
University of Rochester Medical Center Settles for $2.85 Million Over Data Privacy Issues

Reviewed by: James Bilsborrow
June 9, 2025

Weitz & Luxenberg has reached a $2.85 million settlement with the University of Rochester Medical Center (URMC) in a data privacy class action lawsuit. The lawsuit was over URMC violating patient trust by collecting personally identifiable information and nonpublic personal information. Facebook could use the information URMC collected for monetary gain.

“Patients must trust medical institutions to guard not only their health, but also their personal data. When that trust is violated, the organizations responsible must be held accountable. Weitz & Luxenberg does just that,” emphasizes W&L attorney James Bilsborrow. He spearheads W&L’s consumer protection team, with a focus on liability due to emerging technologies.

A Win for Patients

Mr. Bilsborrow and the W&L team once again demonstrate one of our law firm’s founding principles. We want to champion the cause of people unjustly harmed and to obtain justice for them.

In this legal case, it was the use of technology in an unethical and illegal manner that was doing harm to people who sought medical help.

Mr. Bilsborrow observes, “Today, people are rightfully concerned about their data privacy because they’re tired of companies selling their sensitive information without consent. A patient shouldn’t have to worry about their healthcare provider monetizing their data this way. My team and I are proud to help patients fight back and force large institutions to justly compensate victims for violating their privacy.”

What Happened to Patient Data?

Every time a patient shared medical information at URMC, that information was illegally disclosed to Facebook through the use of the Facebook Tracking Pixel. The lawsuit alleged URMC:

  • Invaded their patients’ privacy.
  • Breached their contract by sharing patients’ confidential information with a third party.
  • Breached their implied contract with patients.
  • Secured unjust financial enrichment.

The potential harms of what the URMC has done are significant. Personal, intimate, or confidential medical information provided on the URMC web-based properties, such as the URMC MyChart, was potentially accessible to Facebook. But patients did not agree to share their confidential medical information with Facebook.

Facebook uses that information for targeted marketing of products and services to individual customers. Even worse, employers might use this information to discriminate against individuals. And insurance companies may increase the patient’s premiums.

Data Privacy Laws

Data privacy laws are there to protect patient rights regarding use of their information. “Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others.” (1)

These laws exist at both the state and federal levels. Businesses and governments must comply with these laws. (2)

Governments and businesses must protect: (3) (4)

  • Personal information.
  • An individual’s personal autonomy.
  • The trust patients put in their health care systems and financial institutions.
  • A person’s livelihood and daily living against fraud.

Mr. Bilsborrow says, “By holding medical institutions responsible for violations of data privacy laws, W&L seeks to deter further abuses. When they occur, we help mitigate the harm inflicted upon patients.”

Settlement Avoids More Litigation

URMC initially filed a motion to dismiss the lawsuit. However, the court determined it was plausible that URMC had violated the Wiretap Act. (5)

The Wiretap Act is also known as the Omnibus Crime Control and Safe Streets Act of 1968. This act “prohibits the unauthorized, nonconsensual interception of ‘wire, oral, or electronic communications’ by government agencies as well as private parties.” (6)

URMC denies any use of tracking technology in the patient portal or electronic medical record system. It says it is settling the case only to avoid the risk of continuing litigation. (7)


Claims Eligibility

Under the terms of the settlement, people who used URMC’s MyChart Patient Portal between January 11, 2021 and January 11, 2023 may submit claims. Also eligible are people who filled out forms on URMC’s website between January 2018 and June 12, 2023. Claims must be filed by July 21, 2025. (8) (9)

A settlement website was established to provide information to class members. The website should help class members receive benefits from the settlement. (10)
