Medtronic, Edward-Elmhurst Health and UnitedHealthcare Services Lawsuits

The medical device company Medtronic, based in Minneapolis, MN, and the Illinois health system Edward-Elmhurst Health are facing class action lawsuits over their use of website tracking technologies, which transmitted sensitive customer information to third parties like Meta and Google.

Medtronic MiniMed and MiniMed Distribution Corp Lawsuit

Medtronic MiniMed Inc. and MiniMed Distribution Corp (Medtronic) are facing a lawsuit for using tracking technologies in the InPen diabetes management application.

The A.H. v. Medtronic MiniMed Inc. and MiniMed Distribution Corp lawsuit was filed on behalf of plaintiff A.H. and similarly situated persons who had their sensitive data exposed to third parties through Google Analytics, Crashlytics, and Firebase. The lawsuit was filed in the District Court for the Central District of California.

Medtronic notified the HHS’ Office for Civil Rights about the data breach last April, reporting it as impacting 58,374 persons, and informed clients about the impermissible disclosure of IP addresses, email addresses, telephone numbers, unique identifiers linked to InPen accounts or mobile devices, InPen App usernames and passwords, and timestamp data for InPen App events. Medtronic does not use Google Analytics and is shifting from Firebase and Crashlytics authentication to other reporting and authentication systems.

The lawsuit alleges that Medtronic put monetary gain over privacy when it intentionally added these tools to the application to access and generate income from user information. It also states that Medtronic broke its own privacy policy, which said that it kept InPen app user information private and would not share user data with third parties for advertising purposes without written authorization.

The lawsuit alleges the following violations: breach of confidence, breach of fiduciary duty, common law invasion of privacy, unjust enrichment, intrusion upon seclusion, negligence, breach of implied covenant & fair dealing, breach of implied contract, and violations of the California Invasion of Privacy Act (CIPA), the Electronic Communications Privacy Act (ECPA), and New York General Business Law.

The lawsuit seeks a jury trial, class action status, damages, attorneys’ fees, equitable and injunctive relief, and extended credit monitoring services to make sure that app users have their privacy secured. Attorneys from the law firms Milberg Coleman Bryson Phillips Grossman, PLLC, Chestnut Cambronne PA, and Markovits, Stock & Demarco, LLC represent the plaintiffs and class.

Edward-Elmhurst Health Lawsuit

The lawsuit filed against Edward-Elmhurst Health, Arnold Stein and Diane Miller v. Edward-Elmhurst Health, in Cook County Circuit Court claims a violation of patient privacy because of the use of the Meta Pixel tracking code on its websites, which patients use to schedule appointments at treatment centers and other healthcare facilities.

According to the lawsuit, the Meta Pixel tracking code was used on the websites without the awareness of users and transmitted “every click, keystroke and information regarding their health treatment” to Facebook. That data was linked to specific users via their Facebook IDs. The lawsuit states the data sent to Facebook was used for advertising purposes in an attempt to boost Edward-Elmhurst Health’s profits.

The lawsuit claims the disclosures violated the Illinois Consumer Fraud and Deceptive Business Practices Act, the Illinois Eavesdropping Statute, and HIPAA. The lawsuit seeks attorneys’ fees, actual and punitive damages, and an injunction to prevent Edward-Elmhurst Health from committing further patient privacy violations by means of tracking technologies. Lawyers from Stephan Zouras, LLP and Almeida Law Group LLC filed the lawsuit.

UnitedHealthcare Services Faces Lawsuit Because of the MOVEit Transfer Data Breach

Student healthcare insurance company UnitedHealthcare Services, dba UnitedHealthcare Student Resources, is facing a class action lawsuit because of the MOVEit Transfer data breach that occurred in May 2023. The lawsuit was filed by plaintiff Kelly Abramowitz and alleges the health insurance company did not employ proper security procedures to protect the protected health information of plan members.

Many companies became victims of the attacks, which took advantage of a zero-day vulnerability found in Progress Software’s MOVEit Transfer file transfer tool. Progress Software made a patch available to resolve the vulnerability on May 31, 2023; nevertheless, the Clop ransomware group had already taken advantage of the vulnerability and extracted sensitive information. The attacker issued ransom demands, for which payment would stop the posting of stolen information on the group’s data leak website.

The ransomware attack on UnitedHealthcare allowed the theft of information such as names, birth dates, addresses, telephone numbers, email addresses, plan ID numbers, student ID numbers, medical data, claims details, Social Security numbers, other national ID numbers, and other sensitive information. Impacted students were informed about the attack in July 2023 and were provided free identity theft protection and credit monitoring services.

The lawsuit claims UnitedHealthcare failed in its duty of care to its plan members: it ought to have maintained sufficient safeguards to secure the data it gathered and stored yet did not do so, and it was then late in sending breach notification letters to the impacted persons. The lawsuit alleges the plaintiff and class members have sustained irreparable harm because of the theft of their sensitive data and currently face an impending and continuing threat of identity theft and fraud.

The lawsuit alleges unjust enrichment, negligence, negligence per se, and breach of implied contract and seeks a jury trial, class action status, statutory damages, and declaratory and injunctive relief. The Abramowitz v. United Healthcare Services Inc. d/b/a UnitedHealthcare Student Resources lawsuit was filed in the District Court for the District of Minnesota by the plaintiff and class members, represented by Mark S. Reich, Gary S. Ishimoto, and Courtney Maccarone of Levi & Korsinsky, LLP, and Nathaniel J. Weimer of Tewksbury & Kerfeld, P.A.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone