Opinion
23-cv-4209-JES-JEH
08-21-2024
JANE DOE, individually and on behalf of herself, her minor son, J.D., and all others similarly situated, Plaintiff, v. GENESIS HEALTH SYSTEM, Defendant.
ORDER AND OPINION
JAMES E. SHADID, UNITED STATES DISTRICT JUDGE
Plaintiff Jane Doe brings this action on behalf of herself, her minor son, and a putative class of other individuals, who submitted personal information to the website and online platforms hosted by Defendant Genesis Health System (“Genesis”). Plaintiff, a long-time patient of Genesis, has filed an amended complaint asserting that Defendant encouraged her and other patients and potential patients (collectively, “patients”) to use the website and online platforms. Plaintiff claims that without their authorization, and unbeknownst to them, Genesis allowed third-party networking services, including Meta Platforms, Inc. d/b/a Meta (“Facebook” or “Meta”), Google, LLC (“Google”), DoubleClick, TVSquared, Adnxs, Akamai mPulse, Geonetric, and Wistia, and potentially others, access to their personally identifiable information (“PII”) and protected health information (“PHI”), through tracking technologies embedded on the Genesis website.
This matter is now before the Court on Defendant's Motion to Dismiss and accompanying Memorandum (Doc. 15), Plaintiff's Memorandum in Opposition (Doc. 17), and Plaintiff's Supplemental Authority (Doc. 18). The Court notes that in addition to its briefing, Plaintiff has filed a 41-page “Chart” of various disposition of motions to dismiss throughout the country. (Doc. 17-1). Each page contains numerous entries indicating that, in a Pixel case, defendant's motion to dismiss was denied. Plaintiff does not explain the facts, relate them to this case, or compare the law in these states to Illinois tort law. It is not the Court's job to review hundreds of cases and make Plaintiff's argument for her. In addition, this can be seen as an endrun around Local Rule 7.1(B)(4)(a), which places a page limit on responses to motions. As a result, (Doc. 17-1) was not considered by the Court.
For the reasons indicated herein, Defendant's Motion to Dismiss is GRANTED in part and DENIED in part. Plaintiff has leave to replead.
BACKGROUND
The following facts are taken from Plaintiff's amended complaint, which the Court accepts as true for the purposes of a motion to dismiss. Bible v. United Student Aid Funds, Inc., 799 F.3d 633, 639 (7th Cir. 2015). Plaintiff characterizes Genesis Health as one of the largest employers in the Quad Cities area, serving communities in Eastern Iowa and Western Illinois. Genesis provides online platforms for its patients' use; a public website and various web-based tools and services, from which patients can search for physicians, locate healthcare facilities, learn about specific health conditions and treatment options, pay bills, sign up for classes and events, and access the MyGenesis password-protected patient portal.
Plaintiff alleges that Genesis, for its own gain and without the consent of its patient users, embedded trackers from Facebook and other networking services on its online platforms. This included Facebook's Meta Pixel, a snippet of code that tracks the website interactions of users. Plaintiff claims that when a patient uses the site, the Meta Pixel tracks information about the user's device, including the IP address; and records the pages viewed, the buttons clicked, and the information submitted. The Meta Pixel transmits the information back to Facebook which can cross reference the recorded interactions with the user's Facebook ID, allowing the data to be linked with the user's Facebook profile.
Plaintiff asserts that Genesis has also used the Facebook Conversions Application Programming Interface (“CAPI”), which gathers information, not from the patient's device, but directly from Genesis's private servers. This information is relayed to Facebook and, as it does not go through the patient's web browser, it is undetectable to that individual and circumvents any ad blockers. In addition, Facebook and other networking entities place cookies in the visitors' web browsers enabling them to identify a user, track the user's internet browsing, and ultimately link the data to a Facebook ID.
Facebook and others amass large amounts of information through these processes, known as “data harvesting.” The third-party entities then build proprietary datasets, selling the information to others who use it for targeted advertising. With this information, advertisers can target a particular audience based on demographics and online activity. Plaintiff asserts that in 2019, Facebook generated nearly $70,000,000,000 in revenue by allowing targeted advertisers access to its data-harvested content. She claims that Genesis, too, benefited from this arrangement as it allowed Genesis to “retarget” viewers by directing ads specifically to Genesis patients based on information patients submitted through the online platform. This has allegedly resulted in more robust and cost-efficient advertising which, if it has not outright increased Genesis's profits, would presumably have lowered its costs.
The Plaintiff alleges that she and the putative class members used the online platforms without knowing that Genesis was disclosing their; status as medical patients, health conditions, physician searches, search queries related to symptoms and treatment options, medical treatment, class registration, and access to patient and billing portals. She pleads, specifically to herself, that Genesis has disclosed to Facebook her; identity, location, status as a patient, seeking of medical treatment, health conditions, and treatment sought. She additionally pleads that Genesis has disclosed information to Facebook related to her online activities on behalf of her minor son, J.D., in her search for doctors for J.D., her scheduling of telehealth appointments for him, and her efforts to find mental health services for him.
Plaintiff asserts that Genesis did this despite the assurances it made in its Notice of Privacy Practices, Privacy Policy, and Patient Rights and Responsibilities, which she collectively refers to as the “privacy policies.” The Notice of Privacy Practices states that Genesis may disclose PHI without authorization for: treatment purposes, payment, health care operations, and public health activities; and may disclose to law enforcement and for judicial and administrative proceedings. The Notice goes on to state that other than for these purposes, “we will only use or disclose your PHI with your written authorization” and “[m]ost uses and disclosures of PHI for marketing purposes will be made only with your written authorization.” (Doc. 1-2 at 2).
See (Doc. 1-2, 1-3 and 1-4)
The Privacy Policy informs visitors that its website and patient portal collect both personally identifiable and non-personally identifiable information, defined as follows. (Doc. 1-3).
A. Personally-Identifiable Information:
Through our website or Patient Portal application, we may collect information by which you may be personally identified, such as first and last name, home and email address, account password, telephone number, social security number, alternative names, or insurance information ("personal information"); Genesis Health System typically receives specific data about its Website visitors only when such information is provided voluntarily, such as when our visitors request information, purchase or enroll for services, arrange for scheduling, make donations, request patient portal access, provide resume information for employment opportunities, or send us e-mail. . . In most cases, you will be given the opportunity to select whether you do, or do not, want GenesisHealth System to use this information for additional purposes. You may also request that GenesisHealth System not use your
information by completing the form at genesishealth.com/dns however, Genesis Health System reserves the right, in its discretion, to send you bulletins and other important information about your Genesis Health System services.
