AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.10â$0.50 per brief, depending on opinion length and retries
Full Opinion
IN THE UNITED STATES DISTRICT COURT September 22, 2025 FOR THE SOUTHERN DISTRICT OF TEXAS Nathan Ochsner, Clerk HOUSTON DIVISION EDWARD SWEAT, et al., individually and § on behalf of a class of similarly situated § individuals, § § CIVIL ACTION NO. H-24-775 Plaintiffs, § v. § § HOUSTON METHODIST HOSPITAL, § § Defendant. § MEMORANDUM AND OPINION Edward and Marie Sweat sued Houston Methodist Hospital, seeking to represent a class of individuals who had their personal health information disclosed by a tracking Pixel installed on Methodistâs website. (Docket Entry No. 1-1). The court granted Methodistâs motion to dismiss the state-law claim for invasion of privacy. (Docket Entry No. 28). The remaining claims allege that Methodist is liable for violating the Wiretap Act, 18 U.S.C. §§ 2510-2523, and for state-law unjust enrichment. (Id.). The parties conducted discovery. Methodist now moves for summary judgment on the remaining claims, arguing that its actions do not satisfy the Wiretap Actâs crime- tort exception because it did not know that it was disclosing individually identifiable health information and because its only purpose in using the Pixel was to improve the effectiveness of its advertising and public health communications. (Docket Entry No. 52). The Sweats have responded to the motion, arguing that Methodistâs acts in disclosing the information obtained by the Pixel are sufficient for liability. (Docket Entry No. 58). Based on the pleadings, the motion and response, the record, and the applicable law, this court grants Methodistâs motion for summary judgment. Final judgment is separately entered. The reasons are set out below. I. Background Methodist is a nonprofit hospital serving the greater Houston area. (Docket Entry No. 52- 6 at 8). To connect patients with doctors for medical care, its marketing department conducts community outreach, including advertising and public health campaigns. (Id. at 8â9). To track the performance of these outreach efforts, Methodist installed a Facebook tracking Pixel on public- facing pages of its website.1 (Id. at 9; Docket Entry No. 52-10 at 8, 10). Methodist was hardly the only hospital to use the Pixel; fully one-third of the nationâs top 100 hospitals did so. (Docket Entry No. 52-19 at 2). Methodistâs stated purpose in implementing the Pixel was to learn if its outreach campaigns were accomplishing its goal of attracting people to its website and taking further âintentâ actions, such as clicking a button on the site indicating that the person was going to schedule an appointment. (Docket Entry No. 52-6 at 9; Docket Entry No. 58-7 at 4, 5). Methodist first implemented the Pixel in 2017, on the advice of Rise Interactive, a digital advertising agency. (Docket Entry No. 52-16). Methodist states that Rise Interactive advised the hospital that the Pixel was âsafeâ to use. (Docket Entry No. 52-11 at 8). Methodist later changed its advertising agency from Rise Interactive to Fathom SEO, a choice driven in part by Fathomâs experience in healthcare marketing. (Docket Entry No. 52-10 at 12). Methodist states that Fathom also advised the hospital that the Pixel was safe to use. (Docket Entry No. 52-11 at 8). Fathomâs agreement with Methodist stated that Fathom would provide services âin accordance with all applicable law, industry standards, and professional requirements.â (Docket Entry No. 52-4). 1 The parties generallyâbut not alwaysârefer to âFacebookâ instead of âMetaâ when identifying the company that created the Pixel and received the sensitive information. (See generally Docket Entry Nos. 52, 58). In the first amended complaint, the Sweats stated that their information was improperly disclosed to âMeta Platforms, Inc. d/b/a Meta (âFacebookâ).â (Docket Entry No. 6 at 2). In line with the partiesâ use, the court generally refers to Facebook but refers to Meta when the underlying source (for example, a privacy policy or email chain) identifies the company as Meta. 2 As part of Fathomâs services, Methodist received reports based on aggregated data gathered from the Pixel on the performance of its advertising and public health campaigns. (Docket Entry No. 52-9). The data provided Methodist with information, including the number of impressions on a social media postâthe number of times its content was displayed on a userâs screen, regardless of whether the user engaged with it or notâand the number of âlead actionsâ (such as scheduling an appointment) taken on Methodistâs website in response to the advertised activity. (Id.). Methodist points to an example in one report showing