This article was co-published with STAT, a national publication that delivers trusted and authoritative journalism about health, medicine, and the life sciences.
On April 11, the Federal Trade Commission took action against alcohol addiction telehealth company Monument, affirming its promise to crack down on digital health companies’ misuse of personal health data.
Monument revealed health information to third parties including Meta and Google without users’ consent, the FTC alleged, while misleading users into thinking their health data was kept confidential. A proposed order to settle the allegations would ban the company from disclosing that sensitive data for advertising purposes, among other penalties.
The action followed a joint investigation by STAT and The Markup, which found 49 of 50 telehealth websites sharing health data through third-party trackers, the code that follows users across the internet and targets advertising. Monument was one of dozens of telehealth companies leaking sensitive health data this way.
This is the latest in a string of digital health enforcement actions that began last February, when the FTC enforced its long-dormant Health Breach Notification Rule for the first time, against GoodRx. “The market should be getting the message that consumer health data should be handled with extreme caution,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a release.
Monument’s site claimed that “Any information you enter with Monument is 100% confidential, secure, and HIPAA compliant.” But starting in 2020, the FTC complaint states, Monument disclosed sensitive information about users’ enrollment in its alcohol addiction programs, including therapy and medication. Because that data was sent along with personal identifiers such as email and IP addresses, third-party advertising platforms like Meta and Google could link health status and treatment information to as many as 84,468 individuals.
The complaint alleges that Monument misrepresented its compliance with the Health Insurance Portability and Accountability Act, as well as its assurances that users’ data wouldn’t be disclosed to third parties without their consent, violating the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018.
“People can’t throw around HIPAA willy-nilly,” said Matt McCoy, a medical ethics and health policy researcher at the University of Pennsylvania whose research has revealed the ubiquity of third-party tracking on hospital websites. “To the extent that these digital health companies or other kinds of online health entities are using that as a signal to bolster consumers’ sense of their privacy protections, it’s good that the agency is not letting them get away with that.”
The action against Monument comes as the FTC and the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, work together to close the regulatory loopholes that enable the inappropriate use of sensitive health data. Last July, the agencies issued joint warning letters to about 130 telehealth companies and hospitals, emphasizing the risks to health data when companies use third-party trackers.
Both agencies have attempted to clarify the scope of their regulatory authority in the digital age. In December 2022, OCR issued a bulletin explaining how HIPAA applies to third-party tracking technologies. And last year, the FTC proposed updates to its Health Breach Notification Rule clarifying that it covers unauthorized disclosures such as data sharing via a tracking pixel without a user’s consent.
“In other contexts, companies would never install code in mission critical operations that they don’t trust. Yet that’s what they do every day with web tracking technologies,” wrote Ari Friedman, who researches digital health privacy with McCoy at the University of Pennsylvania, in an email to STAT. “Health-related entities should audit their websites regularly to ensure they are not facilitating this type of privacy violation.”
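A minimal version of the website audit Friedman recommends, added here as an illustration (it is not code from the article, the researchers, Monument, the FTC or any ad platform). It parses a page, flags scripts and image beacons loaded from a short assumed list of ad-platform hosts, and inspects inline Meta Pixel calls for user-data fields (such as `em`) and event parameters whose wording reveals treatment details. The host list, the sensitive-term list and the sample page are assumptions constructed for this example; a real audit would run against live pages and network captures, and would extend both lists.

```python
"""Added example: static audit of a web page for third-party tracking tags.

Illustrative code written for this article, not code from the parties it
describes. The sample HTML below is constructed; the tracker host list and
the sensitive-term list are short, illustrative assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve common ad/analytics tags (assumption: illustrative, not exhaustive).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}

# Words in event parameters that would reveal health status if sent to an ad
# platform (assumption: a short list chosen for this example).
SENSITIVE_TERMS = ("addiction", "alcohol", "diagnosis", "medication", "therapy", "treatment")

# Meta Pixel calls: fbq('init', ID, {em: ...}) passes user data for matching;
# fbq('track', EVENT, {...}) sends an event with optional parameters.
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"][^'\"]*['\"]\s*,\s*(\{[^}]*\})", re.S)
TRACK_RE = re.compile(
    r"fbq\(\s*['\"](?:track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"](?:\s*,\s*(\{[^}]*\}))?",
    re.S)
KEY_RE = re.compile(r"['\"]?(\w+)['\"]?\s*:")  # heuristic: object keys in JS literals


def sensitive_terms_in(text):
    """Return the sensitive terms that appear as whole words in text."""
    lowered = text.lower()
    return [t for t in SENSITIVE_TERMS if re.search(rf"\b{t}\b", lowered)]


class TagAuditor(HTMLParser):
    """Collects external tracker loads and inline pixel calls from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_parts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_parts = []
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._check_load(tag, a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._scan_inline("".join(self._script_parts))

    def handle_data(self, data):
        if self._in_script:
            self._script_parts.append(data)

    def _check_load(self, tag, url):
        # Any request to one of these hosts already discloses the visitor's IP
        # address and the page URL, before any custom parameters are considered.
        host = urlparse(url).netloc.lower()
        if host in TRACKER_HOSTS:
            self.findings.append({"kind": "load", "tag": tag, "host": host,
                                  "vendor": TRACKER_HOSTS[host]})

    def _scan_inline(self, js):
        for m in INIT_RE.finditer(js):
            self.findings.append({"kind": "advanced_matching",
                                  "keys": KEY_RE.findall(m.group(1))})
        for m in TRACK_RE.finditer(js):
            params = m.group(2) or ""
            self.findings.append({"kind": "event", "event": m.group(1),
                                  "params": KEY_RE.findall(params),
                                  "sensitive_terms": sensitive_terms_in(params)})


def audit_html(html):
    """Return the list of tracker findings for one page, in document order."""
    auditor = TagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: a sign-up confirmation that loads two ad-platform
# tags and passes the user's email plus program details to the Meta Pixel.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  fbq('init', '000000000000000', {em: 'user@example.com'});
  fbq('track', 'CompleteRegistration',
      {content_name: 'alcohol treatment program', plan: 'medication'});
</script>
</head><body>
<img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView" height="1" width="1"/>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
```

On the sample page the audit reports two tracker loads (Google Tag Manager and the Meta Pixel image beacon), one `init` call carrying an `em` field, and one `CompleteRegistration` event whose parameters mention alcohol, treatment and medication. Static parsing only sees what is in the page source; tags injected later by a tag manager are only visible in a browser's network capture, so a regular audit should review both.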
Industry has pushed back, especially against OCR’s characterization of HIPAA, culminating in a lawsuit filed by the American Hospital Association. Last month, OCR attempted to clarify in an updated bulletin the scenarios in which the use of tracking tools would disclose protected health information. But “they don’t seem to be backing away from the central claims,” said McCoy.
For the OARFPA violation, the FTC’s proposed order to settle the allegations imposes a civil penalty of $2.5 million, which Monument says it is unable to pay. If the order is approved, the company will be banned from sharing health data with third parties for advertising purposes. It will also be required to implement a privacy program to protect consumer data, inform consumers about the disclosure of their health data, and direct third parties to delete all the personal data that was shared through Monument. Monument did not respond to a request for comment by the time of publication.
“At this point, companies and health providers really have no excuse to say, well, we didn’t understand the privacy implications of these tools,” said McCoy. “With the enforcement actions by the FTC and by OCR, the days of being able to say we don’t know any better are over.”