B. Non Personally-Identifiable Information:
Genesis Health System gathers some information automatically about the Internet address assigned to your computer, the number and frequency of visitors, and the Genesis Health System sites visited. Genesis Health System gathers this information for the limited purpose of determining customer service and Web site needs. . . Genesis Health System does not combine information collected in this way with any personally-identifiable information. You can set your browser to notify you when you receive a cookie and you can refuse it. You can manage your local data storage settings in your in Options in your browser. If you disable or refuse cookies, please note that you may not be able to access portions of our Website.
The Privacy Policy also informs visitors that Genesis may disclose site visitors' aggregate non-identifying information “without restriction or authorization.” Id. at 3. It further informs that personal information can be disclosed:
•To comply with any court or administrative order, law, or legal process, including to respond to any government or regulatory request, demand, or subpoena.
•To enforce or apply our Terms of Use and other agreements, including for billing and collection purposes.
•If we believe disclosure is necessary or appropriate to protect the safety, rights, property of Genesis, our employees, or patients, including in an effort to work with third parties in mitigating fraud and credit risk.
We may disclose information to our successors, subsidiaries and affiliates, and to third parties who are contractually obligated to keep personal information confidential and use it only for the purposes set forth in the underlying contract.
The Patients' Rights and Responsibilities publication advises that patients may “expect that treatment records are confidential unless you have given permission to release information or reporting is required or permitted by law. (Doc. 1-4 at 2) (emphasis in original).
Plaintiff asserts that in addition to violating these policies, Genesis violated the Health Information Portability and Accountability Act (“HIPAA”), 42 U.S.C. § 1320(d) et seq. and Federal Trade Commission (“FTC”) regulations, 15 U.S.C. § 45(a). HIPAA provides in pertinent part, that it is a federal crime to knowingly disclose individually identifiable health information (“IIHI”) to third parties. IIHI is defined as information that:
relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and - (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individuals.1320(d)(6). Plaintiff also notes that the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights has published a Bulletin advising covered entities that the linking of PHI to identifying information, such as names, addresses, and phone numbers, violates HIPAA. The Guidance also instructs that a covered entity may not disclose an individual's status as a patient and may not sell PHI to a third party for the benefit of that third party.
See (Doc. 13 at 30), citing U.S. Department of Health and Human Services, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, https://www.hhs.gov/hipaa/forprofessionals/privacy/guidance/hipaa-online-tracking/index.html.
Plaintiff claims that because of Genesis's conduct she and the putative class have suffered monetary damages due to: loss of privacy; unauthorized disclosure of private information; unauthorized access to private information by third parties; and the use of her private information for advertising purposes, decreasing the value of the private information. She also alleges a lost benefit of the bargain; that the health care services for which she and the class members paid included reasonable privacy and data security protections which they did not receive. She pleads that since using Defendant's website she has been targeted with Facebook ads for Genesis Health and that she and class members have otherwise suffered embarrassment, humiliation, frustration, emotional distress; the decreased value of the private information; a lost benefit of the bargain; and increased risk of future harm resulting from further unauthorized use and disclosure of her information.
Plaintiff invokes the Court's subject matter jurisdiction under 28 U.S.C. § 1332(d) as a class action with more than one hundred (100) members in the proposed Class, where at least one member of the class is a citizen of a state different from Defendant and the amount in controversy exceeds the value of $5,000,000, exclusive of interest and costs. Plaintiff's amended complaint alleges Negligence (Count I); Negligence Per Se (Count II); Invasion of Privacy -Intrusion upon Seclusion (Count III); Invasion of Privacy - Disclosure of Private Facts (Count IV); Breach of Implied Contract (Count V); Unjust Enrichment (Count VI); Breach of Fiduciary Duty (Count VII); and Violation of the Illinois Consumer Fraud and Deceptive Practices Act (ICFA), 815 ILCS § 505/1 et seq. (Count VIII). Plaintiff requests compensatory and punitive damages, fees and costs, and a variety of equitable relief, including an injunction that Genesis cease the allegedly unauthorized disclosure of personally identifiable information.
Plaintiff seeks to represent a Nationwide Class (“Class”) of “All individuals who suffered the unauthorized disclosure of their Private Information to third parties through the Meta Pixel and related technology.” She also seeks to represent a Subclass of “All Illinois citizens who suffered the unauthorized disclosure of their Private Information to third parties through the Meta Pixel and related technology.”
Genesis has filed a motion to dismiss under Fed.R.Civ.P. 10(a), 12(b)(1) and 12(b)(6). The Rule 10(a) motion asserts that Plaintiff should not be allowed to proceed pseudonymously. In the Rule 12(b)(6) motion, Genesis claims that: Plaintiff's common law contract and implied contract claims are preempted by Illinois law; Plaintiff's negligence, negligence per se, breach of implied contract, and unjust enrichment claims are insufficiently pled and barred by the existence of an express contract; Plaintiff fails to sufficiently plead a claim for invasion of privacy; Genesis owed no fiduciary duty to Plaintiffs and the class to be liable for a breach; and Plaintiffs ICFA claim must be dismissed for several reasons, including the absence of actual damages. This lack of damages is also implicated in Genesis's' § 12(b)(1) claim that Plaintiff cannot allege an injury in fact to establish standing.
Rule 10(a)
This Rule requires that each case contain a caption, identifying the parties by name. “Anonymous litigation is disfavored and should be permitted only under exceptional circumstances.” Doe v. ProHealth Care, No. 23-0296, 2023 WL 2760644, at *1 (E.D. Wis. Apr. 3, 2023) (quoting Doe ex rel. Doe v. Elmbrook Sch. Dist., 658 F.3d 710, 722 (7th Cir. 2011) (internal citations omitted), overruled on other grounds by Doe ex rel. Doe v. Elmbrook Sch. Dist., 687 F.3d 840 (7th Cir. 2012). This, however, is a rebuttable presumption, and “fictitious names are allowed when necessary to protect ... particularly vulnerable parties.” Id. (quoting Doe v. Blue Cross & Blue Shield, 112 F.3d 869, 872 (7th Cir. 1997)).
In ProHealth Care, 2023 WL 2760644, at *1, the court allowed the Doe defendant to proceed under a fictitious name as the “publication of his real name alongside any of his improperly released PII and PHI would make him a prime target for ‘identity theft, medical identity theft, fraud and financial loss, discrimination, stigma, mental anguish and other negative consequences.'” The decision cited guidance from HHS where it warned that “an impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual's PHI.” Id. (citing Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates).
