In re: Group Health Plan Litigation ( 2023 )


Menu:
  • UNITED STATES DISTRICT COURT DISTRICT OF MINNESOTA In Re: Group Health Plan Litigation, Case No. 23-cv-267 (JWB/DJF) ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS Bryan L. Bleichner, Esq., Chestnut Cambronne PA; and Gary M. Klinger (Milberg Coleman Bryson Phillips Grossman PLLC), Interim Co-Lead Class Counsel. Cynthia A. Bremer, Esq., and Nathan T. Boone, Esq., Ogletree, Deakins, Nash, Smoak & Stewart, P.C.; Elizabeth Anne Scully, Esq., and Paul G. Karlsgodt, Esq., Baker & Hostetler LLP, counsel for Defendant. INTRODUCTION The digital era challenges many of our traditional understandings of rights, boundaries, and protections under the law. This lawsuit is emblematic, poised at the intersection of digital privacy and the proper use and sharing of online patient healthcare data. Plaintiffs bring this putative class action against Group Health Plan Inc. (hereinafter “HealthPartners”) alleging violations of the Electronic Communications Privacy Act, Minnesota Unfair and Deceptive Trade Practices Act, invasion of privacy, and other violations. Plaintiffs allege that HealthPartners intentionally and unlawfully transmitted personal and health information about Plaintiffs to third parties, including Meta Platforms Inc. (also known as “Facebook”). HealthPartners has moved to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). The Court conducted a hearing on October 16, 2023. Based on the papers submitted to date and oral argument, the Court grants in part and denies in part Defendant HealthPartners’ motion to dismiss. BACKGROUND HealthPartners is an integrated health care organization headquartered in Bloomington, Minnesota. HealthPartners provides healthcare-related services to more than a million patients and is the nation’s largest nonprofit health care organization. Plaintiffs, current patients of HealthPartners, have sued HealthPartners in a consolidated class action complaint. (Doc. No. 59, Consolidated Class Action Complaint (“Compl.”).) At the root of this dispute is Plaintiffs’ contention that HealthPartners utilized Pixel Code and Conversions Application Programming Interface (“CAPI”) on its website servers and websites, www.healthpartners.com and www.virtuwell.com (hereinafter the “Website(s)”). These technologies, as alleged, surreptitiously tracked users’ interactions on the Websites and transmitted those interactions to Facebook. Such interactions include, but are not limited to, duration spent on web pages, button clicks, viewed pages, and typed text or phrases. This alleged tracking and transmission of data, an undisclosed kind of “spyware” that disclosed personally identifiable and health information along with Plaintiffs’ unique Facebook ID, linked their private health information to their specific profiles on Facebook. Allegedly, this occurred without Plaintiffs’ consent or knowledge, and was done for the commercial exploitation of patient confidential health information. Plaintiffs assert nine causes of action: (1) Violation of the Minnesota Health Records Act (Minn. Stat. § 144.291, et seq.); (2) Invasion of Privacy; (3) Breach of Implied Contract; (4) Unjust Enrichment; (5) Breach of Fiduciary Duty; (6) Breach of Confidence; (7) Negligence; (8) Violations of Electronic Communications Privacy Act (18 U.S.C. § 2511(1), et seq.); and (9) Violations of the Minnesota Uniform Deceptive Trade Practice Act (Minn. Stat. § 325D.43-48). Having carefully considered the arguments and submissions of both parties, the motion to dismiss Plaintiffs’ breach of fiduciary duty and breach of confidence claims is granted. The motion is denied as to the remaining seven claims. DISCUSSION I. STANDARD OF REVIEW A dismissal under Federal Rule of Civil Procedure 12(b)(6) is proper when, even taking all complaint allegations as true and in the light most favorable to the non-movant, the claim is not legally plausible on its face. A complaint must present enough facts, if assumed true, to create a reasonable inference that the defendant is liable for the misconduct alleged. