The viability of the federal Wiretap Act as a path to recovery for consumers targeting health care providers and financial institutions with online privacy claims will likely become clearer during oral arguments April 6.
The US Court of Appeals for the First Circuit will have the opportunity to “return to first principles” on whether website operators face wiretapping liability for using data-tracking tools on their websites, according to Jason Barnes, a partner with Simmons Hanly Conroy LLP who focuses on consumer class actions.
It’s the first-ever circuit-court review of how the act—sometimes called the Electronic Communications Privacy Act after it was amended to address digital communications—applies to today’s online advertising technology, said J. Colin Knisely, a partner with Duane Morris LLP who focuses on class-action privacy litigation as a defense attorney.
The circuit court will be the first “to decide whether HIPAA violations or other privacy intrusions qualify as a predicate act to trigger ECPA liability,” Knisely said. “And that’s a welcome thing, because I have a hard time telling clients which way these are trending, it seems like it’s different every week.”
The issue has split lower courts into diverging lines of cases, with judges often “picking among the lines of cases without giving them a fresh look,” Barnes said.
Ensuring the viability of ECPA claims is “incredibly important” for plaintiffs because the act provides for statutory damages—a crucial advantage in privacy cases where damages are difficult to prove, according to David Almeida, a plaintiffs’ attorney focusing on consumer class actions and founder of Almeida Law Group.
Privacy Law
The ECPA provision at the heart of the appeal—the crime-tort exception—provides for party liability where an interception occurs “for the purpose of committing any criminal or tortious act.” Its central role in consumer privacy cases arises in part from the lack of an overarching federal privacy law, Almeida said.
Sector-specific privacy statutes that do exist—such as the Health Insurance Portability and Accountability Act for health information and the Gramm-Leach-Bliley Act for financial information—don’t provide a private right of action, he said. As a result, plaintiffs seeking to assert a privacy claim are left “shoehorning laws that weren’t specifically designed for this sort of thing,” he said.
Courts have divided over how to interpret the “purpose” element of the provision, according to Dustin L. Taylor, who is of counsel with Troutman Pepper Locke LLP.
Here, plaintiff Debra Goulart alleged that Cape Cod Healthcare Inc. violated ECPA by disclosing her personal health information to
Stearns rejected the plaintiff’s argument that the health system was liable because it intercepted her communications for the purpose of committing a criminal or tortious act—disclosing them to third parties in violation of HIPAA.
That put Stearns at odds with other district courts in recent rulings that have found liability for health care providers facing similar allegations under the Wiretap Act’s crime-tort exception.
Criminal Intent
In analyzing the exception, some courts limit liability to cases where the intent of the interception was to commit a crime or tort, but others focus on whether the act was criminal or tortious without regard to the intent of the intercepting party, said Taylor, who defends corporations in data-privacy litigation.
Stearns fell into the former camp, finding the plaintiff failed to allege that the health-care system’s primary purpose was committing a crime or tort, as opposed to commercial gain through improved marketing and advertising.
“Commercial purposes or advantages are not the stuff of which a crime-tort is made,” he said.
Almeida challenged this conclusion. “The question isn’t whether you had a purpose or intent to violate HIPAA, it’s whether you had a purpose to do the act,” he said. “You installed a tracking device, you disclosed to Meta or Google, and that disclosure is unquestionably a criminal act that violates HIPAA. This primary motivation business isn’t the right analysis.”
Judge Steven C. Seeger of the Northern District of Illinois endorsed this point of view in a February 2025 ruling denying dismissal of an ECPA claim against Chicago-based Edward Elmhurst Health.
“The existence of an underlying financial motivation does not mean that the act lacked a criminal or a tortious purpose,” Seeger said. “That’s like saying that a bank robber’s purpose was not to commit a crime—it was to make money.”
Surveillance System
According to Barnes, the case is also an opportunity for the courts to take better account of the impact of the data industry’s surveillance practices on consumers and society.
The early days of litigation over the internet saw the courts taking a wait-and-see approach out of reluctance to stifle a burgeoning industry, he said.
Courts rejecting ECPA claims may have thought the wiretapping statute was made for “spy novel type stuff,” not allegations related to data collection from a public website, Almeida said.
But those decisions “make absolutely no sense today because there was a misbegotten belief that there would be no negative consequences to this sort of model,” Barnes said. Courts have come under increasing pressure in the last 20 years as they have looked more closely at how common-law causes of action and modern privacy statutes can be used to protect privacy rights.
“And you know what? There is something here,” he said. “Because no one signed up for this type of surveillance system.”
The case is Goulart v. Cape Cod Healthcare, 1st Cir., No. 25-01672, argument scheduled 4/6/26.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.