A California federal court has ruled that the disclosure of certain data collected through website cookies could constitute a data breach under the California Consumer Privacy Act (CCPA).
The ruling followed the legal case against the online counseling platform BetterHelp, which allegedly violated the CCPA by sharing users' private information. Users who had visited BetterHelp's website interacted with third-party advertisers through retargeting cookies. These are a type of third-party cookie that tracks a user's browsing activity and then displays targeted ads to the user on other websites they visit.
Even though BetterHelp had already reached a settlement with the Federal Trade Commission, the California court refused to dismiss the CCPA data breach claim, reasoning that the information disclosed through those cookies (specifically, the fact that a user visited a website offering therapy services) could potentially qualify as "medical information" under the CCPA. The court noted that since the BetterHelp website facilitates the provision of healthcare services, a user's interaction with the site could be interpreted as seeking or receiving medical treatment, and this fact alone may be considered protected health information.
The court's ruling allows the CCPA data breach claim to proceed, noting that "it can reasonably be argued that allowing tracking software on the website was not an appropriate security procedure or practice, given the nature of the information." The language indicates that healthcare businesses are expected to uphold a higher standard of privacy protection for users' interactions on their websites, even if those interactions do not involve the direct sharing of medical records or other sensitive health data.
In light of the court ruling, healthcare businesses should take proactive steps to review and strengthen their data privacy and security practices, including:
The ruling carries implications for healthcare businesses, even those not governed by the CCPA. It suggests that the mere fact of visiting a healthcare provider's website might be classified as sensitive personal information. If this information is disclosed to third parties without proper safeguards, it could result in a reportable data breach.
A data breach occurs when sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. It may include personal information such as names, Social Security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.
Legal action can result from a data breach: affected individuals or organizations may sue for damages caused by the breach.
Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular employee training, and using encryption to protect sensitive data.
Upon discovering a data breach, a healthcare organization should contain it, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.