Slashdot Mirror


FTC: Online Billing Service Deceptively Collected Medical Records

itwbennett writes: The FTC has reached a proposed settlement with PaymentsMD, an Atlanta health billing company that used the sign-up process for its billing service to surreptitiously seek customers' consent to obtain detailed medical information. The medical information PaymentsMD requested included customers' prescriptions, procedures, medical diagnoses, lab tests performed and their results, and other information, the FTC said. The bright spot in all this: In all but one case, the health care providers contacted for data refused to comply with PaymentsMD's requests.

25 comments

  1. I take it by msobkow · · Score: 2

    I take it the one medical provider who had the major screwup of providing such personal and private data has had their license revoked and is now out of business?

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:I take it by dbc · · Score: 1

      Eh, I think HIPPA (or whatever the acronym is..) only threatens you with draconian fines.

    2. Re:I take it by Njorthbiatr · · Score: 1

      So let's give them draconian fines.

    3. Re:I take it by Anonymous Coward · · Score: 1

      Criminal Penalties
      In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

    4. Re:I take it by cdrudge · · Score: 1

      But it sounds like the service did tell customers they were collecting the information, and required for the consent to do so. It was just buried in a kajillion screens of 6 lines of text each. Shady? Yes. Should be fined? Definitely. Criminally culpable to the point that the guilty need to serve a prison sentence? eh...not so sure.

    5. Re: I take it by Anonymous Coward · · Score: 0

      No more blow jobs from Eric Holder - the consumers' champion, for a 10 day period.

    6. Re:I take it by sribe · · Score: 3, Insightful

      I take it the one medical provider who had the major screwup of providing such personal and private data has had their license revoked and is now out of business?

      Why? If someone comes to your doctor with a release approved by you for your medical information, do you really expect your doctor to give them the third degree over exactly how they obtained that release from you?

      Personally, I think it's remarkable that so many providers were apparently paying enough attention to notice some irregularity and question the requests.

    7. Re:I take it by Anonymous Coward · · Score: 0

      At 50k a pop, it's cheaper to pay somebody to monitor it, don't ya think?

  2. "refused to comply" by whoever57 · · Score: 1

    The bright spot in all this: In all but one case, the health care providers contacted for data refused to comply with PaymentsMD's requests.

    Naturally. Those health care providers did not want any competition in selling their customers' data.

    --
    The real "Libtards" are the Libertarians!
  3. Seems logical by EzInKy · · Score: 1

    It just seems to make sense to me that a payer of medical bills would collect information that would confirm the validity of the bills that they were paying. Sharing that aforesaid information is a totally different ball of wax though.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Seems logical by Anonymous Coward · · Score: 0

      No. If we bother to look at what actually was done here there isn't even a diffuse area. They used social engineering to obtain private information they didn't have the right to get.
      If I were to do something like that I would face several years in prison. For a small company it could be the same for the CEO or possibly very hefty fines.
      Larger companies generally get away with promising to stop doing what they did, then when they keep doing it they get a slap on the wrist.

    2. Re:Seems logical by Anonymous Coward · · Score: 0

      And then you could kill yourself because "Boo-hoo, information wants to be free, I'll lose my office at Harvard, the big mean people are threatening my genius with a felony, boo-hoo, boo-hoo, boo-hoo, w-a-a-a-a-a-a-h-h!!!! Meanies, boo-hoo, go organize protests, boo-hoo, I'm too pretty to go to jail!!! I might have to steal from my *own* office at Harvard instead of hiding my equipment at MIT!!! You're so ***unfair***, my victims are so mean to me! Boo-hoo, boo-hoo, boo-hoo"

      And then it would show up on Slashdot and we could cry you a river.

    3. Re:Seems logical by mean+pun · · Score: 1

      Grow up.

      And give us a report of at least 20 pages about the legal and societal differences between these two cases before Monday, or you'll go to bed without desert for two weeks.

    4. Re:Seems logical by Anonymous Coward · · Score: 0

      That's fine, I didn't want desert anyway; it's too grainy. I'll have my dessert though. Fudge brownies. Mmm. Fudge.

  4. Wrist Slap by Anonymous Coward · · Score: 0

    Under the proposed settlements, PaymentsMD and former CEO Hughes are banned from deceiving consumers about the way they collect and use information,

    Yay! They are forbidden from doing what they are forbidden from doing, that will teach them a lesson!

