HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients.

App users are required to enter a range of sensitive information into the MDLive app; however, the complainant alleges that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are sent to an Israeli company called Test Fairy, which conducts quality control tests for MDLive.

The lawsuit alleges patients are not informed that their information is disclosed to a third-party company, and that all data entered into the app can be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data.

Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users include sensitive data such as health conditions, recent medical procedures, behavioral health histories, family medical histories and details of allergies. According to the lawsuit, the screenshots are “covertly” sent to Test Fairy “in near real time.”


The lawsuit suggests patients using the app are likely to assume their data will be kept confidential and that reasonable security measures will be employed to prevent disclosures. However, the lawsuit states that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”

The lawsuit was filed by the Illinois law firm Edelson PC with app user Joan Richards named as the plaintiff. Typically, for a lawsuit to succeed, an unauthorized disclosure of medical information must result in harm being caused.

Edelson PC attorney Chris Dore said, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”

MDLive says the lawsuit is “baseless,” that no data breach has occurred, HIPAA Rules have not been violated, and any data entered into the app is safe. While data are disclosed to authorized third parties, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any information disclosed is only used for the purpose for which that disclosure is made.

MDLive is seeking to have the lawsuit dismissed.

UPDATE: June 6, 2017: All claims made in the lawsuit have been voluntarily dismissed by the plaintiff.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.