“Patients trusted that communications and queries directed at Rush, their health care provider, would be kept private,” Kennelly wrote. As such, the alleged future harm does support a claim for injunctive relief.įinally, Kennelly tossed the invasion of privacy claim, based on intrusion upon seclusion, by restating his assertion Rush was the intended recipient of the communications supporting the lawsuit. Although Rush argued it isn’t deceiving patients, Kennelly said the women remain Rush patients, must use the hospital’s online services to obtain medical care and none of Rush’s legal defenses suggest it stopped using the contested source code. Regarding the Uniform Deceptive Trade Practices Act claim, Kennelly said the law’s only remedy is an injunction, meaning the women can’t pursue financial damages, at least in part because they didn’t allege financial loss. The complaint also failed to alleged the type of “actual, pecuniary loss” the Illinois Consumer Fraud and Deceptive Business Practices Act requires, Kennelly said, finding no basis under the state law to allow a lawsuit based only on a “privacy injury.” “It does not contemplate the protection of a patient's name, IP address, cookie identifier or other device-related identifying information unconnected with information about the patient's care.” “Rush's privacy notice contemplates the protection of care-related patient information,” Kennelly wrote. Even if that were the case, he added, scope is limited to legal violations of doctor-patient privilege. He also agreed with Rush that Illinois law doesn’t allow breach of the implied duty of confidentiality lawsuits for disclosing private health information. Rush is a licensee, he explained, buying M圜hart service through its creator, Epic, which isn’t a party to the lawsuit. Kennelly further rejected plaintiffs’ argument that Rush, by providing access to M圜hart, reaches the legal definition of an electronic communication service. Department of Health and Human Services guidance suggesting online tracking technology can violate the Health Insurance Portability and Accountability Act, he agreed with Rush “that such regulatory guidance only applies prospectively.” He said the complaint includes hypothetical suggestions regarding what might happen when anyone clicks on certain parts of Rush’s website, not what happens when an actual Rush patient uses M圜hart. He further explained the complaint doesn’t have enough allegations “to support an inference that Rush disclosed its patients’ individually identifiable health information.” Kennelly said federal appeals courts have split on arguments about the so-called “party exception” clause, but noted none have answered whether a defendant is legally considered a party to an intercepted communication.īecause he determined Rush was the intended recipient of information, such as an appointment scheduling request, Kennelly said the nonprofit hospital company can’t be liable under the Wiretap Act. In arguing for dismissal, Rush said the Wiretap Act is a party to the communications with its patients and therefore can’t be held liable for alleged data interception on the part of Facebook, Google or Bidtellect. District Judge Matthew Kennelly granted Rush’s motion to dismiss everything aside from the Deceptive Trade Practices Act allegation. The technical aspect of allegations involve Rush’s use of Google Tag Manager on its website, which the plaintiffs said is a nested frame that “funnels web bugs for third parties to secretly acquire the content of patient communications without any knowledge, consent, authorization or further action of patients.” Rush insisted the “bugs” in question are metadata commonly transmitted during routine website use. Their federal lawsuit includes claims for violation of the federal Wiretap Act - as amended in 1986 by the Electronic Communications Privacy Act - and breach of implied duty of confidentiality, as well as violating both the Illinois Consumer Fraud and Deceptive Business Practices and Uniform Deceptive Trade Practices acts and intrusion upon seclusion. The women further alleged the source code transmits personal patient data to Facebook, Google and Bidtellect for advertising. Marguerite Kurowski and Brenda McClendon alleged Rush, with deceit and without consent, embedded third-party source code on both its website and the M圜hart patient portal, a widely used website and smartphone application for medical records, appointments, prescriptions, test results and other information. A federal judge has almost entirely dismissed a class action lawsuit accusing Rush University Health System of exposing private patient information through use of the M圜hart digital service.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |