FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years

Posted by Steve Alder

Rite Aid has been banned from using facial recognition technology for security surveillance for five years as part of a settlement with the Federal Trade Commission (FTC), which determined the pharmacy chain failed to mitigate potential risks to consumers from misidentification.

Between 2012 and 2020, Rite Aid used artificial intelligence-based facial recognition technology in hundreds of its stores to identify customers who may have been engaged in shoplifting or other problematic behaviors. While the system correctly identified many individuals who had engaged in these behaviors, the system also recorded thousands of false positives, where the facial recognition technology incorrectly matched individuals with others who had previously been identified as shoplifters or had engaged in other problematic behaviors. The misidentified individuals were then erroneously accused of wrongdoing by Rite Aid employees.

The FTC found that the facial recognition technology was more likely to record false positives in communities that were predominantly Black or Asian, compared to plurality-White communities, indicating bias in the technology and heightened risks to certain consumers because of race or gender. According to the FTC, Rite Aid contracted with two technology firms to build a database of images and videos of “persons of interest,” who were thought to have engaged in shoplifting or other problematic behaviors in Rite Aid stores, and that database was used for the AI-based facial recognition system. Tens of thousands of images and videos were collected along with names and background information, including background criminal data. Many of the images in the database were of low quality and had been collected from store security cameras, the mobile devices of employees, and in some cases, from news stories. “The technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States”, according to the FTC.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

Rite Aid was alleged to have failed to consider and mitigate risks to consumers from misidentification, failed to take into account the limitations of the technology and the high risk of misidentifying Black and Asian individuals, did not properly test, assess, measure, document, or inquire about the accuracy of the technology before deployment, failed to prevent low-quality images from being fed into the system, failed to monitor or test the accuracy of the technology after deployment, and failed to adequately train employees tasked with operating the technology and flag that it could generate false positives.

The FTC also said Rite Aid violated a previous 2010 data security order with the FTC that resolved a complaint that Rite Aid failed to protect the medical privacy of customers and employees, which required Rite Aid to implement a comprehensive information security program. As an example, the FTC alleged that Rite Aid conducted many security assessments of service providers orally and did not obtain or possess backup documentation of those assessments, including those that were considered by Rite Aid to be high-risk.

Rite Aid has been ordered to delete or destroy all photos and videos of consumers used in connection with the operation of the facial recognition or analysis system within 45 days, and within 60 days, to identify all third parties that received photos or videos as part of the facial recognition and analysis and instruct them to also delete the photos and videos.

In addition to the ban on facial recognition technology, Rite Aid is prohibited from using any automated biometric security or surveillance system that is not otherwise prohibited by the order unless a comprehensive automated biometric security or surveillance system monitoring program is established and maintained to identify and address risks that could result in physical, financial, or reputational harm to consumers, stigma, or severe emotional distress.

Rite Aid must also notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system, and must investigate and respond to consumer complaints about actions taken against them based on automated biometric security or surveillance system.

Rite Aid said it is pleased to have reached an agreement with the FTC which means the company can put the matter behind it; however, said, “We fundamentally disagree with the facial recognition allegations in the agency’s complaint.” Rite Aid also explained that the allegations related to a facial recognition technology pilot program that was deployed in a limited number of stores. “Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the Company’s use of the technology began.” All parties have agreed to the consent order but it has yet to be approved by a judge.

The post FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years appeared first on HIPAA Journal.

Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach

Posted by Steve Alder

More than half a dozen lawsuits have been filed against the Fred Hutchinson Cancer Center over a cyberattack and data breach that occurred over the Thanksgiving weekend. Unauthorized individuals gained access to its network where patient data was stored and removed files containing names, contact information, medical information, and Social Security numbers. The Hunters International hacking group claimed responsibility for the attack, and when the Fred Hutchinson Cancer Center refused to pay the ransom demand, they turned their attention to patients and started contacting them directly demanding payment of $50 to have their stolen data deleted. The hacking group claimed to have stolen the data of 800,000 patients.

Class action lawsuits are commonly filed after large data breaches, and it was inevitable that the affected individuals would take legal action given that they had been directly threatened by the individuals behind the attack. The lawsuits make similar claims, and it is therefore likely that they will be consolidated into a single class action lawsuit. The most common claims are that the Fred Hutchinson Cancer Center was negligent by failing to implement reasonable and appropriate safeguards to protect its internal networks and patient data against unauthorized access and that the breach occurred as a result of those security failures.

One of the lawsuits – Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – was filed in the Superior Court of the State of Washington in King County, and claims that the plaintiffs believed that the defendants had implemented and maintained reasonable and appropriate security practices due to the representations of the defendants, when that was not the case. Both of the named plaintiffs claim they first learned about the data breach when they were contacted directly by the hackers and threatened with the public release/sale of their sensitive data. They claim that the Fred Hutchinson Cancer Center failed to issue prompt notifications to allow them to take steps to protect themselves against identity theft and fraud.