that 2,078 users saw its âmonthly reminderâ on Facebook to schedule a mammogram and that 374 visited Methodistâs website to do so. (Docket Entry No. 52 at 19) (citing Docket Entry No. 52-9). The aggregated data that Methodist received did not include information identifying the individuals who were seeking or obtaining healthcare services at Methodist. (Docket Entry No. 54-3). Methodist employees all testified that they believed that the Pixel data did not collect individually identifiable health information. (See, e.g., Docket Entry No. 52-6 at 9; Docket Entry No. 52-8 at 16; Docket Entry No. 52-10 at 7). Methodist did not embed the Pixel within MyChart, the individual patient portal. (Docket Entry No. 52-8 at 17; Docket Entry No. 52-10 at 10; Docket Entry No. 58-3 at 4). On May 18, 2022, a reporter from The Markup, a nonprofit newsroom covering the technology industry, emailed Methodist for comment about its use of the Pixel. (Docket Entry No. 52-18). The reporter explained that the Markup had conducted tests of the Pixel on Methodistâs website and the websites of other hospitals, and that these tests showed that the Pixel was potentially capturing sensitive health information in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §§ 1320d-1320d-9. (Id.). After receiving this email, Methodist promptly contacted Fathom for more information about how the Pixelâs data filter worked. (Docket Entry No. 52-12). Fathomâs privacy officer stated that the 3 Pixel captured IP addresses but that â[s]ince health information is filtered out, and all data is hashed and randomized (meaning it can no longer be used to identify an individual,) Meta isnât collectingâ protected health information. (Id.). The privacy officer added that Metaâs systems were designed to filter out sensitive health information and that such information was ânot collected.â (Id.). On May 23, 2022, following its discussion with Fathom, Methodist reached out to Meta for more information about what information the Pixel filtered out and what data it collected. (Docket Entry No. 52-20). In response, Meta âdelivered highly sanitized non-answers.â (Docket Entry No. 52 at 13). Metaâs responses emphasized that personally identifying information should be âhashed before transmissionâ and that healthcare organizations should be âespecially mindfulâ to configure Metaâs tools so as to not send personal health information. Meta also stated that it had a filtering mechanism to âprevent [potentially sensitive health-related data] from being ingested into our ads ranking and optimization systems,â and that if Metaâs filter detected such data, it would send an email alerting the organization of the issue. (Docket Entry No. 52-21 at 12â 15). Meta could not confirm if it was receiving certain health information, such as the names of patients making appointments with particular doctors. (Id. at 12). Just before the June 16, 2022, publication of The Markupâs article on hospitalsâ use of the Pixel, Methodist removed the Pixel from its website. (Docket Entry No. 52-19 at 6). Methodist told The Markup that it believed Facebook âuses tools to detect and reject any health information, providing a barrier that prevents passage of [protected health information],â but that it had elected to remove the Pixel âfor now to be sure we are doing everything we can to protect our patientsâ privacy while we are evaluating.â (Id.). That ended Methodistâs use of the Pixel. (Docket Entry No. 52-8 at 13). 4 In 2024, the Sweats filed this putative class action in Texas state court, asserting claims for invasion of privacy, violations of the Wiretap Act, and unjust enrichment based on Methodistâs use of the Pixel.2 (Docket Entry No. 1-1). Methodist removed based on federal question jurisdiction. (Docket Entry No. 1). This court later granted in part and denied in part Methodistâs motion to dismiss the Sweatsâ first amended complaint, dismissing the invasion of privacy claim with prejudice but allowing the claims for violation of the Wiretap Act and unjust enrichment to proceed. (Docket Entry No. 28 at 9). On February 19, 2025, the court granted Methodistâs motion to bifurcate discovery between the threshold issue of liability and class discovery. (Docket Entry No. 47). Extensive discovery proceeded on the issue of liability. Methodist now moves for summary judgment on the Wiretap Act and unjust enrichment claims. (Docket Entry No. 52). II. The Legal Standard âSummary judgment is appropriate where âthe movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.ââ Springboards to Educ., Inc. v. Pharr-San Juan-Alamo Indep. Sch. Dist., 33 F.4th 747, 749 (5th Cir. 2022) (quoting FED. R. CIV. P. 56(a)). âA fact is material if it âmight affect the outcome of the suit.