Legal News

Republicans and Democrats Introduce Bills to Improve Consumer Privacy Protections

Posted by Steve Alder

In the absence of a federal privacy law, it is left to individual states to introduce consumer privacy laws and ensure that companies that collect, process, and sell personal data are adequately protecting that information. While attempts to pass a federal data privacy bill have stalled, Republican and Democratic lawmakers are continuing to push for greater privacy protections for consumers.

Congresswoman Anna Paulina Luna Introduces U.S. Data on U.S. Soil Act

Congresswoman Anna Paulina Luna (R-FL) recently introduced the U.S. Data on U.S. Soil Act, to protect the data security of Americans and prevent their personal information from being exploited by foreign adversaries. It is no secret that foreign countries are attempting to collect and use the personal data of U.S. citizens. In March 2023, the House Committee on Energy and Commerce explored the role that social media, and specifically TikTok, plays in data collection and how the Chinese Communist Party has access to the data of U.S. citizens that is collected by TikTok, through TikTiok’s parent company, ByteDance.

The European Union has a comprehensive data privacy and protection law, the General Data Protection Regulation (GDPR), which protects the rights of individuals and limits the data that can be collected and used by companies such as TikTok, but there is currently no comparable federal privacy and data protection law in the United States, only a patchwork of laws introduced by individual states.

“Americans daily face the threat of exposing their personal data to bad-actor countries who are looking for a chance to exploit us, simply by opening our phones,” said Luna. “The protections in my bill are long overdue. A military leader would never hand over his tactics and intelligence to the enemy on a silver platter, and neither should we. My bill would make sure our adversaries can’t have a free-for-all with our personal lives, national security, and strength as a country.”

The U.S. Data on U.S. Soil Act seeks to prohibit companies such as TikTok from storing the data of any U.S. national in a physical data center that is located within a foreign adversary, including China, Cuba, Iran, North Korea, Russia, and Venezuela. The bill also seeks to prevent government officials in foreign adversary countries from accessing covered data. The bill would set a national minimum standard for data privacy and would not pre-empt state law, ensuring that individual states could implement more stringent data privacy protections. The bill would seek penalties of $50,120 per violation under the Unfair or Deceptive Act under the Federal Trade Commission Act. The bill, which currently has no companion Senate bill, was co-sponsored by Reps. Mary Miller (R-IL), Ralph Norman (R-SC), and George Santos (R-NY)

Democratic Senator Reintroduces Three Data Privacy Bills

U.S. Sen. Catherine Cortez Masto (D-NV) has recently reintroduced three bills that aim at strengthening consumer data privacy protections. The first bill, The DATA Privacy Act, is concerned with improving privacy protections for consumers and ensuring that large tech firms implement data security and privacy protections. The bill would give consumers the right to request, dispute the accuracy, and transfer or delete their personal data without retribution. All data collection, processing, storage, and disclosure would require three standards to be met:

  • The data collected must be reasonable, and for a legitimate business or operational purpose that is contextual and does not subject an individual to unreasonable privacy risk.
  • The data must not be used in a discriminatory way.
  • And businesses must not engage in deceptive data practices.

The DATA Privacy Act would give new authority to state Attorneys General and the Federal Trade Commission (FTC) to impose civil penalties for violations.

Sen Cortez Mastro, along with Sen. Deb Fischer (R-Neb.), reintroduced The Promoting Digital Privacy Technologies Act, which requires the National Science Foundation (NSF) to support research into privacy-enhancing technologies (PET) to help protect consumer data. The bill also calls for the National Institute of Standards and Technology (NIST) to work with academic, public, and private sectors to establish standards for the integration of PET into business and government.

The third bill, like the U.S. Data on U.S. Soil Act, takes aim at the collection, access, and use of consumer data by foreign adversaries, specifically China. The Internet App ID Act aims to improve the digital security of Americans by requiring operators of Internet websites and mobile applications to disclose if the applications being used by consumers have been developed or store data within China, or are under the control of the Chinese Communist Party.

