Opinion
22 C 5380
07-24-2023
MARGUERITE KUROWSKI and BRENDA MCCLENDON, on behalf of herself and others similarly situated, Plaintiffs, v. RUSH SYSTEM FOR HEALTH d/b/a RUSH UNIVERSITY SYSTEM FOR HEALTH, Defendant.
MEMORANDUM OPINION AND ORDER
MATTHEW F. KENNELLY, District Judge
Marguerite Kurowski and Brenda McClendon (collectively Kurowski) have filed suit on behalf of a putative class of similarly situated persons against Rush University System for Health (Rush). Kurowski alleges that Rush surreptitiously deployed third-party source code on its website and its MyChart patient portal that caused her individually identifiable health data and communications with Rush to be transmitted to Facebook, Google, and Bidtellect for advertising purposes. The Court has jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d).
Rush moved to dismiss an earlier version of Kurowski's complaint for failure to state a claim. The Court granted the motion to dismiss, except with respect to Kurowski's request for injunctive relief under the Illinois Uniform Deceptive Trade Practices Act (DTPA), 815 ILCS §§ 510/2(a). See Kurowski v. Rush Sys. for Health, No. 22 C 5380, 2023 WL 2349606 (N.D. Ill. March 3, 2023).
In her amended complaint, Kurowski asserts the same five claims she asserted in her initial complaint, plus six additional claims: (1) violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2511(1)(a), (c)-(d); (2) breach of an implied duty of confidentiality; (3) violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), 815 ILCS 505/2; (4) violations of the Illinois Uniform Deceptive Trade Practices Act (DTPA), 815 ILCS §§ 510/2(a); (5) intrusion upon seclusion; (6) publication of private facts; (7) trespass to chattels; (8) breach of contract; (9) breach of the duty of good faith and fair dealing; (10) unjust enrichment; and (11) violations of the Illinois Eavesdropping Act 720 ILCS § 5/14-2(a)(3), (4), (5).
For the reasons discussed below, the Court denies Rush's motion to dismiss Kurowski's claims for breach of contract (count eight) and under the Illinois Eavesdropping Act (count eleven) but otherwise grants Rush's motion.
Background
The Court assumes familiarity with this case's factual background, which this Court discussed in its above-referenced, prior written opinion. In short, Kurowski alleges that as a patient of Rush, she has and continues to use Rush's web properties to obtain information related to her care and-at least with respect to MyChart- exchange communications about appointments, billing, test results, prescription refills, and other treatment with her provider. Rush's MyChart patient portal is available only to Rush patients and is password-protected.
Kurowski alleges that her reasonable expectation of privacy was violated by Rush's allegedly secret deployment of "custom analytics scripts"-for example, Google Analytics-within its web pages and within MyChart. First Am. Compl. ¶ 31. This source code, Kurowski alleges, allows for the "contemporaneous unauthorized interception and transmission of personally identifiable patient data, and redirection and disclosure of the precise content of patient communications with Rush" whenever a Rush patient uses a Rush web property, including MyChart. Id. ¶¶ 5, 32. The data Kurowski alleges was transmitted to Facebook, Google, and Bidtellect includes patient IP addresses,patient cookie identifiers,device identifiers, account numbers, URLs, other "unique identifying numbers, characteristics, or codes," and browser-fingerprints- all of which can be used to direct targeted advertising to patients. Id. ¶ 35. She also alleges that patient communications within the MyChart portal are shared with at least Google. Kurowski alleges that Rush deployed this source code without her knowledge, consent, or authorization, and that it derived a benefit from doing so.
An IP address is a number that identifies a computer connected to the Internet.
A cookie is a small text file that a web server can place on a person's web browser whenever the browser interacts with the website server. Cookies are often used and sold by data companies to identify and track Internet users to sell advertising that is customized in light of a person's communications and habits.
Discussion
In deciding a motion to dismiss for failure to state a claim, the court must accept as true all well-pleaded factual allegations in the complaint and draw all reasonable inferences in the plaintiff's favor. See NewSpin Sports, LLC v. Arrow Elecs., Inc., 910 F.3d 293, 299 (7th Cir. 2019). To survive a motion to dismiss, a plaintiff must allege "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Bissessur v. Ind. Univ. Bd. of Trs., 581 F.3d 599, 602 (7th Cir. 2009) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). The plaintiff must provide "some specific facts to support the legal claims asserted" and cannot rely on conclusory allegations to make his claim. McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011).
A. Wiretap Act claims
In count one, Kurowski alleges violations of the ECPA. The ECPA (also known as the Wiretap Act) provides that "any person who-(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral or electronic communication" may be subject to (among other things) a civil penalty. 18 U.S.C. § 2511(1)(a), (5)(a)(ii). The same is true for any person who intentionally discloses or uses, or endeavors to disclose or use, the contents of an intercepted communication. 18 U.S.C. § 2511(1)(c), (d). Section 2511(2)(d) of the statute provides an exception when the person intercepting a communication "is a party to the communication or where one of the parties to the communication has given prior consent to such interception." This so-called "party exception" does not apply, however, if the "communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State." 18 U.S.C. § 2511(2)(d).
