Opinion
1:22-CV-727
03-01-2024
AFRIKA WILLIAMS, on behalf of herself and all others similarly situated, Plaintiff, v. DUKEHEALTH, Defendant.
MEMORANDUM OPINION, ORDER, AND RECOMMENDATION OF UNITED STATES MAGISTRATE JUDGE
Joi Elizabeth Peake, United States Magistrate Judge
This case arises from Defendant DukeHealth's use of technology called “Facebook Pixel,” on one of its webpages. Plaintiff Afrika Williams brings this proposed class action against DukeHealth alleging breach of contract, invasion of privacy, violation of the Electronic Communications Privacy Act, negligent misrepresentation, and negligence. This matter is before the Court on Defendant's Motion to Dismiss Amended Class Action Complaint [Doc. #48]. Defendant seeks to dismiss Plaintiff s claims against it on the basis of lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1) for lack of standing, and failure to state a claim pursuant to Federal Rule of Civil Procedure 12(b)(6). For the reasons set forth below, the Court recommends that Defendant's Motion be granted in part and denied in part.
I. FACTS, BACKGROUND, AND PROCEDURAL HISTORY
Plaintiff Afrika Williams is a patient in Defendant DukeHealth's healthcare system and also a user of Facebook. (Am. Compl. [Doc. #46] ¶¶ 31-32, 127.) As a patient of DukeHealth, Plaintiff utilized the “DukeMyChart” online patient portal to, among other things, review lab results, make appointments, and communicate with her DukeHealth medical providers. (Am. Compl. ¶¶ 3, 31, 127-128.)
“Facebookis a social media site and social networking service owned by Meta Platforms, Inc. f/k/a Facebook, Inc.” Sammons v. McCarthy, 606 F.Supp.3d 165, 181 n.8 (D. Md. 2022).
At some unspecified time, Defendant deployed computer code known as the Facebook Pixel tracking tool on its DukeMyChart patient portal. (Am. Compl. ¶¶ 1, 11, 32). The Facebook Pixel source code acts as a business tool that allows Facebook and the deploying entity to use customers'/patients' data and metadata to better target ads to them based on the information obtained about them. (Am. Compl. ¶¶ 15-18, 20, 58, 60.)
“When a patient communicates with a health care provider's website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient's communication with their health care provider to be re-directed to Facebook in a fashion that identifies them as a patient.” (Am. Compl. ¶¶ 2, 45, 11, 58-59, 61, 66-74, 80-81, 127.) The identity of the patient, the patient's IP address and device identifiers, and the fact that the “patient had previously been at a patient portal page about a particular health area/concern” are also re-directed to Facebook. (Am. Compl. ¶ 5.)
Defendant's privacy policy promises that Defendant “will protect the privacy of the patients' health information,” “will use and disclose their health information only for enumerated, permitted purposes,” and “will obtain the patient's/user's consent before disclosing their health information for any non-enumerated purpose.” (Am. Compl. ¶¶ 10 & n.l, 91.) Plaintiff alleges that this privacy policy formed a contract which Defendant breached by disclosing her personally identifiable information and protected health information. (Am. Compl. ¶¶ 124-126.) The disclosures enumerated in the Amended Complaint occurred without patient knowledge or consent. (Am. Compl. ¶¶ 4, 7, 13-14.)
Plaintiff was a patient at DukeHealth and used its patient portal login page during the time the Facebook Pixel was deployed. (Am. Compl. ¶¶ 3, 31-32.) The Complaint alleges that Defendant's “DukeMyChart patient portal uses the Facebook Pixel, through which it conveyed [Plaintiff s] patient status and health information to Facebook.” (Am. Compl. ¶¶ 32,127-128.) Plaintiff alleges that Defendant knew, or should have known, that the Facebook Pixel tracking tool was improperly used and resulted in the wrongful re-direction of patient communications to Facebook. (Am. Compl. ¶ 1.)
Originally Plaintiff brought this action alongside another plaintiff, Kim Naugle, alleging a total of eight claims against Defendant and two additional defendants: WakeMed and Meta Platforms, Inc. Plaintiff Williams, Plaintiff Naugle, and Defendant Meta Platforms thereafter filed a Joint Motion to Transfer and Sever [Doc. #16] which was granted [Doc. #39], after which the claims involving Meta Platforms were transferred to the United States District Court for the Northern District of California. On April 21, 2023, Kim Naugle filed a Notice of Voluntary Dismissal as to WakeMed [Doc. #44]. In an attempt to clarify which claims and which parties were still proceeding in this case, the Court directed Plaintiff Williams to file an Amended Complaint, which she did, listing herself as the sole Plaintiff and class representative and listing Defendant DukeHealth as the sole named Defendant, but seeking to sue a class of other unnamed medical providers who also deployed the Facebook Pixel.
The Amended Complaint brings five claims against Defendant: (1) Breach of Contract; (2) Invasion of Privacy; (3) Violation of Electronic Communications Privacy Act; (4) Negligent Misrepresentation; and (5) Negligence, including Negligence per se. Plaintiff seeks, among other things: certification of a Proposed Plaintiff Class, designating her as the named representative; certification of a Proposed Defendant Medical Provider Class, designating DukeHealth as the named representative; compensatory damages; statutory damages; and punitive damages.
Defendant has now moved to dismiss Plaintiff s Amended Class Action Complaint for lack of standing and failure to state a claim.
