
Tuesday, October 29, 2024

Hospitals may track patients online and sell their data without violating state wiretap law, high court rules

Mike MacKenzie (via Flickr) CC BY 2.0
State wiretap law does not prevent hospitals from tracking patients on the web and selling their data, the Massachusetts Supreme Judicial Court ruled last week.

The plaintiff is a patient at two hospitals in the Beth Israel Lahey Health network. As the court explained the facts, the plaintiff "reviewed information available to the public on the hospitals' websites regarding doctors (including their credentials and backgrounds) and medical symptoms, conditions, and procedures." Without her consent, the hospitals shared the plaintiff's browsing data with third parties to generate revenue from targeted advertising.

The plaintiff sued under state wiretap law and got some traction in the lower courts, where the theory has bubbled up in other cases, too. The high court ended the trend, though, ruling that the state wiretap law, which threatens criminal penalties such as imprisonment, while reaching interpersonal communications such as telephone calls and email and text exchanges, was not intended to reach persons' interactions with websites.

The 47-page majority opinion by Justice Scott L. Kafker drew a vigorous and almost as lengthy dissent from Justice Dalila Argaez Wendlandt, who accused the hospitals of lying to patients in their pledges of confidentiality and argued that the alleged misconduct falls squarely within legislative intent in prohibiting the interception of electronic communication.

I won't belabor the back and forth, as ample commentary already has been published about the case (e.g., JD Supra, Commonwealth Beacon, Bloomberg, National Law Review, Law360 (subscription), Massachusetts Lawyers Weekly (subscription)), and there is plenty more to come. Rather, I will comment only that the decision reflects the sorry state of privacy law in the United States.

The majority and dissent both make defensible arguments. I come down with the dissent on the technical merits of what the wiretap law was designed to prevent, i.e. "the spirit of the law," regardless of whether the legislature could have foreseen web surveillance. At the same time, the majority is right that the legislature likely would not have wanted to imprison every actor engaging in the kind of web surveillance that has become pervasive in our online society.

The missing link between the two positions is the meaningful data protection law that the United States still doesn't have, and which Americans want and expect, while almost three decades have passed since the European Union Data Protection Directive. The later General Data Protection Regulation (GDPR) has been in force for six years.

Wiretap law was once the stuff of political intrigue, à la Watergate. The Massachusetts statute characteristically dates to the 1960s. Just as the advent of the internet made media law again hotly relevant to society, so wiretap law found new life in the electronic era. Courts had little difficulty transposing the law of wired telephone surveillance to wireless cell phones and electronic communication media such as email and texts. Even the U.S. Supreme Court got in on the action.

That's why I think Wendlandt has the better argument on the technical merits, by the way. The majority's distinction of interaction with a person or a website, when there are persons receiving surveillance data from the website, seems meaninglessly formalistic.

With electronic communication burgeoning in the internet era and electronic interception easier to accomplish without the need for specialized hardware, wiretap laws have been repurposed to do more work than they were designed for, becoming a key tool in the personal privacy arsenal.

The problem in tort law, to oversimplify modestly, always has been what Professor Daniel Solove termed "the secrecy paradigm." The common law of privacy torts, which also emerged largely in the 1960s, was not designed to handle the nuances of an online world. Rather, tort law, like the Fourth Amendment right against search and seizure, focused on secrets kept. A person might resort to the law to protect an intimate secret shared with a spouse. But the person who discloses financial information to a bank has forfeited legal privacy.

Intimate space is not the theory of privacy that animates data protection in Europe and most of the rest of the world. In the theory abroad, the human right of privacy flows forward with personal data as they are handed off from person to person and corporation to corporation. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) provides a modicum of privacy protection in this vein, but the circumstances in which it pertains are extremely narrow—web activity is not protected health information, and a web host is not a healthcare provider—and it authorizes no private right of action for violation.

In the absence of a legal model of downstream privacy preservation in the United States—notwithstanding a perplexing emerging plethora of competing state laws, if usually limited to commercial contexts; Massachusetts has been working on joining the pack, but has not yet—wiretap law has been unexpectedly instrumental to protect personal privacy in a narrow class of cases, because wiretap law focuses on the misconduct of clandestine surveillance rather than on the purportedly private nature of the intercepted content.

To be fair to the Massachusetts majority, though, such use of anachronistic wiretap law takes us down a road of ever more speculative application as the electronic avatar increasingly becomes an embodiment of personal identity. Electronic tools such as Google Analytics watch our every word. And we don't necessarily want to stop that wholesale. The other day, I watched a dated TV movie that Amazon thought I would like, and it was right. Time travel, Ireland, and Jane Seymour? Drop everything.

Notwithstanding which side in the instant case has the better argument in statutory interpretation, the legal response to the problem presented, that is, surveillance of web usage for the relatively innocuous if mercantile purpose of advertising, would arise better from business regulation than from common law or statutory torts.

Alas, if I had the magic potion that would make our broken Congress favor consumer protection over corporate profits, I would be running for President.

The case is Vita v. New England Baptist Hospital, No. SJC-13542 (Mass. Oct. 24, 2024).

