https://www.virginiamasonprivacyclassaction.com
I just got an email about this. My local health system was bought out by this larger one a few years back. They are being sued by some unnamed individuals for allegedly putting pixels on web pages patients use, designed to scrape off patient data and send it to Google and other parties. Really serious violation of HIPAA (a law to ensure patient information is kept private).
"The lawsuit claims that Virginia Mason placed tracking pixels on its website that transmitted patients’ personally identifiable information, their status as patients of Virginia Mason, and their communications with Virginia Mason to Facebook, Google, Signal, and The Trade Desk. The alleged communications included medical-related information and providers patients view on Virginia Mason’s website, and when patients enter or exit the patient portal and request or set appointments."
Why would they do that? I mean, what's in it for them? Are these third parties actually paying the hospitals to harvest this information, or is there supposed to be some other benefit? Does Google et al. in turn provide this information to insurance companies? My initial reaction is this is a pretty murky deal here.
I always thought it was the Health Information Privacy and Protection Act, but it is actually the Health Information Portability and Accountability Act. I am thinking these organizations are legally able to acquire the data if they are HIPAA compliant. I doubt they are though.
Nice link. Thanks, eric23, I wasn't sure what a pixel could do.
I should note, "Virginia Mason Franciscan Health denies the claims raised in the lawsuit. No medical-related information, nor communications between a doctor and patient, have been transmitted to third parties," a news release from the health system reads.
Virginia Mason said it routinely reviews its practices to ensure HIPAA compliance.
But this was concerning:
From https://www.vmfh.org/terms-of-service
"To promote your interests and improve your overall experience with the Online Services, you may submit content to us, your healthcare provider, or a caregiver by posting messages, creating or modifying a home page, chatting, uploading files, inputting data, or transmitting e-mail through Your Account. When you submit content to us you provide us and our service providers an unrestricted, perpetual, worldwide license to use your content in any manner. We may translate, adapt, communicate, publish, publicly perform, publicly display, transmit and distribute your content. You warrant and represent you have the necessary rights to grant us and our service providers a license to your content. This license continues even if you stop using the Online Services."
What? "When you submit content to us you provide us and our service providers an unrestricted, perpetual, worldwide license to use your content in any manner." An email to my doctor, data I upload for my doctor's use, a message I post, files I upload... "an unrestricted, perpetual, worldwide license." "This license continues even if you stop using the Online Services." I guess that means there is no deletion; once given, it's theirs.
In the Health Insurance Portability and Accountability Act there is PHI (protected health information):
1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
see https://cphs.berkeley.edu/hipaa/hipaa18.html.
I think they have 'universally no right' to share any content that in any way can be used to identify me. Legally, I think we do have some good protection. But are there or were there nefarious pixels around the patients' web portal?
You may be interested in this reporting on it:
Another good website I'll keep my eye on. Apparently, themarkup.org threw a rock in the pool and this lawsuit might be one of the ripples. Since this lawsuit mentions Facebook, Google, Signal, and The Trade Desk, I wonder if there is more than one of these pixels involved.