Lugo v. INOVA Health Care Services

1:24-cv-00700

E.D. Va.

Mar 25, 2025

Check Treatment

Docket

PEDRO LUGO v. INOVA HEALTH CARE SERVICES

No. 1:24-cv-700 (PTG/WEF)

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF VIRGINIA Alexandria Division

March 25, 2025

MEMORANDUM OPINION AND ORDER

This matter is before the Court on Defendant INOVA Health Care Services’ Motion to Dismiss for Failure to State a Claim (Dkt. 21). In this action, Plaintiff Pedro Lugo, individually and on behalf of similarly situated individuals, sues INOVA for actions relating to the misuse and disclosure of Plaintiff‘s and other potential class action members’ personally identifiable information (“PII“) and protected health information (“PHI“). Dkt. 1 (“Compl.“) 1. Plaintiff brings claims for breach of an implied-in-fact contract, unjust enrichment, and a violation of the Electronic Communications Privacy Act (“ECPA“). Id. ¶¶ 126-169. On October 3, 2024, the Court heard oral argument on Defendant‘s Motion to Dismiss. Dkt. 32. For the reasons stated below, the Court grants Defendant‘s Motion to Dismiss as it relates to the breach of implied contract and unjust enrichment claims, and the Court denies Defendant‘s Motion to Dismiss as it relates to Plaintiff‘s ECPA claim.

I. Background

A. Factual Background

At this stage, the following facts from the Complaint are accepted as true:¹

INOVA is a non-profit hospital organized under the laws of Virginia and headquartered in Falls Church, Virginia. Id. ¶ 13. It is one of the largest health care providers in the DC metro area and provides over two million patients visits annually. Id. ¶ 13, 15. INOVA utilizes websites and its Patient Portal to connect patients to its services. Id. ¶ 16. Plaintiff was a patient at INOVA and used its websites and MyChart Patient Portal. Id. ¶ 14.

INOVA implemented software tracking pixels on its website and Patient Portal. More specifically, Google and Facebook, also known as Meta, use “pixels” to create profiles and data points on individuals to target them with more effective advertising. Id. ¶¶ 24, 34-36. Google and Facebook tracking pixels are integrated into INOVA‘s website and Patient Portal. Id. ¶¶ 28, 46. Pixel codes track a user‘s interaction with websites and apps including when a user visits the site or app, what webpage he visits, what he clicks on, and what he types. Id. ¶¶ 28, 36. These pixels collect identifiable information such as IP addresses, User IDs, and Client IDs. Id. ¶¶ 28, 46. In this case, with the use of the pixels, INOVA intercepted and transmitted a variety of private information including: (1) individuals’ status as a medical patient; (2) individuals’ communications with INOVA through its website and Patient Portal; and (3) details regarding individuals’ medical appointments, location of treatments, specific medical providers, specific medical conditions and treatments, and related information. Id. ¶ 20.

After Google pixel collects the data, it packages and transmits it to Google for processing. Id. ¶ 29. Facebook‘s pixels instantaneously duplicate and send the data to Facebook‘s servers. Id. ¶ 37. Google and Facebook‘s tracking pixels are intended to increase targeted advertising capabilities and strengthen Google and Facebook‘s marketing and sales revenue. Id. ¶ 39. Google and Facebook use the data collected from their pixels to provide clients, like INOVA, with marketing and advertising analytics and strategies. Id. ¶¶ 30-31, 41, 44. INOVA financially benefits from the use of pixels because Facebook, Google, and other third parties provide INOVA with better advertising and more cost-effective marketing in exchange for the disclosure of patient information. Id. ¶ 87. Additionally, while the data collected through the pixels is used to improve Facebook and Google‘s own advertising target capabilities, it is also used to build profiles on their users. Id. ¶¶ 31, 41.

INOVA used pixels on its website and Patient Portal without users’ consent. Id. ¶ 53. In July 2023, the Department of Health and Human Services, along with the Federal Trade Commission, warned INOVA and other hospital systems and telehealth providers that pixels and other tracking technologies could be sending information protected by the Health Insurance Portability and Accountability Act (“HIPAA“) to third parties. Id. ¶¶ 55-58. INOVA never disclosed to Plaintiff or other putative class members that INOVA was sharing confidential communications with third parties. Id. ¶ 65.

