D. v. Piedmont Healthcare, Inc.
Filing 46
OPINION AND ORDER. 24 Plaintiff's Motion to Appoint Interim Co-Lead Class Counsel is GRANTED; 25 Piedmont's Motion to Dismiss the Original Complaint is DENIED as moot; and 30 Motion to Dismiss the Amended Complaint is GRANTED. Signed by Judge Thomas W. Thrash, Jr. on 08/28/2024. (bmr)
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF GEORGIA
ATLANTA DIVISION
T.D., individually and on behalf of all
others similarly situated, et al.,
Plaintiffs,
v.
PIEDMONT HEALTHCARE, INC.,
Defendant.
CIVIL ACTION FILE
NO. 1:23-CV-5416-TWT
OPINION AND ORDER
This is a putative class action case. It is before the Court on the
Plaintiffs’ Unopposed Motion to Appoint Interim Co-Lead Class Counsel [Doc.
24], the Defendant Piedmont Healthcare, Inc.’s Motion to Dismiss the Original
Complaint [Doc. 25], and the Defendant Piedmont’s Motion to Dismiss the
Amended Complaint [Doc. 30]. For the reasons set forth below, the Plaintiffs’
Unopposed Motion to Appoint Interim Co-Lead Class Counsel [Doc. 24] is
GRANTED; Piedmont’s Motion to Dismiss the Original Complaint [Doc. 25] is
DENIED as moot; and Piedmont’s Motion to Dismiss the Amended Complaint
[Doc. 30] is GRANTED.
I. Background [1]

[1] The Court accepts the facts as alleged in the Amended Complaint as
true for purposes of the present Motion to Dismiss. Wilding v. DNC Servs.
Corp., 941 F.3d 1116, 1122 (11th Cir. 2019).

This case arises from the Defendant Piedmont Healthcare, Inc.’s alleged
wrongful disclosure of the Plaintiffs’ confidential health information to
Facebook through the installation of several data collection and tracking tools
on Piedmont’s website and its MyChart patient portal. (Am. Compl. ¶¶ 2–3).
The Plaintiffs claim that a tracking tool called the Meta Pixel collected their
personally identifiable information (PII) and protected health information
(PHI) without their consent and then disclosed that information to Facebook
in violation of federal and state laws. (Id. ¶¶ 3, 15). The Plaintiffs contend that
Piedmont installed the Meta Pixel to optimize its advertising and marketing
at the expense of their privacy rights as patients. (Id. ¶¶ 1, 10). They bring
claims of (1) invasion of privacy; (2) breach of fiduciary duty; (3) negligence;
(4) breach of implied contract; (5) breach of contract; (6) unjust enrichment;
and (7) violations of the Electronic Communications Privacy Act. Piedmont
now moves to dismiss all claims against it for failure to state a claim.
II. Legal Standard
A complaint should be dismissed under Rule 12(b)(6) only where it
appears that the facts alleged fail to state a “plausible” claim for relief. Ashcroft
v. Iqbal, 556 U.S. 662, 678 (2009); Fed. R. Civ. P. 12(b)(6). A complaint may
survive a motion to dismiss for failure to state a claim, however, even if it is
“improbable” that a plaintiff would be able to prove those facts; even if the
possibility of recovery is extremely “remote and unlikely.” Bell Atl. Corp. v.
Twombly, 550 U.S. 544, 556 (2007). In ruling on a motion to dismiss, the court
must accept the facts pleaded in the complaint as true and construe them in
the light most favorable to the plaintiff. See Quality Foods de Centro Am., S.A.
v. Latin Am. Agribusiness Dev. Corp., S.A., 711 F.2d 989, 994-95 (11th Cir.
1983); see also Sanjuan v. American Bd. of Psychiatry & Neurology, Inc., 40
F.3d 247, 251 (7th Cir. 1994) (noting that at the pleading stage, the plaintiff
“receives the benefit of imagination”). Generally, notice pleading is all that is
required for a valid complaint. See Lombard’s, Inc. v. Prince Mfg., Inc., 753
F.2d 974, 975 (11th Cir. 1985). Under notice pleading, the plaintiff need only
give the defendant fair notice of the plaintiff’s claim and the grounds upon
which it rests. See Erickson v. Pardus, 551 U.S. 89, 93 (2007) (citing Twombly,
550 U.S. at 555).
III. Discussion
Piedmont moves to dismiss all seven of the Plaintiffs’ claims for failure
to state a claim. It contends that the Plaintiffs either fail to sufficiently plead
one or more elements of the respective claims or plead allegations that bar the
claims. (Br. in Supp. of Def.’s Mot. to Dismiss, at 1–2). The Court addresses the
claims and the parties’ arguments in support thereof in turn.
