Kurowski v. Rush Sys. for Health

• Docket Number: 22 C 5380
• Decision Date: 24 July 2023
• Parties: MARGUERITE KUROWSKI and BRENDA MCCLENDON, on behalf of herself and others similarly situated, Plaintiffs, v. RUSH SYSTEM FOR HEALTH d/b/a RUSH UNIVERSITY SYSTEM FOR HEALTH, Defendant.
• Court: U.S. District Court — Northern District of Illinois

1

MARGUERITE KUROWSKI and BRENDA MCCLENDON, on behalf of herself and others similarly situated, Plaintiffs, v. RUSH SYSTEM FOR HEALTH d/b/a RUSH UNIVERSITY SYSTEM FOR HEALTH, Defendant.

No. 22 C 5380

United States District Court, N.D. Illinois, Eastern Division

July 24, 2023

MEMORANDUM OPINION AND ORDER

MATTHEW F. KENNELLY, District Judge

Marguerite Kurowski and Brenda McClendon (collectively Kurowski) have filed suit on behalf of a putative class of similarly situated persons against Rush University System for Health (Rush). Kurowski alleges that Rush surreptitiously deployed third-party source code on its website and its MyChart patient portal that caused her individually identifiable health data and communications with Rush to be transmitted to Facebook, Google, and Bidtellect for advertising purposes. The Court has jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d).

Rush moved to dismiss an earlier version of Kurowski's complaint for failure to state a claim. The Court granted the motion to dismiss, except with respect to Kurowski's request for injunctive relief under the Illinois Uniform Deceptive Trade Practices Act (DTPA), 815 ILCS §§ 510/2(a). See Kurowski v. Rush Sys. for Health No. 22 C 5380, 2023 WL 2349606 (N.D. Ill. March 3, 2023).

In her amended complaint, Kurowski asserts the same five claims she asserted in her initial complaint, plus six additional claims: (1) violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2511(1)(a), (c)-(d); (2) breach of an implied duty of confidentiality; (3) violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), 815 ILCS 505/2; (4) violations of the Illinois Uniform Deceptive Trade Practices Act (DTPA), 815 ILCS §§ 510/2(a); (5) intrusion upon seclusion; (6) publication of private facts; (7) trespass to chattels; (8) breach of contract; (9) breach of the duty of good faith and fair dealing; (10) unjust enrichment; and (11) violations of the Illinois Eavesdropping Act 720 ILCS § 5/14-2(a)(3) (4), (5).

For the reasons discussed below, the Court denies Rush's motion to dismiss Kurowski's claims for breach of contract (count eight) and under the Illinois Eavesdropping Act (count eleven) but otherwise grants Rush's motion.

Background

The Court assumes familiarity with this case's factual background, which this Court discussed in its above-referenced, prior written opinion. In short, Kurowski alleges that as a patient of Rush, she has and continues to use Rush's web properties to obtain information related to her care and-at least with respect to MyChart- exchange communications about appointments, billing, test results prescription refills, and other treatment with her provider. Rush's MyChart patient portal is available only to Rush patients and is password-protected.

Kurowski alleges that her reasonable expectation of privacy was violated by Rush's allegedly secret deployment of "custom analytics scripts"-for example, Google Analytics-within its web pages and within MyChart. First Am. Compl. ¶ 31. This source code, Kurowski alleges, allows for the "contemporaneous unauthorized interception and transmission of personally identifiable patient data, and redirection and disclosure of the precise content of patient communications with Rush" whenever a Rush patient uses a Rush web property, including MyChart. Id. ¶¶ 5, 32. The data Kurowski alleges was transmitted to Facebook, Google, and Bidtellect includes patient IP addresses,^[1]patient cookie identifiers,^[2]device identifiers, account numbers, URLs, other "unique identifying numbers, characteristics, or codes," and browser-fingerprints- all of which can be used to direct targeted advertising to patients. Id. ¶ 35. She also alleges that patient communications within the MyChart portal are shared with at least Google. Kurowski alleges that Rush deployed this source code without her knowledge, consent, or authorization, and that it derived a benefit from doing so.

