In early October, a federal court in the Northern District of Illinois refused to dismiss a privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025). At the same time, however, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in more ECPA suits being brought against website operators in the healthcare sector.
ECPA and HIPAA Background
The ECPA imposes criminal and civil liability on persons who “intentionally intercept[] . . . any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a), (4); § 2520. A party is not liable under the ECPA unless they intercept the communication “for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State,” such as disclosing individually identifiable health information in violation of HIPAA. § 2511(2)(d). HIPAA criminalizes “knowingly . . . disclos[ing] individually identifiable health information to another person.” 42 U.S.C. § 1320d-6(a)(3). Individually identifiable health information includes “any information” that “is created or received by a health care provider” and “relates to the past, present, or future physical or mental health or condition of an individual, [or] the provision of healthcare to an individual” and “identifies the individual” or “with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” § 1320d(6).
Plaintiff’s Allegations
Plaintiff alleges that the University of Chicago Medical Center (UCMC) disclosed her individually identifiable health information and therefore violated HIPAA, subjecting UCMC to liability under the ECPA. UCMC operates a non-profit hospital network and maintains a public website to communicate with patients. Patients can log in to UCMC’s MyChart patient portal from its public website.
In her Complaint, Plaintiff claims that UCMC deploys third-party computer code from Meta Platforms on its public website. Every time a patient clicks on a page within UCMC’s public website, the collection tools link the patient’s identity to the communication and transmit the data to Meta for commercial use. The tools capture and transmit a website visitor’s IP address, Facebook ID, cookie identifiers, device identifiers, and account numbers, among other things.
Clicks on the login button for the MyChart patient portal from the public website are captured in this button-clicking data transmitted to Meta as well. Plaintiff claims that UCMC disclosed her individually identifiable health information when it transmitted that she used UCMC’s website to log in to the MyChart patient portal, revealing her status as a patient at UCMC. Plaintiff also alleges that UCMC disclosed her individually identifiable health information by disclosing her visit to UCMC’s “find-a-physician” page and by disclosing general information about the webpages she viewed related to her medical providers, conditions, and treatments.
Court Denies UCMC’s Motion to Dismiss, Finding That UCMC Disclosed Individually Identifiable Health Information
The court denied Defendant’s Motion to Dismiss, holding that Plaintiff plausibly alleged that UCMC intentionally intercepted her communications with UCMC’s public website. The court held that Plaintiff’s act of clicking the login button on the public website for the MyChart patient portal sufficiently identified her as a patient. The act of clicking “login” on the public website, when combined with individual identifiers such as an IP address or a Facebook ID, can reveal patient status, qualifying as individually identifiable health information and falling within the ambit of HIPAA. Although UCMC argued that Meta’s data collection tools were not installed on the MyChart portal itself, the court found that the presence of data collection tools on the public website alone was enough to identify Plaintiff as a patient.
The court limited its holding to the button-click data from the MyChart portal. In finding that Plaintiff did not plausibly allege that UCMC disclosed her individually identifiable health information through the disclosure of the “find-a-physician” click and her general browsing of webpages related to her providers and conditions, the court reasoned that the transmission of this button-click data did not convey individually identifiable health information. The court explained that general information accessed on a publicly accessible website stands in “stark contrast” to patient records, patient status, and medical histories. Plaintiff failed to allege that UCMC disclosed that she accessed information about specific doctors or conditions, breaking the connection between her sensitive medical status and the information actually disclosed. The court emphasized that “what matters is whether the information ‘provides a window into an individual’s medical history.’” Here, mere disclosure of data revealing that Plaintiff clicked and viewed non-specific webpages related to her providers, conditions, and treatments does not amount to individually identifiable health information. The court also denied UCMC’s Motion for Summary Judgment and granted UCMC’s Motion to Strike Plaintiff’s class allegations based on contractual issues.
Ultimately, given the court’s holding regarding the MyChart patient portal button-click data, this decision broadens liability under the ECPA. The disclosure of a single click on a login button on a public website can subject a website operator to ECPA liability because that click can reveal an individual’s patient status. The court also explicitly left the door open for future claims under the ECPA, warning that information collected from a webpage—like clicks related to a patient’s medical providers, conditions, and treatments—could amount to the disclosure of individually identifiable health information if more specifically pled. Although a fact-specific decision, the principles set forth in this opinion will undoubtedly guide consumer privacy litigations going forward.
