Hey, CIPAWorld! The Baroness here. Happy Friday, everyone!
Believe it or not, even health insurance companies are facing litigation for allegedly tracking and sharing consumer information. Just yesterday, Blue Cross Blue Shield of Massachusetts (BCBS) and its subsidiary removed such a case to the District of Massachusetts. Vita v. Blue Cross & Blue Shield of Mass., Inc., No. 1:25-cv-10420 (D. Mass. Feb. 20, 2025).
In the Amended Complaint, Plaintiff Vita claims that she lives in Massachusetts and obtains health insurance from BCBS. She claims that BCBS’s Website, https://ww.bluecrossma.org/, offers consumers general information about insurance plan offerings by BCBS and individualized information about consumers’ insurance plans. Notably, Plaintiff states that the website includes a “Find a Doctor” function that enables users to search by condition, specialty, gender, language, and location; includes a “24/7 Nurse Line” through which consumers can communicate with nurses employed by BCBS; allows consumers to access their insurance information, including services and medications obtained, amounts paid, and benefits available; and allows consumers to access their private medical information through the MyBlue patient portal.
Vita argues that BCBS Website users have legitimate expectations of privacy and expect that BCBS will not share their communications with BCBS with third parties without consent. She alleges that these expectations are supported by Massachusetts state law and HIPAA, which prohibit healthcare companies from using or disclosing individuals’ protected health information without valid authorization from the individual.
Additionally, Vita references multiple statements in BCBS’s online policies in which it explicitly states that BCBS’s cookies, clear gifs, and other web monitoring technologies do not collect any personally identifiable information. Because of this, Vita claims that healthcare consumers would not anticipate that their communications with BCBS would be intercepted and shared with third parties, like Google, Facebook, Twitter, and LinkedIn for marketing purposes, and that BCBS did not inform consumers of this via a pop-up notification or otherwise.
Despite this expectation, Vita alleges that BCBS’s Website is designed with tracking technology that permits third parties such as Google and Facebook to intercept consumers’ interactions with BCBS, and that the information intercepted includes private health information. Vita claims that BCBS uses or has used tracking technologies such as Google Analytics, Google DoubleClick, Meta Pixel, and others, and that such tracking is injected into the code of almost all of the pages on BCBS’s Website, including the MyBlue patient portal. The Amended Complaint is detailed, going so far as to include screenshots of the code of the Website with portions highlighted to show tracking.
Based on these facts, Vita seeks to represent the following class:
All Massachusetts residents who, while in the Commonwealth of Massachusetts, accessed any portion of the website at bluecrossma.org between three years prior to the date of the filing of the initial complaint in this action and September 29, 2023.
First, Vita alleges that BCBS violated the ECPA, 18 USC § 2511, which prohibits the intentional interception of the content of any electronic communications, as well as HIPAA, which imposes a criminal penalty for knowingly disclosing individually identifying health information to a third party. 42 USC § 1320d-6(a)(3). Second, Vita claims that BCBS violated M.G.L. c. 93A §§ 2, 9, which proscribes unfair competition and unfair or deceptive acts in trade or commerce, by falsely stating that its website does not capture personally identifiable information. Third, Vita brings a cause of action for violating the Massachusetts Right to Privacy Act, M.G.L. c. 214 § 1B, which confers a private right of action to Massachusetts citizens for privacy violations. Vita also brings claims for negligence, breach of confidence, breach of contract, and unjust enrichment.
Because this case was just removed, it is still in its nascent stage. We will be sure to keep you folks updated as the case progresses.