A. Invasion of Privacy – Intrusion Upon Seclusion (Count I)
As one judge has said recently, “[t]hese days, it is widely understood that
when browsing websites, your behavior may be tracked, studied, shared, and
monetized. So it may not come as much of a surprise when you see an online
advertisement for fertilizer shortly after searching for information about
keeping your lawn green. But what about if you visit your hospital’s website
and browse information about a medical condition that may be of particular
concern?” Santoro v. Tower Health, 2024 WL 1773371, at *1 (E.D. Pa. Apr. 24,
2024). This is such a case where expectations of privacy may collide with
modern technology. Piedmont contends that the Plaintiffs’ intrusion upon
seclusion claim should be dismissed because they fail to plausibly plead an
intrusion or actionable intent, or that any intrusion was reasonably offensive
or objectionable. (Br. in Supp. of Def.’s Mot. to Dismiss, at 6–7). Piedmont first
argues that the Plaintiffs fail to allege an intrusion because they willingly
provided their private information to Piedmont and because Piedmont’s
alleged disclosure of that information to Facebook does not constitute an
intrusion. (Id. at 7–8). Piedmont also contends that the Plaintiffs fail to plead
that it “intended to intrude into any private concern of Plaintiffs in a manner
that would be offensive or objectionable to a reasonable person” or that any
intrusion was either offensive or objectionable. (Id. at 8–11).
In response, the Plaintiffs argue that Piedmont intruded on their
privacy when it used the Meta Pixel to secretly transmit their PII and PHI to
a third party for commercial gain. (Resp. Br. in Opp’n to Def.’s Mot. to Dismiss,
at 16). They argue that they had a reasonable expectation of privacy in the
information they disclosed. (Id. at 17). And they contend that the alleged
intrusion was highly offensive and objectionable because it included specific
doctors’ appointments and personal identifiers from the patient portals where
they believed their information was safe and secure. (Id. at 20–21).
“The tort of intrusion involves an unreasonable and highly offensive
intrusion upon another’s seclusion.” Summers v. Bailey, 55 F.3d 1564, 1566
(11th Cir. 1995). “The ‘unreasonable intrusion’ aspect of the invasion of privacy
involves a prying or intrusion, which would be offensive or objectionable to a
reasonable person, into a person’s private concerns.” Yarbray v. S. Bell Tel. &
Tel. Co., 261 Ga. 703, 705 (1991) (citation omitted). This tort requires “a
plaintiff [to] show a physical intrusion which is analogous to a trespass;
however, this ‘physical’ requirement can be met by showing that the defendant
conducted surveillance on the plaintiff or otherwise monitored [the plaintiff’s]
activities.” Sitton v. Print Direction, Inc., 312 Ga. App. 365, 369 (2011)
(quotation marks and citations omitted).
Cases like this have sprouted like weeds in recent years. In the Court’s
view, it seems that the weight of authority in similar pixel tracking cases is
now solidly in favor of Piedmont’s argument. There is no intrusion upon
privacy when a patient voluntarily provides personally identifiable
information and protected health information to his or her healthcare provider.
See Allen v. Novant Health, Inc., 2023 WL 5486240, at *2 (M.D.N.C. Aug. 24,
2023) (“Because the plaintiffs acknowledge in the complaint that they
voluntarily provided their information directly to Novant . . . they have not
alleged an intrusion or unauthorized prying and this claim is dismissed.”);
Okash v. Essentia Health, 2024 WL 1285779, at *7 (D. Minn. Mar. 26, 2024)
(“Because Okash voluntarily provided his data to Essentia, Essentia did not
intrude upon his seclusion and the Court will dismiss Count I.”); Steinberg v.
CVS Caremark Corp., 899 F. Supp. 2d 331, 342–43 (E.D. Pa. 2012) (“The
plaintiffs acknowledge that they voluntarily disclosed the information later
disseminated by the defendants, and argue that their claim is premised not on
the receipt of that information but instead on its sale to third parties. . . . This
argument is unavailing. In Pennsylvania, liability for intrusion upon seclusion
cannot exist where a defendant legitimately obtains information from a
plaintiff.”); Kurowski v. Rush Sys. for Health, 659 F. Supp. 3d 931, 944 (N.D.
Ill. 2023); Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709, at *9 (W.D.
Wash. May 13, 2024) (“Because Plaintiff voluntarily shared her information
with Defendant, there was no intrusion upon Plaintiff's solitude, seclusion, or
private affairs by Defendant.”). But see, In re Grp. Health Plan Litig., 2023 WL
8850243 (D. Minn. Dec. 21, 2023) (Patients adequately alleged that health care
organization committed intentional intrusion into their seclusion, as required
to state claim for intrusion upon seclusion under Minnesota law; patients
alleged that organization deliberately integrated tracking tool into its website
and servers which intercepted and shared communications with third parties,
including social media company). The motion to dismiss should thus be granted
as to the intrusion upon seclusion claim.