Tuesday, January 25, 2022

Hospital BAC disclosure prompts tort privacy claims

Photo by Marco Verch (CC BY 2.0)
The federal district court in Montana in December refused to dismiss an informational privacy claim against police, highlighting the space for state law to effect personal privacy protection in the United States.

Plaintiff Harrington was hospitalized after police found her unresponsive in her parked car. In the complaint, she alleged that sheriff's deputies "joked about her incapacitated condition and played along when nurses asked them to guess her blood alcohol content" (BAC). A nurse thereby disclosed Harrington's BAC, and, the complaint alleged, deputies then coaxed the record from a doctor. Harrington was charged with driving under the influence.

Subsequently, Harrington sued county officials and Madison Valley Hospital, the latter on theories of state statutory information privacy and common law invasion of privacy, negligence, and negligent infliction of emotional distress. The hospital sought dismissal on grounds that the federal Health Insurance Portability and Accountability Act (HIPAA), cited by the plaintiff in the complaint, affords no private right of action.  The federal district court, per Chief Judge Brian Morris, denied the motion to dismiss, recognizing that while HIPAA does not itself authorize private enforcement, it also does not preclude state law from providing greater privacy protection.

The case caught my attention because its facts point to something for which I've advocated, the use of tort law to fill gaps in informational privacy protection in the United States.  The law has not kept up with Americans' expectations of privacy, much less the norms of the world, but the common law should be sufficiently dynamic to reflect the evolving social contract.  I see drift in this direction in the expansion of medical fiduciary duty in emerging precedents in the states, such as Connecticut's Byrne v. Avery Center for Obstetrics & Gynecology, P.C., in 2018.

A theory as tenuous as negligent infliction of emotional distress, "NIED," can't usually stand on its own.  And tortious invasion of privacy has a poor track record in protecting personal information that is already in limited circulation.  However, paired with a medical provider's fiduciary duty and bolstered by a privacy violation recognized in regulation, either tort theory might be ripe for redefinition.

The case is Harrington v. Madison County, No. 2:21-cv-00015 (D. Mont. Dec. 6, 2021).  Hat tip to Linn Foster Freedman at Robinson+Cole's Data Privacy + Cybersecurity Insider.

Tuesday, April 7, 2020

First Circuit dismisses Mount Ida student class action, incidentally limits emerging data protection theory

Holbrook Hall, Mount Ida College, Newton, Mass. John Phelan CC BY 3.0
An angle in a recent First Circuit decision deserves a mention in U.S. data protection circles. I hadn't been aware of this angle of the case, so hat tip to attorney Melanie A. Conroy at Pierce Atwood in Boston for analyzing the case carefully in The National Law Review.

The First Circuit affirmed dismissal in the ugly and unfortunate matter of Mount Ida College students' class action against the school after its abrupt closure and sale to the University of Massachusetts system.  Conroy's rundown on the case is thorough.  I want only to highlight one important point: the court refused to recognize, in Massachusetts law, a fiduciary duty owed by university to student.

The decision comports with multistate norms, but is nonetheless important in limiting an emerging doctrine of data protection in U.S. common law tort.  State courts that have recognized something like a data protection right in civil cases have used fiduciary duty to bootstrap their way there.

American common law invasion of privacy is too stringent to get the job done, that is, to articulate a data protection right, for various reasons.  One reason is its incorporation of what Professor Daniel Solove termed "the secrecy paradigm": information must be kept secret to remain secret.  Thus, I cannot complain when my bank tells someone about my financial transactions, because I already let my bank know about them.  My resort must be to banking privacy law, by statute.  And there arises the second problem for privacy plaintiffs: statutes are too stringent to get the job done.  I might be unhappy if my employer divulges information about my psychiatric condition to my insurer, but neither one of them is a healthcare provider covered by the federal patient privacy law ("HIPAA"), which does not (directly) provide for a cause of action anyway.

In 2018, the Connecticut Supreme Court bridged the common law gap from statutory insufficiency to actionable privacy claim by relying on the physician-patient duty of confidentiality.  In short, the court held, HIPAA + duty of confidentiality = protectible common law interest.  The court thereby allowed a woman to sue her ObGyn provider upon an allegation of breached confidentiality.  That duty of confidentiality is a form of fiduciary duty.  So a theory emerged of how U.S. common law might stumble its way to recognition of what the rest of the world, especially Europe, calls "data protection."

There are a lot of ways for us to start catching up with the rest of the world in recognizing people's right to personal data integrity; this is just one.  And it remains.  But it is limited by the scope of duties that might stand in for that second piece of the equation.  The Mount Ida case shows correctly that it will be harder for a plaintiff to get there against a business defendant that is not a professional, and the data held are financial information tangential to the nature of the relationship, here, educational.

The First Circuit aptly instructed Mount Ida students that if they wanted better protection for their personal information in state law, their remedy was with the state legislature.  The same can be said for Americans, data protection, and our torpid Congress.

The case is Squeri v. Mount Ida College, No. 19-1624 (1st Cir. Mar. 25, 2020).  U.S. Circuit Judge Lynch wrote for the panel, which also included Stahl and Kayatta, JJ.