Privacy law used to sound like something only compliance officers argued about in windowless conference rooms with bad coffee. Then hospital websites started behaving like overfriendly sales reps, quietly passing along information to advertising tools, and suddenly the Electronic Communications Privacy Act began showing up in healthcare litigation like an uninvited but very well-prepared guest. That is where Hartley v. University of Chicago Medical Center (UCMC) became a big deal.
The UCMC litigation matters because it helps explain how courts are thinking about website tracking, health data, and the old-but-still-dangerous federal wiretap statute known as the ECPA. The core issue is simple enough to say in one sentence and complicated enough to fuel years of litigation: when a hospital uses tools like Meta Pixel on a website or patient-facing portal, can that turn ordinary digital interactions into an unlawful interception or disclosure of protected health information?
In UCMC, the answer did not arrive in one dramatic thunderclap. It developed in stages. First, the plaintiff’s allegations were considered too vague. Then, after the complaint became more specific, the court allowed the ECPA theory to proceed. Later, the court narrowed some of the plaintiff’s broader allegations but still held that certain transmissions, especially those tied to a patient login and the revelation of patient status, could plausibly support liability. In other words, the case did not say every click is a lawsuit. It said some clicks may carry legal weight when they reveal more than a hospital thinks.
Why the UCMC Case Matters
The UCMC dispute sits inside a much larger wave of healthcare website litigation. After reporting in 2022 found Meta Pixel on dozens of prominent hospital websites and even on some password-protected patient portals, hospitals and health systems across the country found themselves facing claims based on alleged sharing of sensitive information with third-party advertising or analytics vendors. That reporting changed the conversation from “this is probably a technical settings problem” to “this may be a privacy landmine with federal claims attached.”
Healthcare providers had already been on notice that online tracking tools were risky. HHS issued guidance warning regulated entities that tracking technologies on authenticated pages can access protected health information, including IP addresses, appointment data, diagnosis information, treatment details, and billing information. The FTC also showed it was willing to act when health data was shared for advertising purposes, most notably in its action against GoodRx. So by the time UCMC moved through federal court, the larger legal and regulatory weather report already said: chance of lawsuits, 100%.
What the ECPA Actually Does
The Electronic Communications Privacy Act is best known as a federal law that prohibits the intentional interception of wire, oral, or electronic communications. In plain English, it is designed to stop unauthorized eavesdropping on communications while they are being made. That sounds like a telephone-era rule, but courts have had to adapt it to websites, pixels, session replay tools, chat widgets, and other modern tracking technologies.
There is an important twist, though. The statute contains what lawyers call the party exception. A party to a communication is generally allowed to intercept it. That means a hospital, as the intended recipient of a patient’s request or message, is usually not automatically liable just because it received the communication in the first place. If that were the end of the story, many website tracking cases would collapse immediately.
But the ECPA also contains a second twist: the party exception does not protect an interception if it is done for the purpose of committing a criminal or tortious act. That is where HIPAA enters the chat, wearing steel-toed boots. If a plaintiff plausibly alleges that a healthcare provider used a tracking tool to obtain and disclose individually identifiable health information in a way that violates HIPAA’s wrongful-disclosure provisions, the plaintiff may try to use that alleged HIPAA violation to satisfy the ECPA’s crime-or-tort exception.
This is precisely the legal bridge that made UCMC so significant. The plaintiff argued that UCMC’s use of Meta tools was not just ordinary website administration. She argued that it was part of a system designed to acquire and disclose health-related communications for commercial benefit. Once that theory became plausible enough, the ECPA claim got real legs.
From Weak Allegations to a Stronger Theory
Stage One: The 2023 Dismissal
In late 2023, the court dismissed the original ECPA claim without prejudice. The problem was not the overall concept. The problem was specificity. The court concluded there was not enough concrete information showing what had actually been disclosed about this particular plaintiff. General references to IP addresses, cookies, device identifiers, URLs, and pages clicked were not enough by themselves to show that UCMC had disclosed health information specific enough to plausibly violate HIPAA. The complaint, in the court’s view, lacked the factual detail needed to connect digital metadata to identifiable health information.
That first ruling is important because it shows that courts are not treating every hospital website cookie as a per se privacy apocalypse. Vague allegations about “tracking happened” do not always survive. Plaintiffs still need to show why the specific data at issue plausibly relates to a person’s health, care, treatment, or payment, and how it identifies or can reasonably identify the person.
Stage Two: The 2024 Revival
In April 2024, things changed. The plaintiff filed a more detailed complaint, and the court denied UCMC’s motion to dismiss the ECPA count. This time, the court held it was plausible that UCMC could have used Meta’s tools to acquire the information that was later disclosed to Meta for mutual financial benefit. That was a big deal because it addressed a defense hospitals often raise: “We legally got the information ourselves, so any later disclosure is different from interception.”
The court was not persuaded that the story ended there. It reasoned that if the only way the information was acquired and shared was through the Meta tools embedded by UCMC, then UCMC could plausibly be responsible not only for the disclosure, but also for the acquisition itself. That matters under the ECPA because the statute is about interception, not just disclosure. The plaintiff also added more personal and specific allegations, including claims that UCMC disclosed she was seeking specific medical specialists, researching prescriptions, and viewing information related to sexually transmitted diseases. Suddenly the complaint looked less like a general privacy rant and more like a map.
Stage Three: The 2025 Narrowing and Expansion
By October 2025, the court added even more nuance. On one hand, it narrowed the case. It rejected broad allegations that the plaintiff merely clicked or viewed webpages related to providers, conditions, and treatments, holding that those statements were still too vague. The court made clear that simply browsing a public website does not always amount to disclosure of individually identifiable health information.
On the other hand, the court also clarified why the case still survived. It held that each time the plaintiff logged into MyChart, the disclosure plausibly revealed her status as a patient and therefore related to the provision of healthcare to an individual. That point is subtle but powerful. A login event can seem harmless from a marketing perspective. In privacy litigation, however, a login to a patient portal may communicate a lot more than a hospital wants to admit. It may reveal that the person is not just browsing wellness content, but actually receiving care.
That is where the title of this article earns its keep: ECPA liability was expanded in UCMC not because the court declared every healthcare webpage legally radioactive, but because it accepted a broader and more realistic view of how digital actions can reveal patient status and healthcare relationships.
How UCMC Expands Potential Liability
1. Patient Status Can Be Inferred From Website Activity
The most important lesson from UCMC is that a digital interaction does not need to include a diagnosis in flashing neon letters to become sensitive. If a hospital website event reveals that a person logged into a patient portal, requested a test result, or interacted with a specific treatment-related pathway, a court may view that event as health-related information when combined with identifiers.
That is a meaningful expansion because many organizations have historically treated event-level tracking as harmless operational data. UCMC suggests that courts may look beyond the label on the dashboard and ask what the event actually communicates about the user.
2. The Party Exception Is Not a Silver Bullet
Hospitals often argue, with some logic, that they are a direct party to communications between patients and the hospital. UCMC shows that this defense may not end the case if the plaintiff plausibly alleges that the communication was intercepted for the purpose of committing a criminal or tortious act, such as wrongful disclosure under HIPAA. The court’s willingness to let that theory proceed gives plaintiffs a roadmap.
3. Commercial Benefit Makes the Story Worse
Courts pay attention to motive. When a complaint alleges that tracking tools were used for advertising, retargeting, analytics tied to commercial value, or other mutual financial benefits between the hospital and vendor, the privacy narrative becomes more dangerous. It stops looking like a technical accident and starts sounding like monetization by JavaScript.
4. Public Websites Are Not Always “Safe” Just Because They Are Public
UCMC also undercuts the comfortable idea that only authenticated portals are risky. While authenticated environments remain more obviously sensitive, public-facing pages can still generate legal exposure if a user’s interactions disclose healthcare-related information in an identifiable way. A public website is not a legal car wash. Data does not come out magically sanitized just because the page was not behind a login.
What UCMC Does Not Mean
To be fair, UCMC does not hand plaintiffs a universal victory badge. The case repeatedly shows limits. Vague allegations can fail. Generalized claims about pages viewed may not be enough. Courts still want factual detail. And later rulings in the case also show that defendants may have powerful contractual defenses, including class-action waivers and dispute-resolution terms.
That makes UCMC a plaintiff-friendly case, but not a limitless one. The better reading is that it expands risk where the facts are specific, the data is identifiable, and the alleged purpose of the tracking looks commercial rather than purely clinical or security-related.
What Healthcare Organizations Should Learn
First, privacy review can no longer be a side quest for the legal department. Marketing, IT, compliance, cybersecurity, procurement, and patient experience teams all need to know what trackers are installed, what data they collect, where the data goes, and whether there is a business associate agreement or another defensible legal basis for the disclosure.
Second, healthcare entities should stop thinking about trackers as single tools and start thinking about them as ecosystems. A pixel rarely acts alone. It may interact with cookies, APIs, forms, session data, conversion tools, tag managers, and identity resolution features. The real risk often lies in the combination, not the logo on the script.
Third, hospitals should inventory user journeys with special care around appointment scheduling, portal login, provider search, test result access, prescription information, payment workflows, and condition-specific content. The more a journey signals an active relationship with care, the more likely a court may see the data as individually identifiable health information.
Finally, UCMC shows that “we did not mean to share anything sensitive” is not a magical legal spell. Courts care about what the technology plausibly did and what information it communicated, not just about whether the organization had a friendly internal PowerPoint calling it “analytics optimization.”
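As an added illustration of the inventory step above (example code written for this article, not from UCMC or the court record), the following Python audit runs over a few constructed request records and flags third-party tracker beacons that fire on the patient journeys the article lists, such as a MyChart login or a provider search; the tracker host list, the site paths and the Meta Pixel-style parameter names are assumptions for the example.

```python
from urllib.parse import parse_qs, urlparse

# Assumed third-party advertising/analytics endpoints to flag.
TRACKER_HOSTS = {"www.facebook.com", "connect.facebook.net", "www.google-analytics.com"}
# Journey path prefixes the article says deserve special care (assumed site layout).
SENSITIVE_PATHS = {
    "/mychart/login": "portal login (reveals patient status)",
    "/mychart/results": "test result access",
    "/find-a-doctor": "provider search",
    "/prescriptions": "prescription information",
    "/billing/pay": "payment workflow",
}
# Beacon query keys carrying identifiers or page context (Meta Pixel-style names, assumed).
IDENTIFYING_KEYS = {"dl", "fbp", "fbc", "cd[content_name]", "ud[em]", "external_id"}

def classify(record):
    host = urlparse(record["request"]).netloc
    if host not in TRACKER_HOSTS:
        return []  # first-party request: nothing to flag
    findings = []
    page_path = urlparse(record["page"]).path.lower()
    for prefix, label in SENSITIVE_PATHS.items():
        if page_path.startswith(prefix):
            findings.append(f"tracker on {label}")
    if record["authenticated"]:
        findings.append("tracker fired in authenticated session")
    # Keys that let the vendor tie the event to a person or a health topic.
    leaked = sorted(k for k in parse_qs(urlparse(record["request"]).query) if k in IDENTIFYING_KEYS)
    if leaked:
        findings.append("identifier/context params: " + ",".join(leaked))
    return [f"{host}: {f}" for f in findings]

def audit(records):
    report = {}  # page URL -> list of findings, only for pages with findings
    for rec in records:
        findings = classify(rec)
        if findings:
            report[rec["page"]] = findings
    return report

SAMPLE = [  # constructed records, not captured traffic
    {"page": "https://hospital.example/mychart/login", "authenticated": True,
     "request": "https://www.facebook.com/tr/?id=PIXEL_ID&ev=PageView&dl=https%3A%2F%2Fhospital.example%2Fmychart%2Flogin&fbp=fb.1.123.456"},
    {"page": "https://hospital.example/find-a-doctor?specialty=infectious-disease", "authenticated": False,
     "request": "https://www.facebook.com/tr/?id=PIXEL_ID&ev=ViewContent&cd%5Bcontent_name%5D=infectious-disease"},
    {"page": "https://hospital.example/about-us", "authenticated": False,
     "request": "https://hospital.example/static/logo.png"},
]
```

`audit(SAMPLE)` flags the login and provider-search pages and ignores the first-party image request; the same records could come from a HAR export or a tag-manager log.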
Experiences From the Front Lines of Tracking-Tech Privacy Risk
If you want to understand why cases like UCMC resonate, it helps to think about how these disputes feel in the real world. For patients, the experience is often unsettling in a very modern way. A person logs into a portal, looks up a provider, checks results, or reads about a condition, and then later notices eerily relevant ads, unusual recommendations, or a sudden sense that something private has leaked into the commercial bloodstream of the internet. Even when the patient cannot prove exactly what happened, the experience feels like a betrayal. Healthcare is supposed to be the place where data is handled with the delicacy of a surgeon, not the enthusiasm of an ad exchange.
For in-house counsel, the experience is different but equally stressful. A complaint lands, the words “Meta Pixel” appear about four paragraphs in, and suddenly the team is trying to reconstruct years of website configuration decisions made by marketing vendors, web developers, and analytics consultants who have long since disappeared into the digital mist. Someone says, “I thought that tag was removed.” Someone else says, “It was only on public pages.” Then discovery starts, and the distinction between “public page” and “health-related page” becomes a lot less comforting.
For compliance officers, these cases are a reminder that privacy programs fail in ordinary ways before they fail in spectacular ways. Usually it is not one villain twirling a mustache and selling patient data by the pound. It is a stack of small assumptions. A vendor says the tool is industry standard. Marketing says the script is needed for campaign measurement. IT says the tag manager is already in place. Legal is consulted late, if at all. Everyone assumes someone else checked the settings. That is how “routine optimization” turns into federal litigation.
Marketing teams also learn a painful lesson: context matters more than intent. In retail, tracking a button click may be about selling sneakers. In healthcare, the same technical event may reveal a care relationship, a treatment path, or a search for a specialist. The code may be identical, but the legal meaning is not. That is one of the reasons UCMC matters so much. It treats digital context as legally meaningful. The same click on two different websites is not always the same click in the eyes of the law.
And then there is the practical experience of remediation. Once an organization starts reviewing its tracking environment, it often discovers more complexity than expected: duplicate tags, old pixels, vendor scripts layered through plugins, historical settings no one remembers approving, and data flows that are not fully documented. Fixing that mess is less like flipping a switch and more like cleaning out an attic where every box contains another smaller box labeled “miscellaneous.”
That is why UCMC is more than a headline-friendly case name. It captures a real operational truth. Digital health privacy risk is not only about statutes and motions to dismiss. It is about what happens when healthcare institutions borrow the internet’s advertising machinery and assume it will behave politely in a space where patients expect confidentiality. Courts are increasingly skeptical of that assumption, and honestly, they probably should be.
Conclusion
The UCMC litigation shows how ECPA claims in healthcare tracking cases have matured. Early complaints that relied on broad suspicions and generic metadata struggled. More detailed allegations tied to identifiable patient actions, commercial disclosure, and HIPAA-based theories have fared better. Most importantly, the later UCMC rulings show that digital events like patient-portal logins can plausibly reveal patient status and therefore support an ECPA claim even when the broader browsing allegations are too weak.
That is the real expansion. The case does not say hospitals can never use online tracking technologies. It says hospitals cannot assume that ordinary web analytics logic will protect them when those tools communicate something legally sensitive about a person’s healthcare relationship. In privacy law, context is king, details are everything, and one innocent-looking login button can suddenly become the most expensive button on the page.