
What will it take to get businesses to honor the promises they make about the privacy of consumers’ health data? Multiple FTC law enforcement actions in the past year? Two more cases against companies that shared health information with third-party advertising platforms without people’s consent? Here’s the loud-and-clear message companies need to hear: The FTC won’t back down in the fight to protect the privacy of consumers’ sensitive health data. 

Online health care provider Cerebral provides mental health and pain management subscription services to consumers. When people sign up, Cerebral collects a ton of private information – both the usual contact and payment data and also medical and prescription histories, health insurance details, religious and political beliefs, and sexual orientation. Wouldn’t consumers be wary of disclosing so much confidential information? Of course, which is why Cerebral promised to use “the latest information security technology to protect your data, which is not shared without your consent, and will only be used internally to improve clinical care.”

Assuring consumers that their information would receive “safe, secure, and discreet” treatment, the company promised “At Cerebral, patients come first.” But according to the FTC, patients came far down the list with advertising apparently taking the top spot.

The FTC charged that Cerebral turned over the sensitive health data of close to 3.2 million consumers to third-party platforms like LinkedIn, Snapchat, and TikTok for advertising purposes and data analytics. How did the company do it? By using tracking tools on its website or built into its apps that sent users’ names, addresses, phone numbers, medical and prescription histories, and other health information to the platforms. According to the FTC, Cerebral did this secretly and without fully disclosing to consumers what it was doing behind the scenes.

The FTC also alleges that Cerebral failed to have adequate protections in place for the data it collected and engaged in a host of slipshod security practices. For example, according to the complaint, Cerebral failed to block former employees’ access to consumers’ confidential medical records, sent promotional postcards (yes, postcards) to over 6,000 consumers that appeared to reveal their diagnosis and treatment, used single sign-in and access methods for its patient portal that let users see confidential health information about other users, and put consumers’ medical records at risk by permitting staffers and contractors to use a single key for Dropbox access.

[Image: Cerebral complaint illustration]

The FTC says Cerebral’s illegal practices didn’t end there. The lawsuit alleges the company also violated the Restore Online Shoppers’ Confidence Act (ROSCA) by playing fast and loose – or more accurately, slow and loose – with its “Cancel anytime” promise. In fact, Cerebral imposed a multi-step and often multi-day obstacle course consumers had to overcome to cancel the service. According to the complaint:

Emailing a cancellation demand did not actually cancel a subscription or stop recurring charges. Instead, Cerebral systematically subjected many clients to a “save” process in which its staff contacted them with questions and attempted to dissuade them from cancelling. Until this process ended, and Cerebral’s staff “confirmed” consumers’ cancellation demands, clients’ subscriptions remained active, and the clients remained subject to additional charges.

In other words, Cerebral was quick to charge – but slow to cancel – even in the face of consumers’ clear intent to stop the service. People conveyed their dissatisfaction to the company about its cancellation policies, with some drawing an insightful connection for why they considered Cerebral’s practices to be particularly harmful. As one consumer put it, “I find it appalling that a mental health care app/company that serves those with ADHD would make you jump through hoops to cancel like this – it’s just the thing people with ADHD typically find challenging to manage and seems predatory.” What happened when Cerebral finally put an easier cancellation button in place? The company removed it two weeks later after seeing cancellations increase. The complaint suggests a possible motivation for the company’s conduct: “Between October 2019 and May 2022, Cerebral collected over $8 million from consumers after receiving their cancellation demands.”

Filed by the Department of Justice on the FTC’s behalf, the six-count complaint alleges violations of the FTC Act and ROSCA. Given that some of Cerebral’s practices related to the treatment of substance use disorders, the lawsuit also alleges violations of the Opioid Addiction Recovery Fraud Prevention Act (OARFPA).

The settlement with Cerebral includes a $5.1 million judgment, which will be used to provide refunds to consumers, as well as a $10 million civil penalty, which will be suspended after a $2 million penalty payment due to the company’s inability to pay the full amount. The proposed order also imposes tough injunctive provisions that will change how the company does business going forward. Some key provisions: 1) a permanent ban on Cerebral using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes, 2) a general requirement that the company obtain consumers’ consent before disclosing that information for any other purpose, 3) a ban on misrepresentations about any negative option or cancellation practice, and 4) a requirement that the company give consumers an easy way to cancel.

