Rush University System for Health Hit with Class Action Over Alleged Disclosure of Patient Info to Third-Party Advertisers

by Kelly Mehorter
Kurowski et al. v. Rush System For Health
FILED: SEPTEMBER 30, 2022
CASE: 1:22-CV-05380

A class action claims that Rush System for Health has disclosed patients' data to third parties without consent.

DEFENDANT(S)
Rush System For Health

LAW(S)
Electronic Communications Privacy Act of 1986

STATE(S)
Illinois

A proposed class action claims that Rush System for Health has violated the medical privacy rights of its patients by disclosing their data to third parties without consent.

The 65-page complaint alleges the healthcare provider, which does business as Rush University System for Health in Chicago, has violated several state and federal laws by transmitting personally identifiable patient information to Facebook, Google, and digital advertising company Bidtellect.

Per the case, the shared information includes individuals' status as patients and their communications with Rush about conditions, treatments, payments, and doctors. The suit also claims that third parties can access patients' IP addresses, cookie and device identifiers, account numbers, URLs and browser fingerprints.

The complaint says that Rush can track patient information when a consumer interacts with its homepage or the MyChart patient portal. MyChart is an online platform where patients can access their medical records and communicate with Rush about "bill payment, doctors, services, treatments, conditions, appointments," the case relays.

As the case tells it, Rush has embedded code on its websites to collect and transmit data about consumers. The complaint alleges Rush deploys invisible "third party source codes" like Google Analytics and the Facebook tracking pixel to secretly gather personally identifiable information.

The suit alleges Rush profits from selling user data to third parties, who use the valuable information for targeted advertising. According to the suit:

"Medical information derived from medical providers garner even more value from the fact that it is not available to third party data marketing companies because of strict restrictions on provider disclosures under [the Health Insurance Portability and Accountability Act], state laws, and provider standards, including the Hippocratic oath."

The filing charges that Rush System’s online privacy policy fails to inform users that the provider discloses patient data to third parties. The case claims that Rush falsely assures consumers it will securely protect any information collected through its website from outside advertisers.

The complaint alleges Rush's practice of transmitting consumer data without consent violates the Electronic Communications Privacy Act (ECPA), which prohibits any person from intentionally intercepting any electronic communication and disclosing it to an "unintended recipient."

Further, the case contends that Rush has breached its federal obligation to protect the confidentiality of its patients. Under the Health Insurance Portability and Accountability Act Privacy Rule (HIPAA), a medical provider cannot disclose a patient's personal health information without express written consent.

As for state legislation, the suit alleges Rush has violated the Illinois Consumer Fraud and Deceptive Business Act and the Illinois Uniform Deceptive Trade Practices Act, both of which are designed to protect consumers against misleading business practices.

The lawsuit looks to represent anyone who, during the fullest period allowed by law, is or was a patient of Rush University System for Health or any of its affiliates and who accessed Rush's MyChart patient portal, which caused the transmission of personally identifiable data and communications to third parties.