484 F.Supp.3d 561
N.D. Ill.2020Background
- In 2017 UChicago Medical Center and Google entered a research partnership; UChicago transferred "de-identified" EHRs for all adult patients (1/1/2010–6/30/2016) to Google under a December 2016 Data Use Agreement (DUA).
- Plaintiff Matt Dinerstein was an inpatient in June 2015 and received an Admission/Authorization form and a Notice of Privacy Practices (NPP) that promised "all efforts" to protect privacy and required written permission for sale of medical information.
- Plaintiff alleges the EHRs included dates of service and free-text notes that were insufficiently de-identified and that UChicago received a perpetual license to Google's trained models (alleged remuneration), amounting to an impermissible sale under HIPAA and the NPP.
- Plaintiff brought putative class claims (ICFA, breach of express and implied contract, intrusion upon seclusion, tortious interference, unjust enrichment) against UChicago and Google under CAFA; Defendants moved to dismiss.
- The court held Plaintiff has Article III standing to pursue contract and common-law privacy claims but dismissed most claims on Rule 12(b)(6) grounds (ICFA, express contract damages, implied contract, tortious interference, intrusion/breach of confidentiality, unjust enrichment); leave to amend granted.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing for breach-of-contract claim | Breach of express promises (Authorization/NPP) is a concrete injury even without monetary loss | Pure legal violation without concrete harm fails Spokeo concreteness | Court: breach-of-contract allegation suffices for Article III standing (Seventh Circuit precedent supports plaintiff) |
| Standing for invasion-of-privacy (intrusion) | Unauthorized disclosure of private PHI is a concrete, common-law privacy injury | Too abstract; risk of re-identification is speculative | Court: invasion of privacy supports standing for the common-law intrusion claim |
| Whether UChicago breached express contract by violating federal law (HIPAA) / NPP | Disclosure constituted an impermissible "sale" (remuneration via license); NPP forbids sale without written permission | DUA and regulatory safe harbors permit research disclosures; remuneration is not shown; safe harbors are affirmative defenses | Court: Plaintiff plausibly alleged a HIPAA/NPP "sale" (remuneration via license), and the NPP could be more stringent than HIPAA; plausible breach survives pleading stage as to federal-law/NPP compliance |
| Enforceability of "all efforts" (best-efforts) privacy clause | "All efforts" is enforceable; question of good faith for jury | Clause is too vague and indefinite to be enforceable | Court: "all efforts" language is too indefinite as a standalone enforceable obligation; clause dismissed as basis for breach |
| Damages for breach of contract (economic/royalty/overpayment) | Entitled to restitution/royalty or benefit-of-the-bargain (overpayment) | No economic loss pleaded; contractual waiver disclaims compensation; royalties not supported | Court: No plausible allegation of economic loss or property interest in PHI; overpayment and royalty theories inadequate; express contract claim dismissed for lack of damages |
| Tortious interference against Google | Google induced UChicago to breach contracts by procuring PHI | No pleaded intentional, unjustified inducement; DUA shows UChicago represented it had right to disclose | Court: Plaintiff failed to plead Google’s intentional and unjustified inducement; tortious interference dismissed |
| Intrusion upon seclusion / breach of confidentiality tort | Common-law breach-of-confidentiality recognized in other states; should be available here | Illinois has not recognized such a tort; intrusion tort traditionally covers physical/active prying | Court: Declined to recognize a new Illinois breach-of-confidentiality cause of action; intrusion claim dismissed |
| Unjust enrichment | UChicago/Google were unjustly enriched by using PHI | Plaintiff’s unjust enrichment duplicates other claims and lacks independent basis | Court: Unjust enrichment claims tied to dismissed claims and therefore dismissed |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (concreteness inquiry for intangible harms; compare to common-law analogues)
- Thole v. U.S. Bank N.A., 140 S. Ct. 1615 (2020) (absence of monetary loss may defeat standing in some contract-like suits)
- J.P. Morgan Chase Bank, N.A. v. McDonald, 760 F.3d 646 (7th Cir. 2014) (breach of contract can confer standing absent monetary loss)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach standing analysis; skepticism about overpayment theory)
- Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (overpayment theory insufficient; limits on extending standing theories)
- Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020) (privacy/statutory-BIPA standing: invasion of one’s private domain is a concrete injury)
- Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547 (7th Cir. 2012) (state-law contract claims not preempted where federal statute lacks a private right of action)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility pleading standard)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (conclusory allegations insufficient to plead intent or other elements)
- In re Facebook Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (privacy tort standing and related discussion)