[BreachExchange] MDLive hit with class-action lawsuit over patient privacy issues

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 25 19:11:44 EDT 2017


http://medcitynews.com/2017/04/mdlive-hit-class-action-lawsuit-patient-privacy-issues/

MDLive, a Sunrise, Florida-based telehealth company, is facing a
class-action lawsuit over allegations it does not protect the privacy of
patients’ healthcare information.

The lawsuit was filed earlier this week in Florida federal court by
plaintiff Joan Richards, an MDLive user. One of Richards’ attorneys, Dillon
Brozyna, is with Edelson PC, a Chicago, Illinois-based firm.

Richards is seeking $5 million in damages.

The suit alleges MDLive takes screenshots during the first 15 minutes
patients use its app, during which they are prompted to enter their health
information. The suit claims MDLive takes an average of 60 screenshots
during that time period.

According to the complaint, MDLive then sends these screenshots to a
third-party tech company, Tel Aviv, Israel-based TestFairy, without notifying
patients. TestFairy tracks users’ experience and finds potential bugs
within the MDLive app.

“[TestFairy] is a company that promotes itself as doing user analytics,”
Christopher Dore, a partner at Edelson PC, told MedCity in a phone
interview. “But of course, by using it in this type of app, the data that’s
being captured is highly sensitive medical information and is then being
shown to potential app developers and other employees that should never
have access to this type of information.”

The suit also alleges patients’ information is accessible to certain MDLive
employees via an unrestricted database.

“Despite the sensitive nature of patients’ medical history, MDLive fails to
adequately secure or restrict access to the screenshots,” the complaint
reads. “Specifically, MDLive grants its own developers and/or designers
(and possibly third parties like TestFairy) unfettered access to patients’
medical history, without regard for whether those individuals require
access in order to provide and/or improve the healthcare services provided
by MDLive.”

MDLive did not respond to MedCity’s request for comment. However, an MDLive
spokesperson told FierceHealthcare:

"Protecting patient privacy and confidentiality is a top priority for
MDLIVE. We have confirmed that patient information is safe and we have
located no evidence of any breach of HIPAA. Our services, policies and
procedures are designed to keep personally identifiable information secure
and meet the strictest legal and regulatory standards. The claims of this
lawsuit are entirely without merit, and we will immediately seek its
dismissal."

This lawsuit also has broader implications for the field of telehealth.
“Consumers need to be wary and concerned and companies need to be much more
proactive in protecting information and informing consumers about what’s
happening with that information,” Dore told MedCity.