The parties do not appear to dispute that Rush may invoke the party exception to the Wiretap Act, as it was the intended recipient of the allegedly intercepted communications here. They do, however, dispute the applicability of the criminal or tortious purpose "exception to the exception" found in section 2511(2)(d).
The Court previously dismissed Kurowski's Wiretap Act claim because it found that the criminal or tortious purpose exception did not apply. Previously, Kurowski cited only to 42 U.S.C. § 1320(d)(6) as the crime or tort she contends that Rush intended to commit when engaging in the alleging wiretapping, such that it could not avail itself of the party exception. Section 1320(d)(6) provides criminal and civil penalties against a healthcare provider who "knowingly . . . discloses individually identifiable health information to another person." 42 U.S.C § 1320d(6). Section 1320(d)(6) HIPAA defines individually identifiable health information (IIHI) as:
any information, including demographic information collected from an individual, that- (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and- (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.Id. (emphasis added).
As she did during the first round of motion to dismiss briefing, Kurowski continues to contend that a 2022 guidance issued by the Department of Health and Human Services (HHS) suggests that the type of online tracking technologies deployed by Rush violate HIPAA. Specifically, Kurowski contends that-based on the HHS guidance- HIPAA prohibits disclosing patients' health information via tracking technologies on both user-authenticated webpages (such as the MyChart portal) and unauthenticated webpages. She further contends that the guidance includes IP addresses, device IDs, and unique identifying codes collected on a regulated entity's website in the definition of IIHI. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (HHS guidance).
The Court previously held that section 1320(d)(6) could not serve as a basis for the exception because Kurowski had not alleged sufficient facts "to support an inference that Rush disclosed its patients' individually identifiable health information, at least as that term is defined by the statute." Mem. Op. and Order at 9. It further held that the HHS guidance that Kurowski relied upon to expand the definition of IIHI to cover Rush's alleged conduct applied only prospectively. Id. (citing Chrysler Corp. v. Brown, 441 U.S. 281, 302 n. 31 (1979)). The Court is not convinced that there is any basis to revisit its prior ruling on this point.
First, Kurowski contends that she has cured any defect by alleging additional facts that allow an inference to be drawn that the actual content of a patients' communications that occur within the MyChart portal were being transmitted to at least Google. Of course, private, care-related communications fall squarely within the meaning of IIHI as contemplated by the statute. But the Court agrees with Rush that Kurowski still fails to allege "any particular health or treatment information disclosure specific as to them that Rush allegedly made to any third-party, whether within the portal or not." Mot. to Dismiss at 5.
Doe v. Regents of University of California, 2023 WL 3316766 (N.D. Cal. May 8, 2023) is instructive regarding the inadequacy of Kurowski's allegations. The plaintiff in that case alleged similar violations of the California analog to HIPAA, the Confidentiality of Medical Information Act. The plaintiff in Regents alleged that she "entered data relating to her heart issues and high blood pressure in MyChart and later received advertisements on Facebook, including at least one advertisement relating to high blood pressure medication." Regents of Univ. of California, 2023 WL 3316766 at *2.
By contrast, Kurowski's allegations are far too vague to allow an inference to be drawn that Rush was actually disclosing IIHI as it is unambiguously defined by HIPAA, rather than just metadata. Kurowski contends that it would be unreasonable to expect her to disclose that type of intimate information in her complaint. But that contention lacks merit. Kurowski could have requested to file the complaint under seal. Moreover, Kurowski cannot reasonably expect to bring a lawsuit related to the invasion of her medical privacy and completely evade revealing what it is that she alleges Rush disclosed to third parties.
Regarding the HHS guidance, Kurowski contends that it carries the force of law (i.e., applies retroactively) because "[a]n agency's interpretation of a statute 'is no more retroactive in its operation than is a judicial determination construing and applying a statute to a case in hand.'" Resp. at 10 (quoting Manhattan Gen'l Equip. Co. v. Comm'r, 297 U.S. 129, 135 (1936)). Even assuming that Kurowski is correct that the HHS guidance is merely interpreting HIPAA and thus applies retroactively-a question the Court need not answer definitively to resolve this issue-HHS's interpretation of the statute is not entitled to deference under Chevron, U.S.A., Inc. v. National Resources Defense Council, Inc., 467 U.S. 837 (1984). Agency interpretations-such as the HHS guidance-that are arrived at in a less formal manner (i.e., not in the course of rulemaking and adjudication) do not warrant Chevron-style deference. See United States v. Mead Corp., 533 U.S. 218, 230 (2001); see also, Christensen v. Harris Cnty., 529 U.S. 576, 587 (2000) ("Interpretations such as those in opinion letters-like interpretations contained in policy statements, agency manuals, and enforcement guidelines, all of which lack the force of law-do not warrant Chevron-style deference.") (emphasis added). The cases cited by Kurowski that even remotely touch on this point are not only outdated but relate to an agency's interpretation of its own regulations. See Kisor v. Wilkie, 204 L.Ed.2d 841, 139 S.Ct. 2400, 2425 (2019) ("[I]ssues surrounding judicial deference to agency interpretations of their own regulations are distinct from those raised in connection with judicial deference to agency interpretations of statutes enacted by Congress.").
