Jump To

Top Caption Trial Court Document

Support FLP

CourtListener is a project of Free
Law Project, a federally-recognized 501(c)(3) non-profit. Members help support our work and get special access to features.

Please become a member today.

Join Free.law Now

March 6, 2026 Get Citation Alerts Download PDF Add Note

Janice Progin, John Doe, and Lisa Colleton, individually and on behalf of others similarly situated v. UMASS MEMORIAL HEALTH CARE, INC., UMASS MEMORIAL COMMUNITY ENTITIES, INC., UMASS MEMORIAL MEDICAL CENTER, INC., UMASS MEMORIAL HEALTHALLIANCE-CLINTON HOSPITAL, INC., MARLBOROUGH HOSPITAL, and HARRINGTON MEMORIAL HOSPITAL, INC.

District Court, D. Massachusetts

• Citations: None known
• Docket Number: 4:25-cv-40003

• Precedential Status: Unknown Status

• Opinion

• Authorities (14)

• Cited By (0)

• Summaries (0)

• Similar Cases (1.2K)

• PDF

Trial Court Document

UNITED STATES DISTRICT COURT

DISTRICT OF MASSACHUSETTS

                           *                                         

JANICE PROGIN, JOHN DOE, and LISA *

COLLETON, individually and on behalf of *

others similarly situated, *

*

Plaintiffs, *

* Civil Action No. 25-cv-40003-ADB

v. *

*

*

UMASS MEMORIAL HEALTH CARE, *

INC., UMASS MEMORIAL *

COMMUNITY ENTITIES, INC., UMASS *

MEMORIAL MEDICAL CENTER, INC., *

UMASS MEMORIAL *

HEALTHALLIANCE-CLINTON *

HOSPITAL, INC., MARLBOROUGH *

HOSPITAL, and HARRINGTON *

MEMORIAL HOSPITAL, INC., *

*

Defendants. *

*

               MEMORANDUM AND ORDER                                  

BURROUGHS, D.J.

Plaintiffs Janice Progin, John Doe, and Lisa Colleton (together, “Plaintiffs”), individually 

and on behalf of all other citizens of the Commonwealth of Massachusetts similarly situated,
bring this putative class action against Defendants UMass Memorial Health Care, Inc.; UMass
Memorial Community Entities, Inc.; UMass Memorial Medical Center, Inc.; UMass Memorial
HealthAlliance-Clinton Hospital, Inc.; Marlborough Hospital; and Harrington Memorial
Hospital, Inc. (together, “Defendants”), in which they allege violations of the Electronic
Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510–2522, and the Massachusetts Right
to Privacy Act, Mass. Gen. Laws ch. 214, § 1B, as well as a breach of fiduciary duty and
confidentiality, breach of implied-in-fact contract, unjust enrichment, and negligence. [ECF No.
20 (“Am. Compl.”)]. Before the Court is Defendants’ motion to dismiss the operative
Consolidated Amended Class Action Complaint (“Amended Complaint”) pursuant to Federal
Rule of Civil Procedure 12(b)(6) for failure to state a claim. [ECF No. 26]; see also [ECF No. 27

(supporting memorandum)]. For the reasons stated below, Defendants’ motion is GRANTED.
I. BACKGROUND

The following relevant facts are taken from the Amended Complaint, the factual
allegations of which the Court assumes to be true when considering a motion to dismiss. Ruivo
v. Wells Fargo Bank, N.A., 766 F.3d 87, 90 (1st Cir. 2014). As it may on a motion to dismiss,
the Court has also considered “documents incorporated by reference in [the complaint], matters
of public record, and other matters susceptible to judicial notice.” Giragosian v. Ryan, 547 F.3d
59, 65 (1st Cir. 2008) (alteration in original) (quoting In re Colonial Mortg. Bankers Corp., 324
F.3d 12, 20 (1st Cir. 2003)).