INOVA provides patients a Notice of Privacy Practices that explains INOVA‘s legal duties regarding patients’ private health information. Id. ¶ 68. The privacy notice does not discuss disclosure of information to Google and Facebook. Id. Plaintiff claims that INOVA violated HIPAA and the Virginia Health Records Privacy Act (“VHRPA“) by disclosing patients’ protected information through pixels. Id. ¶¶ 79, 166.

B. Procedural History

On April 29, 2024, Plaintiff filed his Complaint. Dkt. 1. On July 1, 2024, INOVA filed its Motion to Dismiss. Dkt. 21. On July 29, 2024, Plaintiff filed his opposition. Dkt. 29. On August 12, 2024, INOVA filed its reply. Dkt. 31. On October 3, 2024, the Court held a hearing on this matter. Dkt. 32. On October 10, 2024, Plaintiff filed a Notice of Supplemental Authority. Dkt. 33.

II. Legal Standard

In order to survive a motion to dismiss brought under Federal Rule of Civil Procedure 12(b)(6), a complaint must set forth “a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). The plausibility requirement imposes not a probability requirement but rather a mandate that a plaintiff “demonstrate more than ‘a sheer possibility that a defendant has acted unlawfully.‘” Francis v. Giacomelli, 588 F.3d 186, 193 (4th Cir. 2009) (quoting Iqbal, 556 U.S. at 678). Accordingly, a complaint is insufficient if it relies upon “naked assertions” and “unadorned conclusory allegations” devoid of “‘factual enhancement.‘” Id. (quoting Twombly, 550 U.S. at 557) (citing Iqbal, 556 U.S. at 679). The complaint must present “enough fact to raise a reasonable expectation that discovery will reveal evidence” of the alleged activity. Twombly, 550 U.S. at 545.

When reviewing a motion brought under Rule 12(b)(6), the Court “must accept as true all of the factual allegations contained in the complaint,” drawing “all reasonable inferences” in the plaintiff‘s favor. E.I. du Pont de Nemours & Co. v. Kolon Indus., Inc., 637 F.3d 435, 440 (4th Cir. 2011) (citations omitted). “[T]he court ‘need not accept the [plaintiff‘s] legal conclusions drawn from the facts,’ nor need it ‘accept as true unwarranted inferences, unreasonable conclusions, or arguments.‘” Wahi v. Charleston Area Med. Ctr., Inc., 562 F.3d 599, 616 n.26 (4th Cir. 2009) (quoting Kloth v. Microsoft Corp., 444 F.3d 312, 319 (4th Cir. 2006)) (alterations in original).

III. Analysis

A. Breach of Implied Contract Claim

Plaintiff alleges that by providing his information to INOVA, the parties entered into an implied-in-fact contract wherein INOVA agreed to safeguard the private information that Plaintiff provided. Compl. ¶ 127. INOVA contends that Plaintiff‘s breach of implied contract claim must be dismissed because Plaintiff failed to allege consideration or mutual assent—required elements of an implied contract. Dkt. 22 at 21-23.

An “implied-in-fact-contract is a true contract, containing all of the elements that construct an enforceable agreement.” Nossen v. Hoy, 750 F. Supp. 740, 744 (E.D. Va. 1990). An implied-in-fact contract “differs from an actual contract in that the parties have not reduced it to a writing or to an oral agreement; rather, the court infers the implied-in-fact agreement from the course of conduct of the parties.” Id. Just as with an actual contract, for an implied-in-fact contract to be valid there must be consideration and mutuality of assent between the parties. Spectra-4, LLP v. Uniwest Com. Realty, Inc., 772 S.E.2d 290, 295 (Va. 2015).

“[C]onsideration is, in effect, the price bargained for and paid for a promise. It may be in the form of a benefit to the party promising or a detriment to the party to whom the promise is made.” Reynolds v. USAA Life Ins. Co., 678 F. Supp. 3d 736, 746 (E.D. Va. 2023) (alteration in original) (quoting Smith v. Mountjoy, 694 S.E.2d 598, 602 (Va. 2010)). “[A] party‘s agreement to do or refrain from doing something that it is already legally obligated to do or refrain from doing is not consideration.” Bojorquez-Moreno v. Shores & Ruark Seafood Co., 92 F. Supp. 3d 459, 468 (E.D. Va. 2015) (citation omitted).

