FTC Seeks Significant Penalties from Two Health Companies Alleging Misuse of Consumer Personal Information
The Federal Trade Commission (FTC) is continuing its aggressive pursuit of companies it believes have mishandled consumers’ sensitive health information, and in particular those who have shared consumers’ information with Meta, Google, and other third-party advertising platforms without consumers’ express authorization.
Within the last week, the Department of Justice filed two complaints on FTC’s behalf along with proposed orders of resolution – one on April 11, 2024 against Monument (an online alcohol addiction treatment service) and one on April 12, 2024 against Cerebral (an online mental health and substance use disorder treatment service). In both complaints, FTC alleges that the companies disclosed users’ personal information to third parties via pixels and application programming interfaces, and subsequently used that information to target ads to existing users and new clients. In the Monument complaint, FTC specifically highlights alleged misuse of names, dates of birth, details about alcohol consumption, medical histories, and IP addresses. In the Cerebral complaint, FTC details alleged misuse of names, contact information, treatment and prescription histories, appointment information, and treatment plans.
Monument Complaint
FTC asserts that from 2020-2022, Monument may have shared the data of as many as 84,000 users, despite promises that no such disclosures would be made without users’ consent. Specifically, the complaint alleges that Monument represented on its website FAQs, and via customer service representatives’ responses to consumer questions, that the company complied with HIPAA and did not share sensitive health information with third parties without prior written consent. FTC asserts, however, that the company had completed multiple HIPAA compliance assessments and been told that it was not, in fact, HIPAA compliant. In addition, FTC points to statements in which the company assured consumers that their personal information would be “100% confidential” – something contradicted by the company’s own privacy policy. FTC alleges that these and other practices violate both the FTC Act’s prohibition against unfair and deceptive practices and provisions of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA).
Cerebral Complaint
In the Cerebral complaint, FTC asserts that, between October 2019 and March 2023, the company shared health or other personal information about more than three million individuals with third parties, despite claims it would not share personal information for marketing purposes without consent. These disclosures were largely tied to the use of web-tracking tools, but also included disclosures via the use of marketing postcards that arguably revealed an individual’s status as a client or associated diagnosis. Additionally, the complaint outlines alleged flaws associated with access controls for former employees and agents, and a sign-in process for a patient portal that allowed customers to see information about other patients. The Cerebral complaint also addresses the company’s service cancellation practices, which FTC found to be overly complicated and inconsistent with assurances to customers that they could “cancel anytime.” As in the Monument complaint, the government contends that Cerebral’s actions violated not only the FTC Act, but also various provisions of OARFPA. Notably, the CEO of Cerebral is not a party to this resolution, and the government’s case against the CEO will continue.
Costly and Long-Term Implications of FTC’s Proposed Resolutions
FTC’s proposed orders to resolve these cases include several significant features beyond a one-time financial penalty. For example, both proposed orders require, among other things: (a) the implementation of detailed privacy and information security compliance programs; (b) regular internal assessments; (c) third-party assessments, including mandatory monitoring of compliance with these programs (in the case of Monument for 10 years and in the case of Cerebral for 20 years); (d) incident reporting; and (e) a go-forward ban on sharing personal data with third parties for nearly all advertising purposes. Both companies are also required to send impacted consumers a detailed notice describing how personal information was used and explaining that any such information will be deleted if it is not used for treatment, payment, or operations purposes without their express authorization. In addition, both companies must notify third parties with whom consumer information was shared that they must delete the data previously shared with them. Implementing these program requirements will be expensive for both companies, not only in terms of dollars, but also in time, technology, and personnel.
As for immediate financial penalties, Monument’s $2.5 million civil penalty is expected to be waived given the company’s inability to pay. In Cerebral’s case, the company must pay more than $7 million in monetary relief and penalties to address its cancellation and privacy practices, with an additional $8 million in privacy-related penalties expected to be waived due to the company’s stated inability to pay.
Quick Takeaways
Following FTC’s activity last year against GoodRx, BetterHelp, and Premom, the Monument and Cerebral complaints suggest that the federal government will continue to pursue companies that it believes are engaging in unauthorized sharing of consumers’ sensitive health information with platforms such as Meta and Google. Companies that receive and use sensitive consumer health information, or those seeking to acquire such companies, should carefully review their privacy and data security practices and consider implementing or enhancing their internal compliance programs. The FTC’s allegations against Monument and Cerebral underscore the importance of not just having robust written policies, but also ensuring that those policies are followed in practice.