   A.   Factual Background                                            
 Defendants, health care and hospital entities located in Massachusetts, operate public-

facing websites where users can research medical providers and treatments. [Am. Compl. ¶¶ 23–
25]. Patients can also log in to a password-protected portal to communicate with providers,
manage appointments, and access medical records. [Id. ¶¶ 26, 28, 31–32, 34]. Progin and
Colleton have been patients of Defendants for several years, [id. ¶¶ 28, 32], and Doe was a
patient for over ten, [id. ¶ 30]. All three Plaintiffs regularly used Defendants’ websites and the
patient portal, including numerous times in 2022. [Id. ¶¶ 28–33]. For example, Doe used one of
Defendants’ websites to research providers and treatment for his spinal injury in or around 2021

                            2                                         

and 2022, [id. ¶ 30], and used the patient portal to schedule appointments, pay bills, and review
visit summaries and physicians’ instructions, [id. ¶ 31].

Across their webpages and patient portal, Defendants installed tracking tools in the form
of “invisible” source code that allegedly funneled patients’ individually identifiable health
information, including that of Plaintiffs, to third parties without patients’ knowledge or consent.

[Am. Compl. ¶¶ 17–213]. These third parties include Facebook and Google, as well as Twitter,
New Relic, Acquia, and ShareThis.com. [Id. ¶ 181].

With respect to tracking tools, the allegations focus on Defendants’ use of Facebook’s
Meta Pixel, a snippet of code that tracks granular user interactions—such as each webpage a user
visits (including how far down the user scrolls and the content they view), each button the user
clicks (including buttons to search for doctors and log in to the patient portal), and text the user
inputs (including search box queries about specific medical conditions and treatments)—and
automatically discloses the resulting user interaction logs to Facebook. [Am. Compl. ¶¶ 39, 58–
61, 64–101, 111–81, 186–87, 190–92]. Plaintiffs similarly highlight Defendants’ use of the

Google Analytics pixel across their websites. [Id. ¶¶ 58–101, 181–85, 188–89]. In particular,
Defendants’ installation of the Google Analytics pixel within the patient portal resulted in the
disclosure of Plaintiffs’ patient status and their viewings of in-portal pages containing sensitive
data like test results and prescription information. [Id. ¶ 62].

In addition to specific patient communications, the Meta Pixel and Google Analytics
pixel tracked and disclosed unique personal identifiers via internet cookies, which are tiny text
files that record user data and can be collected by tracking pixels, [Am. Compl. ¶¶ 72–93
(describing Defendants’ use of cookies and the “cookie syncing” technique to accelerate
information sharing with Facebook, Google, and other third parties)], as well as Internet Protocol

                           3                                         

(“IP”) addresses, geolocation, and browser fingerprints. [Id. ¶¶ 63, 69–71, 94–101, 182]. The
upshot of Defendants’ use of tracking tools was that

every time that Defendants’ patients like Plaintiffs visited its website, Defendants
disclosed not only who those patients were, but also what medical treatments they
reviewed on the website, what doctors they reviewed on the website, what search
terms they typed into online forms, and whether they had logged into the
Defendants[’] patient portal.

[Id. ¶ 148].

Facebook and Google use the granular, individualized data they collect to power their
targeted online advertising businesses. See [Am. Compl. ¶¶ 102–24 (“Tracking information
about users’ habits and interests is a critical component of Facebook’s business model because it
is precisely this kind of information that allows Facebook to sell advertising to its customers. . . .
Facebook . . . compiles . . . browsing histories into personal profiles which are sold to advertisers
to generate profits.”)]; [id. ¶¶ 54, 73, 95, 198 (describing Google’s advertising business)]. And,
in turn, website owners like Defendants who install tracking tools receive advertising services
and analytic metrics providing insight into their websites’ functionality and users. [Id. ¶¶ 124–
27, 141, 144]. For example, “by sharing its patients’ Personal Health Information with
Facebook, Defendants gained the ability to utilize Facebook’s customized audiences and targeted
advertising features, which saved Defendants substantial revenues by making advertising far less
expensive than it would have been otherwise.” [Id. ¶ 371].

Google warns web developers that its tracking tools can send personally identifiable
information to Google, [Am. Compl. ¶ 53], and that “Google marketing products are not
appropriate for health-related webpages and websites,” [id. ¶ 184]. Facebook warns developers
that the Meta Pixel allows it “to match . . . website visitors to their respective Facebook User
accounts.” [Id. ¶ 128]. Further, privacy risks associated with the Meta Pixel are well known

                           4                                         

within the health care community, given the history of data breaches suffered by hospital
systems where their data, collected by the Meta Pixel, was stolen by cybercriminals. [Id. ¶ 112].

