Oracle Sued for Sharing Private Health Information in Possible HIPAA Violation

Oracle Health “deployed various Google digital marketing and automatic rerouting tools on its Patient Portals,” which “purposefully and intentionally disclosed patients’ Health Information to third parties who exploited the information and used it for advertising” in a “clear violation of patients’ reasonable expectations of privacy, their rights as patients, and their rights under federal and state law,” the complaint said. “As courts have found across the country, violating these privacy rights harms patients, as it misappropriates their rights to control how information about them is distributed and exploits the value their health data in the marketplace.”

Plaintiffs in case 25-04087 in the U.S. District for Western Missouri claim that Oracle Health enabled tracking software in patient portals, which shared private health information -- including appointment details, messages from doctors and test results -- with Google’s ad systems. Patient IP addresses and device identifiers were also allegedly included in the information shared with Google, in addition to content of communications.

The complaint added that in December 2022, the Office of Civil Rights at the U. S. Department of Health and Human Services issued a bulletin “reminding both covered entities and business associates alike of their patient privacy obligations ‘when using online tracking technologies,’” in compliance with HIPAA’s privacy rule and security rule. The plaintiffs additionally allege counts of violations of the Electronic Communications Privacy Act, identity theft, invasion of privacy, unjust enrichment and Missouri state law.