Ediscovery Implications For HIV Privacy

Imagine having your HIV-positive status disclosed to everyone in your small town — or everyone in the world. This recently happened to thousands of people who had their status disclosed through two separate privacy breaches.

CVS Health inadvertently revealed the HIV status of approximately 6,000 Ohio residents by mailing out letters in envelopes that displayed their participation in an HIV drug-assistance program. Three people have already filed a class-action lawsuit against CVS for the disclosure.

Grindr didn’t accidentally reveal its users’ HIV status; rather, it intentionally shared test dates and results with vendors. Although the information was encrypted, it was provided along with identifying information that would allow individuals to be matched with their status. Grindr countered that its users had voluntarily entered the information that it shared. Further, Grindr argued that its privacy policy stated that user information is publicly visible. Grindr has since announced that it will no longer share HIV status information.

Both disclosures come with significant ediscovery implications. As to CVS, expect litigation to center on who approved the mailings and what process was used to create them. “It’s surprising that a company that regularly deals with medical records and HIPAA penalties wouldn’t have a heavily vetted, very rigorous process for mailings,” said Charles N. McGee III, a lawyer in the strategic discovery and information management practice of Murphy & McGonigle PC. It’s all the more surprising given that Aetna recently paid over $17 million for making the same mistake last year.

If litigation follows the Grindr disclosure, there will be myriad challenges. “Anytime you’re dealing with an app, the collection process can be very difficult. It’s definitely not one-size-fits-all,” McGee stated. Determining whether data is stored on the individual’s phone or in the cloud is the first hurdle, although in this situation, it’s likely that individual collections would be bypassed in favor of collecting data directly from Grindr and its vendors.

“Situations like the Grindr disclosure reinforce the fact that there’s no true privacy on the internet,” McGee warned. “Companies need to adopt the strictest standard applicable in their field for how they deal with personal data” to avoid repercussions, particularly in an age of increasing international data privacy concerns.

The Grindr situation also highlights a concern that is common with ediscovery: it’s not just the privacy screening measures of the company you provide data to that you have to worry about — it’s also the security of any third parties that company may share data with. This is true whenever data is shared, even with ediscovery vendors. Choose wisely!