Dinerstein v. Google, LLC, 484 F.Supp.3d 561

See case details

MATT DINERSTEIN, Individually and on behalf of all others similarly situated, Plaintiff, v. GOOGLE, LLC, a Delaware limited liability company, THE UNIVERSITY OF CHICAGO MEDICAL CENTER, an Illinois not-for-profit corporation, and THE UNIVERSITY OF CHICAGO, an Illinois not-for-profit corporation, Defendants.

Case: 1:19-cv-04311

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Filed: 09/04/20

Judge Rebecca R. Pallmeyer

MEMORANDUM OPINION AND ORDER

In 2017, Defendants The University of Chicago and The University of Chicago Medical Center (collectively “the University“) and Google began a research partnership in which they used machine-learning techniques to create predictive health models aimed at reducing hospital readmissions and anticipating future medical events. As part of this research, the University disclosed to Google the “de-identified” electronic health records of all adult patients treated at its hospital from January 1, 2010 through June 30, 2016. Plaintiff Matt Dinerstein was an inpatient at the University in June 2015 and, asserting a variety of state-law claims, brings this suit pursuant to the Class Action Fairness Act (“CAFA“) on behalf of all patients whose medical information was disclosed for Defendants’ research. The University and Google have both filed motions to dismiss [43, 45]. In addition, the University has moved to strike the class allegations [49]. For the following reasons, Defendants’ motions to dismiss are granted, and the University‘s motion to strike is terminated as moot.

BACKGROUND

The amended class action complaint (“AC“) [42] alleges the following facts, assumed true for the purposes of this analysis. Plaintiff Matt Dinerstein had two separate hospital stays as a patient at the University‘s hospital in June 2015. (AC ¶ 92.) Each stay lasted for a few days (id.), and Plaintiff paid premiums and other fees to health insurers who provided coverage for the treatment and services he received. (Id. ¶ 98.) During his stays at the hospital and throughout 2015, Mr. Dinerstein maintained an account with Defendant Google and used a smartphone with Google applications on it, which, he alleges, collected and transmitted to Google his geolocation information. (Id. ¶ 94.) Also during these stays, the University generated and maintained health records for Plaintiff, which included such sensitive information as his demographic data, vital signs, diagnoses, procedures, and prescriptions. (Id. ¶ 93.) Mr. Dinerstein received two forms relevant to this sensitive information: the Admission and Outpatient Agreement and Authorization form, and the Notice of Privacy Practices. (Id. ¶ 61.)

The Admission and Outpatient Agreement and Authorization (“the Authorization“), a copy of which was attached as an exhibit to the amended complaint, contains two paragraphs relevant to the present dispute:

I understand and agree that my medical information in any form and any tissue, fluids, cells and other specimens that may be collected during this hospitalization and/or period of treatment may be used and shared for research that has been approved by the University of Chicago Institutional Review Board (IRB) and that has been found to pose a minimal risk. I acknowledge that such research by the University of Chicago Medical Center may have commercial value and, in that event, I understand that I will not be entitled to any compensation, regardless of the value of such research or any products or inventions developed therefrom.

I understand that all efforts will be made to protect my privacy and that any use of my medical information will be in compliance with federal and state laws, including all laws that govern patient confidentiality, and the University of Chicago Medical Center Notice of Privacy Practices. I further understand that my identity and the identity of my medical records will not be included in any research findings or reports.

(Outpatient Agreement & Authorization § III, Ex. 2 to AC [42-2].) See FED. R. Civ. P. 10(c) (“A copy of a written instrument that is an exhibit to a pleading is a part of the pleading for all purposes.“).

The Notice of Privacy Practices (“the NPP“) contains the following provisions that are also important to the instant case:

We respect the privacy of your medical information. Each time you visit us, we record information about the care you receive, including external information we receive about your health care and information to seek payment for our services (your “medical information“). This medical information is also called your “Protected Health Information“) (“PHI“). These records may be kept on paper, electronically on a computer, or stored by other media.

[The University Chicago Medical Center (“UCMC“)] is required by law to:

• Maintain the privacy and security of your PHI;
• Notify you following a breach of your unsecured PHI, if required by law;
• Provide this Notice to you and describe the ways we may use and share your PHI;
• Notify you of your rights regarding your PHI;
• Follow the terms of this Notice.

. . .

We perform research at UCMC. Our researchers may use or share your information without your authorization (a) if the group that oversees research gives them permission to do so, (b) if the patient data is being used to prepare for a research study, or (c) if the research is limited to data of deceased patients.

. . .

We will not use or share your medical information for any reason other than those described in this Notice without a written authorization signed by you or your personal representative. An authorization is a document that you sign that directs us to use or disclose specific information for a specific purpose. . . .

We will obtain your written permission:

• For the sale of your medical information.

(NPP at 1-2, 4, 5, Ex. 1 to Univ. Mem. in Supp. of Mot. to Dismiss [44-1].)¹

In May 2017, Google announced that it had partnered with the University to use “machine learning” to identify patients’ health problems and predict future medical events. (AC ¶ 58.) To conduct this study, the University transferred electronic health records (“EHRs“) to Google. (Id. ¶ 59.) This transfer was made pursuant to a December 2016 Data Use Agreement (“DUA“) under which the University would transfer to Google the EHRs of every patient, age eighteen or older, who used the University‘s outpatient, inpatient, or emergency services between January 1, 2010 and June 30, 2016. (Id. ¶ 66; see DUA at 9, Ex. 1 to AC [42-1].) Google has submitted a patent application for a system that aggregates EHR data and uses machine learning on those records to predict future medical events. (AC ¶ 54.) The patent application‘s abstract further describes the invention as providing an interface for healthcare providers to see past and predicted future medical events for a patient. See U.S. Patent Publication No. US2019/0034591. According to the amended complaint, by submitting the patent application in 2017, Google “demonstrat[ed] its clear intent to commercialize the University‘s medical records prior to obtaining them.” (AC ¶ 54.)

Plaintiff alleges that while Google retains all rights to the software created using the EHRs, the DUA granted the University a perpetual license to use that software. (Id. ¶ 66.) Google disputes this characterization of the DUA. (Google Mem. in Supp. of Mot. to Dismiss [46] at 3 n.3.) In fact, it is not apparent to the court what exactly has been granted to the University. See Bytska v. Swiss Int‘l Air Lines, Ltd., No. 15 C 483, 2016 WL 792314, at *3 (N.D. Ill. Mar. 1, 2016) (explaining that if “an exhibit incontrovertibly contradicts the allegations in the complaint, the exhibit ordinarily controls, even when considering a motion to dismiss“). The DUA grants to the University, “for internal non-commercial research purposes,” “a nonexclusive, perpetual license to use the [] Trained Models and Predictions” created by Google. (DUA § 3.12.) The Trained Model refers to the model created via machine learning conducted on the EHRs, and Predictions are the results of the model‘s computations. Specifically, the DUA defines “Trained Model” as “the Model parameters arranged in accordance with the Model‘s mathematical form,” which are determined by using “the Limited Data Set“—the EHRs disclosed by the University to Google—“as Input Data” to “train” the Model. (Id. § 1.12.) Training a model means “using Model Software to create Model parameters for a Model form using Input Data.” (Id. § 1.12.) And the “Model Software” is “used to Train a Model and compute Predictions,” (id. § 1.7), where “Predictions” are the outputs “of a Model for a given set of Input Data.” (Id. § 1.6.)

In early 2018, Defendants published a study discussing the results of their research and methodology. (AC ¶ 64; see Alvin Rajkomar et al., Scalable and Accurate Deep Learning with Electronic Health Records, 1 NPJ Digital Media (January 2018), https://www.nature.com /articles/s41746-018-0029-1 (last visited Sept. 1, 2020).) The article explains that the study used EHRs provided by Defendant University and the University of California, San Francisco (“UCSF“) that included the following “de-identified” information: “patient demographics, provider orders, diagnoses, procedures, medications, laboratory values, vital signs, and flowsheet data ... from all inpatient and outpatient encounters.” (Rajkomar et al., Scalable and Accurate Deep Learning at 6.) The article notes that Defendant University—but not UCSF—included the “dates of service” as well as “free-text medical notes” in the EHRs provided to Google. (Id.) According to Plaintiff, disclosing such information is a prima facie violation of the Healthcare Insurance Portability and Accountability Act of 1996 (“HIPAA“), Pub. L. No. 104-191, 110 Stat. 1936 (1996). (AC ¶ 67.) These records were not, the amended complaint alleges, sufficiently anonymized, and therefore put patient privacy at risk. (Id. ¶ 68.) The amended complaint points out that at a 2017 conference hosted by Google, the University‘s Associate Chief Research Informatics Officer himself said that protecting patient anonymity in free-text notes requires not only making certain redactions but actually changing information like a patient‘s age and other biographical information. (Id. ¶ 69.) Yet the parties’ DUA provides that the University would share patients’ ages with Google. (Id.) And the free-text notes shared with Google are alleged to have not been sufficiently redacted or anonymized. (Id.) Plaintiff claims that free-text notes “are normally not included in de-identified medical records,” and also “create an enormous wealth of data re-identifying the patients themselves.” (Id. ¶ 88.) According to the amended complaint, whatever process was used to redact these notes was not properly audited or independently verified. (Id. ¶ 89.)

These disclosures, Plaintiff alleges, violate HIPAA because the University either did not make an expert determination that the risk of re-identifying the data was very small or, if such a determination was made, it was incorrect.² (Id. ¶ 70.) Plaintiff suggests that the risk of re-identification was in fact substantial because of the information Google already possesses about individuals through the other services it provides.³ Specifically, the amended complaint refers to Google as “one of the largest and most comprehensive data mining companies in the world, drawing data from thousands of sources and compiling information about individuals’ personal traits (gender, age, sexuality, race), personal habits, purchases, and associations.” (Id. ¶ 76). Google has “create[d] detailed profiles of millions of Americans,” including public and nonpublic information, and “possess[es] detailed geolocation information that it can use to pinpoint and match exactly when certain people entered and visited the University‘s hospital,” according to the amended complaint. (Id. ¶¶ 77-78, 80.) In fact, for a user of Google applications like Mr. Dinerstein, Google can track the specific University hospital buildings or departments he visited and the time of his visits. (Id. ¶¶ 84–85.) Plaintiff alleges that the combination of such geolocation information and the EHRs, which include the date and time of hospital services, “creates a perfect formulation of data points for Google to identify who the patients in those records really are.” (Id. ¶ 87.) The amended complaint does not allege, however, that Google has in fact used its extensive data to re-identify any EHRs.

***

Mr. Dinerstein brings this action on behalf of himself and all individuals in the United States whose EHRs were transferred by the University to Google. (Id. ¶ 99.) According to the amended complaint (id. ¶ 18), the court has jurisdiction under CAFA because at least one member of the proposed class is a citizen of a different state than Defendants and the amount in controversy exceeds $5,000,000. 28 U.S.C. § 1332(d)(2). Plaintiff asserts several causes of action on behalf of himself and the class: Against the University, he brings claims for violating the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA“), 815 ILCS 505/1 et seq. (Count I), breach of express contract (Count II), breach of implied contract (Count III), and unjust enrichment (Count VII). Against Google, he asserts claims for tortious interference with contract (Count IV) and unjust enrichment (Count VI). And he asserts a claim for intrusion upon seclusion against both Defendants (Count V).

