In June, we discussed a putative class action filed in the Eastern District of Pennsylvania concerning a data breach involving COVID-contact tracing data.  Following the Plaintiff’s filing of an amended complaint, the remaining Defendant has now moved to dismiss on both standing and substantive grounds.  Read on below.

To recap the alleged facts underlying this litigation: Plaintiff alleges that a contractor was retained by the Pennsylvania Department of Health (“DOH”) in the midst of the COVID pandemic to contact individuals who were either diagnosed with or in close proximity to individuals diagnosed with COVID-19. Plaintiff alleges that notwithstanding representations that all protected health information (“PHI”) “obtained in connection with COVID-19 contact tracing would be kept private and confidential, Defendants (including the contractor and Pennsylvania DOH) failed to take “appropriate or even the most basic steps to protect the PHI of Plaintiff and other class members from being disclosed.”  This included the contractor purportedly having employees who used “unsecure data storage and communications methods,” that resulted in the disclosure of Plaintiff’s and class members’ PHI.

After the original complaint was filed, Plaintiff amended the pleadings to remove the Commonwealth of Pennsylvania as a defendant, leaving only the private company contracted to do contact tracing.  She likewise abandoned her negligence per se claim and added a claim for breach of implied warranty, premised on the theory each person who gave their personally identifying information (“PII”) to the Defendant had an implied agreement and/or warranty from the Defendant to keep that information private.

The Defendant’s motion to dismiss first attacks the complaint on standing.  As readers of CPW are aware, one of the most hotly litigated areas in consumer privacy is standing—namely, the existence of a concrete, particularized injury.  Following the Supreme Court’s decisions in Clapper v. Amnesty International, 568 U.S. 398 (2013), Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) and TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), plaintiffs may no longer predicate liability under privacy laws on the fear of future events or precautionary steps taken to avoid injury.  Instead, they must show that they have actually been harmed by a data event in a cognizable and concrete way.

Plaintiff’s amended complaint alleges a variety of common alleged harms in data breach litigation: time, energy, and money devoted to monitoring accounts, substantial risks of future identity theft, the receipt of unwanted phone calls in messages in the days after the breach occurred, and the diminishment of the value of PII.  And Defendant raises the arguments that have resulted, fairly often, in full dismissal of claims on standing grounds: plaintiffs cannot generate harm for the purposes of standing by relying steps taken to avoid harm, the fear of future harm, or spam communications that cannot be fairly attributed to the breach, and cannot imbue an independent monetary value to information that, presumably, a plaintiff would never actually sell.

Defendant also argues that Plaintiff’s negligence, publicity given to private life, and breach of implied warranty claims fail.  The most interesting of these arguments concerns the breach of implied warranty claim, in which Plaintiff alleges that her provision of PII and Defendant’s acceptance of it creates an implied contract and/or warranty to keep the information private.  Defendant’s primary argument is that the scope of the contract, including the scope of Defendant’s duties, is simply undefined.  Plaintiff’s claim also runs into an issue not normally present in data breach litigation: her PII was submitted for COVID contact tracing, the entire purpose of which is to ensure that the information is shared so that a network of contacts can be established.  If PII given to a contact tracer cannot be shared, it is difficult to see why it was given in the first place.

We’ll keep an eye on future briefing in this case, as well as any resolution issued by the Court.  Stay tuned.  CPW will be there to keep you in the loop.

 

Last month, a putative class action lawsuit was filed in federal court concerning a data breach resulting from the alleged improper disclosure of COVID-contact tracing data.  Read on to learn more, and how this case fits more broadly into a trend of data breaches involving the healthcare industry.  Chapman v. Commonwealth of Pennsylvania, et al., No. 1:21-cv-00824 (M.D. Pa.)

As readers of CPW already know from developments this past year, “contact tracing” is used to notify individuals of exposure to COVID-19.  In this case, Plaintiff alleges that a contractor was retained by the Pennsylvania Department of Health (“DOH”) in the midst of the COVID pandemic to contact individuals who were either diagnosed with or in close proximity to individuals diagnosed with COVID-19.