Defendant asserts, however, that Plaintiff's proceeding pseudonymously will “impedes public access to the facts of the case, which include the parties' identity,” citing Doe v. Rosalind Franklin Univ., 685 F.Supp.3d 684, 687-88 (N.D. Ill. 2023), where the court did not allow the moving party, an individual who had been expelled from the defendant university for sexual misconduct, to proceed under a fictitious name.
The Court has found Doe v. Cook Cnty., Ill., 542 F.Supp.3d 779, 784-85 (N.D. Ill. 2021), particularly instructive as the court identified more than a dozen issues to be considered in such a motion. Two of these considerations are particularly germane here; whether the case concerned a “highly sensitive and personal matter” and whether there was risk of prejudice to the opposing party. This case involves highly sensitive information, particularly Plaintiff's inquiries regarding her son's mental health treatment. As Plaintiff was the one who undertook these searches on Genesis's online platform, the disclosure of her identity would likely result in the disclosure of her minor son's identity as well. In addition, the Court notes that, while Genesis has objected to Plaintiff proceeding under a fictitious name, it has failed to identify any particular prejudice. As a result, Plaintiff will be allowed to proceed pseudonymously. Defendant will have leave to reassert, however, in the event this grant of leave impedes discovery or otherwise interferes with the proceedings.
STANDARDS
Rule 12(b)(1)
“Rule 12(b)(1) is the means by which a defendant raises a defense that the court lacks subject-matter jurisdiction.” Bazile v. Fin. Sys. of Green Bay, Inc., 983 F.3d 274, 279 (7th Cir. 2020); see also Fed.R.Civ.P. 12(b)(1). To establish standing, Plaintiff must sufficiently plead an “‘injury in fact'-an invasion of a legally protected interest which is (a) concrete and particularized;” an injury that is “fairly traceable to the defendant”; and likely to be “redressed by a favorable decision.” Lujan v. Defenders of Wildlife, 505 U.S. 555, 560-61 (1992); Sweeney v. Raoul, 990 F.3d 555, 559 (7th Cir. 2021). Genesis asserts that Plaintiff has not sufficiently pled an injury in fact or one fairly traceable to Genesis. This is a facial challenge to standing, as opposed to a factual challenge which alleges the lack of subject matter jurisdiction even where the pleadings are “formally sufficient.” Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015) (citation omitted). In a facial challenge, the court “accept[s] all well-pleaded factual allegations as true and draw[s] all reasonable inferences in favor of the plaintiff.” Prairie Rivers Network v. Dynegy Midwest Generation, LLC, 2 F.4th 1002, 1007 (7th Cir. 2021) (citation omitted);
To confer standing an injury must be “‘concrete'. . . ‘must actually exist' . . . ‘must be real,' not ‘abstract,' but not necessarily tangible.” Groshek v. Time Warner Cable, Inc., 865 F.3d 884, 886 (7th Cir. 2017) (quoting Spokeo, Inc., v. Robins, 578 U.S. 330, 340 (2016)). “Concrete' is not, however, necessarily synonymous with ‘tangible.' Although tangible injuries are perhaps easier to recognize, we have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete.” Id. In TransUnion, LLC v. Ramirez, 594 U.S. 413, 424-25 (2021), the Supreme Court found that intangible injuries may confer standing where they have “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” (internal citations omitted). See Florence v. Order Express, Inc., 674 F.Supp.3d 472, 480 (N.D. Ill. 2023) (‘“Certainly, a ‘disclosure of private information' is a concrete, albeit intangible, harm-one that has been traditionally recognized as providing a basis for lawsuits in American courts.'”) (quoting Lueck v. Bureaus, Inc., No. 20-2017, 2021 WL 4264368, at *4 (N.D. Ill. Sept. 20, 2021), in turn quoting TransUnion, 594 U.S. at 424-25; Smith v. Loyola Univ. Med. Ctr., No. 23-15828, 2024 WL 3338941, at *4 (N.D. Ill. July 9, 2024) (finding an injury in fact as “[t]he alleged disclosure of the plaintiffs' sensitive health information ‘has a close relationship to disclosure of private information, a common-law theory of harm.'”) (quoting Florence, 674 F.Supp.3d at 480).
Defendant asserts, however, that Plaintiff has not established an injury in fact as she has failed to specify what personal information of hers or her son's was transmitted from the Genesis website. In support, Defendant cites In re BPS Direct, LLC, __F.Supp.3d__, 2023 WL 8458245, at *13 (E.D. Pa. Dec. 5, 2023), where the court had found that consumers lacked standing for their claim that the defendant retailers had tracked their computer keystrokes and the webpages they visited. That court, however, specifically noted that the facts did not involve allegations that the retailers “shared highly sensitive personal information such as medical diagnosis information or financial data from banks or credit cards.” Id. at * 1. Defendant cites other cases where the transmittal of metadata was not found actionable. Smith v. Facebook, Inc., 262 F.Supp.3d 943, 954-55 (N.D. Cal. 2017), aff'd Smith v. Facebook, Inc., 745 Fed.Appx. 8, 9 (9th Cir. 2018); Kurowski v. Rush Sys. for Health, 683 F.Supp.3d 836, 843 (N.D. Ill. July 24, 2023). These citations are not persuasive as the Plaintiff here has alleged that in addition to metadata, Genesis disclosed class members' PII and PHI and that this could be linked to their Facebook IDs.
Standing has been found where plaintiffs' personal identifying information “including names, social security numbers, and driver's license numbers” had been disclosed in a data breach. Florence, 674 F.Supp.3d at 480. There, the court found that plaintiffs' alleged loss of privacy and need to pay mitigation costs conferred standing while their “emotional distress, anxiety, and annoyance” was not a concrete harm that gave rise to standing. Id. at 482. See Loyola, 2024 WL 3338941, at *4, (finding standing where the plaintiffs were targeted with ads after the unauthorized disclosure of their medical information).
The Court finds that the alleged disclosure of Plaintiff's status as a patient, her physician searches, her scheduling of telehealth appointments, and her identification of health conditions and the treatment sought for those conditions, on behalf of herself and her minor son; as well as her claims that she was subject to targeted ads as a result of the knowing and unauthorized transmission of her personal information, is sufficient to establish an injury in fact fairly traceable to Defendant. Id. at *4. As a result, she has standing to seek money damages and to move for injunctive relief as to any “risk of future harm.” Id. at *3 (quoting Ewing v. MED-1 Sols., LLC, 24 F.4th 1146, 1151(7th Cir. 2022) in turn citing TransUnion, 594 U.S. 435-36).
