
    Arthur STEINBERG, et al. v. CVS CAREMARK CORPORATION, et al.
    Civil Action No. 11-2428.
    United States District Court, E.D. Pennsylvania.
    Feb. 16, 2012.
    
      David S. Senoff, Richard C. Defrancesco, Caroselli Beaehler McTiernan & Con-boy, Philadelphia, PA, Jerome M. Marcus, Marcus & Auerbach LLC, Jenkintown, PA, Jonathan Auerbach, Marcus & Auerbach LLC, Wyncote, PA, for Arthur Stein-berg, et al.
    Andrea K. Zollett, Foley & Lardner, Robert H. Griffith, Chicago, IL, 0. Daniel Ansa, Roman T. Galas, Philadelphia, PA, for CVS Caremark Corporation, et al.
   MEMORANDUM

McLAUGHLIN, District Judge.

The plaintiffs, Arthur Steinberg and the Philadelphia Federation of Teachers Health and Welfare Fund (“PFTHW”), bring this action on behalf of themselves and other Pennsylvania prescription drug purchasers against CVS Caremark Corporation (“Caremark”) and CVS Pharmacy, Inc., in connection with the defendants’ sale of information they provided when having their prescriptions filled. The operative complaint was filed on May 31, 2011 and brings claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (“UTPCPL”) as well as theories of unjust enrichment and invasion of privacy. The defendants have moved to dismiss the complaint for failure to state a claim. The Court will grant the defendants’ motion.

I. Background

This case was initially brought in the Philadelphia Court of Common Pleas on March 7, 2011, and removed to this Court on April 7 under the Class Action Fairness Act of 2005. The plaintiffs filed their Amended Consumer Class Action Complaint (“CAC”) on May 31, which the defendants moved to dismiss on July 25, arguing under Rule 12(b)(6) of the Federal Rules of Civil Procedure that the plaintiffs had failed to state a claim.

The CAC alleges that the defendants misused “confidential prescription information” provided by the plaintiffs when filling prescriptions. The plaintiffs bring several claims under state law for the defendants’ (a) use of this data to send letters to consumers’ physicians suggesting that they prescribe alternate drugs; (b) packaging and sale of certain consumer data to third parties; and (c) failure to disclose that consumers’ data would be used in this manner. Steinberg brings UTPCPL and privacy claims against both defendants (Counts I & IV); both plaintiffs assert an unjust enrichment claim against Caremark (Counts II & III).

A. Allegations of the Complaint

Steinberg is an individual who purchased prescription medication at a CVS pharmacy located in Richboro, Pennsylvania. PFTHW is a trust providing benefits for members, retirees, spouses, and dependents of the Philadelphia Federation of Teachers Local 3 Union, including administration of prescription drug benefit plans. Through those plans, PFTHW reimbursed its members for prescriptions filled at CVS pharmacies. CAC ¶¶ 5-6, 9. The plaintiffs assert claims on behalf of a putative class of all Pennsylvania consumers and third-party payors who filled prescriptions at CVS pharmacies and were not notified that the defendants would use and sell their information in the ways described above. CAC ¶¶ 47-49. The defendants operate retail pharmacies, and Caremark operates as a pharmacy benefits manager, providing pharmacy services to numerous entities. CAC ¶ 8.

The CAC identifies several public representations that Caremark made in connection with its handling of consumer information. First, Caremark has a “Code of Conduct” for employees that it makes available on its website. The Code of Conduct states:

Our role in the health care industry requires us to collect and maintain the personal health information of those we serve. This data, also called “Protected Health Information” or PHI, is protected under federal and state privacy and security laws. These laws require that PHI, such as names, addresses, dates of birth, phone numbers, social security numbers, medical diagnoses, prescription histories and physician notations, be handled in a confidential manner.
“Personally Identifiable Information” must also be protected. PII is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. It includes the demographic information associated with PHI, as well as other unique identifiers such as credit card data, email addresses, driver’s licenses, fingerprints, or handwriting.
It is critical that those we serve ... are able to count on us to protect their personal and health information. Remember, the people we serve trust CVS Caremark to use their PHI and PII only for purposes of providing our services to them.

CVS Caremark Code of Conduct at 8-9, CAC Ex. A.

