How would you feel if an invoice for your medical services was sent by the processor, in an unsecured e-mail, to a friend of yours? This seems like an odd and inexplicable event. Still, the complaint for this class action alleges that Square, Inc. sent the private information of the plaintiff in this case to a friend of his, violating his privacy and failing to keep his payment and personal information confidential.
The class for this action is all individuals who paid for health care services using Square’s credit card processing services and who received an Automatic Receipt for such services.
Square is a payment processing provider that markets its services to health care businesses.
The complaint quotes the company’s website as promising to protect the privacy of patient health information: “Square’s approach to security is designed to protect both you and your customers.”
When Square processes a transaction, it sends the customer an e-mail documenting the transaction. Payers can opt out of the sending of these Automatic Receipts, but they do not have to opt in; the default is the sending of the invoices.
In order to send the Automatic Receipts, Square associates a credit card number with either a cell phone number or an e-mail address. The complaint alleges that the receipts are “often” sent to the wrong phone number or e-mail address.
The complaint alleges that the receipts are “often” sent to the wrong phone number or e-mail address. In fact, the complaint says, it “is such a regular occurance that they address the issue on their website and maintain a link at the bottom of each receipt to report that it is ‘Not Your Receipt?’”
Plaintiff A. Trent Ruark uses a healthcare provider that uses Square’s processing services. The complaint says that he doesn’t know how his friend’s contact information “became associated with his credit card or this particular transaction” and never agreed to share his medical information with anyone.
The complaint claims that the incident “results from Square’s lack of any appreciable security measures to ensure that protected personal medical information (or any other receipt sent by Square) is not disclosed to third parties.”
According to the complaint, the use of insecure methods of transmitting such information violates both state and federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), the California Medical Information Act (CMIA), and other state laws, and is an act of negligence.