Imagine having your HIV-positive status disclosed to everyone in your small town — or everyone in the world. This recently happened to thousands of people who had their status disclosed through two separate privacy breaches.
CVS Health inadvertently revealed the HIV status of approximately 6,000 Ohio residents by mailing out letters in envelopes that displayed their participation in an HIV drug-assistance program. Three people have already filed a class-action lawsuit against CVS for the disclosure.
Both disclosures come with significant ediscovery implications. As to CVS, expect litigation to center on who approved the mailings and what process was used to create them. “It’s surprising that a company that regularly deals with medical records and HIPAA penalties wouldn’t have a heavily vetted, very rigorous process for mailings,” said Charles N. McGee III, a lawyer in the strategic discovery and information management practice of Murphy & McGonigle PC. It’s all the more surprising given that Aetna recently paid over $17 million for making the same mistake last year.
If litigation follows the Grindr disclosure, there will be myriad challenges. “Anytime you’re dealing with an app, the collection process can be very difficult. It’s definitely not one-size-fits-all,” McGee stated. Determining whether data is stored on the individual’s phone or in the cloud is the first hurdle, although in this situation, it’s likely that individual collections would be bypassed in favor of collecting data directly from Grindr and its vendors.
“Situations like the Grindr disclosure reinforce the fact that there’s no true privacy on the internet,” McGee warned. “Companies need to adopt the strictest standard applicable in their field for how they deal with personal data” to avoid repercussions, particularly in an age of increasing international data privacy concerns.
The Grindr situation also highlights a concern that is common with ediscovery: it’s not just the privacy screening measures of the company you provide data to that you have to worry about — it’s also the security of any third parties that company may share data with. This is true whenever data is shared, even with ediscovery vendors. Choose wisely!