As Plaintiff has sufficiently pled facts to establish standing, Defendant's motion to dismiss is denied as to this issue. The Court will now consider Defendant's motion to dismiss under Rule 12(b)(6).
Rule 12(b)(6) Motion to Dismiss
“A Rule 12(b)(6) motion tests the complaint's sufficiency, not the merits of the case. Experiential Sys., Inc., v. Michael Reddish, No. 22-4789, 2023 WL 6311694, at *9 (N.D. Ill. Sept. 28, 2023) (citing Skinner v. Switzer, 562 U.S. 521, 529-30 (2011); McReynolds v. Merrill Lynch & Co., 694 F.3d 873, 878 (7th Cir. 2012)). When considering such motions, courts “view the complaint in the light most favorable to [plaintiff], accepting all well-pleaded facts as true and drawing all reasonable inferences in his favor.” Smith v. First Hosp. Labs., Inc., 77 F.4th 603, 607 (7th Cir. 2023) (citing Burke v. 401 N. Wabash Venture, LLC, 714 F.3d 501, 504 (7th Cir. 2013)). A court may grant a motion to dismiss under Rule 12(b)(6) only if a complaint lacks sufficient facts to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 679.
Although a facially plausible complaint need not give “detailed factual allegations,” it must allege facts sufficient “to raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555. “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678. These requirements ensure that a defendant receives “fair notice of what the . . . claim is and the grounds upon which it rests.” Twombly, 550 U.S. at 555. The required level of factual specificity rises with the complexity of the claim. “A more complex case ... will require more detail, both to give the opposing party notice of what the case is all about and to show how, in the plaintiff's mind at least, the dots should be connected.” Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010).
In addition, fraud claims, including those brought under the ICFA, must meet the heightened pleading standard of Federal Rule of Civil Procedure 9(b): “Fraud or Mistake; Conditions of Mind. In alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person's mind may be alleged generally.” See Benson v. Fannie May Confections Brands, Inc., 944 F.3d 639, 646 (7th Cir. 2019); Greenberger v. GEICO Gen. Ins. Co., 631 F.3d 392, 399 (7th Cir. 2011). In practice, this means that a plaintiff “must identify the ‘who, what, when, where, and how' of the alleged fraud.” Benson, 944 F.3d at 646 (quoting Vanzant v. Hill's Pet Nutrition, Inc., 934 F.3d 730, 738 (7th Cir. 2019)).
III. ANALYSIS
Claim of Breach of Contract and Breach of Implied Contract
Genesis suggests that Plaintiff has not pled the existence of an express contract, stating, “[i]nstead of alleging a breach of an express contract-i.e. a violation of the Privacy Policies and terms and conditions-Plaintiff's Complaint includes a litany of flawed claims against Genesis.” (Doc. 15-1 at 9). While Plaintiff's amended complaint contains an implied contract claim at Count V and does not have a dedicated express contract count, Plaintiff's amended complaint goes into great detail recounting the alleged promises made in the privacy policies. She has further pled that Genesis “made express and implied promises to protect Plaintiff and Class Members' Private Information and maintain the privacy and confidentiality of communications that patients exchanged with Defendant, including in its privacy policies and elsewhere.” (Doc. 13 at ¶ 22). In her briefing, Plaintiff references her “common law and implied contract claims” (Doc. 17 at 10) and asserts that she may plead express and implied contract as “alternative claims or theories,” id. at 19. In addition, Plaintiff appears to agree with Genesis that the privacy policies constituted a contract between them. Id. at 9 (“Moreover, Defendant made these unauthorized disclosures in violation of its express promises to Plaintiff contained in its privacy policies posted to its website . . .”. This is enough for the Court to recognize Plaintiff as asserting express, as well as implied, contract claims.
‘“Under Illinois law, the elements of a breach of contract cause of action are ‘(1) offer and acceptance, (2) consideration, (3) definite and certain terms, (4) performance by the plaintiff of all required conditions, (5) breach, and (6) damages.'” Dinerstein v. Google, LLC, 484 F.Supp.3d 561, 579 (N.D. Ill. 2020) (citations omitted), aff'd as modified, 73 F.4th 502 (7th Cir. 2023). Plaintiff has pled that as a result of the breach of these contractual promises, she and class members suffered injury including: “(i) invasion of privacy; (ii) loss of benefit of the bargain; (iii) diminution of value of the Private Information; (iv) statutory damages; and (v) the continued and ongoing risk to their Private Information.” (Doc. 13 at ¶ 27).
The parties do not dispute that Genesis's privacy policies amount to a contract and other courts have accepted this as well. See In re Arthur J. Gallagher Data Breach Litig., 631 F.Supp.3d 573, 598-99 (N.D. Ill. 2022) (finding an express contract where Plaintiff alleged that she “was offered and accepted the Terms of Use and Privacy Policy”); Kowalski v. Rush System for Health, 683 F.Supp.3d 836, 850-51 (7th Cir. 2023) (finding an express contract based on the “promises” Defendant made its portal's “terms and conditions). Genesis alleges, however, that Plaintiff's express contract claims cannot proceed as they are preempted by the Illinois Personal Information Protection Act (“PIPA”), 815 ILCS 530/1 et seq.
PIPA is a data breach statute that requires a covered entity, in the case of a data breach of “medical” and “personal” information, to send notice to the Illinois Attorney General and affected consumers. See §§ 530/5 and 530/10. Defendant asserts that the legislature's enactment of PIPA preempts Plaintiff's common law contract claims. (Doc. 15-1 at 17) (citing Cramer v. Ins. Exch. Agency, 675 N.E.2d 897 (Ill. 1996)). The controversy in Cramer arose in an insurance context. There, the court considered whether policyholders, alleging vexatious behavior on the part of an insurer, could proceed on a common law bad faith claim where 215 ILCS 5/155 of the Illinois Insurance Code provided a remedy for such behavior. There, the court determined it would not “recognize a new common law [bad faith] tort where the legislature has passed a statutory scheme providing a limited remedy.” Cramer, 675 N.D. 2d at 904. While the court in Cramer would not recognize a “new” common law tort redundant to the remedy provided under the Insurance Code, the contract claim presented here can hardly be characterized as a “new”
15 common law tort. Furthermore, the Illinois Appellate Court in Flores v. Aon Corp., __N.E.3d__, 2023 WL 6333957, at *5, found that PIPA does not preempt common law.
