Medtronic & Edward-Elmhurst Health Sued Over Web Tracker Use

The Minneapolis, MN-based medical device manufacturer Medtronic & the Illinois health system Edward-Elmhurst Health are facing class action lawsuits over the use of website tracking technologies, which passed sensitive customer data to third parties such as Google and Meta.

Medtronic MiniMed and MiniMed Distribution Corp

A lawsuit has been filed against Medtronic MiniMed Inc. and MiniMed Distribution Corp (Medtronic) over the use of tracking technologies in its InPen diabetes management app.

The lawsuit – A.H. v. Medtronic MiniMed Inc. and MiniMed Distribution Corp – was filed in District Court for the Central District of California on behalf of plaintiff A.H. and similarly situated individuals who had their sensitive information disclosed to third parties via Google Analytics, Firebase, and Crashlytics.

Medtronic reported the data breach to the HHS’ Office for Civil Rights in April as affecting 58,374 individuals and notified customers that email addresses, IP addresses, phone numbers, InPen App usernames and passwords, timestamp information for InPen App events, and unique identifiers tied to InPen accounts or mobile devices had been impermissibly disclosed. Medtronic no longer uses Google Analytics and is transitioning from Crashlytics and Firebase authentication to other reporting and authentication platforms.

The lawsuit claims Medtronic placed profit over privacy when it deliberately added these tools to the app to access and monetize user data. It also claims that Medtronic violated its own privacy policy, as it maintained it would keep InPen app user data private and would not share user information with third parties for marketing purposes unless written authorization was obtained.

The lawsuit alleges common law invasion of privacy – intrusion upon seclusion, breach of confidence, breach of fiduciary duty, negligence, breach of implied contract, breach of implied covenant & fair dealing, unjust enrichment, and violations of the Electronic Communications Privacy Act (ECPA), California Invasion of Privacy Act (CIPA), and New York General Business Law.

The lawsuit seeks class action status, a jury trial, damages, extended credit monitoring services, attorneys’ fees, and equitable and injunctive relief to ensure that users of its app have their privacy protected. The plaintiffs and class are represented by attorneys from the law firms Milberg Coleman Bryson Phillips Grossman, PLLC, Markovits, Stock & Demarco, LLC, and Chestnut Cambronne PA.

Edward-Elmhurst Health

The lawsuit against Edward-Elmhurst Health – Arnold Stein and Diane Miller v. Edward-Elmhurst Health – was filed in Cook County Circuit Court and alleges patient privacy was violated due to the use of the Meta Pixel tracking tool on its web portals, which patients use for booking appointments and finding treatment facilities and other healthcare services.

According to the lawsuit, the Meta Pixel tracking code was added to the web portals without users’ knowledge, and transmitted “every click, keystroke and detail about their medical treatment” to Facebook. That information was tied to individual users through their Facebook IDs. The lawsuit alleges the information transmitted to Facebook was used for marketing purposes in an effort to bolster Edward-Elmhurst Health’s profits.

The lawsuit alleges the disclosures violated HIPAA, the Illinois Eavesdropping Statute, and the Illinois Consumer Fraud and Deceptive Business Practices Act. The lawsuit seeks actual and punitive damages, attorneys’ fees, and an injunction against Edward-Elmhurst Health preventing further patient privacy violations through tracking technologies. The lawsuit was filed by attorneys from Almeida Law Group LLC and Stephan Zouras, LLP.

The post Medtronic & Edward-Elmhurst Health Sued Over Web Tracker Use appeared first on HIPAA Journal.

CentroMed Facing 2 Class Action Lawsuits Over 350,000-Record Data Breach

El Centro Del Barrio, dba CentroMed in San Antonio, TX, is facing at least two class action lawsuits over a June 2023 cyberattack in which hackers gained access to the personal and protected health information (PHI) of 350,000 patients.

The attack was detected on June 12, 2023, and the forensic investigation confirmed unauthorized access to IT systems first occurred on June 9, 2023. The information accessed in the attack included names, addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, health insurance plan member IDs, and claims data. The affected individuals were notified by mail on August 11, 2023.

CentroMed patients Jasmine Grace and Dawn Leal have each taken legal action against CentroMed over the impermissible disclosure of their personal information and allege CentroMed was negligent for failing to properly secure and safeguard their personally identifiable information, which is now in the hands of cybercriminals.

They both claim they face an imminent, ongoing, and substantial risk of identity theft and fraud and have had to invest considerable time and money into protecting themselves against the misuse of their personal information. The lawsuits also take issue with the length of time it took CentroMed to issue notification letters to patients. CentroMed took two months to issue notifications, although this was within the time allowed under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

The lawsuits allege the defendant violated HIPAA by failing to adequately protect their data and allege negligence, breach of fiduciary duty, and unjust enrichment. Jasmine Grace’s lawsuit was filed in District Court in San Antonio, and she is represented by attorney Samantha Holbrook. The lawsuit seeks $1 million in damages. Dawn Leal’s lawsuit was filed in San Antonio federal court by attorney Joe Kendall and seeks $5 million in damages.

The post CentroMed Facing 2 Class Action Lawsuits Over 350,000-Record Data Breach appeared first on HIPAA Journal.