HIPAA and AdTech class actions

Martin Meritt, Esq.

On Sept. 22, in Sweat v. Houston Methodist Hospital, No. 24-CV-00775, 2025 U.S. Dist. LEXIS 185310 (S.D. Tex. Sept. 22, 2025) Texas Federal Court Judge Lee H. Rosenthal in the Southern District granted summary judgment in favor of a hospital which had been sued for money damages for violating the federal Wiretap Act 18 U.S.C. § 2511 because the hospital had used advertising technology (“AdTech”) to collect data from its website.

Let’s unpack this to discover what’s going on here.Businesses, including hospitals and medical practice groups have been using Meta Pixel, Google Analytics, and other similar website advertising technology to secretly capture users’ web-browsing activity and share it with third-party advertising platforms.

Plaintiffs’ lawyers have realized that HIPAA does not create a private cause of action, meaning the patient whose data has been shared, cannot sue for money damages for the breach. The remedy is said to be “public” – meaning the government gets all the money from fines, not the victim’s lawyers.

This irritates plaintiffs’ class action lawyers. As a workaround, these lawyers have been attempting to use the federal Wiretap Act, state invasion of privacy laws and other types of laws in an attempt to create a private cause of action with a big payday at the end.

The federal Wiretap Act, for example, creates steep statutory damages up to $10,000 per violation, which has resulted in millions of dollars in settlements. I would suspect that a large chunk of this money goes to the plaintiffs’ law firm, if these follow the pattern of other class action notices you may have received, where each victim may receive a check worth a gallon of fuel at the local convenience store.

But many courts, including the Southern District of Texas, have dismissed these cases on the grounds that under the federal Wiretap Act a “party to the communication” cannot be sued successfully unless the party intercepted to communication for the purpose of committing a “crime or tort” under 18 U.S.C. § 2511(2)(d). The alleged “crime” being the violation of HIPAA.

On this point, Judge Rosenthal disagreed with the plaintiffs in Sweat v. Houston Methodist Hospital. Although the hospital might have possibly accidentally violated HIPAA, the “primary purpose” of the interception was not to violate HIPAA.

While “intent” is usually a question for the jury, it helps that the hospital only received aggregated, anonymized data from Meta or Google. Simply put, if the hospital or other healthcare defendant lacks knowledge that data is tied to specific individuals, liability should not attach.

Meanwhile, practices should be very careful about how data is collected and used. Many states have privacy laws and state versions of HIPAA that can be more restrictive than the federal versions. Texas for example, has Health & Safety Code 181.001 et seq.

If you have any questions, you should always consult and attorney for legal advice before you decide upon a particular course of action.

Martin Merritt is a health lawyer and health care litigator at Martin Merritt PLLC, as well as past president of the Texas Health Lawyers Association and past chairman of the Dallas Bar Association Health Law Section. He can be reached at Martin@martinmerritt.com.