Plaintiff alleges that notwithstanding representations that all protected health information (“PHI”) “obtained in connection with COVID-19 contact tracing would be kept private and confidential, Defendants (including the contractor and Pennsylvania DOH) failed to take “appropriate or even the most basic steps to protect the PHI of Plaintiff and other class members from being disclosed.”  This included the contractor purportedly having employees who used “unsecure data storage and communications methods,” that resulted in the disclosure of Plaintiff’s and class members’ PHI.

The Complaint alleges that Defendants failed to comply with the obligations imposed on them under the Health Insurance Portability and Accountability Act (“HIPAA”).  [Note: HIPAA does not contain a private right of action, so while the Complaint alleges violation of HIPAA, Plaintiff’s claims are not predicated on HIPAA.]  Plaintiff seeks to certify a class consisting of “[a]ll persons in the United States whose PHI was compromised in the Data Breach disclosed by DOH and Insight between March 16, 2020 and April 29, 2021.”

A press release discussing the Data Breach stated that information disclosed may have included: (1) names of individuals who may have been exposed to COVID-19 (and if they experienced symptoms), (2) information about the number of members in their households and their emails and telephone numbers, and (3) information needed for social-support services pertaining to COVID-19 related issues.  However, the information impacted by the breach did not include Social Security numbers, financial account information or payment card information.

The Breach evidently occurred, based on media reports because certain employees of the contractor set up and used several Google accounts for sharing information as part of an “unauthorized collaboration channel” that bypassed the contractor’s network security.

In many ways, notwithstanding the unique factual allegations, the claims and relief sought by Plaintiff are typical of those raised in other data breach and data event litigations.  The Complaint includes claims for: (1) negligence, (2) negligence per se, and (3) publicity given to private life.  The damages sought by the Plaintiff includes, among other things, “equitable relief compelling Defendants to utilize appropriate methods and policies with respect to consumer data collection, storage, and safety, and to disclose with specificity the type of PHI compromised during the Data Breach.”

As the number of data breaches and data events involving entities in the healthcare sector continues to rise, so will the number of lawsuits alleging the improper disclosure of PHI.  For more information on this litigation and other data privacy developments, stay tuned.  CPW will be there.

No supply chain is immune from cyberattacks.  This includes, unfortunately, in regards to the COVID-19 vaccine.

Yesterday the US Homeland Security Department issued a warning that a series of cyberattacks is underway aimed at the companies and government organizations that will be distributing coronavirus vaccines around the world.  Specifically, the attacks target the COVID-19 cold chain (an integral part of delivering and storing a vaccine at safe temperatures).

The warning cautions that “[i]mpersonating a biomedical company, cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials.  The emails have been posed as requests for quotations for participation in a vaccine program.”  It is unclear at this time whether these attacks are for purposes of stealing the technology for keeping the vaccines refrigerated in transit or for sabotaging distribution of the vaccine.

Josh Corman, the chief strategist for healthcare at the US Cybersecurity and Infrastructure Security Agency (“CISA”) commented that this underscored the need for all “all organizations involved in vaccine storage and transport to harden attack surfaces, particularly in cold storage operation, and remain vigilant against all activity in this space.”

Although this warning was specific to the COVID cold supply chain, all organizations should take note as the core strategies utilized by cybercriminals cut across industries.  As CPW’s Elliot Golding and Kristin Bryan have previously commented “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program.  However, many of the most common vulnerabilities can be addressed without complex technical solutions.”  You can read their top five list of practical recommendations to reduce cyber risk here.

 

One of the biggest developments this year in the area of healthcare data privacy concerns information blocking.  What is information blocking?  Good question.  Generally, it refers to a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

In March, HHS finalized two transformative rules with the purpose of providing patients unprecedented safe, secure access to their health data.  In conjunction with this effort, HHS identified eight categories of reasonable and necessary activities that do not constitute information blocking, provided certain conditions are met.

