Pharmacies Warrantlessly Disclose Medical Records to Law Enforcement, Congress Finds

Most major U.S. pharmacy chains regularly disclose customers’ medical information to law enforcement agencies without a warrant, according to a Congressional investigation announced Tuesday and reported in the Washington Post.

In a letter to the Department of Health and Human Services (HHS), Sen. Ron Wyden and Reps. Pramila Jayapal and Sara Jacobs detailed the results of their inquiry into the issue. As part of the investigation, “officials with America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.” Pharmacies have unique flexibility under the Health Insurance Portability and Accountability Act (HIPAA) to interpret the legal standard required before disclosing customer medical records to law enforcement. Subpoenas require a less stringent showing than warrants and can be issued by a government agency without the oversight or approval of a judge.

“Although pharmacies are legally permitted to tell their customers about government demands for their data, most don’t,” the letter explains. “As a result, many Americans’ prescription records have few meaningful privacy protections, and those protections vary widely depending on which pharmacy they use.”

In recent comments to HHS, EPIC argued that the HIPAA Privacy Rule should establish a warrant requirement for law enforcement to access protected health information. In this context, law enforcement would have to get a warrant supported by probable cause before seeking a customer’s medical records from a pharmacy.

The ease with which law enforcement can currently obtain pharmacy data is especially concerning as many states continue to criminalize abortion and medication related to reproductive health. According to the Washington Post, nearly 1 in 3 women in the U.S. between the ages of 15 and 44 live in states where abortion is fully or mostly banned. Customers have an expectation that their reproductive health information at their local pharmacy will remain private. As EPIC detailed in its comments to HHS, amending the HIPAA Privacy Rule to include a warrant requirement “would help normalize privacy protections nationwide and provide clarity to covered entities’ legal departments.”

EPIC regularly advocates for stronger privacy protections for personal health information, including reproductive health information, both under HIPAA and in contexts that fall outside of HIPAA. Recently, EPIC submitted comments to the U.S. Senate Committee on Health, Education, Labor, and Pensions urging the Committee to address the “unique and serious privacy and security risks” posed by the commercial processing of personal health data.

The Record: Meta sues FTC, seeking to block new rules for children’s data 

Meta is now seeking a preliminary injunction to prevent the FTC from moving forward with its update to the 2020 order. 

Privacy advocates called the lawsuit’s legal theory “far-fetched” and a “kitchen sink constitutional attack,” saying Meta is trying to run out the clock to block the proposed changes. 

“A hearing before the FTC will confirm that Meta continues to mishandle personal data and put the privacy and safety of minors at risk, despite multiple orders not to do so,” John Davisson, litigation director at the Electronic Privacy Information Center, said in a statement.

Read more here

EPIC Urges OMB to Strengthen Draft Regulations for Government Use of AI

EPIC submitted comments to the White House Office of Management and Budget commending their strong step toward regulating AI use by federal government agencies, and recommending several ways to strengthen it.

Last month, the agency took a major step toward ensuring the federal government uses new AI technologies responsibly: it released draft guidance outlining federal agencies’ obligations and suggested actions around the responsible development, use, and procurement of AI technologies.

The draft guidance comes on the heels of President Biden’s Executive Order 14110, entitled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” and incorporates previous federal efforts to manage the risks and impacts of AI technologies like the White House’s Blueprint for an AI Bill of Rights and the National Institute of Standards and Technology’s AI Risk Management Framework.

It has three overarching purposes: (1) it establishes new agency roles, resources, and processes for managing new and existing government AI systems, including a new Chief AI Officer (CAIO) role to lead each agency’s implementation of the OMB draft guidance; (2) it requires agencies to build internal processes to foster responsible AI innovation and adoption; and (3) it sets out minimum AI risk management practices that most executive agencies are expected to follow when developing, procuring, or using AI systems that impact individuals’ rights or safety. These practices include ongoing AI impact assessments covering an AI system’s intended purpose, potential risks, and relevant data; real-world performance testing to ensure reliability and risk mitigation in practice; independent evaluations of AI performance; annual AI monitoring; and consultations with affected and underserved communities.

