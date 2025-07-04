On June 25, 2025, the Southern District of New York denied Teladoc Health's motion to dismiss in a website privacy class action, allowing eight of 12 claims to proceed, including federal wiretapping and multiple state privacy violations. The decision reinforces growing judicial hostility toward healthcare entities using website tracking technologies without explicit patient consent.

The Allegations

Plaintiffs alleged Teladoc installed a tracking pixel and Conversions API on its telehealth platform, transmitting protected health information to third parties for advertising purposes. Patients subsequently received targeted medical advertisements based on their confidential health conditions.

Why the Defense Failed

Fatal Flaw

The court found Teladoc's use of tracking technology created an independent criminal purpose (HIPAA violations) that defeated traditional consent-based defenses under the Electronic Communications Privacy Act. Specifically, the court adopted the reasoning of Garnet Health, holding that plaintiffs sufficiently alleged that Teladoc intended to use their personal health information for marketing purposes, which is prohibited by HIPAA, and "[s]uch allegations are enough to invoke the criminal-tortious exemption to the one-party consent rule of the ECPA."

Other Significant Holdings

Teladoc functioned as a healthcare provider, not merely a "technology platform."

Privacy policy promises could be construed as material misrepresentations under state unfair trade practices statutes.

Medical conditions constitute "contents" of communications, not mere tracking data under the Florida Security Communications Act.

The HIPAA violation allegations supported multiple state law theories.

Claims That Survived

Federal : Electronic Communications Privacy Act

: Electronic Communications Privacy Act State privacy : New York Deceptive Practices, Florida Security of Communications Act, California Invasion of Privacy Act, California Confidentiality of Medical Information Act

: New York Deceptive Practices, Florida Security of Communications Act, California Invasion of Privacy Act, California Confidentiality of Medical Information Act Business torts: Breach of confidentiality, unfair competition, consumer protection violations

What Healthcare Industry Organizations Need to Do

Audit All Tracking Technologies

Review website analytics, marketing pixels and third-party integrations.

Revise Privacy Policies

Ensure explicit disclosure of all data sharing practices.

Implement HIPAA-Compliant Analytics

Consider healthcare-specific tracking alternatives.

Document Consent Processes

Establish clear, granular consent for any data sharing.

Broader Trend

The decision follows other recent decisions from courts willing to entertain privacy claims related to the use of tracking technologies without explicit patient consent.While these claims have survived early motions to dismiss, it is not clear whether they will ultimately succeed. Healthcare providers should closely review their privacy policies and consider how disclosures are made and the implications of using tracking technologies on their websites.