ââ Thomas v. Tregre, 913 F.3d 458, 462 (5th Cir. 2019), as revised (Jan. 25, 2019) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)). âA factual dispute is genuine âif the evidence is such that a reasonable jury could return a verdict for the nonmoving party.ââ Id. (quoting Anderson, 477 U.S. at 248). When considering a motion for summary judgment, the court âmust consider all facts and evidence in the light most favorable to the nonmoving partyâ 2 The Sweats also asserted a claim for breach of implied contract. (Docket Entry No. 1-1 at 42). This claim was not included in their first amended complaint. (Docket Entry No. 6). 5 and âmust draw all reasonable inferences in favor of the nonmoving party.â Ion v. Chevron USA, Inc., 731 F.3d 379, 389 (5th Cir. 2013). The moving party âalways bears the initial responsibility of informing the district court of the basis for its motionâ and pointing to record evidence demonstrating that there is no genuine dispute of material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986); see also FED. R. CIV. P. 56(c). âWhen âthe non-movant bears the burden of proof at trial,â a party moving for summary judgment âmay merely point to the absence of evidence and thereby shift to the non-movant the burden of demonstrating by competent summary judgment proof that there is a dispute of material fact warranting trial.ââ MDK Sociedad De Responsabilidad Limitada v. Proplant Inc., 25 F.4th 360, 368 (5th Cir. 2022) (alteration adopted) (quoting Nola Spice Designs, L.L.C. v. Haydel Enterprises, Inc., 783 F.3d 527, 536 (5th Cir. 2015)). âOnce the moving party has initially shown that there is an absence of evidence to support the non-moving partyâs cause, the non-movant must come forward with specific facts showing a genuine factual issue for trial.â Houston v. Tex. Depât of Agric., 17 F.4th 576, 581 (5th Cir. 2021) (quotation marks and quoting reference omitted). â[A] party cannot defeat summary judgment with conclusory allegations, unsubstantiated assertions, or only a scintilla of evidence.â Jones v. Gulf Coast Rest. Grp., Inc., 8 F.4th 363, 368 (5th Cir. 2021) (quotation marks and quoting reference omitted). Rather, the nonmovant âmust identify specific evidence in the record and articulate the precise manner in which that evidence supports [its] claim.â Shah v. VHS San Antonio Partners, L.L.C., 985 F.3d 450, 453 (5th Cir. 2021) (alteration adopted) (quotation marks and quoting reference omitted). The movant is entitled to judgment as a matter of law when âthe nonmoving party has failed to make a sufficient showing on an essential element of [its] case with respect to which [it] 6 has the burden of proof.â Celotex Corp., 477 U.S. at 323. But â[i]f âreasonable minds could differâ on âthe import of the evidence,â a court must deny the motion.â Sanchez v. Young County, 956 F.3d 785, 791 (5th Cir. 2020) (quoting Anderson, 477 U.S. at 250). III. Analysis A. The Wiretap Act A plaintiff pleads a prima facie case under the Wiretap Act, 18 U.S.C. §§ 2510-2523, by alleging facts âshowing that the defendant â(1) intentionally (2) intercepted . . . (3) the contents of (4) an electronic communication, (5) using a device.â Brown v. Learfield Commcâns., LLC, No. 1:23-cv-00374, 2024 WL 3676709, at *3 (W.D. Tex. June 27, 2024) (quoting In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 135 (3d Cir. 2015)). One exception is § 2511(2)(d), which provides that ordinarily no cause of action will lie against a person who is a âparty to the communicationâ unless âsuch communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.â 18 U.S.C. § 2511(2)(d). This provision is often called the âcrime-tort exception.â Brown, 2024 WL 3676709, at *4. The critical issue on summary judgmentâas opposed to the motion to dismiss stageâis whether there are disputed factual issues material to determining whether Methodist used the Pixel âfor the purpose of committing any criminal or tortious act.â As relevant here, under HIPAA, it is a crime to âknowingly . . . disclose[] individually identifiable health information.â 42 U.S.C. § 1320d-6(a). Methodist makes two arguments for why the crime-tort exception does not apply. First, it argues that that because the summary judgment evidence shows that it did not âknowinglyâ disclose individually identifiable health information, it âcommitted no crime that could subject it 7 to liability under the Wiretap Act.