"UK health company EMIS bought by US insurance giant"
Perhaps such transactions should require the informed and specific consent of the data subjects.
Social media megacorp Meta is the target of a class action suit which claims potentially thousands of medical details of hospital patients were shared with its Facebook brand. The proposed class action [PDF], filed on Friday, centers on the use of Facebook Pixel, a tool for website marketing and analytics. An anonymous …
"Perhaps such transactions should require the informed and specific consent of the data subjects."
If you're expecting the ICO to put forward such a viewpoint then don't hold your breath. Enforcement regime? They've heard of it...
Currently I'm wrestling with the following ICO madness:
(a) ICO have confirmed they have no powers to take any action regarding organisations that broke data protection prior to 23/05/2018 (the day GDPR came into effect), even if the personal data unlawfully collected back then is still stored/in use by those organisations today.
(b) ICO have confirmed they will not investigate a large scale (1.9+ million people affected) unlawful data processing issue as insufficient people (i.e. likely only me as no-one else is probably aware of it) have complained about the issue. They will investigate the misuse of *my* personal data, that is all.
To use an analogy, that is like someone providing the police *with evidence* of an individual committing a large number of burglaries/muggings/whatever (including of the person who reported it) and the police saying "sorry, we can only investigate *your* burglary/mugging/whatever, regardless of all the evidence you have provided, as none of the other people affected have contacted us"...
This kind of tracking on medical sites is not new or unique to the USA. It has been widespread in Europe as well.
Agreed; 2 years ago I caught Domino's Pizza (UK) out; you couldn't get an online payment to process unless you allowed some Facebook scripts to run.
Not sure if this was Domino's themselves, or the 3rd party payment system they were using; either way, Domino's no longer gets online orders from me, so even if they eventually fixed the issue, they lost my business.
This isn't the first time I have had issues with dodgy/sloppy coding in their payment process either.
As a user of the internet I do not want my medical information readily available and traded, indeed I don't want any of my personal information hijacked and used in this way. It is simply not theirs to have and use.
The ONLY time you should have my information is when:
You need it for a specific transaction that we are conducting and I freely give it to you.
I freely publish the information.
To that end all web sites, web forms etc should by law default to not collecting any of my information or tracking me in any way unless I specifically agree not only to the collection but also to the use the information will be used for.
Failing the legal laggards getting off their fat arses and doing something useful, I want my browser to auto-complete ALL the opt-outs in the web sites so that my data is safeguarded to my requirements rather than having to maintain a constant battle. Also the browser should nuke all the leaky elements (Facebook pixels etc.).
Where are you, Firefox / Brave etc.?
No problemo!
We'll just put a non-skippable page for each and every tracking method we use where you can express your informed consent before you will be able to access the page you were looking for.
Don't worry, the page will be in plain legalese and you would have to scroll it all the way down before being able to make your choice.
And, just to make sure you would give your informed consent, we'll add a quick test.
After all, we wouldn't want to break the law.
/sarcasm
While I think Facebook is a terrible company founded and managed by a reprehensible person, I doubt this suit has legs. The plaintiffs have a valid complaint, but they are targeting the wrong entity.
HIPAA is very specific in the entities that are subject to it. Healthcare providers, insurers, and related entities that provide health services. For example, the taxi company that a hospital uses to travel to another hospital wouldn't be covered. And if a hospital revealed HIPAA-protected information to an entity (said taxi driver) who is not subject to HIPAA, the taxi driver would not be breaching HIPAA by repeating that information as they are not a covered entity.
It is the healthcare providers who are providing this information to FB that are the ones who should be the targets of the suit.
For reference, see the LegalEagle YouTube video "This Video Is A HIPAA Violation! (According to Wrong People)", which talks about HIPAA in the context of various people claiming "because HIPAA" as to why they couldn't talk about their vaccination status, and other absurd claims resulting from a misunderstanding of HIPAA.
For those that are not aware, 90% of GPs in the NHS use either Egton Medical Information Systems (EMIS) Health or TPP's SystmOne, and it's roughly a 50-50 split.
Anyone using the Patient Access App is using EMIS.
This is a huge deal, making all EMIS patient data subject to the US CLOUD Act.
"This is a huge deal, making all EMIS patient data subject to the US CLOUD Act."
Did you fail to notice back in 2018 when EMIS moved all the UK patient data they host from their own infrastructure onto AWS? So it is already potentially subject to US law...
https://www.theregister.com/2018/11/30/emis_x_aws_nhs/
https://aws.amazon.com/solutions/case-studies/emis-case-study/