WO

IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF ARIZONA

No. CV-23-00434-TUC-SHR
Order Granting Motion to Dismiss

George Williams, et al.,
Plaintiffs,
v.
TMC Health,
Defendant.

Pending before the Court is Defendant’s “Motion to Dismiss Amended Complaint” (Doc. 19). The Motion to Dismiss is fully briefed and the Court held oral argument on August 14, 2024. (Docs. 19-1, 20, 23, 36.) For the following reasons, the Court grants the Motion to Dismiss.

I. Background

Defendant TMC Health is a healthcare system in Southern Arizona serving patients via several hospitals and clinics. (Doc. 13 ¶ 1.) Plaintiffs are people who have visited TMC’s public website and have used the website to access the patient portal. (Id. ¶¶ 21–24.) This putative class action raises six claims based on Defendant’s use of online tracking technologies from Meta, LinkedIn, Snapchat, Google, CallRail, and potentially other third parties (collectively, “tracking technologies”) on its public website, www.tmcaz.com (the “Website”). (Id. ¶¶ 1, 9.)

A. The Website & Technologies Involved

Defendant’s Website allows visitors “to search for doctors, research conditions and symptoms,” “sign up for classes and events,” and “seek further information” related to sensitive healthcare topics. (Doc. 13 ¶¶ 1, 82.) “The Website’s landing page has a drop-down menu of options, including ‘request my medical records.’” (Id. ¶ 76.) TMC patients can also access the patient portal from Defendant’s Website, but the patient portal is a “user-authenticated webpage[],” which means patients are required to log in by providing a user name and password before they are able to access the patient portal. (Id. ¶¶ 21–24, 120, 191.)[1]

Unbeknownst to the Website’s visitors, Defendant embeds code on its Website, allowing third-party technology companies to “intercept and record the visitors’ activities on the Website in real-time, including specific searches for sensitive health-related topics.” (Doc. 13 ¶ 2.) These technologies include the Meta Pixel (“Pixel”) and similar tracking technologies.[2] (Id. ¶ 7.)
When Pixel code is embedded on a third-party website, like Defendant’s Website, Pixel “tracks the website visitor’s activity on that website and sends that data,” including “mouse clicks, words typed into search bars, and pages visited on the website,” to Meta. (Id. ¶ 6.)

Generally, Pixel and related technologies interact with communications between a browser and a server. “Web browsers are software applications that allow consumers to navigate the web and view and exchange electronic information and communications over the internet.” (Doc. 13 ¶ 50.) “Each ‘client device’ (such as computer, tablet, or smart phone) accesses web content through a web browser (e.g., Google’s Chrome browser, Mozilla’s Firefox browser, Apple’s Safari browser, and Microsoft’s Edge browser).” (Id.) “Every website is hosted by a computer ‘server’ that holds the website’s contents and through which the entity in charge of the website exchanges communications with Internet
users’ client devices via their web browsers.” (Id. ¶ 51.)

[1] Plaintiffs do not allege any disclosure of data related to how they used Defendant’s private patient portal.

[2] Although Plaintiffs include detailed descriptions of how each technology operates in their Amended Complaint, the Court will not restate those details in full here because nothing about the specifics of each technology involved changes the legal analysis. Therefore, the Court will treat these technologies together for its analysis.

