Healthcare Compliance News

NYS DOH Cybersecurity Regulation Deadline Fast Approaching

Next month, the New York State Department of Health (DOH) cybersecurity regulation for general hospitals comes into force, and all covered hospitals will be required to comply with all the new requirements. The cybersecurity regulation (10 NYCRR 405.46) took effect on October 2, 2024, and with immediate effect, general hospitals had to implement policies and procedures for reporting a material cybersecurity incident to the New York Department of Health’s Surge Operations Center (SOC) within 72 hours. Covered hospitals were given a year to implement compliance programs covering the other new requirements, and the deadline for compliance is now less than a month away. The compliance deadline is October 2, 2025.

Cybersecurity Requirements for General Hospitals

Hospitals in New York State already need to comply with the HIPAA Security Rule, but the cybersecurity regulation introduces many new requirements. Simply being HIPAA-compliant is no longer enough. Hospitals in the state, under HIPAA, are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; however, the cybersecurity regulation takes things further, as the requirements apply to electronic nonpublic information. The definition is broader than HIPAA, and applies to personally identifiable information (PII), which is information that could be used to identify a natural person, not just patients, as well as business-related records.

General hospitals are required to implement a cybersecurity program based on the hospital’s risk assessment. The cybersecurity regulation stipulates several required elements that go above and beyond those specified by HIPAA. The cybersecurity program must identify internal and external risks that may threaten the security or integrity of nonpublic information within the hospital’s systems and that may threaten the continuity of the hospital’s business and operations. Policies and procedures must be implemented to protect information systems and any nonpublic information stored within those systems from unauthorized access and other malicious acts. Defensive infrastructure is required, and systems must be in place for detecting and responding to cybersecurity events, which will allow the recovery of normal operations and services.

Policies and protocols must be implemented for limiting user access privileges to systems containing nonpublic information, and there must be regular reviews of access privileges. There is a new requirement for measures to mitigate the threat of email-based attacks, such as spoofing, phishing, and fraud, and regular reviews of email controls must be conducted to ensure they continue to be effective.

Security measures and controls include encryption of data at rest and in transit, and there are data minimization requirements. Policies and procedures are required for the secure disposal of nonpublic information that is no longer required. Multifactor authentication, risk-based authentication, or other compensating controls are required to protect against unauthorized access to nonpublic information.

In contrast to HIPAA, which requires regular risk analyses, hospitals are required to conduct an annual risk assessment to identify risks and vulnerabilities to nonpublic information, and the cybersecurity program must be assessed annually to ensure it remains effective. Testing is required, including annual penetration tests by a qualified internal or external party. Hospitals must have an incident response plan for dealing with cybersecurity incidents, and documentation demonstrating compliance must be maintained for six years.

Hospitals are required to appoint a Chief Information Security Officer (CISO), who must be a qualified senior or executive-level staff member with proper training, experience, and expertise, and the cybersecurity program must be managed by qualified cybersecurity personnel or a third-party service provider.

New Cybersecurity Requirements Likely to Be Rigorously Enforced

The HIPAA Journal has spoken with information governance strategist Matthew Bernstein, who has over 20 years’ experience helping organizations analyze risks, transform written policy into day-to-day practice, and make their data findable, compliant, and secure. Hospitals rely on his firm, Bernstein Data, to integrate retention schedules, discovery and classification, and defensible disposition into one operating model that meets HIPAA and state mandates while trimming storage costs and shrinking the ransomware “attack surface”.

Bernstein has warned that hospitals believing they are compliant with the new requirements because they are HIPAA compliant could be in for a shock, and any hospital waiting to implement the changes until the DOH starts enforcing the cybersecurity regulation could well end up paying a considerable financial penalty. The language of the regulation closely mirrors the NYS Department of Financial Services (DFS) requirements, and penalties for noncompliance can run from $1 million to $5 million.

“It’s clear that the NYS Dept of Health is taking a leaf from the NYS Department of Financial Services’ book, and that should be concerning to hospitals. The DFS has been an aggressive regulator about cybersecurity shortcomings of NYS companies, including healthcare providers with a ‘financial services’ business, such as its recent $2 million settlement with Healthplex,” explained Bernstein. “There are significant commonalities between the new DOH regulation and the infamous 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies, and these requirements present new challenges for hospitals. It’s not just about a small set of defined PHI and making sure breaches are reported; there’s an expansive set of ‘personal’ and ‘business-related’ information to protect, and new risk assessment and mitigation operations to be adopted.”

