clarified on November 13 that the case was still open despite the dismissal, [56]. In its clarification order, the previous court implicitly granted Hartley leave to amend her complaint by setting a filing deadline for a second amended complaint. See [56]. The court later explained that, when it dismissed the first amended complaint, it “did not intend to terminate the case.” [75] at 2. Because the court signaled that “further proceedings [would] follow” its dismissal of the first amended
complaint, Luevano, 722 F.3d at 1021, Hartley’s filing of the second amended complaint did not amount to the “commence[ment]” of “a formal proceeding,” [142-3] at 10. It also does not matter that the ECPA claim in Hartley’s third amended complaint was based on allegations that UCMC had installed Meta collection tools only on its public website, whereas, in previous complaints, that claim was based on allegations that the tools had been installed not only on UCMC’s public website, but
also its MyChart patient portal and two other websites. Contrary to UCMC’s contention, the ECPA claim in her third amended complaint is not a “new” claim. See [149] at 7. “Simply alleging a few additional facts does not establish a new claim.” Daza v. State, No. 21-3247, 2022 WL 3226173, at *2 (7th Cir. 2022); see also In re Mut. Fund Mkt.-Timing Litig., 468 F.3d 439, 442 (7th Cir. 2006) (“Amendments that delete some legal theories, while leaving the parties’ identities untouched, relate back
to the original complaint and hence do not commence new litigation.”). Every iteration of Hartley’s complaint contained an ECPA claim based on UCMC’s alleged use of Meta collection tools on one or more of its web properties, and the first amended complaint—like the second and third—explicitly described their use on its public website; only the details of the underlying factual allegations varied. See [2] at 17; [33] at 19; [61] at 46; [126] at 43. Hartley thus did not “commence a formal proceeding” when she filed her second or third amended complaints, so those filings did not amount to a breach of the Terms’ dispute resolution provision. See [142-3] at 10. Hartley did, however, breach the Terms’ class-action waiver. The waiver
states: You and UCMC agree that each may bring claims or otherwise resolve Disputes against the other party only on an individual basis, and you waive the right to pursue any claims as a plaintiff of [sic] class member in any purported class or representative action or proceeding. [142-3] at 10. UCMC contends that, since the waiver “is not merely a limitation on filing a new claim, but also applies to any effort by [Hartley] to ‘pursue’ such a claim,” she “waived her ability to litigate any claim, whether pending or not, against UCMC on a class basis.” [149] at 6. The Court agrees. “Under Illinois law, undefined terms”—such as “pursue,” here—“are generally given their ‘plain, ordinary, and popular meaning’ as found in dictionary definitions.” Hess v. Kanoski & Assocs., 668 F.3d 446, 453 (7th Cir. 2012) (quoting Outboard Marine Corp. v. Liberty Mut. Ins. Co., 154 Ill.2d 90, 180 (1993)). According to Black’s Law Dictionary, to “pursue” is to “prosecute or sue.” Pursue, Black’s Law Dictionary (12th ed. 2024), Westlaw. The Oxford English Dictionary likewise defines “pursue” as “to prosecute.” Pursue, Oxford English Dictionary, https://www.oed.com/dictionary/pursue_v (last visited Sept. 24, 2025). And to “prosecute” is to “commence and carry out (a legal action).” Prosecute, Black’s Law Dictionary (12th ed. 2024), Westlaw (emphasis added). A party prosecutes a case
when it advances the case toward trial by, for example, meeting deadlines, participating in conferences, and engaging in discovery. See, e.g., Next Millennium Telecom Co. v. Am. Signal Corp., 112 F.4th 481, 484 (7th Cir. 2024); Dorsey v. Varga, 55 F.4th 1094, 1104–05 (7th Cir. 2022). The class-action waiver, then, unlike the dispute resolution provision, applies not only to new claims but to ongoing litigation.
Since Hartley’s ECPA claim against UCMC is a “Dispute” to which the class-action waiver applies, she may not pursue (or prosecute, or litigate) her claim “as a plaintiff o[r] class member in any purported class or representative action or proceeding.” [142-3] at 9. In short, because the dispute resolution provision in UCMC’s Terms of Service does not apply to this litigation, UCMC has not shown that it is entitled to judgment as a matter of law. But because the Terms’ class-action waiver is applicable, the Court
grants UCMC’s motion to strike Hartley’s class allegations. See Kasalo v. Harris & Harris, Ltd., 656 F.3d 557, 563 (7th Cir. 2011) (under Rule 23(c)(1)(A), “a court may deny class certification even before the plaintiff files a motion requesting class certification” and “[i]t need not delay a ruling on certification if it thinks that additional discovery would not be useful in resolving the class determination”). IV. Conclusion For the foregoing reasons, UCMC’s motion to dismiss the third amended
complaint [137] is denied, UCMC’s motion for summary judgment [140] is denied, and UCMC’s motion to strike Hartley’s class allegations [140] is granted. The parties are directed to meet and confer on how the Court’s order affects ongoing discovery proceedings and the possibility of settlement and to report on the outcome of those discussions in their 10/28/25 status report. [159]. If the parties would like the Court to schedule a status hearing on the topics of discovery and/or settlement, they may contact the Courtroom Deputy via email and propose dates for such a hearing. W) = /f{/ f Z| poagye. / / Ul Aub ha Georgia N. Alexakis United States District Judge Date: 10/1/25