A user’s web browser communicates with a website’s server by sending an HTTP Request, most commonly in the form of a GET Request, and the server communicates back by sending an HTTP Response. (Doc. 13 ¶ 52.) “In addition to specifying a particular URL (i.e., web address), GET Requests can also send data to the host server embedded inside the URL, and can include cookies.” (Id.) Other types of HTTP Requests send even more data. For example, a POST Request “can send a large amount of data outside of the URL (for instance, uploading a PDF for filing a motion to a court).” (Id.) Cookies are small text files “used to store information on the client device that can later be communicated to a server or servers.” (Id.) “Cookies are sent with HTTP Requests from client devices to the host server.” (Id.) After receiving an HTTP Request asking the server to retrieve certain information (such as a webpage), the “HTTP Response sends the requested information in the form of ‘Markup.’” (Id. ¶ 53.) “This is the foundation for the pages, images, words, buttons, and other features that appear on the individual’s screen as they navigate” a website. (Id.) “Every website is composed of Markup and ‘Source Code.’ Source Code is a set of instructions that commands the website visitor’s browser to take certain actions when the web page first loads or when a specified event triggers the code.” (Id. ¶ 54.)
Specifically, when a person visits Defendant’s Website, i.e. the person’s web browser sends an HTTP Request to Defendant’s server, “the server sends an HTTP Response including the Markup that displays the webpage visible to the user along with the invisible Source Code that includes the Pixel.” (Doc. 13 ¶ 56.) After this initial communication, the source code containing Pixel then operates to transmit data back to Meta’s servers and Defendant’s server. (Id.) This data “is also linked to a specific IP address, which Meta may use in combination with other cookies and tracking technologies to associate the web activity to a specific Facebook user.” (Id. ¶ 57.) “Meta does this by placing cookies,” like the “c_user” cookie, which “contains a numerical value known as the Facebook ID” that “uniquely identifies a Facebook user,” in the web browsers of users logged into their services. (Id. ¶ 58.) Therefore, “[w]hen a Facebook user visits the Defendant’s Website while logged-in to their Facebook account,” Pixel sends the user’s “web communications with the Defendant along with the ‘c_user’ cookie” to Meta. (Id.) “Meta can then use this information to match the web communications with the user’s Facebook ID.” (Id.)

By embedding these technologies into the Website’s source code, data about a user’s visits to the Website, “including the URL, referrer, IP address, device and browser characteristics (User Agent),” and searched terms, are shared with third parties including Meta, LinkedIn, Snapchat, Google, and CallRail. (Doc. 13 ¶¶ 56, 70–76, 80–84, 86–89, 91–94.) Defendant embedded these technologies into the Website and shared the data with third parties “to increase its own profits through sophisticated and targeted advertising and to improve its website analytics.” (Id. ¶ 2; see also id. ¶¶ 12, 73, 83, 89, 108, 187.) Plaintiffs never consented to share their data with these third parties. (Id.
¶¶ 65, 77, 85, 90, 95.)

B. Regulatory Landscape

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Secretary of the Department of Health and Human Services has promulgated various regulations to ensure the confidentiality of individuals’ health information and protect against “unauthorized uses or disclosures of the information.” 42 U.S.C. § 1320d-2; see also 45 C.F.R. §§ 160, 164. The Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), (Doc. 13 ¶ 118), establishes standards for the protection of certain health information, broadly defining “[p]rotected health information” (PHI) as “individually identifiable health information” (IIHI) that is “[t]ransmitted by electronic media,” “maintained in electronic media,” or “transmitted or maintained in any other form or medium.” 45 C.F.R. § 160.103.

In December 2022, the Department of Health and Human Services Office for Civil Rights issued guidance on the use of tracking technologies. (Doc. 13 ¶ 11.) This guidance explained regulated entities are not permitted to use tracking technologies if the use results in “impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” (Id.) “The OCR’s guidance also made clear that, ‘disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.’” (Id.)

C. Notice of Privacy Practices

Defendant’s Website contains a “Notice of Privacy Practices,” which explains the measures Defendant will take to protect patient PHI under HIPAA. (Doc. 13 ¶ 29.) The Notice states “TMC Health is required by law to provide notification to affected individuals or their representatives and to the [Office for Civil Rights] for [Health and Human Services] following the discovery of a breach of unsecured PHI.” (Id.
(alteration in original) (quoting https://www.tmcaz.com/notice-of-privacy-practices).) Additionally, the Notice states “TMC Health will obtain your authorization to use or disclose your PHI in the following circumstances: . . . disclosures for marketing purposes.” (Id. ¶ 30 (quoting https://www.tmcaz.com/notice-of-privacy-practices).) However, the Notice did not mention Defendant’s use of tracking technologies on its Website. (Id. ¶ 31.)