  5. BILLER, not PAYER by jtara · · Score: 2

    It just seems to make sense to me that a payer of medical bills would collect information that would confirm the validity of the bills that they were paying. Sharing that aforesaid information is a totally different ball of wax though.

    No. Did you bother to read the very first paragraph?

    An online service allowing consumers to pay their medical bills failed to adequately inform them that it would also try to collect highly detailed medical information from their pharmacies, medical labs and insurance companies, the U.S. Federal Trade Commission said.

    They send out bills. Patients send them money. They send money to the doctor or hospital. They keep ledgers.

    They don't need to know detailed medical information. They are acting as a billing agent for the doctor. They don't need to verify what the doctor did or what the patient had.

    1. Re:BILLER, not PAYER by cdrudge · · Score: 2

      They send out bills. Patients send them money. They send money to the doctor or hospital. They keep ledgers.

      They don't need to know detailed medical information.

      Almost every bill that I've received has a diagnostic code on it, or a semi-detailed description of what the charge was for. My chiropractor bill showed which specific vertebrae was the focus of the adjustment. My dentist bill had that I had a cavity filled on a particular tooth. The supplier for my CPAP machine listed all the accessories I purchased for my sleep apnea. In all 3 cases, I paid my bill with my flexible spending account debit card, and my insurance company wanted a copy of the detailed bill to insure compliance required by the IRS. If any of those 3 providers used a 3rd party billing company, that company would need to know what the charges were for to include in the invoice. They wouldn't need to know specific results of a lab, or what a prescription was written for (unless they were billing on behalf of say a mail-order pharmacy), but saying they don't need to know detailed medical information isn't completely true. They need to know more than just you owe $X to Dr. Smith.

  6. Culture of lawlessness by Anonymous Coward · · Score: 1

    If PaymentsMD is grabbing medical records, and telecoms are spying on their customers, and Uber is grabbing their location, apps they use, emails, SMSs and everything else in their mobile, it's done for money.

    On the one hand they know they can sell this data and make a healthy profit, on the other hand, they know the government is breaking all laws, lying in legal documents (parallel construction is perjury, the name tries to make it sound otherwise), so they really won't get punished.

    So there is a market for your private data, and a government that is probably the biggest buyer in that market, and law makers are ineffective, because every time someone suggests privacy laws, the spooks scream "terrorists" to cover their asses.

    It's like the wild-west all over again, only the Sheriff is the bad guy.

    1. Re:Culture of lawlessness by Anonymous Coward · · Score: 0

      If tax dollars weren't a big funder of this it would be funny. They are just wasting money/time collecting this if they analyze it the way I suspect. I imagine this happens once every few years:
      Q:"We still can't predict shit with our neural networks, what now?"
      A: "Sell the info to idiots then spy more and try again!"

  7. aim by Anonymous Coward · · Score: 0

    in selling their customers' data.

  8. Who thought that's a good idea? by gnasher719 · · Score: 1

    Someone in that company must have thought this is a good idea. Being in that line of business, they should have known that even with a user clicking on "consent", a health care provider giving them the information would be acting illegally. And then I wonder why did they want this information in the first place? You can't use it for anything that isn't again highly illegal.

    1. Re:Who thought that's a good idea? by Anonymous Coward · · Score: 0

      a health care provider giving them the information would be acting illegally

      The medical record belongs to you; if you sign a consent form to release the record, the provider must release it. The problem here was that the consent was obtained through deception.

  9. Commodity, not Customer by Anonymous Coward · · Score: 0

    Another indication that people have become the commodity, not the customer.

  10. Welcome to modern medicine by Virtucon · · Score: 1

    I can't believe that there was any legitimate reason to ever ask for this in the first place, meaning a few felonies have been committed. Hopefully the scumbags will be thrown in prison.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  11. tldr version by Anonymous Coward · · Score: 0

    An online service allowing consumers to pay their medical bills ... medical information it collected related to its separate online medical records service...

    So, they used their foot in the door to get people to sign consent for them to collect information that they could then slide over to their side business that collects medical information about people. I didn't dig deep enough to find out what this side business does with the info it hoards but based on their method of collection, I would say "nothing good".