Caremark’s website also makes available guidelines from the American Pharmacists Association’s Advisory Committee. These “Principles of Practice” describe the contours of the pharmacist-patient relationship, including how pharmacists should treat patient information. Specifically, the Principles state that “[p]atient-specifie medical information must be collected, organized, recorded, and maintained,” and that “[pjatient information must be maintained in a confidential manner.” Principles of Practice for Pharmaceutical Care, CAC Ex. B.

Caremark issues a “Notice of Privacy Practices” to customers when they fill prescriptions in Pennsylvania. This document states:

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED ....
CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information (“Protected Health Information” or “PHI”). PHI is information about you, including basic information that may identify you and relates to your past, present, or future health and the dispensing of pharmaceutical products to you....
Our Pledge Regarding Your Health Information
We are required by federal and applicable state law, regulations, and other authorities to protect the privacy of your health information and to provide you with this Notice. Our pharmacy staff is required to protect the confidentiality of your PHI and will disclose your PHI to a person other than you or your personal representative only when permitted under federal or state law.... In some circumstances, as described in this Notice, the law permits us to use and disclose your PHI without your express permission.
How We May Use and Disclose Your PHI Without Your Permission. Treatment, Payment or Health Care Operations.
Below are examples of how Federal law permits use or disclosure of your PHI for these purposes without your permission:
1. Treatment: ... Patient Contacts. We may contact you to provide treatment-related services, such as refill reminders, treatment alternatives (e.g., available generic products), and other health related benefits and services that may be of interest to you.
Other Special Circumstances.
We are permitted under federal and applicable state law to use or disclose your PHI without your permission only when certain circumstances may arise, as described below.
We are likely to use or disclose your PHI for the following purposes: Business associates: We provide some services through other companies termed “business associates”. Federal law requires us to enter into business associate contracts to safeguard your PHI as required by CVS and by law.
You have the right to request a restriction or limitation on our use or disclosure of your PHI by submitting a written request to the CVS/pharmacy Privacy Office. You must identify in this request: (i) what particular information you would like to limit, (ii) whether you want to limit use, disclosure, or both, and (iii) to whom you want the limits to apply. All requests will be carefully considered, but we are not required to agree to those restrictions. We will provide you with a written response to your request within 30 days.

Notice of Privacy Practices, CAC Ex. E (emphasis in original).

The CAC alleges that the defendants entered agreements with pharmaceutical manufacturers such as Eli Lilly and Company, Merck, AstraZeneca, and Bayer, whereby those companies funded mailings by Caremark to the physicians of the defendants’ customers, urging them to consider prescribing alternative medications. The letters identified consumers by name, birth date, and the medications they had been prescribed, stating that such information had been obtained from consumers filling prescriptions at CVS pharmacies. The defendants also sold “confidential prescription information” obtained from consumers to third parties, including pharmaceutical manufacturers and data companies. CAC ¶¶ 17, 19-26.

The defendants did not state in the Code of Conduct or Notice of Privacy Practices that “confidential prescription information” would be sold to these entities, but Care-mark executives admitted to the sale of this information in public pronouncements to investors and in other judicial proceedings. CAC ¶¶ 37-43; Change to Win Coalition, CVS Caremark: An Alarming Prescription (Nov.2008) at 15-16, CAC Ex. F (noting that Caremark’s Chief Executive Officer told investors that the company has “more information on the consumer and their behavior than anybody else, and we share it with our over-the-counter suppliers,” and that Caremark’s Director of Managed Care Operations acknowledged that “the sale of data to vendors occurred and was a source of revenue”).

The plaintiffs allege that the defendants’ actions violate the UTPCPL because although they stated to consumers that they “maintained the confidential prescription information of ... consumers,” the defendants failed to disclose their practice of packaging and selling of that information in its Notice of Privacy Practices. As a result, the plaintiffs “suffered an ascertainable loss.” CAC ¶¶ 58-63, 67.

The plaintiffs further allege that they conferred a benefit on Caremark, “namely, the receipt of confidential prescription information,” and Caremark has been unjustly enriched because it “sought to generate additional profits through the sale of confidential prescription information obtained through the benefits conferred” by the plaintiffs. The plaintiffs allege that “the circumstances identified with particularity” earlier in the CAC render Care-mark’s retention of profits from the sale of that information unjust. CAC ¶¶ 69-71, 73-75.