EPIC recommends that OMB (1) enforce agency compliance with its AI guidance; (2) refine responsible AI provisions like AI impact assessments and AI use case inventory reporting to increase transparency and accountability for more types of AI systems; (3) increase agency data management practices through additional data minimization provisions and reinvigorated privacy impact assessment reporting requirements; (4) encourage AI adoption only where AI can serve as a curated tool to meet predefined agency needs; and (5) monitor national security systems and mandate AI risk management practices when they are used for other purposes covered by OMB’s AI guidance.

Sen. Wyden Reveals Government Surveillance of Smartphone “Push” Notifications

Senator Wyden published a letter today to the Attorney General revealing that the U.S. government and foreign governments have “secretly compelled” Google and Apple to turn over information obtained from push notifications, including both communications metadata and often the contents of communications. Push notifications are alerts from apps that pop up on phones, informing the user of a new message or reminder. Because these notifications are routed through centralized Google and Apple servers, the government can mine them for otherwise difficult-to-obtain data, like how often a person uses an app, or even what a particular push notification says. Also today, 404 Media published a story detailing how the U.S. government compels tech companies to turn over push notification data.

Senator Wyden urged the DOJ to permit Apple and Google to “be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data.” The Senator also requested that the DOJ permit companies to reveal at least aggregate statistics on how often governments are accessing push notification data. 

Senator Wyden also recently revealed new details about the Drug Enforcement Administration’s Hemisphere program, now known as Data Analytical Services (DAS), a vast and highly secretive surveillance program run by the White House Office of National Drug Control Policy and the DEA.

Senator Wyden’s letter came out in the midst of a bipartisan push to reform government surveillance in the U.S. EPIC and a bipartisan coalition of privacy, civil liberties, and civil rights groups have launched a campaign to significantly reform Section 702 of the Foreign Intelligence Surveillance Act and related surveillance authorities. Members of this coalition recently urged Senate Majority Leader Chuck Schumer to refrain from including any short-term reauthorization of FISA Section 702 in the continuing resolution or any other “must-pass” legislation.

How the FCC’s Voluntary Nutrition Label Program Could Equip Consumers to Shop for Secure Connected Devices

Americans are rightly concerned about what information their devices may be collecting about them and their family, and businesses would be wise to learn the lessons of tech policy past and address data privacy and security issues now to avoid fragmented, reactive regulation later. In November, the Federal Communications Commission closed the reply comment period for PS Docket No. 23-239, “Cybersecurity Labeling for Internet of Things, Notice of Proposed Rulemaking” (IoT NPRM). EPIC, represented by the Georgetown Law Communications and Technology Law Clinic, joined by coalition partners, filed a reply comment to this NPRM, proposing several key elements in the best interest of consumers and which companies should embrace.

Given the label’s primary goal of ensuring consumer confidence in the cybersecurity of their IoT devices, we urged the FCC to adopt a dual-layer labeling solution. This solution would include an easily glanceable primary label and a secondary label that displays additional cybersecurity and privacy information, empowering consumers to make an informed purchase at point of sale. For the vast majority of products, we supported the FCC’s proposal that the product itself carry a mark, a “U.S. Cyber Trust Mark.” To qualify for the U.S. Cyber Trust Mark, our proposal would require the product itself to collect only the data necessary to provide its essential functions and services, a principle called data minimization that has been promoted since the Fair Information Practice Principles (FIPPs) of the 1970s but not adhered to in recent memory (although some regulators are looking to change this). Companies should design the product itself to include the mark. Additionally, the product box should include a primary label which displays the information most critical to the consumer’s evaluation of the product’s relative cybersecurity, including the kind of data the device collects (e.g. video, audio, physiological, geolocation, etc.) per Carnegie Mellon University CyLab’s model. The primary label on the product box should also include a URL and a QR code to connect the consumer to a website which hosts a secondary label that displays a set of more detailed information regarding the privacy and cybersecurity of the device.

Our vision for the label also builds in cybersecurity best practices through a robust enforcement regime. Cybersecurity is a constantly evolving field, and capturing compliance at a single point in time is not enough to ensure consumer protection. We urge the FCC to conduct periodic recertification and post-certification audits to ensure that IoT device companies stay current in their cybersecurity practices. Additionally, we urge the FCC to implement a short cure period for devices discovered to be noncompliant with label obligations and representations. While robust enforcement of the label is necessary for success, immediate punishment does not fix the device vulnerability, leading to greater consumer risk. By using a short cure period, the FCC will incentivize companies to quickly patch any vulnerabilities, leading to safer devices for consumers.

