U.S. District Court Mostly Dismisses Wash. Pixel Tracking Privacy Case
The U.S. District Court for Western Washington partially dismissed a class-action complaint Tuesday claiming that a hospital violated the Health Insurance Portability and Accountability Act (HIPAA) and other laws. Plaintiffs alleged that Overlake Hospital Medical Center implemented the Facebook Tracking Pixel and other browser plugins on its website, then disclosed website users' information to third parties, including Facebook and Google, without consent, in violation of HIPAA and the center's privacy policies.
Sign up for a free preview to unlock the rest of this article
Case 23-01159 began in August 2023 and revolves around the medical center's alleged practice of disclosing personal health information (PHI) without consent to third parties through tracking tools installed on its website.
Plaintiff Jacq Nienaber alleged that private information was disclosed, said Judge Tana Lin in the ruling. "However, that Plaintiff has alleged the disclosure of highly sensitive information does not negate the lack of allegations regarding an intrusion in this case."
The court also dismissed claims that the medical center violated the Electronic Communications Privacy Act and Washington state's consumer protection law. The plaintiff has to allege criminal use of the acquired communications separate from their recording, interception, or transmission in order for a criminal-act exception to apply, Lin said, but the plaintiff's own argument demonstrates "that the alleged tortious or criminal use of the acquired communications is the disclosure itself."
In addition to the privacy claims, the court also granted dismissal of the plaintiff's claims of negligence, unjust enrichment and breach of implied contract. The plaintiff's second amended complaint "still does not clear the bar for her negligence claim, as she does not establish injury or damages," said Lin. The court didn't dismiss the plaintiff's claim on breach of fiduciary duty.
In May 2024, the court granted the defendant's first motion to dismiss on the grounds that the plaintiff failed to make allegations as to what specific information was shared with the medical center, what was then transmitted to third parties and what made the information identifiable. An amended complaint was filed in August 2024 with "additional allegations regarding the specific information she shared with Defendant, as well as the information she contends was shared with third parties," and "allegations regarding the inherent value of her private information and the value gained by Defendant by sharing her information," the court said Tuesday.