Finally, the plaintiffs allege that the defendants’ practices worked an intentional intrusion upon their seclusion because the plaintiffs’ information was sold under false pretenses, and that this intrusion would be highly offensive to a reasonable person. CAC ¶¶ 77-79.

B. Motion to Dismiss

The CAC repeatedly refers to the defendants’ sale of “confidential prescription information” to pharmaceutical companies and third-party data firms, but does not elaborate on what “confidential prescription information” is or what parts of that data were in fact disclosed to third parties. The defendants argue that this characterization is conclusory and obscures the nature of the data they package and sell. In opposition to the defendants’ motion, the plaintiffs refer interchangeably to the defendants’ sale of “protected health information,” “individually identifiable health information,” and “confidential prescription information,” PI. Opp. 6, without identifying what that information consists of, or what factual averments in the CAC support those claims.

The plaintiffs do clarify that they allege that once the data in question is collected by the defendants, it is “merged, edited, de-identified and then sold to third party data vendors and business associates.” Id. The arguments made by the plaintiffs in opposition to the instant motion did not resolve the confusion over what data they allege was actually sold by the defendants.

C. Oral Argument on the Motion

At oral argument, the plaintiffs altered both the specificity of their factual allegations and the theory under which those facts gave rise to liability under the CAC. Specifically, the plaintiffs conceded that the information sold by the defendants to third parties was de-identified within the meaning of HIPAA. However, they argued that this information could be “re-identified,” entitling it to protection, rendering defendants’ representations misleading, and making their profiting from the information’s sale unjust.

The Court raised its concerns over the ambiguity in the CAC and plaintiffs’ briefing as to the specific information they allege was sold by the defendants to third parties. Counsel for the plaintiff agreed with the Court that the CAC’s averments relating to “confidential prescription information” were at least “ambiguous.” Tr. Hr’g 10/27/11 at 28. Counsel acknowledged that the information that the plaintiffs allege was sold to pharmaceutical companies and third party data firms did not contain patient names, birth dates, or Social Security numbers. Instead, the information sold consisted of a combination of medical history, prescription drugs given, dates of prescriptions, diagnoses, and physician names, lacking identifying information. Id. 8-11.

Counsel conceded that the information disclosed by the defendants to pharmaceutical companies and data firms was deidentified data. He stated that the plaintiffs could still articulate a theory of liability based on a contention that the information sold by the defendants is capable of being manipulated to identify individual patients, in violation of HIPAA. Id. 11-12. Counsel also requested that if the Court dismissed the operative complaint, the plaintiffs be granted leave to amend, using a re-identification theory to establish that the information the defendants disclose is entitled to HIPAA protection. Id. at 27-28. The Court was referred to the name of an article in an academic journal discussing risks associated with re-identification of data, but counsel did not explain how or whether the theory applied to this case. Id. at 12.

Ultimately, the plaintiffs conceded that the status of the information disclosed by the defendants under health information privacy laws governed the viability of the plaintiffs’ claims.

[I]f what we’re talking about here is information which is legally entitled to protection, then it seems to me all of the pieces in the complaint fall into place our way. And if ... the information isn’t protected, we ... haven’t been injured, we don’t have standing, there hasn’t been a violation of rights, there’s no unjust enrichment, everything.... I think that if ... all that the [defendants] are getting is some sort of aggregate mass of data, it says 250,000 people took a medication for diabetes ... I think we lose. If the information isn’t legally protected ... we don’t have a claim. I want to make that clear.

Id. at 5-6, 22-23.

The Court agrees with the plaintiffs’ characterization of the case at oral argument, and because it finds that the defendants have not disclosed legally protected information, will grant the defendants’ motion.

II. Discussion

The CAC alleges that the defendants misrepresented their treatment of “confidential prescription information” provided by consumers in connection with pharmacy services. The plaintiffs’ subsequent clarifications make clear that the defendants neither sold information entitled to legal protection nor made any misrepresentations on which the plaintiffs justifiably relied regarding the way that consumer information would be handled. In addition, the information the defendants sold to third parties does not carry a compensable value to the plaintiffs or constitute an invasion of privacy. The Court will, therefore, dismiss the plaintiffs’ claims. Because the plaintiffs have not articulated a viable alternative theory of liability, the Court’s dismissal will be with prejudice.