II. STANDARDS OF REVIEW
Under Federal Rule of Civil Procedure 12(b)(1), a party may seek dismissal based on the court's lack of subject-matter jurisdiction. Fed.R.Civ.P. 12(b)(1). Defendant specifically contends that the Court lacks subject matter jurisdiction because Plaintiff does not have standing to sue. To establish standing at the motion to dismiss stage a plaintiff must plausibly allege that: (1) it has suffered an injury in fact that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by judicial refief. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992); TransUnion LLC v. Ramirez, 594 U.S. 413, 423-24 (2021). “In sum, under Article III, a federal court may resolve only a real controversy with real impact on real persons.” TransUnion, 594 U.S. at 424 (internal quotation omitted).
Defendant here brings a facial challenge under Rule 12(b)(1), asserting that the Complaint alleges facts that, even if taken as true, do not establish subject matter jurisdiction. See Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009); Doe v. United States, 381 F.Supp.3d 573, 590 (M.D. N.C. 2019). In reviewing a facial challenge under Rule 12(b)(1), a district court should afford plaintiffs the same procedural protection as they would receive under Rule 12(b)(6) consideration. Kerns, 585 F.3d at 192-93; see also Willner v. Dimon, 849 F.3d 93, 99 (4th Cir. 2017). This means that “the facts alleged in the complaint are taken as true, and the motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction,” and the district court should construe all reasonable inferences in the manner most favorable to the plaintiff. Kerns, 585 F.3d at 192-93.
Defendant also moves to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6), contending that Plaintiff has failed to state a claim upon which relief can be granted. “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp, v. Twombly, 550 U.S. 544, 570 (2007)). This standard does not require “detailed factual allegations,” but it demands more than “an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id. A claim is facially plausible when the plaintiff provides enough factual content to enable the court to reasonably infer that the defendant is Hable for the misconduct alleged. Id. “The plausibikty standard is not akin to a ‘probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. In this way, Rule 12(b)(6) protects against meritless litigation by requiring sufficient factual allegations “to raise a right to relief above the speculative level” so as to “nudge[] the[] claims across the line from conceivable to plausible.” Twombly, 500 U.S. at 555, 570; see Iqbal, 556 U.S. at 680. The Court must accept as true all of the factual allegations contained in a complaint, but is not bound to accept legal conclusions. Iqbal, 556 U.S. at 678. Thus, “when there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief.” Id. at 679.
III. DISCUSSION
A. Standing
Because “standing is a threshold jurisdictional question” courts should address it first before moving on to the merits of the claims. See Garey v. James S. Farrin. P.C., 35 F.4th 917, 921 (4th Cir. 2022) (internal brackets and quotation omitted). In the Motion to Dismiss, Defendant raises two separate arguments for dismissal based on standing: (1) Plaintiff fails to allege an injury necessary to have standing to bring any claim against DukeHealth, the only named Defendant; and (2) Plaintiff has alleged no facts that could confer standing to bring any claim against unnamed medical providers.
1. Standing to bring claims against named Defendant DukeHealth
Defendant argues that Plaintiff Williams' Amended Complaint should be dismissed because she fails to plausibly show that she has standing to sue. (Def.'s Br. [Doc. #49] at 3, 7-10.) As noted above, in considering this facial challenge, the Court must accept all well- pleaded facts in the Complaint as true and construe them in the light most favorable to Plaintiff. Wikimedia Found, v. Nat'l Sec. Agency, 857 F.3d 193, 208 (4th Cir. 2017).
Defendant limits its arguments for dismissal to whether Plaintiff has sufficiendy alleged an injury in fact. Defendant's motion is thus silent on whether, to the extent there is an injury, this injury would be fairly traceable to Defendant's actions and likely to be redressed by judicial relief. Based on Defendant's motion, the Court likewise focuses its analysis on whether Plaintiff has sufficiently alleged an injury in fact.
According to Defendant, the Amended Complaint alleges only four types of potential injuries: “(1) disclosure of protected health information (‘PHP); (2) ‘lost benefit of their bargain'; (3) lost value of her personally identifying information (TIP); and (4) time and money spent on mitigation efforts.” (Def.'s Br. at 7; accord Am. Compl. ¶¶ 130,139,177.) Plaintiff s briefing notes an additional injury related to the lost benefit of their bargain, based on injury arising from a breach of contract. (Pl.'s Br. [Doc. #50] at 9.) After a thorough review of the Amended Complaint, the Parties' motion papers, and the relevant case law, the Court finds that Plaintiff has alleged sufficient concrete injury to confer standing at the pleading stage in this case.
To establish injury in fact, “a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc, v. Robins, 578 U.S. 330, 339 (2016) (internal quotations omitted). In evaluating a class action complaint, the Court will “analyze standing based on the allegations of personal injury made by the named plaintiffs.” Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc., 892 F.3d 613, 620 (4th Cir. 2018) (quoting Beck v. McDonald, 848 F.3d 262, 269 (4th Cir. 2017)). A class plaintiff is unable to meet her burden to establish standing “without a sufficient allegation of harm to the named plaintiff in particular.” Id. (internal brackets omitted). “The fact that an injury may be suffered by a large number of people does not of itself make that injury a nonjusticiable generalized grievance.” Wikimedia Found., 857 F.3d at 208 (quoting Spokeo, 578 U.S. at 339 n.7). At the pleading stage “general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim.” Hutton, 892 F.3d at 620 (internal quotation omitted).
