The court held that the Wiretap Act's "crime-tort" exception applies because plaintiffs plausibly alleged Nourish violated HIPAA by intentionally configuring tracking pixels to collect and share appointment data.
The ruling also found that Illinois law imposes a common-law duty on data collectors to safeguard personal information, allowing a negligence claim to proceed despite the absence of a traditional data breach.
Plaintiffs Arissa Podraza, Susan Colby, and Jessica Keller sued Nourish, a telehealth company that connects patients with registered dietitians, under the Class Action Fairness Act.
They alleged that Nourish placed tracking technology on its website to record information entered on its appointment scheduling forms, including the date of the appointment, the name of the treating dietitian, and the state in which the dietitian was licensed.
The plaintiffs claimed they were unaware the information was being transmitted to Alphabet, Inc., and expected Nourish to keep their information private.
After scheduling appointments, the plaintiffs reported seeing targeted marketing related to nutrition, which they alleged resulted from Nourish transmitting their data for financial gain.
Nourish moved to dismiss for lack of personal jurisdiction and failure to state a claim. The court denied the jurisdictional challenge, finding Nourish purposefully availed itself of doing business in Illinois by targeting residents through its website.
On the merits, the court denied the motion to dismiss Count VII, the Electronic Communications Privacy Act claim. Nourish argued the Wiretap Act's one-party consent exception applied because it was a party to the communication.
However, the court held that the crime-tort exception applies if the interception is for the purpose of committing a criminal or tortious act. The court rejected Nourish's argument that the defendant must intend to commit a tort qua tort, holding instead that the statute requires only a purpose to commit an act that is criminal or tortious.
The court found plaintiffs plausibly alleged Nourish violated HIPAA by knowingly disclosing individually identifiable health information. Because HIPAA violations can trigger the crime-tort exception, the Wiretap Act claim survived.
The court also rejected Nourish's argument that plaintiffs consented to the disclosure via a browsewrap privacy policy. The court noted the policy was not affirmatively accepted and its terms were too vague to cover the specific health data disclosed.
Regarding Count IV, negligence, the court held that Illinois appellate courts have recognized a common-law duty to safeguard information following the 2017 amendment to the Illinois Personal Information Protection Act.
The court extended this duty to cover unauthorized disclosures to third parties, finding it foreseeable and consistent with Illinois law. The economic loss doctrine did not bar the claim because the alleged harms were non-pecuniary privacy injuries.
The court granted the motion to dismiss Count I, invasion of privacy, because plaintiffs failed to allege that the information was publicized to the public at large. Disclosure to Google alone did not constitute publicity.
Count III, breach of fiduciary duty, was dismissed because Illinois law limits fiduciary duties to those providing actual medical care, not websites that merely facilitate appointments.
Count V, breach of implied contract, was dismissed because plaintiffs failed to allege actionable economic damages, such as out-of-pocket losses, under Illinois contract law.
Count II, breach of confidence, was terminated because plaintiffs did not contest the motion to dismiss. Count VI, unjust enrichment, survived because it is tied to the surviving Wiretap Act claim.
Judge Iain D. Johnston ordered plaintiffs to file an amended complaint by May 4, 2026, or face dismissal with prejudice. Nourish must answer the remaining claims by May 20, 2026.