Is Website Metadata Really Controlled by HIPAA
The HHS’ Office for Civil Rights introduced guidance in 2022 about HIPAA and website tracking technologies and stated that protected health information (PHI) disclosure to third parties through website tracking technologies is a HIPAA violation except if the patient’s authorization is obtained or if a business associate agreement (BAA) is in place. OCR and the Federal Trade Commission likewise warned 130 healthcare and telehealth companies regarding tracking technologies they put on their websites as OCR has prioritized enforcement of HIPAA violations associated with website tracking tools.
Nevertheless, an Illinois court questioned the interpretation of OCR that metadata is controlled under the Health Insurance Portability and Accountability Act during its ruling on a class action lawsuit involving a healthcare company’s patient data disclosure through website tracking technologies.
The Marguerite Kurowski and Brenda McClendon versus Rush System for Health d/b/a Rush University System for Health lawsuit was submitted in the District Court for the Northern District of Illinois, Eastern Division. It was alleged that the defendant put a third-party tracking code on its website and on its MyChart patient portal. That resulted in the disclosure of the plaintiffs’ individually identifiable health information (IIHI) to Facebook, Bidtellect, and Google for marketing purposes.
The lawsuit was at first dismissed for the inability to assert a claim besides requesting injunctive relief, then a corrected complaint was filed that stated similar 5 claims and also another 6. The lawsuit claimed breach of an implied duty of confidentiality; violations of the federal Wiretap Act as modified by the Electronic Communications Privacy Act of 1986, the Illinois Uniform Deceptive Trade Practices Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Illinois Eavesdropping Act; intrusion upon seclusion; trespass to chattels; breach of contract; breach of the duty of good faith and fair dealing; publication of private facts; and unjust enrichment.
Rush filed a motion to dismiss the modified lawsuit and the court approved the motion for all counts apart from the breach of contract and Illinois Eavesdropping Act claims. The lawsuit stated that according to the OCR guidance, IIHI disclosure to Meta, Bidtellect, and Google was a violation of HIPAA violation; nevertheless, in the decision dismissing the wiretapping allegation, the court refused to use as basis the HHS bulletin for evaluating liability as per federal wiretapping rules and likewise asked if website metadata is considered as IIHI.
District Judge, Matthew F. Kennelly, said that the interpretation of IIHI provided by HHS in its guidance goes over the meaning of what the statute can keep. As simply described, based on section 1320d(6), IIHI refers to the past, present, or future physical or mental wellness or ailment of a person, the giving of health care to a person, or the past, present, or future payment for medical care given to a person. The kind of metadata, which Kurowski claims was transmitted through third-party source code doesn’t at all fit into that classification.
Although it is likely that data exposed in personal communications between the plaintiff and the defendant through the website could have been sent to third parties and the sent data may be eligible as IIHI, the plaintiff asserted that it was irrational to expect her to expose that kind of intimate data she sent to the accused in her complaint. Kurowski may have asked to file the complaint under seal wrote Kennelly. “Kurowski cannot fairly expect to file a lawsuit associated with the attack of her healthcare privacy and totally avoid exposing what is alleged that Rush exposed to third parties.
Orrick, Herrington & Sutcliffe Faces Lawsuit Because of Ransomware Attack and Data Breach
The law agency, Orrick, Herrington & Sutcliffe LLP based in San Francisco, CA, is facing a class action lawsuit due to a ransomware attack and data breach that was discovered on March 13, 2023. The law agency found out that a section of its system was breached by an unauthorized third party, which acquired access to a file share for storing client files. It immediately blocked the unauthorized access; nevertheless, the forensic investigation revealed that files made up of personal data were extracted from its servers from February 28 to March 13, 2023. The exposed data contained names, addresses, birth dates, and Social Security numbers. The law agency provided the impacted persons with free identity theft protection and credit monitoring services.
On August 11, 2023, the filing of a lawsuit in the U.S. District Court for the Northern District of California was made on behalf of plaintiff Dennis R Werley, and over 152,818 likewise situated people whose personal data was exposed in the attack. The lawsuit claims the law agency didn’t use sufficient and acceptable measures to safeguard its computer solutions, didn’t take enough steps to avoid and stop the security breach, didn’t discover the breach promptly, didn’t expose material details that enough system security steps weren’t in place to stop data breaches, didn’t respect promises and representations to safeguard the data of the breach victims, then didn’t give prompt notices. Based on the lawsuit, because of the Defendant’s inability to safeguard the Breach Victims’ Personal Data, cybercriminals had stolen everything they could possibly need to carry out almost any imaginable type of identity theft and cause problems in the financial and private lives of possibly millions of people.
The lawsuit claims the plaintiff and class members who suffered privacy violations and were affected by identity theft and fraudulence or were subjected to an increased and impending risk of identity theft and fraud, and have and will keep incurring out-of-pocket expenses for credit freezes, credit monitoring services, and other safety measures. The lawsuit consists of a long listing of cybersecurity actions that the law agency could and must have carried out to stop the data breach yet didn’t do so.
The lawsuit claims breach of implied contract, negligence, negligence per se, invasion of privacy, breach of confidence, breach of fiduciary duty, and wants a jury trial, sufficient credit monitoring services, compensatory damages, and injunctive relief, which include a court order demanding the law agency to carry out security steps to stop potential data breaches.