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Mere legal conclusions and unfounded inferences cannot prevent dismissal under Rule 12(b)(6). II. ANALYSIS A. Minnesota Health Records Act Claim – Count I Plaintiffs allege that HealthPartners violated the Minnesota Health Records Act (“MHRA”). The MHRA prohibits healthcare providers from “release[ing] a patient’s health records to a person” without the patient’s consent or “specific authorization in law.” Minn. Stat. § 144.293, subd. 2. HealthPartners argues Count I must be dismissed because Plaintiffs have not plausibly alleged that HealthPartners disclosed their “health records” to a third party. Under the MHRA, a “health record” includes: any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of a patient [,] the provision of healthcare of a patient [or] or the past, present, or future payment for the provision of healthcare to a patient. Minn. Stat. § 144.291, subd. 2(c) (emphasis added). Plaintiffs allege that they used the Websites to communicate private health information with healthcare providers; search for physicians; schedule appointments and procedures; receive and discuss medical diagnoses and treatment from healthcare providers; receive lab results; review medical records; review medical bills; and search symptoms and medical conditions relating to personal medical treatment. (Doc. No. 59, Compl. ¶¶ 41, 64, 85.) Plaintiffs also allege that the Websites routinely provided Facebook with this health information and other identifying information they had input into the Websites. (Id. ¶¶ 49, 71, 93.) Plaintiffs’ allegations are sufficient to plausibly plead that health records were released without their consent, considering the broad definition of health records in the statute. Cf. Doe v. Regents of Univ. of California, No. 23-cv-00598-WHO, 2023 WL 3316766, at *4 (N.D. Cal. May 8, 2023) (“[The defendant] claims that plaintiff should have pleaded ‘[f]acts showing what specific medical information was entered by Plaintiff . . . [and] which of that alleged medical information actually was transmitted to Meta and in what form.’ . . . At the motion to dismiss stage, it is not necessary for plaintiff to provide more specific medical details.”). HealthPartners’ motion with respect to Count I is denied. B. Invasion of Privacy – Count II Plaintiffs have also plausibly pled a claim for invasion of privacy based on intrusion upon seclusion. Plaintiffs state in their response to Defendant’s motion that they believe their claim is properly framed as one for intrusion upon seclusion. (Doc. No. 76, Pls.’ Mem. in Opp’n 17.) Therefore, the alternative theory of invasion of privacy (i.e., publication of private facts) will not be addressed here. Intrusion upon seclusion exists when someone “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns . . . if the intrusion would be highly offensive to a reasonable person.” Lake v. Wal–Mart Stores, Inc., 582 N.W.2d 231, 233 (Minn. 1998) (quotations omitted). Courts evaluate various factors when assessing whether an intrusion is offensive: the extent of the intrusion, the surrounding context and conduct, the motives and goals of the intruder, the environment of the intrusion, the invaded party’s privacy expectations, and the frequency and quantity of the intrusions. See Kennedy v. City of Braham, 67 F. Supp. 3d 1020, 1035 (D. Minn. 2014). HealthPartners disputes that Plaintiffs have pled “intrusion” and “highly offensive” conduct. However, Plaintiffs have sufficiently alleged both. They claim HealthPartners deliberately integrated Facebook Pixel and CAPI into its Website and servers (Compl. ¶¶ 31, 110, 175), which intercepted and shared communications with third parties, including Facebook. (Id. ¶¶ 126, 110, 141.) At this stage, these facts are considered in the light most favorable to Plaintiffs and are suggestive of intentional intrusion by HealthPartners. Furthermore, Plaintiffs must demonstrate that such intrusion would be highly offensive to a reasonable person. Plaintiffs describe the interference as intentional and involving sensitive health information, including communications about medical records and diagnoses. (Compl. ¶¶ 20, 22, 27, 31, 41, 51, 73, 95, 110, 119, 148, 150). This goes beyond the kind of non-descript, vanilla, browsing history that HealthPartners suggests Plaintiffs have pled. The case Cousin v. Sharp Healthcare supports this, where similar disclosures were deemed “highly offensive.” No. 22-cv-2040, 2023 WL 4484441, at *6 (S.D. Cal. July 12, 2023). Thus, Plaintiffs plausibly allege HealthPartners’ actions as highly offensive to a reasonable person. HealthPartners’ motion with respect to Count II is denied. C. Breach of Implied Contract – Count III