In another sign of increased regulatory crackdowns over privacy breaches in health care, online therapy platform BetterHelp must pay $7.8 million to settle Federal Trade Commission charges that for years it shared users’ sensitive mental health information with third parties, such as Facebook and Snapchat, which used it for targeted advertising.
Under the settlement, which was approved by the commission 4-0 and announced Thursday, BetterHelp will be banned from sharing health data for advertising.
More than 2 million people have signed up with Mountain View, California-based BetterHelp since it launched 2013. The telehealth company requires anyone interested in its counseling service to fill out an online questionnaire with detailed questions about their health history, including whether they’ve been in therapy, have suicidal thoughts or are on medications. The intake questionnaire promises to keep the answers to those questions private.
That didn’t happen, according to the the FTC, which claims BetterHelp has repeatedly broken its privacy promises since it went into business, using email and IP addresses, as well as intake questionnaire responses, to re-target them with ads and make pitches to potential patients. The FCC says the practices continued until December 2020, when backlash from news reports forced it to stop.
The FTC’s complaint also notes BetterHelp’s unauthorized use of pixels, an analytics tool that tracks a users’ visits to its website.
The commission claims these tactics helped the company draw in hundreds of thousands of new paying users and millions of dollars in additional revenue.
“When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy. Instead, BetterHelp betrayed consumers’ most personal health information for profit,” Sam Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
“Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation.”
The $7.8 million settlement will be used to give partial refunds to customers who signed up and paid for BetterHelp’s services between August 1, 2017, and December 31, 2020, marking the first FTC action returning money to consumers who have had their health information compromised.
In a statement posted on its website, BetterHelp said it used the information to deliver more relevant ads to interested potential customers, and that its practices are standard for the health care industry and are “routinely used by some of the largest health providers, health systems, and healthcare brands.”
It continued, “Nonetheless, we understand the FTC’s desire to set new precedents around consumer marketing, and we are happy to settle this matter with the agency. This settlement, which is no admission of wrongdoing, allows us to continue to focus on our mission to help millions of people around the world get access to quality therapy.”
The settlement is the latest indication of the FTC’s dim view of companies promising privacy while collecting and monetizing consumer data. Earlier this month, the FTC fined online discount pharmacy GoodRx $1.5 million for disclosing consumer health data to Facebook, Google and others despite promising never to do so.
That was also the commission’s first enforcement action under the Health Breach Notification Rule, which requires companies to notify consumers of the disclosures, a step GoodRx failed to follow, the agency said.
The health care industry has also become a litigation battleground over the use of pixels to track visits to hospital websites, as well as the portals patients used to schedule appointments and view their medical records.
Tracking tools have been at the heart of numerous lawsuits against hospital systems for using the pixel for marketing, where third parties can collect patient names, medical histories and email addresses for the purpose of targeting them with ads.
Source: FTC issues $7.8M fine in latest crackdown on health data sharing