As the Court finds the common law contract claim is not preempted, it considers whether Plaintiff has sufficiently pled the claim. In the cited Kowalski case, the court found plaintiff had adequately pled a breach of contract where it was alleged that defendant made “a series of promises not to share or sell patients' personally identifiable information or their confidential health information without their consent . . . [but] routinely made such disclosures through its deployment of third-party source code on its web properties.” 683 F.Supp.3d. at 851 (finding that plaintiff “stated a claim for breach of contract whether or not those disclosures violate other privacy laws.”) (emphasis in original).
The Court finds that here, too, Plaintiff has sufficiently pled a breach of express contract as to the promises made in Genesis's privacy policies. This is enough for this claim to proceed, although the availability of non-economic damages may be in dispute. Dinerstein, 484 F.Supp.3d at 590-91 (“Illinois does not recognize emotional distress damages for breaches of contract, ‘except where the breach was wanton or reckless and caused bodily harm, or where defendant had reason to know, when the contract was made, that its breach would cause mental suffering for reasons other than mere pecuniary loss.” (quoting Parks v. Wells Fargo Home Mortg., Inc., 398 F.3d 937, 940-41 (7th Cir. 2005) (in turn quotingMaere v. Churchill, 452 N.E.2d 694, 697 (Ill.App.Ct. 3d Dist. 1983)).
Plaintiff also pleads the breach of an implied contract, the implied promise “to protect Plaintiff and Class Members' Private Information and maintain the privacy and confidentiality of communications that patients exchanged with Defendant[.]” (Doc. 13 at 8). Plaintiff alleges that she and the class members would not have provided their confidential PII to Genesis without this implied contract. Plaintiff also pleads an unjust enrichment claim in the alternative to the breach of implied contract.
Genesis responds that the implied contract claim must be dismissed as the privacy policies constitute an express contract between the parties. (Doc. 15-1 at 18) (citing Marcatante v. City of Chi., Ill., 657 F.3d 433, 440 (7th Cir. 2011) (“[A]n implied contract cannot coexist with an express contract on the same subject . . . [P]romises should not be found by process of implication if they would be inconsistent with express provisions that there is no reason to set aside or to hold inoperative.”) in turn quoting Maness v. Santa Fe Park Enters., Inc., 700 N.E.2d 194, 200 (Ill.App.Ct. 1st Dist. 1998) and Barry Mogul & Assocs., Inc. v. Terrestris Dev. Co., 643 N.E.2d 245, 253 (1994)). See also In re VTech Data Breach Litig., No. 15-10889, 2018 WL 1863953, at *3 (N.D. Ill. Apr. 18, 2018) (dismissing implied contract claim where the express contract's “online services terms cover[ed] the same subject-matter as the alleged implied contracts[.]”).
In response, Plaintiff cites Langston v. Mid-Am. Intercollegiate Athletics Ass'n, 448 F.Supp.3d 938, 954 (N.D. Ill. 2020) to support that she may plead breaches of express and implied contract in the alternative. However, Langston allowed an express contract claim based on a signed NCAA form agreement while the implied contract was based on the NCAA Constitution, bylaws and rules and regulations. Id. Plaintiff does not cite an Illinois case allowing claims for express and implied contracts arising from the same documents or promises. Defendant's motion to dismiss is GRANTED as to this claim.
Unjust Enrichment
Plaintiff asserts a claim for unjust enrichment, pled alternatively to the implied contract claim. “The theory of unjust enrichment is based on a contract implied in law. To recover under a claim for unjust enrichment, the plaintiff must allege that the defendant voluntarily accepted a benefit which would be inequitable for him to retain without payment.” Ramirez v. Smart Corp., 863 N.E.2d 800, 813-14 (Ill.App.Ct. 3d Dist. 2007) overruled on other grounds by McIntosh v. Walgreens Boots All., Inc., 135 N.E.3d 73 (Ill. 2019) (internal citations omitted). ‘“[A] plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit violates the fundamental principles of justice, equity, and good conscience.'” Lozada v. Advocate Health & Hosps. Corp., 2018 IL App (1st) 18-0320-U, ¶ 35, 2018 WL 7080045, at *7 (quoting HPI Health Care Servs., Inc. v. Mt. Vernon Hosp.,, Inc., 131 Ill.2d 145, 160 (1989)). ‘“Under Illinois law, unjust enrichment is not a separate cause of action. Rather, it's a condition brought about by fraud or other unlawful conduct.'” Gardner v Ferrara Candy Co., No. 22-1272, 2023 WL 4535906, at *8 (N.D. Ill. Mar. 22, 2023) (quoting Vanzant v. Hill's Pet Nutrition, Inc., 934 F.3d 730, 739-40)).
However, like the implied contract claim, an unjust enrichment claim cannot proceed where there exists an express contract. Lozada, 2018 WL 7080045, at *7. “While a plaintiff is permitted to plead unjust enrichment in the alternative to a breach of contract claim, unjust enrichment ‘is inapplicable where an express contract, oral or written, governs the parties' relationship.” (quoting Gagnon v. Schickel, 983 N.E.2d 1044, 1052 (Ill.App.Ct. 1st Dist. 2012)). ‘“[W]here there is a specific contract which governs the relationship of the parties, the doctrine of unjust enrichment has no application.'” Ramirez, 863 N.E.2d at 813-14. See also Dib v. Quincy Physicians & Surgeons Clinic, S.C., No. 21-1339, 2023 WL 4843997, at *3 (C.D. Ill. Apr. 19, 2023). “Because both parties have judicially admitted the existence of a written contract, plaintiff's proposed claims for breach of a contract implied in fact, quantum meruit, and unjust enrichment fail to state valid causes of action.”
Furthermore, “if an unjust enrichment claim rests on the same improper conduct alleged in another claim, then the unjust enrichment claim will be tied to this related claim-and, of course, unjust enrichment will stand or fall with the related claim.” See Loyola, 2024 WL 3338941, at *9 (quoting Cleary v. Philip Morris Inc., 656 F.3d 511, 517 (7th Cir. 2011) and citing Flores, 2023 WL 6333957 at *7. To the extent Plaintiff's unjust enrichment claim is tied to the implied contract claim or the ICFA claim which will also be dismissed, as discussed later, it must “fall” with these claims. “Because that is the same improper conduct alleged in their ICFA claim, the plaintiffs' unjust enrichment claim cannot stand.” Id. at *9 (citing Ramirez v. LexisNexis Risk Sols., __F.Supp.3d__, 2024 WL 1521448, at *8 (N.D. Ill. Apr. 8, 2024)). Defendant's motion to dismiss is GRANTED as to this claim.