HealthPartners argues that Plaintiffs have not alleged sufficient facts to claim an implied contract existed between the Plaintiffs and HealthPartners. To state a claim for breach of contract under Minnesota law, a plaintiff must allege facts showing (1) that a contract was formed, (2) the plaintiff performed any conditions precedent, (3) the defendant materially breached the contract, and (4) damages. Gen. Mills Operations, LLC v. Five Star Custom Foods, Ltd., 703, F.3d 1104, 1107 (8th Cir. 2013). An implied-in- fact contract is a contract inferred from the circumstances and conduct of the parties. Tri- State Bobcat, Inc. v. FINN Corp., 338 F. Supp. 3d 971, 982 (D. Minn. 2018). Plaintiffs assert that when they provided their private information to HealthPartners through their Website to receive services, “they entered into an implied contract” with HealthPartners by which HealthPartners “agreed to safeguard and not disclose their Private Information without consent.” (Compl. ¶¶ 281–82.) To support this allegation, Plaintiffs point to HealthPartners’ “several privacy policies that represent to patients and Website visitors that Defendant will keep sensitive information confidential and will only disclose Private Information under certain circumstances, none of which apply here.” (Id. ¶ 193; see also id. ¶ 194.) Plaintiffs specifically allege that HealthPartners’ Privacy Policy “does not permit Defendant to intercept, transmit, and/or disclose” their private information to third parties “for marketing purposes.” (Id. ¶ 195.) The Policy also acknowledges that HealthPartners “is required by law to maintain the confidentiality of Plaintiffs’ and Class Members’ Private Information” unless a specific exception applies. (Id. ¶ 196.) Plaintiffs allege HealthPartners breached their implied contract by disclosing their private information “without consent to third parties like Facebook,” and because of the breaches, Plaintiffs “sustained damages” in the form of “the loss of the benefit of their bargain and diminution in value of Private Information.” (Id. ¶¶ 285–86.) Plaintiffs allege that their Private Information had financial value. (Compl. ¶¶ 232–35.) Plaintiffs’ allegations are sufficient to state a claim. See Regents of Univ. of California, 2023 WL 3316766, at *7 (finding it “plausible that the parties entered into an implied contract” and that the “agreed upon terms . . . are those spelled out in the Notice of Privacy and Privacy Statement, providing assurances”); see also Hall v. Centerspace, LP, No. 22-CV-2028 (KMM/DJF), 2023 WL 3435100, at *7–8 (D. Minn. May 12, 2023) (concluding plaintiff adequately alleged damages sufficient to support a claim for breach of an implied contract where plaintiff “assert[ed] that the value of his PII has been diminished”). Arguments about whether Plaintiffs and HealthPartners had a meeting of the minds or debates over the value of Plaintiffs’ loss are fact disputes better left for summary judgment or trial. HealthPartners’ motion with respect to Count III is denied. D. Unjust Enrichment – Count IV To state a claim for unjust enrichment, a plaintiff must allege facts showing “(1) a benefit conferred; (2) the defendant’s appreciation and knowing acceptance of the benefit; and (3) the defendant’s acceptance and retention of the benefit under such circumstances that it would be inequitable for him to retain it without paying for it.” Christensen L. Off., PLLC v. Ngouambe, No. A17-1917, 2018 WL 2293423, at *6 (Minn. App. May 21, 2018). Plaintiffs allege they “conferred a benefit upon Defendant in the form of Private Information that Defendant collected from Plaintiffs and Class Members, without authorization and proper compensation.” (Compl. ¶ 290.) They allege HealthPartners “consciously collected and used this information for its own gain,” and “unjustly retained those benefits . . . without providing any commensurate compensation to Plaintiffs and Class Members.” (Id. ¶¶ 290–91.) Additionally, they allege it would be “inequitable” to permit HealthPartners to retain “any of the profit or other benefits wrongly derived from the unfair and unconscionable methods, acts, and trade practices alleged in this Complaint.” (Id. ¶ 292.) HealthPartners argues that Plaintiffs’ allegations are conclusory and that the Website Privacy Policy forecloses Plaintiffs’ unjust enrichment claim, citing Cleveland v. Whirlpool Corp., 550 F. Supp. 3d 