A class action was filed in Fort Lauderdale, Florida, this week against a national telehealth provider, MDLive Inc. (MDLive), for its mobile app’s alleged secret capture of screenshots containing sensitive patient information without restricting access to medical providers who have a legitimate need to view the information. The lawsuit was filed by Utah resident Joan Richards, who is seeking certification of a class that she estimates will include thousands of other MDLive users, and more than $5 million in damages.
In Richards’ complaint, she alleges, “Patients provide their medical information to MDLive in order to obtain health care services and reasonably expect that MDLive will use adequate security measures, including encryption and restricted permissions, to transmit patients’ medical information to treating physicians [. . .] Contrary to those expectations, MDLive fails to adequately restrict access to patient’s medical information and instead grants unnecessary and broad permissions to its employees, agents and third parties.” Richards’ complaint further alleges that MDLive programmed its app to capture an average of 60 screenshots during the first 15 minutes that the app is open on a user’s device. This is the same amount of time it takes a new user to register for an account, enter their medical history and connect with a doctor. During this timeframe, the app also prompts the user to enter sensitive information such as details about allergies, past medical procedures and behavioral health history, including conditions such as obsessive compulsive disorder, bipolar disorder, schizophrenia, depression and substance abuse.
Richards’ complaint also states that MDLive sends these screenshots to TestFairy, a third-party technology company based in Tel Aviv, Israel, that works with MDLive to “insert the necessary hooks to gather information” about the user’s experiences with the app to improve the app and detect bugs. However, Richards’ concern is that TestFairy is not a health care provider and MDLive patient users have not been informed that MDLive intends to send their medical information to TestFairy in near real time.
The class action includes claims for breach of contract, intrusion upon seclusion, fraud, unjust enrichment, violation of the Utah Truth in Advertising law, and violation of the Utah Consumer Sales Practices Act.
This post is also being shared on our Data Privacy + Security Insider blog.