The University and Google have both filed motions to dismiss [43, 45], contending that Plaintiff lacks standing and has failed to state a claim upon which relief can be granted. See FED. R. Civ. P. 12(b)(1), (6). The University has also filed a motion to strike Plaintiff‘s class allegations [49] on the grounds that Plaintiff‘s counsel has a conflict of interest that disqualifies him from representing the class. As the court discusses below, the court finds that Plaintiff lacks standing to pursue one of his asserted claims and dismisses the rest of the complaint under Rule 12(b)(6). The University‘s motion to strike class allegations is terminated as moot.

DISCUSSION

I. Subject Matter Jurisdiction

A motion to dismiss for lack of standing tests the jurisdictional sufficiency of the complaint. FED. R. Civ. P. 12(b)(1). Both Defendants present facial challenges to the court‘s subject matter jurisdiction (see Univ. Mem. in Supp. of Mot. to Dismiss [44] at 4–8; Google Mem. In Supp. of Mot. to Dismiss at 5–6), arguing that Mr. Dinerstein has not adequately alleged a basis for standing in his amended complaint. Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015). In reviewing such a challenge, the court must accept all well-pleaded factual allegations as true and draw all reasonable inferences in favor of Plaintiff.⁴ Id. Article III standing requires a plaintiff to “demonstrate (1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.” Thole v. U. S. Bank N.A., 140 S. Ct. 1615, 1618 (2020) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.‘” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016) (quoting Lujan, 504 U.S. at 560). Plaintiff has identified three injuries that he claims satisfy this standard, while Defendants contend that none is sufficient to confer him standing. The court addresses the claimed injuries in turn.

A. Breach of Contract

First, Plaintiff argues that he has standing because he alleged that the University breached a contract—namely, the promises the University made in the Authorization and NPP he received when admitted to the hospital. (See Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss [65] at 5.) An alleged breach of contract, Mr. Dinerstein insists, confers Article III standing even if the breach is not claimed to have resulted in any “monetary loss or other concrete harm.” (Id. at 4–5 (quoting J.P. Morgan Chase Bank, N.A. v. McDonald, 760 F.3d 646, 650–51 (7th Cir. 2014).) The University responds that such an injury is purely a legal one and hence neither concrete nor even an injury in fact. (Univ. Reply Mem. in Supp. of Mot. to Dismiss [71] at 1-2 (citing Spokeo, 136 S. Ct. at 1549).)

Whether alleging breach of contract—without actual damages—is enough to confer standing is a close call. There is authority on both sides of the issue, but the court concludes that Plaintiff has the better argument. The Supreme Court in Spokeo, 136 S. Ct. at 1549, wrote that for a court engaging in standing analysis, “it is instructive to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” There is common law authority for the proposition that a plaintiff may sue for breach of contract even where the breach resulted in no harm. See, e.g., RESTATEMENT (FIRST) OF CONTRACTS ch. 12, topic 2, § 328 (AM. LAW INST. 1932) (“Where a right of action for breach exists, but no harm was caused by the breach, . . . judgment will be given for nominal damages, a small sum fixed without regard to the amount of harm.“); see also Spokeo, 136 S. Ct. at 1551 (Thomas, J., concurring) (“Historically, common-law courts possessed broad power to adjudicate suits involving the alleged violation of private rights, even when plaintiffs alleged only the violation of those rights and nothing more. . . . ‘Private rights’ have traditionally included rights of personal security (including security of reputation), property rights, and contract rights.“). After the parties submitted their briefs, however, the Supreme Court issued an opinion in Thole holding that participants in a defined-benefit retirement plan, which the Court observed is “in the nature of a contract,” lack standing to sue a plan manager for breach of fiduciary duties because they had suffered no monetary injury. 140 S. Ct. at 1618, 1620. This could be construed to mean that breach of contract, without monetary harm, does not confer standing. Indeed, that appears to be how, in dissent, Justice Sotomayor interpreted that portion of the majority opinion. See id. at 1630 (Sotomayor, J., dissenting). Thole concerned a cause of action under ERISA and does not correctly control the analysis of the issue here.

There is conflicting precedent, but the Seventh Circuit seems to have endorsed Plaintiff‘s standing theory. J.P. Morgan Chase Bank, 760 F.3d at 650–652, which Plaintiff cites, is on point. In that case, the McDonalds, two customers of J.P. Morgan Chase Bank (“the Bank“), had filed an arbitration demand against an affiliate of the Bank, J.P. Morgan Securities (“JPMS“), even though the losses suffered by the McDonalds were in an account held with the Bank itself. Id. at 648-49. The McDonalds’ contract with JPMS required arbitration, but their agreement with the Bank did not have such a provision and instead included a forum-selection clause that required that disputes be litigated in federal or state court. Id. at 649. The Bank sued to enforce the forum-selection clause, and the Seventh Circuit held that the Bank had standing to enforce it:

The McDonalds’ attempt to arbitrate appears to have violated the clause of their contract with the Bank, and the Bank‘s claim of the violation is enough to give the Bank standing to bring this action to enforce the clause. Formation of a bilateral contract requires each party to take on one or more legally binding obligations in exchange for the other party doing the same. When one party fails to honor its commitments, the other party to the contract suffers a legal injury sufficient to create standing even where that party seems not to have incurred monetary loss or other concrete harm.

Id. at 650-51. True, J.P. Morgan Chase Bank was decided before Spokeo, 136 S. Ct. at 1548, where the Court made clear that for an injury to satisfy the concreteness requirement, it “must actually exist” and cannot be “abstract.” But Defendants have cited no post-Spokeo Seventh Circuit case that revisits or is at odds with J.P. Morgan Chase Bank.

The court acknowledges pre-Spokeo Seventh Circuit cases cited by the University that are in some tension with J.P. Morgan Chase Bank, but finds those cases distinguishable. In Silha, 807 F.3d at 171, students sued administrators of the ACT and SAT tests because, even though the plaintiffs had consented to the administrators sharing their personal information with educational organizations, the administrators had not told the students that their information would be sold. Among the claims asserted was an alleged breach of contract, but the Court of Appeals concluded the plaintiffs lacked standing. Id. at 172, 174–75. In contrast with the case before this court, where Mr. Dinerstein has adequately alleged the existence of a contract and identified the terms he claims were breached, the well-pleaded factual allegations in Silha included neither. Id. at 174–75. Indeed, in the district court, the Silha plaintiffs had not identified a contract breach as one of their injuries. Silha v. ACT, Inc., No. 14 C 0505, 2014 WL 11370440, at *2 (N.D. Ill. Sept. 2, 2014).

The University also relies on language from two Seventh Circuit data breach cases, but these too are inapposite. In Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692–94 (7th Cir. 2015), plaintiffs, whose credit card numbers had been stolen when the defendant department store‘s servers were hacked, alleged that they had “overpaid for the products at Neiman Marcus because the store failed to invest in an adequate security system.” Id. at 694. The court found these plaintiffs had standing—but not on the basis of plaintiffs’ overpayment theory. Instead, the court noted other claims: that plaintiffs faced an increased risk of future fraudulent charges, greater susceptibility to identity theft, and lost time and money expended to protect themselves from future identity theft and fraudulent charges. The court did note that overpayment can sometimes confer standing, but “many of those cases [in which overpayment claims conferred standing] involve products liability claims against defective or dangerous products. Our case would extend that idea from a particular product to the operation of the entire store . . . . This is a step we need not, and do not, take in this case.” Id. at 695 (citation omitted). The Seventh Circuit reiterated its skepticism about such a basis for standing in Lewert v. P.F. Chang‘s China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016) (citation omitted):

Plaintiffs claim that the cost of their meals is an injury because they would not have dined at P.F. Chang‘s had they known of its poor data security. As we noted in Remijas, such arguments have been adopted by courts only where the product itself was defective or dangerous and consumers claim they would not have bought it (or paid a premium for it) had they known of the defect. The plaintiffs here make no such allegations, and we are not inclined to push this theory beyond its current scope.

The University argues that these two cases support the proposition that being denied the benefit of his bargain is insufficient to confer standing on Plaintiff. (Univ. Reply Mem. in Supp. of Mot. to Dismiss at 3.) As the University sees it, the theory rejected in Remijas and Lewert concerned breaches of implied contract, which is no different from Mr. Dinerstein‘s breach of express contract theory. (Id. at 3 n.3.) But in those cases, the Seventh Circuit appeared to doubt that the implied contract between the plaintiff patrons and defendant stores included a promise that the stores would implement better information security practices. See Lewert, 819 F.3d at 968 (noting that the plaintiffs made no allegations that they would not have dined at P.F. Chang‘s had they known of their security practices). In this case, in contrast, Plaintiff alleges that the University expressly made certain promises about privacy to Plaintiff, which he has alleged were breached.

Out-of-circuit caselaw generally—albeit not universally—confirms this court‘s view that Plaintiff has standing to pursue his contract claims. See Springer v. Cleveland Clinic Emp. Health Plan Total Care, 900 F.3d 284, 287 (6th Cir. 2018) (citations omitted) (“Like any private contract claim, his injury does not depend on allegation of financial loss. His injury is that he was denied the benefit of his bargain.... The injury therefore stemmed from traditional principles of contract law that did not depend on financial harm.“); Kuhns v. Scottrade, Inc., 868 F.3d 711, 716 (8th Cir. 2017) (quoting Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (8th Cir. 2016)) (“[A] party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged.“); In re Facebook Internet Tracking Litig., 263 F. Supp. 3d 836, 844 (N.D. Cal. 2017) (“Actual damages are not required to establish standing for contractual claims.“), aff‘d in part, rev‘d in part, 956 F.3d 589 (9th Cir. 2020). But see Case v. Miami Beach Healthcare Grp., Ltd., 166 F. Supp. 3d 1315, 1318–20 (S.D. Fla. 2016) (holding that plaintiff did not have standing even though she alleged that the defendants “breached their contractual obligation to protect her sensitive information“); Svenson v. Google Inc., No. 13 C 04080, 2016 WL 8943301, at *10 (N.D. Cal. Dec. 21, 2016).

In a footnote, the University has cited a number of cases in which courts dismissed cases for lack of standing, but none of those cases considered claims of standing based on a breach of contract theory. See Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 879 (N.D. Ill. 2014); Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 754 (W.D.N.Y. 2017); Kahn v. Children‘s Nat‘l Health Sys., 188 F. Supp. 3d 524, 533 (D. Md. 2016); In re Sci. Applications Int‘l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 24–31 (D.D.C. 2014). In fact, these were data breach cases where the courts rejected theories similar to the overpayment theory considered by the Seventh Circuit in Remijas and Lewert, which the court has already noted are not on point here. See Fero, 236 F. Supp. 3d at 754 (citation omitted) (“The Excellus Defendants argue that Plaintiffs cannot establish injury-in-fact based on their alleged overpayment for health insurance. The Court agrees.“); Kahn, 188 F. Supp. 3d at 533 (rejecting

the plaintiff‘s claim that she was deprived the full value of her bargain because she did “not allege any facts showing that she overpaid for those services or that she would have sought those services from another provider had she been aware of the hospital‘s allegedly lax data security“); SAIC, 45 F. Supp. 3d at 30 (“Plaintiffs have not alleged facts that show that the market value of their insurance coverage (plus security services) was somehow less than what they paid. Nothing in the Complaint makes a plausible case that Plaintiffs were cheated out of their premiums.“).

