The Federal Trade Commission (FTC) has announced its first settlement with a data broker over the sale of the precise geolocation data of consumers. Under the terms of the settlement, X-Mode Social is prohibited from selling or sharing sensitive location data with third parties unless it obtains consent from consumers or de-identifies the data.

Virginia-based X-Mode Social, now Outlogic LLC, works with app developers and provides a software development kit (SDK) that can be integrated into smartphone apps that allows data to be collected via the apps, including precise geolocation data. Precise geolocation data can identify where an individual lives and works, the residences of friends and family members, and other locations they visit. Some of those locations may be highly sensitive, such as places of worship, domestic violence centers, addiction treatment centers, places offering services to the LGBTQIA+ community, and reproductive health facilities. If precise geolocation data is collected that confirms consumers’ visits to sensitive locations such as reproductive health clinics and places of worship, they could face discrimination, physical violence, emotional distress, and other harms. Sen Ron Wyden determined that X-Mode had sold sensitive location data to U.S. military contractors in 2020, and another customer, a private clinical research company, paid X-Mode for access to consumer information that included visits to medical facilities, pharmacies, and specialty infusion centers across Columbus, Ohio, according to the FTC complaint.

FTC Alleges X-Mode Social Engaged in Unfair and Deceptive Practices

The FTC launched an investigation to determine whether the data broker had engaged in unfair or deceptive acts or practices. The FTC alleged that X-Mode sold raw data to third parties that did not have sensitive locations removed. X-Mode is also alleged to have failed to implement reasonable and appropriate safeguards against downstream use of that data. In addition to purchasing geolocation data from third-party apps, X-Mode also has its own apps – Drunk Mode and Walk Against Humanity. The FTC alleges users of those apps were not fully informed about how precise geolocation data would be used.

According to the FTC, X-Mode did not have policies and procedures in place to remove sensitive locations from its raw data before it was sold, and users of its own apps were not informed about who would receive their data, and safeguards were not put in place to ensure that they could honor requests by users to opt out of the tracking of movements and the serving of personalized advertisements.  The FTC alleged these failures constituted violations of section 5 of the FTC Act.

“With this action, the commission rejects the premise so widespread in the data broker industry that vaguely worded disclosures can give a company free license to use or sell people’s sensitive location data,”  said FTC chair Lina M. Khan.

Settlement Reached to Resolve FTC Complaint

Under the terms of the settlement, X-Mode and Outlogic are required to implement a program for maintaining a comprehensive list of sensitive locations and that information cannot be shared, sold, or transferred unless consent is obtained from consumers. X-Mode and Outlogic are also prohibited from using location data when they cannot determine if a consumer has provided consent.

X-Mode and Outlogic must develop a supplier program to ensure that all companies it purchases data from are obtaining consent from consumers covering the collection, sale, and use of data, and all precise geolocation data that indicates visits to sensitive locations that has been collected without consent must be deleted or destroyed, unless the data has been de-identified.

X-Mode and Outlogic are also required to implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people, such as bars or service organizations, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual.

Consumers must also be provided with a simple and easy-to-find method of withdrawing their consent to collect and use their location data and request that data be deleted, and also provide a clear and concise way for consumers to request that any businesses or individuals that have been provided with personal data remove location data from commercial databases.

Outlogic’s public relations firm provided a statement in response to the FTC complaint and settlement. “We disagree with the implications of the FTC press release. After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities. Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products.”

The agreement will be published in the Federal Register and comments will be accepted for 30 days, after which the FTC will decide whether to make the proposed consent order final.

The post FTC Prohibits Data Broker from Selling Sensitive Location Data appeared first on HIPAA Journal.

On Monday, three Democratic Senators wrote to the Secretary of the Department of Health and Human Services (HHS) Xavier Becerra to express their concern about pharmacies disclosing prescription records to the police without a warrant.

Sen. Ron Wyden (D-OR) and Reps. Pramila Jayapal (D-WA) and Sara Jacobs (D-CA) launched an investigation following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to an abortion and left it to individual states to set their own laws on abortion. Many states have implemented bans or severe restrictions on abortions, which has resulted in women, and in some cases, children, traveling to more permissive states to receive the reproductive care they need, and there are growing fears that individuals who seek legal reproductive health care out of state may face prosecution in their home state.

The HHS issued guidance on HIPAA and reproductive healthcare following the overturning of Roe v Wade, stressing that while the HIPAA Privacy Rule permits disclosures of PHI to law enforcement, the disclosures are not required by the HIPAA Privacy Rule. It is up to each HIPAA-covered entity to decide whether they provide records to the police.

One of the easiest places to obtain patient records to check who has been prescribed abortion medications is national pharmacy chains, which maintain records for patients no matter which location they visit. The records of the prescriptions of each patient can be accessed from any pharmacy, which means that if a patient in a state where abortion is illegal (e.g. Idaho) crosses the border to get abortion medication legally in a more permissive state (e.g. Oregon), police in the home state can obtain the prescription records because a digital trail is maintained.

