A federal judge won’t let Rush University Health System end a class action accusing it of improperly allowing tech giants like Google and Meta to monitor patient activity by installing tracking technology on MyChart patient portals.
Marguerite Kurowski and Brenda McClendon sued Rush in September 2022, alleging the medical system’s MyChart network secretly deploys technology from Facebook, Google and Bidtellect allowing real-time access to things like patient-doctor relationships and medical conditions and enabling the companies to deliver targeted advertising.
In an opinion filed July 18, U.S. District Judge Matthew Kennelly noted he has already issued two decisions on Rush’s motions to dismiss and another granting the plaintiffs leave to file a second amended complaint. That complaint, subject to Rush’s motion for judgment on the pleadings, includes an allegation of violating the federal Wiretap Act, the Illinois Eavesdropping Act and breach of contract.
According to Kennelly, the most recent version of the complaint adequately alleged Rush was both intercepting and transmitting individually identifiable health information as defined under the Health Insurance Portability and Accountability Act, and that it does so for financial gain. While Rush didn’t dispute the plausibility of an alleged HIPAA violation, it did say Kennelly was wrong to say the complaint could invoke an exception for crimes or torts.
“Specifically, Rush emphasizes that the crime-or-tort exception does not apply ‘merely because Rush allegedly violated the law,’ ” Kennelly wrote. “Instead, the exception requires that Rush acted ‘for the purpose of committing any criminal or tortious act.’ In Rush’s view, this ‘purpose’ requirement precludes application of the crime-or-tort exception to its conduct because it was not on notice that its conduct violated HIPAA.”
Kennelly said Rush’s position would require him “to read a heightened willfulness requirement” into the exception and said the fact the plaintiffs alleged Rush knew it was scraping data is sufficient to avoid judgement on the Wiretap Act claim. Taking the plaintiffs’ allegations as true, he said, means accepting Rush could “select which specific pages within its web properties would intercept and transmit patients’ communications to Facebook, Google and Bidtellect, and that it actively chose to employ the tracking technology on certain pages of its website that were likely to contain (individually identifiable health information), such as within the MyChart patient portal or on pages prompting patients to schedule appointments.”
The complaint said Rush had the option to anonymize patients’ internet protocol addresses but declined to take that step, pointing toward the conscious desire to collect and send personal information. Kennelly rejected Rush’s argument that it had only financial motives, not a plan to break a law, noting “many crimes and torts are motivated by a desire to make money.” He said the relevant HIPAA provision doesn’t mandate or eliminate motive as a factor.
Further, Kennelly said, even if the plaintiff was required to allege Rush knew its conduct was illegal, the second amended complaint meets that bar by alleging the system would know what constitutes protected data under HIPAA. Rush tried to use the timing of a U.S. Department Health and Human Services bulletin as a statutory shield, with respect to its timing in the context of the initial complaint, but Kennelly noted the amended complaint cited that bulletin as stating “it has always been true that regulated entities may not impermissibly disclose (personal health information) to tracking technology vendors.”
Kennelly said Rush couldn’t “viably contend that there is some kind of legal gray area” around the type of data the plaintiffs included in the amended complaint, although he said whether Rush actually collected that data remains to be proven at trial, which also is true of whether Rush was or wasn’t aware of the tracking technology.
He further rebuffed Rush’s effort to have the U.S. Seventh Circuit Court of Appeals certify a question regarding the Wiretap Act, finding the proposed query isn’t a pure legal question likely to advance the end of the lawsuit.
Kennelly did agree Rush was entitled to judgment on the breach of contract claim, finding the complaint doesn’t adequately allege actual damage as a result of the purported legal violations. But he rejected Rush’s challenge to the state eavesdropping law allegation, which was rooted in an argument plaintiffs can’t pursue punitive damages in the absence of legal harm.
He said the plaintiffs correctly asserted “the Eavesdropping Act does not expressly require that a plaintiff show ‘actual damage’ to seek recovery” and said privacy violations are legal injuries even without economic harm. There is no automatic entitlement, Kennelly continued, noting plaintiffs must prove a right to punitive and compensatory damages.
The complaint, Kennelly wrote, alleges “Rush intentionally programmed its web properties to intercept and transmit patients’ sensitive health data specifically even though it knew it was not authorized to do so. This conduct is therefore akin to an intentional tort, and a reasonable factfinder could conclude that it was ‘accompanied by aggravated circumstances such as wantonness, willfulness, malice, fraud or oppression, or when the defendant acts with such gross negligence as to indicate a wanton disregard for the rights of others.’ ”
With two claims remaining, Kennelly set a status hearing for July 29.
Plaintiffs are represented by attorneys Nada Djordjevic, Adam J. Levitt, Amy E. Keller, David A. Straite and Corban Rhodes, of the firm of DiCello Levitt, of Chicago and New York; and attorneys Jason ‘Jay’ Barnes, Eric Johnson and Jenny Paulson, of Simmons Hanly Conroy, of New York.
Rush is represented by attorneys Bonnie Keane DelGobbo and David Carney, of the firm of Baker & Hostetler, of Chicago and Cleveland, Ohio.
Rush’s communications team declined a request for comment.