Here, the Court finds that Plaintiff has sufficiently alleged, with all reasonable inferences drawn in Plaintiff s favor, that she has suffered a lost benefit of the bargain of what she thought she was receiving from Defendant's data-privacy policies, which were less stringent in practice than what Plaintiff bargained for, based on the facts alleged in the Amended Complaint. In addition, Plaintiff has alleged not just the disclosure of her personal health information, but its misuse by Facebook in targeted advertising. Therefore, Defendant's motion to dismiss should be denied to the extent it seeks dismissal on the ground of lack of standing.
In support of dismissal, Defendant does not contest that, properly alleged, lost benefit of the bargain may be an injury sufficient to confer standing. See In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 462-66 (D. Md. 2020) (“[I]t is enough to allege that there was an explicit or implicit contract for data security, that plaintiffs placed value on that data security, and that Defendants failed to meet their representations about data security.”); see also Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (8th Cir. 2016) (standing found where plaintiff alleged damages in the form of the difference between the value of a negotiated contract with a privacy policy in place and the same contract as performed by defendant where the privacy policy was not adhered to). Rather, Defendant argues that Plaintiff has not alleged that the services she purchased from Defendant were deficient because of the way in which Defendant handled her personal medical information or that she actually bargained for any level of data security. (Def.'s Br. at 8.) A fair reading of the Amended Complaint, with all reasonable inferences made in Plaintiff s favor, shows that she does so allege.
As acknowledged by Defendant (Def.'s Br. at 8), Plaintiff alleges that she was a patient who purchased medical care from Defendant (Am. Compl. ¶¶ 3, 31). As part of Defendant's provision of medical care, it made representations to Plaintiff about how it would handle her private information and in what situations it would, and would not, disseminate it to third parties. (Am. Compl. ¶¶ 10, 91, 124-127.) “Defendant's contracts stated that payment for their services would consist of a more limited set of collection of personal information than that which Defendant actually charged.” (Am. Compl. ¶¶ 130(f), 139(f).) Plaintiff states that she had an expectation of privacy surrounding her communications with Defendant, based in part on these promises to keep those communications private. (Am. Compl. ¶¶ 8,10, 91,124, 132-133, 136.) According to the Amended Complaint, Defendant did not honor these promises. In so doing, “[s]ensitive and confidential information including patient status and appointments that Plaintiff. . . intended to remain private are no longer private,” “Defendant eroded the essential confidential nature of the patient-provider relationship,” and “Defendant took something of value from Plaintiff.” (Am. Compl. ¶¶ 130(c)-(e), 139(c)-(e), 181(b)-(d).)
Thus, the Amended Complaint alleges that Plaintiff placed value on the level of stated medical privacy Defendant represented to her as part of the payment for its service, and that Defendant did not act in accordance with those representations, thus changing the value of what Defendant stated that the payments would provide and what they actually provided.
Plaintiff has therefore sufficiently alleged that she valued her privacy, that the contract to provide medical care included promises to maintain this privacy, that Plaintiff paid Defendant under the assumption that the payments reflected the price of care with narrowly constrained disclosure of her private information, and that Defendant more liberally disclosed private information without her knowledge or consent. Based on these allegations, she has suffered a concrete injury in fact in the form of lost benefit of the bargain. See also Carlsen, 833 F.3d at 909 (“Our court previously has held that a plaintiff who has produced facts indicating it was a party to a breached contract has a judicially cognizable interest for standing purposes, regardless of the merits of the breach alleged” and where the plaintiff “provided sufficient facts alleging that he is party to a binding contract” based on terms of service and a privacy policy, with an alleged breach based on disclosure of personal information to Facebook, the “allegation of breach is both concrete and particularized, as the breach allegedly already has occurred, and any consequences of the breach have occurred specifically to [plaintiff] as a result of the actions of [the] alleged systematic disclosure via the Facebook” (internal quotation omitted)).
Defendant cites to cases involving data breaches that had no clear impact on the value of the goods or services bargained for. See, e.g., Podroykin v. Am. Armed Forces Mut. Aid Ass'n, 634 F.Supp.3d 265, 272 (E.D. Va. 2022); Chambliss v. Carefirst, Inc., 189 F.Supp.3d 564, 572 (D. Md. 2016). In contrast, Plaintiff specifically alleges that, through its privacy notice, Defendant represented that it would not disseminate Plaintiffs private medical information without consent but nevertheless did disseminate that information without consent. Unlike an insurance company whose inadvertent data breach resulted in personal information, not directly related to the nature of the service provided, being stolen, the relationship between Plaintiff and Defendant entailed the provision of medical services and, at least in part, an agreement that information related to and necessary for this service would not be provided to a third-party without consent. Further, it was, according to the Amended Complaint, Defendant itself which chose to disseminate this information, whether actively or passively, in violation of its agreement, rather than having the information inadvertently stolen.
In this context and considering Plaintiff s allegation that Defendant's representation of what information would be kept private was at least a partial basis for the payments she made to Defendant, she has sufficiently alleged, at the pleading stage, standing from an injury resulting from the lost benefit of her bargain. See In re Marriott Inf1, 440 F.Supp.3d at 46266.