Discussion

In deciding a motion to dismiss for failure to state a claim the court must accept as true all well-pleaded factual allegations in the complaint and draw all reasonable inferences in the plaintiff's favor. See NewSpin Sports, LLC v. Arrow Elecs., Inc., 910 F.3d 293, 299 (7th Cir. 2019). To survive a motion to dismiss, a plaintiff must allege "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Bissessur v. Ind. Univ. Bd. of Trs., 581 F.3d 599, 602 (7th Cir. 2009) (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). The plaintiff must provide "some specific facts to support the legal claims asserted" and cannot rely on conclusory allegations to make his claim. McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011).

A. Wiretap Act claims

In count one, Kurowski alleges violations of the ECPA. The ECPA (also known as the Wiretap Act) provides that "any person who-(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral or electronic communication" may be subject to (among other things) a civil penalty. 18 U.S.C. § 2511(1)(a), (5)(a)(ii). The same is true for any person who intentionally discloses or uses, or endeavors to disclose or use, the contents of an intercepted communication. 18 U.S.C. § 2511(1)(c), (d). Section 2511(2)(d) of the statute provides an exception when the person intercepting a communication "is a party to the communication or where one of the parties to the communication has given prior consent to such interception." This so-called "party exception" does not apply, however, if the "communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State." 18 U.S.C. § 2511(2)(d).

The parties do not appear to dispute that Rush may invoke the party exception to the Wiretap Act, as it was the intended recipient of the allegedly intercepted communications here. They do, however, dispute the applicability of the criminal or tortious purpose "exception to the exception" found in section 2511(2)(d).

The Court previously dismissed Kurowski's Wiretap Act claim because it found that the criminal or tortious purpose exception did not apply. Previously, Kurowski cited only to 42 U.S.C. § 1320(d)(6) as the crime or tort she contends that Rush intended to commit when engaging in the alleging wiretapping, such that it could not avail itself of the party exception. Section 1320(d)(6) provides criminal and civil penalties against a healthcare provider who "knowingly . . . discloses individually identifiable health information to another person." 42 U.S.C § 1320d(6). Section 1320(d)(6) HIPAA defines individually identifiable health information (IIHI) as:

any information, including demographic information collected from an individual, that- (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and- (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Id. (emphasis added).

As she did during the first round of motion to dismiss briefing, Kurowski continues to contend that a 2022 guidance issued by the Department of Health and Human Services (HHS) suggests that the type of online tracking technologies deployed by Rush violate HIPAA. Specifically, Kurowski contends that-based on the HHS guidance- HIPAA prohibits disclosing patients' health information via tracking technologies on both user-authenticated webpages (such as the MyChart portal) and unauthenticated webpages. She further contends that the guidance includes IP addresses, device IDs, and unique identifying codes collected on a regulated entity's website in the definition of IIHI. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (HHS guidance).

The Court previously held that section 1320(d)(6) could not serve as a basis for the exception because Kurowski had not alleged sufficient facts "to support an inference that Rush disclosed its patients' individually identifiable health information, at least as that term is defined by the statute." Mem. Op. and Order at 9. It further held that the HHS guidance that Kurowski relied upon to expand the definition of IIHI to cover Rush's alleged conduct applied only prospectively. Id. (citing Chrysler Corp. v. Brown, 441 U.S. 281, 302 n. 31 (1979)). The Court is not convinced that there is any basis to revisit its prior ruling on this point.

First, Kurowski contends that she has cured any defect by alleging additional facts that allow an inference to be drawn that the actual content of a patients' communications that occur within the MyChart portal were being transmitted to at least Google. Of course, private, care-related communications fall squarely within the meaning of IIHI as contemplated by the statute. But the Court agrees with Rush that Kurowski still fails to allege "any particular health or treatment information disclosure specific as to them that Rush allegedly made to any third-party, whether within the portal or not." Mot. to Dismiss at 5.

Doe v. Regents of University of California, 2023 WL 3316766 (N.D. Cal. May 8, 2023) is instructive regarding the inadequacy of Kurowski's allegations. The plaintiff in that case alleged...