A. UTPCPL Claim

Steinberg argues that the defendants’ failure to disclose their sale of his prescription information in the “CVS Care-mark Code of Conduct,” made available online, and “Notice of Privacy Practices,” disclosed to Pennsylvania consumers when filling prescriptions, constitutes a deceptive practice under the UTPCPL. He alleges that the defendants’ failure to disclose this practice is “fraudulent or deceptive conduct which creates the likelihood of confusion or misunderstanding.” CAC ¶¶ 62, 64. This language invokes the “catch-all” provision of the UTPCPL. See 73 Pa. Stat. § 201-2(4)(xxi).

1. Status of the Plaintiffs’ Information

The substantive basis for the plaintiffs UTPCPL claim is that the defendants made material misrepresentations in their Notice of Privacy Practices and Code of Conduct as to how the plaintiffs information would be used. Specifically, Stein-berg alleges that the defendants disclosed “Protected Health Information,” as defined by HIPAA, to third parties despite their representations to the contrary.

Steinberg does not bring a claim directly under HIPAA, and indeed the federal appellate courts that have passed on the issue have held that HIPAA does not provide for a private right of action in connection with the misuse of PHI. Rather, Steinberg brings claims under the UTPCPL based on the defendants’ representations that they protect PHI and disclose information only in accordance with applicable law.

The “Privacy Rule,” promulgated under HIPAA, governs the gathering and disclosure of healthcare information, including prescription data. 45 C.F.R. § 164.502(d)(l)-(2). These regulations define Protected Health Information by reference to their definition of “individually identifiable health information,” as follows:

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

45 C.F.R. § 160.103.

Under' the Privacy Rule, healthcare providers are permitted to “de-identify” Protected Health Information. Once information is de-identified, it is no longer considered Protected Health Information. 45 C.F.R. §§ 164.502(d)-(e), 164.514(a) (“Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.”). Further, federal regulations permit the disclosure of Protected Health Information under certain circumstances, including for “treatment, payment, or health care operations.” The term “health care operations” is defined to include “contacting of health care providers and patients with information about treatment alternatives.” 45 C.F.R. §§ 164.506, 164.501.

The CAC’s allegations suggest two types of disclosures of customer data in this case. First, the defendants, at the request of pharmaceutical companies, include information in letters to consumers’ physicians — including patient names and prescriptions — in order to suggest the provision of alternate medications. CAC ¶¶ 19-22. The plaintiffs do not allege that this type of information is disclosed to any parties other than patients’ existing health care providers or used for any purpose other than for informing patients of treatment alternatives. This is a permissible disclosure of PHI under HIPAA; it falls within the “health care operations” exception of Section 164.501 because it is a communication made to a health care provider with information about treatment alternatives.

The second type of disclosure is made to pharmaceutical companies and data vendors. The plaintiffs contend that this information is covered by the Privacy Rule. Although they admit that the information the defendants disclose to third parties is de-identified within the meaning of HIPAA, the plaintiffs have argued that it can be “re-identified.” There is no such contention in the CAC, and plaintiffs’ counsel admitted that the basis for such an argument comes from a single journal article and would take the form of expert testimony that a re-identification risk exists with respect to de-identified information generally,- not as to the plaintiffs in this case. Tr. Hr’g 7,12-13.

The plaintiffs’ allegations, as clarified, show that the defendants’ practice of deidentifying and packaging consumer information for sale to third parties is consistent with the representations in the Code of Conduct and Notice of Privacy Practices. The Caremark Code of Conduct states that PHI is to be handled in a confidential manner. The Notice of Privacy Practice states that PHI will be disclosed “only when permitted under federal or state law.”

The plaintiffs do not allege that the defendants disclose Protected Health Information to third parties. Rather, they disclose de-identified information, which (a) federal regulations do not prohibit; and (b) is consistent with the defendants’ statements that they safeguard information that “may identify” consumers. The plaintiffs argue that the defendants “deliberately and intentionally sold confidential prescription information in direct contradiction to their representations,” CAC ¶ 59, but the facts the plaintiffs have pled regarding the defendants’ actions are consistent with the representations the plaintiffs claim to be deceptive. Therefore, as a matter of pleading sufficiency, the plaintiffs allegations do not raise a plausible claim for relief under the UTPCPL.