With the compliance deadline fast approaching, hospitals need to ensure they have the policies, procedures, and protocols in place to comply with the new requirements. “New York hospitals don’t need to solve everything overnight, but they do need to demonstrate governance and intent,” Bernstein said. “Drafting a preliminary compliance roadmap with specific roles, accountability structures, and implementation priorities can go a long way in signaling good faith to regulators, board members, and insurers. Think of it as the scaffolding on which everything else will be built.”

The post NYS DOH Cybersecurity Regulation Deadline Fast Approaching appeared first on The HIPAA Journal.

HHS Announces Crackdown on Information Blocking in Healthcare

The Department of Health and Human Services (HHS) has announced it will start cracking down on healthcare entities that engage in information blocking. On September 3, 2025, HHS Secretary Robert F. Kennedy Jr. directed the HHS to increase resources dedicated to the enforcement of the health data information blocking provisions of the 21st Century Cures Act. The 21st Century Cures Act of 2016 established penalties, termed disincentives, for healthcare entities that engage in information blocking practices, which is “any practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.”

The disincentive for information blocking by developers of certified health IT, Health Information Exchanges (HIEs), and Health Information Networks (HINs) is a civil monetary penalty of up to $1 million, which took effect on September 1, 2023. Developers with products certified under the ONC Health IT Certification Program could have their certifications terminated and be banned from the Certification Program.

In 2023, the HHS proposed a rule that established a range of disincentives for healthcare providers determined by the HHS Office of Inspector General (HHS-OIG) to have engaged in information blocking practices. Those disincentives took effect on July 31, 2024, with the exception of the penalties for ACO participants, which became effective on January 1, 2025.

Those disincentives include:

  • The denial of eligibility to hospitals or critical access hospitals (CAHs) as meaningful electronic health record (EHR) users in an applicable EHR reporting period, resulting in the loss of 75 percent of the annual market basket increase, and a reduction in Medicare payments to CAHs to 100 percent of reasonable costs rather than 101 percent. The amount of the disincentive would be dependent on a hospital’s Medicare payments. The HHS previously calculated the median disincentive amount to be $394,353.
  • Information blocking by eligible clinicians would result in them losing eligibility as meaningful users of certified EHR technology in a performance period, resulting in a zero score under Medicare’s Merit-based Incentive Payment System (MIPS) payments to physicians.
  • Providers or suppliers that are Accountable Care Organization (ACO) participants would be ineligible to participate in the Medicare Shared Savings Program for a period of at least one year.

In a September 3, 2025, press release, the HHS said it will be cracking down on information blocking, whereby patients’ engagements in their care are restricted by the blocking of access, exchange, and use of electronic health information. The HHS said information blocking was not a priority for the Biden administration, but it is a priority under President Trump and Secretary Kennedy.

“Patients must have unfettered access to their health information as guaranteed by law. Providers and certain health IT entities have a legal duty to ensure that information flows where and when it’s needed,” said Acting Inspector General Juliet T. Hodgkins. “HHS-OIG will deploy all available authorities to investigate and hold violators accountable. We are committed to enforcing the law and protecting patients’ access to health information.”

Empowering individuals to take control of their health is a key element of Secretary Kennedy’s Make America Healthy Again promise, which requires them to have easy access to their electronic health information, either at no cost through their healthcare providers or through their chosen health apps. Access to health information allows patients to monitor chronic conditions, adhere to treatment plans, track progress in wellness and disease management plans, and find errors in their health records.

“We have already begun reviewing reports of information blocking against developers of certified health IT under the ONC Health IT Certification Program and are providing technical assistance to our colleagues at OIG for investigations,” said Tom Keane, MD, Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology. The HHS is encouraging patients and innovators who have experienced or observed information blocking to report it through the ASTP/ONC Report Information Blocking Portal.