“Big technology companies are collecting massive amounts of Americans’ personal information, from social security numbers to health care data. It’s clear we need stronger privacy laws to make sure this information isn’t shared or sold without consumers’ permission,” said Sen. Cortez Masto. “My bills will hold corporations and foreign actors accountable, protect the data privacy of vulnerable consumers, and ensure that our emerging AI and other innovative technology industries grow responsibly.”

The post Republicans and Democrats Introduce Bills to Improve Consumer Privacy Protections appeared first on HIPAA Journal.

St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid a $80,000 financial penalty to resolve the alleged HIPAA violations.

The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purpose of treatment, payment, and healthcare operations but other disclosures of PHI are generally prohibited unless authorization is obtained from a patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, pursuant to the publication of an article in the media by a reporter from the Associated Press (AP). Based on the information in the article it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures. St. Joseph’s Medical Center will also be monitored by OCR for compliance for 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first.”

Disclosures of PHI in Response to Media Enquires

When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits notifications to individuals who inquire about a patient or the patient’s general condition and location in the facility.

In such cases, disclosure of PHI is permitted if it is consistent with the patient’s wishes and the patient is asked for by name. All that can be disclosed is “facility directory information.” The patient’s name may be disclosed along with the individual’s location within the facility, provided the location does not disclose information about the patient’s treatment, e.g., labor & delivery, and their condition in general terms. i.e., stable, fair, or critical. All other disclosures of PHI can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.

The post St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter appeared first on HIPAA Journal.

IT Security Company COO Pleads Guilty to Conducting Cyberattack to Win Business

Posted by Steve Alder

The Chief Operating Officer (COO) of the Atlanta cybersecurity firm Securolytics has pled guilty to one count of intentional damage to a protected computer after masterminding a series of attacks on Gwinnett Medical Center in Georgia in an attempt to win new business.

Vikas Singla was indicted by a federal grand jury on June 8, 2021, for a series of attacks on Gwinnett Medical Center in Duluth and Lawrenceville, GA. The September 2018 attacks disrupted the medical center’s phone and network printer services, data was stolen from a Hologic R2 digitizing device, and the attacks resulted in damage being caused to 10 protected computers. According to the indictment, Singla was aided and abetted by other (unnamed) individuals in attacks that were conducted for financial gain and commercial advantage. Singla was charged with 17 counts of causing damage to a protected computer and one count of information theft and faced a maximum jail term of 10 years for each of the damaging a protected computer counts and a maximum of 5 years in jail for the theft of data count. Singla initially entered a not guilty plea and was released on bond while he awaited his trial. An Atlanta magistrate judge recommended dismissing the criminal charges against Singla; however, in March 2023, a federal judge rejected those recommendations. Singla’s attorneys then negotiated a plea deal under which Singla would agree to plead guilty to one count of intentional damage to a protected computer.

Singla admitted to sending a command on September 27, 2018, that resulted in the modification of a configuration template on the ASCOM phone system of the Gwinnett Medical Center campus in Duluth. The command rendered all phones connected to the system at the time of the transmission inoperable, and more than 200 ASCOM handset devices were taken offline. The phone system was used internally by doctors, nurses, and other staff members for communication, including code blue emergencies, and the ASCOM devices were also used for external communications.

Also on September 27, 2023, the protected health information of 300 patients was stolen from a password-protected Hologic R2 digitizing device, including names, dates of birth, and gender. The same day, Singla sent a command to more than 200 network printers, which caused them to print out patient data obtained from the digitizer, along with the message “WE OWN YOU.” The printers were used by the hospitals in connection with patient care.

