A proposed class action lawsuit claims that Rush System for Health violated the medical privacy rights of its patients by disclosing their data to third parties without their consent.
The 65-page complaint alleges that the healthcare provider, which does business as Rush University System for Health in Chicago, violated multiple state and federal laws by transmitting personally identifiable information about patients to Facebook, Google and digital advertising company Bidtellect.
As applicable, information shared about patients includes their patient status and communications with Rush regarding conditions, treatments, payments and physicians. The lawsuit also claims that third parties can access patient IP addresses, cookie and device IDs, account numbers, URLs and browser fingerprinting.
The complaint states that Rush may track patient information when a consumer interacts with its home page or MyChart patient portal. MyChart is an online platform where patients can access their medical records and communicate with Rush about “bill payments, doctors, services, treatments, conditions, appointments,” the case relays.
As the case shows, Rush embedded code on its websites to collect and transmit consumer data. The complaint alleges that Rush deploys invisible “third-party source code” like Google Analytics and the Facebook tracking pixel to secretly collect personally identifiable information.
The lawsuit alleges that Rush profits from selling user data to third parties, who use the valuable information for targeted advertising. According to the suit:
“Medical information from healthcare providers derives even more value from not being available to third-party data marketing companies due to strict restrictions on provider disclosures under [the Health Insurance Portability and Accountability Act]state laws and vendor standards, including the Hippocratic Oath. »
The complaint alleges that Rush’s practice of transmitting consumer data without consent violates the Electronic Communications Privacy Act (ECPA), which prohibits anyone from intentionally intercepting any electronic communication and disclosing it to an “unintended recipient.” “.
Additionally, the case alleges that Rush violated his federal duty to protect the confidentiality of his patients. Under the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA), a healthcare provider cannot disclose a patient’s personal health information without their express written consent.
With respect to state law, the lawsuit alleges that Rush violated the Illinois Consumer Fraud and Deceptive Deals Act and the Illinois Uniform Deceptive Marketing Practices Act, which are both designed to protect consumers against deceptive marketing practices.
The lawsuit seeks to represent anyone who, for the full period permitted by law, is or was a patient of Rush University System for Health or any of its affiliates and who accessed Rush’s MyChart patient portal, which caused the transmission of personally identifiable data and communications. to third parties.
Get class action news delivered to your inbox – sign up for ClassAction.org’s free weekly newsletter here.