Duane Morris Takeaways: On September 22, 2025, in Sweat v. Houston Methodist Hospital, No. 24-CV-00775, 2025 U.S. Dist. LEXIS 185310 (S.D. Tex. Sept. 22, 2025), Judge Lee H. Rosenthal of the U.S. District Court for the Southern District of Texas granted a motion for summary judgment in favor of a hospital accused of violating the federal Wiretap Act through its use of website advertising technology. This decision is significant. In the wave of adtech class actions seeking millions – sometimes billions – in statutory damages under the Wiretap Act and similar statutes, the Court held that the Act's steep penalties (up to $10,000 per violation) were not triggered because the hospital did not knowingly transmit protected health information.
Background
This case is part of a rapidly growing line of class actions alleging that website advertising tools – such as the Meta Pixel, Google Analytics, and other similar website advertising technology, or "adtech," –secretly capture users' web-browsing activity and share it with third-party advertising platforms.
Adtech is ubiquitous, embedded on millions of websites. Plaintiffs' lawyers frequently invoke the federal Wiretap Act, the Video Privacy Protection Act (VPPA), state invasion-of-privacy statutes like the California Invasion of Privacy Act (CIPA), and even the Illinois Genetic Information Privacy Act (GIPA). Their theory is straightforward: multiply hundreds of thousands of website visitors by $10,000 per alleged Wiretap Act violation and the potential damages skyrocket. While some of these class actions have resulted in multi-million-dollar settlements, others have been dismissed (as we blogged about here), and the vast majority remain pending. With some district courts allowing adtech class actions to survive motions to dismiss (as we blogged about here), the plaintiffs' bar continues to file adtech class actions at an aggressive pace.
In Sweat, the plaintiffs sued a hospital, seeking to represent a class of patients whose personal health information was allegedly disclosed by the Meta Pixel installed on the hospital's website. The district court granted the hospital's motion to dismiss the state law invasion of privacy claim but allowed the Wiretap Act claim to proceed to discovery. The hospital then moved for summary judgment, arguing that the Wiretap Act's crime-tort exception did not apply because the hospital lacked knowledge that it was disclosing protected health information.
Under the Wiretap Act, "party to the communication" cannot be sued unless it intercepted the communication "for the purpose of committing any criminal or tortious act." 18 U.S.C. § 2511(2)(d). This provision is commonly called the "crime-tort exception." The plaintiffs pointed to alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) as the predicate crime to trigger this exception.
The Court's Decision
The Court agreed with the hospital and granted summary judgment, holding that the record contained no evidence that the hospital acted with the "purpose of committing any criminal or tortious act" that would trigger the crime-tort exception. 2025 U.S. Dist. LEXIS 185310, at *13.
As the Court explained, case law authorities have developed two different approaches to determine "purpose" under the crime-tort exception. Some courts use the "independent act" approach, under which the unlawful act must be independent of the interception itself. Other courts have used the "primary purpose" approach, under which the defendant's primary motivation must be to commit a crime or tort.
Applying the "primary purpose" approach, the Court found "no evidence that [the hospital] acted with the purpose of violating HIPAA...the evidence shows that it did not know it was doing so." Id. at *13. In so holding, the Court cited to the fact that, although the Pixel was installed on "arguably sensitive portions" of the hospital's website, the hospital received only aggregated, anonymized data, and there was no proof it knew any protected health information was being disclosed. Id. at *13-14. The Court rejected the plaintiffs' argument that anonymized aggregate data necessarily originates from identifiable data, emphasizing that Meta's algorithm could anonymize data "at the input level," preventing the hospital from receiving identifiable data in the first place. Id. at *16.
Implications For Companies
The Court's holding in Sweat is a significant win for healthcare providers and other defendants facing adtech class actions. This ruling reinforces two key principles. First, knowledge is critical. Like the Wiretap Act's HIPAA-based crime-tort exception, similar statutes such as the VPPA require a knowing disclosure of identifiable information. If a defendant lacks knowledge that data is tied to specific individuals, liability should not attach. Second, anonymization matters. Where transmissions are encrypted, anonymized, or otherwise inaccessible at the point of input, there may be no "disclosure" at all.
For example, the VPPA requires disclosure of a person's specific video-viewing activity, and GIPA requires disclosure of an identified individual's genetic information. When adtech merely sends anonymized or encrypted data to third-party algorithms—data that cannot be traced back to a specific person—there is no knowing disclosure.
Sweat provides strong authority for defendants to argue that anonymized adtech transmissions cannot satisfy the statutory knowledge requirements of the Wiretap Act's HIPAA-based crime-tort exception or similarly worded privacy statutes.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