660, 671 (D. Minn. 2021). In Cleveland, the court ultimately concluded that the claim for unjust enrichment failed because there was “no dispute that a written contract governs the at-issue conduct.” Id. There, the written contract was in the form of an express warranty, and its existence was undisputed. Here, there is no similar express warranty. Plaintiffs do not allege that the Privacy Policy was an express written contract governing the conduct at issue; instead, Plaintiffs assert the Privacy Policy is indicative of the implied contract between the parties. Viewing the Complaint and factual allegations in the light most favorable to Plaintiffs, Plaintiffs have sufficiently pled facts supporting each element of an unjust enrichment claim. HealthPartners’ motion with respect to Count IV is denied. E. Breach of Fiduciary Duty – Count V HealthPartners argues that Plaintiffs’ claim for breach of fiduciary duty should be dismissed because there was no fiduciary relationship between HealthPartners and Plaintiffs when Plaintiffs accessed the Websites. Plaintiffs, conversely, assert it is “axiomatic that the handling of sensitive patient information involves a fiduciary duty for a health care provider.” (Doc. No. 76 at 27–28.) The existence of a legal duty is for the court to determine as a matter of law. Larson v. Larson, 373 N.W.2d 287, 289 (Minn. 1985). A fiduciary relationship may be created when one party places its confidence in a second party, which obtains superiority and influence over the first party. Vacinek v. First Nat’l Bank, 416 N.W.2d 795, 799 (Minn. App. 1987) (citing Stark v. Equitable Life Assurance Soc’y, 285 N.W. 466, 470 (Minn. 1939)). The relationship between the parties can be legal, moral, social, domestic, or personal. Id. Plaintiffs allege that HealthPartners “became a fiduciary by its undertaking and guardianship” of Plaintiffs’ private information, and that it had a fiduciary duty “to keep private and not disclose” the private information of its patients. (Compl. ¶¶ 295–96.) However, under Minnesota common law physicians or hospital staff members do not have a fiduciary duty toward their patients. See Hemmerlin-Stewart v. Allina Hosps. & Clinics, No. A05-100, 2005 WL 2143691, at *3 (Minn. App. Sept. 6, 2005). Nor is there Minnesota caselaw holding that hospitals or health care providers in general have a fiduciary duty to keep patient information entered through its websites private. The MHRA (or HIPAA) do not create a fiduciary duty on health care providers either, because a fiduciary duty is not expressly present. See Minn. Stat. § 144.293, subd. 2; see also Adams v. Eureka Fire Prot. Dist., 352 F. App’x 137, 139 (8th Cir. 2009) (stating HIPAA does not create a private right); Reed v. Highlands of Edinburgh Sixth Ass’n, No. A19-1345, 2020 WL 3042109, at *7 (Minn. App. June 8, 2020) (rejecting breach of fiduciary duty claim based on Minnesota statute that did not discuss the fiduciary duties owed). Plaintiffs’ reliance on Tucker v. Marietta Area Health Care, Inc., No. 2:22-CV- 184, 2023 WL423504, at *6 (S.D. Ohio Jan. 26, 2023), where a court found that medical providers in Ohio hold a fiduciary duty to keep patients’ medical information confidential, is not persuasive. That case is from outside this district and not precedential. Law will not be borrowed from another state to create a fiduciary duty that Minnesota has yet to recognize. See Ashley Cnty. Ark. v. Pfizer, Inc., 552 F.3d 659, 673 (8th Cir. 2009) (“[I]t is not the role of a federal court to expand state law in ways not foreshadowed by state precedent.”) (quotations omitted). HealthPartners’ motion to dismiss with respect to Count V is granted. F. Breach of Confidence – Count VI Plaintiffs assert a general “breach of confidence” claim against HealthPartners, based on HealthPartners’ alleged disclosure of Plaintiffs’ private medical information. HealthPartners asserts this claim should be dismissed because Minnesota has not recognized this cause of action. Plaintiffs cite two cases for the proposition that Minnesota has recognized a cause of action for breach of confidence. Neither case gets them there. In the first case, Mahoney & Hagberg v. Newgard, 729 N.W.2d 302, 309 (Minn. 2007), the issue was whether the defendant had absolute privilege. The court found the “breach of confidence” claim sounded in defamation, and concluded the absolute privilege barred the