The FTC’s action against Cerebral’s former CEO Kyle Robertson is pending in federal court in Florida.

That’s just one action the FTC took in recent days to protect consumers’ health privacy. In a separate lawsuit, the agency alleges that Monument, Inc., a New York-based alcohol addiction treatment service, shared consumers’ health data with third-party advertising platforms, including Meta and Google, without consumer consent.

For monthly membership fees ranging from $14.99 to $249, Monument offers users online support groups, online therapy, and access to physicians who can prescribe medications to help treat alcohol addiction. When consumers signed up for the service, Monument collected their names, email addresses, phone numbers, and government-issued IDs, as well as information about their alcohol consumption and medical history.  

[Image: Monument complaint illustration]

Throughout its website, Monument promised to protect consumers’ privacy. For example, according to the company, “Your information is kept confidential and is not shared with any third party” and “any information you enter with Monument is 100% confidential, secure, and HIPAA compliant.”

That’s what Monument promised, but what consumers didn’t know was that the company disclosed their personal information, including their health information, to third-party advertising platforms for advertising purposes through tracking technologies known as pixels and application programming interfaces (APIs) on its website.

Monument used those secret trackers to note “events” (for example, when a person visited the company’s website) and gave those events descriptive titles like “Paid: Weekly Therapy” or “Paid: Med Management” – titles the FTC says revealed details about their visits. According to the complaint, Monument shared those “events” with advertising platforms along with consumers’ partial email addresses, IP addresses, and other identifiers. Practically speaking, that meant Meta could match Monument’s event information with an individual’s Facebook account. Monument, in turn, could use Meta’s advertising platform to target that person with ads for the company’s services.

You’ll want to read the complaint for details about how the FTC says Monument violated the FTC Act and OARFPA. But the thumbnail summary is that Monument allegedly engaged in unfair privacy practices, unfairly and deceptively disclosed consumers’ health information to third parties for advertising purposes without consumers’ affirmative express consent, and failed to place limits on how those third parties used that information. What’s more, the FTC says Monument falsely claimed to be HIPAA compliant despite an independent assessor telling the company that it fell short in multiple categories.

In addition to a ban on sharing data with third parties for advertising, the proposed order prohibits Monument from misrepresenting its data collection and disclosure practices. The $2.5 million civil penalty imposed under OARFPA will be suspended due to the company’s inability to pay. Monument also must identify all the user data it shared with third parties and instruct them to delete that data.

What should other companies take from these two law enforcement actions?

Privacy or security representations are product claims you must substantiate. “We at the XYZ Company take care to protect the privacy and security of your personal information.” Chances are your company says something similar on your website or in your app. News flash: That’s not puffery. It’s an affirmative claim you must support with solid proof.

Businesses in the health sector should make privacy and data security part of the corporate DNA. If your company collects sensitive health information or makes any other use of it, you’ve upped your compliance ante. Privacy and security protections shouldn’t be afterthoughts stitched on at the end. They belong front-and-center in your business operations, including in the fundamental design of your website and apps. Given the additional remedies Congress provided for violations of OARFPA, that applies with full force to companies that market products or services advertised to treat substance use disorder.

FTC and HHS: Joined at the HIPAA.  The Department of Health and Human Services enforces the Health Insurance Portability and Accountability Act and the HIPAA Privacy, HIPAA Security, and HIPAA Breach Notification Rules. The FTC has brought multiple cases alleging that companies used words or seals to falsely claim they’re HIPAA-compliant. Read the FTC-HHS publication, Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule, for more information.

Stop in the name of the law. When consumers say “Cancel!” to a company, they mean it – and the law backs them up. When was the last time you walked through your company’s own cancellation process? If you require consumers to complete a Decision Tree Decathlon, you’re doing it wrong. Complaints about complicated procedures, ignored cancellation requests, long waits on the phone, emails that go unanswered, unauthorized charges, or endless “save” attempts should tip you off to a major problem. ROSCA requires that covered companies have “simple mechanisms” so consumers can stop recurring charges. What does “simple” mean in this context? Simply put, it means “simple.” It’s that simple. 
