Hello CIPAWorld! We have a new Electronic Communications Privacy Act (“ECPA”) case to break down for you from this week where plaintiffs allege that defendant Edward-Elmhurst Health (“EEH”) shared their personal medical information with Facebook without their consent—Stein, et al., v. Edward-Elmhurst Health, No. 23-CV-14515, 2026 WL 594752 (N.D. Ill. Mar. 3, 2026).
EEH is one of the larger health systems in Illinois, operating three hospitals in the state. The plaintiffs claimed that they shared their medical information with EEH using a web portal called MyChart. However, MyChart contains embedded software that automatically transmitted their information to Facebook. The plaintiffs alleged that EEH violated the Health Insurance Portability and Accountability Act (“HIPAA”) when they shared this personal information.
After the plaintiffs brought their complaint, EEH moved to dismiss, arguing that their actions had fallen under the ECPA’s one-party consent rule. The one-party consent exception excludes a party to the communication from liability unless the interception was undertaken for the purpose of committing a crime or tort. In turn, the plaintiffs invoked the “crime-tort exception,” arguing EEH had intercepted their communications for the purpose of sharing their personal information in violation of HIPAA. The District Court denied EEH’s motion to dismiss, and they sought reconsideration, or, as the court put it, “an early trip to the Seventh Circuit.”
The court noted that EEH’s motion for reconsideration “repeats arguments that it made before, and offers a few more cases.” Having noted this, the court looked again at the ECPA, specifically 18 U.S.C. § 2511. The statute makes it unlawful to intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication. The term “intercept” by the court’s interpretation of the ECPA means to acquire. Accordingly, the one-party consent exception allows any part to intercept their own communications, which would include communications made with a third party. The crime-tort exception to this rule is that a party cannot intercept their own communications with someone else if it is doing so for the purpose of committing a crime or tort. The court rejected EEH’s argument that the crime-tort exception required an unlawful purpose. EEH asserted that it sent information to Facebook for marketing purposes. This interpretation, by the court’s reasoning, would change the meaning of the statute. All that was required for the plaintiffs to be able to assert the crime-tort exception was the fact that EEH sent the plaintiff’s personal information to Facebook.
In the words of the court—”[t]here is a difference between a chef making a sloppy sandwich, and a sloppy chef making a sandwich.”
Having addressed EEH’s arguments and rejected them, the court certified the issue for an interlocutory appeal to the Seventh Circuit. The Seventh Circuit has not previously spoken on this issue. Additionally, court’s nationally are split on the issue of the crime-tort exception. Some have accepted EEH’s argument that their actions require a criminal or tortious purpose. Because of this split, the court resolved that there was value in an early resolution to the issue by the Court of Appeals.
We’ll continue to keep you updated in the event that there are fresh developments with EEH’s appeal. In the meantime, if you’d like to get some in-depth guidance on the latest developments and defense/compliance strategies in CIPAWorld, you’ll want to join Troutman Amin, LLP at the Law Conference of Champions IV in May.
CIPAWorld 