Well, like the rest of this year, COVID has complicated things.  In a significant shift impacting all developers of certified Health IT and health care providers, HHS, Office of the National Coordinator for Health Information Technology (“ONC”) announced an Interim Final Rule with Comment Period (“IFC”) delaying compliance dates and timeframes for information blocking and the health IT certification program. Read CPW’s Kristin Bryan’s and Elliot Golding’s analysis below.

ONC Delays Timeframes for Information Blocking and Changes To Health IT Certification Program

Consulting helpAs businesses in the UK begin to re-open, as the lockdown lifts, they must ensure that they have effective measures in place to combat the spread of the virus within their workplace. This may include physical measures, such as the use of personal protective equipment and restructuring the office or site to enable social distancing. It may also include measures such as the use of temperature testing or thermal imaging cameras, rolling out a ‘track and trace’ app to employees or testing employees for the virus, all of which raise data privacy issues, as they involve the processing of ‘personal data’, which is governed by strict data protection laws. Continue Reading COVID-19: Key Privacy Concerns Raised by the UK’s “Back-to-Work” COVID-19 Safety Measures

United States Capitol

On April 30, 2020, four Republican Senators[1],including the Chairman of the U.S. Senate Committee on Commerce, Science & Transportation, announced that they intend to introduce federal privacy legislation to regulate the collection and use of personal information in connection with the Coronavirus pandemic.  According to the Senators’ press release, the COVID-19 Consumer Data Protection Act (the “Act”) would:

[1] US Sens. John Thune (R-S.D), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.).

Continue Reading Senate to Introduce “COVID-19 Consumer Data Protection Act”

The use of data is a critical tool in the fight against COVID-19. In some cases, this will necessarily involve the use of personal data, which relates to identified individuals and of course, due to the nature of the current crisis, sensitive health data. The UK data protection regulator, the ICO, has made it clear that data protection laws do not seek to prevent the use of data in order to combat the spread of this dreadful disease, but are intended to work in the public interest and enable health and safety to be prioritised where necessary. However, there remains a need to ensure that personal data is used in a proportionate manner with due respect to privacy rights, wherever possible. Continue Reading Data Privacy & COVID-19 in the UK: Q&A on Key Privacy Issues

A coalition of 23 attorneys general are upset with the Consumer Financial Protection Bureau (“CFPB”).

Really upset.

On April 1, 2020, the CFPB issued a policy statement that it intended to relax certain oversight priorities during the current COVID-19 pandemic, and this sent the attorneys general into something of a panic.  Indeed, in a heated letter delivered to the CFPB, the coalition demanded the CFPB retract its position, enforce the law under the Fair Credit Reporting Act (“FCRA”) and not take perceived leniency on Credit Reporting Agencies (“CRAs”) and furnishers during the current pandemic.  But was the loud alarm justified?  Maybe not if one considers the whole picture and collaborative approach the CFPB has taken well before the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) was enacted to protect both consumers and credit reporting operations alike.

Continue Reading Unfair Attack?: 23 State AGs Blast CFPB’s COVID-19 FCRA Response—But is the Criticism Justified?

As the world struggles to deal with the spread of coronavirus disease 2019 (COVID-19), governments are turning to technology to help “flatten the curve” and slow the rate of transmissions. Although Australia has been relatively successful in mitigating the widespread health impacts of COVID-19, the federal government has encouraged all Australians to download its COVIDSafe digital contact-tracing app (the App), citing that the relaxation of COVID-19 restrictions may depend on the App’s take-up by the Australian public. Due to privacy concerns, support for a contact-tracing app has, unsurprisingly, been mixed, even within the government itself.

Australia is not the first country to offer contact-tracing apps as a solution to the current pandemic. In fact, the App is based on Singapore’s TraceTogether app, which launched in late March 2020 and has been released as “open-source” code so that it can be used by other countries. However, contact-tracing is not the only technological measure being introduced to try and stop COVID-19. In Europe, some mobile operators are sharing data with Italian, German and Austrian health authorities to map movements and the concentration of individuals. Some overseas governments have implemented more invasive measures. For example, the South Korean government is using smartphone location data, surveillance footage and credit card records to monitor whether people have been complying with self-isolation measures, while the Chinese government is using surveillance apps to track its citizens’ locations and to prohibit entry into prescribed locations under certain conditions.