The weight of authority supports the conclusion that Mr. Dinerstein‘s allegation that the University breached an express contract is sufficient for Article III standing purposes. Standing, however, “‘is not dispensed in gross.’ To the contrary, ‘a plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought.‘” Town of Chester, N.Y. v. Laroe Estates, Inc., 137 S. Ct. 1645, 1650 (2017) (citations omitted) (quoting Davis v. Fed. Election Comm’n, 554 U.S. 724, 734 (2008)). Plaintiff therefore has standing to pursue his contract claims, including his interference of contract claim against Google,⁵ but the court will review his other injuries independently to determine whether he has standing to pursue his intrusion-upon-seclusion and ICFA claims.

B. Invasion of Privacy

Second, Plaintiff contends that an invasion of his privacy is an injury in fact sufficient for Article III standing. (See Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 6–8.) Specifically, Mr. Dinerstein alleges that the University disclosed, at Google‘s behest, his confidential medical records. (Id. at 6.) Defendants assert that this injury is too abstract for Article III standing. (See, e.g., Univ. Mem. in Supp. of Mot. to Dismiss at 7.) Here, too, there is mixed authority with little clear appellate court guidance, but the court again finds Plaintiff‘s position to be more persuasive, at least for his common law intrusion-upon-seclusion claim.⁶

As noted in the court‘s discussion of Spokeo, courts faced with standing challenges must consider whether “the common law permitted suit in analogous circumstances.” Groshek v. Time Warner Cable, Inc., 865 F.3d 884, 887 (7th Cir. 2017). Important for the present case, many courts have observed that “[i]nvasion of privacy lawsuits are nothing new; at common law, violations of the right to privacy have been recognized as a valid basis for suit.” Dixon v. Washington & Jane Smith Cmty.–Beverly, No. 17 C 8033, 2018 WL 2445292, at *9 (N.D. Ill. May 31, 2018) (citing Cox Broad. Corp. v. Cohn, 420 U.S. 469, 488 (1975); Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017)); see also C.S. Wang & Assoc. v. Wells Fargo Bank, N.A., 305 F. Supp. 3d 864, 880 (N.D. Ill. 2018) (“Invasion of privacy is actionable at common law.“). “[T]he Supreme Court has noted that ‘both the common law and the literal understanding of privacy encompass the individual‘s control of information concerning his or her person.‘” Eichenberger, 876 F.3d at 983 (quoting U.S. Dep‘t of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 763 (1989)). In recognizing that “there is a common law tradition of lawsuits for invasion of privacy,” the Eighth Circuit has stated that “the retention of information lawfully obtained, without further disclosure, traditionally has not provided the basis for a lawsuit in American courts.” Braitberg v. Charter Commc‘ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016). That language implies that the common law would recognize suits where private information was further disclosed.

A recent Seventh Circuit case, not cited by the parties, is consistent with this understanding. Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 619–20 (7th Cir. 2020), was a suit brought under the Illinois Biometric Information Privacy Act (“BIPA“), 740 ILCS 14/1 et seq., where the plaintiff challenged use of fingerprints by the operator of “smart” vending machines, installed in her employer‘s cafeteria. The Seventh Circuit offered the following analysis regarding the plaintiff‘s Article III standing:

Justice Thomas joined the majority‘s opinion [in Spokeo], but he added a concurrence that drew a useful distinction between two types of injuries. The first, he said, arises when a private plaintiff asserts a violation of her own rights [which is permissible]; the second occurs when a private plaintiff seeks to vindicate public rights [which is not]. As examples of the first, he mentioned actions for trespass, infringement of intellectual property rights, and unjust enrichment; as examples of the second, he pointed to actions seeking to abate a public nuisance, or disputes over the use of public land.

Applying Justice Thomas‘s rubric, we have no trouble concluding that Bryant was asserting a violation of her own rights—her fingerprints, her private information—and that this is enough to show injury-in-fact without further tangible consequences. This was no bare procedural violation; it was an invasion of her private domain, much like an act of trespass would be.

Id. at 624 (citations omitted). Here, Mr. Dinerstein asserts the wrongful disclosure of his private information—a violation of his own rights. “[T]his is enough to show injury-in-fact,” according to the Seventh Circuit. Id.

This case, of course, differs from Bryant and others cited above, which involved statutes that created private rights of action. The two statutes relevant to this case—HIPAA and the Illinois’ Medical Patient Rights Act (“MPRA“), 410 ILCS 50/0.01 et seq.—do not provide a private right of action, as Plaintiff acknowledges. (See Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 14.) According to the Supreme Court, “because Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is also instructive and important. Thus, we said in Lujan that Congress may ‘elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.‘” Spokeo, 136 S. Ct. at 1549 (quoting Lujan, 504 U.S. at 578). Neither Congress nor the Illinois legislature has elevated violations of HIPAA or the MPRA to the status of concrete, de facto injuries. A plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Id. But this does not mean that a plaintiff cannot have standing—especially for a common law claim—in the absence of such an express statutory right. See Browner v. Am. Eagle Bank, 355 F. Supp. 3d 731, 735 (N.D. Ill. 2019) (”Spokeo counsels that in determining whether an intangible injury (as this clearly is) causes injury in fact, the judgment of Congress is relevant but not determinative.“). For those cases involving statutes, courts consider whether the alleged statutory violation results in the type of harm that could be adjudicated by common law courts; conversely, no statute is needed to establish standing for a common law claim. See Spokeo, 136 S. Ct. at 1551-52 (Thomas, J., concurring); see also, e.g., Browner, 355 F. Supp. 3d at 736 (discussing the common law‘s relation to the asserted claim (unauthorized access to plaintiff‘s credit record) and stating that “[h]istory in this instance leads to the same conclusion“—that the plaintiff‘s claim bore “a ‘close relationship’ to a harm that has traditionally served as a basis for suit in English and American courts“).

This court concludes that for Plaintiff‘s common law intrusion-upon-seclusion claim, an invasion of Plaintiff‘s privacy is an injury-in-fact that can support standing. See In re Facebook Internet Tracking Litig., 263 F. Supp. 3d at 843 (citations omitted) (“[A] plaintiff need not show actual loss to establish standing for common-law claims of invasion of privacy and intrusion upon seclusion. The Court finds that Plaintiffs’ alleged privacy violations are sufficient to establish standing for Plaintiffs’ privacy tort claims.“) True, other courts have denied standing for plaintiffs who alleged that their personal information was wrongfully disclosed. See, e.g., Jackson v. Loews Hotels, Inc., No. ED CV 18-827-DMG (JCx), 2019 WL 2619656, at *3–5 (C.D. Cal. Jan. 4, 2019).⁷ But the court is persuaded that Mr. Dinerstein has pleaded an injury in fact, in light of the common law tradition‘s recognition that an individual has standing to challenge an invasion of his privacy rights. See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020) (finding that a violation of the right to privacy is a concrete and particularized injury in fact); Browner, 355 F. Supp. 3d at 736 (“[A]n invasion of privacy is similar to the harm involved in the traditional tort of intrusion upon

seclusion which holds a person liable for intentionally intruding, physically or otherwise, upon the solitude or seclusion of another or his private affairs.“); see also Bryant, 958 F.3d at 624 (holding that the plaintiff had standing because the alleged injury “was an invasion of her private domain, much like an act of trespass would be“). In short, the alleged invasion of Plaintiff‘s privacy is an injury in fact that can support his claim of intrusion upon seclusion.

Defendants’ other arguments on this issue are unavailing. Both argue that this case differs from those where courts recognized invasions of privacy as injuries in fact because of the nature of the information disclosed. (Univ. Mem. in Supp. of Mot. to Dismiss at 6–8; Google Mem. in Reply in Supp. of Mot. to Dismiss [70] at 4.) This contention has some basis: those cases concerned stolen credit card information, Lewert, 819 F.3d at 965, secretly recorded phone calls, C.S. Wang & Assoc., 305 F. Supp. 3d at 873, and biometric data such as fingerprints, Dixon, 2018 WL 2445292, at *1. While Plaintiff charges the University with disclosing de-identified information such as patient demographics and diagnoses, as well as date stamps and free-text notes, Plaintiff also claims this information was not sufficiently anonymized. (See AC ¶¶ 64–69.) For many persons, disclosure of insufficiently anonymized health records is more invasive and disturbing than disclosure of credit records or fingerprints. In any case, the court is skeptical that the gravity of the information disclosed is what matters for standing; just as, for example, “trespass occurs whenever property interest is invaded” and does not require actual damages, Chicago Title Land Tr. Co. v. JS II, LLC, 2012 IL App (1st) 063420, ¶¶ 77, 977 N.E.2d 198, 218 (1st Dist. 2012), so the invasion of Mr. Dinerstein‘s privacy depends not on the magnitude of the harm but the fact that this private right was invaded at all.

Finally, Google contends that standing is not conferred by the risk that Google may effectively re-identify the EHRs because it has access to other data. Were this the only injury attributable to Google, the court would agree. See Clapper v. Amnesty Int‘l USA, 568 U.S. 398, 410 (2013) (noting that “threatened injury must be certainly impending“). Yet Plaintiff has alleged that his private information was improperly disclosed to Google, a party with whom he never authorized sharing his medical data, and that the University also disclosed this information at Google‘s behest. (See, e.g., AC ¶ 9. (“Ultimately, by getting the University to turn over these records, Google quietly pulled off a feat that other tech giants (like Facebook) have had to abandon under mounting public pressure for other gross privacy violations.“).) That is, Plaintiff claims Google participated in the University‘s invasion of his privacy, and its continued possession of his information is part and parcel of the harm. This is enough of an injury for Plaintiff to assert his intrusion-upon-seclusion claim against Google.

C. Value of EHRs

Plaintiff‘s third asserted concrete and particularized harm is the alleged theft of his medical information, which he insists has commercial value and is something he has a legal interest in. (See Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 9–10.) Plaintiff points to Lewert, 819 F.3d at 968, for support, where the Seventh Circuit noted that the statute at issue in Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014), “creates a legally protected interest in a consumer‘s personally identifiable information with respect to video rentals.” Mr. Dinerstein seems to suggest that the statutes at issue here—HIPAA and the MPRA—also create a legal interest in his health information, just as the statute in Sterk did. But the court in Lewert, 819 F.3d at 968, made clear that ”Sterk does not recognize a legal interest in personally identifiable information beyond the video-rental context.” Plaintiff has cited no authority supporting the proposition that HIPAA or the MPRA creates a property interest in health data. Plaintiff also contends, without citations, that the common law and the University‘s contractual obligations also establish his legal interest in his own medical information. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 9.) This assertion relies on little more than arguments the court has already addressed, about whether invasion of privacy and breach of contract are injuries in fact. Mr. Dinerstein has neither developed nor supported a separate argument that the common law or his contract created a legal interest in his data.

Even if Mr. Dinerstein has a property interest in medical information, his allegations do not support an inference that the value of that property has been diminished by the University‘s or Google‘s actions. See Remijas, 794 F.3d at 695 (finding that the loss of personal information, which the plaintiffs “characterize[d] as an intangible commodity,” did not support standing, “particularly since the complaint does not suggest that the plaintiffs could sell their personal information for value“); Welborn v. Internal Revenue Serv., 218 F. Supp. 3d 64, 78 (D.D.C. 2016) (“Courts have routinely rejected the proposition that an individual‘s personal identifying information has an independent monetary value.“). Trying to circumvent this obstacle, Plaintiff argues that even if his personal information suffered no diminution in value, he still has an injury in the form of a lost royalty—that is, he suggests that Google or the University would have agreed to pay him a royalty if they had negotiated in good faith for his medical records. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 9–10.) In support, Mr. Dinerstein cites a patent case, Zegers v. Zegers, Inc., 458 F.2d 726, 730 (7th Cir. 1972), and a case concerning the theft of proprietary information, Vojdani v. Pharmasan Labs, Inc., 741 F.3d 777 (7th Cir. 2013). But the court agrees with the University that these are inapposite because the aggrieved parties in those cases, unlike Plaintiff, had recognized legal interests in the information in question. (See Univ. Reply Mem. in Supp. of Mot. to Dismiss at 5 n.5.) Moreover, the Seventh Circuit foreclosed this theory in Silha, 807 F.3d at 174–75 (citation omitted), where it reasoned that “a plaintiff‘s claim of injury in fact cannot be based solely on a defendant‘s gain; it must be based on a plaintiff‘s loss.”⁸ Here, as in Silha, Plaintiff “ha[s] not alleged that [he] lost anything of value as a result of the alleged misconduct.” Id. at 175.