Florida Considers Rule to Improve Healthcare Data Breach Transparency

Healthcare providers in Florida could have new data breach reporting requirements if a recently proposed Florida Administrative Code Regulation Rule is adopted. The rule was proposed by the Agency for Health Care Administration (AHCA) to improve healthcare data breach transparency and preparedness for security incidents. If adopted, healthcare providers will be required to have a contingency plan for information technology incidents, to ensure that critical operations and patient care services can continue during an interruption to normal operations.

The contingency plan must consist of a written policy containing procedures and information regarding the maintenance of critical operations and essential patient care, together with a procedure for ensuring regular, secure, redundant on-site and off-site data backups (within the continental United States) and for verifying that backed-up data can be restored.

An information technology incident is defined as “an observable occurrence or data disruption or loss in an information technology system or network that permits or is caused by unauthorized access of data in electronic form.” The definition covers cyberattacks and insider breaches, including good-faith authorized access by an employee if the data accessed by the employee is used in an unauthorized manner or for an unauthorized purpose.

The new rule will require all covered providers to report an information technology incident to AHCA within 24 hours of the provider determining that an information technology incident has occurred. The following items do not have to be included in the incident report itself, but on request providers must give AHCA a copy of the police report, incident report, computer forensics report, policies regarding information technology incidents, a list of the information disclosed, the steps taken in response to the incident, and a copy of the contingency plan.

Since healthcare providers are likely also HIPAA-covered entities, these new requirements will be in addition to any requirements under HIPAA. The AHCA will be holding a rule development workshop on September 17, 2025, about the proposed rule.

Covered Providers

  • Abortion clinics
  • Adult day care centers
  • Adult family-care homes
  • Ambulatory surgical centers
  • Assisted living facilities
  • Birth centers
  • Companion services or homemaker services providers
  • Crisis stabilization units
  • Health care clinics
  • Health care services pools
  • Home health agencies
  • Home medical equipment providers
  • Homes for special services
  • Hospices
  • Hospitals
  • Intermediate care facilities for persons with developmental disabilities
  • Laboratories authorized to perform testing under the Drug-Free Workplace Act
  • Nurse registries
  • Nursing homes
  • Organ, tissue, and eye procurement organizations
  • Prescribed pediatric extended care centers
  • Residential treatment centers for children and adolescents
  • Residential treatment facilities
  • Short-term residential treatment facilities
  • Transitional living facilities


Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations

On August 26, 2025, Robert F. Kennedy Jr., Secretary of the U.S. Department of Health and Human Services (HHS), delegated the authority to administer and enforce the “Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (Part 2) to the HHS’ Office for Civil Rights (OCR).

OCR is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, ensures the confidentiality, integrity, and availability of personally identifiable health information collected, stored, maintained, or transmitted by HIPAA-regulated entities. The HIPAA Rules have provisions concerning data security and uses and disclosures of personally identifiable information related to past, present, and future health; however, due to the high level of sensitivity of SUD records, they are afforded greater protection under the Part 2 regulations.

The Part 2 regulations were promulgated in 1975 to ensure that patients receiving treatment for a SUD in a Part 2 Program do not face adverse consequences related to criminal proceedings and domestic proceedings such as child custody, divorce, or employment. The Part 2 regulations restrict uses and disclosures of SUD records, which are kept separate from other health records, such as those regulated by HIPAA. Generally, Part 2 Programs are prohibited from disclosing any information that could identify a person as having or having had a SUD without written consent.

While there are important reasons for greater protections for SUD records, having two sets of regulations for different types of health information creates compliance challenges. The two sets of regulations hamper care coordination, stifle information sharing, and may put patients at risk. For instance, the separation of SUD records from general health records could result in a physician making a treatment decision based on incomplete information, such as prescribing opioids to a patient recovering from opioid addiction.

There have been growing calls for the Part 2 regulations to be more closely aligned with HIPAA to improve care coordination and address some of the current compliance challenges. In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was enacted, which directed the HHS to engage in further rulemaking to better align the Part 2 regulations with HIPAA. The HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR, issued a Final Rule in 2024 that aligns certain requirements of the Part 2 regulations with HIPAA to improve care coordination and strengthens confidentiality protections through civil enforcement. The compliance deadline for the Final Rule is February 16, 2026.