â3 (Docket Entry No. 52 at 17â18). Second, Methodist argues that because the evidence shows that its only purpose was to gather aggregate data for digital marketing, rather than to commit any crime or tort, it cannot be liable under the Act. (Id. at 26). In response, the Sweats argue that the evidence shows a genuine factual dispute material to determining whether Methodist knew that the Pixel was disclosing individually identifiable health information to Facebook, in violation of HIPAA.4 (Docket Entry No. 58 at 10â12, 14â16). The Sweats also appear to argue that disclosing individually identifiable health information for a commercial purposeâeven without knowledge of the disclosure of such informationâviolates HIPAA, meaning that Methodistâs commercial purpose is sufficient to trigger the crime-tort exception to the Wiretap Act and resulting liability. (Id. at 17). Although the parties largely frame the inquiry as whether there is a triable fact issue necessary to determine whether Methodist violated HIPAA, the threshold issue is not whether Methodist violated HIPAA, but whether it acted with the purpose of violating HIPAA. âUnder section 2511, âthe focus is not upon whether the interception itself violated another law; it is upon whether the purpose for the interceptionâits intended useâwas criminal or tortious.ââ Sussman v. Am. Broadcasting Cos., Inc., 186 F.3d 1200, 1202 (9th Cir. 1999) (quoting Payne v. Norwest 3 Methodist largely does argue that it did not disclose individually identifiable health information. (See generally Docket Entry Nos. 52, 62). While it asserts in passing that â[e]ven viewing Plaintiffsâ evidence in the most favorable light, it is far from evident that the Pixel did routinely interceptâ individually identifiable health information, it makes this argument only in a footnote. (Docket Entry No. 52 at 25 n.18). â[A]n argument raised in a footnote is insufficient and may be disregarded by the Court.â Gate Guard Servs. L.P. v. Perez, 14 F. Supp. 3d 825, 833 (S.D. Tex. 2014). 4 In their amended complaint, the Sweats alleged violations of HIPAA, two Texas state statutes, and invasion of privacy as the bases for liability under the crime-tort exception to the Wiretap Act. (Docket Entry No. 6 at 37). The court dismissed the invasion of privacy claim with prejudice, (Docket Entry No. 28), and in their response brief, the Sweats rely only on HIPAA as the basis for the crime-tort exception and do not mention the previously asserted Texas state statutes. (See generally Docket Entry No. 58). The court reviews only the alleged HIPAA violation as the basis for the crime-tort exception. 8 Corp., 911 F. Supp. 1299, 1304 (D. Mont. 1995), affâd in part and revâd in part, 113 F.3d 1079 (9th Cir. 1997)) (affirming summary judgment for the defendants because while ABCâs taping of the plaintiffs âmay well have been a tortious invasion of privacy under state law, plaintiffs have produced no probative evidence that ABC had an illegal or tortious purpose when it made the tapeâ); see also Caro v. Weintraub, 618 F.3d 94, 100 (2d Cir. 2010) (âCongress chose the word âpurposeâ for a reason. Therefore, the offender must have as her objective a criminal or tortious result.ââ); Cohen v. Casper Sleep Inc., No. 17 Civ. 9325, 2018 WL 3392877, at *4 (S.D.N.Y. July 12, 2018) (â[Plaintiff] fails to demonstrate that Defendantsâ primary purpose was to commit a tort. Instead, he claims that Defendantsâ conduct amounted to a tort. But whether a tort was committed is irrelevantâthe test is whether Defendants intended to commit a tort.â (citation and emphasis omitted)). Courts have taken two different approaches to the issue of âpurposeâ under the crime-tort exception. âSeveral circuits have determined that, to plead the crime-tort exception, the allegedly unlawful act must be independent of the allegedly unlawful interception.â See Brown, 2024 WL 3676709, at *4. Some courts have dismissed similar HIPAA-based Wiretap Act cases on the ground that the alleged HIPAA violation was not independent of the interception itself.5 See, e.g., 5 Methodist urges this court to find that, under the âindependent actâ approach, the crime-tort exception does not apply because the act of transmission is the same as the purported violation of HIPAA. (Docket Entry No. 52 at 23). Methodist points out that HIPAA does not allow a private right of action and that argues that âif the Wiretap Act becomes a back door to civil liability based on a purported HIPAA violation, then hospitals will be mired in the exact kind of private litigation that Congress meant to avoid.â (Id. at 24). At least one court has stated that a plaintiffâs âassertion of [a Wiretap Act] violation based on an alleged HIPAA violation may be reasonably viewed as an attempted end run around HIPAAâs limitations to seek relief for the same alleged harm.