claim. There, (1) the “breach of confidence” claim was not the type of “breach of confidence” claim alleged here; and (2) the Minnesota Supreme Court did not recognize a “breach of confidence” claim as a legitimate cause of action. Plaintiffs’ other cited case—Goldberg v. Medtronic, Inc., 686 F.2d 1219, 1227 (7th Cir. 1982)—also does not support finding that Minnesota has recognized a “breach of confidence” cause of action. The Seventh Circuit, applying Minnesota law, looked to Cherne Industrial, Inc. v. Grounds & Associates, Inc., 278 N.W.2d 81 (Minn. 1979), an employment case, for an analogous claim. Id. However, Cherne involved a breach of an employment contract’s covenant not to compete and misappropriation of trade secrets. While confidential customer information was at issue, the claims were analyzed under causes of action based on contractually created duties, not under a general “breach of confidence” claim. Neither of the cases Plaintiffs rely on demonstrate Minnesota courts have affirmatively recognized a common law “breach of confidence” claim of the sort alleged here. Accordingly, Plaintiffs’ breach of confidence claim is dismissed with prejudice. G. Negligence – Count VII Plaintiffs claim common law negligence against HealthPartners, which requires pleading the following elements: the existence of a duty of care, breach, an injury, and breach of the duty as the proximate cause of the injury. See Lubbers v. Anderson, 539 N.W.2d 398, 401 (Minn. 1995). They also assert negligence per se, alleging that in failing to keep patient information confidential HealthPartners deviated from the standard of care established by the Minnesota Patients’ Bill of Rights and the Minnesota Health Records Act. (Doc. No. 67, Def.’s Mem. 28); see, e.g., Scott v. Indep. Sch. Dist. No. 709, Duluth, 256 N.W.2d 485, 488 (Minn. 1977). HealthPartners counters by asserting that the browsing metadata at issue are not confidential medical records and challenging the foreseeability of injury. Plaintiffs, however, have sufficiently alleged HealthPartners’ breach in protecting private communications and health data (Compl. ¶¶ 36–37, 41–42, 49, 64–65, 71, 80, 85, 93, 184–191), and the foreseeability of harm. (Compl. ¶¶ 234, 274.) In addition, Plaintiffs have alleged loss of privacy, mental anguish, diminished value of private information, and other forms of harm. (See Compl. ¶¶ 56–57, 77–78, 100–01, 324.) The forms of damages sought by Plaintiffs are cognizable. See Hall, 2023 WL 3435100, at *8 (stating the court was not persuaded that the forms of damages— diminished value of personal identifying information, anxiety, sleep disruption, stress, fear, or frustration—were foreclosed under Minnesota law). Thus, Plaintiffs’ allegations are sufficient, and HealthPartners’ motion with respect to Count VII is denied. H. Violation of Electronic Communications Privacy Act – Count VIII Plaintiffs allege HealthPartners violated the Electronic Communications Privacy Act (otherwise known as the Wiretap Act) by intentionally (1) intercepting; (2) disclosing; and (3) using, or endeavoring to use, the contents of Plaintiffs’ electronic communications, knowing they were obtained in violation of the Wiretap Act. The Wiretap Act prohibits the unauthorized interception of electronic communication and the intentional disclosure or use of the contents of an intercepted communication. 18 U.S.C. § 2511(1)(a), (c), (d). Section 2511(2)(d) of the statute provides a “party exception” when the person intercepting a communication “is a party to the communication or where one of the parties to the communication has given prior consent to such interception.” This “party exception” does not apply, however, if the “communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State”—known as the “criminal or tortious exception” or the “crime-tort exception.” 