Plaintiff claims the parties exchanged valuable consideration in the form of a mutual exchange of promises. Dkt. 29 at 14-15. Plaintiff alleges that he and INOVA “entered into an implied contract pursuant to which Inova Health agreed to safeguard and not disclose [his] Private Information without consent.” Compl. ¶ 127. Accordingly, the alleged exchange consisted of Plaintiff promising to provide his private information to INOVA, and INOVA promising to safeguard that information. Courts applying Virginia law have found that a mutual exchange of promises can constitute consideration for an express contract. Price v. Taylor, 466 S.E.2d 87, 88-89 (Va. 1996) (finding that mutual promises constituted consideration for a written land sale contract); see also Reynolds, 678 F. Supp. 3d at 746-47 (finding the mutual exchange of oral promises to cancel a written life insurance policy, followed by a written confirmation of the cancellation, was valuable consideration). Plaintiff has offered no authority that suggests the mutual exchange of promises is sufficient consideration in an implied-in-fact contract, like the one at issue here.

Even if it was sufficient, to the extent Plaintiff attempts to offer INOVA‘s privacy notice as evidence of bargained for consideration, Plaintiff‘s claim for a breach of an implied-in-fact contract must fail. INOVA argues, and Plaintiff concedes in his Complaint, that the privacy notice “explains [INOVA‘s] legal duties under HIPAA.” Compl. ¶ 68; Dkt. 22 at 21-22. Thus, the privacy notice is not any more than a recitation of INOVA‘s legal obligations. Such a recitation is insufficient to show consideration. See Bojorquez-Moreno, 92 F. Supp. 3d at 468. Therefore, Plaintiff has not properly alleged that he exchanged bargained for consideration with INOVA, a required element of an implied-in-fact contract. Accordingly, Plaintiff‘s claim for breach of an implied contract should fail for this reason alone.

Even if Plaintiff had adequately pled facts showing bargained-for consideration, Plaintiff also fails to establish mutual assent to contract terms. “Mutual assent by the parties to the terms of a contract is crucial to the contract‘s validity.” AB Staffing Sols., LLC v. Asefi Cap., Inc., No. 3:22-cv-32, 2022 WL 16555707, at *9 (E.D. Va. Oct. 31, 2022) (quoting Wells v. Weston, 326 S.E.2d 672, 676 (Va. 1985)). “[T]o form an enforceable contract in Virginia, ‘there must be mutual assent of the contracting parties to terms reasonably certain under the circumstances.‘” Id. (quoting Allen v. Aetna Cas. & Sur. Co., 281 S.E.2d 818, 820 (Va. 1981)). In an express contract, “[m]utual assent is determined ‘exclusively from those expressions of [the parties‘] intentions which are communicated between them.‘” Moorman v. Blackstock, Inc., 661 S.E.2d 404, 409 (Va. 2008) (quoting Lucy v. Zehmer, 84 S.E.2d 516, 522 (Va. 1954) (alteration in original)). With an implied-in-fact contract, however, “agreement is arrived at by a consideration of [the parties‘] acts and conduct.” City of Norfolk v. Norfolk Cnty., 91 S.E. 820, 821 (Va. 1917) (quoting 2 Ruling Case Law § 6 (William Mark McKinney & Burdett Alberto Rich eds., 1914); see also Spectra-4, LLP, 772 S.E.2d at 295 (citing City of Norfolk, 91 S.E. at 821-22) (“With implied-in-fact contracts, the parties’ conduct must... establish what the terms of the contract are.“). Because conduct, and not express communication, creates an implied-in-fact contract, custom plays a large role in determining what actions imply a contract between parties. Here, Plaintiff does not allege facts to show that custom dictates that the exchange of Plaintiff‘s private information for health services creates an implied-in-fact contract between the parties.

Plaintiff also argues that INOVA‘s privacy notice constitutes mutual assent to the obligations INOVA laid out in that document. Dkt. 29 at 14. However, Plaintiff does not allege facts to show there was mutual assent between the parties to any terms in INOVA‘s privacy notice. Plaintiff does not allege that he had to agree to the privacy notice to continue using INOVA‘s website, nor does Plaintiff allege any communication between himself and INOVA that would have shown an intent to contract with regards to the privacy notice. Cf. Soucie v. Virginia Utility Protection Service, Inc., 2023 WL 2991487, at *8-9 (W.D. Va. Apr. 18, 2023) (finding that a plaintiff who checked a “mark as read” box assented to an agreement).

