Governance & Risk Management , Privacy , Standards, Regulations & Compliance

Telehealth App Vendor Files Motion to Dismiss Privacy Case

Experts: Consumers Need to Read Fine Print, Assess Privacy Risk
Telehealth App Vendor Files Motion to Dismiss Privacy Case

MDLive has filed a motion to dismiss a class action lawsuit that alleges the telehealth application vendor violated users' privacy by "secretly monitoring, collecting, and transmitting their usage of the app, and sharing it with a third-party vendor."

See Also: How Enterprise Browsers Enhance Security and Efficiency

In its motion to dismiss, filed in a Florida federal district court, MDLive says the lawsuit "falsely accuses MDLIVE of deception and contract breaches. The complaint also intimates that a widespread data breach occurred when, in fact, (even based on the allegations) no data breach - large or small - happened. Nor did an unauthorized disclosure occur."

The lawsuit filed on April 18 by lead plaintiff Joan Richards, a resident of Utah, alleges that MDLive, without notifying patients, programmed its telehealth app to transmit screenshots of consumers' personal and sensitive health information to an Israel-based tech company, TestFairy, that provides application performance testing on Android and iOS mobile apps.

"MDLive takes an average of 60 screenshots of a patient's screen," the lawsuit contends. "By design, the screenshots capture all the sensitive medical history information entered by the patient," including health conditions, medications, allergies, behavior health history and family history, according to the suit.

"Without notifying patients, MDLive programmed the app to transmit those screenshots to TestFairy ... [which] works to 'insert the necessary hooks to gather information' about an app's user experiences and to possibly identify bugs," the suit says.

Motion to Dismiss

In its motion to dismiss, however, MDLive notes: "At the heart of this case is the contract - MDLIVE's Terms of Use and incorporated Privacy Policy, the 'Terms of Use Contract.' But Richards ignores the Terms of Use Contract altogether, opting instead to allege non-existent contract terms and representations. Indeed, the Terms of Use Contract allows MDLIVE to share the limited information Richards allegedly provided with third-party contractors - who are under confidentiality obligations with MDLIVE - to assist MDLIVE in developing and improving its app."

MDLive's motion to dismiss also notes: "In light of her numerous citations to other materials on MDLIVE's website, Richards's failure to rely on the actual Terms of Use Contract available on that site, to which every user must affirmatively assent in order to gain access to MDLIVE, is ironic and telling. The reason for her avoidance of the contract is clear: MDLIVE's Terms of Use Contract exposes her lawsuit as baseless."

Attorney Dillon Brozyna of law firm Edelson PC, which is representing plaintiffs in the lawsuit, tells Information Security Media Group that the firm is working on a response to MDLive's motion to dismiss and declined to comment on the case.

Read the Fine Print

Some legal experts say the MDLive case spotlights regulatory gaps and other murky privacy and security issues related to the growing use of consumer health applications.

"Consumers are on their own to assess and interpret the privacy risks posed by disclosing information through these apps because many healthcare apps are not subject to government oversight or regulation," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "Consumers have to be diligent in understanding what information they are disclosing through the app, how it is being collected and what will be done with it."

Holtzman suggests that users research apps thoroughly before downloading. "Look to see if the app has a privacy policy and terms of use agreement. Look for answers to how is your sensitive health information collected, used and disclosed. Will the information be shared with third parties? Will it be stored, for how long and how will it be used."

Many consumers don't realize that developers and vendors offering products or services through the internet operate largely unregulated when it comes to how they approach the privacy and security of information that they collect about consumers, Holtzman adds. "Some voluntary industry self-regulation programs - TRUSTe, Better Business Bureau - are beginning to fill the void to help consumers identify sites and vendors who have pledged to safeguard consumer information."

Privacy attorney Kirk Nahra of the law firm Wiley Rein says the issue of MDLive's transmission of consumer data to Test Fairy involves the question of whether there is permission/disclosure about MDLive's use of a vendor. "That is a pretty benign issue. Vendors are used all the time, they are factored into most existing rules, and it isn't usually viewed as any kind of breach to use a [third-party] vendor."

Further, many privacy notices "won't really talk about that at all - or will have a general sentence that they will disclose to service providers with appropriate protections - usually contract terms," he notes. "That's reasonable and appropriate in context. If the vendor did something inappropriate, that is a different issue. But that doesn't seem to really be alleged here."

Although MDLive's privacy practices notice tells users that their personal information may be disclosed to "contractors, service providers and other third parties to support MDLive's business," that can be easily misinterpreted by consumers, contends attorney Steven Teppler of Abbott Law Group. "It's so broad you can drive a semi- truck through it."

Nahra says he expects to see "lots more of these cases, although I would expect that they will involve practices that are more troubling than the use of a [third-party] vendor. "

Help Available

To address potential regulatory issues, the Federal Trade Commission has created a web-based tool in conjunction with the Food and Drug Administration and Department of Health and Human Services' Office for Civil Rights and Office of the National Coordinator for Health IT to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.

"The guidance tool asks developers a series of questions about its function, the data it collects, and the services it provides to users," Holtzman says. "Based on the developer's answers to those questions, the guidance tool will point the app developer toward detailed information about federal laws that might apply to the app."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.