II. Legal Standard

A. Motion to Dismiss

The Court can dismiss a complaint or the claims in it under Federal Rule of Civil Procedure 12(b)(6) if the claims lack a cognizable legal theory or if insufficient facts are alleged to support the theory. Balistreri v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988). A complaint must “contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Glazer Cap. Mgmt., L.P. v. Forescout Techs., Inc., 63 F.4th 747, 763 (9th Cir. 2023) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). Moreover, Rule 8(a) requires “a complaint to contain ‘a short and plain statement of the claim showing . . . the pleader is entitled to relief.’” Id. (quoting Fed. R. Civ. P. 8(a)(2)). While “[a]ll allegations of material fact are taken as true and construed in the light most favorable to the nonmoving party,” Silvas v. E*Trade Mortg. Corp., 514 F.3d 1001, 1003 (9th Cir. 2008), “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice,” Plaskett v. Wormuth, 18 F.4th 1072, 1083 (9th Cir. 2021) (quoting Iqbal, 556 U.S. at 678).

B. Leave to Amend

Leave to amend should be freely given “when justice so requires.” Fed. R. Civ. P. 15(a)(2). “This policy is ‘to be applied with extreme liberality.’” Eminence Cap., LLC v. Aspeon, Inc., 316 F.3d 1048, 1051 (9th Cir. 2003) (quoting Owens v. Kaiser Found.
Health Plan, Inc., 244 F.3d 708, 712 (9th Cir. 2001)). Generally, a “district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) (citation omitted).

III. Analysis[3]

The Court will dismiss all of Plaintiffs’ claims but will grant leave to amend as detailed below.

A. Count One: Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA) provides a private right of action against any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication. 18 U.S.C. §§ 2511(1)(a), 2520. A person who is a “party” to the communication is generally exempt from liability for “intercept[ing] a wire, oral, or electronic communication.” § 2511(2)(d). However, there is an exception to this exemption if a party to the communication intercepts it “for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” Id. “[T]he focus is not upon whether the interception itself violated another law; it is upon whether the purpose for the interception—its intended use—was criminal or tortious.” Sussman v. Am. Broad. Cos., 186 F.3d 1200, 1202 (9th Cir. 1999) (citation
omitted). “This criminal or tortious purpose must be separate and independent from the act of the recording.” Planned Parenthood Fed’n of Am., Inc. v. Newman, 51 F.4th 1125, 1136 (9th Cir. 2022).

[3] Both parties cite many District Court cases, including in numerous notices of supplemental authority. The Court is not bound by these decisions, nor will it rule based on “trends” in cases not before it. See Camreta v. Greene, 563 U.S. 692, 709 n.7 (2011) (“A decision of a federal district court judge is not binding precedent in either a different judicial district, the same judicial district, or even upon the same judge in a different case.” (citation omitted)).

Additionally, under subsection (1)(c), it is unlawful to “intentionally disclose[], or endeavor[] to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection.” § 2511(1)(c) (emphasis added). Under subsection (1)(d), it is unlawful to “intentionally use[], or endeavor[] to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection.” § 2511(1)(d) (emphasis added).

Plaintiffs allege Defendant violated subsections (1)(a), (c), and (d) of the ECPA by intercepting information searched for by Plaintiffs on its public website, sharing it with third parties, and having an improper purpose while doing so. (Doc. 13 ¶¶ 183, 186–88.)
The success of Plaintiffs’ allegations hinges on whether the crime-tort exception to the party exemption applies because Plaintiffs do not allege Defendant was not a party to the communications.[4] Specifically, Plaintiffs allege Defendant intercepted the communications with the purpose of committing a tort or crime and assert five grounds for the crime-tort exception. Namely, Plaintiffs allege Defendant committed the tort of intrusion upon seclusion and violated the Arizona Consumer Fraud Act (ACFA), 42 U.S.C. § 1320d-6, HIPAA, and A.R.S. § 13-2316(A)(1). (Doc. 13 ¶¶ 188–89.) Defendant contends the party exception applies—arguing it could not intercept a communication when it was the intended recipient (Doc. 19-1 at 6–7)—and the crime-tort exception does not apply because, first, Plaintiffs pled insufficient facts, and second, any allegedly criminal or tortious act resulting from the interception was not the purpose of the
intercepting act. (Doc. 19-1 at 7–8.)