Negligence and Negligence Per Se
“To state a claim for negligence in Illinois, a plaintiff must allege facts showing that (1) the defendant owed a duty of care to the plaintiff, (2) that the defendant breached that duty, and (3) that the breach was the proximate cause of the plaintiffs injuries.” Wittmeyer v. Heartland All. for Human Needs & Rights, No. 23-1108, 2024 WL 182211, at *2 (N.D. Ill. Jan. 17, 2024) (citing Flores, 2023 WL 6333957 at *4 in turn citing Cowper v. Nyberg, 28 N.E.3d 768, 772 (Ill. 2015)). “The first element-duty of care-may be derived from statute or common law.” Id. (internal citations omitted). In a negligence per se claim, a plaintiff must allege the violation of a particular statute. In this case, Plaintiff alleges per se violations of the Federal Trade Commission Act, 15 U.S.C. § 45(a) and HIPAA. (Doc. 13 at 32). Genesis responds that Plaintiff's negligence and negligence per se claims cannot proceed as Illinois does not recognize a common law duty to safeguard personal information, Plaintiff has not alleged compensable damages, and that the Genesis policies limit Plaintiff to a recovery under contract.
In support of the claim that Illinois does not recognize a data collector's common law duty to safeguard personal information, Genesis cites Cooney v. Chicago Public Schools, 943 N.E.2d 23 (Ill.App.Ct. 1st Dist. 2010). There, a third party employed by the defendant school district inadvertently disclosed employees' personal insurance information. The data collector school district timely sent notice of the breach as required under PIPA. However, Plaintiffs asserted that in addition to breach notification, PIPA placed an affirmative duty on the school district to safeguard the information. The court disagreed, noting that PIPA required only that the data collector give notice of the breach. The court found that neither PIPA nor common law negligence theories established in Illinois a duty to safeguard such personal information. Id. at 28-29.
The landscape changed in 2017 when PIPA was amended, and it now provides an affirmative duty to safeguard personal information. See Gallagher, 631 F.Supp.3d at 590 (discussing the PIPA amendment which “now requires data collectors to ‘implement and maintain reasonable security measures to protect' records from ‘unauthorized access, acquisition, destruction, use, modification, or disclosure.'” (quoting § 530/45(a)). While the Court has found that PIPA does not apply to preempt the contract claim, it is notable that the PIPA amendment has been interpreted as establishing “a data security duty under Illinois law.” Id. at 590 (finding support for a common law duty to protect personal information). See In re Mondelez Data Breach Litig., No. 23-3999, 2024 WL 2817489, at *4 (N.D. Ill. June 3, 2024) (determining that the PIPA amendment cut the ground from under Cooney, and “the Court is in no position to conclude that, as a matter of law, defendants had no duty to safeguard plaintiffs' personal information.”). See Flores, 2023 WL 6333957, at *5, where the Illinois Appellate Court affirmatively found a common law duty to safeguard private information. The Court hereby finds that Genesis had a common-law duty to protect Plaintiff's PII and PHI, establishing the first element of negligence.
Genesis further asserts that the negligence claims cannot proceed for lack of damages; that the unauthorized disclosures did not cause her injury, and that her recovery is limited to a contractual claim for actual economic loss. As to the former, the Court has already found that Plaintiff has adequately pled an injury in fact to confer standing. See Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (“To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if they have suffered an injury then damages are available.”). Furthermore, in Dieffenbach, the court found that plaintiffs who suffered the theft of their credit card data had alleged damages based, in part, on the time spent in “set[ting] things straight.” This was so, as “the value of one's own time . . . is a loss from an opportunity-cost perspective. These injuries can justify money damages, just as they support standing.” Here, while Plaintiff has not alleged that she needed to take any particular remedial action, she has alleged that her wrongfully disclosed PII has been used to subject her to unwanted targeted ads, impinging on the value of her time.
Genesis further claims Plaintiff is limited to damages for actual economic loss under a contract theory and thus may not pursue damages in the negligence and negligence per se claims. Genesis cites the Moorman Illinois economic loss doctrine, Moorman Manf. v. Nat'l Tank Co., 435 N.E.2d 443 (1997), which “generally bars tort liability ‘for purely economic losses ... where [the parties] have already ordered their duties, rights, and remedies by contract.” Mondelez, 2024 WL 2817489, at *5 (quoting Comty. Bank of Trenton v. Schnuck Mkts., 887 F.3d 803, 812-13 (7th Cir. 2018). “The rationale underlying this doctrine is that tort law affords the proper remedy for loss arising from personal injury or damages to one's property, whereas contract law and the Uniform Commercial Code provide the appropriate remedy for economic loss stemming from diminished commercial expectations without related injury to person or property.” In re Michaels Stores Pin Pad Litig., 830 F.Supp.2d 518, 528 (N.D. Ill. 2011) (citing In re Ill. Bell Switching Station Litig., 641 N.E.2d 440, 444 (1994)).
Plaintiff responds that damage to “property” such as personally identifiable information “is not a purely economic harm, but a personal injury.” (Doc. 17 at 18-19) (citing Krupa v. TIC Int'l Corp., No. 22-1951, 2023 WL 143140, at *5 (S.D. Ind. Jan. 10, 2023), and Gallagher, 631 F.Supp.3d at 587 (“emotional harms such as anxiety and increased concerns for the loss of privacy” are “non-economic damages [that] are recoverable under Illinois law” in the data breach context). However, Krupa was decided under an Indiana bailment theory to which the Indiana economic loss doctrine did not apply. Id. at *4 n.3 (“as generally understood, the economic loss doctrine has no application” to bailment). (citation omitted). While Gallagher allowed claims for express contract and negligence to proceed, there was no Moorman challenge there.
“To determine whether the Moorman doctrine bars tort claims, the key question is whether the defendant's duty arose by operation of contract or existed independent of the contract.” Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 567-68 (7th Cir. 2012) (citing Catalan v. GMAC Mortg. Corp., 629 F.3d 676, 693 (7th Cir. 2011)). A duty will be considered independent of contract in the following three exceptions: “(1) where a plaintiff sustains personal injury or property damage resulting from a sudden or dangerous occurrence; (2) where plaintiff's damages were proximately caused by defendant's intentional, false representation; and (3) where plaintiff's damages were proximately caused by the negligent misrepresentation of a defendant in the business of supplying information for the guidance of others in business transactions.” Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 761 (C.D. Ill. 2020) (citing Moorman, 435 N.E.2d at 450-52, and dismissing plaintiffs' negligence claims in a data breach case).