***

Plaintiff has pleaded two concrete and particularized injuries in fact to support his contract and common law claims asserted against the University and Google. The other requirements for Article III standing are met for those claims as well, because the alleged breach of contract and invasion of privacy are fairly traceable to the University‘s and Google‘s conduct and could be redressed by some of the relief that Mr. Dinerstein seeks.

Plaintiff‘s ICFA claim differs. A claim under that statute requires a showing of actual damages, 815 ILCS 505/10a(a), which has been interpreted by state courts to refer only to economic or pecuniary harm. See Kim v. Carter‘s Inc., 598 F.3d 362, 365 (7th Cir. 2010) (quoting Mulligan v. QVC, Inc., 382 Ill. App. 3d 620, 628, 888 N.E.2d 1190, 1197 (1st Dist. 2008)) (“The actual damage element of a private ICFA action requires that the plaintiff suffer ‘actual pecuniary loss.‘“); Cooney v. Chicago Pub. Sch., 407 Ill. App. 3d 358, 365, 943 N.E.2d 23, 31 (1st Dist. 2010). Quoting a recent Seventh Circuit opinion, Mr. Dinerstein insists that the actual damages requirement for an ICFA claim is satisfied wherever “a defendant‘s deception ‘deprives the plaintiff of “the benefit of her bargain.“‘” (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 23 (quoting Benson v. Fannie May Confection Brands, Inc., 944 F.3d 639, 647 (7th Cir. 2019)). Plaintiff‘s quotation from Benson stops there, but the language that that follows is significant: “Actual loss may occur ‘if the seller‘s deception deprives the plaintiff of “the benefit of her bargain” by causing her to pay “more than the actual value of the property.“‘” Benson, 944 F.3d at 647 (emphasis added) (quoting Kim, 598 F.3d at 365). Plaintiff contends that had he known about the University‘s privacy practices, he may have gone to a different hospital or paid less for his treatment. But this merely restates the overpayment theory that was rejected in Remijas, 794 F.3d at 694–95, and Lewert, 819 F.3d at 968. Cf. Benson, 944 F.3d at 648 (dismissing under 12(b)(6) the plaintiffs’ claim that they would have paid less for a box of chocolates had they known there was so much empty space in the box because they had not alleged the box was worth less than the price paid

or that they could have obtained a better price elsewhere). Plaintiff‘s ICFA claim (Count I) is therefore dismissed.

II. Failure to State a Claim upon which Relief Can Be Granted

A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) tests the sufficiency of the complaint, not the merits of the case. See, e.g., Bell v. City of Country Club Hills, 841 F.3d 713, 716 (7th Cir. 2016). To survive such a motion, the complaint must provide “a short and plain statement of the claim showing that the pleader is entitled to relief,” FED. R. CIV. P. 8(a)(2), sufficient to provide a defendant with “fair notice” of the claim and the basis for it. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). In ruling on a Rule 12(b)(6) motion, the court accepts all well-pleaded facts in a plaintiff‘s complaint as true and views them in the light most favorable to the plaintiff. See, e.g., Boucher v. Fin. Sys. of Green Bay, Inc., 880 F.3d 362, 365 (7th Cir. 2018). Defendants argue that Plaintiff‘s claims fail as a matter of law. As discussed here, the court agrees.

A. Express Contract Claim

“Under Illinois law, the elements of a breach of contract cause of action are ‘(1) offer and acceptance, (2) consideration, (3) definite and certain terms, (4) performance by the plaintiff of all required conditions, (5) breach, and (6) damages.‘” Ass‘n Ben. Servs., Inc. v. Caremark RX, Inc., 493 F.3d 841, 849 (7th Cir. 2007) (quoting MC Baldwin Fin. Co. v. DiMaggio, Rosario & Veraja, LLC, 364 Ill. App. 3d 6, 14, 845 N.E.2d 22, 30 (1st Dist. 2006)). Three elements are at issue for Mr. Dinerstein‘s contract claim: whether he has pleaded that the University breached the contract, whether the agreement was supported by valid consideration, and whether he has alleged damages.

1. Alleged Breaches

Plaintiff asserts that the University‘s disclosure of his medical information to Google violated four terms of the contract: (1) that “all efforts” would be made to protect his privacy, (2) that any use of his medical information would comply with federal law, (3) that any use of his medical information would comply with state law, and (4) that it would comply with the NPP. (AC ¶¶ 130–32; Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 11.)

a. “All Efforts”

To begin, the parties disagree about whether an “all efforts” or “best efforts” clause is enforceable in Illinois. (Compare Univ. Mem. in Supp. of Mot. to Dismiss at 9, with Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 15–16.) Having reviewed the case law on this question, the court concludes that while Mr. Dinerstein is correct that Illinois courts have enforced all-efforts or best-efforts clauses in certain circumstances, Res. Dealer Grp., Inc. v. Exec. Servs., Ltd., No. 97 C 4343, 1997 WL 790737, at *3 (N.D. Ill. Dec. 18, 1997) (“Illinois courts have enforced best efforts clauses in a variety of contracts.“), this is not one of those circumstances.

Wald v. Chicago Shippers Ass‘n, 175 Ill. App. 3d 607, 529 N.E.2d 1138 (1st Dist. 1988), is instructive. The Wald plaintiffs sued to enforce a clause in a contract that required the defendant shipping association to use its best efforts to route the largest possible volume of freight through the plaintiffs’ facilities. Id. at 610–14, 529 N.E.2d at 1140–43. That clause, the court found, was “too indefinite to be enforceable” because it failed to set forth any specific terms regarding, for example, the contract‘s duration or the quantity of freight to be shipped through those facilities. Id. at 617, 529 N.E.2d at 1145. No other part of the contract contained terms clarifying this obligation, either. Id. Though the court noted that ambiguities in contracts may be resolved by extrinsic evidence or prior course of dealings, such evidence did not effectively clarify the “best efforts” clause. Id. at 618–20, 529 N.E.2d at 1146–47; see also Beraha v. Baxter Health Care Corp., 956 F.2d 1436, 1441 (7th Cir. 1992) (holding that the defendant‘s “statement that it would ‘do [its] very best to make this project a success’ is merely a vague expression of goodwill; it is not an enforceable contractual promise“); Penzell v. Taylor, 219 Ill. App. 3d 680, 688, 579 N.E.2d 956, 961 (1st Dist. 1991) (stating that “this court has held that the phrase ‘best efforts’ is too indefinite and uncertain to be an enforceable standard” and finding that “[the counter-claimant‘s] claim for breach of contract fails because the best effort required to be expended by [the counter-defendant] is too vague to ascertain“).

As in Wald, the “all efforts” language in the Authorization is too indefinite to enforce. It does not include or refer to essential terms, such as what efforts the University was expected to engage in. And no other parts of the contract provide terms that could be construed to supply the definiteness necessary for this clause to be enforceable. Moreover, Mr. Dinerstein has not pointed to any extrinsic evidence or other facts that would help the court determine what all efforts is supposed to mean. Cf. Res. Dealer Grp., 1997 WL 790737, at *3–4 (declining to dismiss a contract claim concerning “best efforts” language in a “detailed, nineteen page contract” where that clause was one of “four separate and specific obligations that the parties intended [the counter-defendant] to perform, not merely precatory language“).

In the court‘s view, Plaintiff‘s “best efforts” claim is an odd fit in this context. When such clauses are held to be enforceable, they are most typically used to impose affirmative obligations in commercial contracts in which one party is obliged to promote the business of another. See, e.g., id. at *3 (concerning a clause that required the plaintiff to use “best efforts” in marketing the defendant‘s business); Ralph v. Karr Mfg. Co., 20 Ill. App. 3d 450, 453–54, 314 N.E.2d 219, 221–23 (1st Dist. 1974) (analyzing a clause that required the plaintiff to “put forth his best efforts and to diligently provide the management of [the defendant‘s] sales and marketing program and with such efforts to increase [the defendant‘s] sales“). In such cases, the party so obliged must “diligently direct[] his efforts on [his counterparty‘s] behalf.” Ralph, 20 Ill. App. 3d at 454, 314 N.E.2d at 222. Here, in contrast, Plaintiff does not claim that the University failed to take appropriate affirmative actions to protect his privacy. He instead contends that the University‘s conduct actually violated his privacy.

Plaintiff argues that a best-efforts clause is just an obligation to act in good faith and that whether a party has acted in good faith is a question of fact. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 16.) Plaintiff may well be technically correct about this, see, e.g., Coleman v. Madison Two Assocs., 307 Ill. App. 3d 570, 578, 718 N.E.2d 668, 674 (1st Dist. 1999), but the argument is still inapt. “The obligation of good faith and fair dealing primarily is used to determine the intent of the parties where a contract is susceptible to two conflicting constructions. Parties to a contract are entitled to enforce the terms of the contract to the letter and an implied covenant of good faith cannot override or modify the express terms of that contract.” Id., 718 N.E.2d at 675 (emphasis added) (citation omitted); see also M.S. Distrib. Co. v. Web Records, Inc., No. 00 C 1436, 2003 WL 21087961, at *9 (N.D. Ill. May 13, 2003) (the “best efforts undertaking . . . does not form the basis for an independent cause of action“). The court does not read the Authorization as permitting two conflicting constructions; indeed, Plaintiff advances no argument that it does. And the Authorization expressly permits sharing Plaintiff‘s medical information in at least some circumstances. Plaintiff agreed that his “medical information in any form . . . may be used and shared for research that has been approved by the University of Chicago Institutional Review Board (IRB) and that has been found to pose a minimal risk.” (Outpatient Agreement & Authorization § III.) The Authorization also provides, immediately after the “all efforts” language, that “any use of medical information will be in compliance with federal and state laws.” (Id.) Notably, both HIPAA and the MPRA expressly permit disclosures of personal information in certain contexts. See, e.g., 45 C.F.R. § 164.512 (identifying when protected health information may be disclosed without written authorization); 410 ILCS 50/3(d)(8) (information may be disclosed when “otherwise permitted, authorized, or required by State or federal law“).