Moreover, "an agency's interpretation of a statute is not entitled to deference when it goes beyond the meaning that the statute can bear." California v. U.S. Dep't of Health & Hum. Servs., 941 F.3d 410, 425 (9th Cir. 2019). The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, "relate[] to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual." 42 U.S.C § 1320d(6) (emphasis added). The type of metadata that Kurowski alleges was transmitted via third-party source code does not in the least bit fit into that category. And while the actual substance of Kurowski's private communications related to her care-like the above-noted MyChart/blood pressure example from Regents- would likely fall under section 1320d(6)'s definition of IHII, Kurowski has failed to plausibly allege that anything of that nature was actually disclosed.
Thus, Kurowski has not alleged facts that suggest that Rush had the criminal or tortious purpose of "knowingly . . . disclos[ing] individually identifiable health information to another person." 42 U.S.C. § 1320(d)(6). Rush may therefore invoke the party exception to the Wiretap Act.
Kurowski raises a number of other possible criminal or tortious purposes for which she alleges Rush disclosed patient communication, but the Court agrees with Rush that "[w]hether or not Rush's conduct might have violated some other law does not determine the analysis." Reply at 2. Moreover, it is well established that exception only applies where the defendant allegedly committed a tortious or criminal act independent from the act of recording itself. Caro v. Weintraub, 618 F.3d 94, 99 (2d Cir. 2010). The other criminal or tortious purposes Kurowski are either duplicative of the allegedly unlawful wiretapping itself or relate to claims that the Court has determined have failed.
For these reasons, Rush cannot be held liable for interception of the alleged communications, and the Wiretap Act's criminal or tortious conduct exception to the statute's party exception does not apply. The Court dismisses count one.
B. Breach of the implied duty of confidentiality claim
In count two of her complaint, Kurowski asserts a common law claim for the breach of an implied duty of confidentiality. As with her initial complaint, Kurowski bases this claim on the theory that every patient-health care provider relationship implies a contract and that a provider's disclosure of a patient's private health information constitutes a breach of that contract. Rush challenges the sufficiency of Kurowski's allegations regarding what "particular health or treatment information" was disclosed to third parties in violation of the duty of confidentiality. Mot. to Dismiss at 5. But this claim fails for a more basic reason that Rush again raises-and which the Court did not substantively address in its previous order but now does-namely, that Illinois law does not recognize a cause of action in tort for this conduct.
In Dinerstein v. Google, LLC, 484 F.Supp.3d 561(N.D. Ill. 2020), Chief Judge Rebecca Pallmeyer held that Illinois courts have not recognized a cause of action for breach of confidentiality for the unauthorized disclosure of a patient's medical information and further declined the plaintiff's invitation to recognize one. Judge Pallmeyer explained that the Seventh Circuit "consistently ha[s] held that it is not [district courts'] role to break new ground in state law." Id. at 594-95 (citing Sabrina Roppo v. Travelers Com. Ins. Co., 869 F.3d 568, 596 (7th Cir. 2017) (internal quotation marks omitted). Judge Pallmeyer further found that the plaintiff's evidence "provide[d] little . . . for what the Illinois Supreme Court would do today. As such, it is unlikely that Illinois would recognize the breach of confidentiality tort." Id. at 595.
On appeal, the Seventh Circuit stated that it would not disturb Judge Pallmeyer's findings on this point. It said:
we see no reason to disturb the judge's decision not to recognize a novel claim for breach of medical confidentiality. Illinois courts have not yet weighed in on the issue, and 'it is not our role to break new ground in state law.' Roppo v. Travelers Com. Ins. Co., 869 F.3d 568, 596 (7th Cir. 2017) (quoting Lopardo v. Fleming Cos., 97 F.3d 921, 930 (7th Cir. 1996)). This is especially true with '[i]nnovative state law claims,' which 'should be brought in state court.' Insolia v. Philip Morris Inc., 216 F.3d 596, 607 (7th Cir. 2000).Dinerstein v. Google, LLC, No. 20-3134, 2023 WL 4446475, *8 n. 4 (7th Cir. July 11, 2023). Though Kurowski is correct that the Seventh Circuit's affirmation of Judge Pallmeyer's dismissal was predominantly based on lack of standing-and specifically lack of standing for the disclosure of anonymized data-the Court adopts the same logic that both the Seventh Circuit and Judge Pallmeyer applied to this novel issue of state law. As far as the Court is aware, a common law cause of action for breach of confidentiality remains unavailable in Illinois, and Kurowski has not offered any justification for the Court to "break new ground" here by recognizing one.
The Court therefore dismisses count two.
C. ICFA claim
In count three of her complaint, Kurowski alleges that Rush engaged in "unfair and deceptive acts and practices" in violation of the ICFA. First Am. Compl. ¶ 345. "In order to state a claim under the ICFA, a plaintiff must show: (1) a deceptive or unfair act or promise by the defendant; (2) the defendant's intent that the plaintiff rely on the deceptive or unfair practice; and (3) that the unfair or deceptive practice occurred during a course of conduct involving trade or commerce." Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 739 (7th Cir. 2014) (internal quotation marks omitted). Moreover, an individual suing under the ICFA must "plead that the deceptive or unfair act caused her to suffer actual damages, meaning pecuniary loss." Benson v. Fannie May Confections Brands, Inc., 944 F.3d 639, 647 (7th Cir. 2019).
