June 07, 2017 – The plaintiff in a patient data privacy lawsuit filed against MDLive, Inc. voluntarily dismissed the suit on June 2, 2017, according to a press release.
Joan Richards had filed the class-action lawsuit, claiming that an MDLive app asked individuals to enter sensitive health information, such as health conditions, allergies, behavioral health history, recent medical procedures, and family medical history.
The app would allegedly take screenshots for the first 15 minutes that an individual used the app.
“Although these screenshots contain patients’ sensitive and confidential health information, Defendant covertly transmits them to a third party without notifying patients and fails to restrict access to collected sensitive and confidential medical information to only those with a legitimate need to view that information (e.g., doctors and other medical providers),” the lawsuit stated.
The screenshots were then sent to the third party TestFairy, a tech company based in Tel Aviv, Israel, according to the lawsuit.
“MDLive does not disclose to patients that it captures screenshots of medical information or that it transmits screenshots to TestFairy,” stated the lawsuit. “Nor does MDLive provide any justification for the wholesale disclosure of patients’ medical information to TestFairy (likely because screenshots of patients entering medical information offers little to no value in ensuring proper app functionality or bug testing).”
Individuals “reasonably expect that MDLive will use adequate security measures,” the document maintained, adding that TestFairy is not a healthcare provider.
“Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”
MDLive explained in its statement that there was no settlement payment or any other consideration payment made in the case dismissal.
“Privacy and patient confidentiality are at the heart of everything we do, and MDLIVE will continue to rigorously review and evolve our technology and processes to safeguard member information and build trust in the telehealth industry,” MDLive CEO Scott Decker said. “We are thrilled this lawsuit was appropriately dismissed as we continue pursuing MDLIVE’s goal of enabling 24/7/365 access to affordable virtual healthcare for consumers, employers, health plans and health systems across the US.”
MDLive consistently maintained that it had never compromised patient privacy and that no HIPAA data breach occurred.
The company called the lawsuit “baseless” in a statement posted to its website in April 2017. MDLive added that “authorized third parties are bound by contractual obligations and applicable laws,” and that third parties only use personal information “for the purposes for which we disclose it to them.”
“We have confirmed that patient information is safe, and there was no data breach or HIPAA violation,” MDLive said on its website. “The claims of this lawsuit are misleading and entirely without merit. MDLIVE is seeking immediate dismissal of the lawsuit. The lawsuit has no impact on our day-to-day business or our focus on our customers.”
It can be exceedingly difficult to prove fault in healthcare data breach lawsuits, but privacy expectations also need to be properly understood.
LeClairRyan Partner Chad Mandell stressed both of these points in a March 2017 blog post. Mandell explained that proving proper legal standing is tricky “and class certification remains an obstacle that has yet to be successfully overcome.”
Not all internet users follow smart security and privacy practices, and failing to “opt out” of certain invasive requests could also cause information to be compromised, he added.
“No organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised,” Mandell wrote. “Thus, it is reasonable to ask whether alleged damages in a data-breach case truly can be traced to a given hack of a particular company or whether they stem from a prior breach or multiple prior breaches of the plaintiff’s own computer.”