Finally, and perhaps most importantly, we urged the FCC to not allow the label to be used as a…

Capitol Forum: Antitrust Tech Tuesday – California Privacy Protection Agency Proposes New Privacy Regulations

John Davisson, the director of litigation and senior counsel at the Electronic Privacy Information Center, told The Capitol Forum that this draft regulation is a “significant potential step” for privacy law.

“The board appears to be trying to make the most of what the California Consumer Privacy Act authorizes them to do, and to really put teeth into the automated decision-making pieces of this,” Davisson said.

Davisson told The Capitol Forum that he hopes the CPPA will consider including a universal opt-out option for consumers, like they have done in the past, so that consumers do not have to continually opt-out for every company they interact with.

“If you are constantly being barraged with requests to manage your privacy settings at a granular level, it very quickly becomes exhausting and exasperating,” Davisson said. “And people will just click through and consent to everything. It’s important for these obligations to lie with the companies rather than with individuals or having to manage everything at a granular level.”

(Subscription newsletter)

Brooklyn Daily Eagle: Massive data breach alert: AG James urges New Yorkers to secure their data

This state-level push is not aimed at seeping across all 50 states but rather at tightening regulation in enough places to compel the industry to adopt a de facto national standard. Privacy advocates are striving to enact state-level proposals that align closely with the ADPPA, including limitations on data collection and sharing, establishing a data broker registry, and creating new rights for Americans to delete their data. 

However, this approach faces challenges from an industry-led campaign that has successfully enacted weaker laws in states like Virginia and Utah. The Electronic Privacy Information Center, a D.C.-based nonprofit, is spearheading the multi-statehouse push among privacy advocates, targeting states like Maryland and Michigan to introduce state versions of ADPPA. 

Read more here.

EPIC Endorses Traveler Privacy Protection Act

Today, Senators Jeff Merkley (D-OR) and John Kennedy (R-LA) introduced the Traveler Privacy Protection Act, which would prohibit the Transportation Security Administration (TSA) from using facial recognition. The TSA has been testing the use of facial recognition at various airports over the past few years and, despite warnings of the dangers of implementing facial recognition technology, TSA plans to push the technology out to hundreds of airports. EPIC Senior Counsel Jeramie Scott has explained why TSA’s plans to implement facial recognition in airports across the country are so dangerous.

EPIC has previously urged Congress to suspend TSA’s use of facial recognition and, in comments to the TSA, insisted the agency halt the deployment of facial recognition programs. Earlier this year, EPIC supported Senators’ call for TSA to stop the use of facial recognition.

Jeramie Scott, EPIC Senior Counsel & Director of the Project on Surveillance Oversight, released the following statement on the Traveler Privacy Protection Act:

“The Electronic Privacy Information Center (EPIC) applauds the introduction of the Traveler Privacy Protection Act and its prohibition on TSA’s use of facial recognition technology. The privacy risks and discriminatory impact of facial recognition are real, and the government’s use of our faces as IDs poses a serious threat to our democracy. The TSA should not be allowed to unilaterally subject millions of travelers to this dangerous technology,” said Jeramie Scott, Senior Counsel and Director of EPIC’s Project on Surveillance Oversight.

Meta Launches Kitchen Sink Constitutional Attack on FTC to Evade New Privacy Limits

Meta, the parent company of Facebook and Instagram, launched a far-reaching legal attack on the Federal Trade Commission’s authority to enforce consumer protection laws Wednesday in an attempt to evade proposed restrictions on the company’s collection and use of personal data.

In May, the FTC announced its intent to impose significant new limits on the personal data practices of Meta, including a ban on monetizing the data of minors and constraints on the company’s use of facial recognition technology. The proposed action, which would modify an existing FTC order against Meta resulting from the Cambridge Analytica scandal, is based on findings that Meta “failed to fully comply with the order, misled parents about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.”