2. Private-Plaintiff Standing Under the UTPCPL

The UTPCPL claims are independently dismissible because the plaintiff lacks standing to bring them. The UTPCPL gives a private right of action to plaintiffs who “suffer[ ] any ascertainable loss of money or property ... as a result of the use or employment [of a deceptive practice].” 73 Pa. Stat. § 201-9.2. The United States Court of Appeals for the Third Circuit has held that this provision of the UTPCPL requires an individual to plead facts showing that the plaintiff (a) justifiably relied on the defendant’s wrongful conduct or representation and (b) suffered harm as a result of that reliance. Hunt v. U.S. Tobacco Co., 538 F.3d 217, 221-23 (3d Cir.2008).

a. Ascertainable Loss

Steinberg’s allegation that he “suffered an ascertainable loss as a direct and proximate result” of the defendants’ conduct, CAC ¶ 67, is a legal conclusion the Court need not accept. See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 564, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). No other facts are pled to suggest the nature of Steinberg’s loss. Construing the allegations of the CAC liberally, the loss Stein-berg claims to have suffered appears to be the loss of the value of his demographic information, or the loss of an opportunity to pay less for his prescriptions with the understanding that the defendants would be profiting from the sale of his information.

Other district courts examining the issue have found that the collection and sale of this kind of information does not carry a compensable value to consumers, and cannot sustain a finding of injury without a specific showing that the plaintiff has sustained a resulting loss. See LaCourt v. Specific Media, Inc., No. 10-1256, 2011 WL 1661532, at *4 (C.D.Cal. Apr. 28, 2011) (noting that the defendant’s practice of collecting the plaintiffs’ web browsing histories could not give rise to a finding that they suffered injury, and rejecting the argument that the practice “deprived [them] of this information’s economic value”); In re JetBlue Airways Corp. Privacy Litig., 379 F.Supp.2d 299, 327 (E.D.N.Y.2005) (finding that the personal information of individual airline passengers has no “compensable value in the economy”); In re Doubleclick Inc. Privacy Litig., 154 F.Supp.2d 497, 525 & n. 35 (S.D.N.Y.2001) (“[AJlthough demographic information is valued highly ..., the value of its collection has never been considered an economic loss to the subject---- [W]e are unaware of any court that has held the value of this collected [demographic] information constitutes damage to consumers or unjust enrichment to collectors.”).

As in those cases, the plaintiffs claim that he suffered a loss as a result of the sale of his information is without factual support in the complaint. Without specific factual allegations as to the injury Stein-berg sustained by the defendant’s collection and sale of his information, he lacks standing to bring a claim under the UTPCPL. The CAC contains no allegations that Steinberg would have sought to fill his prescriptions elsewhere had he known of the defendants’ practices. Nor does Steinberg allege that the defendants’ actions deprived him of the opportunity to sell his information to data aggregation firms directly. In short, Steinberg has not shown that he was harmed by the defendants’ actions, which Pennsylvania law requires for a private plaintiff to bring a UTPCPL action. See Hunt, 538 F.3d at 225 (the UTPCPL’s standing provision exists “to separate private plaintiffs (who may sue for harm they actually suffered as a result of the defendant’s deception) from the Attorney General (who may sue to protect the public from conduct that is likely to mislead)”).

b. Justifiable Reliance

Steinberg also lacks standing to bring a claim under the UTPCPL because of his failure to plead facts showing that he justifiably relied on the defendants’ representations. The Hunt court noted that a 1996 amendment to the catch-all provision added the words “or deceptive” to its prohibition of “fraudulent” conduct. There, the appellant had argued that after the amendment, a plaintiff suing under that provision need not allege all the elements of common-law fraud. See id. at 225. Steinberg makes similar arguments here. See Pis.’ Opp. III.C.l.

The Hunt court did not address that issue, but assumed it for the sake of argument and found that the plaintiff had still failed to plead his claim adequately because he had not alleged justifiable reliance. Hunt, 538 F.3d at 225. The court found that the justifiable reliance requirement derived from the standing provision of the UTPCPL private-plaintiff provision, not its substantive prohibitions. Id. (citing Yocca v. Pittsburgh Steelers Sports, Inc., 578 Pa. 479, 854 A.2d 425, 438-39 (2004) and Weinberg v. Sun Co., 565 Pa. 612, 777 A.2d 442, 445 (2001)).