[4] Plaintiffs explicitly argued the party exemption applies at oral argument. (See Oral Arg. Tr. at 38:14–18 (“[TMC is] a party to the communication. They can tap that conversation through their website all they want. . . . No liability [under ECPA] for that unless they’re intending to use it for some tortious or criminal purpose.”).)

Plaintiffs fail to state a claim under the ECPA because they have not sufficiently alleged a criminal or tortious purpose. According to the Amended Complaint, Defendant uses these technologies “to obtain valuable personal data about visitors to its Website, . . . to increase its own profits through sophisticated and targeted advertising[,] and to improve its website analytics.” (Doc. 13 ¶ 2.) Another reason Defendant uses these technologies is for “marketing purposes.” (Id. ¶¶ 4, 39.) Therefore, Plaintiffs’ allegation Defendant intended to commit various torts or violate various state and federal laws is conclusory and unsupported by any facts. Instead, all the facts Plaintiffs alleged regarding Defendant’s purpose in intercepting the communications point to one conclusion—a non-criminal, non-tortious purpose. Even if Defendant had an improper purpose, Plaintiffs’ ECPA claim would fail for an independent reason—the Website cannot distinguish between who is a patient and who is not a patient clicking on the “patient portal” link. Therefore, the disclosure of data regarding what healthcare information someone searches for and whether someone clicks on the patient portal link does not necessarily implicate HIPAA. Thus, Plaintiffs fail to state a claim under § 2511(1)(a).

Next, the Court must address what this means for Plaintiffs’ § 2511(1)(c) and (d) claims. (See Doc. 13 ¶¶ 186–87.) Because this Court finds no violation of subsection (1)(a), Plaintiffs’ subsection (1)(c) and (d) claims also fail.
Defendant could not have disclosed or used the contents of a communication while “knowing or having reason to know that the information was obtained through [an] interception . . . in violation of this subsection” if there is no violation of subsection (1)(a). § 2511(1). This alone dooms Plaintiffs’ secondary ECPA claims.

Even if the Court were to disregard this fatal flaw, the allegations are otherwise insufficient because it is unclear to the Court what “content” required under these subsections of the statute Plaintiffs allege was “disclosed” or “used.” (See Doc. 13 ¶¶ 186–87.) In sum, Plaintiff fails to allege how the technology at issue here violates the requirements of these subsections of ECPA. Therefore, Plaintiffs’ § 2511(1)(c) and (d) claims fail. Accordingly, Plaintiffs’ ECPA claim is dismissed.

B. Count Two: Arizona Consumer Fraud Act

The ACFA provides:

    The act, use or employment by any person of any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice.

A.R.S. § 44-1522(A). “‘Advertisement’ includes the attempt by publication, dissemination, solicitation or circulation, oral or written, to induce directly or indirectly any person to enter into any obligation or acquire any title or interest in any merchandise.” A.R.S. § 44-1521(1). “‘Merchandise’ means any objects, wares, goods, commodities, intangibles, real estate or services.” § 44-1521(5). “‘Sale’ means any sale, offer for sale or attempt to sell any merchandise for any consideration.” § 44-1521(7).
The ACFA “imposes the actionable duty—to refrain from a ‘deceptive act or practice’ or an ‘omission of any material fact with intent that others rely’ thereon.” State ex rel. Horne v. AutoZone, Inc., 275 P.3d 1278, 1281 (Ariz. 2012) (quoting A.R.S. § 44-1522(A)). “[T]o succeed on a claim of consumer fraud, a plaintiff must show (1) a false promise or misrepresentation made in connection with the sale or advertisement of ‘merchandise,’ and (2) consequent and proximate injury resulting from the misrepresentation.” Watts v. Medicis Pharm. Corp., 365 P.3d 944, 953 (Ariz. 2016); see also Nataros v. Fine Arts Gallery of Scottsdale, Inc., 612 P.2d 500, 504 (Ariz. Ct. App. 1980) (noting that damage is an element of an ACFA claim). Claims under the ACFA’s omission clause “require[] proof that the omission is material and made with intent that a consumer rely thereon.” Horne, 275 P.3d at 1281. Furthermore, “a false or deceptive ‘advertisement’ must have been related to a sale between the parties.” Sullivan v. Pulte Home Corp., 290 P.3d 446, 454 (Ariz. Ct. App. 2012), vacated in part on other grounds, 306 P.3d 1 (Ariz. 2013).