â Roberts v. Charlotte Mecklenburg Hosp. Auth., No. 3:24-CV- 00382, 2025 WL 880538, at *3 n.1 (W.D.N.C. Mar. 20, 2025), appeal docketed No. 25-1420 (4th Cir. Apr. 21, 2025). While there is merit to this argument, the court need not consider it because the summary judgment record evidence does not support an inference that Methodist acted with the necessary criminal or tortious purpose. 9 Doe v. Kaiser Found. Health Plan, Inc., No. 23-cv-02865, 2024 WL 1589982, at *10 (N.D. Cal. Apr. 11, 2024). Courts using the second, âprimary purpose,â approach âfind that the crime-tort exception applies only where either the âprimary motivationâ or âdeterminative factorâ in a partyâs interception was to commit a crime or tort.ââ Brown, 2024 WL 3676709, at *4. Relying on this approach, some courts have dismissed similar HIPAA-based Wiretap Act cases because the defendantâs primary motivation was to obtain a commercial advantage, not to commit a crime or a tort. See, e.g., Roe v. Amgen, Inc., No. 2:23-cv-07448, 2024 WL 2873482, at *6 (C.D. Cal. June 5, 2024). Courts also sometimes blend these approaches. See, e.g., Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 378â82 (S.D.N.Y. 2024) (applying both the independent act and primary purpose approaches). But to find liability under any of these approaches, the plaintiff must plead or, on summary judgment, present evidence raising a factual dispute as to whether the defendant intended to commit a crime or tort. See, e.g., Brown, 2024 WL 3676709, at *5. Taking the summary judgment evidence in the light most favorable to the non-moving parties, the summary judgment record shows that Methodist did not act with the âpurpose of committing any criminal or tortious actâ that would trigger the crime-tort exception to the Wiretap Act. First, there is no evidence that Methodist acted with the purpose of violating HIPAA by disclosing individually identifiable health information; the evidence shows that it did not know it was doing so. Second, the evidence shows that Methodistâs only purpose was to improve its marketing and outreach, which is devoid of the intent to commit a crime or a tort and is therefore insufficient to allow the Sweatsâ claims to proceed under the crime-tort exception. As to the first issue, Methodist received reports of aggregated information that did not show any individually identifiable data. Although these reports were based on interactions with arguably sensitive portions of Methodistâs website, such as pages indicating if patients were going 10 to schedule appointments, the information collected was reported to Methodist only as collective, anonymous data. (Docket Entry No. 58-3 at 4). Houston Methodistâs digital marketing director testified that Fathom, which ran the hospitalâs advertising campaigns, worked with other large healthcare systems âas to th[e] common practiceâ of using the Pixel, which is why she did not have a reason to look further into how the Pixel functioned. (Docket Entry No. 58-3 at 8). Her understanding is borne out by the fact that the one-third of the nationâs top 100 hospitals used the Pixel during the relevant period. (Docket Entry No. 52-19 at 2). Methodist employees uniformly testified that they did not believe that the Pixel was collecting or disseminating any individually identifiable health information. (Docket Entry No. 52-5 at 10; Docket Entry No. 52-6 at 9; Docket Entry No. 52-7 at 10; Docket Entry No. 52-8 at 16; Docket Entry No. 52-10 at 7). This testimony is supported by facts showing that, on learning of The Markupâs inquiry, Methodist immediately reached out to Fathom and Meta asking whether Meta was capturing personally identifiable health information and what filters it had in place to prevent it from receiving such information. (Docket Entry No. 52-14). Metaâs own privacy policy at the time stated that â[i]f Metaâs signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.â (Docket Entry No. 52-34 at 2). Methodist states that it never received a promised email from Meta alerting the hospital that Meta was receiving sensitive personal health information. (Docket Entry No. 62 at 4). The Sweats argue that there is a genuine factual dispute material to determining Methodistâs knowledge because: (1) aggregate data can only be created from individual data; (2) Methodistâs privacy policy and Facebookâs filter disclosure âmake[] clearâ that the hospital knew 11 that it was sending Facebook sensitive data; and (3) Methodist âfailed to take basic measures to ensure that it was not disclosingâ protected health information. (Docket Entry No. 58). These assertions all fail to show that there is a triable issue as to whether Methodist knowingly disclosedâor was willfully blind to its disclosure ofâprotected health information.6 Instead, these assertions essentially