Plaintiff additionally argues that INOVA‘s Employee Code of Conduct establishes mutual assent. The Code of Conduct instructs employees to not disclose patient specific information and uphold confidentiality. Compl. ¶¶ 68-69. The Code of Conduct, however, cannot establish mutual assent between Plaintiff and INOVA because Plaintiff is not an employee of INOVA. Accordingly, Plaintiff fails to allege mutual assent between the parties to an implied contract.

Because Plaintiff does not allege facts sufficient to prove consideration or mutual assent, Plaintiff fails to allege that an implied-in-fact contract existed between himself and INOVA. Therefore, the Court dismisses Plaintiff‘s claim for breach of an implied-in-fact contract.

B. Unjust Enrichment Claim

As an alternative to Plaintiff‘s breach of implied contract claim, Plaintiff brings a claim for unjust enrichment. Compl. ¶ 133. Plaintiff argues that INOVA was unjustly enriched when it received a benefit from collecting Plaintiff‘s data without compensating Plaintiff. Id. ¶¶ 135-36. INOVA contends that Plaintiff‘s unjust enrichment claim must be dismissed because Plaintiff has not shown that INOVA should have reasonably expected to pay Plaintiff or that Plaintiff was the one who conferred a benefit on INOVA. Dkt. 22 at 25-29.

“A plaintiff asserting unjust enrichment must demonstrate the following three elements: ‘(1) he conferred a benefit on [the defendant]; (2) [the defendant] knew of the benefit and should reasonably have expected to repay [the plaintiff]; and (3) [the defendant] accepted or retained the benefit without paying for its value.‘” Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144, 165-66 (4th Cir. 2012) (quoting Schmidt v. Household Finance Corp., 661 S.E.2d 834, 838 (Va. 2008)) (alterations in original).

Plaintiff alleges that he conferred a benefit on INOVA by providing “valuable Private Information” that INOVA “distributed without authorization and proper compensation.” Compl. ¶ 135. Further, Plaintiff alleges that INOVA “used this information for its own gain, providing Inova . . . with economic, tangible, and other benefits, including substantial monetary compensation.” Id. However, Plaintiff has not alleged facts showing that Plaintiff, or other potential class members, compensated INOVA. Instead, Plaintiff alleged that INOVA was “compensated by Facebook, Google, and other third parties in the form of enhanced advertising services and more cost-efficient marketing on their platforms.” Compl. ¶ 87. Defendant contends that this forecloses Plaintiff from alleging the first element of the unjust enrichment claim. Dkt. 22 at 28.

In support of his unjust enrichment claim, Plaintiff cites In re Capital One Consumer Data Security Breach Litigation, 488 F. Supp. 3d 374 (E.D. Va. 2020). The In re Capital One plaintiffs alleged that they provided personal information to Capital One and Amazon and that Amazon received a benefit from this information because Amazon charged Capital One to use Amazon servers to store the plaintiffs’ information. Id. at 412-13. The court maintained plaintiffs’ unjust enrichment claim at the motion to dismiss stage, finding that Amazon “profited from its storage and retention of [p]laintiffs’ PII” and “[r]etaining these profits without adequately securing [plaintiffs‘] data would be ‘unjust.‘” Id. at 413. Plaintiff argues his unjust enrichment claim should not be dismissed because like Amazon in In re Capital One, INOVA retained an undue benefit from the collection and use of Plaintiff‘s private information in the form of compensation by Facebook, Google, and other third parties. Dkt. 29 at 17.

