Four federal courts issued decisions in August involving claims that healthcare companies violated the Electronic Communications Privacy Act (ECPA) by deploying tracking technologies—such as the Meta Pixel and Google Analytics—on their websites.[1] The decisions highlight an emerging split on what it takes to invoke the ECPA’s “crime-tort exception,” and provide important guidance for healthcare organizations operating online.

ECPA’s Crime-Tort Exception in Healthcare Tracking Litigation

The ECPA generally prohibits intercepting electronic communications but contains an exception for parties to the communication—unless the interception is “for the purpose of committing any criminal or tortious act.” Plaintiffs in these cases typically allege that healthcare providers violate HIPAA by disclosing individually identifiable health information to third parties, thereby triggering the crime-tort exception and exposing themselves to ECPA liability.

Illinois Courts: Split Outcomes on the Crime-Tort Exception

In two of the three Illinois cases, the court found the plaintiffs had pleaded enough to invoke the crime-tort exception. One court denied a motion to dismiss where the plaintiff alleged that an urgent care provider’s website transmitted her protected health information—such as her patient status, health conditions, and treatment locations—to Meta and Google, and that the provider did so to gain financial benefit from targeted advertising. The court found the complaint adequately alleged a HIPAA violation (the underlying “crime” or “tort” for ECPA purposes) and rejected arguments that financial motivation negated the crime-tort exception.

Another Illinois court, however, dismissed the ECPA claim for lack of specificity. The court provided a “rough analogy” to explain what action is lawful and what is actionable:

“When deciding whether a plaintiff has plausibly alleged that IIHI was obtained and improperly disclosed via a pixel tracker, courts seek to distinguish between tracking data derived from healthcare provider websites generally and tracking data which both relates to a specific individual’s health and reasonably can be used to identify that individual. As a rough analogy, the dividing line is somewhere between precise geolocation data showing that an individual ate in a hospital’s cafeteria and such data showing that an individual was in their primary care physician’s examination room—the latter could be the basis of a HIPAA violation; the former is probably just lunch.”

Turning to the facts of the case before it, the court found the plaintiff’s allegations about using a hospital’s website to find physicians, research treatments, or use a patient portal were too vague. The court emphasized that to plausibly allege a HIPAA violation, plaintiffs were required to provide details about what information was actually disclosed and how it related to their individual health status. The plaintiff’s general assertions that patient status or portal usage was shared, without specifics, were insufficient.

A third Illinois decision—this time involving a medical device manufacturer—also dismissed the ECPA claim. This court found that simply browsing a website or requesting a free trial of a device did not plausibly allege disclosure of protected health information under HIPAA. The court distinguished between patients interacting with their healthcare provider’s portal and consumers seeking product information, and held that the latter scenario was too attenuated to support ECPA liability, noting that expressing interest in a free trial is “a step removed from the kind of medical information disclosed between a patient and their healthcare provider.”

Washington Decision: Some Claims Survive, But Specificity Remains Key

The fourth decision, from Washington, involved a medical provider specializing in addiction treatment. The plaintiff alleged they visited the website both to complete an online assessment and to request an appointment, and that these events were sent to Meta. The court found the plaintiff’s allegations sufficient to invoke the crime-tort exception, finding the “results of Plaintiffs’ addiction survey are plausibly PHI when coupled with Plaintiffs’ requests for appointments.” The court rejected arguments that the plaintiffs’ claims failed for lack of “consumer transaction” or because the privacy policy provided adequate notice, and allowed the ECPA claim to proceed. The court nevertheless dismissed the negligence and implied contract claims where the allegations did not support actionable damages or contract formation.

Takeaways for Healthcare Website Operators

These decisions reinforce that the outcome of ECPA claims in the healthcare context often turns on the specifics of what is alleged: what information was disclosed, how it was linked to individual users, and whether the facts plausibly allege a HIPAA violation. Healthcare website operators can reduce litigation risk—and strengthen their defenses—by:

  • Auditing tracking technologies: Periodically check what third-party cookies, pixels, and other tools are on your website and what information you get from those tools. Consider limiting the use of third-party pixels or analytics tools on pages where patients may share health or identifying information, especially appointment scheduling or patient portal functions.
  • Enhancing consent and disclosures: Ensure privacy policies and cookie banners clearly disclose what information is collected, how it is used, and with whom it is shared. Make users actively consent to data sharing, especially for sensitive information.
  • Segmenting website content: Separate general informational pages from patient-specific functions and avoid embedding tracking tools on pages where users enter or access health information.
  • Maintaining robust documentation: Keep records of privacy policy versions, user flows, and technical configurations to support arguments about user notice and consent if challenged.
  • Responding to complaints with specificity: If sued, work with your outside counsel to scrutinize the plaintiff’s allegations for vagueness or lack of detail regarding what information was disclosed and how it constitutes protected health information.
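
One way to carry out the auditing and segmentation checks in the list above, as an added example that is not part of the original post: the script scans page HTML for Meta Pixel and Google Analytics loaders and flags any that appear on patient-facing paths. The path prefixes and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by the two tools the post names (Meta Pixel, Google Analytics).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google tag (gtag.js/GTM)",
    "www.google-analytics.com": "Google Analytics",
}
# Assumption: path prefixes where patients enter or access health information.
SENSITIVE_PREFIXES = ("/portal", "/appointments", "/assessment")

class TrackerFinder(HTMLParser):
    """Collects tracker hosts from src attributes and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.hosts, self.in_script = set(), False

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        src = dict(attrs).get("src") or ""
        host = urlparse(src, scheme="https").netloc.lower()
        if tag in ("script", "img", "iframe") and host in TRACKER_HOSTS:
            self.hosts.add(host)

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        # Pixels are often injected by an inline loader, so scan script text too.
        if self.in_script:
            self.hosts.update(h for h in TRACKER_HOSTS if h in data)

def audit(pages):
    """Return sorted (path, tool, on_sensitive_page) findings for {path: html}."""
    findings = set()
    for path, html in pages.items():
        finder = TrackerFinder()
        finder.feed(html)
        finder.close()
        sensitive = path.startswith(SENSITIVE_PREFIXES)
        findings.update((path, TRACKER_HOSTS[h], sensitive) for h in finder.hosts)
    return sorted(findings)

# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "/about": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>',
    "/appointments/new": "<form></form><script>!function(f,b,e,v){}(window,document,'script',"
                         "'https://connect.facebook.net/en_US/fbevents.js');</script>",
    "/portal/login": "<form><input name='user'></form>",
}
```

A finding whose third field is `True` marks a tracker on a page where patients may share health or identifying information; static HTML scanning misses tags injected at runtime by a tag manager, so pair it with a review of the tag manager's own configuration.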

As the wave of pixel and tracking litigation continues, these recent decisions provide a roadmap for both risk mitigation and early litigation strategies for healthcare companies operating online.


[1] Notably, three of these decisions came from Illinois, suggesting that plaintiffs’ counsel may be experimenting with the Illinois courts for these types of privacy class actions.