Two of the changes relate to privacy violations and data breaches. The Final Rule gives individuals the right to file complaints about violations of the Part 2 regulations, and the subject of SUD records must be notified about breaches of their Part 2 records, as is the case for violations of HIPAA and breaches of HIPAA-covered data. RFK Jr. has now delegated the administration and enforcement responsibilities of the Part 2 regulations to OCR. The Director of OCR has the authority to redelegate those responsibilities.

Specifically, per the Secretary’s Statement of Delegation of Authority published in the Federal Register on August 27, 2025, OCR will be able to:

  • Enter into resolution agreements, monetary settlements, and corrective action plans, or impose civil money penalties for failures to comply with the requirements of Part 2 regulations, as amended by the Final Rule
  • Issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with the Part 2 regulations, as amended by the Final Rule
  • Make decisions regarding the interpretation, implementation, and enforcement of the Part 2 regulations, as amended by the Final Rule


New Texas Law Gives Physicians 3 Days to Communicate Sensitive Test Results to Patients

Texas Governor Greg Abbott has signed a bill into law that provides physicians in the state with a 3-day window to review sensitive medical test results and communicate the findings to patients before they are notified electronically, and the test result is added to their electronic medical record.

Senate Bill 922, titled Relating to the disclosure of certain medical information by electronic means, was introduced by Sen. Kelly Hancock (R-North Richland Hills) and Rep. Caroline Fairly (R-Amarillo) in response to calls from physicians in the state to give them time to review sensitive test results and communicate that information to patients.

The bill was in response to a provision of the 21st Century Cures Act that required the immediate release of health information to patients’ information portals. Since the spring of 2021, test results have been sent to patients’ information portals immediately. While rapid access to health information has its benefits, there have been many cases where patients have received a cancer diagnosis via their smartphone rather than having the results explained by a physician in an informative and compassionate manner.

“As an oncologist, I’ve had many conversations with patients about their cancer-related tests. It is always a confusing and scary time for them, as the results can be life-changing. Oncologists are trained to convey this information in a timely, informative, and supportive manner so that patients understand not only what the test means but what options they have. This is an opportunity to offer hope and reassurance to the patient,” explained David Gerber, MD, on behalf of the Texas Medical Association in testimony provided to the House Public Health Committee.

Dr. Gerber testified about many horror stories, such as patients being alerted about a cancer diagnosis via a smartphone notification during a business dinner, while reading a bedtime story to a young child, and during the commute to work. Dr. Gerber estimated that as many as three in four patients received pathology test results before the physician who ordered the test had viewed them. “Although this bill places a brief pause on the electronic transfer of some test results to a patient, it allows for a physician to call a patient with the results at any time,” Dr. Gerber said. “Giving the right information, rather than just the fastest information.”

The new law will take effect on September 1, 2025, and applies to pathology and radiology reports that have a reasonable likelihood of showing a finding of a malignancy, and any test result that may reveal a genetic marker. The new law will ensure that patients continue to receive timely medical information; however, there will be a 3-day delay from the finalization of the test results before they can be disclosed to a patient or the patient’s representative by electronic means.


Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million

Healthplex, one of the largest providers of dental health insurance programs in New York State, has agreed to a settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). Healthplex has agreed to pay a $2 million financial penalty to New York State and take steps to improve its cybersecurity posture.

The Cybersecurity Regulation took effect in 2017 and requires all financial institutions operating in New York State to implement and maintain a robust cybersecurity program. Some of the key requirements include conducting risk assessments, managing risks, and implementing security policies and procedures, an incident response plan, and multifactor authentication.

Healthplex is a licensed provider of dental insurance management services and must therefore comply with the Cybersecurity Regulation. NYDFS launched a compliance investigation after Healthplex reported a cybersecurity event to NYDFS on April 8, 2022. Healthplex discovered the incident on November 24, 2021, when employees received a suspicious email from an account associate’s account and reported it internally to the security team.

The investigation confirmed that an account associate in customer service had responded to a phishing email that was received on November 22 or 23, 2021. The email required Office 365 email login credentials to be provided to receive a fax message. The credentials were captured, and the threat actor accessed the Office 365 account. The account was used to send further phishing emails, and it was found to contain the protected health information of 89,955 individuals.

