Claims that telemedicine company MDLive violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining official consent from patients have resulted in a class action lawsuit has being filed.
App users must enter in a range of private information into the MDLive app; however, the complainant claims that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are transmitted to an Israeli company called Test Fairy, which carries out quality control tests for MDLive.
The lawsuit claims patients are not told that their information is disclosed to a third-party company, and that all data entered into the app can be seen by MDLive employees, even though there is no valid reason for those members of staff to have access to the data.
Subscribers to the app enter their medical data during registration in order to find local healthcare suppliers. The types of information entered by users includes sensitive data such as known health conditions, recent medical procedures, behavioral health histories, family medical histories and specific details of allergies. According to the lawsuit, the screenshots are “covertly” transmitted to Test Fairy “in near real time.”
The lawsuit alleges subscribers using the app are likely to believe their data will be kept confidential and that reasonable security procedures will be employed to stop disclosures. However, the filed lawsuit makes the claim that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”
The lawsuit was f by submitted by the Illinois law firm Edelson PC with app subscriber Joan Richards named as the plaintiff. Typically, for a lawsuit to succeed, an unauthorized disclosure of private medical information must lead to harm being caused.
Edelson PC attorney Chris Dore stated, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”
MDLive says the lawsuit is “baseless,” that no data breach has happened, HIPAA Rules have not been breached, and any data entered into the app is secure. While data are disclosed to authorized third party companies, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any data accessed is only used for the purpose that disclosure is made.
MDLive is seeking to have the lawsuit thrown out.
UPDATE: June 6, 2017: All claims filed in the lawsuit have been voluntarily dismissed by the plaintiff.