But how easy is it to access those records? According to the Senators’ investigation, CVS Health, Kroger, and Rite Aid, allow their staff to hand over pharmacy records in-store. Each of the pharmacy chains confirmed that their staff face extreme pressure to comply with law enforcement requests and they have been instructed to process them on the spot.

The Senators found that the top 8 pharmacy chains, Walgreens Boots Alliance, Amazon Pharmacy, Kroger, Walmart, CVS, Cigna, and Optum Rx, only require a subpoena to provide the records and not a warrant. A subpoena can be issued without a sign-off from a judge, whereas a warrant requires approval from a judge, which means the police must convince the judge that the medical records are essential to the investigation of a crime.

What is not clear is how many requests for medical records have been issued in relation to investigations of individuals seeking abortions. The pharmacy chains confirmed they receive tens of thousands of requests every year to provide medical records to law enforcement, although most are related to civil lawsuits. Only one pharmacy chain, Amazon Pharmacy, said its policy was to notify individuals if there has been a law enforcement request for their medical records and does so unless that action is prevented by law. Most requests for medical records include a gag order, which prevents pharmacies from alerting individuals about disclosures to law enforcement.

The Senators have called for the HHS to make an urgent update to HIPAA to require law enforcement to obtain a warrant or a judge-issued subpoena in order to access medical records and also request that pharmacies proactively notify customers if their records have been requested by law enforcement.

The post Investigation Highlights Ease at Which Police Can Access Pharmacy Records appeared first on HIPAA Journal.

23andMe has updated its terms and conditions in an attempt to prevent its customers from joining class action lawsuits following a massive data breach that affected 6.9 million of its customers. In October 2023, a collection of the data was uploaded to a dark web forum that was allegedly stolen from 23andMe. The dataset contained information on around 1 million Ashkenazi Jews and 100,000 individuals of Chinese descent, then the hacker advertised a further dataset a couple of weeks later that contained the information of a further 4.1 million individuals.

23andMe investigated and determined that approximately 14,000 accounts were compromised in a credential stuffing attack, which was made possible due to password reuse by those customers. The compromised accounts were used to access the ancestry data of 6.9 million users through the DNA Relatives feature (5.5 million users) and the Family Tree feature (1.4 million users). Per its financial reports, 23andMe has around 14 million customers, which means almost half were affected by the data breach. 23andMe maintains that there was no breach of its systems.

Several lawsuits have already been filed against 23andMe over the data breach. One such lawsuit was filed in the Supreme Court in British Columbia with the lead plaintiff claiming that his personal data was stolen and listed for sale on the dark web. The lawsuit alleges 23andMe engaged in “willful, knowing or reckless conduct” by failing to implement and maintain proper data retention and data protection practices. The lawsuit seeks monetary damages, including the price that affected customers paid for 23andMe’s services. Thousands of Canadians have already added their names to the class action lawsuit. Another lawsuit was filed in California that alleges negligence, invasion of privacy, unjust enrichment, and breach of implied contract. The plaintiffs claim that 23andMe implemented inadequate safeguards to protect sensitive user data, did not do enough to prevent intrusions, and did not provide adequate training to staff.

In response, 23andMe has updated its terms of service to force its customers into a binding arbitration, which requires all disputes to be resolved out of court. The updated terms prohibit customers from joining class action lawsuits against the company. The terms of service apply to all new customers, but also to all existing customers unless they opt out. 23andMe emailed its customers on November 30, 2023, about the update to its terms of service and gave them 30 days to opt out. If they do not opt out they will be assumed to have agreed to the new terms of service. Customers hoping to join a class action over the recent data breach must opt out of the new terms of service by December 30, 2023.

The change, which is now prominently displayed in its terms of service in full caps, states, “TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, YOU AND WE AGREE THAT EACH PARTY MAY BRING DISPUTES AGAINST THE OTHER PARTY ONLY IN AN INDIVIDUAL CAPACITY, AND NOT AS A CLASS ACTION OR COLLECTIVE ACTION OR CLASS ARBITRATION.”

The new terms of service mean cases must be arbitrated by a neutral third-party arbitrator, who would decide on the validity of each case. Any decision made by the arbitrator is legally binding and must be accepted by both parties and the arbitrator’s decision cannot be appealed. Since arbitration requires cases to be dealt with on an individual basis, it takes away the power of a group. The new terms and conditions are likely to reduce the number of individuals eligible to participate in class action lawsuits and will thus limit the costs for 23andMe should those lawsuits prove successful.

Arbitration is generally a faster process that could see any payments or refunds issued much more rapidly than a class action. 23andMe explained that the new terms of service will encourage prompt resolution; however, they also include a new 60-day initial dispute resolution period, during which time both parties agree to a delay to arbitration. While the new terms of service will help to prevent class action lawsuits, they do permit mass arbitration. If 25 or more customers issue similar demands for arbitration based on the same or similar subject matter or if they share common issues of law or fact, they can be dealt with through mass arbitration. In such cases, mass arbitration would be handled by National Arbitration and Mediation (NAM), a nationally recognized provider of alternative dispute resolution services.