INOVA argues that In re Capital One is inapplicable because it stems from a data breach. Dkt. 31 at 13. INOVA instead points to In re Hackman wherein the court dismissed the plaintiffs’ unjust enrichment claim against the defendant-bank. In re Hackman, 534 B.R. 867, 878-79 (Bankr. E.D. Va. 2015). In In re Hackman, the defendant-bank was allegedly enriched due to third-party embezzling funds into an account with the defendant-bank. There, the court granted the defendant-bank‘s motion to dismiss finding (1) the enrichment was “too attenuated from the nature of the wrong” and (2) the plaintiffs did not confer the benefit. Id. However, this Court is persuaded that In re Capital One is more analogous than In re Hackman because both In re Capital One and the instant matter involve situations wherein entities retained the plaintiff‘s personal information and received a benefit as a result. Taking Plaintiff‘s allegations as true, Plaintiff has plausibly stated facts to show he conferred a benefit on INOVA by providing INOVA with his personal data for which INOVA was later compensated by Google and Facebook. Accordingly, Plaintiff has alleged facts to satisfy the first prong of an unjust enrichment claim.

The second prong of an unjust enrichment claim requires the plaintiff demonstrate that the defendant “knew of the benefit and should reasonably have expected to repay [the plaintiff].” Rosetta Stone Ltd., 676 F.3d at 166 (alteration in original). In Rosetta Stone, Google allegedly engaged in the unauthorized sale of Rosetta Stone trademarks via a program through which companies could “purchase” words to optimize Google searches. Id. at 151-52, 156-57. Rosetta Stone argued that Google was unjustly enriched through the improper sale of Rosetta Stone trademarks to other companies. Id. at 152. The Fourth Circuit dismissed Rosetta Stone‘s claim finding that Rosetta Stone did not allege that Google pays any other mark holder for the sale of words relating to their trademarks and did not allege facts to support the general allegation that “Google ‘should reasonably have expected’ to pay.” Id. at 165-66.

Rosetta Stone is instructive. Like that plaintiff, here, Plaintiff makes no allegation that INOVA should have reasonably expected to pay Plaintiff for his information that was allegedly disclosed via pixels. Plaintiff does not allege that INOVA, or other health care providers, pay other users for the same type of information. Nor does Plaintiff allege any facts to suggest that Plaintiff should have reasonably expected to be paid for his information. Therefore, Plaintiff fails to allege sufficient facts to set out the second prong of an unjust enrichment claim. As such, the Court will grant INOVA‘s Motion with respect to Plaintiff‘s unjust enrichment claim.

C. Electronic Communications Privacy Act Claim

The ECPA “prohibits intentionally intercepting any electronic communication.” Ctr. L. & Consulting, LLC v. Axiom Res. Mgmt., Inc., 456 F. Supp. 3d 765, 769 (E.D. Va. 2020) (citing 18 U.S.C. § 2511(1)(a)). The ECPA amended the federal Wiretap Act to provide data and electronic communications with the same protections that the Wiretap Act already gave to oral and wire communications. Brown v. Waddell, 50 F.3d 285, 289 (4th Cir. 1995). To state a claim under the ECPA, a plaintiff must show “that a defendant (1) intentionally (2) intercepted, . . . (3) the contents of (4) an electronic communication (5) using a device.” In re Pharmatrak, Inc., 329 F.3d 9, 18 (1st Cir. 2003).

The ECPA, however, includes an exception to liability. The “party exception” provides that a “party” to an electronic communication cannot be held liable for an interception of that communication. 18 U.S.C. § 2511(2)(d). In this case, it is not disputed that INOVA was a party to the relevant communications and intercepted electronic communications. Plaintiff contends, however, that the exception to the party exception applies.

1. Violations of HIPAA and the VHRPA as the Basis for the Crime-Tort Exception

The party exception does not apply when a party intercepts electronic communication “for the purpose of committing” a crime or tort in violation of state or federal law. Id. This exception is known as the “crime-tort” exception. Mekhail v. N. Mem‘l Health Care, 726 F. Supp. 3d 916, 927 (D. Minn. 2024). Some courts require that the “primary motivation” or “determinative factor” in a party‘s interception was tortious or criminal in order for the crime-tort exception to apply. Id. (citing United States v. Dale, 991 F.2d 819, 842 (D.C. Cir. 1993); In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 797 (N.D. Cal. 2022) (“Under this exception, plaintiffs must allege that either the ‘primary motivation or a determining factor in [the defendant‘s] actions has been to injure plaintiffs tortiously.‘” (quoting Brown v. Google LLC, 525 F. Supp. 3d 1049, 1067 (N.D. Cal. 2021))); In re DoubleClick Inc. Priv. Litig., 154 F. Supp. 2d 497, 514-15 (S.D.N.Y. 2001) (same)); see also In re Grp. Health Plan Litig., 709 F. Supp. 3d 707, 719 (D. Minn. 2023) (same). The Second and Seventh Circuits have taken a more liberal approach, finding that if the interceptor‘s plan for, or intended use of, the recording was criminal or tortious, the crime-tort exception applies. See Caro v. Weintraub, 618 F.3d 94, 100 (2d Cir. 2010) (“[T]he offender must have as her objective a tortious or criminal result.“); see also In re High Fructose Corn Syrup Antitrust Litig., 216 F.3d 621, 626 (7th Cir. 2000) (discussing defendant‘s general “purpose” and “motive” without a hierarchy of motivation).