The court declines to interpret the phrase “all efforts” to impose some indefinite obligation on the University that could conflict with other, more specific portions of the Authorization. See Beraha, 956 F.2d at 1441 (“[Courts] do not lightly find implied obligations of any kind unless those implied obligations serve to effect the clear intentions of the parties derived from the express terms of the contract.“); Alberto-Culver Co. v. Aon Corp., 351 Ill. App. 3d 123, 135, 812 N.E.2d 369, 380 (1st Dist. 2004) (“Where an inconsistency arises between a clause that is general and one that is more specific, the latter prevails.“). Because the clause in question is not independently enforceable, there is no issue of fact to be resolved later in the proceedings. Compare Res. Dealer Grp., 1997 WL 790737, at *4 (declining to dismiss a claim that one party failed to use best efforts to market the other party‘s services, concluding that the best efforts clause was reasonably specific), with Wald, 175 Ill. App. 3d at 617, 529 N.E.2d at 1145 (finding that the best effort clause “is ambiguous as a matter of law” and that “[i]ts terms are obscure and indefinite in meaning“).

b. Compliance with Federal Law

Plaintiff asserts that the University‘s disclosure of his medical information to Google violated HIPAA and, therefore, breached the Authorization‘s requirement that “any use of medical information will be in compliance with federal . . . laws.” (Outpatient Agreement & Authorization § III.)

An initial matter is whether an alleged violation of HIPAA can support a breach of contract claim at all. The statute does not create a private right of action. See Carpenter v. Phillips, 419 F. App‘x 658, 659 (7th Cir. 2011). The University is correct that courts in other jurisdictions have held that a HIPAA claim cannot be pursued as a breach of contract claim—that is, a contract claim cannot be used to create a right of action that Congress declined to establish. See Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1368 (S.D. Fla. 2017) (“Plaintiff cannot mask a HIPAA claim as a breach of contract claim.“); Cairel v. Jessamine Cty. Fiscal Court, No. 5:15-CV-186-JMH, 2015 WL 8967884, at *4 (E.D. Ky. Dec. 15, 2015) (“Plaintiff attempts to circumvent the fact that no private right of action exists under HIPAA by characterizing her claim thereunder as one for breach of contract. Regardless of whether the contract included a HIPAA provision, there simply is no private right of action for violations of HIPAA, at the state or federal level.“); Sheldon v. Kettering Health Network, 2015-Ohio-3268, ¶¶ 30, 40 N.E.3d 661, 674 (Ohio Ct. App. 2015) (“[T]o the extent that HIPAA universally has been held not to authorize a private right of action, to permit HIPAA regulations to define per se the duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded.“). Those opinions, however, lack in-depth analysis of the issue and are not binding on this court; as discussed below, the court concludes that HIPAA does not preempt a state common law claim like that asserted here by Mr. Dinerstein.

The Seventh Circuit has dealt with similar issues with other statutes and found that the fact that there is no right of action under a federal statute does not preempt or otherwise bar a viable state law claim. Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 554–55 (7th Cir. 2012), concerned several Illinois state law claims, including a contract claim, brought against the plaintiff‘s mortgage servicer, Wells Fargo, for violating the federal Home Affordable Mortgage Program. Wells Fargo argued that the plaintiff should not be able to use a contract claim to make an “end run” around the lack of a private right of action in the relevant federal law. The court rejected this reasoning:

The end-run theory is built on the novel assumption that where Congress does not create a private right of action for violation of a federal law, no right of action may exist under state law, either. . . . The absence of a private right of action from a federal statute provides no reason to dismiss a claim under a state law just because it refers to or incorporates some element of the federal law. To find otherwise would require adopting the novel presumption that where Congress provides no remedy under federal law, state law may not afford one in its stead.

Id. at 581 (citations omitted). In fact, “[w]hen the federal court‘s jurisdiction over state-law claims is based on diversity of citizenship . . . the absence of a private right of action in a federal statute actually weighs against preemption.” Id. at 582 (emphasis in original); see also Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (noting that in a case “invoking CAFA‘s special rules for diversity jurisdiction,” the court‘s duty with respect to state law is the same “as in every diversity case“). The Seventh Circuit considered a similar issue with respect to the Higher Education Act and reached the same conclusion. Bible v. United Student Aid Funds, Inc., 799 F.3d 633, 652–54 (7th Cir. 2015) (holding that the lack of a private cause of action did not displace the plaintiff‘s contract claim and calling the defendant‘s theory “mistaken at its core“). The logic of Wigod and Bible applies here: that HIPAA lacks a private right of action does not foreclose Plaintiff‘s ability to pursue a contract claim. HIPAA also does not preempt Plaintiff‘s claim. See Wigod, 673 F.3d at 576–80 (finding that the Home Owners Loan Act did not preempt a state law claim); Bible, 799 F.3d at 652 (determining that the plaintiff‘s contract claim did not conflict with the Higher Education Act). The University cites 42 U.S.C. § 1320d-5, which provides for enforcement by state attorneys general and the Secretary of Health and Human Services, apparently to argue that HIPAA occupies the field and thereby preempts a related contract claim. “In all preemption cases, ‘we start with the assumption that the historic police powers of the States were not to be superseded by the Federal Act unless that was the clear and manifest purpose of Congress.‘” Wigod, 673 F.3d at 576 (quoting Wyeth v. Levine, 555 U.S. 555, 565 (2009)). The portions of the statute cited by the University express no such clear and manifest purpose.

Moreover, Plaintiff is correct that HIPAA addresses only conflict preemption. See 42 U.S.C. § 1320d-7(a)(1) (“. . . a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of State law . . .“). Conflict preemption exists only where (1) “it is impossible for a private party to comply with both state and federal requirements,” or (2) “state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.” Wigod, 673 F.3d at 577–78 (quoting Freightliner Corp. v. Myrick, 514 U.S. 280, 287 (1995)); see also 45 C.F.R. § 160.202 (defining “contrary” to mean “(1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or (2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of Public Law 104-191, or sections 13400-13424 of Public Law 111-5, as applicable.“). Neither clearly applies here, and the University offers no argument that Plaintiff‘s claim would make it impossible for it or other parties to comply with HIPAA or that such a claim frustrates HIPAA‘s object. Furthermore, HIPAA regulations specifically provide that “more stringent” state rules are not preempted, 45 C.F.R. § 160.203(b), and “more stringent” is defined to include a state law that “provides greater privacy protection for the individual who is the subject of the individually identifiable health information,” § 160.202. A contract claim incorporating HIPAA is such a “more stringent” measure and is thus not preempted by the federal statute.

Now to the substance of the contract claim: Has Plaintiff actually pleaded that Defendants breached the contract by violating HIPAA? Three parts of the HIPAA Privacy Rule are at issue here. Two of these are safe harbors that permit the disclosure of medical information under certain circumstances: First, a covered entity, such as the University, may disclose a “limited data set” if it excludes certain direct identifiers;⁹ is used for “research, public health, or health care operations“; and the disclosure is made pursuant to a “data use agreement” that includes certain provisions governing the use of the medical information.¹⁰ 45 C.F.R. § 164.514(e). Second, a covered entity may disclose protected health information for research when approved by an Institutional Review Board (“IRB“), whose documentation is subject to numerous other requirements, so long as the recipient has made certain representations to the covered entity about its use of the data. 45 C.F.R. § 164.512(i). Plaintiff has not pleaded that Defendants failed to comply with the requirements of such regulations. Instead, he argues that he need not do so at this stage because the safe harbors are affirmative defenses and Defendants’ compliance with

their requirements can be determined only after discovery. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 17.)

The parties have devoted little attention to this procedural question; that is, they have barely addressed whether a HIPAA regulation permitting disclosure is an affirmative defense, which Defendants must prove, or an element of a violation that Mr. Dinerstein must establish. Nor could the court find case law on this issue, likely owing to the fact that HIPAA does not have a private right of action and thus has not generated private suits. Yet the court believes that Defendants have the better view. Plaintiff‘s claim is an action for breach of contract, and none of the affirmative defenses to such a claim resemble the safe harbors that that Plaintiff asks the court to recognize as defenses. See III. Pattern Jury Instr.-Civ. 700.12 (affirmative defenses for incompetence, duress, misrepresentation, fraud, frustration of purpose, impossibility of performance, and undue influence). Moreover, the court agrees with Google that there is a Twombly-like concern in Plaintiff‘s pleading; his allegations are equally consistent with compliance with HIPAA as with an alleged HIPAA violation. (Google Mem. in Reply in Supp. of Mot. to Dismiss at 7.) In order to meet pleading standards, allegations must “plausibly suggest[ ]” a claim for relief—not be “merely consistent with” one. Twombly, 550 U.S. at 557.

Indeed, even reading his allegations as consistent with a violation, the amended complaint also appears to “set forth everything necessary to satisfy the affirmative defense.” Hyson USA, Inc. v. Hyson 2U, Ltd., 821 F.3d 935, 939 (7th Cir. 2016) (quoting United States v. Lewis, 411 F.3d 838, 842 (7th Cir. 2005)). As noted, § 164.514(e) permits a covered entity to disclose a limited data set that has been stripped of certain identifiers listed in § 164.514(e)(2), so long as the disclosure is made for research purposes, and the disclosure is made pursuant to a data use agreement. Although Plaintiff has alleged that free text notes were not sufficiently anonymized (AC ¶ 68), he never alleges that they, or any other part of the EHRs, included the identifiers that are not allowed under this safe harbor. The amended complaint itself affirmatively asserts that the disclosure was made for research. (Id. ¶¶ 4, 64.) And Plaintiff included with his amended complaint the DUA, which appears on its face to comply with the requirements in § 164.514(e)(4). As for the second safe harbor, documents referenced in the pleading confirm that the disclosure met those requirements as well. (Rajkomar et al., Scalable and Accurate Deep Learning at 6 (“Ethics review and institutional review boards approved the study with waiver of informed consent or exemption at each institution.“).) With respect to these two safe harbors, Plaintiff has not presented allegations “that raise[ ] a suggestion” of a HIPAA violation. Twombly, 550 U.S. at 557.

The third relevant part of the Privacy Rule is more complicated. This component requires written authorization for the “sale of protected health information.” 45 C.F.R. §§ 164.502(a)(5)(ii), 164.508(a)(4). Sales made pursuant to the research safe harbors discussed above are not prohibited sales if “the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes.” Id. § 164.502(a)(5)(ii)(B)(2)(ii). Putting “sale” and “remuneration” to the side for the moment, the court must first consider whether Plaintiff has alleged that his protected health information (“PHI“) was shared at all. The rule defines PHI to mean “individually identifiable health information“—that is, health information “[t]hat identifies the individual” or “[w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” Id. § 160.103. A covered entity like the University “may determine that health information is not individually identifiable health information” in one of two ways. Id. § 164.514(b). An expert may determine that the risk of re-identification is “very small” by applying “generally accepted statistical and scientific principles and methods” and “[d]ocument[ing] the methods and results of the analysis that justify such determination.” Id. § 164.514(b)(1). Alternatively, eighteen specific identifiers can be removed from the data, including—critically—“[a]ll elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death.” Id. § 164.514(b)(2)(i) (emphasis added). Plaintiff alleges that an expert determination concerning the risk of re-identification of his data either was not made or was incorrect. (AC ¶ 70.) And of course, he has alleged (and the published study appears to confirm) that the data turned over to Google did include the dates on which services were provided. (Id. ¶ 64; Rajkomar et al., Scalable and Accurate Deep Learning at 6 (“dates of services were maintained in the [University] data set“).)