Additionally, and regardless of whether Plaintiff can state an independent claim for intrusion into seclusion, Plaintiff nevertheless independently alleges, as an injury, invasion of privacy and disclosure of private information. (Am. Compl. ¶¶ 130(b), 136, 139(b), 181(a).) “Various intangible harms can also be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion LLC, 594 U.S. at 425 (internal citation omitted). As such, the Fourth Circuit has recognized an injury in fact sufficient to establish standing where the “alleged harms are closely related to the invasion of privacy, which has long provided a basis for recovery at common law.” Garey v. James S. Farrin, P.C., 35 F.4th 917, 921 (4th Cir. 2022). As opposed to the data breach cases where plaintiffs attempted to sue not those responsible for taking the data but those responsible for allowing such a loss, Plaintiff here directly asserts that Defendant itself was the one that invaded her privacy. In addition, she does not rely on some possible future harm, such as a fear of possible identity theft. Instead, she alleges that her protected health information was specifically targeted by Facebook, was disclosed by Defendant to Facebook, and was then misused by Facebook in targeted advertising. Under these circumstances, the Amended Complaint sufficiently alleges that an injury in fact occurred as relates to the invasion of her privacy and disclosure of her private information. To the extent that there may be disputes regarding whether Plaintiff can actually show such misuse of any protected health information, that is not an issue that can be resolved on a motion to dismiss, and can instead be considered further on dispositive motions after discovery.
Therefore, having concluded that Plaintiff has pleaded an injury in fact sufficient to survive a motion to dismiss for lack of standing against DukeHealth, the Court will consider Defendant's 12(b)(6) arguments as relates to the named Defendant, DukeHealth. First, however, the Court must address Defendant's standing argument as relates to unnamed defendants.
2. Standing to bring claims against unnamed Defendants
Defendant also moves to dismiss the Amended Complaint on the ground that Plaintiff cannot bring a class action against unnamed defendants who have not harmed her. (Def's Br. at 9-10.) Plaintiff for her part concedes that “she states a personal claim against only her own Defendant Medical Provider.” (Pl.'s Br. at 2 n.2.) A review of the Amended Complaint confirms that she has not alleged any interaction with, let alone personal injury caused by, any Defendant medical provider other than Defendant DukeHealth.
The rule in federal cases is that an actual controversy must be extant at all stages of review. In the class action context, the Supreme Court has stated that Article III requirements must be met at the time the complaint is filed, and at the time the class action is certified by the District Court pursuant to Rule 23. Moreover, it is essential that named class representatives demonstrate standing through a requisite case or controversy between themselves personally and defendants, not merely allege that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.Cent. Wesleyan Coll, v. W.R. Grace & Co., 6 F.3d 177, 188 (4th Cir. 1993) (internal brackets and quotations omitted). Thus, “[i]n a multi-defendant action or class action, the named plaintiffs must establish that they have been harmed by each of the defendants.” Dash v. FirstPlus Home Loan Owner Tr. 1996-2, 248 F.Supp.2d 489, 504 (M.D. N.C. 2003).
With Plaintiff s concession in mind, and notwithstanding her desire to “represent a nationwide class of Plaintiffs against a class of Defendant Medical Providers whose patient portals deployed the Pixel,” (Pl.'s Br. at 2 n.2), she does not have standing to bring claims against such unnamed Defendants. Therefore, any purported claim made by Plaintiff against “a Defendant Class of Facebook Partner Medical Providers,” other than Defendant DukeHealth should be dismissed. See Cent. Wesleyan Coll., 6 F.3d at 188 (district courts must remain mindful that standing is a threshold, jurisdictional issue, and should attempt to resolve such issues as soon as possible).
B. Failure to State a Claim
Defendant next moves for dismissal under Rule 12(b)(6) for failure to state a claim upon which relief may be granted as to each of the individual claims asserted by Plaintiff. For the purposes of the motion before the Court, Defendant contends (Def.'s Br. at 10-11,13,1922), and Plaintiff assumes for the sake of argument, without conceding (Pl.'s Br. at 9), that North Carolina law controls Plaintiff s non-federal Breach of Contract, Invasion of Privacy, Negligent Misrepresentation, and Negligence claims. Plaintiff does not suggest any other state law that could apply or any basis to conclude that North Carolina law would not apply. Considering that Plaintiff does not contest the application of North Carolina law for the purposes of this Motion to Dismiss, the Court will analyze the non-federal claims under North Carolina law. See Allen v, Novant Health, Inc., No. 1:22-CV-697, 2023 WL 5486240, at *1-*3 & n.2 (M.D. N.C. Aug. 24, 2023) (applying North Carolina law for tort and contract claims, but noting that the Court could revisit the issue if later facts in discovery show that application of another state's law is appropriate).
In addressing these claims, the Court has relied on the analysis set out in two recent, similar cases involving challenges to the same Facebook Pixel against other healthcare providers, specifically a case involving similar claims against Novant Health, Inc. in this District (Allen v. Novant Health, Inc., L22CV697, 2023 WL 5486240 (M.D. N.C. Aug. 24, 2023) (Eagles, C.J.)) and a case involving similar claims against WakeMed in the North Carolina Business Court (Weddle v. WakeMed Health & Hosps., No. 22 CVS 13860, 2023 WL 8369786, at *2-3 ( N.C. Super. Ct. Dec. 4, 2023)). The conclusions reached here are the same as the conclusions reached in those cases.
1. Breach of Contract
The elements of a North Carolina claim of breach of contract are: “(1) existence of a valid contract and (2) breach of the terms of the contract.” Wells Fargo Ins. Servs. USA, Inc, v. Link, 372 N.C. 260, 276 (2019) (internal brackets and quotation omitted); accord Fitzgerald Fruit Farms, LLC v. Harris, 858 Fed.Appx. 625, 625 (4th Cir. 2021).