Yet Defendants “knowingly” funneled its patients’ individually identifiable health information to
Facebook via the Meta Pixel. [Id. ¶ 111]. In sum, “Defendants affirmatively made the decision
to . . . install[] source code . . . designed to secretly share patients’ Personal Health Information

with third parties,” [id. ¶ 190], “choosing . . . to benefit at those patients’ expense,” [id. ¶ 111].
B. Procedural History

Progin initially filed a complaint in Suffolk Superior Court on December 20, 2022. [ECF
No. 1 ¶ 2]. Defendants filed a notice of removal to the United States District Court on January
17, 2023. [ECF No. 1-5]. The case was remanded back to the state court on July 13, 2023.

[ECF No. 1-14]. On January 22, 2024, the parties jointly stipulated to stay all proceedings
pending appeals related to the interpretation of a Massachusetts statute. [ECF No. 1 ¶¶ 8–9].

On December 13, 2024, Progin filed an amended complaint which, as relevant here,
included a new ECPA claim against Defendants. [ECF No. 1-29 ¶¶ 163–83]. Defendants again

removed the case to federal court, this time based on federal question jurisdiction under 28
U.S.C. § 1441 (c). [ECF No. 1].

On May 2, 2025, pursuant to Federal Rule of Civil Procedure 42(a)(2), the parties filed a
joint motion to consolidate Progin’s case with Doe v. UMass Memorial Health Care, Inc., 25-cv-
40022, which involved common party defendants and also included an ECPA claim. [ECF No.
14]. This Court granted the consolidation, [ECF Nos. 16–17], and Plaintiffs filed the Amended
Complaint against Defendants on June 16, 2025, [ECF No. 20]. On July 16, 2025, Defendants
filed the instant motion to dismiss the Amended Complaint, [ECF No. 26], which Plaintiffs

                           5                                         

opposed on August 15, 2025, [ECF No. 34]. Defendants replied on September 5, 2025. [ECF
No. 42].

II. LEGAL STANDARD

On a motion to dismiss pursuant to Rule 12(b)(6), the Court must accept as true all well-
pleaded facts, analyze them in the light most favorable to the plaintiff, and draw all reasonable

inferences from those facts in favor of the plaintiff. United States ex rel. Hutcheson v.
Blackstone Med., Inc., 647 F.3d 377, 383 (1st Cir. 2011). In addition to “the facts alleged in the
complaint,” the Court may also consider “documents incorporated by reference therein and facts
susceptible to judicial notice.” MIT Fed. Credit Union v. Cordisco, 470 F. Supp. 3d 81, 84 (D.
Mass. 2020) (citing Haley v. City of Bos., 657 F.3d 39, 46 (1st Cir. 2011)). “[A] complaint must
provide ‘a short and plain statement of the claim showing that the pleader is entitled to relief,’”
Cardigan Mountain Sch. v. N.H. Ins. Co., 787 F.3d 82, 84 (1st Cir. 2015) (quoting Fed. R. Civ.
P. 8(a)(2)), and set forth “factual allegations, either direct or inferential, respecting each material
element necessary to sustain recovery under some actionable legal theory,” Pitta v. Medeiros, [90

F.4th 11, 17](https://www.courtlistener.com/opinion/9457435/pitta-v-medeiros/#17) (1st Cir. 2024) (quoting Gagliardi v. Sullivan, 513 F.3d 301, 305 (1st Cir. 2008)).

Although detailed factual allegations are not required, a complaint must set forth “more than
labels and conclusions,” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007), and
“[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory
statements, do not suffice,” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Rather, a complaint
“must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is
plausible on its face.’” Id. (quoting Twombly, 550 U.S. at 570). “[A]ssessing plausibility is ‘a
context-specific task that requires the reviewing court to draw on its judicial experience and

                             6                                         

common sense.’” Frith v. Whole Foods Mkt., Inc., 38 F.4th 263, 270 (1st Cir. 2022) (quoting
Rodríguez-Reyes v. Molina-Rodríguez, 711 F.3d 49, 53 (1st Cir. 2013)).

III. DISCUSSION

Count I of the Amended Complaint asserts a violation of the ECPA and provides the sole
basis for federal jurisdiction. [Am. Compl. ¶¶ 262–83].