B. Breach of Fiduciary Duty (Count II)
Piedmont next contends that the Plaintiffs’ breach of fiduciary duty
claim should be dismissed because they fail to plausibly plead a breach of any
fiduciary duty, causation, or damages. (Br. in Supp. of Def.’s Mot. to Dismiss,
at 11–14). It argues that Georgia law does not recognize a health provider’s
duty to refrain from sending encrypted versions of private patient information
to third parties or to notify the patient of such disclosures. (Id. at 11). Piedmont
also claims that “the provision of encrypted information only to Facebook was
caused by Plaintiffs’ own provision and consent to such, not by any alleged
breach of fiduciary duty by Piedmont.” (Id. at 12). Finally, Piedmont contends
that the Plaintiffs fail to plausibly plead any damages, framing their
“overpayment, underpayment, and mitigation damages” theories as
insufficient to state a claim. (Id. at 12–14). In response, the Plaintiffs argue
that “Piedmont has a well-recognized fiduciary duty as a healthcare provider
and covered entity under HIPAA to safeguard its patients’ Private
Information.” (Resp. Br. in Opp’n to Def.’s Mot. to Dismiss, at 6–7). The
Plaintiffs also contend that they plausibly allege both causation and damages
sufficient to state a claim for breach of fiduciary duty. (Id. at 8–9, 13–16).
Under Georgia law, “a claim for breach of fiduciary duty requires proof
of three elements: (1) the existence of a fiduciary duty; (2) breach of that duty;
and (3) damage proximately caused by the breach.” Bedsole v. Action Outdoor
Advert. JV, LLC, 325 Ga. App. 194, 201 (2013) (citation omitted). Fiduciary
duties exist “where one party is so situated as to exercise a controlling
influence over the will, conduct, and interest of another or where, from a
similar relationship of mutual confidence, the law requires the utmost good
faith, such as the relationship between partners, principal and agent, etc.” Id.
(citing O.C.G.A. § 23-2-58).
The existence of a confidential or fiduciary relationship is a
question for the jury. Such relationship may be created by law,
contract, or the facts of a particular case. Moreover, because a
confidential relationship may be found whenever one party is
justified in reposing confidence in another, the existence of this
relationship is generally a factual matter for the jury to resolve.
Id. (citation omitted). This court has recognized that a defendant’s provision of
medical care to a plaintiff could suggest a confidential relationship sufficient
to state a claim for breach of fiduciary duty. Purvis v. Aveanna Healthcare,
LLC, 563 F. Supp. 3d 1360, 1383 (N.D. Ga. 2021). But this court has also
foreclosed certain types of damages claims, like the ones the Plaintiffs make
here, in cases involving alleged data privacy breaches. See, e.g., Everhart v.
Colonial Pipeline Co., 2022 WL 3699967, *2–5 (N.D. Ga. July 22, 2022); Provost
v. Aptos, Inc., 2018 WL 1465766, at *4 (N.D. Ga. Mar. 12, 2018).
The Court finds that the Plaintiffs have failed to state a plausible claim
for breach of fiduciary duty against Piedmont. Although this court in Purvis
noted that a defendant’s provision of medical care to a plaintiff could support
a claim for breach of fiduciary duty, the Plaintiffs here fail to plausibly plead
damages to support their claim. The Plaintiffs identify their damages as
including the following:
(i) invasion of privacy, including increased spam and targeted
advertising they did not ask for; (ii) loss of confidentiality;
(iii) embarrassment, emotional distress, humiliation and loss of
enjoyment of life; (iv) lost time and opportunity costs associated
with attempting to mitigate the consequences of the disclosure of
their Private Information; (v) loss of benefit of the bargain;
(vi) diminution of value of Private Information and (vii) the
continued and ongoing risk to their Private Information.
(Resp. Br. in Opp’n to Def.’s Mot. to Dismiss, at 13). These damages are alleged
in the identical conclusory fashion for each of the identified Plaintiffs. No facts
are alleged that any of the Plaintiffs have actually suffered any of these
damages. No facts are alleged that would explain how receiving targeted
advertisements from Facebook and Piedmont would plausibly cause any of the
Plaintiffs to suffer these damages. This is not a case where the Plaintiffs’
personal information was stolen by criminal hackers with malicious intent.
The Plaintiffs received targeted advertisements because they are Facebook
users and have Facebook IDs. The Court finds the Plaintiffs’ damages theories
untenable. Indeed, this court has rejected many identical theories arising
under similar circumstances. See Everhart, 2022 WL 3699967, *2–5; Provost,
2018 WL 1465766, at *4. The better view from other courts around the country
is that these types of damage claims are not actionable. See Steinberg v. CVS
Caremark Corp., 899 F. Supp. 2d 331, 339–40 (E.D. Pa. 2012) (“Other district
courts examining the issue have found that the collection and sale of this kind
of information does not carry a compensable value to consumers, and cannot
sustain a finding of injury without a specific showing that the plaintiff has
sustained a resulting loss.”). Accordingly, the Plaintiffs’ claim for breach of
fiduciary duty should be dismissed without prejudice.