A few days after the attack, Singla caused a Twitter account to post 43 messages claiming that the Medical Center had suffered a cyberattack, with each of those messages containing the name, date of birth, and sex of a patient obtained from the digitizing device. In the days that followed, Singla attempted to create and use publicity about the attack to generate business for his company and emailed several potential clients offering them the services of Securolytics. The attacks resulted in financial harm of $817,804.12 to Gwinnett Medical Center.

According to Singla’s attorneys, incarcerating him would interfere with medical care for a rare case of terminal cancer and a dangerous vascular condition. Under the plea deal, the Department of Justice will recommend 57 months of probation, which will include home detention, and Singla has agreed to pay restitution of $817,804.12 to the medical center. The plea deal means Singla has given up his right to enter a not guilty plea and have a jury trial. The judge can impose a maximum term of 10 years imprisonment for the count of causing damage to a protected computer followed by up to 3 years of supervised release. In addition, a fine can be imposed for up to twice the loss in addition to full restitution.

Singla is due to be sentenced on February 15, 2024.

The post IT Security Company COO Pleads Guilty to Conducting Cyberattack to Win Business appeared first on HIPAA Journal.

Stricter Cybersecurity Regulations Proposed for New York Hospitals

Posted by Steve Alder

New York has proposed tighter cybersecurity regulations for hospitals throughout New York State in response to a series of crippling attacks that have caused disruption to healthcare services, delays to patient care, and have put patient safety at risk.

Governor Kathy Hochul announced the proposed measures on Monday, which are expected to be published in the State Register on December 6, 2023, provided they are adopted by the Public Health and Health Planning Council this week. The new cybersecurity requirements will then undergo a 60-day public comment period, which will end on February 5, 2033. When the new regulations are finalized, hospitals will be given a 1-year grace period to ensure full compliance.

The proposed regulations include the requirement for New York hospitals to appoint a Chief Information Security Officer if they have not done so already, implement defensive infrastructure and cybersecurity tools including multifactor authentication, and conduct regular risk analyses to identify cyber risks. Any in-house applications must be developed using secure software design principles, and processes must be developed and implemented for testing the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that care can continue to be provided to patients in the event of a cyberattack.

New York hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement the HIPAA Security Rule and include similar requirements, but while the HIPAA Security Rule is largely technology agnostic, the proposed regulations in New York include specific measures that hospitals must implement. “Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

There has been a massive increase in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently announced there has been a 77% in hacking incidents in 2023 and a 278% increase in ransomware attacks over the past 4 years. While reported data breaches of 500 or more records are down slightly from 2022, more than 79 million healthcare records have been exposed in those attacks – almost twice the number of compromised records in 2022.

These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their systems and that more needs to be done to improve cybersecurity than complying with the HIPAA Security Rule. There are often competing priorities in healthcare, and while investment in cybersecurity has increased, some hospitals have struggled to find the necessary funding to improve cybersecurity. To help ease the financial burden, Governor Hochul’s FY24 budget includes $500 million in funding for healthcare facilities to enable them to upgrade their technology systems to comply with the proposed regulations and pay for necessary cybersecurity tools, electronic health records, advanced clinical technologies, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said New York State Chief Information Officer Dru Rai. “We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”

The post Stricter Cybersecurity Regulations Proposed for New York Hospitals appeared first on HIPAA Journal.

Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach

Posted by Steve Alder

Postmeds, Inc., a company that does business as Truepill and fulfills mail order prescriptions for pharmacies, has recently announced that it has suffered a massive data breach that has affected 2,364,359 individuals. According to the company’s breach notice, an unauthorized third party gained access to files used for pharmacy management and fulfillment services. The forensic investigation confirmed the unauthorized access occurred between August 30, 2023, and September 1, 2023, and the exposed files were found to contain information such as names, medication types, and, for certain patients, demographic information and prescribing physician names. Highly sensitive information such as Social Security numbers were not compromised, as Postmeds does not receive that information.

