By Allie Reed
View the original article on Bloomberg Law here.
-State supreme court nixed using wiretapping statute
-Plaintiffs marrying state, federal claims to salvage disputes
Massachusetts plaintiffs in more than a dozen lawsuits over hospital and health-care system website technology are pivoting to federal and state privacy laws to keep their cases alive after a state Supreme Judicial Court ruling cast doubt on their wiretap claims.
The state high court in a monumental October ruling declined to apply Massachusetts’ decades-old Wiretap Act to cover code that tracks a user’s interaction with a website, setting the state apart from other venues that have been more receptive to similar arguments.
Since Vita vs. New England Baptist Hospital , plaintiffs in other cases responded by amending existing complaints to include claims under the federal Electronic Communications Privacy Act. The suits, removed to federal court, accuse hospitals of illegally intercepting protected communications between their websites and users through tracking software, and allegedly selling that private medical information to third parties.
“It’s kind of unusual that these cases did not have federal claims in them, and that they focused only on Massachusetts,” said J. Eli Wade-Scott, global managing partner at Edelson PC, where he leads the plaintiffs’ firm’s class action group. “So it does make sense to me that they’re pivoting strategy.”
These arguments rely on the interaction between the ECPA and other privacy laws such as the Health Insurance Portability and Accountability Act and the Massachusetts Right to Privacy Act. The slew of lawsuits tests whether Massachusetts federal courts limit health-care systems’ ability to use such technology going forward.
The lawsuits, largely brought by the same law firm that lost at the Supreme Judicial Court, are among thousands of cases across the nation targeting software such as Alphabet Inc.‘s Google Analytics and Meta Platforms Inc.‘s Meta Pixel, which companies use to track user engagement and evaluate the performance of their websites. Many of those cases target health-care systems, which “ought to have a heightened obligation to disclose” that they’re going to use a patient’s information for other purposes, said Renée Landers, a professor who teaches health and privacy law at Suffolk University Law School in Boston.
“A person who goes on a hospital website and provides this information or researches questions is thinking that they’re dealing with an entity that should respect that information,” said Landers, former deputy general counsel of the US Department of Health and Human Services during the Clinton administration.
‘Hotly Contested’
Courts across the country have split on how to apply the ECPA—a 1980s statute limiting the interception of online communications—to the use of tracking software on hospitals’ sites. The First Circuit, which contains the Massachusetts federal district court, hasn’t yet extensively developed precedent on the question.
Their chances will “depend heavily on what tests the First Circuit adopts” to apply the ECPA, said Dustin Taylor, Denver-based partner at Husch Blackwell, who represents companies facing wiretapping claims.
Shapiro Haber & Urmy LLP, the firm behind most of the Massachusetts cases, didn’t respond to requests for comment on its strategy, which leans into a doorway the Vita decision cracked open.
The opinion said, “hospitals’ alleged conduct here raises serious concerns, and may indeed violate various other statutes and give rise to common-law causes of action more specifically directed at the improper handling of confidential information.” It also nodded to the ECPA, noting that law’s “broad definition of ‘electronic communication’” would appear to “cover many website browsing activities.”
Plaintiffs will likely point to that part of the decision, Taylor said, “because they’re going to say, ‘Look, the court actually distinguished the ECPA, because it said that that does cover this activity.’”
Danielle Kays, a Fisher & Phillips LLP partner who represents companies in privacy litigation, said plaintiffs are “pushing reasonable limits in testing these new theories,” to see if the state’s door remains open to such litigation. Plaintiffs still face an uphill battle pitting modern-day business practices against decades-old laws, she said, especially after failing the first time around.
Still, this approach taps into a “very hotly contested and evolving area of law” regarding when the ECPA’s crime tort exception makes the interception of communications unlawful, Taylor said.
While the ECPA generally requires only one party’s consent to make interception legal, that defense doesn’t apply if the communication is intercepted for “criminal or tortious” purposes in violation of US laws. Courts in other circuits have split on how to apply the exception—but have largely been receptive to complaints with robust allegations of harm.
“This is a bit of a stretch given that at the end of the day, what they’re alleging is a violation is just the running of a medical website,” said David Klein, a managing partner at Klein Moynihan Turco LLP who represents internet marketers. But, he said, the amended complaints may be more viable than the original wiretapping claims and “could lead to significant damage amounts.”
Philip Yannella, a partner at Blank Rome LLP who represents companies facing privacy litigation, said plaintiffs in other courts have generally been more successful alleging tracking technology is “running in private areas where there’s private communication with doctors” as opposed to alleging a public website is collecting patients’ scrolling activity.
Kays said companies can defend against allegations like these by determining whether there was any content that was intercepted. “A URL alone is not content,” she said. “There has to be substance or meaning to the conversation,” and “it has to be intentionally intercepted.”
There are also questions around whether tracking services such as Google Analytics and Meta Pixel are subject to HIPAA regulation, which applies both to “covered entities,” such as health-care providers, and “business associates” that access patient data to help them carry out health-care functions.
A Massachusetts state court judge on Jan. 15 instructed plaintiffs in nine cases to file amended complaints by Jan. 31.
They won’t be the last suits posing these questions. As the First Circuit works out its stance on the boundaries of the ECPA, “we will absolutely see more cases filed,” Taylor said.
To contact the reporters on this story: Allie Reed in Boston at areed@bloombergindustry.com; Cassandre Coyer in Washington at ccoyer@bloombergindustry.com
To contact the editors responsible for this story: Tonia Moore at tmoore@bloombergindustry.com; Adam M. Taylor at ataylor@bloombergindustry.com; Kartikay Mehrotra at kmehrotra@bloombergindustry.com
© 2025 Bloomberg Industry Group, Inc. All Rights Reserved
Photo by Philipp Katzenberger on Unsplash
