U.S. Court in Washington Won’t Nix Action Against Microsoft, Qualtrics over Health Care Data Collection
- January 12, 2024
The U.S. District Court for the Western District of Washington refused December 19, 2023 to dismiss a proposed class action against Microsoft Corporation and Qualtrics International Inc. alleging they improperly acquired confidential health information through proprietary computer code installed on Kaiser Permanente’s website.
The court said the unnamed plaintiff, a California resident who is a ten-year member of Kaiser, could proceed with some privacy, unjust enrichment, and other claims against the two tech companies.
Plaintiff alleged that Microsoft and Qualtrics, through software development kits (SDKs) installed on Kaiser’s website, “repeatedly and systematically” extracted private health care and other information from Kaiser members without their knowledge when they used the website. According to plaintiff, the information collected included Kaiser members’ “medical conditions, immunizations, prescriptions, physician information, and other private data, including healthcare search terms, videos watched, and links accessed.”
As a threshold matter, the court found plaintiff sufficiently alleged standing and denied defendants’ challenge to the general adequacy of the complaint under Fed. R. Civ. P. 8. Plaintiff alleged she was a Kaiser member for ten years and used its website throughout that time. Plaintiff also alleged while logged into her account, she used the search function, accessed her medical records, made appointments, and reviewed other information that defendants unlawfully intercepted and collected along with her personal identifiers. These allegations were sufficient to avoid dismissal under Rule 8, the court said.
The court also rejected the argument that members’ agreement to accept Kaiser’s terms and conditions and privacy statement when logging into the website amounted to consent for the data collection at issue.
The court pointed out that plaintiff’s claims did not depend on Kaiser users being logged into their accounts. The court also was skeptical that a reasonable user who viewed Kaiser’s policies would have understood that protected health information was being collected by third parties.
The court agreed to dismiss plaintiff’s claim for violating the California Invasion of Privacy Act’s (CIPA) wiretap provision, Section 631(a), against both defendants to the extent it was based on intentional wiretapping. The court also dismissed the CIPA claim under the recording provision, Section 632, against Microsoft because software is not a “device” under the statute. This claim against Qualtrics could go forward, however, because plaintiff alleged it used software and “receiving servers”—which did constitute a “device” under the CIPA. The court said plaintiff could move forward with her remaining CIPA claims against the companies.
The court also refused to dismiss plaintiff’s intrusion upon seclusion claim under California common law and for invasion of privacy under the California Constitution, finding the complaint sufficiently pleaded a “reasonable expectation of privacy” and “highly offensive” elements needed to state the claims.
Plaintiff also could move forward with her unjust enrichment claim that defendants intercepted and collected her private data without consent and benefited from advertising revenue they received from targeted advertising using that data.
In addition, the court found plaintiff sufficiently alleged an injury in fact and a loss of money or property under California’s Unfair Competition Law to avoid dismissal of that claim as well.
The court did dismiss plaintiff’s U.S. Computer Fraud and Abuse Act claim and statutory larceny and conversion claims under California law.
The court also dismissed, without prejudice and with leave to amend, plaintiff’s request for punitive damages against Microsoft because the complaint did not allege facts showing the company was guilty of “oppression, fraud, or malice,” or “evil motive against her” as required under California law.
Doe v. Microsoft Corp., No. C23-0718-JCC (W.D. Wash. Dec. 19, 2023).