On Wednesday, Meta filed suit in the U.S. District Court for the District of Columbia to preemptively halt the FTC’s proceeding, arguing that the Commission’s structure and enforcement procedures—which are firmly grounded in decades of federal law and agency practice—violate a laundry list of constitutional provisions. Meta is seeking a preliminary injunction staying the FTC’s action based on the company’s novel reading of the Constitution. Earlier this week, a separate legal challenge by Meta to the FTC’s enforcement action was rejected by a federal judge.

“It seems there’s no legal theory, however far-fetched, that Meta won’t deploy to avoid a full accounting of its harmful data practices,” EPIC Director of Litigation John Davisson said in a statement. “The reason is clear. A hearing before the FTC will confirm that Meta continues to mishandle personal data and put the privacy and safety of minors at risk, despite multiple orders not to do so. The changes FTC is proposing to Meta’s exploitative business model can’t come soon enough. We hope the court will reject Meta’s latest attempt to run out the clock, as another federal court did just this week.”

EPIC has long fought to protect the privacy of social media users, particularly users of Facebook and Meta. In 2009, EPIC and coalition partners brought an FTC complaint concerning Facebook’s privacy settings that led to the Commission’s first consent decree with Facebook. EPIC filed numerous FTC complaints targeting Facebook’s abusive data practices in the years after and challenged the inadequacy of the Commission’s 2019 consent decree in federal court. EPIC has also advocated for heightened privacy protections for minors. Recently, EPIC submitted comments to the National Telecommunications and Information Administration to provide recommendations for improving youth mental health, safety and privacy online.

Writing Contest Prize Winners Announced

We’ve completed the judging for Round 109 of the SurvivalBlog non-fiction writing contest.  The judging was particularly difficult for this round, because there were so many great articles. Round 108 began on August 1st and ended on September 30, 2023. (The contest is run in rounds that each last two months.) The prize-winning writers for Round 108 are:

First Prize

First Prize goes to SaraSue, for: Homesteading – A Cautionary Tale, posted on November 10-11-12, 2023. See: Part 1, Part 2, and Part 3. She will receive the following prizes:

  1. The photovoltaic power specialists at Quantum Harvest LLC are providing a store-wide 10% off coupon. Depending on the model chosen, this could be worth more than $2000.
  2. A Gunsite Academy Three Day Course Certificate. This can be used for any of their one, two, or three-day courses (a $1,095 value).
  3. Two cases of Mountain House freeze-dried assorted entrees in #10 cans, courtesy of Ready Made Resources (a $350 value),
  4. A $250 gift certificate good for any product from Sunflower Ammo,
  5. American Gunsmithing Institute (AGI) is providing a $300 certificate good towards any of their DVD training courses.
  6. Two sets of The Civil Defense Manual, (in two volumes) — a $193 value — kindly donated by the author, Jack Lawson.
Second Prize

Second Prize goes to J.M. for Alternative and Improvised Weapons, posted in six parts from November 14th to 19th, 2023.  See: Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6.

  1. A SIRT STIC AR-15/M4 Laser Training Package, courtesy of Next Level Training, that has a combined retail value of $679.
  2. Two 1,000-foot spools of full mil-spec U.S.-made 750 paracord (in-stock colors only) from www.TOUGHGRID.com (a $240 value).
  3. Two Super Survival Pack seed collections, a $150 value, courtesy of Seed for Security, LLC,
  4. A transferable $150 FRN purchase credit from Elk Creek Company, toward the purchase of any pre-1899 antique gun. There is no paperwork required for delivery of pre-1899 guns into most states, making them the last bastion of firearms purchasing privacy!
Third Prize

Third Prize goes to Michael X, for: 12 Basic Actions To Make It Through the First 12 Weeks of TEOTWAWKI, posted on October 24-25, 2023. See: Part 1 and Part 2. He will receive the following prizes:

  1. A $300 gift certificate from Good2Goco.com, good for any of their products: Home freeze dryers, pressure canners, Country Living grain mills, Emergency Essentials foods, and much more.
  2. Three sets each of made-in-USA regular and wide-mouth reusable canning lids. (This is a total of 300 lids and 600 gaskets.) This prize is courtesy of Harvest Guard (a $270 value)
  3. A Royal Berkey water filter, courtesy of Directive…