Steinberg has failed to allege that he was aware of the defendants’ representations in the Notice of Privacy Practices and Code of Conduct, nor has he alleged that he relied on those statements in electing to fill his prescriptions at CVS. Under the Third Circuit’s interpretation of Pennsylvania law, such a failure requires dismissal of the plaintiffs UTPCPL claim for lack of standing.

B. Unjust Enrichment Claims

The plaintiffs have not shown that the information disclosures by the defendants caused them to suffer an ascertainable loss. For related reasons, they cannot show that they conferred a benefit on the defendants or that retention of any benefit would be unjust under the circumstances.

Unjust enrichment is an equitable doctrine, but a prima facie showing of unjust enrichment in Pennsylvania includes facts demonstrating that (a) the plaintiff conferred a benefit on the defendant; (b) the defendant appreciated those benefits; and (c) acceptance and retention of those benefits would be inequitable under the circumstances without payment of value. See Lackner v. Glosser, 892 A.2d 21, 34 (Pa.Super.Ct.2006).

The “confidential prescription information” alleged to have been disclosed to third parties consists of de-identified patient information, and any disclosures of PHI were made to consumers’ own physicians and for the purpose of recommending treatment alternatives. Regardless of the information disclosed, the plaintiffs have raised no facts or argument to suggest that Steinberg or the PFTHW disclosed information to the defendants for which they could reasonably have expected compensation.

The relationship between the plaintiffs and defendants was one wherein the plaintiffs provided certain information in exchange for the provision of pharmacy services. Under the circumstances the plaintiffs could have no reasonable expectation of being compensated for the information related to that transaction, because that information carries with it no compensable value at the individual level. See, e.g., Boring v. Google Inc., 362 Fed. Appx. 273, 282 (3d Cir.2010) (information regarding the appearance of the plaintiffs’ driveway did not give rise to a reasonable expectation of compensation); see also In re JetBlue, 379 F.Supp.2d at 327; In re Doubleclick, 154 F.Supp.2d at 525 & n. 35; LaCourt, 2011 WL 1661532 at *4.

The plaintiffs allege that Caremark’s “receipt of profits is unjust under the circumstances identified with particularity above.” CAC ¶ 75. Such pleading is conclusory and inadequate, particularly because the “unjust” element of an unjust enrichment claim is the “most significant” one under Pennsylvania law. Northeast Fence & Iron Works, Inc. v. Murphy Quigley Co., 933 A.2d 664, 668-69. (Pa.Super.Ct.2007). The plaintiff paid the defendants to fill prescriptions, and the defendants did so. Retention of any benefit accruing to the defendants from the deidentification, aggregation, or sale of patient information could not be considered unjust under the circumstances. “[T]he doctrine does not apply simply because the defendant may have benefitted as a result of the actions of the plaintiff.” Id. Because the plaintiffs have not pled facts showing that they have conferred a benefit on the defendants or that the retention of such benefits would be unjust under the circumstances, the plaintiffs’ claims for unjust enrichment will be dismissed.

C. Privacy Claim

Unlike the UTPCPL and unjust enrichment claims discussed above, Steinberg’s privacy claim does not' depend on whether the information he provided to the defendants was something of value to him. Instead, Steinberg’s claim fails because he voluntarily disclosed that information to the defendants. Under the circumstances, he cannot state a claim for intrusion upon seclusion in Pennsylvania.

“Under Pennsylvania law, invasion of privacy involves four separate torts: (1) unreasonable intrusion upon the seclusion of another; (2) appropriation of another’s name or likeness for commercial purposes; (3) publicity given to another’s private life; and (4) publicity that unreasonably places another in a false light before the public.” Doe v. Wyoming Valley Health Care Sys., Inc., 987 A.2d 758, 765 (Pa.Super.Ct.2009). The plaintiffs allege that the defendants intruded upon their seclusion by making the third-party data sales. CAC ¶ 77.

Although the Pennsylvania Supreme Court has not expressly adopted the Restatement (Second) of Torts definition of intrusion upon seclusion, Pennsylvania courts rely upon its definition to parse such claims. See Tagouma v. Investigative Consultant Svcs., Inc., 4 A.3d 170, 174 (Pa.Super.Ct.2010). Intrusion upon seclusion is defined by the Restatement as follows: “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement (Second) of Torts § 652B. “The defendant is subject to liability under this Section only when he has intruded into a private place, or has otherwise invaded a private seclusion that the plaintiff has thrown about his person or affairs.” Id. cmt. c.

