Hospital's use of Meta's Pixel, despite promise to keep data private, plausibly deceptive

Mekhail v. North Memorial Health Care, --- F.Supp.3d ---- , 2024 WL 1332260, No. 23-CV-00440 (KMM/TNL) (D. Minn. Mar. 28, 2024)

Mekhail alleged that North’s use of a piece of hidden software on its websites (a pixel developed by Meta) surreptitiously tracked, collected, and monetized various aspects of her online activity, including sensitive medical information protected by law. Although she alleged violations of the federal and Minnesota wiretap statutes and the Minnesota health records statute (which all survived the motion to dismiss), I’ll focus on claims under the Minnesota consumer fraud statute, the Minnesota deceptive trade practices statute, and common law claims of invasion of privacy and unjust enrichment.

Mekhail alleged that North’s public-facing website, which publicly offers information about medical issues and the health care resources provided by North, and its password-protected “patient portal,” which contains personal medical information, including patient records, appointment booking, and test results, both used the pixel to surreptitiously track, collect, and transmit her online activity, including page views, clicks, search terms, and so forth. This information was then allegedly collated by Meta and eventually used to craft targeted advertising to Mekhail related to her web activity.

Minnesota Consumer Fraud Act: The MCFA prohibits the “act, use, or employment by any person of any fraud, false pretense, false promise, misrepresentation, misleading statement or deceptive practice, with the intent that others rely thereon in connection with the sale of any merchandise.” Mekhail has failed to allege a misrepresentation in connection with merchandise, as required by the statute. The alleged misrepresentation was North’s statement that it “protect[s] health and medical information as required by federal and state privacy law.” At oral argument, counsel offered the theory that the “exchange of data” between Mekhail and North represented an intangible good or commodity, but the complaint only referred to North’s medical services. And Mekhail didn’t allege that there was a misrepresentation made by North in connection with its provision of any medical services. She alleged a misrepresentation related to data privacy, “but North is not in the business of providing data privacy services.”

The Minnesota Unfair and Deceptive Trade Practices Act  prohibits the use of “deceptive trade practices” in the course of business, vocation, or occupation, which include “caus[ing] likelihood of confusion or of misunderstanding as to ... certification of goods or services,” “engag[ing] in (i) unfair methods of competition, or (ii) unfair or unconscionable acts or practices,” and “engag[ing] in any other conduct which similarly creates a likelihood of confusion or misunderstanding.”

North allegedly made numerous statements that it protected patients’ medical privacy and health data. North disputed that anything shared with Meta was protected health data and also argued that some of allegedly deceptive statements are linked to the Privacy Policy, which (allegedly) states that North “may disclose information to third parties who act for us or on our behalf.” But that wasn’t enough at the pleading stage to overcome the allegations of the complaint.

Article III standing: MUDTPA’s only remedy was injunctive relief for a “person likely to be damaged by a deceptive trade practice.” This showing of likely future harm that is seemingly “indistinguishable from Article III’s threat-of-future-harm requirement for injunctive relief.”

Mekhail alleged that there were two likely future harms: where new data is taken from her by the Pixel, and where the data already taken by the Pixel is used in newly harmful ways. This first scenario was “in obvious tension” with the fact that she was, by her own allegation, a “former patient” of North. However, she argued that she could become a patient again, especially in an emergency situation. This was somewhat tenuous, but nonetheless,

there are real and undeniable scenarios in which Ms. Mekhail, despite her best efforts, becomes a patient again of North. And it is not clear to the Court that Ms. Mekhail could ever truly quantify the likelihood of such a scenario. After all, a medical emergency, like that contemplated in the pleadings, can arise as real and immediately as tomorrow or, with any luck, may never occur. It is simply not within Ms. Mekhail’s capacity to plead the kind of concrete likelihood typically required by our standing cases.

In addition, because she was once a patient, North allegedly has records of past treatment and appointments. Thus, she may have to use the patient portal even if she does not return as a patient. “If she needs to obtain or review her own medical records from North using the portal (surely the quickest and least burdensome way) she would once again be exposed to harm from the allegedly deceptive practices.”

But the second theory was stronger: “her data, already collected by the Pixel, remains beyond her control and may be used in harmful ways.” The complaint sufficiently pled a likelihood of future harm, if not a likelihood of future deception. To find no standing would deprive federal plaintiffs of the remedy the statute set out. Nonetheless, she would need to do more to actually obtain injunctive relief.

Invasion of privacy based on publication of private facts and intrusion upon seclusion: There wasn’t a sufficiently public dissemination of her health data for the first theory. But an intrusion by North cannot be plausibly alleged because Mekhail conceded that it was Meta (or Meta’s Pixel), rather than North, that made the interception.

Unjust enrichment claims survived.