Labcorp Violated Patients Trust and Privacy By Sharing Sensitive Data With Google, Lawsuit Claims

Medical testing company Labcorp not only violated the trust and privacy of thousands of patients by giving Google their personal data, but also put them at risk having their individually-identifiable information stolen and sold on the black market, a new lawsuit alleges. 

Labcorp, which operates one of the largest clinical laboratory networks in the world with 2,135 locations in 47 U.S. states, did so for the sake of a profit, the proposed class action claims.

Breaching privacy for profit

Michael Wiggins and Teri Stevens filed the proposed class action lawsuit against Laboratory Corporation of America Holdings, aka Labcorp, after they discovered the company had been sharing their “sensitive medical information” with Google for years in a “systematic process,” which they said they had no knowledge of and did not authorize. 

Labcorp allowed Google to gather the data by installing Google Analytics, Google Ads, and Google Display Ads on its public website, and match the data collected with individual users, the lawsuit claims. 

During the period at issue, Google didn’t disclose to users that it was gathering their health information when they used a provider’s website, the lawsuit says, and none of Labcorp’s terms of privacy statements informed users about the data sharing either. 

“Labcorp’s interception, dissemination, and commercial use of its patients’ individually-identifiable health information without notice or consent violates federal and state law, harms patients by intruding upon their privacy, erodes the confidential nature of the provider-patient relationship, violates patients’ property rights, deprives patients of their right to control dissemination of their individually-identifiable health information, and requires decisive corrective action by this Court,” the lawsuit alleges.

Why do companies share data?

Data-mining for consumers' personal information, especially healthcare information, has grown into a multi-billion dollar market, with prominent firms including IBM and Lexis-Nexis in the game, Time Magazine reports. 

The data miners argue mass commercial collection of patient data will lead to medical breakthroughs, but it also brings about significant privacy risks for patients. Last year, the Valuing Healthcare Data report, released by the Value Examiner, said, that given the huge increase in the industry, providers must de-identify data and purchasers and sellers of “such data should ensure it is priced at fair market value to mitigate any regulatory risk.”

Selling data can seem like an attractive option to hospitals facing financial issues, and a number of tech companies are waiting at the ready to pay for it, as CNBC reports.

What are the risks?

While the most obvious risk in sharing patients’ personal data is of it falling into the wrong hands and being stolen or sold, leading to identity theft, other risks exist, too.  CNBC reported that health systems administrators have fears the data could be used to cross-referenced with other data to identify individuals at higher risk of diseases, leading to increased health premiums, and that individuals could be targeted through the use of the data.

Pew Research shows that while Americans want their health data to be more accessible to them, they also want it to be better protected — that is especially given that federal privacy protections, like the Health Insurance Portability and Accountability Act (HIPAA), don’t cover data stored on apps. 

Top concerns expressed in the research were identity theft and blackmail; discrimination; the absence of federal data protections; and a desire to protect their information from access by large technology companies. 

What is being done to protect data?

As the proposed class action lawsuit lays out, the HIPAA and state laws require confidential treatment of medical records, and they “expressly prohibit healthcare providers from sharing individually-identifiable health information with third parties except as needed for a patient’s treatment, payment, or with their authorization.” 

The lawsuit argues that like any private property, patients have the right to control and make decisions over their own health information. Google has even warned companies such as Labcorp that using its data collection tools might violate HIPAA. 

Vermont has enacted a new law requiring companies that buy and sell third-party personal data to register with the Secretary of State, but the law doesn’t require the data brokers to disclose who’s in their databases, what data they collect, or who buys it. They do, however, have to show consumers how to opt-out (provided they offer a way to do so). 

What protections can you take 

Protecting your data can seem like an overwhelming task in the digital world, but you can take some quick steps to increase privacy protections. 

1. Use strong passwords and multi factor authentication
2. Limit what is publicly available in your privacy settings
3. Beware of phishing messages
4. Delete some apps and use a browser instead
5. Use an encrypted messaging service
6. Turn off ad personalization
7. Opt out of data broker’s lists

The biggest factor in increasing data protection would be legislation, so if the issue is important to you, call your senator and let them know. If you think a company has mishandled your personal data, you can file a complaint with the Federal Trade Commission. 

In the proposed class action at hand, Labcorp is being sued for alleged violations of the Electronic Communications Privacy Act for, Breach of Contract, Negligence, Invasion of Privacy - Intrusion Upon Seclusion, and Unjust Enrichment. Wiggins and Stevens want to represent patients from across the country, and they are seeking damages, injunctive relief, and fees.

The plaintiffs are represented by David J. Cohen, Ryan F. Stephan, James B. Zouras, Teresa M. Becvar, and Michael J. Casas of Stephan Zouras LLP.

The Labcorp data privacy class action lawsuit is Wiggins et al v. Laboratory Corporation of America Holdings, Case No. 2:24-cv-00648, in the U.S. District Court for the Eastern District of Pennsylvania.