As noted above, Plaintiff alleges that, through its privacy notice and other promises, Defendant represented to its patients that “payment for [Defendant's] services would consist of a more limited set of collection of personal information” than what Defendant actually collected and that Defendant would not disclose certain patient health information without consent. (Am. Compl. ¶¶ 10, 90-91, 117-126, 130(f), 139(f).) Despite these promises, Defendant disclosed, through the deployment of the Facebook Pixel on its patient login page, Plaintiffs patient status, the nature of the health concerns Plaintiff was visiting Defendant about, and, according to the Amended Complaint, the content of communications about those health concerns as well. (Am. Compl. ¶¶ 2, 4-5,11, 58-59, 61, 66-74, 80-81,127-129.) These allegations sufficiently state a claim for breach of contract when taken in the light most favorable to Plaintiff. See Allen, 2023 WL 5486240, at *3; In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 411 (E.D. Va. 2020)
In response, Defendant argues categorically that “hospital privacy notices do not give rise to contractual obligations because those notices memorialize a hospital's preexisting obligations under HIPAA” which Defendant offered to all patients, without consideration, because it is “required to provide [it] under federal law.” (Def.'s Reply [Doc. #51] at 6; Def. Br. at 11-12.) However, the Amended Complaint-the factual allegations of which the Court must accept as true-does not allege, or give factual support to, a finding that Defendant's privacy notice was merely a recitation of preexisting statutory obligations offered to all comers. The Amended Complaint sufficiently alleges at this stage of the proceeding that the privacy policy formed a contract or a part of the contract which detailed how Defendant would treat Plaintiff s private information. See Allen, 2023 WL 5486240, at *3 (concluding that for breach of contract claim based on privacy pohcies, “[d]rawing all inferences in favor of the plaintiffs, the plaintiffs have sufficientiy pled a valid implied contract and breach of the same to the extent required at this stage”); Weddle v. WakeMed Health & Hosps., No. 22 CVS 13860, 2023 WL 8369786, at *2-3 ( N.C. Super. Ct. Dec. 4, 2023) (denying motion to dismiss breach of contract claim, and noting that “[a]s alleged, WakeMed offered health services to Plaintiffs, who accepted and paid for those services. Plaintiffs also provided their personal information; in return, WakeMed agreed to safeguard and protect such information and to timely and accurately notify Plaintiffs if their information was compromised and or accessed without authorization” (internal ellipses, citation, and quotations omitted)); In re Marriott Int'l, Inc., 440 F.Supp.3d at 485 (privacy policy offered to all customers may form basis of contractual agreement where there is evidence of acceptance by a particular customer). Based on the allegations in the Amended Complaint, Defendant failed to adhere to those obligations and thus breached the contract with Plaintiff. Any argument that this privacy notice merely reflected Defendant's statutory duties and was offered to all comers without exception will need to be developed through discovery, as the facts necessary to make such a finding are outside of the allegations in the Amended Complaint itself.
While Defendant is correct that Plaintiff alleges that Defendant's privacy notice is very similar to those of other medical providers, because they are “largely dictated by law,” (Am. Compl. ¶ 10 & n.l), the Amended Complaint does not concede that Defendant's privacy notice is entirely dictated by, or merely coextensive with, federal law, but rather that, in addition to these common elements, the privacy notice also “make[s] substantively identical or extremely similar promises” to the privacy promises Facebook makes (Am. Compl. ¶¶ 90-91,117-126), terms which Defendant recognizes, without conceding, could conceivably form a contract under the allegations in the Amended Complaint (see Def.'s Br. at 11).
Finally, Defendant argues that, even if a contract between the Parties existed, Plaintiff has failed to allege that Defendant breached it by disclosing her “past, present or future health or condition, healthcare provide to [her], or the past, present, or future payment for healthcare provided to flier].” (Def.'s Br. at 12-13.) However, regardless of whether Plaintiff will be able to support her facial allegations with evidentiary support, she sufficiently alleges that the Facebook Pixel was configured and deployed in such a way that it transmitted to Facebook potentially all of her communications with Defendant, including patient status and the “particular health area/concern” for which she was seeking care. (Am. Compl. ¶¶ 2, 4-5, 11, 58-59, 61, 66-74, 80-81,127-129.)
For these reasons, Plaintiff has sufficiently alleged a claim of breach of contract and Defendant's Motion to Dismiss should be denied as relates to this claim.
2. Invasion of Privacy - Intrusion upon Seclusion
Under North Carolina law, “[t]he tort of invasion of privacy by intrusion into seclusion is defined as the intentional intrusion physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns where the intrusion would be highly offensive to a reasonable person.” Maynard v. Crook, 289 N.C.App. 357, 363 (2023) (internal ellipsis, brackets, and quotation omitted); accord Hartford Cas. Ins. Co. v. Ted A. Greve & Assocs., PA, 742 Fed.Appx. 738, 741 (4th Cir. 2018).
There can be no intrusion upon seclusion where a plaintiff voluntarily discloses the information to a defendant, even if the defendant later further discloses that information to others not authorized to receive it. See Allen, 2023 WL 5486240, at *2 (“Because the plaintiffs acknowledge in the complaint that they voluntarily provided their information directly to Novant, they have not alleged an intrusion or unauthorized prying and this claim is dismissed.” (internal citation omitted)); Weddle, 2023 WL 8369786, at *4-5 (granting dismissal of claim for invasion of privacy because under North Carolina law, “unauthorized disclosure of confidential information to a third party is not an intrusion into Plaintiffs' private affairs”); see also Alexander v. City of Greensboro, 762 F.Supp.2d 764, 815-16 (M.D. N.C. 2011) (“Because Wade properly received this information, her disclosure of it did not constitute intrusion into seclusion . . . .”); Miller v. Brooks, 123 N.C.App. 20, 25 (1996) (North Carolina courts have refused to recognize invasion of privacy by disclosure of private facts as a tort).
