As with many websites, hospitals often deploy third-party analytics tools to measure browser traffic in order to increase awareness of their websites, ensure website optimization and provide health care information to the public. But recently there has been a proliferation of class action lawsuits alleging that through those analytics tools, hospitals actually disclose patients’ identities and online activities without their knowledge and consent (“Hospital Website Pixel Cases”).
The BakerHostetler Privacy and Digital Risk Class Action and Litigation team is currently defending numerous hospital systems in Hospital Website Pixel Cases across various jurisdictions, including but not limited to California, Florida, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, Missouri, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Washington and Wisconsin. The purpose of this blog post is to shed light on the current litigation landscape, present high-level strategic considerations and promote best practices to mitigate litigation risk.
Litigation landscape
Since June 2022, over 100 Hospital Website Pixel Cases have been filed against hospitals in federal and state courts around the country. Despite the growing number of cases, there is limited precedent regarding potential liability. None of the cases have gone to trial, and we are unaware of any summary judgment or summary adjudication rulings. In most instances, motions to dismiss have successfully disposed of certain claims but not entire cases. One state court in Washington certified a class, while another state court in Maryland denied class certification. Only two settlements have been made public. The first, in Massachusetts state court, was settled for $18.4 million. More recently, a Wisconsin state court granted preliminary approval of a $2 million settlement. In short, the ultimate question of liability and potential settlement exposure is unknown to date.
Pleading-stage motions
Plaintiffs in Hospital Website Pixel Cases have asserted (a) contract claims based on website privacy policies or notices; (b) state law privacy claims (statutory, common law or constitutional) based on unauthorized disclosures of patients’ personal and/or medical information; and (c) Federal Wiretap Act or analogous state law claims based on interceptions of communications. Other types of claims, including those based on statutes that have traditionally targeted “computer hacking,” have also been asserted. See, e.g., California Comprehensive Computer Data Access and Fraud Act – Cal. Penal Code § 502.
On July 12, 2023, the Southern District of California granted a motion to dismiss a Hospital Website Pixel Case in its entirety, with leave to amend. Plaintiffs had asserted state common law and constitutional privacy claims, a breach of fiduciary duty claim, a California state wiretap act claim, and a California Medical Information Act claim. The Court held, among other notable rulings, that as a matter of law, “Plaintiffs cannot maintain their claims based upon the theory that Defendant’s sharing of their browsing activity, collected on its publicly facing website, is a disclosure of their sensitive medical information.”
Considerations for hospitals facing website pixel litigation
As noted, motions to dismiss have been successful in disposing of certain claims, depending on the particular allegations in the complaint and the controlling law. Multiple courts, for instance, have held that HIPAA-required privacy notices cannot form the basis of plaintiffs’ contract claims. Rather, these notices are merely provided to patients in order to comply with federal law. Another argument to consider is whether plaintiffs have alleged specific contract provisions that a hospital defendant allegedly breached (e.g., to not disclose patient data).
With respect to state law privacy claims, one item to consider is whether plaintiffs consented to the alleged analytics practices. For instance, at least one Ninth Circuit decision has affirmed dismissal of plaintiffs’ claims on the ground that plaintiffs’ consent to analytics and data disclosure practices on a hospital website barred their statutory and common-law privacy claims. In other cases, courts have dismissed intrusion upon seclusion claims, finding that plaintiffs failed to allege that hospital defendants obtained patient data.
Additionally, a subsumption argument may enable hospitals to successfully defeat some tort claims if their state has created a common-law tort for the unauthorized disclosure of nonpublic medical information to a third party. For instance, a state court in Ohio agreed with this subsumption argument and dismissed a plaintiff’s breach of confidence, negligence and breach of fiduciary duty claims.
Other defenses will depend on the precise statutes implicated and facts alleged. For instance, courts have rejected statutory claims requiring disclosure of “medical information” where none was identified. Additionally, courts have dismissed state consumer protection act claims for failure to identify damages sufficient to state an identifiable loss.
With respect to statutory wiretap-related claims, depending on the precise statute at issue, hospital defendants have successfully defeated these claims by arguing that, as parties to the communications, hospitals cannot be held liable for interception, and wiretap acts’ criminal or tortious conduct exceptions do not apply. Courts have also dismissed wiretap act claims because, among other reasons, some statutes contain no private right of action, hospitals are not “electronic communication service” providers, and plaintiffs failed to establish that the “contents” of any communications were transmitted, that any “interception” occurred or that an interception occurred “in transit.”
Lastly, hospital defendants may find that plaintiffs’ claims are subject to binding arbitration and/or class action waivers, which may form the basis of a successful motion to compel arbitration and/or a motion to strike class allegations, respectively.
Plaintiffs have also brought motions for preliminary injunction at the outset. To date, these motions have been unsuccessful, in part because plaintiffs can always disable the collection of their data through various opt-out tools, or refrain from using the hospital website at issue.
Opposing class certification
In opposing class certification, hospitals may raise various arguments to support the conclusion that the issues are too individualized to support class treatment. For instance, there may be key differences in putative class members’ experiences (including but not limited to their purpose for visiting the website, the pages they visited, and their browser and device settings). We are aware of one state court to date that has granted class certification and one that has denied class certification. In denying class certification, the court held that plaintiffs failed to show that common issues of law and fact predominated over individual issues. Moreover, the court held that because plaintiffs raised novel questions under state law, their claims were ill-suited for class certification.
The only class certification rulings issued so far in cases brought against hospitals have been unpublished state court decisions. In an instructive ruling involving similar alleged tracking technology, the Northern District of California denied class certification, holding that substantial issues about remaining logged into Facebook and clearing and blocking cookies meant that individualized issues predominated over any common issues. The court also held that the proposed class was not identifiable because class status turned on whether c_user cookies were sent to Facebook, which could not be easily determined.
In addition to individualized issues that may preclude class certification, plaintiffs’ proposed classwide damages theories may be unreliable because they do not reflect the economic realities of website interactions and/or do not fit with plaintiffs’ classwide claims. Lastly, depending on plaintiffs’ particular circumstances, discovery may show that the named plaintiffs are inadequate class representatives because their claims are subject to unique defenses.
Moving for summary judgment or summary adjudication
As noted, we are unaware of any summary judgment or summary adjudication rulings in Hospital Website Pixel Cases yet. From a merits standpoint, hospitals may consider (a) whether patients consented to the use of analytics technology that was deployed, and to what extent; (b) whether the analytics technology was deployed on the online patient portal (as opposed to the public-facing website), as that is often not the case and may be case-dispositive; (c) whether state law prohibits the disclosure of the specific information that was allegedly disclosed; and (d) the precise information allegedly disclosed and to whom, among other considerations.
Mitigating the risk of a lawsuit
Often the best litigation strategy is to mitigate the risk of litigation in the first place. While our Privacy and Digital Risk Class Action and Litigation team is experienced in litigating the Hospital Website Pixel Cases, our Digital Assets and Data Management (DADM) colleagues specialize in privacy compliance and have substantial experience advising hospital clients on issues related to tracking technologies on their websites. This typically involves conducting an investigation, evaluating the privacy policy or notices in place, and advising on best compliance practices in light of the law and litigation landscape.