A court in the Southern District of California recently dismissed for failure to state a claim a case contending that a health care corporation violated users’ privacy under California law.  See Cousin v. Sharp Healthcare, No. 22-CV-2040-MMA (DDL), 2023 WL 4484441 (S.D. Cal. July 12, 2023).

In the proposed class action suit against Sharp Healthcare, a non-profit that operates multiple hospitals and medical groups, plaintiffs alleged violations of privacy under the California Constitution and common law, as well as violations of the California Confidentiality of Medical Information Act (“CMIA”) and California Invasion of Privacy Act (“CIPA”).  Plaintiffs claimed that Sharp collected and shared patients’ personal and sensitive health information by incorporating a third-party pixel on Sharp’s website.

When addressing the plausibility of plaintiffs’ theory of their case, the court noted that plaintiffs’ allegations that Sharp disclosed personal and sensitive information to a third-party were “conclusory and devoid of any factual support.”  Plaintiffs also failed to state what particular information they provided to Sharp through browsing on the health care corporation’s website.  The court noted that even if the plaintiffs had supplied that information, their claims for invasion of privacy under the common law and the California Constitution would be subject to dismissal, as general search and browsing activity on a publicly facing website does not qualify as a “highly offensive” intrusion.  

In addition, the court found that plaintiffs’ allegations regarding information collection during the appointment booking process on Sharp’s website were based on hypothetical events.  Further, while plaintiffs claimed that they used the appointment scheduling page, which required them to enter information such as name, email, and phone number, the court noted that plaintiffs “vaguely then conclude that they entered ‘sensitive personal and health information’” on the page, an allegation which is “utterly devoid of factual enhancement.”

These factual deficiencies ultimately contributed to the court’s dismissal of plaintiffs’ CMIA and CIPA claims.  The court found that plaintiffs did not demonstrate unauthorized disclosure of medical information, or that a third-party viewed this information, as required to show a CMIA violation.  Similarly, plaintiffs did not show that their information was intercepted under CIPA.