The plaintiffs acknowledge that they voluntarily disclosed the information later disseminated by the defendants, and argue that their claim is premised not on the receipt of that information but instead on its sale to third parties. Pis.’ Opp. 16. This argument is unavailing. In Pennsylvania, liability for intrusion upon seclusion cannot exist where a defendant legitimately obtains information from a plaintiff. Burger v. Blair Med. Assocs., Inc., 600 Pa. 194, 964 A.2d 374, 378 (2009). This is so even where those facts voluntarily offered are later disclosed to a third party, even by such highly visible means as newspaper publication. See Harris by Harris v. Easton Publ’g Co., 335 Pa.Super. 141, 483 A.2d 1377, 1383 (1984). Thus, the plaintiffs cannot state a claim for intrusion upon seclusion under Pennsylvania law, and Count IV of the CAC will be dismissed.

D. Dismissal with Prejudice

The plaintiffs have raised a number of concerns about the ways in which the defendants used their information after providing them with pharmacy services. Indeed, commentators have called for a variety of statutory approaches to the collection and sale of consumer-information databases. See Jeff Sovern, Opting In, Opting Out, or No Options at All: The Fight for Control of Personal Information, 74 Wash. L.Rev. 1033, 1094-1116 (1999) (reviewing the merits of proposed voluntary and government-imposed systems by which consumers might actively permit or prohibit use of their information). The facts the plaintiffs are able to allege, however, fail to give rise to a cognizable claim under current law.

This case was filed in the Court of Common Pleas of Philadelphia County on March 7, 2011, and removed to this Court on April 7, 2011. The plaintiffs then amended their complaint on May 31, 2011. The plaintiffs filed their brief in opposition to the instant motion on August 19, 2011. Yet it was not until oral argument in October 2011 that the plaintiffs stated their new theory of “re-identification” as the basis for an amended pleading. Even at that time, the plaintiffs could not state what allegations an amended pleading would contain.

The Court must conclude under the circumstances that amendment would be futile. The defendants point out that they already have incurred the time and expense of responding to the instant complaint, and that the “re-identification” theory hinted at by the plaintiffs cannot salvage their claims. The defendants argue that the time to present alternative theories of recovery was before the motion to dismiss had been fully briefed, and that the manner in which to present those theories was in the form of a proposed amended pleading, which the plaintiffs have not provided. Tr. Hr’g 18, 32.

The Court agrees. This case was filed nearly one year ago, and despite multiple opportunities to clarify how Steinberg or PFTHW could plead their claims adequately, the plaintiffs have been unable to do so. As currently amended, the factual allegations of the complaint fail to state a claim, and the plaintiffs have proposed neither an alternative pleading nor even an alternative theory that would state a plausible claim for relief. Granting leave to amend the complaint would be futile. See Phillips v. County of Allegheny, 515 F.3d 224, 245 (3d Cir.2008) (leave to amend should be granted following 12(b)(6) dismissal unless the district court finds that amendment would be inequitable or futile).

An appropriate order follows.

ORDER

AND NOW, this 15th day of February, 2012, upon consideration of the defendants’ Motion to Dismiss Plaintiffs’ Amended Complaint (Docket No. 28), the plaintiffs’ response thereto, the defendants’ brief in reply, after oral argument, and for the reasons stated in a memorandum bearing today’s date, IT IS HEREBY ORDERED the defendants’ motion is GRANTED. The plaintiffs’ Amended Complaint is dismissed WITH PREJUDICE. This case is CLOSED. 
      
      . HIPAA is the Health Insurance Portability and Accountability Act of 1996. Pub.L. No. 104-191, 110 Stat.1936 (1996).
     
      
      . In evaluating a motion to dismiss under Rule 12(b)(6), a court must accept all well-pleaded facts as true, and must construe the complaint in the light most favorable to the plaintiff. Fowler v. UPMC Shadyside, 578 F.3d 203, 210 (3d Cir.2009). When evaluating a motion to dismiss, the court should disregard any legal conclusions. The court must then determine whether the facts alleged are sufficient to show that the plaintiffs have a “plausible claim for relief.” Id', at 210. If the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, then the complaint has alleged, but it has not shown, that the pleader is entitled to relief. Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 1950, 173 L.Ed.2d 868 (2009).
     