Plaintiffs allege Defendant concealed, suppressed, and omitted material facts regarding its use of tracking technologies on the Website to intercept and disclose Plaintiffs’ information. (Doc. 13 ¶ 201.) In its Motion, Defendant asserts the ACFA does not apply because “there is no merchant-consumer transaction at issue,” and it owes no duty to a visitor of a public website. (Doc. 19-1 at 11.) Finally, to the extent Plaintiffs attempt to allege an omission under the ACFA, Defendant argues the omission was not material and Defendant did not intend for consumers to rely upon it. (Id. at 12.)

Here, Plaintiffs fail to state a claim under the ACFA.
As a preliminary matter, it is unclear whether Plaintiffs allege a deceptive “practice” or “omission.” Instead, Plaintiffs seem to blend the two together. (See Doc. 13 ¶ 201 (“Defendant committed unfair or deceptive acts and practices in and from Arizona, in violation of the [ACFA], by concealing, suppressing, and omitting material facts regarding its use of tracking technologies.”).) Insofar as Plaintiffs attempt to allege a deceptive practice of concealing relevant facts, Plaintiffs’ claim is conclusory because they allege no more than omissions of material fact subject to the omissions clause of the ACFA. (Id.)

Having determined Plaintiffs fail to state a claim based on a deceptive practice, Plaintiffs’ only remaining cognizable legal theory is under the omission clause. This too fails. Plaintiffs do not sufficiently allege they relied on the Website’s omission of facts in connection with seeking healthcare services, nor do they allege an independent sale or advertisement of the Website itself. Plaintiffs claim “Defendant was selling or advertising merchandise (including services) as those terms are defined in A.R.S. § 44-1521” and “[a]s part of its healthcare services to patients and prospective patients, Defendant offered the Website as a means for Plaintiffs” to research healthcare matters. (Doc. 13 ¶ 200.) However, these allegations conflate whether Plaintiffs are claiming the Website is an advertisement for Defendant’s healthcare services or claiming the Website itself is a service. Assuming the former, Plaintiffs fail to allege how the Website’s failure to disclose its use of tracking technologies impacted Plaintiffs’ decision to seek Defendant’s healthcare services after using the Website. In other words, Plaintiffs fail to show any relationship between this omission and Defendant’s sale of healthcare services to Plaintiffs. See Sullivan, 290 P.3d at 454.
Assuming the latter, meaning the Website is a service in and of itself, then Plaintiffs fail to allege any independent sale or advertisement related to the Website. Nevertheless, even assuming these problems with Plaintiffs’ complaint could be resolved, Plaintiffs still fail to allege Defendant intended Plaintiffs rely on the omission in either choosing to use the Website or choosing to use Defendant’s healthcare services. Therefore, the Court will dismiss Plaintiffs’ ACFA claim.

C. Count Three: Negligence

To state a claim for negligence, a plaintiff must allege: “(1) a duty requiring the defendant to conform to a certain standard of care; (2) breach of that standard; (3) a causal connection between the breach and the resulting injury; and (4) actual damages.” Quiroz v. ALCOA Inc., 416 P.3d 824, 827–28 (Ariz. 2018). Under Arizona law, a duty can arise either from the parties’ special relationship or public policy. Avitia v. Crisis Preparation & Recovery Inc., 536 P.3d 776, 782 (Ariz. 2023). When determining whether a duty exists, the Court looks primarily to statutes and common law. Id. The Arizona Supreme Court has recognized HIPAA and internal privacy practices can inform the standard of care in a negligence claim but do not give rise to a per se duty. Shepherd v. Costco Wholesale Corp., 482 P.3d 390, 396 (Ariz. 2021). The existence of a duty is a matter of law for the Court to decide. Gipson v. Kasey, 150 P.3d 228, 230 (Ariz. 2007).