Postmeds said it has enhanced its security protocols and technical safeguards in response to the incident and has provided its workforce with additional cybersecurity training to raise awareness of cybersecurity threats. Affected individuals started to be notified about the breach by mail on October 30, 2023.

A breach of this magnitude was certain to result in class action lawsuits, the first of which has already been filed in the U.S. District Court for the Northern District of California. The lawsuit, Rossi, et al. v. Postmeds Inc. d/b/a Truepill, names John Rossi, Michael Thomas, and Marissa Porter as plaintiffs, who are represented by attorneys Kyle McLean, Mason Barney, and Tyler Bean of Siri and Glimstad LLP. The lawsuit alleges Truepill failed to implement appropriate systems to prevent unauthorized access to patient data. The lawsuit claims the plaintiffs and class members have been placed at significant risk of identity theft and other forms of personal, social, and financial harm, and that the elevated risks will be present for a lifetime.

Class action lawsuits are commonly filed after healthcare data breaches and seek damages due to negligence, breach of contract, and invasion of privacy. It is not sufficient to allege violations of federal or state laws, as a concrete injury must have been caused as a result of those violations for the lawsuit to be granted standing.

The post Postmeds & Truepill Sued Over 2.3 Million-Record Data Breach appeared first on HIPAA Journal.

Costco Pharmacy Patients Sue for Website Tracking Technology Disclosures of PHI to Third Parties

Posted by Steve Alder

Costco is one of the latest companies to be sued over the use of website tracking technologies. Many retailers use tracking code on their websites such as Meta Pixel and Google Analytics to gain information about the interactions of website visitors. These tools provide valuable information that can be used to improve websites and increase sales. The data collected by these tools is sent to the providers of the code, and in some cases, may be used to serve targeted advertisements.

Two lawsuits have recently been filed against Costco Wholesale over the use of these trackers on the Costco Pharmacy pages of the Costco website, which has allegedly impermissibly disclosed information protected under the Health Insurance Portability and Accountability Act (HIPAA).  Both lawsuits claim that Costco encourages patients and prospective patients to use its pharmacy webpages, communicate about their prescriptions, conduct research on medications, order new prescriptions, request refills for current medications, inquire about specific immunizations, search for local Medicare supplemental insurance, and sign up for its Rx mail order program.

However, unbeknown to website visitors, their activities are being tracked and their sensitive data is being transferred to third parties. The information transferred is tied to individuals by identifiers such as their IP address and Facebook ID and allows the third parties to infer that an individual is being treated for a specific type of medical condition such as cancer, pregnancy, HIV, mental health conditions, and they may be serviced targeted advertisements based on that information. Both lawsuits were filed in the U.S. District Court for the Western District of Washington at Seattle (R.S. v. Costco Wholesale Corporation and Castillo et al v Costco Wholesale Corporation). The lawsuits make similar claims, that the use of the tracking code without obtaining consent violates HIPAA, the Federal Trade Commission (FTC) Act, and federal and state wiretapping laws.

As a pharmacy operator, Costo is a HIPAA-covered entity and is required to comply with the HIPAA Rules. In December 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on HIPAA and website tracking technologies, prohibiting the use of these tools unless consent was obtained – in the form of a HIPAA-compliant authorization – or a business associate agreement was in place with the providers of these tools. Most providers of tracking technologies do not sign business associate agreements. The FTC has taken action against non-HIPAA-covered entities that have used tracking code on websites that collects and discloses health data for violations of the FTC Act. The FTC and OCR jointly sent letters to 130 entities this year warning them about the use of tracking tools on their websites and the compliance risks associated with these tools. The guidance issued by OCR makes it clear that the use of these tools violates HIPAA; however, that position is being challenged by the American Hospital Association and others who recently filed a lawsuit against the Secretary of the HHS and the Director of OCR that seek confirmation from the court that the guidance is unlawful and to prevent OCR from ever enforcing it.