18 U.S.C. § 2511(2)(d). (i) Intercepting Contents of Communication HealthPartners argues Plaintiffs cannot show that an unlawful interception occurred or that the contents of a communication was intercepted. “Intercept” is defined under the Wiretap Act as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). Here, Plaintiffs have plausibly pled that an interception occurred. They allege that whenever they interacted with HealthPartners’ Websites, HealthPartners, through the Pixel imbedded in and run on the Websites, “contemporaneously and intentionally” redirected and disclosed the contents of Plaintiffs’ electronic communications to third parties. (Compl. ¶¶ 334, 336.) This is sufficient to allege interception at this stage. See United States v. Szymuszkiewicz, 622 F.3d 701, 703–04 (7th Cir. 2010) (holding defendant had intercepted communications when copies of e-mails were sent contemporaneously with the original e-mail); In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 22 (1st Cir. 2003) (finding an interception occurred because the communication and the interception were contemporaneous). Plaintiffs have also adequately pled that “content” was transferred. The Wiretap Act broadly defines “content” to include “any information concerning the substance, purport, or meaning of [a] communication.” 18 U.S.C. § 2510(8). With respect to URL data, courts have concluded that a URL with only basic identification and address information is not content. However, a URL that discloses a “search term or similar communication made by the user” can be considered a communication under the statute. Doe v. Meta Platforms, Inc., No. 22-cv-03580-WHO, 2023 WL 5837443, at *3 (N.D. Cal. Sept. 7, 2023) (quoting In re Zynga Priv. Litig., 750 F.3d 1098, 1108–09 (9th Cir. 2014)). Plaintiffs allege the communications intercepted included content regarding Plaintiffs’ private information, including “symptoms, medical conditions, physician lookup, treatment, medication, and scheduling.” (Compl. ¶ 337; see also id. ¶¶ 21, 140, 147, 184–91.) This is sufficient to allege covered “content” was transmitted. (ii) Exceptions HealthPartners contends that because it was the intended recipient of the communication from Plaintiffs, it was a party to those communications and cannot be liable under the Wiretap Act for its alleged interception of the communications. Plaintiffs contend that because the disclosure was through a simultaneous duplication of the communication, HealthPartners should not be exempt from liability under the party exception. Plaintiffs further contend that even if the party exception did apply, HealthPartners would be precluded from invoking the exception because its conduct falls within the “criminal or tortious exception” to the party exception. The Eighth Circuit has not addressed the question of whether an intended recipient party to a communication could be held liable under the Wiretap Act when there is simultaneous duplication and forwarding of information to a third party, or whether the intended recipient still falls under the party exception in that circumstance. The Third and Ninth Circuits have weighed in on the issue, each deciding differently. The Third Circuit’s reasoning is most persuasive. The Third Circuit’s focus is on whether the defendant is the intended recipient of a communication. If they are, then they are “necessarily one of its parties” and “have done nothing unlawful under the Wiretap Act,” even when they procured the conversation through a fraud in the inducement or through deceit. In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 142–43 (3d Cir. 2015); see also Kurowski v. Rush System for Health, No. 22 C 5380, 2023 WL 2349606, at *3–4 (N.D. Ill. Mar. 3, 2023) (following the Third Circuit’s reasoning and applying the party exception). The Third Circuit examined the Wiretap Act’s history and considered the Sixth and Fifth Circuits’ interpretation of that history, and concluded that having no language in the statute “by which the defendants’ various alleged deceits would vitiate their claims to be parties to the relevant communications” was by design. In re Google Inc., 806 F.3d at 144. The Ninth Circuit’s view—finding that an entity’s simultaneous, unknown duplication and forwarding of communications made to a web page’s server does not qualify for the party exemption—is not supported by the very cases it found persuasive. See Kurowski, 2023 WL 2349606, at *4 (finding the First and Seventh Circuit cases relied upon by the Ninth Circuit in In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 608 (9th Cir. 2020), unpersuasive). The First and Seventh Circuit cases relied on by the Ninth Circuit focused on the interception of the communication at issue, not on the intended recipient of the communication. The plain language of the statute indicates that the party exception applies to the party who was the intended recipient of the communication. Here, it indisputably was