Plaintiffs allege a duty arises from Defendant’s special relationship with its “patients and prospective patients” and contractual obligations arising from the Privacy Policy on its Website. (Doc. 13 ¶ 214.) Defendant contends it owes no duty to safeguard public online browsing information. (Doc. 19-1 at 13.) In response, Plaintiffs cite a variety of sources as purported bases of this duty, including the Restatement (Second) of Torts § 551 (Am. L. Inst. 1977) and A.R.S.
§§ 12-2235 and 12-2291 through 2297. (See Doc. 20 at 20.) For the following reasons, the Court finds Plaintiffs fail to state a claim for negligence under Arizona law because Defendant owed no duty to Plaintiffs.

First, although healthcare providers like Defendant may have a duty under HIPAA to protect unauthorized disclosure of sensitive information, that duty only extends to patients. Plaintiffs do not sufficiently allege, nor is the Court independently aware of, any portion of HIPAA or the regulations promulgated by the Department of Health and Human Services requiring healthcare providers who maintain websites to protect website visitors from having their interactions with the webpage logged and shared for advertising purposes. Such an interpretation would stretch HIPAA and federal guidance implementing HIPAA to an extent completely divorced from the text.

Second, the Arizona statutes cited by Plaintiffs do not support a duty between a healthcare provider and people visiting its free, public website. Section 12-2235 does not create a special relationship because the statute only applies to communications between a physician and patient and Plaintiffs do not allege any communications via the Website occurred between Defendant’s physicians and patients. Additionally, § 12-2291 does not create any duty related to the data disclosure at issue here because it discusses only medical records and payment records, neither of which are alleged to have been disclosed.

Third, the Restatement section Plaintiffs cite involves liability for nondisclosure in a “business transaction.” Restatement § 551. Here, Plaintiffs fail to explain how browsing a free informational website gives rise to a “business transaction.” Therefore, the Court finds Defendant did not owe Plaintiffs a duty under § 551.
Lastly, as discussed below in Section III.E, there is no contractual relationship between Defendant and Plaintiffs to support a duty based on a contract. Therefore, the Court concludes Plaintiffs fail to sufficiently allege Defendants owed them a duty, and, thus, the Court dismisses their negligence claim.

D. Count Four: Invasion of Privacy – Intrusion Upon Seclusion

A plaintiff asserting a claim for intrusion upon seclusion must allege an intentional intrusion, physical or otherwise, “upon the solitude or seclusion of another or his private affairs or concerns” that “would be highly offensive to a reasonable person.” Hart v. Seven Resorts Inc., 947 P.2d 846, 853 (Ariz. Ct. App. 1997) (quoting Restatement (Second) of Torts § 652B). “The defendant is subject to liability [for intrusion upon seclusion] only when he has intruded into a private place[] or has otherwise invaded a private seclusion that the plaintiff has thrown about his person or affairs.” Id. (quoting Restatement § 652B cmt. c).

Plaintiffs allege “Defendant intruded upon and permitted unauthorized third parties to intrude upon Plaintiffs’ and the Class’s private communications with Defendant regarding sensitive medical information” by “intentionally embedding and implementing the tracking technologies on its Website.” (Doc. 13 ¶ 226.) Defendant contends “the intrusion, if any, was carried out by a third party,” the conduct was not highly offensive, and “the transmission of Plaintiffs’ public website browsing data” cannot amount to an invasion of privacy. (Doc. 19-1 at 15–17.)

