September 9, 2020

Illinois federal court dismisses putative privacy class action challenging data sharing partnership between the University of Chicago Medical Center and Google

On September 4, 2020, the US District Court for the Northern District of Illinois dismissed a putative class action complaint challenging a data sharing partnership between and among the University of Chicago Medical Center, the University, and Google, LLC.  The plaintiff, a Medical Center patient, claimed that the University of Chicago’s partnership, which involved disclosure of certain “de-identified” medical records to Google for the purpose of developing software to help predict future medical events, breached two outpatient agreements that the University provided to the plaintiff during his stays at the hospital that required (1) “any use of [the plaintiff’s] medical information will be in compliance with federal and state laws” and (2) the University to “[m]aintain the privacy and security” of the plaintiff’s medical information. 

According to the plaintiff, the University’s disclosure of “de-identified” information—including “dates of service” as well as “free-text medical notes”—constituted a prima facie violation of HIPAA because the University either did not make an expert determination that the risk of re-identifying the data was very small, or, if such a determination was made, it was incorrect.  Thus, the plaintiff claimed that the University breached its obligations under the relevant agreements.  The plaintiff also brought claims under the Illinois Consumer Fraud and Deceptive Business Practices Act (the “ICFA”), as well as claims for tortious interference with contract (against Google), intrusion upon seclusion, and unjust enrichment.     

The court first dismissed the plaintiff’s ICFA claim on standing grounds because he did not demonstrate that he suffered any actual economic harm. The court then considered whether the plaintiff’s remaining claims were viable as pled. First, the court considered whether the alleged HIPAA violations could give rise to a breach of contract at all, given that the statute does not provide for a private right of action. The court answered in the affirmative, ultimately holding that HIPAA did not preempt the plaintiff’s state law claims, and concluding that the plaintiff had plausibly alleged that the University breached its contractual promises when it exchanged protected health information for the license to use certain Google software. However, the court held that the plaintiff had not adequately pleaded that the University’s breach of contract caused him any economic damages, and so dismissed his breach of contract claims on this ground.

The court then dismissed the tortious interference claim because the plaintiff did not sufficiently plead that Google engaged in intentional conduct. It also dismissed the intrusion claim, reasoning that the University and Google sharing information was not comparable to “offensive prying” like “invading someone’s home” or “eavesdropping by wiretapping.” Finally, the court dismissed the unjust enrichment claim on the grounds that it is not a separate cause of action under Illinois law.

Memorandum opinion and order