Getty Images
FTC bans Monument from disclosing health data to third-party advertisers
In addition to being barred from disclosing personal health data to third-party advertisers without consent, the alcohol addiction treatment service is facing a $2.5M civil penalty.
The Federal Trade Commission (FTC) banned Monument, an alcohol addiction treatment service, from disclosing its users’ personal health data to third-party advertisers, following allegations that Monument improperly shared health data with companies such as Meta and Google without consumer consent.
As previously reported, Monument disclosed a data breach in April 2023 stemming from its use of third-party analytics tools. According to the complaint, Monument broke its promise to consumers that its users’ personal information would be “100% confidential” by integrating tracking pixels into its website and using that information to target ads to current and potential customers.
The FTC’s complaint alleged that Monument’s practices violated the FTC Act’s prohibition against unfair and deceptive practices and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). OARFPA prohibits deceptive practices in relation to any substance use disorder treatment service. The complaint also suggested that Monument misrepresented its compliance with HIPAA.
In addition to banning the sharing of data with third parties for advertising purposes, the proposed order imposed a $2.5 million civil penalty for violating OARFPA, though the penalty is suspended due to Monument’s inability to pay.
Under the proposed order, Monument must identify all the user data it shared with third parties and direct the third parties to delete that data. In addition, Monument will be required to inform all consumers who have not been notified yet about the disclosure of their health information to these third parties. What’s more, Monument must implement a comprehensive privacy program to address the FTC’s complaints and further protect consumer data.
“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
“Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”
As Levine mentioned, this is not the first time that the FTC has barred a health tech company from sharing user data with third parties without consumer consent. Previous actions against Premom, BetterHelp, and GoodRx all highlighted the FTC’s commitment to cracking down on improper health data sharing.