Chilivis Grubman’s Chicago office defeated a putative class action brought against a rural Illinois hospital alleging privacy violations in the operation of its website. The case marked the latest of numerous nationwide copycat class action suits filed against health care providers which allege privacy violations.

In Noftz v. KSB Hospital, Case No. 2023LA00026 in the Circuit Court of Lee County, Illinois, the Plaintiffs, patients of KSB, alleged that, by installing the Meta Pixel and other third-party source code on its website, the hospital tracked and disclosed their personal health information (“PHI”) to Meta and other third parties in violation of HIPAA’s Privacy Rule and Section 5 of the Federal Trade Commission (“FTC”) Act. The Plaintiffs brought state law claims for negligence, invasion of privacy, breach of fiduciary duty, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), among other causes of action.

KSB Hospital was represented by Sanjay Karnik and Brittany Cambre. After KSB moved to dismiss the complaint, the Plaintiffs decided to amend their complaint to attempt to add more factual allegations. KSB then moved to dismiss the Amended Complaint. KSB first argued that each of the Plaintiffs lacked standing to bring suit because their personal allegations fell far short of alleging injury. As to each cause of action, KSB similarly argued that the Amended Complaint contained several pleading failures, the most important of which was that the Plaintiffs failed to allege any facts that would allow KSB or the Court to determine whether the information they allegedly entered on KSB’s public website even constitutes PHI.

Following briefing and oral argument on July 9, 2024, the Plaintiffs voluntarily dismissed their lawsuit. This dismissal comes on the heels of a decision by the U.S. District Court for the Northern District of Texas to vacate HHS-OCR guidance concerning “online tracking technologies,” which we wrote about earlier this month.

Time will tell if the recent surge of these copycat class action suits against HIPAA covered entities will continue. In the meantime, hospitals and other HIPAA entities and business associates should continue to monitor their website data practices and seek data privacy compliance advice from qualified counsel. 

Chilivis Grubman regularly advises hospitals, doctors’ groups, and other HIPAA-covered entities and business associates on HIPAA compliance and data privacy issues and defends lawsuits arising out of data breaches and online advertising uses.