Microsoft, Qualtrics Named in Health Privacy Suit Over Website Tracking Code
Microsoft and experience management company Qualtrics “repeatedly and systematically” violated patients’ healthcare privacy rights on the Kaiser Permanente website by intercepting and collecting data, alleged plaintiff “Jane Doe” in a Monday class action (docket 2:23-cv-00718) in U.S. District Court for Western Washington in Seattle.
Patients use the Kaiser website to access their medical records and activity (including prescriptions, immunizations, research of medical conditions and communications with doctors) with the understanding those interactions are private, said the complaint. But defendants violated their legally protected privacy interest by extracting private healthcare and other information from Kaiser members’ communications with the website via defendants’ tracking code, it said. The code allows defendants to identify the Kaiser member via unique identifiers, it said.
Plaintiff Jane Doe, a California resident, has been a Kaiser member for 10 years and used the website to access records, make appointments, review physician information and medical conditions, and watch videos, said the complaint. Doe didn’t know Microsoft software development kits on the Kaiser website intercept and collect her browsing activity and private medical information. The personally identifiable information includes the URLs of each page Doe visits about medical conditions she’s researched, videos she views and her private data, said the complaint.
The Kaiser website also incorporates Qualtrics’ Experience Management Site Intercept software, which collects users’ internet data through unique identifiers and cookies, said the complaint. Qualtrics is able to link users to their medical information and sends a packet of digital data with the user’s unique identifiers back to their internet browser, alleged the complaint. It can then match users to their medical information. The interception and collection of data on videos on the Kaiser website “occurs regardless of whether the user is logged in to her Kaiser Account,” it said.
The value of personal data is “well understood” and generally accepted as a form of currency, said the complaint. There's a market for the data generated by Kaiser members on its website, said Doe, noting the economic value has been leveraged by corporations and even users. The private, illegal market for users’ personal information is also lucrative, with hacked financial accounts selling for $1,200 on the dark web, it said. Defendants have intercepted and collected Doe’s private data “without providing anything of value” to her in exchange, it said.
The class action alleges violations of the California Invasion of Privacy Act, Unfair Competition Law, and the state constitution’s right of privacy, plus the Computer Fraud and Abuse Act. It also asserts unjust enrichment, statutory larceny and conversion. Plaintiff seeks compensatory, punitive and statutory damages for herself and the class; orders to enjoin defendants from committing “similar wrongdoing” and requiring them to destroy customers’ private data; and legal costs.