MDLive faces class action suit over alleged data privacy breach

By Jonah Comstock

An Illinois-based law firm has filed a class action lawsuit against telemedicine company MDLive, alleging that the company takes screenshots of sensitive patient health information and sends them to TestFairy, an Israeli company that does quality control on apps, and that this is a violation of patient privacy. MDLive, for its part, denies that there's anything improper about its procedures.

The suit alleges that, as a quality control measure, MDLive takes up to 60 screenshots during the first 15 minutes of use of its mobile app -- time during which patients are filling out their medical histories. These screenshots, which can contain medical histories, are sent to TestFairy and can also be viewed by MDLive employees who have no medical reason to have access to patients' records.

"Our complaint alleges that the harm is complete at the point that this information is collected without permission and being used in the manner we allege it’s being used," Chris Dore, an attorney at Edelson PC, the Illinois-based law firm that filed the suit, told MobiHealthNews. "The exposure of personal medical information is itself harm. These consumers pay for this service and they rely on the fact that their information is going to be secure, and we alleged they didn't get the benefit of the bargain."

Edelson PC is a law firm that's somewhat notorious in Silicon Valley for filing lawsuits related to privacy and security. In the past, it's taken on Google, Facebook, Apple, Amazon, and Netflix as well as many smaller companies. According to a feature on the firm that the New York Times ran in 2015, Edelson sees itself as a sort of private AG, suing companies to defend consumers and promote better behavior from the tech sector. Its detractors in the Valley, on the other hand, consider it to be out for self-enrichment at the expense of well-to-do tech companies.

For its part, MDLive released both a statement and a fact sheet saying the allegations are baseless, MDLive takes privacy very seriously, and the company is filing a motion to dismiss the case.

"Protecting patient privacy and confidentiality is a top priority for MDLive," the company told MobiHealthNews in an email. "We have confirmed that patient information is safe and no HIPAA breach occurred. Our services, policies and procedures are designed to keep personally identifiable information secure and meet the strictest legal and regulatory standards. The claims of this lawsuit are entirely without merit, and we will immediately seek its dismissal."

Reading between the lines, the fact sheet seems to suggest that TestFairy and MDLive have a HIPAA business associate agreement, which would make any data sharing that occurred less of a concern, legally speaking. Furthermore, MDLive says that TestFairy "has no access to patient information that arises from patient-physician consultations." Of course, that language is carefully chosen: Patient histories, filled out before the consultation takes place, wouldn't constitute "information that arises from patient-physician consultations" but could still be considered sensitive medical information.

There are a number of hurdles to get over before the suit can get anywhere. If MDLive's motion to dismiss fails, there will be a discovery period and then a class certification process before the case can go to trial.