The post 23andMe Updates Terms of Service to Prevent Class Action Lawsuits appeared first on HIPAA Journal.

Washington University (WU) is seeking confirmation from the court about whether Missouri Attorney General Andrew Bailey has the legal authority to obtain the electronic health records of patients of the WU Transgender Center. AG Bailey issued civil investigative demands to WU on February 23, 2023, requesting documents and electronic health records of patients of the Transgender Center be provided as part of an investigation into the practices of the center.

The investigation was initiated after a whistleblower, Jamie Reed, provided a signed affidavit to the Attorney General about her employment as a case worker at the WU Transgender Center at St. Louis Children’s Hospital. Reed claimed that the Transgender Center had caused permanent harm to many of its patients through prescribed treatments. She claimed healthcare providers at the Transgender Center lied to the public and patients about treatment or lack of treatment and the effects treatment would have. She alleged staff at the center prescribed puberty blockers and cross-sex hormones after two hour-long visits, without complete, informed parental consent or an appropriate and accurate assessment of the needs of the child. She claimed that children had experienced “shocking injuries” from the medications, and there was no attempt or effort to track adverse outcomes. Reed also claimed that the Transgender Center had used incorrect treatment codes to get public and private insurance plans to pay for treatments. The families of several patients of the Transgender Center disputed the claims of Reed, as did another former employee, Jess Jones, who maintained her experience working at the center was different from that of Reed and many patients were told they had to wait for years before they could have treatments.

AG Bailey launched an investigation, with assistance provided by the Missouri Department of Social Services and Division of Professional Registration, and issued civil investigative demands for documentation. AG Bailey claimed that the Missouri Merchandising Practice Act (MMPA) gave him the authority to demand access to the electronic medical records of patients of the WU Transgender Center as part of the investigation. The MMPA is a consumer protection law that pertains to false advertising.  WU partially complied with the civil investigative demand and has handed over documents that relate to advertising but has taken legal action over the demand for electronic medical records, which WU claims is outside the scope of the MMPA.

“Certain statements have been made by the attorney general that have caused Washington University to further question whether all of the requests (including those at issue now) are properly within the scope of the MMPA,” said WU attorney, James Bennett. “The statements suggested that the investigation was directed at medical decision making as much if not more than it was directed to sales or advertising.” The disclosure of patient records has caused anxiety in some patients who do not want their records to be provided to the Attorney General and potentially the public. The lawsuit requests clarification from Judge Jason Sengheiser about whether AG Bailey’s investigative demands are legal, and if so to what extent, to allow WU to modify the request.

The post Lawsuit Seeks Clarification on Legality of Missouri AG Request for Medical Records of Transgender Patients appeared first on HIPAA Journal.

On December 5, 2023, the Joint Commission launched the Responsible Use of Health Data (RUHD) Certification program for U.S. hospitals and critical access hospitals. The voluntary program will provide an objective evaluation of how well hospitals are maintaining privacy best practices for transferring health data to third parties – Known as secondary use of health data.

Hospitals often transfer health data for reasons other than clinical care, such as to support the development of artificial intelligence systems and for quality and operations improvement purposes. The HHS’ Office of the National Coordinator for Health Information Technology (ONC) reports that 85% of hospitals in the United States have the capability to export patient data for reporting and analysis purposes. While the HIPAA Privacy Rule stipulates the methods that should be used when de-identifying protected health information, currently there is no standard approach for using de-identified data nor validating best practices.

The certification program includes an evaluation of whether a hospital is committed to using privacy and security best practices in its secondary use of data and will promote the responsible use of data by demonstrating established protocols for transparency, limitations on use, and patient engagement. The RUHD Certification program is based on principles adopted from the Health Evolution Forum’s “The Trust Framework for Accelerating Responsible Use of De-identified Data in Algorithm and Product Development” framework. Under the program, a hospital will receive an objective evaluation of whether they are de-identifying protected health information in accordance with HIPAA, whether they have established a governance structure for the use of the data, and how the organization communicates with patients about the secondary use of de-identified data. The certification program also assesses data controls, limitations on use, and algorithm variation. Hospitals that achieve RUHD Certification will be recognized publicly for establishing an objective and rigorous process for meeting the necessary privacy requirements.

“As more healthcare organizations are leveraging clinical data for secondary purposes, there have been increased calls to assure responsible data stewardship,” says Jonathan B. Perlin, MD, PhD, MSHA, MACP, FACMI, president and chief executive officer, The Joint Commission Enterprise. “The Joint Commission recognizes it can play an important role in validating that robust policies and procedures are in place to help protect, govern and accountably use secondary data. We believe our Responsible Use of Health Data Certification will help healthcare organizations use data responsibly to improve the safety, quality and equity of care, develop new technologies, and discover new therapies benefitting all patients.”

The program will officially commence on January 1, 2024, when applications will be accepted; however, hospitals can begin working toward RUHD Certification immediately.

The post Joint Commission Launches Certification Program for Responsible Secondary Use of Health Data appeared first on HIPAA Journal.