In the Court's order on Rush's first motion to dismiss, it determined that Kurowski failed to allege actual, pecuniary loss as required by the ICFA. In her amended complaint, Kurowski alleges three, arguably related theories of damages. First, Kurowski again invokes the same "benefit of the bargain" theory of damages she invoked in her initial complaint, namely, that she and other patients suffered monetary loss by "overpaying for Rush's health care services." First Am. Compl. ¶ 367. Second, Kurowski alleges that "Rush overcharged patients by granting itself a license to use and disclose valuable patient health data beyond the license and limitations specifically stated in the Notice of Privacy Practices." Id. ¶ 259. Finally, Kurowski alleges "loss of value of [her] personally identifiable patient data and communications." Id. ¶ 367. None of these theories are sufficient to state a claim for pecuniary damages under the ICFA.
First, nothing about Kurowski's amended complaint cures the defect with her "benefit of the bargain" theory of damages. Because the Court previously rejected Kurowski's claim that she somehow overpaid to use Rush's free web properties, Kurowski now contends that "the web property is not a standalone service but part of Rush's portfolio of healthcare services provided to patients, for which patients pay money." Resp. at 12. She further alleges that Rush provided a less valuable service than it promised when it breached her privacy. But the Seventh Circuit has repeatedly rejected the benefit of the bargain theory of damages for non-products liability claims such as this one. Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 912-13 (7th Cir. 2017); Remijas v. Nieman Marcus Grp., LLC, 794 F.3d 688, 694-95 (7th Cir. 2015); Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016). In Lewert, the Seventh Circuit explained:
As we noted in Remijas, such arguments have been adopted by courts only where the product itself was defective or dangerous and consumers claim they would not have bought it (or paid a premium for it) had they known of the defect. Remijas, 794 F.3d at 695; see, e.g., In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748, 751 (7th Cir.2011) (acknowledging financial injury when plaintiffs 'paid more for the toys than they would have, had they known of the risks the beads posed to children'). The plaintiffs here make no such allegations, and we are not inclined to push this theory beyond its current scope.Lewert, 819 F.3d at 969 (emphasis added). The Court adopts the same logic here and declines to expand the benefit of the bargain theory to the conduct Kurowski alleges.
The other theories of pecuniary loss that Kurowski alleges fare no better. She alleges that Rush deprived her of her right to exclusively determine how her personal information is used and disseminated. The Court does not see-and Kurowski fails to explain-how this differs in any meaningful way from the exact kind of abstract, nonmonetary injuries to her privacy that the Court has already ruled cannot provide a basis for actual damages under the ICFA. Mem. Op. and Order at 16; see also, Khorloo v. John C. Heath Attorney at Law, No. 18 C 1778, 2020 WL 1530735, at *2 (N.D. Ill. Mar. 31, 2020) ("[T]he Court could not locate any Illinois case law suggesting that privacy violations . . . provide a basis for actual damages under the ICFA. It seems unlikely that the statute allows plaintiffs to recover damages for privacy violations because the ICFA is concerned with fraudulent or unfair advertising, not with individual privacy rights.").
Finally, regarding her allegation that Rush exceeded its "data license price," the Court agrees with Rush that Kurowski fails to "connect these dots to any actual, pecuniary loss allegedly suffered by [her]." Reply at 7. No such "price" is found anywhere in the Notice of Privacy Practices, as Kurowski contends. Nor has Kurowski alleged sufficient facts that would allow an inference to be drawn that she sought to monetize her own data, or that her ability to do so was diminished by Rush's practices. Mount v. PulsePoint, Inc., 2016 WL 5080131, at *6 (S.D.N.Y. Aug. 17, 2006), aff'd 684 Fed.Appx. 32, 36 (2d Cir. 2017) ("While we recognize that browsing information may have possess value in the abstract, absent allegations suggesting that plaintiffs' ability to monetize their browsing information was diminished, this harm remains too conjectural."); see also, In re Google, Inc. Cookie Placement, 806 F.3d 125, 149 (3d Cir. 2015) (same where plaintiffs "allege no facts suggesting that they ever participated or intended to participate in the market they identify, or that the defendants prevented them from capturing the full value of their internet usage information for themselves").
In sum, because Kurowski does not plausibly allege a monetary loss, she cannot state a claim under the ICFA. For these reasons, the Court dismisses count three.
It is therefore unnecessary for the Court to address the parties' arguments regarding the sufficiency of Kurowski's allegations of personal deception.
D. DTPA claims
In count four of Kurowski's complaint, she alleges that Rush engaged in deceptive trade practices that violate the DTPA. More specifically, Kurowski alleges that Rush represented that "good or services have characteristics that they do not have"-or were "of a particular standard, quality, or grade," when in fact they were "of another." First Am. Compl. ¶ 340. She further alleges that Rush's practice of disclosing patients' data without their knowledge or consent also violates the DTPA.
The Court previously held that the only remedy available to Kurowski under the DTPA is injunctive relief, but it denied Rush's first motion to dismiss count four because "Kurowski remain[ed] a patient of Rush and thus [had to] engage with Rush web properties to continue receiving medical care." Mem. Op. and Order at 18. Despite the Court's previous order, Kurowski still seeks both monetary and injunctive relief for her alleged injuries under the statute. The Court stands on its prior decision regarding the unavailability of monetary relief for Kurowski under the DTPA.Regarding injunctive relief, Rush contends that because Kurowski acknowledges that "Google transmissions from within MyChart seem to have ceased, and Facebook transmissions have ceased altogether from both MyChart and www.rush.edu," First Am. Compl. ¶ 4 n.1., there is no threat of future harm to Kurowski that is sufficient to support her claim for injunctive relief under the DTPA. The Court agrees with Rush.
