In the hierarchy of confidential data, health information ranks right up there. And in the hierarchy of health information, details about a person’s mental health may be among the most confidential. But according to the FTC, that’s not how online counseling service BetterHelp viewed it. The FTC says the company repeatedly pushed people to take an Intake Questionnaire and hand over sensitive health information through unavoidable prompts. And it promised to keep that information private through statements like: “Rest assured – any information provided in this questionnaire will stay private between you and your counselor.” But from the FTC’s perspective, a truthful statement would have been “Rest assured – we plan to share your information with major advertising platforms, including Facebook, Snapchat, Criteo, and Pinterest.” A proposed FTC settlement with BetterHelp includes $7.8 million for partial refunds for BetterHelp customers and conveys an unmistakable message about just how seriously the FTC takes this kind of betrayal of trust.
BetterHelp offers online counseling services through that name and through specialized versions for particular audiences – for example, Pride Counseling for members of the LGBTQ community, Faithful Counseling for people of the Christian faith, Terappeuta for Spanish-speaking clients, and Teen Counseling for teenagers who enroll with parental permission.
Since BetterHelp was founded, more than two million people have signed up, entrusting the company with their personal information, much of it related to the status of their health – and their mental health. For example, the company’s Intake Questionnaire asked people to disclose if they’re “experiencing overwhelming sadness, grief, or depression,” if they’re having thoughts they “would be better off dead or hurting [themselves] in some way,” if they’re taking medication, and if they’ve been in therapy before.
To assuage concerns about revealing personal information online or through an app, BetterHelp made a variety of confidentiality promises to consumers. Visitors to the site were told at the outset that the company collected “general and anonymous background information about you and the issues you’d like to deal with in online therapy” so the person can be matched “with the most suitable therapist.” Although the exact wording changed over time, the company assured people that aside from a few narrow uses related to providing online counseling services, their private information would remain private. In addition, for more than three years, BetterHelp told people thinking about signing up for Faithful Counseling, Pride Counseling, or Teen Counseling that their email addresses would be “kept strictly private” and “never shared, sold or disclosed to anyone.”
Despite those promises, the FTC says BetterHelp used a wide variety of tactics to share the health information of over 7 million consumers with platforms like Facebook, Snapchat, Criteo, and Pinterest for the purpose of advertising. You’ll want to read the complaint for details, but here are just a few examples. In 2017, BetterHelp allegedly uploaded the email addresses of all current and former clients to Facebook – nearly 2 million in total – to target them with ads to refer their Facebook friends to BetterHelp for mental health services. During another period, the FTC says BetterHelp disclosed to Facebook for advertising purposes the previous therapy of 1.5 million people who visited or used BetterHelp’s site. The source of that information: their responses to the intake question “Have you been in counseling or therapy before?”
But that’s not all. According to the complaint, BetterHelp broke its privacy promises by disclosing to Snapchat the IP and email addresses of approximately 5.6 million former visitors to target them with BetterHelp ads. In addition, for a six-month period, the company disclosed to Criteo the email addresses of over 70,000 visitors – including people who had looked into Pride Counseling and Faithful Counseling. Similarly, for a one-year period, BetterHelp disclosed visitors’ email addresses to Pinterest. What was in it for BetterHelp? According to the complaint, “Using this health information for advertising, [BetterHelp] has brought in hundreds of thousands of new Users, resulting in millions of dollars in additional revenue.”
When a news site revealed in February 2020 that BetterHelp was sharing consumers’ health data with third parties, people complained to the company. As one person put it, “I have not given ANY consent to share my information with ANYONE. ESPECIALLY ads targeting my mental health ‘weakness.’” How did BetterHelp respond? The FTC says the company doubled down on deception by falsely denying it had shared consumers’ personal information – including their health information – with third parties.
The eight-count complaint details how the FTC says BetterHelp’s allegedly deceptive and unfair practices harmed consumers. The proposed order in the case will require BetterHelp to pay $7.8 million that will be used to provide partial refunds to people who signed up for and paid for BetterHelp’s services between August 1, 2017, and December 31, 2020. In addition, the proposed order prohibits BetterHelp from sharing consumers’ health data for advertising or sharing their personal information for re-targeting – serving ads to consumers who had visited the company’s site or used its app. The settlement also includes provisions to limit BetterHelp’s data sharing in the future. The company must contact affected consumers directly about the case and must direct third parties to delete consumers’ health and other personal data that BetterHelp shared with them. Once the proposed settlement is published in the Federal Register, you’ll have 30 days to file a public comment.
The case offers a key guidance point for other companies: Honor your privacy promises. Tell the truth and get consumers’ affirmative express consent before sharing any health information.
Here are other takeaways to take into consideration.
“Personal information” may be “health information” simply due to the nature of the product or service. Generally speaking, an email address might not be considered “health information” – unless, of course, the source of the information is a health-related service. In the case of BetterHelp, most people visited the site to seek mental health assistance. Therefore, just the fact that BetterHelp, Pride Counseling, or Faithful Counseling was the source of their email or IP address revealed highly sensitive information to third parties. The message for others in the industry: Context counts.