As for whether Mr. Dinerstein‘s PHI was subject to a “sale,” his claim appears to be on firm ground here as well. According to the rule, a sale of PHI means “a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.” 45 C.F.R. § 164.502(a)(5)(ii)(B)(1) (emphasis added). The amended complaint asserts that the University made the disclosure in exchange for a perpetual license to use Google‘s software. (AC ¶ 66.) That assertion may overstate the DUA, which actually grants the University “a nonexclusive, perpetual license to use the [ ] Trained Models and Predictions” created by Google “for internal non-commercial research purposes.” (DUA § 3.12.) But it is not clear that this distinction matters because even indirect compensation may be part of a sale. Moreover, other parts of the rule confirm that “remuneration” includes in-kind exchanges: while a sale occurs when a covered entity has directly or indirectly received remuneration, other sections specifically speak of “financial remuneration” only. See id. §§ 164.501, 164.508(a). Whatever a perpetual license for “Trained Models and Predictions” actually means, it appears to qualify as direct or indirect remuneration. This form of remuneration is also not “a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes,” which is the only type of remuneration permitted for disclosures made pursuant to the two research safe harbors analyzed above. Id. § 164.502(a)(5)(ii)(B)(2)(ii).

The University‘s arguments that Plaintiff has not pleaded that it engaged in an impermissible sale are unsatisfying. The University notes that the amended complaint contains no allegations about “a reasonable cost-based fee.” (Univ. Reply Mem. in Supp. of Mot. to Dismiss at 7 n.9.) That is true, but it is also irrelevant; what matters is that the amended complaint has alleged that the University received something other than a reasonable cost-based fee, which it plainly does. The University also notes that, in Black‘s Law Dictionary, “sale” involves a payment of money. (Id. at 9.) But the HIPAA regulation in question includes a broader definition of sale: “a disclosure of [PHI] by a covered entity . . . where the covered entity . . . directly or indirectly receives remuneration from or on behalf of the recipient of the [PHI] in exchange for the [PHI].” 45 C.F.R. § 164.502(a)(5)(ii)(B)(1). This definition controls, not the traditional one the University cites. As already noted, other parts of the rule confirm that “remuneration” does not refer only to payments of money. Lastly, the University emphasizes that its right to use the “Trained Models and Predictions” developed by Google is limited to “internal non-commercial research purposes.” (Univ. Reply Mem. in Supp. of Mot. to Dismiss at 9.) But it is not clear why such a limitation would mean the license does not constitute direct or indirect remuneration.

Google‘s contentions on this point are no more compelling. Google notes that the DUA “allows the University to share in the medical advancements that Google develops from the research data,” which “confirms the primary purpose of the parties’ relationship—the mutual exchange of research information.” (Google Mem. in Reply in Supp. of Mot. to Dismiss at 8.) Like the University, however, Google fails to explain why this exchange of research information must be understood to constitute a reasonable cost-based fee rather than direct or indirect remuneration. Google also correctly notes that under the DUA, the University retains the right to have the EHRs returned or destroyed by Google. (Id.) But again, “sale” refers to a disclosure of protected health information made in exchange for direct or indirect remuneration. 45 C.F.R. § 164.502(a)(5)(ii)(B)(1). The court reads this provision to mean that the exchange can be a sale even if the University retains ultimate ownership rights in the PHI; disclosure and remuneration are the essential elements here. Plaintiff has sufficiently alleged both.

In sum, Mr. Dinerstein has plausibly alleged that the University breached its contractual promise to comply with federal law when it exchanged protected health information for the license to use Trained Models and Predictions developed by Google.

C. Compliance with State Law

Next, Plaintiff asserts that the University breached the promise to comply with state law.¹¹ (AC ¶ 132.) Specifically, Plaintiff alleges that the University violated § 3.1 of the MPRA. See 410 ILCS 50/3.1. That section states: “Any patient who is the subject of a research program or an experimental procedure . . . shall have, at a minimum, the right to receive an explanation of the nature and possible consequences of such research or experiment before the research or experiment is conducted, and to consent to or reject it.” Id. § 3.1(a). The Hospital Licensing Act regulations define “research program” to mean “any organized activity intended to establish new medical or scientific information, involving medical, surgical, manipulative, or psychiatric diagnosis or treatment of human subjects who are inpatients or outpatients of a hospital and who are subjects at risk.” 77 Ill. Admin. Code § 250.130(b)(1)(B). And “subject at risk” refers to:

any individual who may be exposed to the possibility of injury, including physical, psychological, or social injury, as a consequence of participation as a subject in any research, development, or related activity that significantly departs from the application of those established and accepted methods necessary to meet his or her needs, or that increases the ordinary risks of daily life, including the recognized risks inherent in a chosen occupation or field of service

Id. § 250.130(b)(1)(C).

Plaintiff‘s allegations do not establish a violation of these state law provisions. The research conducted by the University and Google was not a research program as defined in the above regulation. The project did concern the creation of “new medical or scientific information,” but it did not “involve[e] medical, surgical, manipulative, or psychiatric diagnosis or treatment of human subjects who are inpatients or outpatients of a hospital.” Id. § 250.130(b)(1)(B). Plaintiff argues otherwise, noting that the study involved patient information like diagnoses and procedures. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 19 (citing AC ¶ 65).) But the court

does not read the phrase “involving . . . diagnosis or treatment of human subjects” to include review of health records comprising information about diagnosis or treatment. That is, “research program” refers only to the direct diagnosis or treatment of a patient, not research on records concerning past diagnoses or treatments. Because Defendants’ study in question does not qualify as a “research program” under the relevant regulation,¹² Plaintiff has not pleaded that the University failed to comply with state law.

d. Compliance with the Notice of Privacy Practices

Finally, the Authorization states that “any use of [Plaintiff‘s] medical information will be in compliance with . . . the University of Chicago Medical Center Notice of Privacy Practices.” (Outpatient Agreement & Authorization § III.) The NPP promises that the University would obtain Plaintiff‘s “written permission” “[f]or the sale of your medical information.” (NPP at 5.) As discussed in relation to HIPAA, Plaintiff contends that the University and Google engaged in a sale of his medical information that violates the NPP and, therefore, the Authorization. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 15, 18.)

The parties spent little time discussing what this provision means in relation to the HIPAA Privacy Rule‘s prohibition on the sale of PHI. Should this section of the NPP be interpreted to be consistent with, or more or less stringent than, the HIPAA Privacy Rule? On the one hand, the NPP does not include any definition of “sale“; if the HIPAA Rule‘s broad definition, which covers disclosures in exchange for direct or indirect remuneration, does not apply, there may be no violation of NPP. On the other hand, the NPP bans all sales; it makes no exceptions, as HIPAA does, for sales in connection with research where the only consideration is a reasonable cost-based fee. The NPP could therefore be understood as imposing a stricter requirement than the HIPAA regulation. Indeed, were the NPP to be interpreted as merely consistent with preexisting regulatory requirements, the Authorization‘s statement that the University would comply with the NPP would be mere surplusage because the University also promises to comply with federal law in the Authorization. See Premier Title Co. v. Donahue, 328 Ill. App. 3d 161, 166–67, 765 N.E.2d 513, 518 (2nd Dist. 2002) (noting the “principle that requires that a contract be construed such that none of its terms are regarded as mere surplusage“). The court finds this latter view more persuasive. Hence, as analyzed above with respect to the University‘s compliance with federal law, Plaintiff has plausibly alleged that his information was sold without his prior authorization in violation of the NPP and, therefore, in breach of the Authorization.

2. Consideration

Next, the University insists that the agreement with Plaintiff lacked consideration because it obligated the University to do no more than comply with state and federal law, which are preexisting duties. “As a general rule, a promise to perform an act which the promisor is already bound to perform cannot constitute consideration to support an enforceable contract.” 17A AM. JUR. 2D CONTRACTS § 149. That is, because the University is already obligated to comply with HIPAA, any agreement promising to follow HIPAA lacks consideration. (See Univ. Mem. in Supp. of Mot. to Dismiss at 10 (“[A]ny purported contractual obligation to comply with HIPAA (or to comply with ‘federal and state law‘) merely parrots a pre-existing legal duty and is therefore not an enforceable contractual promise as a matter of law.“).) In response, Plaintiff contends that a promisor under a preexisting duty still breaches a contract when it fails to comply with its promise; the rule only precludes such a promisor from using its preexisting duty as consideration to extract an enforceable promise from the promisee. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 13.) In other words, as Plaintiff sees it, while the rule apparently could preclude the University from enforcing the contract against him, it does not prevent him from asserting a breach of contract claim against the University. There is some authority for this proposition. See, e.g., 17A AM. JUR. 2D CONTRACTS § 149 (“Some authority holds that although a promise to do a thing that the promisor is legally bound to do is not generally sufficient consideration to support a reciprocal undertaking by the promisee, such promise may be enforced against the promisor, notwithstanding that its enforcement compels the performance of what is already a legal obligation“); 3 WILLISTON ON CONTRACTS § 7:41 (4th ed.) (“[I]f A is under contract to B to do a certain act, and C gives (and does not merely promise) A extra compensation in return for a promise by A to do that act, A has on any theory made a binding contract with C, since C has given valid consideration for A‘s promise, and it is not necessary that A‘s promise should be valid consideration.“).

Indeed, this is, again, an argument (this time, made by the University) that makes for an odd fit in this case. Typically, the preexisting duty rule is raised by the party who claims its obligations are excused because its opponent failed to give valid consideration. See, e.g., White v. Vill. of Homewood, 256 Ill. App. 3d 354, 357, 628 N.E.2d 616, 618 (1st Dist. 1993) (citations omitted) (“The pre-existing duty rule provides that where a party does what it is already legally obligated to do, there is no consideration as there is no detriment. For example, where a guest was by statute entitled to use a hotel safe to store valuables, a promise by the guest to limit the liability of the hotel in exchange for using the safe is not supported by consideration because of the pre-existing duty rule.“). There is, however, Illinois case law suggesting that a preexisting duty means that a contractual promise to carry out that duty may not be challenged as a breach of contract. See, e.g., Marque Medicos Fullerton, LLC v. Zurich Am. Ins. Co., 2017 IL App (1st) 160756, ¶ 67, 83 N.E.3d 1027, 1044 (1st Dist. 2017) (citation omitted) (“Plaintiffs’ own complaints therefore concede that defendants’ purported consideration for any asserted implied-in-fact contracts was to be performed pursuant to preexisting legal duties. Because valid consideration, on the part of both parties, is one of the essential requirements for the formation of a contract, and because consideration cannot flow from an act performed pursuant to preexisting legal duty, the circuit court properly dismissed plaintiffs’ claims that that defendants breached an implied-in-fact contracts to comply with the interest provision of section 8.2(d)(3) of the Act.“).

Regardless, the court agrees with Mr. Dinerstein that there was consideration for this contract because the contract requires the University to meet a higher standard than simply meeting its preexisting duty to comply with the law. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 14.) As noted above, the NPP‘s provision regarding the sale of a patient‘s medical information appears more stringent than the rule regarding sales in HIPAA‘s regulations because the NPP makes no exception for sales related to research made in exchange only for a reasonable cost-based fee. A court in this district has previously held that a defendant‘s privacy pledge was enforceable because, although it pledged to comply with federal law, it also “contain[ed] other provisions unrelated to Defendant‘s compliance with federal law.” Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2016 WL 754731, at *9 (N.D. Ill. Feb. 23, 2016); see also, e.g., In re: Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2017 WL 539578, at *17 (D. Or. Feb. 9, 2017) (“Premera‘s argument, however, overlooks Plaintiffs’ allegations that include promises other than compliance with HIPAA, such as promises that Premera will restrict access to Plaintiffs’ Sensitive Information and will train and discipline employees.“).