C. Negligence, Breach of Contract, and Unjust Enrichment (Counts III–VI)
Piedmont also moves to dismiss the Plaintiffs’ claims for negligence,
negligence per se, breach of implied contract, breach of express contract, and
unjust enrichment. (Br. in Supp. of Def.’s Mot. to Dismiss, at 14–22). For the
same reasons as discussed above, the Court concludes that the Plaintiffs fail to
state a claim for negligence, breach of contract, or unjust enrichment because
they fail to plead actionable damages or unjust enrichment of Piedmont.
Accordingly, their negligence, breach of implied/express contract, and unjust
enrichment claims should be dismissed without prejudice.
D. Violations of the Electronic Communications Privacy Act (Count VII)
Finally, Piedmont moves to dismiss the Plaintiffs’ claim for violations of
the Electronic Communications Privacy Act, arguing that they fail to plausibly
allege an interception or a purpose to commit a crime or tort. (Br. in Supp. of
Def.’s Mot. to Dismiss, at 22–25). It argues that Piedmont could not have
intercepted the same transmission it received on its website, nor could it have
acted with a tortious or criminal purpose in seeking to drive marketing and
revenue. (Id. at 23–24). In response, the Plaintiffs contend that they state a
plausible ECPA claim, arguing that Piedmont intercepted the contents of their
PII and PHI when it acquired such information through the Meta Pixel on its
website and that the party exception is inapplicable because Piedmont acted
with criminal and tortious intent in “wiretapping” their PII and PHI. (Resp.
Br. in Opp’n to Def.’s Mot. to Dismiss, at 27–30).
The ECPA “prohibits the unauthorized interception of electronic
communication and the intentional disclosure or use of the contents of an
intercepted communication.” In re Grp. Health Plan, 2023 WL 8850243, at *6
(citing 18 U.S.C. § 2511(1)(a), (c), (d)).
Section 2511(2)(d) of the statute provides a “party exception”
when the person intercepting a communication “is a party to the
communication or where one of the parties to the communication
has given prior consent to such interception.” This “party
exception” does not apply, however, if the “communication is
intercepted for the purpose of committing any criminal or tortious
act in violation of the Constitution or laws of the United States or
of any State”—known as the “criminal or tortious exception” or
the “crime-tort exception.”
Id. (citation omitted). As was the case in the invasion of privacy context, the
weight of persuasive authority in similar pixel tracking cases supports
Piedmont’s position. See In re Google Inc. Cookie Placement Consumer Priv.
Litig., 806 F.3d 125, 142-43 (3d Cir. 2015) (“Because the defendants were the
intended recipients of the transmissions at issue—i.e. GET requests that the
plaintiffs’ browsers sent directly to the defendants’ servers—we agree that
§ 2511(2)(d) means the defendants have done nothing unlawful under the
Wiretap Act.”); Allen v. Novant Health, Inc., 2023 WL 5486240, at *4
(M.D.N.C. Aug. 24, 2023); Kurowski v. Rush Sys. for Health, 659 F. Supp. 3d
931, 938 (N.D. Ill. 2023) (“The Court concludes that Rush—and not Facebook,
Google, or Bidtellect—was the intended recipient of the allegedly intercepted
communications here. Rush is therefore a party to those communications and
cannot be liable under the Wiretap Act for its alleged interception of them, if
such an interception even occurred.”); Nienaber v. Overlake Hosp. Med. Ctr.,
2024 WL 2133709, at *15 (W.D. Wash. May 13, 2024); Santoro v. Tower Health,
2024 WL 1773371, at *3-4 (E.D. Pa. Apr. 24, 2024); Crowley v. Cybersource
Corp., 166 F. Supp. 2d 1263, 1268-71 (N.D. Ca. 2001); Okash v. Essentia
Health, 2024 WL 1285779, at *3-4 (D. Minn. Mar. 26, 2024). Accordingly, the
ECPA claim should be dismissed.
IV. Conclusion
For the foregoing reasons, the Plaintiffs’ Unopposed Motion to Appoint
Interim Co-Lead Class Counsel [Doc. 24] is GRANTED; Piedmont’s Motion to
Dismiss the Original Complaint [Doc. 25] is DENIED as moot; and Piedmont’s
Motion to Dismiss the Amended Complaint [Doc. 30] is GRANTED.
SO ORDERED, this 28th day of August, 2024.
______________________________
THOMAS W. THRASH, JR.
United States District Judge