HealthPartners that was the intended recipient of the communications. HealthPartners is therefore a party to those communications and cannot be liable under the Wiretap Act for its alleged interception of them—unless the “criminal and tortious” exception to the party exception applies. The party exception does not apply where the interceptor acts “for the purpose of” committing any crime or tort in violation of state or federal law. 18 U.S.C. § 2511(2)(d). The crime-tort exception therefore focuses on whether “the purpose for the interception—its intended use—was criminal or tortious.” In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 796 (N.D. Cal. 2022) (emphasis in original) (quoting Sussman v. Am. Broad. Companies, Inc., 186 F.3d 1200, 1202 (9th Cir. 1999)). “The existence of a lawful purpose does not sanitize an interception that was also made for an illegitimate purpose.” Id. For Plaintiffs’ Wiretap Act claim to survive a motion to dismiss, they must allege that either the “primary motivation or a determining factor in [HealthPartners’] actions has been to injure [P]laintiffs tortiously.” Brown v. Google LLC, 525 F. Supp. 3d 1049, 1067 (N.D. Cal. 2021) (quotations and citation omitted). HealthPartners contends that Plaintiffs have not pled facts showing that it intercepted any alleged communication for the purpose of committing a tortious or criminal act, and that any allegations in this regard by Plaintiffs are conclusory. Not so. Plaintiffs allege the primary motivation in HealthPartners’ interception and disclosure was to commit wrongful and tortious acts, “namely, the use of patient data for advertising in the absence of express written consent,” and the use “for marketing and revenue generation was in violation of HIPAA and an invasion of privacy.” (Compl. ¶ 228; see also id. ¶ 340 (alleging HealthPartners used the communications “for its own business purposes . . . for its own gain”).) Plaintiffs also allege that HealthPartners “would not have been able to obtain the information or the marketing services if it had complied with the law.” (Id. ¶ 359.) Plaintiffs specifically list the various laws they allege HealthPartners purposefully violated and then continue for multiple paragraphs explaining how these laws were violated. (See Compl. ¶¶ 347–57 (listing HIPAA, Minnesota’s Unauthorized Computer Access statute, Minnesota’s Patient’s Bill of Rights, MHRA, Minnesota Unfair Deceptive Trade Practices Act, and Invasion of Privacy).) As previously explained, Plaintiffs’ claims for invasion of privacy and violations of the MHRA are viable claims. And, unlike the other districts HealthPartners cites to, this district has not found that the crime-tort exception to the Wiretap Act is inapplicable where the defendant’s primary motivation was to make money. Cf. In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 796–97 (citing cases from the Ninth Circuit and the Northern District of California). “There is a not-insignificant chance, then, that plaintiffs may be able to show that the crime-tort exception applies.” Id. at 797 (citing Brown, 525 F. Supp. 3d at 1067) (finding the crime-tort exception may apply where plaintiffs “adequately alleged that Google’s association of their data with preexisting user profiles violated state law, including . . . intrusion upon seclusion, and invasion of privacy”)). This case is at the pleading stage. While Plaintiffs have alleged HealthPartners’ motivations, determination of HealthPartners’ actual purpose for installing and using the Pixel Code requires a factual undertaking. Plaintiffs, without the benefit of discovery, have met the pleading requirements to plausibly allege the crime-tort exception applies. Therefore, the Wiretap Act claim moves forward. I. Minnesota Uniform Deceptive Trade Practices Act – Count IX Plaintiffs’ final claim in their Complaint is for violation of the Minnesota Unfair and Deceptive Trade Practices Act (“MUDTPA”). The MUDTPA describes conduct that constitutes deceptive trade practices, including “caus[ing] likelihood of confusion or of misunderstanding as to . . . certification of goods or services,” “engag[ing] in (i) unfair methods of competition, or (ii) unfair or unconscionable acts or practices,” and “engag[ing] in any other conduct which similarly creates a likelihood of confusion or misunderstanding.” Minn. Stat. § 325D.44, subd. 1(2), (13), (14). HealthPartners argues