The two lawsuits seek class action certification, a jury trial, financial damages for the imminent and ongoing harm caused, and injunctive relief prohibiting Costco from using these tools and engaging in further unlawful behavior. These are just two of many lawsuits that have been filed against healthcare organizations and Meta over these tracking tools, which have disclosed the data of tens of millions of individuals to third parties without consent. Recently, Advocate Aurora Health settled its Pixel-related class action lawsuit for $12.225 million.

Plaintiffs and class members in the R.S. v. Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC, and Gary M. Klinger, Alexandra M. Honeycutt & Glen L. Abramson of Milberg Coleman Bryson Phillips Grossman PLLC. Plaintiffs and class members in the Castillo et al v Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC and Ryan J. Ellersick and Hart L. Robinovitch of Zimmerman Reed LLP.

The post Costco Pharmacy Patients Sue for Website Tracking Technology Disclosures of PHI to Third Parties appeared first on HIPAA Journal.

New York AG Settles Data Breach Investigation of U.S. Radiology Specialists for $450,000

Posted by Steve Alder

New York Attorney General, Letitia James, has announced a $450,000 settlement with U.S. Radiology Specialists Inc. to resolve allegations it failed to protect patients’ personal and health information. U.S. Radiology Specialists is one of the largest private radiology groups in the country and acts as a service provider for healthcare facilities throughout the United States. It also partners with other radiology groups, including the Windsong Radiology Group, which operates 6 facilities in Western New York. Windsong, like other partner companies, relies on U.S. Radiology Specialists for numerous services, including network management and protection. The Office of the Attorney General of the State of New York opened an investigation of U.S. Radiology Specialists into a large data breach that was reported in 2021 to determine whether it was caused by a failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) and state laws.

U.S. Radiology Specialists protected the networks of its partners with a SonicWall firewall. On January 22, 2021, SonicWall alerted its customers about a coordinated cyberattack on its internal systems. Highly capable threat actors were thought to have exploited a zero-day vulnerability in SonicWall products that are used for remote access. A few days later on January 31, 2021, researchers at NCC Group identified the likely vulnerability and SonicWall issued a patch three days later.

U.S. Radiology Specialists used SonicWall hardware that was approaching end-of-life and, as a result, SonicWall did not provide a patch that could be applied to its hardware. The hardware needed to be upgraded before the patch could be applied to fix the vulnerability. Even though the vulnerability was known to have been exploited in attacks on SonicWall customers, U.S. Radiology Specialists scheduled the hardware upgrade for July 2021, and the hardware replacement project was then delayed due to competing priorities and resource restraints.

On December 8, 2021, an unauthorized individual gained access to US Radiology’s SonicWall device with valid credentials, accessed the VPN, and then leveraged 101 additional credentials to access various network data folders over the following week. While the investigation into the breach did not confirm how the credentials were stolen, the SQL injection vulnerability identified by NCC Group and patched by SonicWall could have been exploited to obtain the necessary credentials to access the SonicWall VPN.

The third-party investigation of the attack was complicated and required extensive analysis and took until August 2022 to complete. The investigation confirmed that the threat actor gained access to the protected health information (PHI) of 198,260 patients, including 92,540 Windsong patients who were New York residents, and it was confirmed that sensitive data had been exfiltrated by the attackers. The PHI that was exposed in the attack included names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and health insurance ID numbers, as well as the private information of 82,478 New Yorkers, which included names, driver’s license numbers, passport numbers, and Social Security numbers.

The New York Attorney General’s Office determined that U.S. Radiology Specialists had failed to adopt reasonable and appropriate data security practices to protect patient information when it failed to address a known vulnerability in a reasonable time frame. The investigation was settled with no admission of liability and U.S. Radiology Specialists agreed to pay a $450,000 financial penalty, update its IT infrastructure, ensure its networks are secured, update its data security policies, and implement and maintain a comprehensive information security program.

