A federal judge has almost entirely dismissed a class action lawsuit accusing Rush University Health System of exposing private patient information through use of the MyChart digital service.
Marguerite Kurowski and Brenda McClendon alleged Rush, with deceit and without consent, embedded third-party source code on both its website and the MyChart patient portal, a widely used website and smartphone application for medical records, appointments, prescriptions, test results and other information. The women further alleged the source code transmits personal patient data to Facebook, Google and Bidtellect for advertising.
Their federal lawsuit includes claims for violation of the federal Wiretap Act — as amended in 1986 by the Electronic Communications Privacy Act — breach of implied duty of confidentiality, violation of both the Illinois Consumer Fraud and Deceptive Business Practices and Uniform Deceptive Trade Practices acts, and intrusion upon seclusion.
The technical aspect of the allegations involves Rush’s use of Google Tag Manager on its website, which the plaintiffs said is a nested frame that “funnels web bugs for third parties to secretly acquire the content of patient communications without any knowledge, consent, authorization or further action of patients.” Rush insisted the “bugs” in question are metadata commonly transmitted during routine website use.
In an opinion filed March 3, U.S. District Judge Matthew Kennelly granted Rush’s motion to dismiss everything aside from the Deceptive Trade Practices Act allegation.
In arguing for dismissal, Rush said that, under the Wiretap Act, it is a party to the communications with its patients and therefore can’t be held liable for alleged data interception on the part of Facebook, Google or Bidtellect. Kennelly said federal appeals courts have split on arguments about the so-called “party exception” clause, but noted none have answered whether a defendant is legally considered a party to an intercepted communication.
Because he determined Rush was the intended recipient of information, such as an appointment scheduling request, Kennelly said the nonprofit hospital company can’t be liable under the Wiretap Act. He further explained the complaint doesn’t have enough allegations “to support an inference that Rush disclosed its patients’ individually identifiable health information.”
While the complaint relies on U.S. Department of Health and Human Services guidance suggesting online tracking technology can violate the Health Insurance Portability and Accountability Act, he agreed with Rush “that such regulatory guidance only applies prospectively.” He said the complaint includes hypothetical suggestions regarding what might happen when anyone clicks on certain parts of Rush’s website, not what happens when an actual Rush patient uses MyChart.
Kennelly further rejected plaintiffs’ argument that Rush, by providing access to MyChart, reaches the legal definition of an electronic communication service. Rush is a licensee, he explained, buying MyChart service through its creator, Epic, which isn’t a party to the lawsuit. He also agreed with Rush that Illinois law doesn’t allow breach of the implied duty of confidentiality lawsuits for disclosing private health information. Even if that were the case, he added, scope is limited to legal violations of doctor-patient privilege.
“Rush's privacy notice contemplates the protection of care-related patient information,” Kennelly wrote. “It does not contemplate the protection of a patient's name, IP address, cookie identifier or other device-related identifying information unconnected with information about the patient's care.”
The complaint also failed to allege the type of “actual, pecuniary loss” the Illinois Consumer Fraud and Deceptive Business Practices Act requires, Kennelly said, finding no basis under the state law to allow a lawsuit based only on a “privacy injury.”
Regarding the Uniform Deceptive Trade Practices Act claim, Kennelly said the law’s only remedy is an injunction, meaning the women can’t pursue financial damages, at least in part because they didn’t allege financial loss. Although Rush argued it isn’t deceiving patients, Kennelly said the women remain Rush patients, must use the hospital’s online services to obtain medical care and none of Rush’s legal defenses suggest it stopped using the contested source code. As such, the alleged future harm does support a claim for injunctive relief.
Finally, Kennelly tossed the invasion of privacy claim, based on intrusion upon seclusion, by restating his assertion Rush was the intended recipient of the communications supporting the lawsuit.
“Patients trusted that communications and queries directed at Rush, their health care provider, would be kept private,” Kennelly wrote. “In other words, harm for which Rush is responsible, if any, is its disclosure of patient data (which, as alleged, is not protected private health information) — not the obtaining of that data. The actual intrusion upon patients' seclusion, via interception of their communications, is carried out by third parties.”
Kennelly gave Rush until March 24 to respond to the surviving claim for injunctive relief and set a telephone status hearing for April 10.
Plaintiffs are represented in the case by attorneys Adam J. Levitt, Amy E. Keller, Nada Djordjevic, Sharon Cruz, David A. Straite and Corban Rhodes, of the firm of DiCello Levitt, of Chicago and New York; and Jason ‘Jay’ Barnes, Eric S. Johnson and Jennifer Marie Paulson, of Simmons Hanly Conroy, of New York and Alton.
Rush is represented by attorneys David A. Carney and Bonnie Keane DelGobbo, of the firm of Baker & Hostetler, of Cleveland and Chicago.