Here’s an update on a lawsuit I noted back in March 2011. Eric Goldman writes:
CVS Caremark provided consumer data to pharma companies and data brokers. The plaintiffs alleged that the data transfers violated CVS’s privacy policies, but CVS apparently disclosed only “de-identified” data as contemplated by HIPAA. Plaintiffs couldn’t sue under HIPAA, both because CVS complied with HIPAA and because HIPAA doesn’t enable a private cause of action for these violations. Although these facts implicate Sorrell v. IMS, that case didn’t come up because the plaintiffs didn’t sue under an analogous statute specifically [addressing] pharmaceutical data transfers.
Instead, the plaintiffs sued under Pennsylvania’s consumer protection act, claiming that CVS made material misrepresentations in its privacy policies about its data handling. The court dismisses the suit–with prejudice!–on two principal grounds.
Read more on Technology & Marketing Law Blog.