The Federal Trade Commission (FTC) recently announced a proposed order settling charges that online alcohol addiction treatment service provider Monument, Inc. deceived users of its services about how it used and shared their sensitive health data. If finalized, the order would fine Monument US$2.5 million and, among other things, permanently prohibit the company from sharing health data for advertising purposes. The development reinforces the agency's position, articulated in actions brought last year against GoodRx, BetterHelp, and Premom, that companies must handle consumer health data with heightened sensitivity, particularly when sharing such data with third-party advertisers.
Based on the FTC's claims, the Department of Justice (DOJ) filed a complaint against Monument, too, asserting that Monument deceived users of its service by disclosing members' highly sensitive personal health data to third-party advertising platforms like Meta without obtaining consent. The complaint alleges that Monument affirmed on its website and in communications with its members that personal information would be kept "100% confidential," that Monument would not disclose this information to third parties without members' consent, and that Monument complied with the Health Insurance Portability and Accountability Act (HIPAA).
Despite making these promises, the complaint alleges, Monument disclosed personal information for as many as 84,000 members. Although Monument did not share its members' actual medical records, it allegedly disclosed users' health information to third-party advertising platforms, like Meta and Google, via tracking technologies integrated into Monument's website that tracked "standard" and "custom events." The titles of these custom events, for example "Paid: Weekly Therapy," allegedly conveyed details about treatment sought by users. The complaint also alleges the company's representations regarding HIPAA compliance were deceptive given that an outside assessor previously concluded that Monument was only partially compliant with HIPAA.
Much like the FTC's claims against BetterHelp, the complaint alleges that Monument shared "personal information" with Meta by disclosing user email addresses, even though such email addresses were in hashed form (i.e., represented cryptographically with a sequence of letters and numbers that masked the underlying data), because Monument allegedly knew Meta would be able to undo the hashing and uncover the email addresses of Monument members who joined to receive treatment for alcohol addiction. Meta could then match the un-hashed email addresses to Facebook user IDs.
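Why a hashed email address still identifies a person to a recipient that already holds that address, shown as an added example that is not taken from the complaint or from any company's code. It assumes unsalted SHA-256 over a trimmed, lowercased address (the article does not name the hash function); every address and the key below are constructed.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Assumed normalization: trim and lowercase so both sides hash identical bytes.
    return email.strip().lower()


def plain_hash(email: str) -> str:
    # Unsalted SHA-256: the same address yields the same digest for every party.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    # HMAC-SHA-256 under a secret that only the sender holds.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def recipient_match(received_digests, known_accounts):
    """Join received digests against digests of addresses the recipient already has."""
    lookup = {plain_hash(addr): addr for addr in known_accounts}
    return {d: lookup[d] for d in received_digests if d in lookup}


# Constructed sample data (not real users).
SENDER_MEMBERS = [" Alice@Example.com ", "bob@example.org"]
RECIPIENT_ACCOUNTS = ["alice@example.com", "carol@example.net", "bob@example.org"]
SENDER_KEY = b"constructed-demo-key-never-shared"


def demo():
    shared_plain = [plain_hash(e) for e in SENDER_MEMBERS]
    shared_keyed = [keyed_hash(e, SENDER_KEY) for e in SENDER_MEMBERS]
    # The recipient only knows the public hash function, not the sender's key.
    return (recipient_match(shared_plain, RECIPIENT_ACCOUNTS),
            recipient_match(shared_keyed, RECIPIENT_ACCOUNTS))


if __name__ == "__main__":
    plain, keyed = demo()
    print("re-identified from plain hashes:", sorted(plain.values()))
    print("re-identified from keyed hashes:", sorted(keyed.values()))
```

The plain digests resolve to accounts because the recipient can compute the same function over addresses it already knows; the keyed digests cannot be joined by anyone who lacks the key.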
The complaint also asserts that Monument failed to contractually limit how third parties, such as Meta, could use or disclose sensitive information. According to the complaint, Monument "merely agreed to the third parties' general terms of service," which either did not restrict third parties' use and disclosure of the information or explicitly allowed them to use the information for their own purposes.
Based on these allegations, DOJ has asserted four causes of action against Monument under Section 5(a) of the FTC Act: (1) unfair privacy practices, (2) unfair disclosure of consumers' health information for advertising and recipient third parties' own purposes without affirmative express consent, (3) misrepresentations regarding disclosures of health information to third parties, and (4) misrepresentations regarding compliance with HIPAA. The DOJ also asserts that Monument violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 by misrepresenting practices involving disclosure of users' personal information in connection with its marketing and sale of alcohol treatment services.
This action underscores the FTC and DOJ's commitment to disciplining organizations that fail to accurately inform consumers about how their personal health information is collected, used, and shared, particularly with third-party advertisers. The Monument case and the other recent actions by the FTC involving alleged privacy abuses by members of the digital health industry are a strong warning to companies to protect consumer data. Indeed, as Samuel Levine, Director of the FTC's Bureau of Consumer Protection, stated in the FTC's press release about the Monument case: "[f]ollowing on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution."