Lawsuit alleges blood bank shared donor information without consent
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 19 Jul 2013 11:33:38 -0500
A Florida man who was a compensated blood plasma donor is suing the
firm where he donated blood for sharing his information with a third
party firm that sent him text messages urging him to donate again.
DCI Biologicals is an FDA-regulated business that has dozens of blood
collection centers around the country. Potential donors provide some
personal and medical information and are screened by a physician. They
are also tested for HIV status, and are informed that some of their
information may be shared, e.g., the HIV testing informed consent form
notifies potential donors that positive results may be shared with
federal and state donor deferral lists.
It seems that nowhere in the forms that were in use in 2010, however,
are potential donors informed that their contact phone number might be
shared with a third party who may send them text messages about
donating again. Nor were they asked for their express written consent
to such text messages.
After receiving such text messages two years after he last donated,
Joseph Murphy filed suit in U.S. District Court Middle District of
Florida in September 2012.
At the heart of the lawsuit is Murphy’s claim that DCI Biologicals
violated the Telephone Consumer Protection Act (TCPA) by not getting
his written express consent to such automatically dialed messages. The
text messages were delivered by three firms: DoCircle, Inc. (aka
Trumpia), Skyy Consulting, Inc. (aka CallFire), and SMSOfficer, Ltd.
(aka SMS Officer). None of those firms are named as defendants in the
lawsuit, and Murphy claims that those firms even tried to warn DCI
Biologicals that they needed express opt-in consent for such messages.
But did DCI Biologicals really need express written consent to share
information with the text messaging services under the law as it was
in effect when the information sharing and text messages occurred?
According to DCI Biologicals’ motion to dismiss the original
complaint, they did not. Murphy claims DCI has that wrong.
Although some blood banks (those that are hospital-affiliated) are
HIPAA-covered entities, my understanding is that not all blood banks
are HIPAA-covered entities. HHS had considered bringing them all under
HIPAA and rejected it, explaining that donors are not receiving health
care or treatment, but are doing something to provide treatment for
others. As far as I can tell, DCI Biologicals is not itself a
HIPAA-covered entity even if their staff provides medical screening
tests to potential blood donors. Lawyers representing DCI Biologicals
declined to comment on the lawsuit, citing their policy of not
commenting on pending litigation, and did not respond to my specific
question as to whether DCI Biologicals is a HIPAA-covered entity as
well as an FDA-regulated entity.
Given our patchwork quilt of privacy laws, it is not clear to me
whether the FTC would consider a complaint, if one were to be made,
that DCI Biologicals did not adhere to the written privacy assurances
of its donor information and consent forms. It is also not clear to
me whether HHS has any authority here, or if the FDA would
investigate. Right now, what we have is a complaint alleging
violations of Florida law and the TCPA.
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/