Here, Plaintiffs fail to state a claim for intrusion upon seclusion because their Complaint is devoid of factual allegations supporting an intrusion by Defendant. As discussed above, these tracking technologies are only employed when Defendant’s server receives an HTTP Request from a user’s web browser.
Then, the source code containing the tracking technologies essentially allows the technology companies to “listen in” on the communications between Plaintiffs and Defendant. If this is the case, as the Plaintiffs allege, the only intrusion is perpetrated by the technology companies, not Defendant. Plaintiffs specifically request Defendant to intrude, i.e. respond, by providing answers to healthcare questions on the Website. Plaintiffs cannot then turn around and bring a legal claim based on an interaction with a public website they not only invited but also requested.

Moreover, Plaintiffs do not develop a cognizable legal argument that Defendant’s communication with Plaintiffs via a public website with knowledge that third parties may be “intruding” constitutes an intrusion upon seclusion. Any acts Plaintiffs allege constitute an “intrusion” arise either from Plaintiffs’ HTTP Requests or from the third-party technology companies themselves. Even assuming this were not the case, Plaintiffs fail to allege “solitude or seclusion.” Although Plaintiffs assert a privacy interest in communications regarding “sensitive medical information,” they do not explain how the sensitivity of their communications can transform public communications into “solitude or seclusion.” Even assuming these allegations support some level of intrusion from Defendant into Plaintiffs’ solitude by allowing third parties access to browsing data for analytical purposes, Plaintiffs do not plead facts to support their conclusory allegations regarding whether this intrusion would be highly offensive to a reasonable person. (Doc. 13 ¶ 229.) Thus, the Court will dismiss Plaintiffs’ intrusion upon seclusion claim.

E. Count Five: Breach of Implied Contract

An implied contract is inferred by law, not evidenced by an explicit agreement, “from the acts and conduct of the parties and circumstances surrounding their transaction.” Carroll v.
Lee, 712 P.2d 923, 926 (Ariz. 1986). To succeed on a breach of implied contract claim, Plaintiffs must allege facts establishing (1) the existence of a contract through the parties’ acts or conduct; (2) breach; and (3) resulting damages. See First Am. Title Ins. Co. v. Johnson Bank, 372 P.3d 292, 297 (Ariz. 2016).

Plaintiffs allege when they “paid money and provided their Sensitive Information to Defendant as consideration in exchange for services, they entered implied contracts pursuant to which Defendant agreed to safeguard and not disclose their Sensitive Information without Plaintiffs’ and Class Members’ consent.” (Doc. 13 ¶ 236.) Furthermore, as “[a]n implicit part of the agreement,” “Defendant would safeguard Plaintiffs’ and Class Members’ Sensitive Information consistent with industry and regulatory standards and Defendant’s privacy policy and would timely notify Plaintiffs in the event of a disclosure to third parties.” (Id. ¶ 237.) Defendant asserts Plaintiffs’ allegations fail because they are conclusory and fail to plead facts showing the parties shared the requisite mutuality of assent. (Doc. 19-1 at 18.) Specifically, Defendants contend “there are [neither] facts that plausibly show that TMC Health agreed to not use pixels or similar technology on its website . . . [n]or are there facts pled demonstrating any mutual understanding between the parties that payment for medical treatment somehow meant that TMC Health would not use pixels on its public website.” (Id. (emphasis added).)

Here, Plaintiffs do not make sufficient, non-conclusory factual allegations about Defendant’s conduct to establish an implied-in-fact contract between the parties nor do they sufficiently allege any supposed contract terms. To the extent Plaintiffs attempt to allege Defendant breached an implied contract by not complying with its own written Privacy Policy (see Doc. 13 at ¶ 237), the attempt fails.
The Privacy Policy cannot serve as the basis for an implied contract because there would be no consideration for any such contract. See In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *3 (D. Ariz. Dec. 20, 2017) (concluding no contract was formed where the defendant “was already under a preexisting legal duty to protect [the plaintiff’s] information” because the privacy policy could not “be read as a promise to do anything above and beyond what is already required by law”). Based on the allegations in Plaintiffs’ complaint, Defendant was already required under HIPAA to protect patients in the ways that it promised. Accordingly, Plaintiffs’ allegations fail to state a breach of implied contract claim.

