A class action lawsuit has been filed following an allegation claiming that telemedicine company MDLive violated the privacy of patients by releasing sensitive medical information to a third party without informing, or obtaining consent from, subscribednpatients.
App users are asked to enter in a range of sensitive information into the MDLive app during registration. However, the complainant alleges that, during the first 15 minutes of use the app takes an average of 60 screenshots. These screenshots are then sent to an Israeli company called Test Fairy, which conducts quality control tests for MDLive.
The class action lawsuit alleges that patients are not advised that their information is disclosed to a third-party company, and that all personal data entered into the app can be viewed by MDLive employees, despite the fact that there is no reason for those employees to be able to view this personal data.
Subscribers to the app enter their medical information during setup in order to locate local healthcare providers. The types of information entered by users includes sensitive data such as current health conditions, recent medical treatments, behavioral health histories, family medical histories and details of any allergies. According to the lawsuit, the screenshots are “covertly” distributed to Test Fairy “in near real time.”
The lawsuit suggests patients using the app are likely to make the assumption that their data will be kept private and that reasonable security measures will be employed to prevent any public disclosures. However, the lawsuit states that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”
The lawsuit was filed by the Illinois law firm Edelson PC with app subscriber Joan Richards named as the plaintiff. Typically, for a class action lawsuit to succeed, an unauthorized disclosure of medical information must result in harm being caused.
Edelson PC attorney Chris Dore stated, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”
MDLive claims that the class action lawsuit is “baseless,” saying that no data breach has occurred, HIPAA Rules have not been violated and any data entered into the app is secure. While data are disclosed to authorized third parties, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any data disclosed is only used for the purpose for which that disclosure is made.
MDLive is seeking to have the class action lawsuit dismissed.