The lawsuit claims the plaintiffs and class members now face grave and lasting consequences from the attack and have suffered injury and damages including a substantial and imminent risk of identity theft and medical identity theft, loss of confidentiality of highly sensitive PII/PHI, deprivation of the value of PII/PHI, and overpayment for services that did not include adequate data security, and other harms. In addition to negligence, the lawsuit alleges negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and a violation of the Washington Consumer Protection Act. The lawsuit seeks a jury trial and actual, statutory, and punitive damages, restitution, disgorgement, and nominal damages, and equitable, injunctive, and declaratory relief. Another lawsuit, Shawna Arneson v. Fred Hutchinson Cancer Center, was filed in the same court and makes similar claims, and alleges the actions of Fred Hutchinson Cancer Center violated HIPAA.

A third lawsuit – Doe v. Fred Hutchinson Cancer Center et al – was filed in the US District Court for the Western District of Washington by John Doe, the father of Jack Doe, and similarly situated individuals. Other defendants named in the lawsuit include UW School of Medicine, UW Medical Center, Harborview Medical Center, Valley Medical Center, UW Physicians, UW Neighborhood Clinics (dba UW Medicine Primary Care), Airlift Northwest, and Children’s University Medical Group.

Jack Doe received healthcare services from UW Medicine but was never a patient of the Fred Hutchinson Cancer Center; however, his data was shared with the Fred Hutchinson Cancer Center as both health systems work together to advance cancer research. The lawsuit alleges that the defendants failed to implement appropriate cybersecurity measures and failed to protect patients from “a flood of extortionary threats by cybercriminals.” The lawsuit alleges long-standing security failures, as the Fred Hutchinson Cancer Center also failed to prevent a breach of an employee email account in March 2022. The lawsuit seeks a jury trial and an award of damages, relief, and restitution.

Fred Hutchinson Cancer Center Data Breach Lawsuits

  • Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – The plaintiffs are represented by Alexander F. Strong of Stobaugh & Strong P.C., Ben Barnow, Anthony L. Parkhill, and Riley W. Prince of Barnow and Associates.
  • Doe v. Fred Hutchinson Cancer Center et al – The plaintiffs and class are represented by Turke & Strauss LLP.
  • Shawna Arneson v. Fred Hutchinson Cancer Center – The plaintiffs are represented by Kim D. Stephens & Cecily C. Jordan of Tousley Brain Stephens PLLC.

The post Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach appeared first on HIPAA Journal.

Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital

Posted by Steve Alder

New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.

NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, NYP was contacted by a journalist from The Markup and was informed that these tools were capable of transmitting sensitive information to the third-party providers of the tools, including information classified as protected health information under HIPAA.

On June 16, 2023, The Markup published an article about the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any privacy violations.  NYP determined that PHI had potentially been impermissibly disclosed and reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, as involving the protected health information (PHI) of up to 54,396 individuals.

NY Attorney General Launches HIPAA Investigation

NY Attorney General, Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York laws. The investigation confirmed that NYP had added several tracking tools to its website that were provided by third parties such as Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to trigger on certain user events on its website. Most were configured to send information when a webpage loaded, and some sent information in response to clicks on certain links, the transmission of forms, and searches conducted on the site. The snippets of information sent to third parties included information about the user’s interactions on the website, including the user’s IP address, URLs visited, and searches. The tools provided by Google, Meta, and the Trade Desk also received unique identifiers that had been stored in cookies on the user’s devices.

Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.

The tracking tools from Meta, Google, and the Trade Desk were used to serve previous website visitors with targeted advertisements based on their previous interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors based on the pages they visited and used Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served targeted advertisements on other third-party websites related to prostate cancer.

Commonly Used Website Tracking Tools Violate HIPAA

These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.

The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate policies and procedures for vetting third-party tracking tools. The New York Attorney General determined that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits disclosure of PHI, and § 164.530(c) and (i), which requires administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63 (12), by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

NYP fully cooperated with the investigation and chose to settle the alleged violations with no admission or denial of the findings of the investigation. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63 (12), General Business Law § 899-aa, and the HIPAA Privacy Rule Part 164 Subparts E and the HIPAA Breach Notification Rule 45 C.F.R. Part 164 Subpart D concerning the collection, use, and maintenance of PHI. NYP is also required to contact all third parties that have been sent PHI and request that information be deleted and NYP has agreed to conduct regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app, and conduct regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools.

NYP is also required to clearly disclose on all websites, mobile applications, and other online services it owns or operates, all third parties that receive PHI as the result of a pixel, tag, or other online tool, and provide a clear description of the PHI that is received.  The notice must be placed on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, as well as any webpage that addresses specific symptoms or health conditions.

OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”

A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.