"The IDTPA does not support a claim of actual or punitive damages, however, as the 'only remedy under the [IDTPA] is injunctive relief.'" Kljajich v. Whirlpool Corp., No., No. 15 C -5980, 2015 WL 12838163, at *5 (N.D. Ill. Sept. 25, 2015) (quoting Vara v. Polatsek, No. 1-11-2504, 2012 WL 6962887, at *13 (Ill.App.Ct. Oct. 5, 2012)).
Kurowski contends that Rush's voluntary "discontinuation of unlawful conduct does not make the dispute moot." BMG Music v. Gonzalez, 430 F.3d 888, 893 (7th Cir. 2005).The Seventh Circuit has held that "[i]n a situation such as this one, in which the challenged conduct has been discontinued . . . the district court will have to determine whether injunctive relief is still appropriate." Milwaukee Police Ass'n v. Jones, 192 F.3d 742, 748 (7th Cir. 1999); United Air Lines, Inc. v. Air Line Pilots Ass'n, Int'l, 563 F.3d 257, 275 (7th Cir. 2009) ("We agree that a voluntary cessation of wrongful conduct is a factor for the court to consider in deciding whether an injunction is necessary.") (emphasis added). The Court concludes that injunctive relief is no longer necessary or appropriate in this case.
Rush contends that it is not raising a mootness argument but rather an argument that Kurowski has failed to state a claim under Rule 12(b)(6). But Rush itself posited that "'[t]he likelihood of future harm occurring absent an injunction is an element of liability on the claim, not merely a separate element of damages.'" Mot. to Dismiss at 15 (quoting ATC Health. Servs., Inc. v. RCM Techs., Inc., 282 F.Supp.3d 1043, 1050 (N.D. Ill. 2017)). Rush therefore cannot escape its voluntary cessation problem by trying to frame its motion to dismiss count four as being wholly unrelated to standing.
The Court acknowledges that Kurowski's amended complaint alleges that there may still be ongoing disclosures to Bidtellect. See First Am. Compl. ¶ 4 n.1 ("To be clear, as of the date of this filing, data transmissions alleged as to Bidtellect . . . still appear to be ongoing."). But as Rush points out, those disclosures to Bidtellect-even they are even still occurring-do not involve any protected IIHI, as the Court has sufficiently addressed above.The Court is persuaded that "the [injurious] effects of [Rush's use of third-party cookies] have been eradicated or never existed." EEOC v. Flambeau, Inc., 846 F.3d 941, 949 (7th Cir. 2017). Nor is there any "reasonable expectation now that [Rush] will reinstitute its [transmissions to Facebook or Google]." Id.; see also, EEOC v. North Gibson School Corp., 266 F.3d 607, 621 (7th Cir. 2001) (affirming mootness determination where "EEOC has not identified a currently discriminatory plan nor . . . has a reasonable expectation that a discriminatory plan will be adopted"). The Court takes from Kurowski's allegations describing what happens on the backend of Rush's web properties that the programming involved with undoing or eliminating third-party tracking technologies from them is likely extensive and timeconsuming, and thus not "reasonably [] expected to recur," or be easily undone. Friends of the Earth, Inc. v. Laidlaw Env't Servs. (TOC), Inc., 528 U.S. 167, 190 (2000).
Moreover, as Rush points out, "[Kurowski] do[es] not allege [] that Bidtellect has any users or members .... [thus,] [her] allegations of claimed injury based on the alleged disclosure of [her] personally identifiable patient data do[es] not apply in th[at] situation, much less [is] [Kurowski] injured as the result of any claimed deception." Mot. to Dismiss at 19.
Thus, Kurowski has not plausibly alleged that she and other similarly situated Rush patients face future harm via their continued use of Rush web properties, which dooms her claim for injunctive relief under the DTPA.
E. Intrusion upon seclusion claim
In count five of the complaint, Kurowski alleges that Rush invaded her and other patients' privacy by intrusion upon seclusion. The arguments that the parties raise regarding this claim largely track those made on Rush's first motion to dismiss Kurowski's initial complaint. Kurowski again alleges that Rush intruded by deploying third-party source code that caused her personally identifiable patient data to be disclosed to third parties. And Rush again contends that Kurowski does not state a claim for intrusion upon seclusion because she fails to satisfy the first element of the claim: an unauthorized intrusion. Kurowski contends that she has now cured any deficiencies with her initial complaint because she alleges that Rush surreptitiously "bugs" its own web properties by placing third-party cookies on them that are disguised as belonging to Rush. The Court continues to agree with Rush on this point.