Institute policies, practices, and procedures to protect health information. As the FTC’s complaint makes clear, a lack of appropriate safeguards can lead to unfair and deceptive practices related to the collection, use, and disclosure of health information. For example, the complaint alleged that BetterHelp failed to have written policies and procedures for protecting the privacy of health information. And it failed to properly train and supervise employees that handled that health information. It also didn’t get consumers’ affirmative express consent before disclosing their health information to third parties and it failed to contractually limit those third parties from using the data for their own purposes.
“Slinging hash” won’t necessarily protect consumers’ personal data. Although BetterHelp hashed people’s email addresses before sharing them with third parties – in other words, converted them into a sequence of letters and numbers through a cryptographic tool – the hashing was done just to hide the addresses in case of a security breach. The FTC says BetterHelp knew that third parties like Facebook would effectively undo the hashing to reveal the email addresses of people who had gone to the BetterHelp site for mental health services. Once Facebook had those addresses, it would easily match them to the email of people with Facebook accounts. What can other companies learn from that example? Certainly there are instances where hashing may be called for, but it won’t protect the privacy of consumers’ information if third parties can un-hash the data.
Monitor data flows to all third parties your site or app may transmit to via web beacons, pixels, or other tracking technologies. It’s illegal to make privacy promises to consumers without taking into account any information that’s going to third parties through various forms of ad tech. It boils down to this: Don’t make privacy promises that your practices don’t live up to.
When it comes to conveying claims to consumers, a picture can be worth a thousand words. Almost all of BetterHelp’s pages displayed multiple seals from third parties. Among them was a depiction of the medical caduceus and the term “HIPAA.” The complaint alleges that BetterHelp’s use of that visual falsely signaled to consumers that a government agency or other third party had reviewed the company’s practices and determined they met HIPAA’s requirements. Have you checked your site recently for graphics that could send similar deceptive messages?
Until the FTC’s proposed settlement with BetterHelp is final, we can’t offer specifics about the refund process. Bookmark the FTC’s refund page and watch for more information.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
Better Help is doing it’s best to take over the mental health services for thousands if not millions of people. Because they have paid google to be first in advertising, its difficult for people searching to find anything else.
They certainly do not comply with ethics regarding PHI information and other data about its customers. Please take them off of the market. They are misusing the public.
Hello ftc.gov admin, Thanks for the educational content!
THIS is EXACTLY why the people in this country are facing astronomical rates of depression and anxiety and suicide! If the company 1) KNOWINGLY LIED in order to put ppl at ease so they would enter their information, 2) KNOWINGLY displayed symbols and/or signs to mislead the consumer 3) took information that EVERYONE knows is illegal and deliberately "protected" it before distribution in a way that it had knowledge would be easily undone and used to benefit their bottom line, along with every other moral and ethical misstep described here, that company SHOULD NOT be 'fined' (and a PARTIAL PAYMENT? I thought this was supposed to be the CONSUMER PROTECTION agency?!) they should be shut down PERIOD.
This is a sad attempt of this agency to try to spin the fact that put a company above the consumer AGAIN. This should've been made much more widely known so that potential customers could make a much better-informed choice about whether or not to spend their money there.
Many complaints were submitted by therapists like myself about BetterHelp mining therapist data from websites, which was then used to falsely inflate their number of providers despite those providers never having signed up or agreeing to use of our data. Therapists have complained that BetterHelp used this tactic to draw in clients. When clients asked for a data-mined therapist who had not signed up to be a provider, BetteHelp referred these clients to their own contracted providers. I’d like to know if these complaints that appear to be an unethical bait and switch tactic were also investigated.
The penalty Better Help is apparently agreeing
to sounds like a bargain. Are they ensuring proper credentials & licensing for their "counselling" services? Are they avoiding state licensing (by jurisdiction jumping) to insulate themselves from malpractice claims? Isn't the penalty a small % of their ill-gotten revenue?
Even if you find them, it will just be another cost of doing business. Find a way to put the people in charge in jail.
They need to be SHUT DOWN. They BETRAYED the most vulnerable people. Most of us need(ed) therapy, in part, specifically BECAUSE OF BETRAYAL OF TRUST. Personally, just reading this has set me back in my recovery. I will never be able to trust therapy ever again. This is just beyond wrong.
Thank you to everyone who commented. This is helpful information to know. I also read an article about how much they spend on advertising. I recommend it.
"A proposed FTC settlement with BetterHelp includes $7.8 million for partial refunds for BetterHelp customers and conveys an unmistakable message about just how seriously the FTC takes this kind of betrayal of trust."
7.8 million concerts that they don't take it very seriously at all. That amount is a line item "cost of doing business" compared to how much these companies profit from this kind of stuff.
Add new comment