F. Count Six: Unjust Enrichment

An unjust enrichment claim allows the Court to grant “a flexible, equitable remedy” where a defendant is “obliged by the ties of natural justice and equity” to compensate plaintiff for benefits received. Murdock-Bryant Constr., Inc. v. Pearson, 703 P.2d 1197, 1202 (Ariz. 1985) (quoting Dan B. Dobbs, Law of Remedies § 4.2 at 235 (1973)). “An unjust enrichment claim requires proof of ‘(1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and impoverishment, (4) the absence of justification for the enrichment and impoverishment, and (5) the absence of a remedy provided by law.’” Perdue v. La Rue, 474 P.3d 1197, 1205 (Ariz. Ct. App. 2020) (quoting Wang Elec., Inc. v. Smoke Tree Resort, LLC, 283 P.3d 45, 49 (Ariz. Ct. App. 2012)). Plaintiff need not have suffered a “loss corresponding to the defendant’s gain for there to be a valid claim for an unjust enrichment.” John A. Artukovich & Sons, Inc. v. Reliance Truck Co., 614 P.2d 327, 329 (Ariz. 1980).

Plaintiffs allege an unjust enrichment claim “in the alternative in the event Plaintiffs . . . have an inadequate remedy at law.” (Doc. 13 ¶ 248.)
To support this claim, Plaintiffs allege they provided information to Defendant via the Website “for the purposes of receiving healthcare services or healthcare-related information and knowledge.” (Doc. 13 ¶ 244.) Plaintiffs also allege “Defendant receives a benefit” by using Plaintiffs’ information “for its own gain, without consent or authorization,” to save on marketing and advertising costs and to increase profits by acquiring new patients and using the information to get existing patients to seek more services. (Id.) Additionally, Plaintiffs allege they were “not compensated by Defendant for the data they provided,” and “Defendant unjustly retained those benefits at the expense of Plaintiffs.” (Id. ¶ 245.) In its Motion, Defendant asserts Plaintiffs’ allegations are conclusory and no benefit was conferred upon TMC Health through cost savings for marketing and advertising and increased profits from this advertising. (Doc. 19-1 at 20.)

Here, Plaintiffs have not pled facts sufficient to support an unjust enrichment claim. Specifically, Plaintiffs never state facts supporting a cognizable impoverishment. Plaintiffs attempt to plead an impoverishment based on the perceived value of their data. But, first, this ignores the benefit they received by being able to use the Website to seek healthcare information. And, second, the complaint is devoid of allegations indicating Plaintiffs ever intended to profit from their data or even had some other avenue of profiting from their data. Therefore, the allegations do not suggest it would be unjust for Defendant to use the data for analytics and advertising purposes because, in the absence of Defendant’s use, Plaintiffs would still be in the same position, i.e. those benefits were not retained at the expense of Plaintiffs. Therefore, the Court will dismiss Plaintiffs’ unjust enrichment claim.

G. Leave to Amend

Plaintiffs specifically request leave to amend their complaint in the event the Court finds their allegations deficient or lacking specificity. (Doc. 20 at 27 n. 11.) Defendant requests all the claims be dismissed with prejudice and specifically mentions amendment would be futile for the ECPA and intrusion upon seclusion claims. (Doc. 19-1 at 7, 16.) Although it is difficult for the Court to see how Plaintiffs could successfully allege these claims, it is not impossible for the Court to envision a set of facts sufficient to state the claims. Therefore, the Court will dismiss the claims without prejudice and provide an opportunity for Plaintiffs to amend their complaint.

IV. Conclusion

IT IS ORDERED Defendant’s Motion to Dismiss (Doc. 19) is GRANTED.

IT IS FURTHER ORDERED Plaintiffs’ First Amended Complaint is DISMISSED WITHOUT PREJUDICE.

IT IS FURTHER ORDERED Plaintiffs may file an amended complaint no later than Thursday, October 31, 2024.

IT IS FURTHER ORDERED, if Plaintiffs do not file a second amended complaint by Thursday, October 31, 2024, the Clerk of Court shall close this case.

Dated this 30th day of September, 2024.

Honorable Scott H. Rash
United States District Judge