The parties appear to agree that "'the core of this tort is the offensive prying into the private domain of another' and that '[t]he basis of the tort is not publication of publicity.'" Dinerstein v. Google, LLC, 484 F.Supp.3d 561, 594 (N.D. Ill. 2020) (quoting Lovgren v. Citizens First Nat. Bank of Princeton, 126 Ill.2d 411, 417, 534 N.E.2d 987, 989 (1989)). Thus, "disclosures of private personal information 'do not support a claim for unauthorized intrusion.'" Id. (citing In re Trans Union Corp. Privacy Litig., 326 F.Supp.2d 893, 902 (N.D. Ill. 2004)) (emphasis added).
Despite Kurowski's attempts to reframe her amended complaint as sufficiently alleging intrusion on Rush's part, Kurowski did not cure the defect with her initial complaint. The harm caused by Rush, if any, continues to be its alleged disclosure of the Kurowski's private health information. Even drawing all inferences in Kurowski's favor, the only plausible conclusion the Court can arrive at is that the allegedly harmful intrusion here, if any, was accomplished by third parties. According to Kurowski's allegations, third-party cookies are the mechanism by which the intrusion is carried out. And, much like Kurowski's Wiretap Act claim, Rush cannot plausibly be considered to have intruded on, intercepted, or "bugged" private communications that it was always the intended recipient of. Any harm here continues to flow from the alleged disclosure of Kurowski's private health information, not from Rush's deployment of someone else's source code. See Thomas v. Pearl, 998 F.2d 447, 452 (7th Cir. 1993) ("a plaintiff fails to state a claim for invaded seclusion if the harm flows from publication rather than intrusion").
Because Kurowski has still failed to allege sufficient facts to support a claim for intrusion upon seclusion upon which relief can be granted, the Court dismisses count 5.
F. Publication of private facts claim
In count six, Kurowski asserts a claim for invasion of privacy by publication of private facts. In Illinois, to state a claim for public disclosure of private facts, a plaintiff must allege that: "(1) publicity was given to the disclosure of private facts; (2) the facts were private and not public facts; and (3) the matter made public would be highly offensive to a reasonable person." Johnson v. K Mart Corp., 311 Ill.App.3d 573, 579, 723 N.E.2d 1192, 1197 (2000). Rush contends, and the Court agrees, that Kurowski has not alleged that publicity was given to the disclosure of private facts.
For liability to attach to the publication of private facts, "the Restatement indicates that the required communication must be more than that made to a small group; rather, the communication must be made to the public at large." Miller v. Motorola, Inc., 202 Ill.App.3d 976, 980, 560 N.E.2d 900, 903 (1990). In Illinois, "the public disclosure requirement may [also] be satisfied by proof that the plaintiff has a special relationship with the 'public' to whom the information is disclosed." Miller, 202 Ill.App.3d at 981, 560 N.E.2d at 903. Kurowski has not alleged that Rush disclosed her private health information to the public at large or to anyone with whom she has a special relationship.
The only disclosures allegedly made were to Facebook, Google, and/or Bidtellect, which are private companies with whom Kurowski does not share a special relationship.
Kurowski contends that this is an issue of first impression and the only court to decide it found in favor of the plaintiff. See In re Facebook, Cons. Priv. User Profile Lit., 402 F.Supp.3d 767, 796 (N.D. Cal. 2019). But unlike in In re Facebook, there is no allegation here that Facebook, Google, or Bidtellect took the private facts that Rush allegedly disclosed to them, turned around, and "communicat[ed] the matter to the public at large or to so many persons that the matter must be regarded as one of general knowledge." Roehrborn v. Lambert, 277 Ill.App.3d 181, 184, 660 N.E.2d 180, 184 (1995) (quoting Restatement (Second) of Torts, § 652D, comment a, at 384. (1977)). Thus, Kurowski has failed to allege publicity, a required element of her publication of private facts claim, and count six must be dismissed.
G. Trespass to chattels claim
In count seven, Kurowski asserts a claim for trespass to chattels. "Trespass to personal property involves an injury to or interferences with possession of chattel, with or without physical force." Zissu v. IH2 Prop. Ill., L.P., 157 F.Supp.3d 797, 803 (N.D. Ill. 2016). "A trespass to a chattel may be committed by intentionally (a) dispossessing another of the chattel, or (b) using or intermeddling with a chattel in the possession of another.'" Id. Kurowski alleges that Rush "intermeddled, interfered with, and dispossessed [Kurowski] of [her] computing devices without [her] consent by placing the fbp, ga, and gid cookies on [her] computing devices, which caused [her] to suffer damages." First Am. Compl. ¶ 410.
Rush contends that that Kurowski's trespass claim fails because she has not sufficiently alleged "any physical disruption in the actual performance of [her] physical computer," and that, "[t]o the contrary, the whole point of [her] claim is that Rush's source code is an alleged 'modern day web bug' that allegedly operates in complete and utter secrecy." Mot. to Dismiss at 12 (quoting First. Am. Compl. ¶ 421).The Court agrees with Rush.
Rush also contends that count seven fails because "'there is no recognized cause of action in Illinois for a trespass to chattel claim based on trespass to an intangible such as digital information contained on a USB drive.'" Mot. to Dismiss at 12 (quoting Ogbolumani v. Young, 2015 WL 1284064, 2015 IL App (1st) 141930-U, ¶ 33). The Court declines to address this contention because it misstates Kurowski's allegations on this claim, which relate not to interference with her personal health information but with her physical devices.
