Telehealth App Vendor Files Motion to Dismiss Privacy Case
Experts: Consumers Need to Read Fine Print, Assess Privacy Risk
MDLive has filed a motion to dismiss a class action lawsuit that alleges the telehealth application vendor violated users’ privacy by “secretly monitoring, collecting, and transmitting their usage of the app, and sharing it with a third-party vendor.”
In its motion to dismiss, filed in a Florida federal district court, MDLive says the lawsuit “falsely accuses MDLIVE of deception and contract breaches. The complaint also intimates that a widespread data breach occurred when, in fact, (even based on the allegations) no data breach – large or small – happened. Nor did an unauthorized disclosure occur.”
The lawsuit filed on April 18 by lead plaintiff Joan Richards, a resident of Utah, alleges that MDLive, without notifying patients, programmed its telehealth app to transmit screenshots of consumers’ personal and sensitive health information to an Israel-based tech company, TestFairy, that provides application performance testing on Android and iOS mobile apps.
“MDLive takes an average of 60 screenshots of a patient’s screen,” the lawsuit contends. “By design, the screenshots capture all the sensitive medical history information entered by the patient,” including health conditions, medications, allergies, behavioral health history and family history, according to the suit.
“Without notifying patients, MDLive programmed the app to transmit those screenshots to TestFairy … [which] works to ‘insert the necessary hooks to gather information’ about an app’s user experiences and to possibly identify bugs,” the suit says.
Motion to Dismiss
Attorney Dillon Brozyna of law firm Edelson PC, which is representing plaintiffs in the lawsuit, tells Information Security Media Group that the firm is working on a response to MDLive’s motion to dismiss and declined to comment on the case.
Read the Fine Print
Some legal experts say the MDLive case spotlights regulatory gaps and other murky privacy and security issues related to the growing use of consumer health applications.
“Consumers are on their own to assess and interpret the privacy risks posed by disclosing information through these apps because many healthcare apps are not subject to government oversight or regulation,” says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. “Consumers have to be diligent in understanding what information they are disclosing through the app, how it is being collected and what will be done with it.”
Many consumers don’t realize that developers and vendors offering products or services through the internet operate largely unregulated when it comes to how they approach the privacy and security of information that they collect about consumers, Holtzman adds. “Some voluntary industry self-regulation programs – TRUSTe, Better Business Bureau – are beginning to fill the void to help consumers identify sites and vendors who have pledged to safeguard consumer information.”
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the issue of MDLive’s transmission of consumer data to TestFairy involves the question of whether there is permission/disclosure about MDLive’s use of a vendor. “That is a pretty benign issue. Vendors are used all the time, they are factored into most existing rules, and it isn’t usually viewed as any kind of breach to use a [third-party] vendor.”
Further, many privacy notices “won’t really talk about that at all – or will have a general sentence that they will disclose to service providers with appropriate protections – usually contract terms,” he notes. “That’s reasonable and appropriate in context. If the vendor did something inappropriate, that is a different issue. But that doesn’t seem to really be alleged here.”
Although MDLive’s privacy practices notice tells users that their personal information may be disclosed to “contractors, service providers and other third parties to support MDLive’s business,” that can be easily misinterpreted by consumers, contends attorney Steven Teppler of Abbott Law Group. “It’s so broad you can drive a semi-truck through it.”
Nahra says he expects to see “lots more of these cases, although I would expect that they will involve practices that are more troubling than the use of a [third-party] vendor.”
To address potential regulatory issues, the Federal Trade Commission has created a web-based tool in conjunction with the Food and Drug Administration and Department of Health and Human Services’ Office for Civil Rights and Office of the National Coordinator for Health IT to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.
“The guidance tool asks developers a series of questions about its function, the data it collects, and the services it provides to users,” Holtzman says. “Based on the developer’s answers to those questions, the guidance tool will point the app developer toward detailed information about federal laws that might apply to the app.”
Source: SANS ISC SecNewsFeed @ May 4, 2017 at 03:48PM