The cases the University cites are distinguishable. In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *4 (D. Ariz. Dec. 20, 2017), held that a contract lacked consideration because the defendant‘s privacy notice “cannot be read as a promise to do anything above and beyond what is already required by law.” Here, in contrast, the NPP‘s provision mandating that the University obtain written permission before selling Plaintiff‘s PHI did not merely restate HIPAA‘s requirements. For the same reason, another opinion the University cites, in which the privacy notice merely “inform[ed] patients of their rights under federal law” and thus was “not contractual in nature,” is distinguishable as well. Brush, 238 F. Supp. 3d at 1367.

The University‘s other arguments are also unpersuasive. Citing Brush, 238 F. Supp 3d at 1367, the University insists that even if had made “extra-statutory promises,” the pre-existing duty rule would still bar a contract claim based on noncompliance with HIPAA. (Univ. Reply Mem. in Supp. of Mot. to Dismiss at 8.) But Brush says no such thing; there, the court held that the contract lacked consideration and did not consider whether the plaintiff could pursue a contract claim if the privacy notice had included extra-statutory promises. The University is correct that other parts of the parties’ agreement, such as the “all efforts” clause, may not be enough to find valid consideration. Yet it is incorrect that the NPP‘s representation that it would obtain written authorization before selling Plaintiff‘s PHI merely arises under HIPAA, as already explained.

Because at least part of the University‘s promises to Plaintiff went beyond its obligations under federal law, the Authorization, which incorporated the NPP, was supported by valid consideration.

3. Damages

As discussed above the court has concluded that Plaintiff‘s allegations state a claim for breach of a contract that was supported by consideration. Has he plausibly alleged that this breach caused him damages? In the amended complaint, Plaintiff alleges that he has suffered non-economic damages, such as anxiety and emotional distress. (AC ¶ 136.) His response to Defendants’ motions does not characterize these harms as part of his contract damages, however. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 19–21). As the University notes, Illinois does not recognize emotional distress damages for breaches of contract, “except where the breach was wanton or reckless and caused bodily harm, or where defendant had reason to know, when the contract was made, that its breach would cause mental suffering for reasons other than mere pecuniary loss.” Parks v. Wells Fargo Home Mortg., Inc., 398 F.3d 937, 940–41 (7th Cir. 2005) (quoting Maere v. Churchill, 116 Ill. App. 3d 939, 944, 452 N.E.2d 694, 697 (3d Dist. 1983)). Plaintiff has not pleaded that the University‘s conduct meets that standard.

As for money damages, the Authorization contained the following provision in which Plaintiff disclaimed the right to receive compensation from the University‘s research: “I acknowledge that such research by the University of Chicago Medical Center may have commercial value and, in that event, I understand that I will not be entitled to any compensation, regardless of the value of such research or any products or inventions developed therefrom.” (Outpatient Agreement & Authorization § III.) The University argues that this provision bars his claim for economics damages. (Univ. Mem. in Supp. of Mot. to Dismiss at 12.)

Plaintiff responds that the University cannot take advantage of that provision because Illinois courts have said that “[a] party who materially breaches a contract cannot take advantage of the terms of the contract that benefit him.” James v. Lifeline Mobile Medics, 341 Ill. App. 3d 451, 455, 792 N.E.2d 461, 464 (4th Dist. 2003). For its part, the University argues that Plaintiff has not pleaded that the University‘s breach was a material one. See InsureOne Indep. Ins. Agency, LLC v. Hallberg, 2012 IL App (1st) 092385, ¶ 43, 976 N.E.2d 1014, 1027 (1st Dist. 2012) (citation omitted) (quoting Vill. of Fox Lake v. Aetna Cas. & Sur. Co., 178 Ill. App. 3d 887, 900–01, 534 N.E.2d 133 (2d Dist. 1989)) (“The test of whether a breach is ‘material’ is whether it is ‘so substantial and fundamental as to defeat the objects of the parties in making the agreement, or whether the failure to perform renders performance of the rest of the contract different in substance from the original agreement.’ ‘The breach must be so material and important to justify the injured party in regarding the whole transaction at an end.‘“) The University may be right that its exchange of Plaintiff‘s PHI for Trained Models and Predictions for internal non-commercial research purposes was not a material breach and that it substantially performed its contract with Plaintiff. Nevertheless, according to Illinois law, “[t]he determination of what constitutes a material breach is a question of fact which involves a fairly detailed inquiry, which should be left for the trial.” Enter. Warehousing Sols., Inc. v. Capital One Servs., Inc., No. 01 C 7725, 2002 WL 406976, at *3 (N.D. Ill. Mar. 15, 2002).

For pleading purposes, the court will therefore assume Plaintiff has alleged a material breach on the part of the University. The court concludes the claim nevertheless fails for another reason: none of his theories for money damages is adequate. He asserts that he is entitled to “restitution on the basis that he did not receive the full benefits of his payments to the University.” (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 20.) At most, this allegation suggests that some indeterminate amount of the price he paid for his treatments represents the cost of the University‘s privacy practices. This court agrees with others that have found such allegations to be insufficient. See Attias v. CareFirst, Inc., 365 F. Supp. 3d 1, 13 (D.D.C. 2019) (citations and quotation marks omitted) (rejecting the plaintiffs’ theory that they had been denied the benefit of their bargain by “broadly alleg[ing] that some indeterminate amount of their health insurance premiums went towards providing data security” and “alleg[ing] only in a conclusory fashion that the services they received were of a diminished value“); SAIC, 45 F. Supp. 3d at 30 (“To the extent that Plaintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing. . . . Plaintiffs have not alleged facts that show that the market value of their insurance coverage (plus security services) was somehow less than what they paid. Nothing in the Complaint makes a plausible case that Plaintiffs were cheated out of their premiums.“). Furthermore, an Illinois appellate court has said (albeit in an unpublished, nonprecedential opinion) that the “‘overpayment’ theory of damages is not a cognizable measure of a breach of contract damages in Illinois.” Lozada v. Advocate Health & Hosps. Corp., 2018 IL App (1st) 180320-U, ¶ 32 (1st Dist. 2018). And the Seventh Circuit has repeatedly held this same overpayment theory is not a sufficient injury even for standing purposes. See Lewert, 819 F.3d at 968; Remijas, 794 F.3d at 694.

Alternatively, Mr. Dinerstein claims that the University owes him a reasonable royalty for the use of his PHI. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 21.) For the reasons discussed in its standing analysis, the court disagrees. A royalty is normally appropriate only for interference with a property right. See, e.g., RESTATEMENT (THIRD) OF RESTITUTION AND UNJUST ENRICHMENT § 42 cmt. f (AM. LAW INST. 2011) (emphasis added) (“In the context of intellectual property, what is ‘taken’ is often an unauthorized use; the value of the use may often be determined—depending on the nature of the property—by a reasonable royalty or by the market price of a license.“). And Plaintiff has not plausibly alleged that he has any such right in his PHI. See Remijas, 794 F.3d at 695 (rejecting the plaintiffs’ argument that federal law recognizes a property right in their private information). That is why his reliance on Vojdani, 741 F.3d at 784–86, a Seventh Circuit case applying Wisconsin law, is misplaced. In that case, the court suggested that a reasonable royalty could be a remedy for the breach of a confidentiality agreement. Id. at 786. But Vojdani concerned intellectual property, unlike this case. Furthermore, in Vojdani, the stolen confidential information had been “used by the defendant for its own commercial purposes,” id., while the University received only a license to use Trained Models and Predictions for internal non-commercial research purposes. Finally, Plaintiff has not cited, nor did the court find, any Illinois cases in which a reasonable royalty was awarded or considered an appropriate remedy for breach of contract. Cf. Innovation Ventures, LLC v. Custom Nutrition Labs., LLC, 912 F.3d 316, 346 (6th Cir. 2018) (“[The plaintiff] does not, however, cite any Michigan cases, federal cases applying Michigan law, or even secondary sources that contemplate using a reasonable royalty to calculate damages in breach of contract cases.“). And the only state statute authorizing the award of a reasonable royalty is the Illinois Trade Secrets Act, 765 ILCS 1065/4, which is not pertinent here and illustrates that this remedy is available only for intellectual property disputes.

Plaintiff has not adequately pleaded that the University‘s breach of contract caused him economic damages. His theories in support of his claim for money damages are inadequate. Because Mr. Dinerstein has not pleaded that the University‘s breach caused him economic damage, his express contract claim (Count II) is dismissed for failure to state a claim for relief.

B. Implied Contract Claim

As an alternative to his express breach of contract claim, Mr. Dinerstein asserts a claim against the University for breaching an implied contract to keep his medical information private. (AC ¶ 139.) In Illinois, the elements of an implied contract “substantially overlap” with those of an express contract. Landale Signs & Neon, Ltd. v. Runnion Equip. Co., 274 F. Supp. 3d 787, 792 (N.D. Ill. 2017); New v. Verizon Commc’ns, Inc., 635 F. Supp. 2d 773, 782–83 (N.D. Ill. 2008) (“In Illinois, in order to prove an implied contract the party asserting the contract must show the same elements as an express contract, as well as a meeting of the minds and a mutual intent to contract.“). The implied contract claim was barely mentioned in the parties’ briefs,¹³ and for good reason: “an implied contract cannot coexist with an express contract on the same subject.” Marcatante v. City of Chi., 657 F.3d 433, 440 (7th Cir. 2011) (quoting Maness v. Santa Fe Park Enters., Inc., 298 Ill. App. 3d 1014, 1022, 700 N.E.2d 194, 201 (1st Dist. 1998)). An express contract governing Plaintiff‘s medical information existed between him and the University; indeed, Plaintiff alleges that the terms of the implied contract are the promises in the NPP and Authorization (see AC ¶ 139)—which are the terms of the express contract. And the damages Plaintiff alleges he suffered as a result of the University‘s breach of the implied contract are the same damages claimed for breach of the express contract, which the court already found to be inadequate. (Id. ¶¶ 148–50.) The implied contract claim (Count III) is therefore dismissed.

C. Tortious Interference Claim

“To state a claim for tortious interference with contract, [Plaintiff] must allege enough facts to establish: ‘(1) a valid contract, (2) defendant‘s knowledge of the contract, (3) defendant‘s intentional and unjustified inducement of a breach of contract, (4) a subsequent breach of contract caused by defendant‘s wrongful conduct, and (5) damages.‘” Gen. Elec. Co. v. Uptake Techs., Inc., 394 F. Supp. 3d 815, 834 (N.D. Ill. 2019) (quoting Webb v. Frawley, 906 F.3d 569, 577 (7th Cir. 2018)). The parties have not addressed the question whether Plaintiff may pursue this claim absent an adequate claim for damages for breach of contract. But the court need not address the issue, as it concludes he has not sufficiently pleaded that Google engaged in the intentional conduct needed to state a tortious interference claim.

“A necessary prerequisite to the maintenance of an action for tortious interference with contract is a defendant‘s intentional and unjustified inducement of a breach of contract.” Illinois Bell Tel. Co. v. Plote, Inc., 334 Ill. App. 3d 796, 806, 778 N.E.2d 1203, 1211 (1st Dist. 2002) (quoting Strosberg v. Brauvin Realty Servs., Inc., 295 Ill. App. 3d 17, 33, 691 N.E.2d 834, 845 (1st Dist. 1998)). That is, Plaintiff must plead that Google ”intentionally caused” the University to breach its contract or that Google ”intended to cause [Plaintiff] harm.” Id. (emphasis in original). He has not done so. Instead, Mr. Dinerstein merely states that “Google intentionally and without justification interfered with the University‘s contracts with its patients.” (AC ¶ 157.) Such “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Nor is Plaintiff‘s allegation that Google had “actual or constructive knowledge of Plaintiff‘s and the Class members’ contracts” adequate to plead that Google intended to induce the University‘s breach of contract. (AC ¶ 156.) Undermining any inference that could be made about intentionality is the fact that the University specifically represented to Google in the DUA that it had “the right to disclose the [PHI] . . . and is in compliance with applicable laws and regulations.” (DUA § 2.2.)