Kurowski relies primarily on Sotelo v. DirectRevenue, LLC, 384 F.Supp.2d 1219, 1229 (N.D. Ill. 2005). But, as Rush points out, the plaintiff in Sotelo alleged that the Spyware that was placed on his/her computer effectively destroyed it and made it unusable. Here, Kurowski says the opposite, namely, that Rush's placement of cookies was so invisible and surreptitious that she was completely unaware of it. Thus, Kurowski has not plausibly alleged any injury to or interference with her devices that could conceivably diminish their value. The Court dismisses count seven.
H. Breach of contract claim
In count eight of Kurowski's amended complaint, she asserts a claim for breach of contract. Kurowski alleges that Rush breached twenty-one promises it made in the MyChart portal's Terms and Conditions by redirecting confidential patient health information, identifiers, and communications to Facebook and Google. Rush's challenge to count eight largely tracks its challenge to other counts, namely, that Kurowski "do[es] not make any specific allegation of any particular piece of 'confidential health information' that is allegedly disclosed within the portal. To the contrary, also as before, [her] claim is based on the alleged transfer of internet metadata that is not confidential health information on its face." Mot. to Dismiss at 13. Rush also contends that the T&Cs limitation of liability and hold harmless provisions bar Kurowski's breach of contract claim.
Ten of the promises come directly from the MyChart T&Cs, and the remainder come from Rush's Notice of Privacy Practices and Rush's Website Privacy Statement, which are incorporated by reference in the T&Cs.
To prevail on a breach of contract claim under Illinois law, a party must prove that a contract existed, it performed all conditions required under the contract, the other party breached the contract, and the party asserting the claim suffered damages as a result of the breach. Shubert v. Fed. Express Corp., 306 Ill.App.3d 1056, 1059, 715 N.E.2d 659, 661 (1999). The parties do not appear to dispute that a valid contract existed between them in the form of the MyChart portal T&Cs, or that the agreement is governed by Illinois law.
First, the Court agrees with Kurowski that she has sufficiently alleged a claim for breach of contract irrespective of whether the disclosures she alleges Rush made to the third parties contained confidential health information as contemplated by the laws that protect the disclosure of such information. In both the T&Cs and the various privacy policies and statements incorporated within them, Rush makes a series of promises not to share or sell patients' personally identifiable information or their confidential health information without their consent. Kurowski alleges that Rush has routinely made such disclosures through its deployment of third-party source code on its web properties. Thus, Kurowski has stated a claim for breach of contract whether or not those disclosures violate other privacy laws.
Next, the relevant language from the limitation of liability provision in the T&Cs that Rush contends precludes Kurowski's breach of contract claim provides:
In no circumstances will Rush, Rush Copley and their affiliates be liable to you or any other person for direct, indirect, special, incidental or consequential damages of any type, even if informed of the possibility of such damages.
Mot. to Dismiss at 14. And the relevant language from the hold harmless provision provides:
By downloading or viewing the information on MyChart, you agree to hold Rush, Rush Copley and their affiliates harmless and indemnify it any damages or claims asserted against Rush, Rush Copley and their affiliates arising out of, or in any way connected with, your utilization of MyChart or the information, material or content contained therein.Id. "Absent fraud or willful and wanton negligence, a contract's exculpatory clause will be valid and enforceable unless (1) the bargaining position of the parties reflects a substantial disparity, (2) enforcement violates public policy, or (3) the social relationship between the parties militates against upholding the clause." Hawkins v. Cap. Fitness, Inc., 2015 IL App (1st) 133716, ¶ 17, 29 N.E.3d 442, 446-47. The Court agrees with Kurowski that all three of these exceptions are present here.
As healthcare provider and patient, the bargaining position between Rush and Kurowski is unquestionably disparate. Moreover, that special provider-patient relationship between them militates against enforcing the MyChart T&Cs' exculpatory clauses because, as Kurowski points out, "that relationship carries duties that go beyond a traditional arms-length contract negotiation between businesses - or even between business and consumers." Resp. at 16. Finally, the Court is also persuaded that it would violate public policy to allow healthcare providers to "shirk important security and privacy promises of medical records via contracts of adhesion that providers force on patients merely seeking access to their own medical records." Id. Thus, the Court declines-for the purposes of Rush's motion to dismiss-to enforce the exculpatory clauses found in the MyChart portal T&Cs.
The Court thus denies Rush's motion to dismiss count eight.
I. Breach of the duty of good faith and fair dealing claim
In count nine, Kurowski asserts a claim for breach of the duty of good faith and fair dealing. But this duty does not give rise to an independent cause of action under Illinois law and is instead used to guide contract interpretation. Beraha v. Baxter Health Care Corp., 956 F.2d 1436, 1443 (7th Cir. 1992). The parties therefore agree that count nine should be dismissed as a standalone claim.
J. Unjust enrichment claim
In count ten of her complaint, Kurowski asserts a common law claim of unjust enrichment. Though Kurowski purports to plead the claim in the alternative to counts eight and nine, the Court agrees with Rush that she failed to properly do so.
