A new federal case is examining how far health insurers can go with web tracking tools without breaking privacy laws. In Adair v. Cigna, the plaintiffs claim that Cigna’s use of cookies and pixels on its public websites led to the unauthorized sharing of protected health information (PHI). Cigna’s motion to dismiss, filed on July 11, 2025, argues otherwise—and could provide a clear path for how courts handle similar lawsuits in the future.
The Case at a Glance
- Claims: The plaintiffs have filed a class action lawsuit under Pennsylvania’s wiretapping statute (WESCA) along with common law claims like invasion of privacy, breach of fiduciary duty, and unjust enrichment.
- Cigna’s Defense: Cigna argues there’s no basis for the lawsuit, no actual interception of PHI on the tracked pages, and that users gave full consent. Specifically, Cigna contends:
- The plaintiffs never alleged that PHI was entered on any public webpage where the tracking technologies (which included tools from Pinterest, Snapchat, The Trade Desk, LiveRamp, Demandbase, MediaMath, and Meta) were present; these public sites simply don’t collect PHI, distinguishing them from secure member portals.
- Despite this, Cigna’s websites clearly disclosed their use of cookies and other trackers through their Terms of Use and Website Privacy Notice, which the plaintiffs actively agreed to.
- Website users, including the plaintiffs, had to specifically consent before they could access secure account features.
- The plaintiffs haven’t shown a real injury, as the online tools did not actually collect personal or private information from them.
Legal Takeaways
- Standing Still Matters: Courts are closely examining whether privacy plaintiffs can show a concrete injury. Vague claims of “data interception” or the sharing of nonsensitive data may not be enough to proceed.
- Consent Is Crucial: Cigna’s arguments strongly suggest that clear notice and acceptance of website terms—including privacy policies that explain data collection and sharing with third-party ad networks—are legally binding and could defeat privacy claims.
- Location and “Contents” of Interception Are Key Issues: Since none of the plaintiffs live in Pennsylvania, Cigna argues that WESCA should not apply, particularly under the Third Circuit’s Popa decision. Furthermore, Cigna challenges the plaintiffs’ failure to claim that the information allegedly intercepted was “contents” as defined by WESCA.
- Common Law Claims Under Scrutiny: Cigna is also challenging the common law claims, arguing, among other points, that the alleged conduct wasn’t “extreme” or “highly offensive,” and that plaintiffs didn’t adequately show confidential information was shared or that they suffered actual harm.
What to Watch
If the court agrees with Cigna’s arguments, this could be a major win for companies defending against privacy class actions related to common web analytics tools.
What You Should Do
- Review your website disclosures and how users provide consent.
- Understand exactly where tracking technologies are used and what data they gather.
- Ensure your Terms of Use and Privacy Notices are up-to-date, easy to find, and consistently enforced.
If you have any questions regarding this alert, please contact Kevin Szczepanski, Data Security & Technology Practice Area co-chair, at kszczepanski@barclaydamon.com; Celine Dorsainvil, associate, at cdorsainvil@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.