There might be an argument that Genesis's duty was extracontractual, evading the application of Moorman, but Plaintiff does not make it. Plaintiff does not discuss any of the Moorman exceptions and merely cites cases where the unauthorized disclosure of PII or PHI was found sufficient to sustain a claim for negligence damages. She does not identify any case that held that where there was an express contract between the parties, a claim for negligence damages would preclude the application of Moorman. Accordingly, Plaintiff's negligence and negligence per se claims are dismissed as the Moorman Doctrine precludes the recovery of tort damages, an essential element of a negligence claim. See In re Michaels Stores, 830 F.Supp.2d at 531 (finding that economic loss doctrine barred plaintiff's tort claim); Loyola, 2024 WL 3338941, at *7 n.5 (N.D. Ill. July 9, 2024) (finding Moorman did not apply as there was no express contract).
Invasion of Privacy - Intrusion upon Seclusion and Disclosure of Private Facts
Plaintiff alleges that Genesis committed the Illinois torts of intrusion upon seclusion and disclosure of private facts. Defendant denies that there was an intrusion and claims, that even if one occurred, the alleged intrusion was not highly offensive. (Doc. 15-1 at 21).
“To state a claim for intrusion upon seclusion, a plaintiff must allege: ‘(1) an unauthorized intrusion or prying into the plaintiff's seclusion; (2) an intrusion that is offensive or objectionable to a reasonable person; (3) the matter upon which the intrusion occurs is private; and (4) the intrusion causes anguish and suffering.' An actionable intrusion may arise from opening a person's mail, searching his or her wallet, or inspecting personal documents.” Rucker v. Moventas, Inc., No. 16-11169, 2017 WL 11717042, at *2 (N.D. Ill. Aug. 18, 2017) (internal citations omitted). Here, the third element is the most significant as the intrusion must be based on facts which are private, not merely personal. “Without private facts, the other three elements of the tort need not be reached.” Busse v. Motorola, Inc., 813 N.E.2d 1013, 1017 (Ill.App.Ct. 1st Dist. 2004). See id., finding that personal information such as names, addresses, telephone numbers, social security numbers, or dates of birth are not considered to be private facts. See Flores, 2023 WL 6333957, at *9 (“[t]he names, driver's license numbers, and social security numbers that plaintiffs have alleged were accessed due to the data breach are not private facts necessary to establish a claim for intrusion upon the seclusion of another.”).
Genesis asserts that Plaintiff has not actually pled an intrusion but, rather, an unauthorized disclosure. ‘“It is the intrusion itself that creates liability, not any subsequent publication or disclosure.'” Ramirez, 2024 WL 1521448, at *6 (N.D. Ill. Apr. 8, 2024) (quoting In re Trans Union Corp., Priv. Litig., 326 F.Supp.2d 893, 901 (N.D. Ill. 2004)). Genesis asserts that there cannot have been any “offensive prying” into Plaintiff's private information as she voluntarily provided it. This was similarly considered in Kowalski, 683 F.Supp.3d at 836, where a putative class of patients alleged that the Rush health system had embedded third-party source code on its website, surreptitiously transmitting their personally identifiable data to Facebook, Google, and Bidtellect. The court found there was no intrusion upon seclusion, as Rush was the intended recipient of the private personal information and it could not “plausibly be considered to have intruded on, intercepted, or “bugged” [the] private communications[.]”
In Hartley v. Univ. of Chi. Med. Ctr., No. 22-5891, 2023 WL 7386060, at *3 (N.D. Ill. Nov. 8, 2023), the court found there was no intrusion upon seclusion where the offensive conduct was “caused by the defendant's act of publication and not from the act of intrusion.” See also Kurowski, 683 F.Supp.3d at 848-49 (finding that the actual intrusion, the interception of patient communications, was “carried out by third parties.”). As a result, Rush's alleged liability was for unauthorized disclosure, not “offensive prying.” While Plaintiff disputes this, she does not cite any caselaw in support. Defendant's motion to dismiss is GRANTED as to this claim.
Plaintiff also alleges a privacy violation in Genesis's alleged disclosure of private facts, an issue recently examined in Nabozny v Optio Sol. LLC, 84 F.4th 731, 736 (7th Cir. 2023). There, the Seventh Circuit affirmed that a party commits this tort where the party ‘“gives publicity' to a matter that concerns the ‘private life of another,' is highly offensive to a reasonable person, and is not of legitimate public concern. Id. (citing RESTATEMENT (SECOND) OF TORTS § 652D (AM. LAW INST. 1977)). To give publicity “means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Id. (finding no publicity where a creditor wrote to a debtor's employer) (citing RESTATEMENT § 652D cmt. a.).
In Kowalski, the court explained that for publicity to occur, “the required communication must be more than that made to a small group; rather, the communication must be made to the public at large.” 683 F.Supp.3d at 849, (finding no publication of private facts in the absence of allegations that Facebook, Google, and/or Bidtellect, “turned around, and ‘communicat[ed] the matter to the public at large.'” Id. at 849-50 (quoting Roehrborn v. Lambert, 660 N.E.2d 180, 184 (1995)). Plaintiff tries to distinguish Kowalski, stating that there, plaintiff alleged that Rush had ‘“allowed' third parties to collect Private Information,” while she claims that Genesis installed the tracking technology. (Doc. 17 at 23). This is a distinction without a difference and does not change the fact that disclosures to Facebook and the other entities did not amount to a disclosure to the public at large. “Indeed, ‘having some finite number of people know (true) details about your life is fundamentally different than having that information disseminated to the general public.'” Nabozny, 84 F.4th at 736 (citing Hunstein v. Shields, 48 F.4th 1236, 1249) (7th Cir. 2022)). Defendant's motion to dismiss as to the privacy claims is GRANTED.
Breach of Fiduciary Duty
“To recover for a breach of fiduciary duty, Illinois law require[s] the plaintiff [ ] to establish the existence of a fiduciary duty, a breach of that duty, and damages proximately caused by the breach.” Doe v. Fertility Ctrs. of Ill., S.C., No. 21-579, 2022 WL 972295, at *5 (N.D. Ill. Mar. 31, 2022) (quoting Alonso v. Weiss, 932 F.3d 995, 1001 (7th Cir. 2019)). Genesis asserts that the existence of a duty is not to be presumed as “Illinois law only recognizes a fiduciary duty where the parties share a specific legal relationship (such as those between attorneys and their clients); or where one party places trust in another so that the latter gains superiority and influence over the former.” (Doc. 15-1 at 24). Genesis cites Landale Signs and Neon, Ltd. v. Runnion Equip. Co., No. 16-7619, 2016 WL 7409916, at *5 (N.D. Ill.Dec. 22, 2016), where the plaintiff alleged that defendant has carelessly allowed plaintiff's electronic payment to be intercepted by another. The court denied that there was a breach of fiduciary duty, finding it could not “justify a departure from the established Illinois rule that neither the exchange of confidential information nor the existence of a formal business relationship gives rise to fiduciary obligations.” Id.