In Australia, the App is designed to digitise the manual contact tracing process that already occurs when an individual tests positive to COVID-19. The App uses a “Bluetooth digital handshake”, which logs Bluetooth connections between users’ phones by recording the encrypted hash code of other App users, as well as the date, time, duration and proximity of the contact. This enables the App to record who you were near to for a certain length of time (provided they also have the App installed and running). This data is encrypted at all times while held on a user’s phone (not accessible even to them) and will only be held for a period of 21 days before being automatically deleted. Importantly, the App cannot ascertain where you were, as the App does not collect geolocation data.

In the event that an individual tests positive for COVID-19, they will be asked to upload the history of “digital handshakes” recorded by the App to a secure information storage system. If they consent, their information will then be assessed by state and territory public health officials who will review the data for the purposes of contacting individuals who have recently been in close contact with the infected individual. Individuals notified as a result of contact-tracing through the App will only be informed that they have been in close contact with an individual who has contracted COVID-19. They will not be notified who that individual is, or when and where the contact occurred. The government has committed to shutting down operation of, and deleting all data collected by, the App at the conclusion of the pandemic.

The federal government released the App for download on 26 April 2020. So far, downloads have exceeded expectations, surpassing 1.13 million within the first 12 hours. The government has indicated that the App requires at least 40% uptake in order to be successful. Despite the App’s early success, there are still privacy concerns among the general public, creating a large hurdle in reaching the targeted 40% adoption rate.

The federal government has attempted to alleviate the public’s concerns with the App’s privacy policy, frequently asked questions and summary information reiterating that the data is encrypted, is only used on a consensual basis and will not be used for law enforcement purposes, such as enforcing lockdown restrictions or for general surveillance. To support these claims, the Federal Minister of Health, Greg Hunt, issued a determination under the Biosecurity Act 2015 (Cth) (the Determination) preventing the App’s data from being used for purposes other than contact tracing and limited associated purposes, such as investigating whether a breach of the Determination has occurred. According to Mr Hunt, the new laws will provide that “not even a court order during an investigation of an alleged crime” can access the data. The Determination also ensures that the data remains within Australia, that individuals cannot be required to use the App (for example, to enter a shopping centre or restaurant) and generally supports the limitations contained within the App’s privacy policy and FAQ, including that the data will be deleted after 21 days, that it cannot be uploaded without consent and that the government must delete all App data after the pandemic has concluded, among others).

By enacting the Determination, the government has proactively limited its data use rights further than would have applied had they merely complied with the Privacy Act 1988 (Cth) (the Privacy Act). Despite this, while the Determination’s restrictions are a positive for those concerned, there are a number of matters that still need to be further enshrined in legislation. Unfortunately, the federal government is currently not slated to return to parliament until August; however, the government is attempting to be flexible during this time and has flagged the potential of a May sitting. As such, those not satisfied with the level of protections currently offered by the App, for example the currently ambiguous end date of when the pandemic has “concluded”, may have to wait to have those concerns alleviated.

Regardless of the legislative and legal framework in place, the federal government has historically not had an ideal record on protecting data privacy within its organisations and agencies. For example, in 2016 the OAIC found breaches of the Privacy Act by the Department of Health for weak encryption techniques when protecting public health records and the federal government’s My Health Records system has suffered 115 data breaches across the last three years. These incidents serve as a useful reminder that, despite all the safeguards put in place, there is always the potential risk of data breaches arising from use of the App.

Australian FlagVery few of us in a democratic society, such as Australia, expect our government to trace us through our smartphones. However, the ability for smartphone technology to outpace the spread of COVID-19 means it is a valuable tool that should be considered in the defence against this pandemic. It is clear that the key to success for the government is to address any potential data privacy risks and to educate people on the privacy safeguards of the App, in order to ensure a higher uptake among the populous. Moving forward, it will be the government’s obligation to enforce these protections, protect data from misuse and data breaches and, when it is no longer necessary, roll back the App’s usage in order to return Australian society back to normality as soon as possible.