“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”

The New York Attorney General has imposed financial penalties on several organizations over the past few months for data security failures. Personal Touch recently settled alleged HIPAA and state law violations for $350,000, the New York Attorney General participated in a multi-state investigation of Blackbaud and received a share of the $49.5 million settlement, and PracticeFirst Medical Management Solutions settled its investigation with the New York AG and paid a $550,000 penalty.

The post New York AG Settles Data Breach Investigation of U.S. Radiology Specialists for $450,000 appeared first on HIPAA Journal.

Federal Judge Unseals FTC Amended Complaint Against Kochava

Posted by Steve Alder

On Friday, an Idaho federal court unsealed a Federal Trade Commission (FTC) amended complaint against the Idaho-based data broker Kochava, which the FTC alleges collected and disclosed enormous amounts of sensitive consumer data in violation of federal law.

The FTC filed its first complaint against Kochava in August 2022, which alleged Kochava was acquiring consumers’ precise geolocation data and was selling the data in a format that allowed entities to track consumers’ movements to and from sensitive locations, including but not limited to, medical centers, reproductive healthcare facilities, places of worship, mental health facilities, temporary shelters such as centers for survivors of domestic violence, and other sensitive locations, such as addiction recovery centers.

The FTC said Kochava sold access to its data feeds on online data marketplaces that are publicly accessible. Customers who pay a monthly subscription fee can access its location data feed, and a free sample containing a subset of the data feed was available free of charge, with minimal requirements for accessing the sample and no restrictions on usage. The FTC alleged that Kochava’s business practices cause and are likely to cause substantial injury to consumers, such as allowing individuals to be located who had visited abortion clinics.

The FTC alleged Kochava’s business practices violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce. Acts or practices under Section 5 of the FTC Act are unfair if they cause or are likely to cause substantial injury to consumers, that consumers cannot reasonably avoid themselves, and that is not outweighed by countervailing benefits to consumers or competition.

Kochava moved to have the initial lawsuit dismissed, and on May 4, 2023, the lawsuit was dismissed by Judge B. Lynn Winmill of the US. District Court for the District of Idaho, as the FTC was determined to have relied too much on the inference that consumers are injured by the data broker’s business practices. The FTC was allowed 30 days to file an amended complaint, as the FTC’s concerns about consumer privacy were found to be legitimate. The amended lawsuit was filed under seal on June 5, 2023, and was three times as long as the initial complaint and ran to 33 pages.

The amended lawsuit includes details about the alleged violations not stated in the first lawsuit. Kochava is alleged to have collected and disclosed precise geolocation data, including details of consumers’ movements, such as visits to sensitive locations. In some cases, geolocation data spans days, months, and even years. In some cases, Kochava linked the geolocation data with other sensitive consumer data, such as name, gender, age, ethnicity, yearly income, marital status, education level, political affiliation, apps installed on users’ mobile devices, interests, behaviors, Mobile Advertising ID, and contact information, which may include address, phone number, and email address.

According to the FTC, the data accessible to Kochava customers allowed individuals to be tracked and served targeted ads. Kochava offered the data in several formats, including a Kochava Collective product, which includes precise geolocation data. This product included granular facts about users, including precise geolocation data, allowing precise targeting of those individuals, and Kochava is alleged to have advertised that product as such.

The FTC alleged the data would allow individuals who received an abortion or were planning on having an abortion to be tracked. The FTC provided an example from the free sample offered by Kochava, which included the data of a woman who visited an abortion clinic. The FTC was able to trace that visit to a mobile device in a single-family residence, and the mobile device was present in the same location three times in one week, allowing the user’s routines to be determined. The FTC alleges that in addition to allowing individuals to be targeted who have sought reproductive care, providers who offer reproductive health services could also be tracked and targeted.

