A class action suit filed in the U.S. District Court of the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App that secretly captures patients’ sensitive health information and unbeknownst to the patients, transmits their health information to an off-shore third party tech company. The suit also alleges that contrary to MdLive’s representation that it respects and takes patient privacy “very seriously,” MDLive fails to restrict access to a patient’s health information only to the patient’s healthcare provider but instead grants broad access to its employees (including software developers), agents and third parties. The suit also alleges that MDLive breached its contract with the patients by failing to implement adequate security measures to ensure that access to their health information was appropriately restricted (such as through the use of encryption). 

The plaintiff, Utah resident Joan Richards, seeks to certify a class that she estimates will number in the thousands. The complaint includes counts for breach of contract, intrusion upon seclusion, fraud, unjust enrichment, violation of the Utah Truth in Advertising Law and Consumer Sales Practices Act, and seeks injunctive relief, damages over $5 Million and attorney’s fees. 

MDLive’s website states that its “industry-leading HIPAA and PHI-compliant, cloud-based platform helps consumers, health plans, health systems and self-insured employers obtain better, faster care that’s more convenient than visiting a doctor’s office and far more cost-effective than going to the ER or Urgent Care for routine ailments.” 

According to the complaint, MDLive created the MDLive App which promises consumers “Virtual Healthcare, Anywhere”, and through this App offers patients remote access to healthcare providers via telephone or video chat for a fee of $49. Patients must first download the App and must enter their medical history, including their allergies, health conditions, behavioral health history, family medical history, and any recent procedures. Under the “Behavioral Health History” category, patients are asked to specify what health conditions they suffer from, such as bipolar disorder, substance abuse, schizophrenia, depression, etc.

The App claims that it can connect users with a doctor within 15 minutes and that all personal medical information will remain confidential. During these first 15 minutes of access, the App “continuously takes screenshots of patients’ screens”, alleged to be, “an average of 60 screenshots”. The App is programmed to transmit those screenshots to an overseas third party tech company, Test Fairy. Test Fairy claims that by directly tracking user interactions within an app, it can eliminate the need to obtain feedback from beta testers.

This class action suit lawsuit underscores that companies must be mindful not only of the potential applicability of HIPAA but also state privacy, consumer protection and other laws. For example, a privacy policy may be used to support a breach of contract or fraudulent misrepresentation claim. As new technologies and practices emerge, companies should continue to periodically verify that their collection, use, and disclosure of personal information are in accordance with their published privacy policies and notices.