Kurowski v. Rush Sys. for Health
Adam J. Levitt, Nada Djordjevic, Amy Elisabeth Keller, Sharon Denise Cruz, DiCello Levitt Gutzler LLC, Chicago, IL, Corban Rhodes, David Straite, Pro Hac Vice, DiCello Levitt LLC, New York, NY, Eric S. Johnson, Jennifer Marie Paulson, Simmons Hanly Conroy, Alton, IL, Jay O. Barnes, Simmons Hanly Conroy, St. Louis, MO, for Plaintiffs.
David A. Carney, Baker & Hostetler, LLP, Cleveland, OH, Bonnie Keane DelGobbo, Baker & Hostetler LLP, Chicago, IL, for Defendant.
Marguerite Kurowski and Brenda McClendon (collectively Kurowski) have filed a complaint against Rush University System for Health (Rush) on behalf of a putative class of similarly situated persons. Kurowski alleges that Rush non-consensually and deceptively embedded third-party source code on its website and its MyChart patient portal. She further alleges that this source code, which is not visible to users of the website and portal, causes transmissions of her personally identifiable patient data to Facebook, Google, and Bidtellect for advertising purposes.
Kurowski filed this suit in federal court under the Class Action Fairness Act, 28 U.S.C. § 1332(d). She asserts claims for: (1) violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2511(1)(a), (c)-(d) and 18 U.S.C. § 2511(3)(a); (2) breach of an implied duty of confidentiality; (3) violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), 815 ILCS 505/2; (4) violations of the Illinois Uniform Deceptive Trade Practices Act (DTPA), 815 ILCS §§ 510/2(a); and (5) intrusion upon seclusion. Rush has moved to dismiss under Fed. R. Civ. P. 12(b)(6) for failure to state a claim upon which relief may be granted. For the reasons discussed below, the Court dismisses all of Kurowski's claims other than her DTPA claim.
Rush is a non-profit health system headquartered in Chicago. Kurowski and McClendon are both Illinois residents. The complaint states that Kurowski has been a Rush patient since approximately 2017 and that McClendon has been a Rush patient since approximately 1999. Both allege that they have been MyChart patient portal users since 2017.
Rush maintains web properties for its patients to obtain information related to care at Rush and—at least with respect to MyChart—exchange communications about appointments, billing, test results, prescription refills, and other treatment. For example, the homepage of Rush's website offers tools to patients such as "Find a Doctor," or "Schedule Appointment." Rush's website is publicly available. Rush's MyChart patient portal, however, is available only to Rush patients. On MyChart, patients can, among other functions, access their test results or directly message their provider. The MyChart portal "is a software system designed and licensed to Rush by Epic Software Systems," a privately owned, third-party software company. Compl. ¶ 25.
Kurowski alleges that she has a reasonable expectation of privacy "in [her] personally identifiable data and communications exchanged with Rush" that derives from her status as a patient, Rush's common law obligation to maintain patient confidentiality, state and federal laws and regulations, and Rush's express and implied promises of confidentiality. Id. ¶ 20. Kurowski alleges that the latter category, the express and implied promises of confidentiality, came via Rush's "Web Privacy Statement." The statement, which is linked at the bottom of Rush web properties, declares that "[Rush] do[es] not share information collected through the website with any third-party advertisers." Mot. to Dismiss, Ex. B. It also states:
Kurowski alleges that her reasonable expectation of privacy was violated by Rush's allegedly secret deployment of "custom analytics scripts"—for example, Google Analytics—within its web pages and within MyChart. Id. ¶ 29. Kurowski alleges that Rush deployed this source code without her knowledge, consent, or authorization. This source code, she alleges, allows for the "contemporaneous unauthorized interception and transmission of personally identifiable patient data and redirection of the precise content of patient communications with Rush" whenever a Rush patient uses a Rush web property. Id. ¶¶ 5, 30. The data Kurowski alleges was transmitted to Facebook, Google, and Bidtellect includes patient IP addresses, patient cookie identifiers, device identifiers, account numbers, URLs, other "unique identifying numbers, characteristics, or codes," and browser-fingerprints. Id. ¶ 33.
According to the complaint, the following is a shorthand description of how Kurowski alleges such patient data is transmitted in the background of Rush patients' day-to-day use of Rush web-properties. Web browsers use two basic commands to communicate with website servers: a GET request (typically used to retrieve data via a search or a click) and a POST request (typically used to send data that is entered onto a website and then submitted). Third parties often acquire the content of user communications through something called a web bug, which is either camouflaged directly on the page or funneled through an invisible tag manager. Kurowski alleges that "Rush deploys Google Tag Manager on its websites through an 'iframe,' a nested 'frame' that exists within the Rush web property that is, in reality, an invisible window through which Rush funnels web bugs for third parties to secretly acquire the content of patient communications without any knowledge, consent, authorization, or further action of patients." Id. ¶ 53.
Thus, when a patient clicks on a button that says "Schedule Your Appointment Now," Rush "causes the transmission of the patient's personally identifiable data and redirects the content of the patient's click of the 'Schedule Your Appointment Now' button to [third parties such as] Facebook." Id. ¶ 61. The complaint includes screenshots of the kinds of data that would hypothetically be disclosed to third parties during this interaction, namely, that "the patient engaged in an event ('ev') labeled 'SubscribedButtonClick,' that the 'button-Text' was 'Schedule Your Appointment Now,' that the button was clicked from https://www.rush.edu, and the details of the first-party fbp cookie assigned by Rush." Id. ¶ 62. Rush refers to this data as purely metadata that is commonly transmitted during routine Internet usage. Kurowski disputes that characterization and alleges that the data does include identifying information (such as a patient's IP address, cookie identifiers, and—if the first two are blocked—browser fingerprints) that can be used to direct targeted advertising to patients.
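The transmissions described above are the kind a site operator can look for in a capture of the browser's outbound requests. The following is an added example, not part of the opinion or the complaint: it scans a constructed request list for third-party requests that carry the page URL, click details, or identifiers. The hosts, values, and the parameter names `dl`, `buttonText`, and `cid` are assumptions; `ev` and `fbp` follow the complaint's description.

```javascript
// Added example: audit captured browser requests for page content sent to third parties.
// All hosts, paths and values below are constructed sample data.
const SAMPLE_REQUESTS = [
  { method: "GET", url: "https://www.hospital.example/schedule" },
  { method: "GET", url: "https://pixel.tracker.example/tr?ev=SubscribedButtonClick" +
      "&buttonText=Schedule%20Your%20Appointment%20Now" +
      "&dl=https%3A%2F%2Fwww.hospital.example%2F&fbp=fb.1.1700000000000.123456789" },
  { method: "POST", url: "https://stats.analytics.example/collect",
    postData: "t=pageview&dl=https%3A%2F%2Fwww.hospital.example%2Fmychart%2Fresults&cid=555.777" },
  { method: "GET", url: "https://cdn.fonts.example/font.woff2" },
];

// Parameters treated as identifiers (fbp per the complaint; cid is a hypothetical name).
const ID_PARAMS = new Set(["fbp", "cid"]);

// A host is first-party if it is the site's domain or a subdomain of it.
function isThirdParty(host, firstPartyDomain) {
  return host !== firstPartyDomain && !host.endsWith("." + firstPartyDomain);
}

function auditRequests(requests, firstPartyDomain) {
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (!isThirdParty(url.hostname, firstPartyDomain)) continue;
    // GET carries data in the query string; POST may also carry a form-encoded body.
    const params = [...url.searchParams, ...new URLSearchParams(req.postData || "")];
    const leaked = { host: url.hostname, method: req.method,
                     pageUrls: [], identifiers: [], events: [] };
    for (const [name, value] of params) {
      if (value.includes(firstPartyDomain)) leaked.pageUrls.push(value);
      if (ID_PARAMS.has(name)) leaked.identifiers.push(name);
      if (name === "ev" || name === "buttonText") leaked.events.push(`${name}=${value}`);
    }
    // Report only third-party requests that actually carry something about the visit.
    if (leaked.pageUrls.length || leaked.identifiers.length || leaked.events.length) {
      findings.push(leaked);
    }
  }
  return findings;
}

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS, "hospital.example"), null, 2));
```

Of the four sample requests, only the two third-party requests that carry visit data are reported; the first-party page load and the parameterless font fetch are not.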
Kurowski alleges that the value of data extracted "from people who use the Internet is well understood and generally accepted in the e-commerce industry." Id. ¶ 134. She therefore alleges that Rush profited from the patient data it disclosed to Facebook, Google, and Bidtellect without obtaining the patients' authorization.
To survive a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), the complaint must state a claim to relief that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). The court must view the complaint "in the light most favorable to the plaintiff, taking as true all well-pleaded factual allegations and making all possible inferences from the allegations in the plaintiff's favor." AnchorBank, FSB v. Hofer, 649 F.3d 610, 614 (7th Cir. 2011). Even so, the plaintiff must provide "some specific facts to support the legal claims asserted" and cannot rely on conclusory allegations to make his claim. McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011).
In count one, Kurowski alleges violations of the ECPA. The ECPA (also known as the Wiretap Act) provides that "any person who—(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral or electronic communication" may be subject to (among other things) a civil penalty. 18 U.S.C. § 2511(1)(a), (5)(a)(ii). The same is true for any person who intentionally discloses or uses, or endeavors to disclose or use, the contents of an intercepted communication. 18 U.S.C. § 2511(1)(c), (d). Section 2511(2)(d) of the statute provides an exception when the person intercepting a communication "is a party to the communication or where one of the parties to the communication has given prior consent to such interception." This so-called "party exception" does not apply, however, if the "communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State." 18 U.S.C. § 2511(2)(d). In addition, section 2511(3)(a) provides that "a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication . . . while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication . . . ." 18 U.S.C. § 2511(3)(a) (emphasis added).
Rush contends that, as a...