Plaintiff counters that a fiduciary relationship existed as “Defendant is not just any public website receiving data in the course of its business; it is a health provider that facilitates treatment for patients through its website.” (Doc. 17-1 at 25). She cites orders from an Indiana state case and an Ohio Southern District case denying defendants' motions to dismiss a breach of fiduciary duty claim; In re Comty. Health Data Incident Litig. No. 49D01-2211-PL-041242, at *18 (Oct. 25, 2023) and Tucker v. Marietta Area Health Care, Inc., No. 22-221, 2023 WL 423504, at *18 (S.D. Ohio Jan. 26, 2023). None of these, however, were based on Illinois law and do not carry the weight of authority. See Cooney, 943 N.E.2d at 29 (finding no support for the claim that entrusting an entity with confidential information established a fiduciary duty). Plaintiff fails to support that any court in Illinois has found that a healthcare facility has a fiduciary duty in relation to patients' private information. Defendant's motion to dismiss the fiduciary duty claim is GRANTED.
ICFA Claim
The ICFA safeguards “consumers, borrowers, and business persons against fraud, unfair methods of competition, and other unfair and deceptive business practices.” Siegel v. Shell Oil Co., 612 F.3d 932, 934 (7th Cir. 2010) (internal citation and quotation marks omitted). “In order to state a claim under the ICFA, a plaintiff must show: ‘(1) a deceptive or unfair act or promise by the defendant; (2) the defendant's intent that the plaintiff rely on the deceptive or unfair practice; and (3) that the unfair or deceptive practice occurred during a course of conduct involving trade or commerce.'” Loyola, 2024 WL 3338941, at *8 (quoting Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 739 (7th Cir. 2014), in turn quoting Wigod, 673 F.3d at 574). The plaintiff must also “plausibly plead that the deceptive or unfair act caused her to suffer actual damages, meaning pecuniary loss.” Id. (quoting Benson, 944 F.3d at 647 (citing Kim v. Carter's Inc., 598 F.3d 362, 365 (7th Cir. 2010)). ‘“The failure to allege specific economic damages precludes a claim brought under the [ICFA].”' Id. (quoting Flores, 2023 WL 6333957, at *7).
Here, Plaintiff asserts that she has suffered damages in the “loss of privacy, unauthorized disclosure of and access to her Private Information to third parties, use of her Private Information for advertising purposes, embarrassment, humiliation, frustration, and emotional distress, diminution of the value of her Private Information, lost benefit of her bargain, and increased risk of future harm from further unauthorized use and disclosure of her information.” (Doc. 13 at ¶¶ 106, 181-82). While Plaintiff pleads the loss of privacy and emotional distress, these do not, as the ICFA requires, amount to economic or pecuniary loss. As an example, in Gallagher, 631 F.Supp.3d at 587-88, the court found the plaintiff had alleged ICFA economic injury where she pled that there were “fraudulent charges on her credit card which rendered her unable to purchase furniture;” and difficulty in making large credit card purchases “due to the prior fraudulent charges.” Plaintiff here does not claim that she has suffered such harm.
Plaintiffs claim of the lost benefit of the bargain, that she paid for medical services which included maintaining the privacy of her personal information and would not have paid had she known third parties would have access to the information, must also fail. “This type of ‘benefit of the bargain' theory of damages, however, has been repeatedly rejected for non-products liability claims such as this.” Loyola, 2024 WL 3338941, at * 8; see also Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016), (noting that benefit of the bargain theories “have been adopted by courts only where the product itself was defective or dangerous and consumers claim they would not have bought it (or paid a premium for it) had they known of the defect.'”) citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 696 (7th Cir. 2015). See also Kowalski, 683 F.Supp. at 846 (finding that the plaintiff could not claim to have overpaid to use Rush's “free web properties”) (emphasis in original).
The Kowalski court also found that damages of the type alleged here; embarrassment, humiliation, frustration, emotional distress, and diminution of the value of the private information, were “abstract, non-monetary injuries to her privacy” that could not provide a basis for ICFA actual damages. See id. quoting Khorloo v. John C. Heath Attorney at Law, No. 181778, 2020 WL 1530735, at *2 (N.D. Ill. Mar. 31, 2020) (‘“[T]he Court could not locate any Illinois case law suggesting that privacy violations ... provide a basis for actual damages under the ICFA. It seems unlikely that the statute allows plaintiffs to recover damages for privacy violations because the ICFA is concerned with fraudulent or unfair advertising, not with individual privacy rights.'”). See also Flores, 2023 WL 6333957, at *8 (“Flores's alleged injuries are her emotional distress due to her loss of privacy, her lost time dealing with the consequences of the data breach, the increase in spam messages she has received, and the imminent risk of fraud and identity theft. None of these are the specific economic damages required for a claim under the Consumer Fraud Act.” (citing Williams v. Manchester, 888 N.E.2d 1 (Ill. 2008), (‘“an increased risk of future harm is an element of damages that can be recovered for a present injury-it is not the injury itself” (emphasis in original)). Id. citing Morris v. Harvey Cycle and Camper, Inc., 911 N.E.2d 1049, 1053 (Ill.App.Ct. 1st Dist. 2009) for the proposition that “emotional damages are not specific economic injuries under the Consumer Fraud Act.” For these reasons, Defendant's motion to dismiss the ICFA claim is GRANTED.
CONCLUSION
The Court hereby GRANTS in part and DENIES in part Genesis's Motion to Dismiss. The Court DENIES the Rule 10 objection to Plaintiff proceeding pseudonymously; the 12(b)(1) challenge to standing; and the 12(b)(6) challenge to Plaintiff's Express Contract claims. The Court GRANTS the 12(b)(6) motion dismissing the Negligence, Negligence Per Se, Intrusion upon Seclusion, Disclosure of Private Facts, Breach of Implied Contract, Unjust Enrichment, Breach of Fiduciary Duty, and ICFA claims. Plaintiff will have 14 days in which to file a second amended complaint, should she wish.