
Alerts and Updates

Healthcare Tracking-Pixel Litigation Signals Continued Challenges for Defendants

June 30, 2025



On June 25, 2025, the Southern District of New York denied Teladoc Health's motion to dismiss in a website privacy class action, allowing eight of 12 claims to proceed, including federal wiretapping and multiple state privacy violations. The decision reinforces growing judicial hostility toward healthcare entities using website tracking technologies without explicit patient consent.

The Allegations

Plaintiffs alleged Teladoc installed a tracking pixel and Conversions API on its telehealth platform, transmitting protected health information to third parties for advertising purposes. Patients subsequently received targeted medical advertisements based on their confidential health conditions.

Why the Defense Failed

Fatal Flaw

The court found Teladoc's use of tracking technology created an independent criminal purpose (HIPAA violations) that defeated traditional consent-based defenses under the Electronic Communications Privacy Act. Specifically, the court adopted the reasoning of Garnet Health, holding that plaintiffs sufficiently alleged that Teladoc intended to use their personal health information for marketing purposes, which is prohibited by HIPAA, and “[s]uch allegations are enough to invoke the criminal-tortious exemption to the one-party consent rule of the ECPA.”

Other Significant Holdings

  • Teladoc functioned as a healthcare provider, not merely a "technology platform."
  • Privacy policy promises could be construed as material misrepresentations under state unfair trade practices statutes.
  • Medical conditions constitute "contents" of communications, not mere tracking data, under the Florida Security of Communications Act.
  • The HIPAA violation allegations supported multiple state law theories.

Claims That Survived

  • Federal: Electronic Communications Privacy Act
  • State privacy: New York Deceptive Practices, Florida Security of Communications Act, California Invasion of Privacy Act, California Confidentiality of Medical Information Act
  • Business torts: Breach of confidentiality, unfair competition, consumer protection violations

What Healthcare Industry Organizations Need to Do

Audit All Tracking Technologies  

Review website analytics, marketing pixels and third-party integrations.

Revise Privacy Policies  

Ensure explicit disclosure of all data sharing practices.

Implement HIPAA-Compliant Analytics  

Consider healthcare-specific tracking alternatives.

Document Consent Processes  

Establish clear, granular consent for any data sharing.

Broader Trend

The decision follows other recent decisions from courts willing to entertain privacy claims related to the use of tracking technologies without explicit patient consent. While these claims have survived early motions to dismiss, it is not clear whether they will ultimately succeed. Healthcare providers should closely review their privacy policies and consider how disclosures are made and the implications of using tracking technologies on their websites.

For More Information

If you have any questions about this Alert, please contact J. Colin Knisely, Erin M. Duffy, Michael S. Zullo, any of the attorneys in our Privacy and Data Protection Group, any of the attorneys in our Health Law Practice Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.