A plaintiff in federal court is allowed at the pleading stage to assert claims in the alternative. Fed.R.Civ.P. 8(d)(2), (3). "But a party may not incorporate by reference allegations of the existence of a contract between the parties in the unjust enrichment count." Gociman v. Loyola Univ. of Chicago, 41 F.4th 873, 887 (7th Cir. 2022). That is precisely what Kurowski did here. See First Am. Compl. ¶ 458 (Kurowski "reallege[s] and incorporate[s] by reference each allegation in the preceding and succeeding paragraphs" into the count ten). The Seventh Circuit considered this exact scenario in Gociman and concluded that the plaintiffs had pled themselves out of court by incorporating by reference allegations of a breach of an express contract.
Kurowski disagrees and cites to Hernandez v. Illinois Institute of Technology, 63 F.4th 661 (7th Cir. 2023), wherein the 7th Circuit excused a similar pleading error. But the Seventh Circuit in Hernandez agreed that "plaintiffs may not 'incorporate by reference allegations of the existence of a [valid] contract between the parties in the unjust enrichment count,' because this would seek relief that Illinois does not offer." Id. at 671 (quoting Gociman, 41 F.4th at 887). The court in Hernandez excused the pleading error only because the plaintiffs in that case had further alleged "to the extent it is determined a contract does not exist or otherwise apply." Hernandez, 63 F.4th at 672. Kurowski contends that this phrase should be considered implied by her complaint. But this key phrase was not implied in Hernandez, and in fact, its express inclusion in the complaint is what led the Seventh Circuit to distinguish it from Gociman:
There is a critical difference, however, between the Gociman complaint and Hernandez's complaint: Hernandez expressly states that the unjust enrichment claim 'is pled in the alternative to, and to the extent it is determined a contract does not exist or otherwise apply, the contract based claim set forth in the First Cause of Action above.'Id. (quoting the complaint in that case) (emphasis added). Thus, because Kurowski "incorporated by reference allegations of the existence of a contract between the parties," Gociman, 41 F.4th at 887, count ten must be dismissed.
The Court therefore need not address the parties' arguments regarding the sufficiency of Kurowski's allegations regarding detriment.
K. Illinois Eavesdropping Act claim
Finally, in count eleven of her amended complaint, Kurowski asserts a claim under the Illinois Eavesdropping Act. The Act creates a civil cause of action against an eavesdropper and "his principal" for the interception, recording, or transcription, "in a surreptitious manner, [of] any private electronic communication" by a non-party without "the consent of all parties to the private electronic communication." 720 Ill. Stat. §§ 5/14-2(a)(3); 5/14-6 (emphasis added). Because, unlike the federal Wiretap Act, the Illinois statute does not have a criminal or tortious exception to the party exception-and because Kurowski apparently acknowledges that Rush was a party to the allegedly intercepted communications-Kurowski instead alleges that Rush acted as Facebook, Google, and Bidtellect's "principal," which under the Illinois statute, would subject Rush to liability. Rush, of course, disagrees and contends that the plain text of the Act does not apply.
Under the language of the Act, a "principal" is "any person who: (1) knowingly employs another who illegally uses an eavesdropping device in the course of such employment; or (2) knowingly derives any benefit or information from the illegal use of an eavesdropping device by another; or (3) directs another to use an eavesdropping device illegally on his or her behalf." 720 Ill. Stat. § 5/14-1(c).
The Court finds that Kurowski has not plead sufficient facts to support an inference that Rush "[k]nowingly employ[ed] another who illegally uses an eavesdropping device in the course of such employment," 720 Ill. Stat. § 5/14-1(c)(1), or "direct[ed] another to use an eavesdropping device illegally on his or her behalf." 720 Ill. Stat. § 5/14-1(c)(3) (emphasis added). Despite Kurowski's efforts to contort Rush's relationship to the third parties at issue in this case into that of employee/employer, there is no rational basis to conclude that such a relationship exists. Morris v. Ameritech Illinois, 337 Ill.App.3d 40, 47, 785 N.E.2d 62, 67 (1st Dist. 2003) ("we find that the General Assembly meant to impose liability only if the employer knows that its employee is eavesdropping."). Nor has Kurowski sufficiently alleged that Rush directed the third parties here to do anything. As previously discussed, the cookies that allegedly caused the redirection of confidential information to third parties belong to those third parties and, as alleged by Kurowski, are used by them to direct more targeted advertising to users.
The Court does find, however, that Kurowski has she alleged sufficient facts that Rush "knowingly derive[d] a[] benefit or information from the illegal use of an eavesdropping device by another." 720 Ill. Stat. § 5/14-1(c)(2) (emphasis added). This is, in some ways, the inverse of the intrusion upon seclusion claim. In other words, because the Court has previously concluded that it was the third parties and not Rush doing the intruding or eavesdropping, Rush can plausibly be considered the principal that earned a profit ("derive[d] a benefit") from the use of cookies ("eavesdropping device") on Rush's web properties by Facebook, Google, and Bidtellect's ("by another").
The Court therefore declines to dismiss count eleven.
Conclusion
For the reasons stated above, the Court grants defendant's motion to dismiss [dkt. no. 49] as to counts one, two, three, four, five, six, seven, nine, and ten of the complaint but denies the motion as to counts eight and eleven. Defendant is directed to answer the remaining claims by no later than August 14, 2023. A telephonic status hearing is set for August 23, 2023 at 8:50 a.m., using call-in number 888-684-8852, access code 746-1053. A joint status report concerning the status of discovery and any settlement discussions is to be filed on August 16, 2023.