Federal Trade Commission Continues to Target Healthcare Companies for Unauthorized Data Disclosures

Robinson+Cole Data Privacy + Security Insider

The Federal Trade Commission (FTC) has assumed the authority to take enforcement action against unauthorized data disclosures under the Federal Trade Commission Act (FTC Act). During the past three weeks, the FTC has used this authority to go after healthcare companies that disclose their customers’ personal data without permission.

On April 11, the FTC sued Monument, an online addiction treatment company, for violating the FTC Act. Specifically, the FTC alleged that Monument: (1) failed to employ reasonable measures to prevent the disclosure of consumers’ health information via tracking technologies to third parties for advertising purposes; (2) failed to obtain its customers’ “affirmative express consent” before disclosing their health information to third parties; (3) misrepresented that it would not disclose its customers’ health information without their knowledge or consent; and (4) misrepresented that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA). The same day the FTC filed the complaint, Monument entered into a stipulated order that bans it from disclosing health information for advertising purposes and requires it to obtain users’ affirmative consent before sharing health information with third parties for any purpose.

Cerebral, a telehealth firm, did not get off as easily. The FTC charged Cerebral with violating the FTC Act by disclosing its customers’ personal health information and other sensitive data to third parties for advertising purposes and failing to honor its easy cancellation promises. On April 15, the FTC obtained an order restricting how Cerebral can use or disclose sensitive information and requiring it to provide customers with a simple way to cancel. It also hit Cerebral with a $5 million judgment and a $2 million civil penalty, with another $8 million penalty suspended premised upon the “truthfulness, accuracy, and completeness” of Cerebral’s sworn financial attestations going forward.

The FTC also sued BetterHelp, an online therapy firm, for violating the FTC Act. Like Monument and Cerebral, BetterHelp was charged with disclosing its customers’ personal information – including their email addresses, IP addresses, and health questionnaire information – to third parties for advertising purposes. The FTC also alleged that BetterHelp failed to maintain sufficient policies or procedures to protect its users’ health data or to limit how third parties could use that information. The FTC charged that this use violated BetterHelp’s own privacy policy. On May 6, the FTC issued a proposed order banning BetterHelp from sharing consumers’ health data for advertising purposes and requiring the company to pay restitution of $7.8 million to its customers.

The FTC has made its points clearly. Companies that obtain their users’ health information must implement appropriate policies and procedures to protect that information. If those companies disclose or sell that information to third parties for advertising or any other purpose, they must (1) advise their customers of that potential disclosure; (2) obtain the customers’ affirmative express consent; and (3) only disclose that data in accordance with their policies and the customers’ consent.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Robinson+Cole Data Privacy + Security Insider