Plaintiff alleged that INOVA‘s interception and disclosure of personal data were part of the criminal act of violating HIPAA and the VHRPA. Compl. ¶¶ 158-59, 165. INOVA argues that because neither HIPAA nor the VHRPA create a private right of action, a plaintiff should be precluded from using HIPAA or VHRPA violations to invoke the crime-tort exception to the ECPA.

Dkt. 22 at 18-19.² Courts around the country, however, have permitted the invocation of the ECPA‘s crime-tort exception when plaintiffs allege violations of HIPAA and other state health privacy laws. See e.g., Kurowski v. Rush Sys. for Health, 2023 WL 8544084, at *2-3 (N.D. Ill. Dec. 11, 2023) (finding allegations of a HIPAA violation sufficient to invoke the crime-tort exception); Kane v. Univ. of Rochester, 2024 WL 1178340, at *7-8 (W.D.N.Y. Mar. 19, 2024) (same); Mekhail, 726 F. Supp. 3d. at 927-28 (same); Hartley v. Univ. of Chi. Med. Ctr., 2024 WL 1886909, at *2-3 (N.D. Ill. Apr. 30, 2024) (same); Smith v. Loyola Univ. Med. Ctr., 2024 WL 3338941, at *7 (N.D. Ill. July 9, 2024) (same); Sweat v. Hous. Methodist Hosp., 2024 WL 3070184, at *4 (S.D. Tex. June 20, 2024) (same); Gay v. Garnet Health, 2024 WL 4203263, at *3-4 (S.D.N.Y. Sept. 16, 2024) (same); Murphy v. Thomas Jefferson Univ. Hosps., Inc., 2024 WL 4350328, at *4-5 (E.D. Pa. Sept. 30, 2024) (same); A.D. v. Aspen Dental Mgmt., Inc., 2024 WL 4119153, at *3 (N.D. Ill. Sept. 9, 2024) (same); In re Grp. Health Plan Litig., 709 F. Supp. 3d at 719-20 (finding claims of a HIPAA violation and invasion of privacy sufficient at the motion to dismiss stage to allege the crime-tort exception applies); B.K. v. Desert Care Network, 2024 WL 1343305, at *6 (C.D. Cal. Feb. 1, 2024) (plaintiffs’ allegations of violations of state health privacy laws and other state and federal laws sufficient to invoke the crime-tort exception). This Court agrees and finds that despite HIPAA and the VHRPA not providing individuals with a private right of action, violations of these laws can serve as the basis for a plaintiff to invoke the crime-tort exception to the ECPA.

An entity violates HIPAA when it “knowingly . . . discloses individually identifiable health information to another.” 42 U.S.C. § 1320d-6(a)(3). Individually identifiable health information is defined as any information “created or received by a health care provider” that “relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual” and “identifies the individual” or “with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” 42 U.S.C. § 1320d(6).

Plaintiff alleges that INOVA disclosed individuals’ “(1) status as medical patients; (2) communications with Inova Health through its websites and Patient Portal; and (3) information about their medical appointments, location of treatments, specific medical providers, specific medical conditions and treatments, and related information.” Compl. ¶ 20. This information “relates to the provision of health care” to Plaintiff. 42 U.S.C. § 1320d(6). Plaintiff also alleges that pixels collect identifiable information including IP addresses, names, locations, and email addresses, home addresses, and zip codes. Compl. ¶¶ 28, 40, 46. This information identifies Plaintiff. See 42 U.S.C. § 1320d(6); see also Loyal Univ. Med. Ctr., 2024 WL 3338941, at *6-7 (applying the crime-tort exception when defendant disclosed information including “medical appointments, location of treatments, specific medical providers, specific medical conditions and treatments, and other sensitive health information to third parties“). Accordingly, the Court finds that Plaintiff has properly alleged that INOVA violated HIPAA by using pixels on its website and Patient Portal.