  The key issue here is the applicability of the ECPA’s crime-tort exception.  The ECPA 

prohibits any person from intentionally intercepting, endeavoring to intercept, or procuring any
other person to intercept or endeavor to intercept any wire, oral, or electronic communication;
intentionally disclosing or endeavoring to disclose to any other person the contents of any
electronic communication, knowing or having reason to know that the information was obtained
through the interception of an electronic communication in violation of 18 U.S.C. § 2511 (1); or
intentionally using or endeavoring to use the contents of any electronic communication, knowing
or having reason to know that the information was obtained through the interception of an
electronic communication in violation of 18 U.S.C. § 2511 (1). 18 U.S.C. § 2511 (1)(a), (c)–(d).

Generally, a party can avoid liability under the ECPA if they are “a party to the communication”
that they intercept or if “one of the parties to the communication has given prior consent to such
interception.” Id. § 2511(2)(d). That said, these defenses are not available if, under what is
known as the crime-tort exception, the “communication is intercepted for the purpose of
committing any criminal or tortious act in violation of the Constitution or laws of the United
States or of any State.” Id. Here, Plaintiffs argue that Defendants are liable under the crime-tort
exception “because they intercepted and then disclosed Plaintiffs’ communications and personal
information to third parties without consent and for criminal and tortious purposes.” [Am.
Compl. ¶ 273]. Plaintiffs allege that these “criminal and tortious acts” include, among other acts,

                             7                                         

Defendants’ violation of the Health Insurance Portability and Accountability Act (“HIPAA”), 42
U.S.C. § 1320d-6; invasion of privacy in violation of Mass. Gen. Laws ch. 214, § 1B; breach of
confidentiality of medical records in violation of Mass. Gen. Laws ch. 111, § 70E; and breach of
the common law duty of confidentiality. [Am. Compl. ¶ 274]. Defendants counter that the
crime-tort exception is inapplicable because they did not install tracking tools “for the distinct

purpose of violating HIPAA or perpetrating a tort.” [ECF No. 42 at 9].

Relying on the text of § 2511(2)(d), specifically the phrase “for the purpose of
committing any criminal or tortious act,” Defendants contend that Plaintiffs must allege that
Defendants had the specific intent to commit a crime or tort, or to “harm or injure Plaintiffs or
any other user of its website.” See [ECF No. 27 at 17–18]; cf. In re DoubleClick Inc. Priv. Litig., 154 F. Supp. 2d 497, 518–19 (S.D.N.Y. 2001) (finding § 2511(2)(d) inapplicable when the
defendant’s “purpose [was] plainly not . . . to perpetuate torts on . . . Internet users” and when the
allegations did not “articulate . . . [the defendant’s] . . . ‘insidious’ intent to harm plaintiffs or
others”). This Court disagrees. Rather, “[t]he purpose must be to commit an act, and that act

must be criminal or tortious. If the purpose is to do X, and if X is a crime or a tort, then the
crime-tort exception . . . applies. A desire to commit a crime qua crime, or a tort qua tort, isn’t
necessary.” Stein v. Edward-Elmhurst Health, No. 23-cv-14515, 2025 WL 580556, at *6 (N.D.
Ill. Feb. 21, 2025); see also Doe v. Lawrence Gen. Hosp., No. 25-cv-10081, 2025 WL 2808055,
at *20 (D. Mass. Aug. 29, 2025), report and recommendation accepted in relevant part, No. 25-
cv-10081, 2025 WL 2807673 (D. Mass. Sept. 30, 2025) (“The statute does not, by its terms,

                           8                                         

require proof of intent to ‘harm.’”).1 Therefore, given what Plaintiffs allege Defendants’ specific
“criminal and tortious acts” to be, see discussion supra pp. 7–8; [Am. Compl. ¶¶ 274–79],2 to
satisfy § 2511(2)(d), Plaintiffs must plausibly allege that Defendants purposefully used or caused
to be used Plaintiffs’ unique health identifiers, such as cookie identifiers, without authorization;
purposefully disclosed Plaintiffs’ individually identifiable health information to Facebook and

Google without authorization; or purposefully invaded Plaintiffs’ privacy or “breach[ed] the
confidentiality of their private communications and medical information,” [id. ¶ 281]. It is not
enough to allege that Defendants knowingly committed such acts, because that omits the
requirement that the acts be done for criminal and tortious purposes as required by the language
of the statute. In other words, “‘purpose’ is an essential element of ECPA, distinct from the
minimal intent [of knowingness] required under HIPAA, and the [c]omplaint must therefore
plead sufficient facts to satisfy this heightened intent requirement under ECPA.” Doe, 2025 WL
2808055, at *12.

