Judge Dena Coggins from the Eastern District of California denies health care defendants’ motion to dismiss privacy claims based on website tracking technology.
Plaintiffs, all patients of the defendant healthcare system, alleged that when they used the provider’s websites and patient portals to search for doctors, make appointments, and access medical records, tracking pixels embedded on those sites intercepted and transmitted sensitive health and personal information to Meta, Google, and other third parties for advertising purposes—without patient knowledge or consent. The information allegedly shared included details about medical conditions, treatments, and provider identities, as well as PII such as names, IP addresses, and Facebook IDs, enabling targeted advertising on social media platforms. Plaintiffs specifically alleged that after using Defendants’ websites, they received advertising through Facebook for the same medical conditions.
CIPA Section 631(a)
On the question of confidential communications:
The court agrees with Plaintiffs that they have alleged the “contents” of their communications that were allegedly intercepted in violation of CIPA. Plaintiffs’ alleged communications with Defendants’ Web Properties, which were intercepted and disclosed to Meta, go beyond “keystrokes, mouse clicks, [and] pages viewed” on Defendants’ Web Properties. Plaintiffs allege that their search queries were disclosed to Meta in the form of “full-string URLs” containing their PHI and PII, more than “basic identification and address information.” (Doc. No. 19 at ¶¶ 202–03, 250–55); In re Zynga Priv. Litig., 750 F.3d at 1106. Moreover, Plaintiffs plead facts supporting these allegations. Specifically, in the FAC, Plaintiffs detail the searches they conducted regarding their personal health conditions, treatment options, and doctors. (Id. at ¶¶ 265–295).
The Court agreed that Plaintiffs sufficiently alleged interception as well.
Here too, the court agrees with Plaintiffs that they have alleged their communications were “intercepted” within the meaning of CIPA. Importantly, the court must accept as true Plaintiffs’ allegations that Defendants simultaneously intercepted their data in real time using Meta Pixel. (See Doc. No. 19 at ¶ 307) (alleging “Plaintiffs and Class Members had no idea when they interacted with Defendants’ websites that their personal data, including sensitive medical data, was being collected and simultaneously transmitted to Facebook”). Contrary to Defendants’ arguments, Plaintiffs do not allege independent communications occurred between Plaintiffs and their browsers, and their browser and Facebook. Courts have held allegations of simultaneous duplication and interception of communications sufficient to plead “interception” while “in transit” under CIPA at the motion to dismiss stage. See M.G. v. Therapymatch, Inc., No. 3:23-cv-04422-AMO, 2024 WL 4219992, at *4 (N.D. Cal. Sept. 16, 2024) (rejecting the defendant’s argument that the plaintiff failed to plead “interception” under CIPA because two separate communications occurred because the plaintiff had actually pled that the interception was “simultaneous”); Mitchell v. Sonesta Int’l Hotels Corp., No. 2:24-cv-2603-GW-SSC, 2024 WL 4471772, at *8 (C.D. Cal. Oct. 4, 2024), adopted as modified, No. 2:24-cv-2603-GW-SSC, 2024 WL 4474491, at *8 (C.D. Cal. Oct. 4, 2024) (denying motion to dismiss Section 631(a) CIPA claim on the grounds that plaintiff did not plausibly allege communications were intercepted in transit because plaintiff alleged “simultaneous duplication” via tracking technologies on defendant’s website); Cousin v. Sharp Healthcare, 681 F. Supp. 3d 1117, 1130–31 (S.D. Cal. 2023) (“Cousin I”) (same).
As to aiding and abetting, Plaintiffs got over that hurdle too.
As an initial matter, the plain text of CIPA imposes liability on any person “who aids, agrees with, employs, or conspires” with another party. Cal. Penal Code § 631(a). The statute “does not require that a party aid and abet.” Tate v. VITAS Healthcare Corp., 762 F. Supp. 3d 949, 959 (E.D. Cal. 2025) (citation omitted); see also Cousin I, 681 F. Supp. 3d at 1130 (explaining that the “contention that ‘aids’ means ‘aiding and abetting’ ignores the ‘agrees with, employs, or conspires with’ language of the clause”). Because “[t]he statute as worded does not include an intent standard,” the court considers whether Plaintiffs have alleged that Defendants “aided, agreed with, employed, or conspired with [Meta].” See St. Aubin, 2024 WL 4369675, at *7. Plaintiffs allege that Defendants chose to install Meta Pixel on their Web Properties and by installing Meta Pixel, Defendants assisted Meta with intercepting the PHI and PII of Defendants’ patients without their authorization.
California Confidentiality of Medical Information Act (CMIA)
The court allowed claims under the CMIA to proceed, finding that the plaintiffs plausibly alleged the disclosure of “individually identifiable” medical information—such as specific health conditions and treatments—alongside PII, in violation of the statute’s confidentiality requirements.
Invasion of Privacy (California Constitution)
The court held that plaintiffs had a reasonable expectation of privacy in their health information and that the alleged unauthorized disclosure to third parties for advertising purposes could constitute a “highly offensive” intrusion under California law.
Other Claims
- The court dismissed claims under the Comprehensive Computer Data Access and Fraud Act (CDAFA), the California Consumer Records Act (CRA), and for trespass to chattels, but granted plaintiffs leave to amend these claims.
- Claims for unjust enrichment and under California’s Unfair Competition Law (UCL) were allowed to proceed, as plaintiffs plausibly alleged they paid for medical services with the expectation of confidentiality, which was not provided.
- The court found that the ECPA’s “party exception” did not bar the claim because plaintiffs plausibly alleged the provider intercepted communications for the purpose of violating HIPAA, triggering the statute’s “crime-tort exception.”
Statute of Limitations
The court declined to dismiss claims as time-barred, finding that the plaintiffs’ allegations supported application of the delayed discovery rule, given the alleged surreptitious nature of the data disclosures.
JANE DOE, et al., Plaintiffs, v. TENET HEALTHCARE CORPORATION, et al., Defendants. Additional Party Names: Desert Reg’l Med. Ctr., Inc., Drs. Med. Ctr. of Modesto, Inc., Meta Platforms, Inc., Twin Cities Cmty. Hosp., Inc., No. 1:23-CV-01106-DC-CKD, 2025 WL 1635956, at *13-15 (E.D. Cal. June 9, 2025).