The VHRPA prohibits the disclosure of an individual‘s heath records without their permission or legal authorization. Va. Code Ann. § 32.1-127.1:03. A health record is defined as “any written, printed or electronically recorded material maintained by a health care entity in the course of providing health services to an individual concerning the individual and the services provided.” Va. Code Ann. § 32.1-127.1:03(B). Plaintiff alleges that INOVA disclosed information related to medical treatments and conditions. Compl. ¶ 20. Accepting these allegations as true, Plaintiff has properly alleged a violation of the VHRPA. Accordingly, Plaintiff has properly alleged violations of HIPAA and the VHRPA which can serve as a criminal or tortious act sufficient to invoke the crime-tort exception to the ECPA.

2. A Commercial Purpose and the Crime-Tort Exception

INOVA has argued that because there was a commercial purpose behind the collection and disclosure of Plaintiff‘s private health information, irrespective of any intent to violate HIPAA or the VHRPA, the crime-tort exception does not apply. Dkt. 22 at 14-17.

Some courts have dismissed ECPA claims wherein the plaintiff alleged violations of HIPAA or state health privacy laws finding that the main purpose of the interception at issue was not to commit a statutory violation, but instead for commercial gain. These courts found that a commercial or marketing related motive is not criminal or tortious such that the crime-tort exception can be invoked. See e.g., Rodriguez v. FastMed Urgent Care, P.C., 2024 WL 3541582, at *6 (E.D.N.C. July 24, 2024); In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 797; Roe v. Amgen Inc., 2024 WL 2873482, at *6 (C.D. Cal. June 5, 2024). However, other courts around the country have upheld ECPA claims using the crime-tort exception where the alleged criminal purpose for the interception was a violation of HIPAA or a state health privacy law, despite the healthcare provider having an additional commercial, marketing, or advertising purpose behind the interception. See e.g., Sweat, 2024 WL 3070184, at *3-4; Kurowski, 2023 WL 8544084, at *3; Kane, 2024 WL 1178340, at *7; Loyola Univ. Med. Ctr., 2024 WL 3338941, at *7; In re Grp. Health Plan Litig., 709 F. Supp. 3d at 719-20; Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 381-82 (S.D.N.Y. 2024); Aspen Dental Mgmt., Inc., 2024 WL 4119153, at *3; Hartley, 2024 WL 1886909, at *1-3.

Plaintiff alleged that INOVA used pixels to “increase the success of its profitability, advertising, and marketing.” Compl. ¶ 17; see also id. ¶ 86. According to Plaintiff, INOVA “intentionally intercepted the contents of Plaintiff‘s and the other Class Members’ electronic communications for the purpose of committing a tortious or criminal act in violation of the Constitution or laws of the United States or of any State.” Id. ¶ 155.

The Fourth Circuit has not determined whether the crime-tort exception applies when a health care provider‘s purpose for disclosing patients’ private information is commercial. INOVA asks this Court to follow the decision in Rodriguez v. FastMed Urgent Care, P.C., which dismissed an ECPA claim based on a HIPAA violation finding that FastMed disclosed patient information for commercial use, and not to commit a crime or tort. Rodriguez, 2024 WL 3541582, at *5-6. In support of this finding, the Eastern District of North Carolina cited to three cases that involve the ECPA, but do not involve the use of pixels to gather and disclose private health care information. Id. at *5 (citing In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 145 (3d Cir. 2015); Caro, 618 F.3d at 99-101; Sussman v. Am. Broad. Cos., 186 F.3d 1200, 1202-03 (9th Cir. 1999)).

