A new federal court decision denied a motion to dismiss in a case alleging Federal Electronic Communications Privacy Act (ECPA) claims arising from the sharing of health information through a website’s online tracking technology. What does this case teach and what should healthcare companies be doing about it?

Recap of ECPA Online Tracker Claims

Over the past several months, plaintiffs have been increasingly filing claims, both individual and class action, under a theory of breach of the Federal Electronic Communications Privacy Act (ECPA), alleging that website tracking technologies constitute an interception of online communications without consent, in violation of federal wiretapping law.

In general, a party to a communication is exempt from ECPA liability under the statute’s “party exception.” However, an important limitation on this exception is the “crime-tort exception”: a party to a communication may still be liable if the communication “is intercepted for the purpose of committing any criminal or tortious act.” This exception has become a critical battleground in online tracker litigation, particularly in the healthcare context, where plaintiffs allege that sharing health information through trackers constitutes a criminal violation of HIPAA.

What Are Some New Points in the Case?

Applicability of Crime Tort Exception

Here, the court allowed the case to proceed beyond a motion to dismiss, finding that the crime-tort exception could apply where a plaintiff shows that the website publisher intended to violate HIPAA’s criminal prohibition against unauthorized disclosure of “individually identifiable health information.” The court acknowledged that courts around the country, including courts within the same circuit, are divided on this issue, but adopted the position that an alleged violation of HIPAA can constitute an independent act for purposes of ECPA’s crime-tort exception.

The court reiterated the position that protected health information (PHI) does not include a user’s browsing activity on a public-facing website that generates only general search queries. The court held, however, that booking a consultation for a particular medical treatment, for example, by navigating through a treatment-specific subpage and submitting personal information through a consultation booking form, could rise to the level of PHI, even where the plaintiff did not access a password-protected page.

Additionally, the court held that the plaintiff must provide sufficient evidence to show that the shared data led to targeted marketing. The court considered the plaintiff’s allegations, including that the plaintiff’s only online search for the relevant medical treatment was through this particular website, that the plaintiff had an active account with the third-party tracker provider (the advertiser), and that the advertiser relies exclusively on its own first-party tracking technologies. Based on these facts, the court found a sufficient inference that the plaintiff received targeted advertisements related to the medical services at issue as a result of the defendant’s use of the tracking technology.

Contents of Communication

The court held that personal details, including full name, email address, phone number, date of birth, city, state, and zip code, entered through a consultation booking form on a medical treatment-specific subpage, together with the act of booking a consultation for a specific medical treatment, can be sufficient to constitute “contents of communications” under ECPA. ECPA defines “contents” as “any information concerning the substance, purport, or meaning” of a communication, and this has been held before to refer to the intended message conveyed by a communication, as distinguished from mere record information regarding the characteristics of a message.

The court also considered whether a descriptive URL for a specific medical treatment subpage, from which the consultation was booked, constituted “contents of communications,”

Another factor the court considered was proof of what information had been intercepted, rather than a general allegation to that effect. The court distinguished prior cases where plaintiffs failed to specify what information was intercepted, noting that this plaintiff identified in detail the specific data points captured by the tracking technology.

Negligence and Breach of Confidence

The court allowed a claim of negligence to proceed. It held that a healthcare provider’s duty to protect PHI from unauthorized disclosure is not strictly limited to treatment records or medical records and can apply to other health and medical information. The court noted that applicable state law provides that individuals have the right to have protected health information safeguarded from unlawful use or disclosure, and that this protection is not strictly limited to “medical records.”

The court also allowed a claim of breach of confidence to proceed for similar reasoning, finding that the plaintiff had sufficiently alleged that confidential information, including medical appointment information, was transmitted to the third-party platform through the tracking technology.

Unjust Enrichment

The court allowed a claim of unjust enrichment to proceed. It found sufficient, at the pleading stage, the plaintiff’s allegation that the healthcare company disclosed and used the plaintiff’s medical and health information for its own gain, that this provided the defendant with economic, intangible, and other benefits, including substantial monetary compensation, and that the defendant retained those benefits without providing any commensurate compensation to the plaintiff.

What This Means for Healthcare Companies

This decision underscores several important takeaways for healthcare companies that maintain consumer-facing websites.

First, healthcare companies should carefully evaluate any third-party tracking technologies embedded on their websites, including social media tags and analytics pixels. Where these trackers capture user activity that goes beyond general browsing, such as booking a consultation for a specific medical treatment or submitting personal information through a form, courts may find that the information rises to the level of PHI, even on a public-facing website that does not require a password-protected login.

Second, the crime-tort exception to ECPA’s one-party consent rule remains a viable theory for plaintiffs in the healthcare space, and courts continue to be split on whether HIPAA violations can serve as the predicate act for this exception. Healthcare companies should not assume that the party exception to ECPA will insulate them from liability where tracking technologies share health-related data with third parties for advertising purposes.

Third, healthcare companies face heightened risk where trackers capture granular, identifiable information tied to specific treatments or services. As this case shows, plaintiffs who can specifically identify the data points captured by tracking technologies, and connect that data to targeted advertising they received, are more likely to survive a motion to dismiss.

Fourth, the exposure is not limited to ECPA claims, or to medical records. As this case demonstrates, healthcare companies may also face state law claims for negligence, breach of confidence, and unjust enrichment based on the same underlying conduct. Notably, the court also held that a healthcare provider’s duty to protect health information is not strictly limited to medical records, broadening the scope of potential liability.

Fifth, and beyond the scope of this case itself, healthcare companies face closer scrutiny than others because of the sensitive nature of the data they process, even where it does not constitute PHI. If the information is deemed to be “sensitive information” under state privacy laws, or “consumer health data” under laws such as Washington State’s My Health My Data Act, similar conduct could give rise to claims or enforcement actions under other causes of action.

If you are a healthcare company, the information collected and shared through your website could give rise to potential liability through multiple legal avenues. Healthcare companies should conduct a thorough audit of all tracking technologies deployed on their websites, consult with privacy counsel regarding whether the data captured by those technologies could constitute PHI or sensitive data or otherwise trigger legal obligations, and ensure that appropriate consents and disclosures are in place before sharing any health-related data with third-party platforms.
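The audit recommended above, and the risk factors the court weighed (a treatment-specific subpage, a consultation form collecting identifying details, and third-party tags loaded on that same page), can be turned into a first-pass static check. The following is an added illustration, not code from the original post or from any party to the case. It parses a constructed sample page with Python’s standard library, lists the external hosts whose script, image, or iframe tags are embedded, collects the named form fields, and rates the page using the same combination of factors the decision discusses. The first-party domain `clinic.example`, the path hints, the field names, and the tracker hostnames are all assumptions invented for the example.

```python
"""Static audit of a web page for third-party tags alongside health-related forms.

Added example (not from the original post). Everything below is constructed:
the sample HTML, the first-party domain, the URL path hints, and the list of
field names treated as identifying.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a treatment-specific subpage that embeds two third-party
# tags and a consultation booking form. No real site or vendor is represented.
SAMPLE_HTML = """
<html><head>
  <script src="https://cdn.analytics.example/tag.js"></script>
  <script src="/static/site.js"></script>
</head><body>
  <img src="https://pixel.adnetwork.example/px?ev=PageView" width="1" height="1">
  <form action="/book" method="post">
    <input type="text" name="full_name">
    <input type="email" name="email">
    <input type="tel" name="phone">
    <input type="date" name="date_of_birth">
    <input type="text" name="zip">
    <input type="submit" value="Book consultation">
  </form>
</body></html>
"""

FIRST_PARTY_HOST = "clinic.example"  # assumed first-party domain
TREATMENT_PATH_HINTS = ("/treatments/", "/services/", "/procedures/")  # assumed URL layout
IDENTITY_FIELDS = {"full_name", "name", "email", "phone", "date_of_birth", "dob",
                   "city", "state", "zip"}  # assumed form field names


def is_third_party(host):
    """True for any host that is neither the first-party domain nor a subdomain of it."""
    return host is not None and host != FIRST_PARTY_HOST and not host.endswith("." + FIRST_PARTY_HOST)


class TrackerAuditParser(HTMLParser):
    """Collects external script/img/iframe hosts and the named fields of each form."""

    def __init__(self):
        super().__init__()
        self.third_party_hosts = set()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Relative src values have no hostname and are treated as first-party.
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if is_third_party(host):
                self.third_party_hosts.add(host)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._form is not None:
            if a.get("name") and a.get("type", "text").lower() != "submit":
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_page(page_url, html):
    """Rate one page: third-party tags next to identifying form fields rank highest,
    third-party tags on a treatment-specific path rank next, tags alone rank lowest."""
    parser = TrackerAuditParser()
    parser.feed(html)
    path = urlparse(page_url).path
    treatment_specific = any(hint in path for hint in TREATMENT_PATH_HINTS)
    identity = sorted({f for form in parser.forms for f in form["fields"]
                       if f.lower() in IDENTITY_FIELDS})
    trackers = sorted(parser.third_party_hosts)
    if trackers and identity:
        risk = "high"
    elif trackers and treatment_specific:
        risk = "medium"
    elif trackers:
        risk = "low"
    else:
        risk = "none"
    return {
        "page": page_url,
        "treatment_specific_path": treatment_specific,
        "third_party_hosts": trackers,
        "identity_fields": identity,
        "risk": risk,
    }


if __name__ == "__main__":
    report = audit_page("https://clinic.example/treatments/lasik", SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A static scan of the HTML only catches tags that are present in the markup; tags injected later by a tag manager, and what each tag actually transmits (page URL, form field values, button clicks), are only visible by inspecting the outbound requests in a browser or proxy. The script is therefore an inventory step, not a substitute for reviewing each vendor’s configuration and the consents and disclosures that govern it.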