Plaintiff has not alleged that Defendant DukeHealth intruded upon her seclusion. The basis of Plaintiffs claim is that she voluntarily provided information to Defendant and, whether actively or passively, Defendant's website transmitted that information to a third party. (Am. Compl. ¶¶ 2-3, 10, 31,124, 127,133,136.) While Plaintiff alleges that Defendant disseminated that information beyond what was permitted, she does not allege that Defendant itself, as the healthcare provider to which she was directly communicating, accessed any information that it was not permitted to access or receive. For this reason, Plaintiff s claim of invasion of privacy should be dismissed.
3. Violation of Electronic Communications Privacy Act
Plaintiff s claim that Defendant violated the Electronic Communications Privacy Act (hereinafter “ECPA”), 18 U.S.C. § 2510, etseq., by receiving and transmitting her private health information to Facebook fails for the same reason as her invasion of privacy claim: Defendant was a party to the communications Plaintiff alleges it subsequently disseminated. 18 U.S.C. § 2520(a) (private right of action under ECPA is premised on violation of Chapter 119); Id. § 2511(d) (“It shall not be unlawful under [Chapter 119] for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication . . . .”); accord Bryant v. Wagoner, No. 1:98CV00110, 1998 WL 1037922, at *2 (M.D. N.C. Dec. 14, 1998). Plaintiff does not allege that Defendant unlawfully received the communications at issue in this case, but rather that, after receiving them as a party to the communications, Defendant subsequently transmitted them to another entity. “Courts interpreting this statute have held that mere receipt of a communication does not constitute a violation of § 2511(1).” Allen, 2023 WL 5486240, at *4; see also Ultimate Outdoor Movies, LLC v. FunFlicks, LLC, No. SAG-18-2315, 2019 WL 2233535, at *21 (D. Md. May 23, 2019) (defendants did not “intercept” communications that were sent directly to them).
The Complaint brings this cause of action based on the “interception” of communications. To the extent that it could also be read as a claim for divulging of the information under 18 U.S.C. § 2511(3)(a), such a claim against DukeHealth would fail to state a claim because DukeHealth is not an entity providing an electronic communication service to the public. Allen, 2023 WL 5486240, at *4.
Because the Amended Complaint alleges that the Defendant was a party to the communications and Plaintiff voluntarily sent them to Defendant, her claim of a violation of the ECPA should be dismissed.
4. Negligent Misrepresentation
“It has long been held in North Carolina that the tort of negligent misrepresentation occurs when (1) a party justifiably reties, (2) to his detriment, (3) on information prepared without reasonable care, (4) by one who owed the relying party a duty of care.” Brinkman v. Barrett Kays & Assocs., P.A., 155 N.C.App. 738, 742 (2003) (internal brackets and quotation omitted); accord Fitzgerald Fruit Farms LLC v. Aseptia, Inc., 527 F.Supp.3d 790, 799 (E.D. N.C. 2019), afpd sub nom. Fitzgerald Fruit Farms, LLC v. Harris, 858 Fed.Appx. 625 (4th Cir. 2021).
“Federal courts have repeatedly found that the North Carolina tort of negligent misrepresentation sounds in fraud and have applied Rule 9(b) to it.” Top shelf Mgmt., Inc, v. Campbell-Ewald Co., 117 F.Supp.3d 722, 727-28 (M.D. N.C. 2015) (collecting cases); accord Thomasson v. Greensboro News & Rec., Inc., No. 1:19CV1164, 2020 WL 5821045, at *6 (M.D. N.C. Sept. 30, 2020); see also Macregen, Inc, v. Burnette, No. 1:19CV591, 2021 WL 2682050, at *6 (M.D. N.C. June 30, 2021) (“North Carolina state and federal courts have applied Rule 9(b) to claims of negligent misrepresentation . . . .”); Packrite, LLC v. Graphic Packaging Int'l, Inc., No. 1T7CV1019, 2018 WL 4112827, at *6 (M.D. N.C. Aug. 29, 2018).
Rule 9(b) of the Federal Rules of Civil Procedure states that, “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake.” “To satisfy Rule 9(b), a plaintiff must plead the time, place, and contents of the false representations, as well as the identity of the person making the misrepresentation and what he obtained thereby.” Edmonson v. Eagle Nat'l Bank, 922 F.3d 535, 553 (4th Cir. 2019) (internal quotation omitted).
Plaintiff has not pleaded with particularity the circumstances constituting the alleged misrepresentation. Plaintiff merely alleges that, at some unspecified time, Defendant as an entity represented that Defendant would not disclose her protected health information outside of the terms of the privacy policy and that Defendant had no reasonable grounds for believing this was true at the time. (Am. Compl. ¶¶ 159-161.) Plaintiff does not allege when this representation took place, who in particular made it to her, or even when or if it became clear that the representation was not true.
In fact, in response to Defendant's argument that Plaintiff has failed to allege with particularity the supporting facts of the negligent misrepresentation claim or any allegation of fraud (Def.'s Br. at 19-20), Plaintiff again points to a general, conclusory allegation of negligent misrepresentation without any particularity and without even a facial allegation of an actual misrepresenation (Pl.'s Br. at 20 (“If Defendant claims it did not know the Pixel would permit Facebook to intercept patient communications, this statement is a negligent misrepresentation within the requirements of Rule 9(b).”)).
