Privacy Case Against Telehealth App Vendor DismissedLawsuit Alleged MDLive Unlawfully Shared Data with Another Vendor
A class action lawsuit alleging that a telehealth app vendor MDLive violated consumers' privacy by sharing health information with a third-party contractor has been voluntarily dismissed by the lead plaintiff.
The lawsuit filed on April 18 by Joan Richards, a resident of Utah, alleged that MDLive, without notifying patients, programmed its telehealth app to transmit screenshots of consumers' personal and sensitive health information to an Israel-based tech company, TestFairy, that provides application performance testing on Android and iOS mobile apps.
But in a notice of dismissal filed on June 2 in a Florida federal district court, Richards, through her attorney, voluntarily dismissed all claims in the lawsuit without prejudice, which means it could be reintroduced. On June 5, however, a federal judge dismissed the case with prejudice - or permanently.
MDLive in May had filed a motion to dismiss the case, arguing that the lawsuit "falsely accuses MDLive of deception and contract breaches. The complaint also intimates that a widespread data breach occurred when, in fact, (even based on the allegations) no data breach - large or small - happened. Nor did an unauthorized disclosure occur." (See Telehealth App Vendor Filed Motion to Dismiss Privacy Case.)
In a June 5 statement, MDLive announced the "successful resolution of a meritless privacy class action lawsuit filed against the company." The Sunrise, Florida-based vendor says no settlement payment or any other consideration was paid by MDLive or its management.
"The company has consistently maintained that patient information is safe and no HIPAA breach occurred, MDLive says.
"Privacy and patient confidentiality are at the heart of everything we do, and MDLive will continue to rigorously review and evolve our technology and processes to safeguard member information and build trust in the telehealth industry," said Scott Decker, CEO of MDLive in the statement.
Sharing Data with Contractors
Privacy attorney Kirk Nahra of the law firm Wiley Rein, who was not involved in the case, says the MDLive lawsuit appeared to be baseless because "the allegation seemed to be that it was somehow a violation of law or a breach of some kind to use a vendor. That just isn't the law," he says.
"Companies use vendors all the time. If the behavior is regulated - for example [under] HIPAA - those vendor contracts have specific requirements," he notes. "Otherwise, most companies tend to include appropriate restrictions on what the vendor can do. Generally, there is no prohibition on using vendors, and no requirement to disclose specifics about any vendors."
Because the MDLive suit "is such an unusual case - where there really wasn't anything 'wrong' - the main lesson would be to make sure you have appropriate restrictions for vendors in any contracts," Nahra says.
The lawsuit filed by Richards alleged that MDLive committed intrusion of privacy, breach of contract, fraud and other violations related to consumers who downloaded the company's telehealth app. Court documents note that although the app is free to download, patients pay $49 for a virtual doctor consult.
The complaint alleged that MDLive, without notifying patients, programmed its app to transmit screenshots of consumers' personal and sensitive health information to an overseas third-party Israel-based tech company, TestFairy, that provides application performance testing on Android and iOS mobile apps.
"MDLive takes an average of 60 screenshots of a patient's screen," the lawsuit says. "By design, the screenshots capture all the sensitive medical history information entered by the patient," including health conditions, medications, allergies, behavior health history and family history, according to the now-dismissed suit.
"Without notifying patients, MDLive programmed the app to transmit those screenshots to TestFairy ... [which] works to 'insert the necessary hooks to gather information' about an app's user experiences and to possibly identify bugs," the suit said.
The lawsuit claimed that MDLive secretly monitored, collected and transmitted consumers' usage of the MDLive App "by taking consecutive screenshots of patients' screens, which revealed specific details regarding their personal health and medical information."
However, MDLive's website indicates that MDLive may disclose personal information that the company collects "to contractors, service providers and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them."
Lessons to Learn
Privacy attorney David Holtzman, vice president of compliance of CynergisTek, says the dismissed case offers lessons.
"Consumers care about the privacy of their personal information and savvy health app vendors understand the importance of being clear with what is done with their data," he says. "It is important to bake good privacy and security safeguards into the development of your healthcare app. And, it is just as important to communicate to consumers in simple, easy-to-understand terms what personal information is collected and how it is shared. When consumers have confidence and trust in your data privacy and security practices they are less likely to file a lawsuit when there is a misunderstanding."
The Department of Health and Human Services' Office of the National Coordinator for Health IT has announced winners in its competition to create model privacy notice generators that produce a customizable notice for developers, Holtzman notes.
An attorney representing Richards in the lawsuit did not immediately respond to an ISMG request for comment on the dismissal.