FTC Sanctions Health Firm for Data Sharing
The U.S. Federal Trade Commission has taken action against digital health provider Monument for the unauthorized sharing of user health data. The case highlights regulatory expectations for explicit consent and transparency in data handling. This enforcement action reinforces the need for analytics pipelines dealing with sensitive patient information to have robust, automated auditing and monitoring capabilities.
- The FTC's complaint, filed by the Department of Justice, alleged that between 2020 and 2022, Monument used tracking pixels and APIs to send sensitive user data to advertising platforms, including Meta, Google, Microsoft, and Pinterest. This data included identifiers like email and IP addresses, along with descriptively named events such as “Paid: Weekly Therapy” or “Paid: Med Management,” which revealed the specific services users were receiving.
- The unauthorized data sharing affected as many as 84,000 users. Despite Monument's on-site claims of being "100% confidential" and HIPAA compliant, an outside assessor hired by the company found it had not fully met HIPAA's requirements.
- As part of the settlement, Monument is permanently banned from sharing user health data with third parties for advertising purposes. The company is also required to direct third parties to delete the consumer health data they received.
- A civil penalty of $2.5 million was imposed, but it has been suspended due to the company's inability to pay. Monument will only be required to pay the full amount if it is found to have misrepresented its financial situation.
- This enforcement is part of a broader crackdown by the FTC on digital health companies. The agency has taken similar actions against other well-known services like GoodRx, BetterHelp, and Premom for sharing health data for advertising without user consent, signaling a strict regulatory stance.
- The action was brought under the Federal Trade Commission Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), which prohibits deceptive practices related to substance use disorder treatment services.
- The FTC alleged that Monument's privacy policy, which mentioned sharing data for marketing, was a "voluminous, densely worded" document that contradicted its more prominent promises of confidentiality. The commission also asserted that the company failed to implement contractual limits on how third-party platforms like Meta could use the shared data.