More FTC Privacy Action

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

The Federal Trade Commission recently reasserted itself into the privacy discussion when it comes to healthcare information. Given the defined scope of HIPAA that does not cover a number of growing areas where healthcare data can be found, it is important to remember that agencies beyond the HHS Office for Civil Rights can act to require protection. It all boils down to respecting privacy and living up to statements or promises made in policies presented to users.

The Monument Settlement

The first recent settlement from the FTC was from April 11, 2024 with Monument, Inc. (Monument). Monument seems to offer direct to consumer alcohol addiction treatment services. For a varying monthly fee, Monument would connect individuals with support groups online therapy, or clinicians to help treatment with alcohol addiction. Monument collected a variety of information from individuals, including name, email address, date of birth, phone number, address, government ID, information about the user’s devices, and medical history and alcohol consumption.

The scope of that information is not necessarily surprising or bad since it does not connect to the services provided by Monument. Where Monument ran into trouble, in the FTC’s eyes, was the further assurance to users that all personal information would be completely confidential and not shared with third parties without the consent of the user. Monument also claimed that it complied with the requirements contained in HIPAA. The FTC noted that an outside assessor retained by Monument did not confirm that compliance, which demonstrated direct knowledge by Monument that the statement of HIPAA compliance was not accurate.

Despite all of those statements and assurances, the FTC alleged that Monument shared personal information of users with multiple third parties. For example, Monument shared information through the use of tracking technologies (the subject of a lot of debate under HIPAA) and used the information collected and shared to push targeted advertisements. Monument also provided information about custom events that could be tied to specific individual users.

The upshot from all of the alleged improper activity was the FTC extracting a $2.5 million civil penalty (though this won’t be collected because it doesn’t have enough money) and banning the sharing of data with third parties and must get affirmative consent from users before sharing personal information for any other use.

The Cerebral Settlement

The second settlement announcement from the FTC came on April 15, 2024 and involved Cerebral, Inc. (Cerebral). This settlement may be the first of many for Cerebral on various fronts if the various reports about all of its allegedly troubling activity may be remembered. In this instance, the FTC reportedly found fairly widespread activities by Cerebral that did not respect the privacy of users’ sensitive information.

For a bit of background (as laid out by the FTC), Cerebral provides online mental health services and related services on a so-called negative option basis. A negative option means that users are automatically charged for services unless the user cancels the services (think recurring subscription or gym memberships, for a comparison sure to bring a big cringe factor). When signing up, users provided a score of personal information including home and email addresses, birth dates, medical and prescription histories, payment account or drivers license numbers, and information about insurance coverage. The FTC alleged that Cerebral claimed to provide services that were safe, secure, and discreet that would keep data confidential. However, the FTC claims Cerebral regularly shared data for advertising purposes and buried disclaimers about data sharing practices in purportedly dense privacy policies.

To gloss over the terms, Cerebral allegedly claimed it would not share information for marketing purposes without user consent. Despite not obtaining consent, Cerebral shared information with various social media networks and operators of different tracking technology solutions. The FTC’s complaint detailed further allegations such as: (i) sending unsealed postcards that showed diagnosis and treatment information, (ii) allowing former employees to continue accessing medical records of users, (iii) not implementing appropriate safety measures for accessing its patient portal, and (iv) failing to limit internal access to sensitive information to only those employees who needed to access the information.

Lastly, going back to the negative option model utilized by Cerebral, the FTC claimed that Cerebral did not clearly disclose the full method for being able to cancel services. As described by the FTC, the cancellation process was complex, involved multiple steps, and often took many days to finish despite the claim that users could cancel at any time. As users navigated the process, charges would still be imposed.

For all of the conduct, the FTC imposed almost a $5.1 million penalty to fund partial refunds to individuals, as well as a $10 million civil penalty of which only $2 million will be paid because of Cerebral’s alleged inability to pay. Further, Cerebral will be banned from using or disclosing user information for marketing or advertising purposes and require consent before sharing user information in other instances, prohibit Cerebral from misrepresenting its privacy and security practices, implementing comprehensive privacy and security programs, notifying users of the allegation, implement a clear data retention policy along with removing a lot of current data, and cleaning up the cancellation process.

The Overall Impact

The dual actions by the FTC should serve as a clear reminder that more than just the OCR is paying attention to the privacy and security of healthcare information. Given the ever-growing number of organizations that collect, generate, use, store, and otherwise interact with healthcare information outside of the traditional healthcare system, it is necessary for some agency to step in and provide enforcement of baseline expectations. The non-traditional organizations very typically fall outside of the ambit of HIPAA (intentionally or unintentionally), which can foster a perception that it is a free-for-all. Leaving aside the increasing number of comprehensive state privacy schemes, federal action is important because it can be more all-encompassing and generate bigger headlines.

The compliance aspect is important and should not be quickly dismissed. Calling out alleged bad behavior and shining a spotlight on the purportedly bad conduct is very important. Public shaming can be a big factor in changing behavior on a broader scale because no company wants all of that bad press. Allegations of the nature raised by the FTC can undercut trust of users (beyond what may occur through actual experience) and could significantly impact ongoing operations. No users means no business.

With all of that in mind, it is essential to seriously assess operations and honor privacy commitments communicated to users. That can be challenged by trying to achieve some business goals, but long term organizational health will typically be served better by respecting promises made to users and “doing the right thing.”

This article was originally published on The Pulse blog and is republished here with permission.