A federal judge in the Western District of Washington recently dismissed a class action complaint accusing Overlake Hospital Medical Center of unlawfully disclosing the health data of patients who accessed its websites to third parties.  See Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709 (W.D. Wash. May 13, 2024).  Plaintiff Jacq Nienaber, an Overlake patient, alleged that the hospital shared her private data with Meta and other third parties through the use of the Meta Pixel and Meta’s Conversions Application Programming Interface on its public website and private patient portal. 

As a threshold matter, the court held that Plaintiff did not plausibly allege the disclosure of her personally identifiable information or protected health information.  The complaint included just two sentences describing Plaintiff’s own activities on Overlake’s websites, supported by hypothetical examples of how patient data could have been shared.  Considering these threadbare allegations, the court first found that Plaintiff had not plausibly alleged that any of her data was disclosed from the patient portal.  The complaint referred to the two websites collectively as “the Website,” but did not allege that analytics technologies were deployed on the portal or identify specific data that Plaintiff provided through the portal.  Likewise, Plaintiff also failed to show that any of her sensitive data was captured and transmitted to third parties from Overlake’s public website. 

With this finding in mind, the court then proceeded to dismiss the complaint on multiple grounds:

  • Electronic Communications Privacy Act (“ECPA”):  The court dismissed the ECPA claims as barred by the statute’s one-party consent exemption, reasoning that Overlake, as owner and operator of the website, could not unlawfully intercept its own communications with Plaintiff.  
  • Computer Fraud and Abuse Act (“CFAA”):  The court dismissed the CFAA claim because Plaintiff was unable to establish that Overlake exceeded authorized access to her computer.
  • Invasion of Privacy:  The court found that Plaintiff could not state an intrusion upon seclusion claim because any alleged intrusion was carried out by a third party, not Overlake.  It further rejected Plaintiff’s public disclosure of private facts claim, finding she had failed to allege disclosure of her data to the public at large or any highly offensive conduct.
  • Negligence:  Though the court found that Overlake had a duty to safeguard medical data under Washington law, it dismissed the negligence claim because Plaintiff did not show a breach of that duty.
  • Breach of Confidence:  The court dismissed this claim with prejudice because breach of confidence is not a recognized cause of action under Washington law.
  • Breach of Implied Contract:  The court dismissed the claim for failure to establish the existence of a valid contract to safeguard Plaintiff’s data.
  • Unjust Enrichment:  Even assuming Plaintiff had plausibly alleged that she conferred a benefit on Overlake by sharing her health data, the court held that she had also failed to show that she suffered a concrete detriment, or that Overlake’s retention of the benefit would be unjust.
  • Washington Consumer Protection Act:  The court dismissed the claim for failure to adequately allege an injury to Plaintiff’s business or property, as required to state a claim under the statute.

Plaintiff was granted leave to amend all but the breach of confidence claim.  Nonetheless, this decision should encourage defendants facing similar lawsuits to carefully scrutinize complaints for specific allegations describing how the plaintiff’s own information was captured or shared with third parties and evaluate whether such allegations are sufficient to state a claim.