Thus, because Plaintiff has not alleged negligent misrepresentation with particularity or identified an actual alleged misrepresentation on which the claim is based, her negligent misrepresentation claim should be dismissed as falling below the standards of Rule 9(b) required to state such a claim in federal court.
5. Negligence
In North Carolina, “[t]o state a claim for common law negligence, a plaintiff must allege: (1) a legal duty; (2) a breach thereof; and (3) injury proximately caused by the breach.” Fussell v. N.C. Farm Bureau Mut. Ins. Co., 364 N.C. 222, 226 (2010) (internal quotation omitted); accord Nadendla v. WakeMed, 24 F.4th 299, 307 n.4 (4th Cir. 2022). The North Carolina Business Court recentiy considered similar negligence claims against WakeMed, and held that:
Plaintiffs have, however, adequately stated a claim for common-law negligence. The gist of their claim is that WakeMed owed a duty to exercise reasonable care when handling its patients' confidential information and that it breached that duty by using the Pixel and giving Meta unauthorized access to the information. That unauthorized disclosure led to foreseeable, avoidable harm, compounded by WakeMed's delay in notifying its patients of the breach of confidence.
WakeMed argues that North Carolina law does not recognize a duty of care in these circumstances. Not so. “It is well established that hospitals and doctors in their employ owe their patients a duty to exercise the degree of care that a reasonable person would in similar circumstances to prevent an unreasonable risk of harm to their patients.” Demarco v. Charlotte-Mecklenburg Hosp. Auth., 268 N.C.App. 334, 338, 836 S.E.2d 322 (2019). Our courts have applied that “general duty of reasonable care” in proper circumstances to the maintenance and dissemination of patient records. Id. at 339, 836 S.E.2d 322; see also Acosta v. Byrum, 180 N.C.App. 562, 568, 638 S.E.2d 246 (2006) (holding that plaintiff had adequately alleged the existence of a “duty to maintain privacy in her confidential medical records”).Weddle, 2023 WL 8369786, at *3 (internal paragraph numbers and citation to record omitted).
Defendant moves for dismissal of the negligence claim solely on the ground that such a claim is barred by the economic loss rule. (Def.'s Br. at 22.)
North Carolina's economic loss rule provides that ordinarily, a breach of contract does not give rise to a tort action by the promisee against the promisor.
A tort action must be grounded on a violation of a duty imposed by operation of law, not a violation of a duty arising purely from the contractual relationship of the parties. Thus, a tort action does not He against a party to a contract who simply fails to properly perform the terms of the contract. It is the law of contract, not tort law, which defines the obfigations and remedies of the parties in such a situation. Accordingly, North CaroHna law requires courts to limit plaintiffs' tort claims to only those claims which are identifiable and distinct from the primary breach of contract claim.Legacy Data Access, Inc, v. Cadrillion, LLC, 889 F.3d 158, 164 (4th Cir. 2018) (internal brackets, emphasis, and quotations omitted); accord Boone Ford, Inc, v. IMF Scheduler, Inc., 262 N.C.App. 169, 174 (2018) (“Where parties were privy to a contract, a viable tort action must be grounded on a violation of a duty imposed by operation of law, and the right invaded must be one that the law provides without regard to the contractual relationship of the parties, rather than one based on an agreement between the parties.” (internal quotation omitted)).
Here, the Amended Complaint alleges that, in addition to contractual obligations to protect patients' health data privacy, Defendant had a duty of care to protect Plaintiff s privacy in her medical records and that HIPAA, among other statutes, informed that standard of care. (Am. Compl. ¶¶ 33-44,166-178.) See also Demarco, 268 N.C.App. at 339; Acosta, 180 N.C.App. at 568; Weddle, 2023 WL 8369786, at *4. As mentioned in the discussion of Plaintiffs breach of contract claim, the extent to which Defendant's purported duty to Plaintiff arose under a general duty of care, or HIPAA, or the contract exclusively, or neither, will be more appropriately addressed with the development of the record. See Farley v. Eye Care Leaders Holdings, LLC, No. L22-CV-468,2023 WL 1353558, at *5 (M.D. N.C. Jan. 31,2023) (plaintiffs “met the minimal standard of plausibility for each of their claims” in data breach case and “[a]ny weaknesses of those claims will be better evaluated on a more developed factual record”). At this stage, at least, Plaintiff has plausibly alleged under North Carolina law that Defendant owed a duty of care apart from or in addition to its contractual obligations. Therefore, Defendant's motion to dismiss the negligence claim should be denied. See generally Weddle, 2023 WL 8369786, at *2-3.
However, Plaintiff also asserts negligence per se as a basis for this claim. On this point, Defendant argues that neither HIPAA nor the Federal Trade Commission Act (hereinafter “FTCA”) can establish a basis for a negligence perse claim. (Def.'s Br. at 22.) Despite alleging in the Amended Complaint that these statutes can both form a basis for negligence perse (Am. Compl. ¶ 178), in response to the Motion to Dismiss Plaintiff appears to acknowledge that Defendant is correct (Pl.'s Br. at 19). At the very least, Plaintiff fails to contest Defendant's argument that neither HIPAA nor the FTCA may be the basis for a negligence per se claim, and therefore appears to concede the point. In any event, the Court finds that neither of these statutes, nor the ECPA, can form the basis of a negligence per se claim in North Carolina.