accuse Methodist of being negligent in its use of the Pixel, which is clearly insufficient to show that Methodist acted with the purpose of violating HIPAA. First, aggregate data can be created from individual data that is anonymized at the input level. The fact that Methodist received reports showing aggregate data does not raise an inference that Methodist knew that it was collecting and disclosing individually identifiable personal health information. No Methodist employee understood the reports to be based on protected health information. Although the Sweats argue that the employeesâ credibility is a matter for the jury, (Docket Entry No. 58 at 22), the Sweats have not presented or pointed to any summary judgment evidence contravening the employeesâ consistent testimony. See In re Pharmatrak, Inc. Privacy Litig., 292 F. Supp. 2d 263, 268 (D. Mass. 2003) (granting summary judgment to the defendants in part because Pharmatrakâs chief of technology testified that the company did not intend to collect sensitive information, that he did not know it was doing so, and the plaintiffs âoffer[ed] no evidence to contradict these statementsâ). Second, the Sweatsâ single-sentence excerpt from Methodistâs privacy policy does not demonstrate that Methodist must have known it was sending individually identifiable health information to Facebook.7 Third, the wording of the filter 6 Willful blindness requires that a defendant have a subjective awareness of a high probability of the existence of illegal conduct and purposefully contrived to avoid learning of that conduct. See United States v. Lee, 966 F.3d 310, 234 (5th Cir. 2020). 7 As Methodist points out, the Sweats excerpt a single sentence from a section of the privacy policy on âAdvertisements.â (Docket Entry No. 62 at 3). The thorough section of the privacy policy on âShar[ing] Information with Third Partiesâ states that Methodist shared ânon-Personal Information, such as aggregated 12 disclosureâwhich does not make clear how, when, or other details as to whether Facebookâs filter rejected sensitive health dataâat most supports an inference that Methodist should have looked more closely at the filterâs functioning. But Methodistâs arguable negligence is insufficient to raise a genuine factual dispute as to whether it acted with the purpose of violating HIPAA. See In re Doubleclick Inc. Priv. Litig, 154 F. Supp. 2d 497, 515 (S.D.N.Y. 2001) (concluding that âthe legislative record suggests that the element of âtortiousâ or âcriminalâ mens rea is required to establish a prohibited purpose under § 2511(2)(d)â). The uncontroverted summary judgment evidence is that Methodist used the information received from its use of the Pixel only for the purpose of improving its marketing and outreach. (Docket Entry No. 52-6 at 9; Docket Entry No. 52-7 at 5; Docket Entry No. 52-10 at 8). Although the Fifth Circuit has not yet ruled on the disputed question of whether the crime-tort exception applies when a medical providerâs primary purpose in disclosing information is commercial, (see Docket Entry No. 28 at 8), the court need not reach this question because a commercial purpose must still be tethered to a criminal or tortious purpose. As detailed above, the record does not show that Methodist acted with the purpose of violating HIPAA. Even the cases the Sweats cite emphasize that there must be an unlawful purpose in addition to a lawful purpose to trigger the crime-tort exception in cases in which there may be dual motives. (Docket Entry No. 58 at 21); see Lugo v. Inova Health Care Servs., No. 1:24-cv-700, 2025 WL 905191, at *8 (E.D. Va. Mar. 25, 2025) (denying a motion to dismiss because âmany crimes and torts are committed for financial user statistics, with third partiesâ but that it âd[id] not share your Personal Information that we have collected directly from you on our Service with third parties for those third partiesâ direct marketing purposes unless we have given you the choice to consent or withhold consent.â (Docket Entry No. 52-17 at 3). The policy adds that â[i]f we de-identity data about you, it is not treated as Personal Information by us, and we may share it with others freely.â (Id.). The Sweatsâ single excerpted line from a different section of the policy does not demonstrate a genuine issue of material fact as to whether Methodist knew it was disclosing individually identifiable health information. 