Atrium Health is facing a lawsuit in N.C. Business Court in which plaintiffs claim that “highly sensitive” patient information was “deliberately disclosed” to third-party media platforms, such as Google and Facebook/Meta.
The complaint is filed as Hill vs. The Charlotte-Mecklenburg Hospital Authority, which does business as Atrium. The lawsuit, with Darielle Hill as lead plaintiff, was filed Dec. 6 in Mecklenburg Superior Court.
The patient information disclosure may include:
- Demographic information, such as email address, phone number, computer IP address and contact information entered into emergency contacts or advanced care planning;
- Appointment type and date;
- Physician selected;
- Button/menu selections, and/or content typed into free text boxes.
The lawsuit was designed as a mandatory complex business case on Jan. 13, per the request of the authority.
People are also reading…
Atrium issued on Dec. 2 a news release offering an apology for a potential disclosure of patients’ personal information that predates the COVID-19 pandemic and its October 2020 acquisition of Wake Forest Baptist Medical Center.
The personal information was made available between January 2015 and July 2019.
Atrium did not disclose how many potential affected patients in the news release.
However, the lawsuit includes Atrium filed a notice of a data breach, also on Dec. 2, with the Office of Civil Rights of the U.S. Department of Health and Human Services. That notice listed the data breach affecting 585,959 patients.
“Atrium Health apologizes for any concern or inconvenience this may have caused and remains committed to protecting the confidentiality and security of its patients’ information,” according to a statement. “Only patients receiving care in our Charlotte-area facilities would have been using the portal at that point in time.”
Besides requesting compensatory damages for economic and non-economic harm and punitive damages, the lawsuit wants Atrium: prohibited from sharing class-action members’ private health information; to alert those patients whose information was shared without consent; and required to remove all patient health information from the third-party media platforms.
Atrium said the N.C. Business Court is the proper venue because it has handled similar lawsuits involving “the ownership, use, licensing, lease, installation, or performance of intellectual property, including computer software, software applications, information technology and systems, data and data security.”
The complaint alleges Atrium disclosed the patient information to the media platforms as a part of “decision to dominate the regional healthcare markets by installing tracking technologies on its website to collect its patients’ personal health information.”
The plaintiffs claim the disclosures were done for “marketing purposes.”
“Atrium encouraged and required patients to communicate their private information via its web properties … to obtain and manage their appointments, access medical forms, view medical records and test results, pay medical bills and more.”
“At all times, plaintiff and class members had a reasonable expectation that the private information they communicated via the web properties in conjunction with their medical care would remain private, secure and would only be used for their medical treatment.
“It broke this promise.”
Atrium response
Atrium said in its Dec. 2 statement that “based on the health system’s review, no Social Security number, financial account, credit card or debit card information was involved.”
“There is no evidence any information that may have been shared with these third parties has been misused in any way.
“Moreover, the nature of the information that could have been collected would be very unlikely to result in identity theft or any financial harm.”
Atrium said it determined that during the January 2015 to July 2019 time period, “certain online tracking technologies were active on its MyAtriumHealth (formerly MyCarolinas) patient portal available through both its website and mobile application.”
“These commonly used technologies were utilized to help operate certain website features and enhance the online experience for users.”
Atrium said users may have been impacted differently, based on: their choice of web browser; the configuration of their browser(s); their blocking, clearing or use of cookies; whether they had accounts with third-party vendors, such as Meta, Google or similar media platforms; and the specific actions taken on the platform by the user.
“As it is not possible to conclusively determine what data was transmitted to third parties, out of an abundance of caution, the health system has assumed that all users whose MyAtriumHealth or MyCarolinas patient portal was accessed from January 2015 to July 2019 may have been affected.”
A dedicated call center has been established to answer questions people may have at 866-676-6532 weekdays from 9 a.m. to 6:30 p.m.
This post was originally published on here
