In a class-action complaint filed this week in Sacramento Superior Court, two plaintiffs allege that Sutter Health is secretly sharing their medical information with Facebook, Google, Twitter and other third parties, impinging on their privacy and opening them up to targeted internet advertising.
Sutter “commandeers the web-browsers of patients and other users and causes personally identifiable data to be sent to third-parties, as well as the exact contents of communications exchanged” between Sutter and its patients, according to the court filing by two plaintiffs identified only as Jane Doe I and Jane Doe II.
Sutter spokeswoman Amy Thoma Tan said the company had not yet been served the complaint but that Sutter takes the safety and security of its patients’ information very seriously.
Essentially, third-party companies can compile a detailed dossier on patients because cooperating websites share the identification numbers that they provide to each site user, according to the plaintiffs’ attorneys at Beverly Hills’ Kiesel Law and New York’s Simmons Hanly Conroy. With those numbers, the attorneys said, the companies can exchange information on individual patients.
“The purpose of defendant’s disclosures to third-parties is marketing,” they stated in the legal filing. “Facebook and Google offer defendant a method by which they can target Internet advertising to specific individuals who are patients or potential patients.”
To do so, Sutter has employed source code on its website that causes disclosures of personally identifiable information “despite explicit privacy promises to the contrary,” the lawsuit alleged. The plaintiffs’ attorneys say Sutter is violating California’s Confidentiality of Medical Information Act, its Invasion of Privacy Act and its Unfair Competition Law. They also allege negligence and other criminal acts.
In order to use any patient’s medical information, the plaintiffs’ lawyers said, a health provider must disclose in a clear and conspicuous manner that it is acquiring the information for that purpose. Jeffrey A. Koncious, the primary attorney on the case, said he would have nothing further to add to the lawsuit at this time.
Los Angeles attorney Carol Scott, who specializes in health care and business law, said that if she were a patient of Sutter Health, she would be upset if her movements on a patient portal were being shared with a third party.
“Patients assume these sort of portals are private,” Scott said. “You’re sharing health care information on those portals. The portal would need to be set up....The fact that you go on it indicates you’re a patient, and that’s the first step to individually identifiable information, confidential information.”
The plaintiffs’ attorneys stated that Sutter shares information such as Internet cookies, the patient’s IP address, unique device identifiers and browser fingerprints. All this electronic data would open up patients’ activities to various types of monitoring and information-sharing, the attorneys said:
- Internet cookies, for instance, are basically bits of information saved by a web browser that allow an individual’s device to be recognized when he or she signs in later.
- IP addresses, short for Internet Protocol addresses, are similar to a home or business address, providing a physical location for a computer or handheld device.
- Browser fingerprinting allows websites to obtain enough information about users to be able to distinguish them from all other visitors to that site.
- Apple-manufactured devices also have unique device identifiers that track users according to their demographics, their activity in Apple’s App Store and more.
By tracking users online, the attorneys said, third-party companies can build a better advertising profile for them, but none of these elements are necessary to operate a patient portal.