As clinics scrambled a year ago to figure out how to respond to a new virus, regulators swung open the doors on what tools they could use to see their patients virtually. For the time being, they could use Zoom, Skype, Facebook Messenger, Skype, or a plethora of other platforms, without facing penalties from the Department of Health and Human Services’ Office for Civil Rights.
But a recent class action settlement by Zoom Video Communications may give healthcare providers pause when evaluating what tools to use.
Zoom would have to pay out $85 million to settle allegations that it shared users’ personal information with Facebook, and Google without their consent, and lied about its encryption practices. The terms haven’t yet been approved by U.S. District Judge Lucy Koh.
While the settlement is focused on compensating users of Zoom’s service, there are also some important lessons for healthcare providers.
“The onset of Covid provided new relevance to Zoom and other like technology platforms, but it also shone a spotlight on their risks and limitations,” Chris Bowen, founder, chief privacy and security officer for ClearDATA, wrote in an email. “Fortunately, we saw Zoom patch some of those glaring security issues quickly and adequately, but since that time other privacy issues have come to light that are equally problematic.”
The problems first surfaced last year, after Zoom settled with the Federal Trade Commission for telling users it offered end-to-end, 256-bit encryption, which it had touted in a HIPAA-compliance guide for healthcare products.
Zoom actually used a shorter encryption key, and also had access to cryptographic keys that could allow it to see the content of users’ meetings, according to the FTC’s complaint. The company has since updated its security practices.
In a class action lawsuit, the company also faced allegations that it shared users’ data with social media companies, like Facebook, Google, and LinkedIn, through their software developer kits (SDKs). That information included users’ unique advertising identifier, and what type of device they used to access Zoom. One of the plaintiffs, a physical therapist, had been using a paid version of Zoom’s video conferencing service to see her patients at the start of the pandemic.
Per the settlement, Zoom would have to not reintegrate Facebook’s SDK for a year, and request that Facebook delete any data on U.S. users that it had obtained.
“The privacy implications are the same as any other breach of sensitive data, entirely without the user’s express permission,” Bowen added. “This is a huge lesson and insight for the industry – a glaring reminder that health data cannot and should not be capitalized upon with the same callous disregard that the rest of our behavioral data is aggregated for the purpose of consumer marketing.”
When asked about the settlement, Zoom pointed to changes the company had made in the last year, including adding meeting passcodes, waiting rooms and limiting screen sharing.
“We are proud of the advancements we have made to our platform, and look forward to continuing to innovate in the areas of privacy and security,” a company spokesperson wrote in an email.
Recently, the company has begun touting a version of its Zoom for Healthcare platform for smaller practices, and a feature that would let people access video visits in their browser instead of its app. Healthcare practices are required to buy a paid version of its software to get a signed business associate agreement.
Photo credit: elenabs, Getty Images
