- Allegations were recently filed against a telehealth provider, claiming that the company committed patient privacy violations and disclosed customer information to a third-party organization.
MDLive, Inc. is facing a class-action lawsuit filed by app user Joan Richards. The lawsuit states that an MDLive app asked individuals to enter sensitive health information, such as health conditions, allergies, behavioral health history, recent medical procedures, and family medical history.
The app then would take screen shots for the first 15 minutes that an individual used the app, according to the lawsuit.
“Although these screenshots contain patients’ sensitive and confidential health information, Defendant covertly transmits them to a third party without notifying patients and fails to restrict access to collected sensitive and confidential medical information to only those with a legitimate need to view that information (e.g., doctors and other medical providers),” the document explained.
The lawsuit also noted that the 15 minutes in which the screenshots are taken are also the exact amount of time that “MDLive purports it takes to set up an account and connect with a physician.”
In that time, MDLive takes an average of 60 screenshots of a patient’s screen, the lawsuit alleged. The screenshots are then sent to the Tel Aviv, Israel-based Test Fairy, which is a third-party tech company.
“Test Fairy works to ‘insert the necessary hooks to gather information’ about an app’s user experiences and to possibly identify bugs,” the lawsuit stated. “TestFairy claims that by directly tracking user interactions within an app, it can eliminate the need to obtain feedback from beta testers (e.g., users who test the functionality of an app before it’s released) which tend to be a “mixed bag” in terms of quality.”
Test Fairy is not a healthcare provider, the lawsuit noted. MDLive patients were also not aware that their medical information would be sent to the tech company “in near real time.”
“MDLive does not disclose to patients that it captures screenshots of medical information or that it transmits screenshots to TestFairy,” the document explained. “Nor does MDLive provide any justification for the wholesale disclosure of patients’ medical information to TestFairy (likely because screenshots of patients entering medical information offers little to no value in ensuring proper app functionality or bug testing).”
Individuals provide their information to MDLive to find necessary healthcare services and “reasonably expect that MDLive will use adequate security measures.” This includes utilizing data encryption and restricted permissions.
“Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties,” the lawsuit stated.
MDLive posted a statement on its website on April 24, 2017, in response to what it called a “baseless” lawsuit.
There was no data breach, and MDLive remains in compliance with all applicable privacy laws, the company explained. It also dismissed the claim that patient data was shared with a third party, and said that “authorized third parties are bound by contractual obligations and applicable laws.”
Third parties keep personal information safe and “use it only for the purposes for which we disclose it to them.”
“We have confirmed that patient information is safe, and there was no data breach or HIPAA violation,” MDLive maintained. “The claims of this lawsuit are misleading and entirely without merit. MDLIVE is seeking immediate dismissal of the lawsuit. The lawsuit has no impact on our day-to-day business or our focus on our customers.”
MDLive CEO Scott Decker explained in his own statement that the recent allegations against the MDLive app are meritless, and that patient privacy and confidentiality is a top priority for the company.
“Our services, policies and procedures are designed to keep personally identifiable information secure and meet the strictest legal and regulatory standards,” Decker said. “The claims of this lawsuit are entirely without merit, and we will immediately seek its dismissal.”