FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties
The Federal Trade Commission (FTC) has ordered the alcohol addiction treatment firm Monument to stop disclosing consumers’ health data to third parties for advertising purposes without obtaining affirmative consent. A $2.5 million civil monetary penalty has also been imposed but the penalty has been suspended due to the inability of Monument to pay.
The FTC’s proposed order settles FTC charges that Monument disclosed consumers’ personal and health information to third parties such as Google and Meta between 2020 and 2022 without obtaining consent. The data disclosed revealed that customers were receiving help with alcohol addiction when Monument had informed its customers that their data would remain 100% confidential.
When customers sign up for Monument’s services, they disclose sensitive information including their name, email address, date of birth, phone number, address, information about their alcohol consumption, medical history, copies of their government-issued IDs, and their IP address and device IDs are collected. According to the complaint, between 2020 and 2022, Monument informed consumers on its website and in communications that the personal and health information provided to the company would be 100% confidential and would not be disclosed to third parties without user consent. Monument also claimed that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA).
However, Monument added tracking technologies to its website, also known as pixels and application programming interfaces (APIs), which were used to collect information that allowed it to target ads for its services to new consumers and current customers who had signed up for the lowest-cost memberships. Monument classified website interactions under standard and custom events, with the latter given descriptive titles such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The “custom events” information was disclosed to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, that allowed individuals to be identified and associated with the custom events. The descriptions confirmed that the individuals were receiving treatment for alcohol addiction. Monument did not track the disclosures nor maintain an inventory of the information it collected and disclosed to third parties; however, according to the FTC, as many as 84,000 of its users had their information disclosed to third parties without consent.
These disclosures were deemed to constitute unfair and deceptive practices that violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). The $2.5 million civil monetary penalty will have to be paid if the company is found to have misrepresented its finances. Monument must also identify the user data it has sent to third parties and instruct them to delete the data, implement a comprehensive privacy program with strong safeguards to protect consumer data and address the issues the FTC identified in its complaint, and inform consumers whose information has been disclosed to third parties for advertising purposes. The FTC order now awaits approval from a District Court judge.
“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”
The FTC has also recently taken action against the mental health telehealth company Cerebral and has ordered the company to pay a $7.1 million penalty.
