Alcohol Addiction Company Violates Consumer Data Privacy

The Federal Trade Commission (FTC) has instructed the alcohol addiction treatment company Monument to cease sharing consumers’ health information with third parties for promotion purposes without acquiring affirmative authorization. A $2.5 million civil monetary penalty was enforced although the penalty was suspended because Monument could not afford to pay.

The FTC’s issued order settles FTC charges that Monument shared consumers’ personal and health data with third parties like Meta and Google from 2020 to 2022 without getting permission. The information disclosed showed that clients were getting alcohol addiction help contrary to Monument told its clients that their information would be 100% private.

When clients subscribe to Monument’s services, they share their sensitive data such as their name, date of birth, email address, telephone number, address, details about their alcohol usage, medical background, their IP address, device IDs, and copies of their government-released IDs. Based on the complaint, from 2020 to 2022, Monument told clients on its website and in messages that the personal and medical data given to the company will be 100% private and will not be revealed to third parties without user permission. Monument additionally stated that it complied with the Health Insurance Portability and Accountability Act (HIPAA).

Nevertheless, Monument installed tracking codes, also called pixels and application programming interfaces (APIs), on its website, which were employed to gather data that permitted it to target advertisements for its services to new clients and present clients who had registered for the lowest-cost subscriptions. Monument categorized website activities under standard and custom events, with the latter having descriptive titles like “Paid: Med Management” or “Paid: Weekly Therapy” when a person registered for services.

The “custom events” data was shared with advert platforms together with users’ IP addresses, email addresses, and other identifiers, that permitted the identification of individuals and association with the custom events. The descriptions affirmed that the persons were getting alcohol addiction treatment. Monument didn’t monitor the disclosures nor keep a listing of the data it obtained and shared with third parties; nevertheless, based on the FTC, up to 84,000 users got their data shared with third parties without permission.

These disclosures were considered to make up unfair and deceitful practices that violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) and the FTC Act. A $2.5 million civil monetary penalty must be paid when the company is confirmed to have misrepresented its financial situation. Monument should likewise identify the user information it has provided to third parties and tell them to remove the information, enforce an extensive privacy program with robust safety measures to secure consumer information and deal with the problems the FTC found in its complaint, and tell consumers whose data were exposed to third parties for marketing reasons. The FTC order is currently waiting for a District Court judge’s approval.

Director Samuel Levine of the FTC’s Bureau of Consumer Protection stated that this action is the FTC’s effort to implement strict limitations on the way organizations manage sensitive health information, instead of placing the onus on users to safeguard themselves. The industry should understand that client health information must be managed with care.

The FTC has likewise taken enforcement action on the mental health telehealth firm Cerebral and has instructed the firm to pay a $7.1 million penalty.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X