      
      . See Acara v. Banks, 470 F.3d 569, 570 (5th Cir.2006) (per curiam); Carpenter v. Phillips, 419 Fed.Appx. 658, 658 (7th Cir.2011); Dodd v. Jones, 623 F.3d 563, 569 (8th Cir.2010); Seaton v. Mayberg, 610 F.3d 530, 533 (9th Cir.2010), cert. denied, - U.S. -, 131 S.Ct. 1534, 179 L.Ed.2d 309 (2011); Wilkerson v. Shinseki, 606 F.3d 1256, 1267 n. 4 (10th Cir.2010).
     
      
      . 45 C.F.R. § 164.514(b)(2)(i) details the specific information that must be removed from PHI to render it de-identified information. The United States Department of Health and Human Services makes clear on its website that "[t]here are no restrictions on the use or disclosure of de-identified health information.” See U.S. Dep't of Health & Hum. Servs., Summary of the HIPAA Privacy Rule, http://www.hhs.gov/ocr/privacy/hipaa/ understanding/summaiy/index.html.
     
      
      . Federal regulations dictate the specific form and content of the Notice of Privacy Practices that entities such as the defendants provide to customers. See 45 C.F.R. § 164.520.
     
      
      . At least one district court has found that similar allegations cannot give rise to injury-in-fact sufficient to confer even Article III standing. Low v. Linkedln Corp., No. 11-1468, 2011 WL 5509848, at *4-*5 (N.D.Cal. Nov. 11, 2011) (Koh, J.) (where defendant tracked the plaintiff's browsing data and sold it to third party data aggregators, allegations that the plaintiff was economically harmed by the practice were insufficient to show injury, absent a showing that "he was foreclosed from capitalizing on the value of his personal data”). But see Fraley v. Facebook, Inc., 830 F.Supp.2d 785, 798-800 (N.D.Cal.2011) (Koh, J.) (finding, unlike Low, that the plaintiffs had standing to assert an injury to their statutory right of publicity where they alleged the defendant "misappropriated] their names, photographs, and likenesses for use in paid commercial endorsements targeted not at themselves, but at other consumers, without their consent”).
     
      
      . The plaintiffs argue that Steinberg is not required to plead justifiable reliance because a fiduciary relationship existed between him and the defendants, entitling him to a presumption of reliance. Pis.’ Opp. 11-12; see also Hunt, 538 F.3d at 227 n. 17 (acknowledging this "narrow exception”). Steinberg has not pled facts giving rise to a fiduciary relationship between himself and the defendants. He only alleges that he filled prescriptions at a CVS retail pharmacy and that a fiduciary relationship arose upon the defendants’ receipt of confidential information. CAC ¶¶ 10, 62, 65. However, the mere receipt of confidential information, even by an agent, does not create a fiduciary relationship. See, e.g., Washington Steel Corp. v. TW Corp., 602 F.2d 594, 599 (3d Cir.1979), overrruled on other grounds, Clark v. K-Mart Corp., 979 F.2d 965 (3d Cir.1992). The burden of proof for establishing a fiduciary relationship is on the party asserting it. Kees v. Green, 365 Pa. 368, 75 A.2d 602, 603 (1950). The Court must reject the plaintiffs’ otherwise bare legal conclusion that a fiduciary relationship existed between the plaintiff and the defendant. See Twombly, 550 U.S. at 564, 127 S.Ct. 1955.
      The plaintiffs' additional argument that a fiduciary relationship existed as part of the defendants’ role as a "pharmacy benefits manager,” Pis.’ Opp. 11-12, is inapplicable here because only Steinberg brings a UTPCPL claim and the CAC does not allege that either defendant1 acted as his pharmacy benefits manager.
     
      
      . A Delaware Superior court case similarly found that where a consumer voluntarily disclosed prescription information to a pharmacy, she could not recover under an intrusion upon seclusion theory. That claim, as here, was premised expressly on the intentional dissemination of prescription information and not on its acquisition. See Fanean v. Rite Aid Corp. of Del., Inc., 984 A.2d 812, 827 (Del.Super.Ct.2009).
     