The Amended Complaint falls short of the required showing. Although the allegations

may support the inference that Defendants purposefully committed certain acts, such as the

1 Further, as this Court has stated previously, “[t]he existence of a financial motivation (on the
one hand) and a criminal or tortious motivation (on the other hand) are not mutually exclusive.
After all, lots of crimes and torts are moneymakers.” McManus v. Tufts Med. Ctr., Inc., No. 25-
cv-10008, 2025 WL 2778025, at *3 n.1 (D. Mass. Sept. 29, 2025) (quoting Stein, 2025 WL
580556, at *6). Defendants’ business-related motives, which are emphasized in the Amended
Complaint, do not negate the purpose requirement.

2 The Amended Complaint specifies that HIPAA makes it “a criminal violation for a person to
‘use[] or cause[] to be used a unique health identifier’ or to ‘disclose[] individually identifiable
health information to another person . . . without authorization’ from the patient,” [Am. Compl. ¶
275 (quoting 42 U.S.C. § 1320d-6)], and that “Defendants’ conduct violated 42 U.S.C. § 1320d-
6 in that it . . . [u]sed and caused to be used cookie identifiers associated with specific patients
without patient authorization; and . . . [d]isclosed individually identifiable health information to
Facebook and Google without patient authorization,” [id. ¶ 277].

                           9                                         

installation of the at-issue tracking tools or even the disclosure of certain forms of information to
Facebook and Google, they do not support the inference that Defendants purposefully committed
the “criminal and tortious acts” specified by Plaintiffs.3 “It is not enough that a crime or tort
[may have been] a . . . side-effect of the interception.” Doe, 2025 WL 2808055, at *11. Because
the Amended Complaint fails to assert that Defendants intercepted communications “for the

purpose of committing [a] criminal or tortious act,” 18 U.S.C. § 2511 (2)(d), the ECPA claim
must fail. Accordingly, Count I is DISMISSED.4

The Court declines to exercise supplemental jurisdiction over the remaining claims, all of
which arise under state law. See 28 U.S.C. § 1367 (c) (stating that “district courts may decline to
exercise supplemental jurisdiction” when “the district court has dismissed all claims over which
it has original jurisdiction”); United Mine Workers of Am. v. Gibbs, 383 U.S. 715, 726 (1966)
(“It has consistently been recognized that pendent jurisdiction is a doctrine of discretion, not of
plaintiff’s right. . . . Needless decisions of state law should be avoided both as a matter of comity
and to promote justice between the parties, by procuring for them a surer-footed reading of

applicable law. Certainly, if the federal claims are dismissed before trial . . . the state claims
should be dismissed as well.”).

3 More specifically, the facts related to individually identifiable health information are
insufficient to support the conclusion that Defendants purposefully “accessed, obtained, and
disclosed” such information because they knew they had to in order to receive marketing
benefits. Cf. [Am. Compl. ¶ 278]. Nor do the facts support the inference that Defendants
purposefully invaded Plaintiffs’ privacy.

4 The Court does not reach Defendants’ argument that “the intended criminal or tortious purpose
must be ‘independent’ of the intentional act of recording or interception,” [ECF No. 27 at 17
(citing Goulart v. Cape Cod Healthcare, Inc., No. 25-cv-10445, 2025 WL 1745732, at *3 (D.
Mass. June 24, 2025))], but notes that the act of disclosure might be construed as independent
from the act of interception, even if the acts occur simultaneously.

                          10                                         

IV. CONCLUSION

For the reasons stated above, Defendants’ motion to dismiss the Amended Complaint is
GRANTED without prejudice and with leave to amend within 21 days.

SO ORDERED.

March 6, 2026 /s/ Allison D. Burroughs

ALLISON D. BURROUGHS

U.S. DISTRICT JUDGE

                            11