LitLand is a monthly feature that reviews developments in litigation as they relate to privacy matters and highlights any past, current, and future cases about which you should know.

Dinerstein v. Google is the latest high-profile privacy case to be dismissed by a federal district court due to the plaintiff’s failure to show quantifiable harm or damages. Interestingly, and unlike the majority of predecessor privacy lawsuits, the court here found that plaintiff had sufficiently alleged injury to support standing on all but one of his claims—notwithstanding the absence of any tangible harm—but ultimately dismissed the case in large part for failure to state a claim that adequately alleged that defendants caused him economic damage.

The mixed decision by the court extends the line of plaintiff-friendly Article III decisions for privacy lawsuits that we have seen emerging from the 7th Circuit and further widens the circuit split on evaluating standing that has not been adequately addressed by the U.S. Supreme Court.

Background

The class action (which we previously covered here) arose out of the events surrounding a partnership between Google and University of Chicago (U. Chicago) to research machine learning as a mechanism to “identify patients’ health problems and predict future medical events.” As part of the project, U. Chicago shared de-identified electronic health records (EHRs) of every adult patient “who used the University’s outpatient, inpatient, or emergency services between January 1, 2010 and June 30, 2016.”

Plaintiff was treated twice by U. Chicago during that period. He alleged that among the data shared with Google were “free-text notes” that were not sufficiently redacted or anonymized, in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which limits the sharing of “individually identifiable health information,” referred to as protected health information (PHI), thereby risking re-identification by Google, which possessed information about individuals obtained through its other services.

Dinerstein “assert[ed] several causes of action on behalf of himself and the class: Against [U. Chicago] . . . claims for violating the Illinois Consumer Fraud and Deceptive Business Practices Act [“ICFA”] (Count I), breach of express contract (Count II), breach of implied contract (Count III), and unjust enrichment (Count VII). Against Google . . . claims for tortious interference with contract (Count IV) and unjust enrichment (Count VI). And a claim for intrusion upon seclusion against both Defendants (Count V).”

Google and U. Chicago both filed motions to dismiss in August 2019, contending that Dinerstein lacked standing and had failed to state a claim upon which relief can be granted.

The Decision

The court found that plaintiff had met the standing requirement for his contract and common law claims but had pled insufficient injury for the statutory claim; it ultimately dismissed all the claims on state law grounds.

Standing

Dinerstein alleged three specific injuries:

  • (1) Violation of an express contract which guaranteed that “all efforts” would be made to protect his privacy with notice given prior to the lawful (state and federal) use of his information;
  • (2) Invasion of privacy for the sharing of his information with Google; and
  • (3) “[T]he alleged theft of his medical information, which he insist[ed] ha[d] commercial value and is something he has a legal interest in.” 

With respect to the contract claims, while it was a “close call” whether “alleging breach of contract—without actual damages—is enough to confer standing,” ultimately the decisions in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) and J.P. Morgan Chase Bank, N.A. v. McDonald, 760 F.3d 646 (7th Cir. 2014) supported the common law “proposition that a plaintiff may sue for breach of contract even where the breach resulted in no harm.”

Similarly, with the invasion of privacy claims, the court relied on a 7th Circuit case brought under the Illinois Biometric Information Privacy Act (BIPA) that was not cited by the parties, Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020), to find that the common law permitted such invasion-of-privacy suits where private information was revealed to a third party, satisfying the injury requirement for standing. This is an interesting argument by the court since, as we discussed in our initial coverage of this case, HIPAA and Illinois’ Medical Patient Rights Act (MPRA) do not confer a private right of action, unlike BIPA.

“Neither Congress nor the Illinois legislature has elevated violations of HIPAA or the MPRA to the status of concrete, de facto injuries. A plaintiff does not ‘automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right,’” citing Spokeo. However, here the court determined “invasion of Plaintiff’s privacy is an injury-in-fact that can support standing” for plaintiff’s common law intrusion-upon-seclusion claim.

The court also dismissed the ICFA claim because the statute requires a showing of actual damages, and the most plaintiff could assert was that “he may have gone to a different hospital or paid less for his treatment” (an “overpayment theory” insufficient for standing in the 7th Circuit).

Finally, the court rejected the value of medical information as an element of his claimed damages because neither HIPAA, the MPRA, nor common law “create[] a property interest in health data.”

Failure to State a Claim

After the standing analysis, the court conducted a 12(b)(6) analysis for each remaining claim and dismissed them all.

  • Express Contract, Implied Contract, and Tortious Interference: Dinerstein alleged that U. Chicago’s disclosure to Google “violated four terms of the express contract:

    (1) that ‘all efforts’ would be made to protect his privacy, (2) that any use of his medical information would comply with federal law, (3) that any use of his medical information would comply with state law, and (4) that it would comply with the” Notice of Privacy Practices furnished by the hospital.

    Although the court found that Dinerstein adequately alleged a material breach of contract, “none of his theories for money damages is adequate.” The court rejected his damage theory that he “overpaid” for services or, alternatively, that he was owed a “reasonable royalty for the use of his PHI.”

    The implied contract claim was dismissed because of well-established precedents that an implied contract claim “cannot coexist with an express contract on the same subject.” And the tortious interference claim was dismissed because plaintiff failed to show any intent on the part of Google to harm him, one of the elements of the tort.
  • Intrusion Upon Seclusion: The court dismissed this claim because Dinerstein’s assertions regarding U. Chicago’s disclosures to Google were unlike past examples of the tort as established by the Illinois Supreme Court, such as “invading someone’s home; an illegal search of someone’s shopping bag in a store; eavesdropping by wiretapping; peering into the windows of a private home; and persistent and unwanted telephone calls.” The court noted that “the core of this tort is the offensive prying into the private domain of another” and that “[t]he basis of the tort is not publication or publicity.”

    Recognizing that disclosures of private information do not support his theory, the plaintiff reframed his intrusion-upon-seclusion claim as “breach-of-confidentiality.” While some courts in states other than Illinois have recognized such a tort, Illinois has not, and the court “decline[d] the invitation” to recognize the claim while sitting in diversity.
  • Unjust Enrichment: The unjust enrichment claim was dismissed as it rested upon the same alleged improper conduct as in the other claims. Because those claims were dismissed, his unjust enrichment claims were dismissed as well.

Takeaway

The Dinerstein decision serves as a reminder to potential plaintiffs of the difficulty of prevailing in privacy lawsuits. Standing may not be the death knell it once was, but so long as the harm remains intangible and the statute does not confer a private right of action, potential plaintiffs will still face a hurdle in recovering for alleged injuries.

That said, sharing de-identified health data may still cause problems under HIPAA which, as stated by the Dinerstein court, does not provide a private right of action, so the Office for Civil Rights within the U.S. Department of Health & Human Services would have to take up the fight.

Per his attorney, the plaintiff intends to appeal the court’s decision.