The Rodriguez court also cited to one case that involved a technology similar to the pixels alleged to be used in this case and similar facts to the case at issue, Kurowski v. Rush Sys. For Health, 659 F. Supp. 3d 931, 936-40 (N.D. Ill. 2023).³ In that iteration of Kurowski, the Northern District of Illinois found that the plaintiff had not alleged sufficient facts “to support an inference that Rush disclosed its patients’ individually identifiably health information” in violation of HIPAA. Id. at 938. Following this ruling, the plaintiff was then given leave to amend her complaint, and the Northern District of Illinois took the case up again. Kurowski, 2023 WL 8544084, at *1. Thereafter, the plaintiff alleged that Rush used pixels to collect and transmit “the name and location of her personal physician, as well as her physician‘s specialty” to Facebook so that Facebook could target her with specific advertising. Id. at *2-3. The plaintiff further alleged that Rush disclosed this data to third parties, including Facebook, “for the purpose of financial gain.” Id. at *3. The Northern District of Illinois found that this version of Kurowski‘s complaint “unlike the previous versions, plausibly states a claim for relief under the Wiretap Act.” Id. These are exactly the facts that are before this Court.

The Court declines to follow Rodriguez because its logic is based on three factually dissimilar cases and a previous iteration of Kurowski. Instead, the Court is persuaded that a plaintiff who has alleged the defendant engaged in a statutory violation, even if for a financial or commercial purpose, has stated a claim for relief under the ECPA and its crime tort exception. “[T]he mere existence of [a] lawful purpose alone does not ‘sanitize a[n interception] that was also made for an illegitimate purpose.‘” Cooper, 742 F. Supp. 3d at 378 (first quoting DoubleClick, 154 F. Supp. 2d at 514; and then quoting Sussman, 186 F.3d at 1202) (alteration in original). Indeed, many crimes and torts are committed for financial gain. Therefore, having a commercial purpose in addition to the purpose of violating HIPAA or the VHRPA, does not immunize INOVA from Plaintiff‘s ECPA claims.

Accordingly, the Court finds that Plaintiff‘s allegations that INOVA intercepted and disclosed patient‘s personal health information in violation of HIPAA and VHRPA in order to increase the success of INOVA‘s marketing are sufficient to invoke the crime-tort exception to the ECPA at the motion to dismiss stage. See Compl. ¶¶ 17, 86, 155, 158-59, 165. Discovery is needed to reveal whether INOVA had a criminal or tortious intent. See In re Grp. Health Plan Litig., 709 F. Supp. 3d at 720 (noting that a determination of a health care provider‘s actual purpose for using pixels “requires a factual undertaking” and permitting an ECPA claim to continue); see also Gay, 2024 WL 4203263, at *4 (“It may be discovery reveals that Defendant had neither a criminal nor tortious intent, but at the motion to dismiss stage Plaintiffs have met their burden for their ECPA claim to survive.“).

IV. Conclusion

For these reasons, the Court grants Defendant‘s Motion to Dismiss as it relates to Count I (Breach of Implied Contract) and Count II (Unjust Enrichment) and the Court denies Defendant‘s Motion to Dismiss as it relates to Count III (Electronic Communication Privacy Act).

Accordingly, it is hereby

ORDERED that Defendant‘s Motion to Dismiss is GRANTED in part and DENIED in part; it is further

ORDERED that Defendant‘s Motion to Dismiss as to Count I and Count II is GRANTED; it is further

ORDERED that Plaintiff is GRANTED leave to amend his Complaint with respect to Counts I and II. Plaintiff shall file any amended complaint within twenty-one (21) days of this Order; it is further

ORDERED that Defendant‘s Motion to Dismiss as to Count III is DENIED.

Entered this 25th day of March, 2025

Alexandria, Virginia

Patricia Tolliver Giles

United States District Judge

Notes

In considering a motion to dismiss for failure to state a claim, as is the case here, “a court accepts all well-pled facts as true and construes these facts in the light most favorable to the plaintiff[.]” .

The Fourth Circuit has found that HIPAA does not provide a private right of action. . Nor can individuals bring negligence per se claims based on alleged HIPAA violations. . Similarly, this Court has found that the VHRPA does not provide a private right of action under state law. , aff‘d, .

The defendant in Kurowski described the technology at issue there as “cookies [used] to track how visitors use the [Rush University System for Health] website.” (quoting the Motion to Dismiss). The plaintiff alleged that this technology “allow[ed] for the ‘contemporaneous unauthorized interception and transmission of personally identifiable patient data‘” that “was transmitted to Facebook, Google, and Bidtellect.” (quoting the Complaint). This type of technology and alleged use are factually similar to the pixels at issue here and Plaintiff‘s allegations.

Read the detailed case summary