OPINION & ORDER Plaintiffs Dolores Gay (“Gay”) and Corrine Jacob (“Jacob”), on behalf of themselves and all others similarly situated (“Plaintiffs”), initiated this action on August 7, 2023 (ECF No. 1), alleging violations of the Electronic Communications Privacy Act 18 U.S.C. §2511(1) (“ECPA”), New York Civil Rights Law §§50, 51, New York Consumer Law General Business Law §349, as well as bringing common law claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment and negligence against Garnet Health (“Garnet” or “Defendant”). Presently before the Court is the Defendant’s Motion to Dismiss Plaintiffs’ claims pursuant to Federal Rule of Civil Procedure 12(b)(6). For the following reasons, Defendant’s Motion to Dismiss is DENIED IN PART and GRANTED IN PART. BACKGROUND The following facts are derived from the Complaint and are taken as true and construed in the light most favorable to the Plaintiffs at this stage. Plaintiffs Dolores Gay and Corine Jacob bring this action as individuals and on behalf of all others similarly situated against Garnet. Plaintiffs are current patients of Garnet. (Compl.
35, 47.) Garnet is a not-for-profit New York corporation. (Id. 59.) Defendant is headquartered at 706 East Main Street, Middletown, New York 10940. (Id.) Defendant is a covered entity under the Health Insurance Portability and Accountability Act of 1996. (Id. 62.) Defendant is a provider of healthcare services to approximately 450,000 patients across Orange, Sullivan and Ulster Counties, and has over 4,000 healthcare professionals and 850 medical staff members. (Id. 61.) Defendant owns and operates the website https://www.garnethealth.org/, along with the Garnet Health MyChart Account portal (collectively, the “Website”), which is accessible from Garnet’s website. Plaintiffs use the Website to obtain information about different conditions and treatment opportunities, Defendant’s locations and the available clinicians at each location, and the services offered to patients. (Id. 2.) Patients are also able to use a search bar on the Website where they can enter questions, symptoms, conditions, clinician names and other queries to obtain responsive information. (Id.) Patients also access their MyChart Patient Account through the Website; the MyChart Patient Account contains the patient’s personally identifiable information (“PII”) and protected health information (“PHI”) (together, “Private Information”). Defendant installed the Facebook Tracking Pixel (“Pixel”) on its Website. (Id. 2.) The Pixel enables the transmission of Plaintiffs’ and Class Members’ PII and PHI. (Id.) Defendant also allegedly installed the Facebook Conversion Application Programming Interface (“Conversions API”) on its Website. (Id. 4.) By doing so, Defendant facilitated additional unauthorized transmission of Plaintiffs’ and Class Members’ PII and PHI. (Id. 5.) Where the Tracking Pixel and Conversions API are installed on Defendant’s Website, the information Plaintiffs submit through use of Defendant’s Website is unlawfully disclosed to Facebook alongside the Plaintiffs’ unique and persistent Facebook ID (“FID”). (Id.