The NYDFS investigation revealed that there was no data retention policy limiting the information stored in email accounts, in violation of § 500.13 of the Cybersecurity Regulation. The employee had worked for the company for approximately 20 years, and their account contained more than 100,000 emails. Further, multifactor authentication (MFA) had not been set up for its Office 365 email environment, so a compromised password was all that was required to access the account and the sensitive and nonpublic data of tens of thousands of individuals.

Healthplex had implemented MFA for its email environment; however, it failed to ensure that MFA was completely operational when it migrated to Office 365 earlier in the year. With the password obtained in the phishing attack, the entire contents of the account could be accessed via a standard web browser. § 500.12(b) of the Cybersecurity Regulation requires MFA to be implemented for remote access to the covered entity’s information systems and third-party applications.

The required cybersecurity program must ensure that a covered entity is able to report cybersecurity events promptly. The Superintendent must be notified within 72 hours of the discovery of a cybersecurity event. While the event was detected on November 24, 2021, the Superintendent was not notified until April 8, 2022, in violation of § 500.17(a) of the Cybersecurity Regulation. Healthplex had certified that it was compliant with the Cybersecurity Regulation for 2021, but the investigation confirmed that not to be the case, in violation of § 500.17(b). The lack of policies for secure disposal of data on a periodic basis was in violation of § 500.13 of the Cybersecurity Regulation.

In addition to the financial penalty, Healthplex has agreed to strengthen its cybersecurity controls to ensure compliance with the Cybersecurity Regulation and will hire an independent third-party auditor to conduct a current audit of the MFA controls of its business infrastructure and shared systems that support its core business functions.

This is not the first financial penalty for Healthplex over the phishing incident. In 2023, Healthplex settled an investigation with the New York Attorney General and paid a financial penalty of $400,000 to resolve alleged violations of HIPAA and state data security and consumer protection laws.


Companies Ordered to Pay $145 Million for Alleged Deceptive Health Insurance Marketing

The Federal Trade Commission (FTC) has announced settlements with two healthcare companies to resolve claims that they misled consumers seeking health insurance. In both cases, the companies were alleged to have deceived consumers seeking comprehensive health insurance into purchasing plans that did not provide the claimed level of coverage. The companies will pay a total of $145 million to the FTC to resolve the two complaints.

The biggest financial penalty was imposed on Assurance IQ, LLC, a Seattle-based company that sells short-term medical (STM) plans, limited benefit indemnity (LBI) plans, and supplemental healthcare plans, including vision and dental discount plans. According to the FTC complaint, Assurance’s telemarketers overstated the coverage provided by its policies. Most of the plans were sold on behalf of Benefytt Technologies, which was a third-party distributor of healthcare products for various carriers. Assurance received over $100 million in commissions for selling the policies on behalf of Benefytt. The FTC previously filed a complaint against Benefytt alleging deceptive acts and practices, which was resolved in 2022.

Assurance generated leads through its website, offering free quotes for affordable health insurance, as well as obtaining leads from third-party lead generators, and its outbound telemarketers contacted those consumers to sell them insurance products. The Assurance website stated that its insurance products were equivalent to comprehensive health insurance and that it worked with leading health insurers such as Aetna, Humana, and Kaiser Permanente, but it did not sell any of their insurance products, and the policies sold to consumers did not provide comprehensive insurance coverage.

Its telemarketers were alleged to have misrepresented the features of the plans, leading consumers to believe they were purchasing comprehensive health insurance, when that was not the case. Consumers were also told they had coverage for pre-existing health conditions, when that was not the case, and there were other significant coverage restrictions. Consumers were also told there were no caps on benefits, but the policies had significant restrictions. The $100 million judgment resolves claims that Assurance violated the Telemarketing Sales Rule (TSR). Assurance has been prohibited from making express and implied misrepresentations to consumers and must have competent and reliable evidence to substantiate any claims about coverage.

The second settlement resolves a complaint against Los Angeles, CA-based MediaAlpha, Inc. and its operating subsidiary QuoteLab, which uses websites and online ads claiming to provide health insurance quotes. The leads generated are sold to telemarketers. According to the FTC, MediaAlpha sold 119 million consumer leads in 2024.

