A Maryland appellate court has affirmed the dismissal of a proposed class action against MedStar Health, ruling that the patient data allegedly shared with Facebook and Google does not qualify as protected “contents” under Maryland’s wiretap statute. The decision is careful, technically sound, and entirely unsatisfying if you believe that when a hospital promises to protect your information, it should actually mean something.
The plaintiff was a MedStar patient who used the myMedStar patient portal to view lab results, radiology images, COVID testing outcomes, and prescription information. He alleged that MedStar embedded tracking code on its patient portal and public website that collected IP addresses, cookie values, device attributes, URLs, and login activity and transmitted that data to Facebook and Google without patient consent. He argued this violated the Maryland Electronic Surveillance Act, the state’s version of the federal wiretap law.
The theory was straightforward. MedStar promised patients privacy. MedStar then allegedly bugged its own website with tracking software that leaked patient activity to third parties. If that is not an interception of electronic communications, what is?
Five years ago, this lawsuit would have seemed like a long shot. Today, it still is. But not for the reasons you might expect.
The Ruling
The three-judge panel, led by Judge Melanie Shaw, who wrote the opinion, ruled that the type of data allegedly shared does not constitute the “contents” of a communication under the statute. The court explained that IP addresses, cookie values, device attributes, and URLs are not the substance, purport, or meaning of a message. They are metadata. Technical byproducts of the request-response cycle that computers use to talk to each other. Routine. Automatic. And, according to the court, not protected.
The panel leaned heavily on federal precedent, which is pretty unambiguous, and particularly on the Ninth Circuit’s decision in In re Zynga Privacy Litigation, which held that similar data disclosures did not violate the Electronic Communications Privacy Act. The Zynga court drew a line between the content of what someone communicates and the record information generated by internet activity. Referer headers, user IDs, webpage addresses. None of that, the Ninth Circuit said, is the message. It is just the metadata that makes the message possible.
The Maryland court adopted that reasoning hook, line, and sinker. Cookie values are strings of data that identify a browser, not a person. IP addresses identify an access point to the internet, not a human being. URLs, even detailed ones, reflect activity rather than substance. Navigating through a website’s multiple pages, the court wrote, quoting a Pennsylvania case, is not the substance of a communication. It is an action taken to go to a digital location.
Plaintiff’s Argument
The plaintiff tried to argue that the URLs transmitted to Facebook and Google revealed something meaningful about his communications. But the court found that the URLs at issue were generic. They showed that someone visited the myMedStar Lab Results tab. They did not reveal which lab result the person viewed, what the result said, or anything about the patient’s medical condition. That is a far cry from a URL that contains a search term or the title of a specific document.
The court also noted that during oral argument, plaintiff’s counsel conceded that no email address or password was ever sent to Google or Facebook. Only the fact of a login. And there was no evidence in the record that a communication between the plaintiff and another person was ever transmitted to a third party. I’m sympathetic to the plaintiff here, but what exactly is the real harm then?
That concession was fatal. The Maryland Wiretap Act protects the contents of communications. If all that was shared was the fact that someone logged in, and not what they said or saw after logging in, then there is nothing for the statute to protect.
What Maryland’s Wiretap Law Protects (and What It Does Not)
The bottom line: Maryland’s wiretap law protects the message, not the metadata. If a hospital shares your browsing activity, login events, or device information with third parties, that may feel like a privacy violation. But under this ruling, it is not a wiretap violation unless the actual content of your communications was disclosed.
The Problem with Plaintiff’s Case
Here is the uncomfortable truth. The court is right on the law. The Maryland Wiretap Act, like its federal counterpart, was written to protect messages. The substance of what people say to each other. It was not written to protect the exhaust fumes of internet activity.
Plaintiff’s best point is that IP addresses may not identify a person by name, but they can be matched, correlated, and used to build profiles that follow people across the internet. The fact that a patient logged into a portal to view lab results may not be a message in the traditional sense, but it is information that most patients would consider private.
The statute draws a line between content and metadata, and the court enforced that line. But the line itself may be the problem. It treats the message as sacred and everything else as fair game. That made sense in 1977 when the Maryland Wiretap Act was written to stop people from literally tapping phone lines. It makes less sense now, when the metadata often reveals more than the message ever could.
What Is a Meta Pixel and Why Are Hospitals Using It?
A Meta pixel, formerly called a Facebook pixel, is a small piece of code that websites embed to track visitor activity. When you visit a website with a Meta pixel installed, the code collects information about your device, your browsing behavior, and sometimes your identity, and sends that data back to Facebook. Businesses use this information to microtarget advertising, measure ad performance, and build audience profiles.
Hospitals and healthcare systems have been using Meta pixels on their websites and patient portals for the same reasons. The problem, of course, is that healthcare websites are not like retail websites. When a patient logs into a portal to view lab results, schedule an appointment, or message a doctor, the data generated by that activity is far more sensitive than a shopping cart full of shoes.
Investigative reports have found Meta pixels on the websites of major hospital systems across the country, including on pages where patients enter symptoms, search for doctors, and schedule appointments. In some cases, the pixels were installed on patient portals behind login screens. That means Facebook may have received data showing that a specific person visited a specific medical page at a specific time.
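For a hospital web team that wants to know what its own pages load, here is an added example (not from the court record or any party's code) that lists the third-party tags in a page's HTML and reports whether a page address carries query-string values, the generic-URL versus search-term distinction discussed under Plaintiff's Argument. The host list, the `portal.example.org` name, the sample markup, and both function names are assumptions made for illustration.

```javascript
// Added example (not from the article): list third-party tags on a page and
// describe what the page URL itself would reveal to whoever receives it.
// The host list is a small illustrative set, not a complete tracker list.
const TRACKER_HOSTS = new Set([
  "connect.facebook.net", "www.facebook.com",
  "www.googletagmanager.com", "www.google-analytics.com",
]);

// Return every <script>/<img>/<iframe> src that points off the first-party host.
function thirdPartySources(html, firstPartyHost) {
  const found = [];
  const re = /<(script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let u;
    try {
      u = new URL(m[2], `https://${firstPartyHost}/`); // resolves relative src
    } catch (e) {
      continue; // unparseable src: skip
    }
    if (u.hostname === firstPartyHost) continue;
    found.push({ tag: m[1].toLowerCase(), host: u.hostname,
                 knownTracker: TRACKER_HOSTS.has(u.hostname) });
  }
  return found;
}

// Separate a generic page address from one whose query string carries values
// (for example a search term). A heuristic for triage, not a legal test.
function urlExposure(pageUrl) {
  const u = new URL(pageUrl);
  const paramsWithValues = [...u.searchParams.entries()]
    .filter(([, value]) => value !== "")
    .map(([name]) => name);
  return { path: u.pathname, paramsWithValues };
}

// Constructed sample: a hypothetical portal page, not MedStar's markup.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<noscript><img src="https://www.facebook.com/tr?id=0000000000&ev=PageView"></noscript>`;

console.log(thirdPartySources(SAMPLE_HTML, "portal.example.org"));
console.log(urlExposure("https://portal.example.org/search?q=a1c+test"));
```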
The MedStar case is one of many around the nation challenging this practice.
Hospital Pixel Tracking Lawsuits: Where the Litigation Stands
The MedStar case is one of dozens of lawsuits filed against hospitals and healthcare systems over the use of Meta pixels and similar tracking technologies. The litigation exploded after a 2022 investigation by The Markup found that hundreds of hospital websites, including many patient portals, were transmitting sensitive data to Facebook.
Some of these cases have survived early motions. Others have been dismissed. The outcomes depend heavily on the specific facts, the state where the case is filed, and the legal theories the plaintiffs pursue.
Key cases to watch include:
- Doe v. MedStar Health (Maryland 2026) – Dismissed. The court ruled that tracking data is not protected “contents” under state wiretap law.
- In re Meta Pixel Healthcare Litigation (N.D. Cal.) – Consolidated MDL involving claims against Meta and multiple hospital systems. Still pending.
- Doe v. Advocate Aurora Health (Wisconsin) – Settled for $12.25 million in 2023 after allegations that patient portal data was shared with Facebook.
Courts have reached different conclusions depending on the statute at issue and the type of data allegedly disclosed. Plaintiffs who can show that actual communications, such as messages to doctors or search queries, were intercepted may have stronger claims than those whose cases rest on metadata alone.
Does HIPAA Protect Patients from Hospital Data Sharing with Facebook?
Where is HIPAA in all of this? Many patients assume that HIPAA, the federal health privacy law, prohibits hospitals from sharing their information with third parties like Facebook. That assumption is understandable. But it is often dead wrong.
HIPAA restricts how covered entities, including hospitals, handle protected health information. But HIPAA enforcement is handled by the federal government, not by private lawsuits. There is no private right of action for victims to sue under HIPAA. That means you cannot sue a hospital directly for violating HIPAA. You can file a complaint with the Office for Civil Rights. But you cannot go to court and recover damages under the statute itself.
That is why plaintiffs in cases like MedStar have turned to state wiretap laws, consumer protection statutes, and common law privacy claims. These are the tools available when HIPAA does not provide a remedy.
The MedStar court did not address HIPAA at all. The case turned entirely on whether the data shared with Facebook and Google qualified as protected “contents” under Maryland’s wiretap statute. The court said it did not. That ruling has nothing to do with whether the same conduct might violate HIPAA or other privacy laws. It simply means that this particular statute, in this particular case, did not apply.
Take Home Message
This ruling makes it harder to bring wiretap claims in Maryland based on website tracking pixels and similar technologies. If you want to sue under the Maryland Electronic Surveillance Act, you need to show that the actual contents of a communication were intercepted. Browsing activity, login events, and device fingerprints do not count.
For plaintiffs pursuing healthcare data privacy claims, this decision is a warning. The wiretap statute may not be the right vehicle unless actual patient communications, the words someone typed, the messages they sent, the documents they opened, were disclosed. Metadata alone will not get you there.
And for patients? Your hospital can promise privacy in bold letters on its website. It can tell you that your information is protected. But if it turns around and leaks your browsing activity to Facebook, and if that activity does not technically qualify as the contents of a communication, then you may have no remedy at all under this statute.
If you have questions about whether you have a claim, consult with a lawyer who handles healthcare privacy litigation. (We do not.)
The case is John Doe II v. MedStar Health Inc., No. 1033, September Term 2024, in the Appellate Court of Maryland. The opinion is unreported.
Maryland Lawyer Blog

