Two major online healthcare service providers face substantial civil penalties for disclosing personal health information to third parties and engaging in other deceptive practices that allegedly harmed consumers.
The Federal Trade Commission (FTC), which enforces consumer protection and privacy laws, investigated Cerebral and Monument following health data breaches in the spring of 2023.
Both companies were found to have used website tracking technology to gather customers’ personal information and sell it to third-party advertisers. The FTC also looked into other potentially deceptive marketing tactics and data security concerns.
Cerebral
Mental healthcare platform Cerebral faces a $7 million penalty. Cerebral’s settlement prohibits it from disclosing consumers’ personal health information to third parties and from misrepresenting its privacy and data security practices. Over 3.1 million individuals’ health data was breached.
According to the FTC, Cerebral engaged in careless marketing tactics, including sending promotional postcards without envelopes that disclosed names and diagnosis information to anyone who saw them. The FTC also claimed that Cerebral failed to protect patient privacy by allowing former employees to access confidential medical records.
The FTC also alleged that Cerebral violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in deceptive practices related to substance use disorder treatment.
Cerebral also allegedly violated the Restore Online Shoppers’ Confidence Act (ROSCA) by requiring a multi-step process for customers to cancel their services, resulting in millions of dollars of overcharges.
Monument
Alcohol treatment provider Monument faces a $2.5 million penalty. Monument’s settlement prohibits it from disclosing health data to third-party advertisers. Over 100,000 individuals’ health data was breached.
The FTC alleged that Monument violated the FTC Act’s prohibition against unfair and deceptive practices and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). The FTC also suggested that Monument misrepresented its compliance with HIPAA.
Under the settlement, Monument must 1) inform all consumers who have not yet been notified that their health information was disclosed to third parties and 2) implement a comprehensive privacy program to address the FTC’s complaints and protect consumer data.
Follow HIPAA to Avoid Penalties
The FTC and the Office for Civil Rights (OCR), the agency that enforces HIPAA, are pursuing other website pixel tracking technology cases where providers and business associates have disclosed personal health information to third parties.
According to law firm BakerHostetler, private lawsuits brought by patients against healthcare companies using pixel tracking are also on the rise. Following the HIPAA Security Rule is the best way to prevent problems and defend against investigations or lawsuits alleging a breach of patient privacy.