Illinois Southern District Judge Nancy Rosenstengel
EAST ST. LOUIS, ILLINOIS - A Southern Illinois federal judge will allow portions of a class action complaint alleging Deaconess Health Systems violated privacy laws by deploying tracking pixels on patient portals.
Deaconess sought to dismiss all 12 counts of a complaint from named plaintiff Joel Juenger. In an order filed Sept. 30, U.S. District Judge Nancy Rosenstengel said the lawsuit regarding Illinois Red Bud Regional Hospital “is nearly identical to another case” in her court, though the plaintiff in the other litigation has retained anonymity.
Deaconess is based in Evansville, Indiana, and operates hospitals in Indiana, Kentucky and Illinois, including seven in the southern Illinois communities of Red Bud, Anna, Fairfield, Marion, Mt. Vernon, Eldorado and Lawrenceville.
Juenger claimed the hospital’s website used tools to collect and transmit data to companies like Google and Facebook without patients’ knowledge or permission. Even if a customer isn’t logged in to the hospital website, according to the complaint, software can link activity to a Facebook profile. The trackers allow the hospital to target marketing, Juenger alleged, while the companies that provide the tracking technology can sell data to third parties.
Rosenstengel said the hospital defendants sought dismissal on the same grounds as used to challenge the earlier lawsuit, while also separately challenging the Illinois law aspects unique to Juenger’s complaint: the implied duty of confidentiality and the Consumer Fraud and Deceptive Business Practices Act.
Deaconess failed to convince Rosenstengel the contested information didn’t meet the legal definition of protected personal health information and said Illinois law allows people to sue for loss of privacy, without showing they were harmed financially.
“Juenger alleges that he and the putative class suffered ‘decreased value of private information, emotional harm, loss of privacy, the revenues, profits and savings attributable to defendant’s unauthorized sale of private information, and increased risk of future harm,’ ” Rosenstengel wrote, “as well as ‘embarrassment, humiliation, frustration and emotional distress.’ These damages are also cognizable in a negligence action.”
However, she said that reasoning doesn’t apply to a claim of implied breach of contract, for which a plaintiff in Illinois must allege actual financial harm. Although Juenger alleged his information had diminished in value, she continued, that “cannot sustain a contract action because it is entirely speculative.” Further, there is not yet a finding in Illinois that someone can assert a property right in their personal information.
Rosenstengel also dismissed a privacy claim based on alleged intrusion upon seclusion, noting Juenger didn’t claim the hospital “surreptitiously intruded into a private domain (whether physically or virtually) where it had no business being.” She also tossed the unjust enrichment claim as improperly advanced as a standalone argument and said a common law claim for breach of the implied duty of confidentiality isn’t allowable in Illinois.
Juenger’s ICFA claim also failed as none of his legal theories, related to privacy rights, state a claim for actual damages as that law demands. However, Rosenstengel said Juenger did adequately allege violation of the Illinois Eavesdropping law because the complaint references a “device for the purpose of transmitting all or part of a private conversation to which defendants were a party, without the consent of all other parties to the conversation.”
A claim under the federal Electronic Communications Privacy Act survived, Rosenstengel said, because of Juenger’s allegations the hospital’s conduct constituted a violation of the Health Insurance Portability and Accountability Act through unauthorized disclosure of personal data. However, another claim under the ECPA failed along with a Stored Communications Act claim, because the judge found a hospital, despite operating a website, is not “a provider of an ‘electronic communications service’ under” either law.
Finally, Juenger alleged violation of the Computer Fraud and Abuse Act, but Rosenstengel said the claim failed based on established precedent regarding illegal access to personal computers.
“Defendants were the recipients of information that Juenger provided,” Rosenstengel wrote. “As argued by RBR, there are no allegations in the Complaint that this browser-server interaction amounts to the acquisition of ‘information located in particular areas of the computer — such as files, folders or databases — that are off limits to RBR.’ … Defendants did not obtain any information that was ‘off limits’ to them.”
Juenger and the possible plaintiffs' class are represented in the action by attorneys Lynn A. Toops and Amina A. Thomas, of the firm of Cohen & Malad, of Indianapolis; J. Gerard Stranch IV, Andrew E. Mize and Emily E. Schiller, of Stranch Jennings & Garvey, of Nashville, Tennessee; and Samuel J. Strauss and Raina C. Borrelli, of Strauss & Borelli, of Chicago.
Deaconess is represented by attorney Jousef M. Shkoukani, of Shook Hardy & Bacon, of Chicago.