Under North Carolina law, a claim of negligence perse requires that a plaintiff show:
(1) a duty created by a statute or ordinance; (2) that the statute or ordinance was enacted to protect a class of persons which includes the plaintiff; (3) a breach of the statutory duty; (4) that the injury sustained was suffered by an interest which the statute protected; (5) that the injury was of the nature contemplated in the statute; and, (6) that the violation of the statute proximately caused the injury.Hardin v. York Mem'l Park, 221 N.C.App. 317, 326 (2012). In addition to these elements, North Carolina courts have routinely held that “negligenceperse applies only when the statu[t]e violated is a public safety statute.” Id.; see also Hart v. Ivey, 332 N.C. 299, 303 (1992) (statute that was not one meant to protect public safety could not be basis for negligence per se). “A public safety statute is one imposing upon the defendant a specific duty for the protection of others.” Stein v. Asheville City Bd. of Educ., 360 N.C. 321, 326 (2006) (internal brackets and quotation omitted).
Plaintiff has not argued that HIPAA, the FTCA, or the ECPA-all relevant portions of which were designed to merely maintain privacy or protect confidential information, even by Plaintiff s own allegations (Am. Compl. ¶¶ 33-44, 141-145,169)-could reasonably be read to relate to the protection of public safety. See generally Weddle, 2023 WL 8369786, at *2-3 (finding that neither HIPAA nor the FTCA were public safety statutes and thus could not form the basis for a claim for negligence per se'y Therefore, Plaintiff s claim for negligence per se should be dismissed.
IV. REMAINING CLAIMS AND FEDERAL JURISDICTION
For the reasons set out, the Court will recommend that Defendant's Motion to Dismiss for lack of standing be granted only as to any claims against a purported class of medical providers other than Defendant Duke Health. In addition, the Court will Recommend that Defendant's Motion to Dismiss for failure to state a claim be granted only as to Plaintiff s claims for Intrusion upon Seclusion'-Invasion of Privacy, Violation of the Electronic Communications Privacy Act, Negligent Misrepresentation, and Negligence perse. The Court recommends that the Motion to Dismiss otherwise be denied, leaving Plaintiff s claims against Defendant DukeHealth for breach of contract and negligence.
Having so concluded, the only remaining basis for federal jurisdiction is the Class Action Fairness Act (“CAFA”). (Am. Compl. ¶ 28 (citing 28 U.S.C § 1332(d).) Cf. 28 U.S.C § 1332(d)(2)(A) (describing CAFA diversity as existing where “any member of a class of plaintiffs is a citizen of a State different from any defendant”). However, the sole named Parties-Plaintiff and Defendant-are both North Carolina citizens. (Am. Compl. ¶¶ 3132.) Plaintiffs only alleged diversity in the case arises from the conclusory statement, essentially quoting the statute, that “a member of the Class is a citizen of a State different from any Defendant,” without alleging that any specific member of the class is diverse. (Am. Compl. ¶ 28.) See Thompson v. Ciox Health, LLC, 52 F.4th 171, 173 n.l (4th Cir. 2022) (finding diversity jurisdiction in Class Action Fairness Act claim where there was diversity between the named parties, and noting that this “jurisdictional tangle . . . could have been avoided by more careful pleading”); Haynes v. Blue Ridge Paper Prod., Inc., No. 1:09cv321, 2010 WL 3075738, at *1 (W.D. N.C. Aug. 5, 2010) (plaintiff, who shared citizenship with defendant, alleged that “any member of a class of plaintiffs is a citizen of a State different from any defendant,” resulting in an immediate motion to dismiss and a subsequent amendment that clarified “that sixty-nine members of the class reside outside North Carolina”); see also Dancel v. Groupon, Inc., 940 F.3d 381,385 (7th Cir. 2019) (positing that “some ‘undetermined number' of class members are” diverse from defendant was insufficient where party failed to allege, even on information and belief, that “a specific member of the putative class had ‘a particular state of citizenship'”); Ehrman v. Cox Commc'ns, Inc., 932 F.3d 1223, 1227 (9th Cir. 2019) (allegation, based on information and belief, that a named party was a citizen of a diverse state sufficient to establish diversity and pleading stage); Sanchez v. Ameriflight, LLC, 724 Fed.Appx. 524, 526 (9th Cir. 2018) (allegation that “some members of the putative class included” diverse members failed to establish minimal diversity where pleadings did not identify any specific diverse class member).
Because subject matter jurisdiction may be raised at any time, even by the Court sua sponte, the Court will stay this case for 45 days to give Plaintiff the opportunity to identify an out-of-state Plaintiff with these claims against Defendant DukeHealth, or otherwise address the basis for subject matter jurisdiction in this case. Plaintiff should file its position statement by April 15, 2024, and Defendant may respond by May 6, 2024.
V. CONCLUSION
IT IS THEREFORE RECOMMENDED THAT Defendant's Motion to Dismiss [Doc. #48] be GRANTED IN PART AND DENIED IN PART, specifically that the Motion to Dismiss be granted to the extent that any claims against a purported class of medical providers other than Defendant DukeHealth should be dismissed without prejudice, and that Plaintiffs claims for Intrusion upon Seclusion-Invasion of Privacy, Violation of the Electronic Communications Privacy Act, Negligent Misrepresentation, and Negligence per se should be dismissed without prejudice, but otherwise denied, such that the claims against Defendant DukeHealth for breach of contract and negligence remain.
IT IS ORDERED that this case is STAYED for 45 days to allow Plaintiff the opportunity to address the issue of federal jurisdiction under the Class Action Fairness Act, in light of the dismissal of any federal claims. By April 15, 2024, Plaintiff should file her position statement identifying an out-of-state class member plaintiff or otherwise addressing the basis for subject matter jurisdiction in this case. Defendant may respond by May 6, 2024.