Telehealth provider MDLive is facing allegations that the company failed to maintain patient privacy by sharing screenshots of confidential medical information with a third party.
The class action lawsuit, filed earlier this week by MDLive app user Joan Richards, alleges the telehealth provider took continuous screenshots during the first 15 minutes of use as patients were prompted to enter personal medical information regarding allergies, procedures and behavioral health history. The company took an average of 60 screenshots during that time frame, according to the complaint.
Unbeknownst to the patients, MDLive transmitted those screenshots to a third-party tech company called TestFairy, based in Israel, contracted to identify potential bugs and track user experience. The suit alleges that the screenshots are also accessible to MDLive employees through an unrestricted database.
“MDLive does not disclose to patients that it captures screenshots of medical information or that it transmits screenshots to TestFairy,” the complaint states. “Nor does MDLive provide any justification for the wholesale disclosure of patients’ medical information to TestFairy (likely because screenshots of patients entering medical information offers little to no value in ensuring proper app functionality or bug testing).”
MDLive did not respond to a request for comment.
According to the company’s website, the MDLive has “the nation’s largest telehealth network.” For a flat fee of $49, patients can access telehealth physicians on-demand who treat minor health conditions like allergies, cough, flu and respiratory problems and send e-prescriptions to local pharmacies. The company expanded its behavioral health unit last year to treat depression, addiction and panic disorders.
A study published last year found the quality of urgent care varies widely among telehealth providers. Experts have cautioned that patient data privacy concerns could bubble to the service as telehealth gains traction.
Following the publication of this story, an MDLive spokesperson sent FierceHealthcare the following statement:
"Protecting patient privacy and confidentiality is a top priority for MDLIVE. We have confirmed that patient information is safe and we have located no evidence of any breach of HIPAA. Our services, policies and procedures are designed to keep personally identifiable information secure and meet the strictest legal and regulatory standards. The claims of this lawsuit are entirely without merit, and we will immediately seek its dismissal."