The FTC alleged the company used website domains with names that implied they were associated with the government, and claimed consumers could buy low-cost, comprehensive health insurance that complies with the Affordable Care Act. The company hired actors, celebrities, and a doctor for product promotion, including a fictitious government “Health Insurance Give Back Program,” and claimed that millions of Americans qualified for a health plan that cost $1 per day.

MediaAlpha’s partners used robocalls and telemarketing calls, including to people on the Do Not Call Registry, offering comprehensive low-cost health insurance coverage, but the health care plans provided by its partners rarely included the low-cost, comprehensive health insurance plans that consumers were promised.

The FTC alleged that MediaAlpha was in violation of the FTC Act, TSR, and Impersonation Rule, and obtained a $45 million consent judgment. MediaAlpha is prohibited from making misleading and false claims about the products it offers, must hand over the misleading domains it used, must monitor its partners to ensure they comply with the law in the future, and must obtain consent from consumers before selling or disclosing their personal information.


Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data

Users of the Flo Period & Ovulation Tracker app (Flo App) who sued Facebook (Meta) and others over the alleged collection and interception of their sensitive data without consent have won a landmark victory after a jury ruled in their favor and found that Meta had violated the California Invasion of Privacy Act.

The Flo App, developed and owned by Flo Health, is one of the most popular health and wellness apps. According to Flo Health, the app is the #1 mobile product for women’s health. At the time the lawsuit was filed, the app had been downloaded more than 180 million times and had over 38 million active monthly users. When individuals download the Flo App, they are asked to enter personal data and answer a series of personal questions about their sexual health, gynecological health, general health and well-being, and menstruation cycles. As they continue to use the app, they are asked to provide further sensitive information, including when they have their period, if they have had sex, whether they masturbated, any health symptoms, and their mood. Flo Health uses the information provided to predict their likely ovulation date and offers tailored health and wellness advice.

Flo Health provided repeated assurances that the information provided would remain private and confidential and would not be shared with any third parties, unless the user provided explicit consent; however, that was not the case, as sensitive data was shared with third parties via software development kits (SDKs) incorporated into the Flo App.

Several class action lawsuits were filed in response to the data disclosures against Flo Health, Facebook, Google, AppsFlyer, and Flurry. The lawsuits were consolidated in 2021 as Frasco v. Flo Health in the U.S. District Court for the Northern District of California. The plaintiffs alleged that “Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ and Class members’ intimate health data to third parties, including the non-Flo defendants,” through SDKs incorporated into the app. Data was shared with third parties such as Facebook, and could be used to assist with targeted advertising.

Flo Health was also alleged to have incorporated the non-Flo defendants’ SDKs into the app and transmitted sensitive information to those companies. According to the lawsuit, “the Non-Flo Defendants, including two of the largest digital advertisers in the world, incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements,” which the plaintiffs allege occurred without their knowledge or consent.

The lawsuit asserted fourteen claims for relief against Flo Health, the Flo defendants, and the non-Flo defendants. Google and Flurry previously chose to settle with the plaintiffs, and Flo Health followed suit last Thursday, settling for an undisclosed sum. Meta chose not to settle, and the trial proceeded to a jury verdict. The jury was asked to answer three questions, unanimously answering yes to the first two and no to the last.

  • Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device?
  • Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that they had a reasonable expectation that the conversation was not being overheard and/or recorded?
  • Did Meta have the consent of all parties to the conversation to eavesdrop on and/or record it?

The verdict could help to rein in tech firms’ collection of sensitive user data for use in targeted advertising. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” explained the plaintiffs’ lawyers in a statement about the verdict. “Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data.”

Meta vigorously disagrees with the outcome of the trial and is exploring all legal options and will likely appeal. “The plaintiffs’ claims against Meta are simply false,” according to a statement from Meta. “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.

Hundreds of class action lawsuits have been filed over the use of tracking tools on websites and health apps, and there has been a flurry of settlements in recent weeks. It is rare for these lawsuits to proceed to trial due to the risk of verdicts such as this, with most defendants opting to limit their financial exposure by settling the litigation. Many of those lawsuits have yet to be resolved, including several complaints against Meta.

The post Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data appeared first on The HIPAA Journal.