that Plaintiffs’ MUDTPA claim fails to satisfy the heightened pleading standards of Federal Rule of Civil Procedure 9(b), with respect to the alleged “fraud” and any future damages. Rule 9(b) provides that “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake.” Fed. Rule. Civ. P. 9(b). MUDTPA claims are subject to this heightened pleading standard, and therefore must contain “factual allegations explaining the who, what, when, where and how,” of the allegedly deceptive conduct. E–Shops Corp. v. U.S. Bank Nat’l Ass’n, 678 F.3d 659, 665–66 (8th Cir. 2012). However, a complaint need not be filled with precise detail to satisfy Rule 9(b); a main purpose of the rule is to “facilitate a defendant’s ability to respond and to prepare a defense to charges of fraud.” Commercial Prop. Invs., Inc. v. Quality Inns Int’l, Inc., 61 F.3d 639, 644 (8th Cir. 1995). The level of particularity required depends on the nature of the case. BJC Health Sys. v. Columbia Cas. Co., 478 F.3d 908, 917 (8th Cir. 2007). The Complaint identifies with adequate particularity the fraudulent conduct. Plaintiffs allege that HealthPartners: (1) promis[ed] to protect Plaintiffs’ and Class Members’ Private Information via its Privacy Policies and then, in fact, knowingly, transmit[ed] Plaintiffs’ and Class Members’ Private Information to third parties, such as Facebook; (2) unlawfully disclos[ed] Plaintiffs’ and Class Members’ Private Information to Facebook; (3) fail[ed] to disclose or omit[ed] material facts that the Plaintiffs’ and Class Members’ Private Information would be disclosed to third parties; (4) fail[ed] to obtain Plaintiffs’ and Class Members’ consent in transmitting Plaintiffs’ and Class Members’ Private Information to Facebook; and (5) knowingly violat[ed] industry and legal standards regarding the protection of Plaintiffs’ and Class Members’ Private Information. (Compl. ¶ 366; see also id. ¶¶ 192–97.) The Complaint provides the years that each named Plaintiff began using HealthPartners’ Website and includes examples of nine specific dates that HealthPartners’ Pixel transmitted one of the named Plaintiffs’ communications to Facebook. (Id. ¶¶ 38, 61, 82, 189.) Plaintiffs also allege that HealthPartners’ actions constitute “deceptive and unfair acts or practices because Defendant knew its Website contained the Pixel and CAPI and also knew the Pixel and CAPI would be unknown and/or not easily discoverable by Plaintiffs and Class Members.” (Id. ¶ 367; see also id. ¶¶ 22, 31, 51, 141 (stating that HealthPartners installed the Pixel and CAPI to “secretly track patients”). Plaintiffs’ allegations contain information indicating the who, what, when, where, and how of the alleged fraud, and are sufficient to allow HealthPartners to understand what is alleged and respond. See McGregor v. Uponor, Inc., No. CIV 09-1136 (ADM/JJK), 2010 WL 55985, at *4 (D. Minn. Jan. 4, 2010) (finding allegations sufficient and stating that “a plaintiff is not required to plead the exact dates on which misrepresentations were made”). Plaintiffs’ allegations in support of the MUDTPA claim are in compliance with Rule 9(b). HealthPartners also contends Plaintiffs’ MUDTPA claim must be dismissed because there are no allegations of future or prospective damages. This is not correct. Plaintiffs do allege future harms. They allege that because of HealthPartners’ conduct, Plaintiffs face “the continued and ongoing risk to their Private Information.” (Compl. ¶ 34.) And, as to each Plaintiff, they allege that they will suffer “the continued and ongoing risk of harassment, spam, and targeted advertisements specific to [their] medical conditions and other confidential information [they] communicated to Defendant via the Website.” (Id. ¶¶ 56, 77, 100.) Thus, Plaintiffs’ MUDTPA allegations are sufficient, and HealthPartners’ motion with respect to Count IX is denied. ORDER IT IS HEREBY ORDERED that: 1. Defendant HealthPartners’ Motion to Dismiss Under Fed. R. Civ. P. 12(b)(6) (Doc. No. 65) is GRANTED IN PART and DENIED IN PART. Counts V (breach of fiduciary duty) and VI (breach of confidence) of the Consolidated Class Action Complaint are DISMISSED WITH PREJUDICE. The motion is otherwise denied. Date: December 21, 2023 s/ Jerry W. Blackwell JERRY W. BLACKWELL United States District Judge

Document Info

Docket Number: 0:23-cv-00267

Filed Date: 12/21/2023

Precedential Status: Precedential

Modified Date: 6/24/2024