It’s all about personal health data–sharing, bad sharing, and bad transfers in this roundup.
VillageMD takes another hit, this time on Meta Pixel ad tracker issues. A class-action lawsuit filed on 10 April charges VillageMD (formally Village Practice Management Company), via its Village Medical website, of using the Meta Pixel ad tracker for disclosing user-protected health information (PHI) and other identifiable information generally classified as PII. This included visitors to their website villagemedical.com seeking information and patient users of Village Medical’s web-based tools for scheduling and the patient portal. The lawsuit by a “John Doe”, a patient since January 2023 resident in Quincy, Massachusetts but brought by three Midwest law firms in the US District Court for the Northern District of Illinois, states that VillageMD used trackers that transferred this personal information to Meta Networks’ Facebook and Instagram, as well as other third parties like Google, for use in targeted advertising, in violation of HIPAA and other regulations. The lawsuit seeks 1) an injunction stopping Village Medical from using ad trackers and 2) monetary redress via damages–actual, compensatory, statutory, and punitive for the entire affected class. The suit also alleges that VillageMD violated its own internal procedures. Crain’s Health Pulse, Healthcare Dive
Readers will recall that in June 2022, STAT and The Markup published a study and follow-ups on Meta Pixel and ad tracker use by healthcare organizations. Ostensibly, the ad trackers were there to better track website performance and to tailor information for the patient [TTA 17 June, 21 June 2022], but they sent information to third parties that violated HIPAA and privacy guidelines. Ad trackers were also monetized. Meta blamed the health systems [TTA 16 May 2023] for misuse though they used the data for ad serving. Congressional hearings, FTC, and DOJ followed later in 2022 and 2023. Multiple class action lawsuits against providers large and small have ensued. Providers have pushed back on FTC and HHS rules on ad trackers, stating the restrictions hamper their ability to build better websites based on customer usage and to serve individuals with useful information.
Another ‘oversharing’ company, troubled telemental Cerebral, whacked with $7.1 million FTC fine on disclosing consumer information via ad trackers plus ‘negative option’ cancellation policy. The proposed order for a permanent injunction filed by the Department of Justice (DOJ) and docketed on 15 April has to be approved by the Federal District Court for the Southern District of Florida. The fine for the company only penalized the following:
- Cerebral released 3.2 million consumers’ information to third parties such as practices, LinkedIn, and TikTok. This included PHI and PII such as names, medical histories, addresses, IP addresses, payment methods including insurance, sexual orientation, and more. Even more outrageously, they also used the mail for postcards that had sensitive information such as diagnosis printed on them. The insult on injury was that Cerebral failed to disclose or buried information on data sharing to consumers signing up for their ‘safe, secure, and discreet’ services. Cerebral now has to restrict nearly all information to third parties.
- Cerebral also set up their service cancellation as a ‘negative option’ cancellation policy, which in reality meant that it was renewed indefinitely unless the customer took action to cancel. It was not adequately disclosed in violation of the federal Restore Online Shoppers’ Confidence Act (ROSCA). Then Cerebral made it extremely difficult to cancel by instituting a complex procedure that required multiple steps and often took several days to execute. They even eliminated a one-step cancel button at their then-CEO Kyle Robertson’s direction. The order requires this to be corrected including deleting the negative option.
- Former employees were not blocked from accessing patient medical records from May to December 2021. It also failed to ensure that providers were only able to access their patients’ records.
Cerebral’s settlement with the FTC and DOJ breaks down to $5.1 million to provide partial refunds to consumers impacted by their deceptive cancellation practices. They also levied a civil penalty of $10 million, reduced to $2 million as Cerebral was unable to pay the full amount. The decision and fine do not cover charges to be decided by the court against the former Cerebral CEO Robertson due to his extensive personal involvement in these practices. Those have not been settled and apparently were severed from the company as a separate action (FTC case information). Since 2022, Mr. Robertson has consistently blamed company management and investors for pushing for bad practices such as prescribing restricted stimulant drugs. Cerebral countersued him for defaulting on a $49.8 million loan taken in January 2022 to buy 1.06 million shares of Cerebral common stock. More to come, as the order also does not address other Federal violations under investigation, such as those under the Controlled Substances Act. FTC release, FierceHealthcare
VA to possibly resume Oracle Cerner EHR implementation at VA sites before the end of FY 2025, even if not in budget. During House Veterans’ Affairs Committee hearings on FY 2025 and 2026 budgets, VA Secretary Denis McDonough last Thursday (11 April) said that the VA intends to resume deploying the Oracle Cerner EHR as part of VA’s Electronic Health Records Modernization (EHRM) before the end of FY 2025. As Federal years go from October to September, FY 2025 starts October 2024 and ends September 2025. When asked if VA plans to maintain the “program reset” as they termed it in April 2023 for all of FY25, Secy. McDonough said that “we do not.”However, there is no budget allocated for additional implementations in either FY. The plan is to use carryover funding.
Oracle Cerner’s Millenium EHR was implemented at five VA locations before suspending in April 2023 for a massive re-evaluation which involved reworking systems such as the Health Data Repository which created critical scheduling and pharmacy problems detailed by the Office of Inspector General (OIG) [TTA 28 Mar]. The joint VA and MHS/Genesis Lovell FHCC implementation, which went live in March, is not included. NextGov/FCW, Healthcare Dive
And in another dispute about data sharing, leading EHR Epic cut off requests made by some Particle Health customers, expressing concern about privacy risks. Particle Health is a health data exchange API platform for developers. Both Epic and Particle are part of Carequality, a large scale data exchange group that connects 600,000 care providers, 50,000 clinics, and 4,200 hospitals to facilitate the exchange of patient medical records On 21 March, Epic filed a dispute with Carequality that some of Particle’s users “might be inaccurately representing the purpose associated with their record retrievals.” and stopped responding to some Particle Health customer queries. This has now degenerated into a ‘who said what‘ dispute, with Particle and their CEO alleging that Epic implied that it completely disconnected Particle Health and its customers from Epic’s data, while Epic has said that after a review by its 15-member Care Everywhere Governing Council, they flagged three companies who were using Particle’s Carequality connection to access data not related to patient care or treatment. There’s also a larger concern being brought up by providers on the use of these mass data exchanges for fraudulent extraction of data or use that would violate HIPAA guidelines. FierceHealthcare, CNBC, Becker’s, Morningstar
Leave a Reply