In a trio of recent website tracking decisions, the District of Massachusetts resolved motions to dismiss privacy claims related to third-party tracking technologies on healthcare websites: Progin v. UMass Memorial Health Care, Caine v. Sturdy Memorial Hospital, and Doe v. Baystate Health System. The court granted motions to dismiss in Progin and Caine but allowed claims to proceed in Baystate. These decisions underscore the ongoing evolution of wiretapping and data privacy litigation in the First Circuit.
Nearly Identical Federal Wiretapping Claims Asserted in Three Separate Cases
Each case arose from the alleged deployment of website tracking technologies that captured and transmitted user interactions with healthcare websites to third parties such as Meta and Google. Plaintiffs claimed that these technologies intercepted communications, including searches for medical conditions, provider selection, appointment scheduling, and patient portal activity, and disclosed that information without user consent.
All three cases centered on the applicability of the crime-tort exception of the federal wiretapping statute, the Electronic Communications Privacy Act (ECPA). That exception overcomes the defense that one party to the communication (the defendant) consented to interception but only when the “communication is intercepted for the purpose of committing any criminal or tortious act.” In 2025, in Goulart v. Cape Cod Healthcare, Inc., Judge Stearns held the crime-tort exception does not apply when website browsing data is collected for commercial purposes. That decision is currently on appeal before the First Circuit.
In Progin, Caine, and Baystate, the plaintiffs alleged that the communications in question were intercepted to commit tortious acts, namely to violate HIPAA (Progin), collect information without authorization and intrude on patient privacy (Caine) and deceive patients (Baystate). The Progin and Caine plaintiffs focused on website tracking tools on public webpages and patient portals, alleging the tools transmitted PII and health-related information to third-parties. The Baystate complaint included these allegations and emphasized that specific data from sensitive health-related interactions were transmitted despite express privacy commitments.
In all three cases, the pleadings required the Court to conduct a fact-specific analysis of allegations about the use of Meta Pixel, Google Analytics, and similar website tools and their alignment with the defendants’ privacy disclosures.
The Court’s Analysis: Progin and Caine Dismissed While Baystate Survives
All three decisions set forth a consistent formulation of the crime-tort exception: a commercial, lawful purpose for interception does not inoculate a defendant from liability; profitable aims may align with unlawful acts. The decisions were also consistent that plaintiffs need not demonstrate a specific intent to commit a crime or tort. In other words, if a defendant intends to commit an act, and the act is a crime or tort, that intent suffices to satisfy the crime-tort exception. Importantly, however, the criminal or tortious act must be purposeful, not merely knowing or negligent.
From here, the decisions diverged.
In Progin and Caine, both decided by Judge Burroughs, the court granted motions to dismiss based on plaintiffs’ failure to allege facts necessary for the crime-tort exception to apply. Although the allegations supported an inference that the defendants purposefully installed certain tracking tools or enabled the disclosure of certain categories of information to third-parties, that intent was not directly connected to the allegedly tortious act. The court observed, “it is not enough that a crime or tort may have been a side effect of the interception.” Because the complaints were devoid of alleged facts that the defendants purposefully configured or deployed the website tools to acquire information without consent or to intrude on patient privacy, the court dismissed both ECPA claims.
By contrast, Judge Kobick denied a motion to dismiss ECPA claims, finding the crime-tort exception applied. In Baystate, the plaintiff alleged not just an intent to deploy website tools that would intercept communications, but a specific intent to disclose medical information via those tools to third-parties without patient consent. To support the exception, the complaint included detailed, plaintiff-specific allegations regarding the types of information transmitted, including searches for particular medical conditions, appointment scheduling activity, and identifiers.
Judge Kobick further relied on allegations that the defendant’s privacy policies expressly limited disclosure of patient information absent consent or legal obligation. The complaint plausibly alleged the challenged tracking practices were inconsistent with those representations, supporting not only statutory claims but also common law theories such as breach of implied contract and fiduciary duty. This contractual and fiduciary overlay distinguished Baystate from Progin and Caine, where the pleadings did not anchor the alleged conduct to specific, enforceable privacy commitments.
The divergence between the decisions reflects, in part, a difference in emphasis. Judge Burroughs focused on the technical and statutory framework, requiring precise factual allegations connecting the operation of tracking tools to intentional unlawful conduct. Judge Kobick, while applying the same legal standards, credited detailed factual allegations concerning data transmission and website representations. The result signals that outcomes in website tracking cases will turn on the level of pleaded factual detail and how they are framed.
Looking Ahead
These decisions confirm that website tracking litigation remains highly fact-dependent at the pleading stage. Courts in the District of Massachusetts continue to scrutinize whether plaintiffs have plausibly alleged interception, contemporaneity, and lack of consent, and will dismiss claims that rely on generalized or conclusory allegations regarding tracking technologies. The Baystate decision demonstrates that detailed and technically specific allegations tying identifiable and intentional disclosures to contradicted privacy policies will have a stronger chance of surviving a motion to dismiss. With argument recently held in Goulart, the First Circuit may soon be weighing in and offering additional clarity on top of these recent rulings about when the ECPA and its crime-tort exception will apply to website tracking.