It remains to be seen if the amended lawsuit sufficiently alleges that individuals are likely to suffer substantial injury as a result of Kochava’s business practices, and whether invasion of privacy constitutes an unfair practice under the FTC Act. In the absence of a federal privacy law, the FTC is in the best position to hold companies to account that are determined to have violated consumer privacy. While there have been bipartisan efforts to introduce a federal privacy law, all efforts thus far have failed to get the necessary backing. Earlier this year, three Democratic Senators proposed a bill that would prohibit sensitive health data from being used for advertising purposes. The proposed bill,  The Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act, sought to prevent data brokers such as Kochava from selling geolocation data and to limit the ability of companies to collect and use personal health information without express consent from consumers.

The post Federal Judge Unseals FTC Amended Complaint Against Kochava appeared first on HIPAA Journal.

AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies

Posted by Steve Alder

The American Hospital Association (AHA), Texas Hospital Association, United Regional Health Care System, and Texas Health Resources have filed a lawsuit against Department of Health and Human Services (HHS) Secretary, Xavier Becerra, and HHS’ Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, over the December 2022 guidance issued by OCR on website tracking technologies.

OCR issued guidance for HIPAA-regulated entities on the use of third-party tracking technologies on public-facing websites and applications following revelations that these tools were disclosing the individually identifiable information of website visitors to third-party companies such as Meta (Facebook), Google, social media platforms, and other third parties. The information disclosed by these tools, which include Meta Pixel and Google Analytics code, could potentially include health information, depending on the interactions of users on the websites and apps where the code is used.

A study of the websites of the 100 top hospitals by The Markup found one-third had used these tracking tools on their websites without obtaining consent from website visitors. A more comprehensive study of hospitals that was published in Health Affairs, found that 99% of the 3,747 U.S. hospitals studied were using these tools on their websites. Several of the hospitals reported the use of these tools as data breaches, including Advocate Aurora Health, Novant Health, WakeMed Health, and Cerebral, Inc., some of which involved the data of millions of patients. Many lawsuits have since been filed against healthcare providers in response to the use of these tools. Advocate Aurora Health recently settled Pixel-related litigation for $12.225 million.

In July 2023, OCR and the Federal Trade Commission (FTC) jointly issued warning letters to 130 healthcare organizations over the use of tracking tools and then published those letters – which name the organizations involved – in September 2023, signaling both OCR and the FTC are actively enforcing the guidance.  The AHA has publicly criticized OCR for its position on tracking technologies. In the AHA’s response to Senator Bill Cassidy’s request for information on healthcare data privacy and HIPAA, the AHA called for the HHS to drop its new website tracking technology rule, which it claimed harmed hospitals and negatively affected patients.

The AHA has now taken the issue a step further with legal action. The AHA claims that it had no alternative other than to take legal action due to several months of unsuccessful attempts to communicate its concerns to the HHS. The lawsuit was filed in the U.S. District Court for The Northern District of Texas Fort Worth Division and alleges the new rule is unlawful, and claims that the HHS is actively enforcing its new rule against hospitals but the federal government’s own healthcare providers are continuing to use the prohibited tracking technologies on their websites.

Lawsuit Seeks Court Order Preventing OCR from Enforcing Tracking Technology Guidance

The lawsuit alleges the decision to class the metadata collected and transmitted by tracking technologies as individually identifiable health information subject to HIPAA is, “a gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it.” The AHA explains that “the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.” While the lawsuit does not go as far as seeking the rescindment of the guidance, an order is requested from the court that prohibits OCR from enforcing its rule to prevent members from being unlawfully penalized.

The AHA’s position is that website tracking technologies that collect information such as IP addresses are critical to the function of websites and apps, and many web tools are rendered ineffective without that information, including analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps, to name only a few. By prohibiting tracking technologies, these vital website tools will no longer feature on hospital websites, and that ultimately harms the patients that OCR’s rule seeks to protect.

“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites,” said Rick Pollack, AHA President and CEO. “We cannot understand why HHS created this ‘rule for thee but not for me.’”

The post AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies appeared first on HIPAA Journal.