Abbott Laboratories Exposure of Patient Information California CMIA Class Action

This data breach class action concerns not a cyberattack but an email apparently sent out to hundreds of people who are patients of a certain medical group, containing too much information. The complaint alleges that Abbott Laboratories, by sending this email which disclosed medical information without the consent of the subjects, violated California’s Confidentiality of Medical Information Act (CMIA).

The class for this action is all persons in California who were sent a letter on behalf of the medical group, entitled Notice of Data Breach, dated on or around December 7, 2022.

Abbott Laboratories was formed in 1900. The complaint quotes the Securities and Exchange Commission (SEC) website as saying that its “principal business is the discovery, development, manufacture, and sale of a broad and diversified line of health care products.” Abbott “has four reportable segments: Established Pharmaceutical Products, Diagnostic Products, Nutritional Products, and Medical Devices.”

To market its products, the complaint alleges, the company’s salespeople work with physicians, hospitals, and medical groups, hoping to get them to recommend its various products, such as drugs and medical devices. This case concerns the patients of one such medical group. (The group is not named in the complaint.)

In October 2022, the group delivered to Abbott a list of patients which the complaint alleges was “for joint marketing purposes.” On October 10, an agent of Abbott sent out an email to the patients on the list. Unfortunately, it seems that this email contained too much information.

The email, which was sent to hundreds of people, the complaint claims, “contained information such as medical conditions, treatments, systems, devices, therapies, doctor names, Medical Group name, studies, results” along with Abbott’s contact information. It also showed the patients’ names, email addresses, and the fact that they were patients of the particular medical group.

The medical group sent out a Notice of Data Breach Letter to the patients on December 7, 2022, the complaint says.

The complaint also suggests that Abbott may have “sent the same or similar emails to other groups of” patients beside the one described in this case.

The complaint quotes the CMIA as saying, “A provider of health care, health care service plan, or contractor shall not disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization…”

It also quotes is as saying, “Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records shall do so in a manner that preserves the confidentiality of the information contained therein.”

The email in question, the complaint alleges, did expose such information to others without the authorization of the subjects.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Sharing Medical Information Without Consent, Sharing Personal Information with Third Parties, Your Privacy