13 gain. Therefore, having a commercial purpose in addition to the purpose of violating HIPAA or [a state privacy law] does not immunize INOVA from Plaintiffâs [Wiretap Act] claimsâ); Cooper, 742 F. Supp. 3d at 378 (stating that âthe mere existence of a lawful purpose alone does not sanitize an interception that was also made for an illegitimate purposeâ (citation modified)). The Sweats seemingly attempt to avoid the issue that a commercial purpose alone cannot suffice by arguing that âthe fact that [Methodist], as admitted to in its own Motion, implemented the Meta Pixel for a âcommercial advantageâ of operating its marketing campaigns, is itself evidence that [Methodist] intentionally violated HIPAA.â (Docket Entry No. 58 at 6). That is, the Sweats argue that Methodistâs commercial purpose is sufficient to trigger the crime-tort exception because HIPAA makes disclosing information for a âcommercial advantageâ unlawful. (See also id. at 17, 21â22). But this misconstrues HIPAA. The statute does not criminalize the mere disclosure of protected information with the intent to use that information for commercial advantage. Rather, HIPAA states that a person is criminally liable for âknowingly . . . disclos[ing] individually identifiable health informationâ and then increases the penalties if the offense was committed with intent to use the information âfor commercial advantageâ or âpersonal gain.â 42 U.S.C. § 1320d-6 (a)(3), (b)(3). The disclosure of what was not known to be personally identifiable health information, but instead believed to be aggregate data, for a commercial purpose, is not a crime or a tort. It cannot trigger the crime-tort exception, which requires the purpose of committing a criminal or tortious âact.â 18 U.S.C. § 2511(2)(d). âSection 2511(2)(d)âs legislative history and caselaw make clear that the âcriminalâ or âtortiousâ purpose requirement is to be construed narrowly, covering only acts accompanied by a specific contemporary intention to commit a crime or tort.â In re DoubleClick Inc. Privacy Litig., 154 F. Supp. at 515. Taking the evidence in the light most favorable to the Sweats, they have not 14 met their burden of showing that Methodist had a contemporaneous intent to commit a crime or a tort. Summary judgment is granted to Methodist on the Sweatsâ Wiretap Act claim. B. Unjust Enrichment The Sweats do not dispute that Methodist did not sell the individually identifiable health information it collected for profit and so have dropped their claim for unjust enrichment. (Docket Entry No. 58 at 6 n.1). Summary judgment is granted to Methodist on this claim as well. IV. Conclusion Courts have long recognized the importance of privacy in the context of health information. See, e.g., Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260, 1269 (9th Cir. 1998) (âOne can think of few subject areas more personal and more likely to implicate privacy interests than that of oneâs health or genetic make-up.â).8 Methodistâs use of the Pixel is a good example of the careful line hospitals must draw between efforts to raise money and promote public health awareness on the one hand and the importance of maintaining privacy for those who seek or obtain medical care on the other. The summary judgment evidence demonstrates that Methodist did not use the Pixel with the purpose of committing a crime or a tort. There is no basis for liability under 8 In addition to the splintered approaches to the crime-tort exception in the context of HIPAA discussed above, courts have also had difficulty determining what kinds of pleading allegations suffice to show that a defendant disclosed individually identifiable health information in violation of HIPAA. See, e.g. Castillo v. Costco Wholesale Corp., No. 2:23-cv-01548, 2024 WL 4785136, at *6â*7 (W.D. Wash. Nov. 14, 2024). Moreover, the question of what constitutes individually identifiable health information has gotten even more complicated with the recent decision in Am. Hospital Assân v. Becerra vacating a guidance from the Department of Health and Human Services adding to the termâs definition. 738 F. Supp. 3d 780, 803 (N.D. Tex. 2024). The treacherous terrain is even further evidenced by the recent access given to the Department of Government Efficiency to Social Security information, which includes health information. See Soc. Sec. Admin. v. Am. Fedân of State, Cnty., and Mun. Emps., 605 U.S. ----, 145 S. Ct. 1626 (2025) (reversing an en banc Fourth Circuit Court of Appeals ruling that had enjoined the Social Security Administration from granting Department of Government Efficiency personnel access to certain personally identifiable information). 15 the crime-tort exception to the Wiretap Act. Summary judgment for Methodist is granted. Final judgment is entered by separate order. SIGNED on September 22, 2025, at Houston, Texas. LW Crt Lee H. Rosenthal Senior United States District Judge 16
Case Information
- Court
- S.D. Tex.
- Decision Date
- September 22, 2025
- Status
- Precedential