Plaintiff does not respond to these issues in his brief. In a footnote, he argues only that his tortious interference claim does not require pleading wrongful or malicious intent. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 11 n.4.) That is true, but it does not obviate the need to plead intent at all. See Illinois Bell Tel., 334 Ill. App. 3d at 806, 778 N.E.2d at 1211 (citation omitted) (while a plaintiff “does not need to prove that the defendant‘s conduct was malicious or unjustified unless that defendant‘s conduct was privileged,” the plaintiff is still “required to plead that [the defendant] acted intentionally“). “The essential thing is the purpose to cause the result.” RESTATEMENT (FIRST) OF TORTS § 766 cmt. d (AM. LAW INST. 1939). Because Plaintiff has not pleaded that Google acted with such a purpose, this claim (Count IV) is dismissed.

D. Intrusion upon Seclusion / Breach of Confidentiality

Next, Plaintiff asserts a common law claim for intrusion upon seclusion against both Defendants because of the University‘s disclosure and Google‘s receipt of his PHI. (AC ¶¶ 161–64.) The Illinois Supreme Court has explained that “the core of this tort is the offensive prying into the private domain of another” and that “[t]he basis of the tort is not publication or publicity.” Lovgren v. Citizens First Nat. Bank of Princeton, 126 Ill. 2d 411, 417, 534 N.E.2d 987, 989 (1989). Examples of such “offensive prying” are “invading someone‘s home; an illegal search of someone‘s shopping bag in a store; eavesdropping by wiretapping; peering into the windows of a private home; and persistent and unwanted telephone calls.” Id. The “intrusion” that Plaintiff alleges took place here is unlike these examples. In fact, a court in this district has held that such disclosures of private personal information “do[ ] not support a claim for unauthorized intrusion.” In re Trans Union Corp. Privacy Litig., 326 F. Supp. 2d 893, 902 (N.D. Ill. 2004).

Likely recognizing that this case law forecloses his ability to pursue this claim, Mr. Dinerstein abandons his intrusion-upon-seclusion theory in his brief and tries to reframe it as a breach-of-confidentiality tort. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 24.) There is a consensus among many state courts, he argues, that a common law cause of action for breach of confidentiality exists for the unauthorized disclosure of a patient‘s medical information. (Id.) In fact, a number of state courts have recognized such a tort. See, e.g., Lawson v. Halpern-Reiss, 212 A.3d 1213, 1217–18 (Vt. 2019); Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 175 A.3d 1, 15 (Conn. 2018). Illinois courts have not, as Plaintiff acknowledges. He instead invites this court to recognize such a cause of action, but the court declines the invitation.

Courts sitting in diversity and facing an unsettled state law question are tasked with predicting how the Illinois Supreme Court would decide the issue. Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 811 (7th Cir. 2018) (citing Erie R.R. Co. v. Tompkins, 304 U.S. 64 (1938)). Yet the Seventh Circuit “consistently ha[s] held that ‘it is not our role to break new ground in state law.‘” Sabrina Roppo v. Travelers Commercial Ins. Co., 869 F.3d 568, 596 (7th Cir. 2017) (quoting Lopardo v. Fleming Cos., Inc., 97 F.3d 921, 930 (7th Cir. 1996)). None of Plaintiff‘s arguments persuade the court to ignore this counsel. First, Plaintiff notes that the Seventh Circuit has said, “When state law on a question is unclear, which is surely the proper characterization here, the best guess is that the state‘s highest court, should it ever be presented with the issues, will line up with the majority of the states.” Vigortone AG Prods., Inc. v. PM AG Prods., Inc., 316 F.3d 641, 644 (7th Cir. 2002). But Plaintiff has not shown that this tort is the majority rule; indeed, he refers to it only as a “general consensus.” (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 25.) Second, he cites an Illinois appellate court opinion from 1986—Petrillo v. Syntex Labs., Inc., 148 Ill. App. 3d 581, 499 N.E.2d 952 (1st Dist. 1986)—as evidence that Illinois courts would recognize the breach of confidentiality claim in question. Though the opinion includes some language on “the confidential and fiduciary relationship existing between a patient and his physician,” id. at 587, 499 N.E.2d at 957, the case concerned a defense lawyer who had been found in contempt because of his ex parte communications with the plaintiff‘s physician. Id. at 585, 499 N.E.2d at 955. Petrillo is inapposite and, considering it is more than three decades old, provides little evidence for what the Illinois Supreme Court would do today. As such, it is unlikely that Illinois would recognize the breach of confidentiality tort. Plaintiff has not stated an intrusion-on-seclusion claim, and the court declines to recognize a cause of action for breach of confidentiality. Count V is dismissed.

E. Unjust Enrichment

Finally, Plaintiff‘s unjust enrichment claims are dismissed as well. “Unjust enrichment is not a separate cause of action under Illinois law.” Horist v. Sudler & Co., 941 F.3d 274, 281 (7th Cir. 2019). “[I]f an unjust enrichment claim rests on the same improper conduct alleged in another claim, then the unjust enrichment claim will be tied to this related claim—and, of course, unjust enrichment will stand or fall with the related claim.” Cleary v. Philip Morris Inc., 656 F.3d 511, 517 (7th Cir. 2011). Plaintiff acknowledges that his unjust enrichment claims depend on the other theories he asserted against the University and Google. (See Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 10 n.3.) Because Plaintiff‘s other claims have been dismissed, so should his unjust enrichment claims. Counts VI and VII are dismissed.

CONCLUSION

For the reasons stated above, the court grants Defendant University‘s and Defendant Google‘s motions to dismiss [43, 45] Plaintiff Matt Dinerstein‘s amended class action complaint [42] pursuant to Rule 12(b)(6). The court also dismisses as moot the University‘s motion to strike class allegations [49]. Plaintiff has leave to file an amended complaint, if any, on or before October 15, 2020.

ENTER:

REBECCA R. PALLMEYER

United States District Judge

Dated: September 4, 2020

Notes

1

Unlike the Authorization, Plaintiff did not include the NPP as an exhibit to the amended complaint. The court may nevertheless consider the document as part of the pleadings because Plaintiff referred to it in the amended complaint and the University has included it with the motion to dismiss. See Feigl v. Ecolab, Inc., 280 F. Supp. 2d 846, 848–49 (N.D. Ill. 2003).

2

Under HIPAA regulations, one method for a “[a] covered entity [to] determine that health information is not individually identifiable health information” is if “[a] person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable: (i) [a]pplying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) [d]ocuments the methods and results of the analysis that justify such determination.” 45 C.F.R. § 164.514(b)(1).

3

In fact, the amended complaint cites studies showing that researchers without Google‘s extensive resources are able to re-identify medical records at high rates. (AC ¶¶ 72-73 (discussing Latanya Sweeney, Matching Known Patients to Health Records in Washington State, HARVARD UNIV., http://dataprivacylab.org/projects/wa/1089-1.pdf (last visited Sept. 1, 2020) (re-identifying 43 percent of patients); then discussing Linda Carroll, Anonymous Patient Data May Not Be as Private as Previously Thought, REUTERS (Dec. 21, 2018), http://news.yahoo.com/anonymous-patient-data-may-not-private-previously-thought-190248280.html (last visited Sept. 1, 2020) (reporting on a study that re-identified 95 percent of adult patient EHRs based on physical activity data collected via movement trackers like Fitbit).)

4

In contrast, for a factual challenge, which questions whether a plaintiff actually has standing even if the pleadings are sufficient, the court may look beyond the pleadings to determine whether subject matter jurisdiction exists. Silha, 807 F.3d at 173.

5

Neither Plaintiff nor Google clearly addressed whether, if Mr. Dinerstein has standing to pursue his contract claims, he also has standing to pursue his tortious interference of contract claim against Google. But the claims are so closely related that standing for the former implies there is standing for the latter, at least in this case. See Hess v. Kanoski & Assocs., 668 F.3d 446, 454 (7th Cir. 2012) (stating the elements of tortious interference claim in Illinois).

6

As discussed infra Part II.D, Plaintiff reframes his intrusion-upon-seclusion claim as a common law breach of confidentiality claim. This does not affect the analysis provided here.

7

The University also cites Strautins, 27 F. Supp. 3d at 879–81. But in that case, the plaintiff, who claimed to be the victim of a data breach, lacked standing because she had not adequately alleged that her own personal information had been stolen. In this case, Plaintiff has alleged (and, indeed, the DUA indicates) that the University disclosed his information to Google.

8

Plaintiff attempts to distinguish Silha because the plaintiffs in that case expressly consented to the disclosure of their information. (See Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 10 n.2.) But the portion of Silha cited above did not depend on that fact. Besides, the Seventh Circuit‘s statement that a defendant‘s gain by itself does not support a plaintiff‘s standing was supported by court precedent, McNamara v. City of Chi., 138 F.3d 1219, 1221 (7th Cir. 1998) (“A plaintiff who would have been no better off had the defendant refrained from the unlawful acts of which the plaintiff is complaining does not have standing under Article III of the Constitution to challenge those acts in a suit in federal court.“), and has been embraced by courts post-Silha, see, e.g., Leung v. XPO Logistics, Inc., 164 F. Supp. 3d 1032, 1039 (N.D. Ill. 2015).

9

Specifically, the following identifiers must be excluded from the limited data set: “(i) Names; (ii) Postal address information, other than town or city, State, and zip code; (iii) Telephone numbers; (iv) Fax numbers; (v) Electronic mail addresses; (vi) Social security numbers; (vii) Medical record numbers; (viii) Health plan beneficiary numbers; (ix) Account numbers; (x) Certificate/license numbers; (xi) Vehicle identifiers and serial numbers, including license plate numbers; (xii) Device identifiers and serial numbers; (xiii) Web Universal Resource Locators (URLs); (xiv) Internet Protocol (IP) address numbers; (xv) Biometric identifiers, including finger and voice prints; and (xvi) Full face photographic images and any comparable images.” 45 C.F.R. § 164.514(e)(2).

10

The data use agreement must provide that the recipient will: “(1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; (2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; (3) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; (4) Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and (5) Not identify the information or contact the individuals.” 45 C.F.R. § 164.514(e)(4)(ii)(C).

11

As with HIPAA, Plaintiff acknowledges that the MPRA does not provide a private right of action. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 14.) The University argues that Plaintiff cannot use a contract claim to vindicate his rights under that statute. (Univ. Mem. in Supp. of Mot. to Dismiss at 11.) Plaintiff offered no argument on this point, but because the court concludes Plaintiff has not alleged a violation of MPRA, it need not address the issue further.

12

The parties also disagree about whether Mr. Dinerstein was a “subject at risk.” Again, the court need not reach the issue.

13

Plaintiff‘s argument that an implied contract exists because of the fiduciary relationship between him and the University, his medical provider, appears only in a footnote. (Pl.‘s Mem. in Opp‘n to Defs.’ Mots. to Dismiss at 26–27 n.9.)

Case Details

Case Name: Dinerstein v. Google, LLC

Court Name: District Court, N.D. Illinois

Date Published: Sep 4, 2020

Citations: 484 F.Supp.3d 561; 1:19-cv-04311

Docket Number: 1:19-cv-04311

Court Abbreviation: N.D. Ill.