FTCs "Second-of-Its-Kind" $7.8 Million for Breach by a Consumer App

This blog is the second of two blogs discussing the FTC’s enforcement of the Health Breach Notification Rule. The first blog discussed the FTC’s “First-of-Its-Kind” $1.5 Million Civil Penalty for Breach of Unsecured Data by a Consumer Health App. Use the forward and backward arrows on the bottom of the screen to navigate among the blogs.

Do you think that healthcare providers are exempt from compliance with FTC rules?   Think again.

The FTC just filed a "Second-of-Its-Find" $7.8 million civil penalty for the breach of unsecured data by a consumer health app by a Covered Entity. 

The FTC just filed an “FTC’s Second-of-Its-Kind” $7.8 Million Civil Penalty Settlement for Breach of Unsecured Data by a Consumer App by a Covered Entity.  This case is different from the “First-of-Its-Kind” case that imposed a $1.5 Million Civil Penalty because that case involved a consumer health app. This case involves a consumer health app used by a Covered Entity (see previous blog post entitled FTC’s “First-of-Its-Kind” $1.5 Million Civil Penalty for Breach of Unsecured Data by a Consumer Health App).

BetterHelp, a HIPAA Covered Entity that provides online counseling services, allegedly beached data by disclosing customers' sensitive health information including mental health records to Meta Facebook and Snapchat for the purposes of advertising and failed to notify 7 million customers that a breach of their personal health information had occurred. The FTC has reached a proposed settlement with BetterHelp whereby BetterHelp has agreed to pay a $7.8 million civil penalty as well as other restrictions for violating the Health Breach Notification Rule and The Federal Trade Commission Act (FTC Act) Section 5 Unfair or Deceptive Acts or Practices. BetterHelp denies any wrongdoing.  In order to go into effect, a Federal court must approve the order.

For the second time, the Federal Trade Commission (FTC) has exercised its enforcement rights under the Health Breach Notification Rule to impose a fine for failing to notify customers and others of its unauthorized disclosure of their personal health information.

Regulatory Environment

To understand what happened, let’s first review the regulations. A summary of applicable regulations can be found in the prior blog post by clicking on the backward arrow below.  The post, entitled "First-of-Its-Find" $1.5 Million Civil Penalty for Breach of Unsecured Data by a Consumer Health App" contains several sections that are applicable including on Regulatory Agencies, FTC Policy Statement. The FTC Health Breach Notification Rule (16 CFR Part 318), and The Federal Trade Commission Act (FTC Act) Section 5 Unfair or Deceptive Acts or Practices. 

BetterHelp Allegations

BetterHelp, a HIPAA Covered Entity proving online mental health services operated under the following business names: 

1. BetterHelp, Inc
2. BetterHelp
3. Compile Inc.
4. MyTherapist
5. Ten Counseling
6. Faithful Counseling
7. Pride Counseling
8. iCounseling
9. ReGain
10. Terappeuta

BetterHelp allegedly disclosed and/or sold “sensitive personal health information (PHI)” including mental health information on 7 million patients for the purposes to third parties for the purposes of target marketing and advertising. This data was shared with:

1. Meta Facebook
2. Snapchat
3. Pinterest
4. Criteo

BetterHelp allegedly:

BetterHelp promised its customer that it would keep their data private, then disclosed this data to third parties for the purposes of marketing.  

1. BetterHelp displayed a logo with a caduceus and the term “HIPAA” falsely claiming to be HIPAA compliant.
2. Breached the personal health information of 7 million people that had entrusted BetterHelp with their private data.
3. BetterHelp repeatedly pushed patients to complete an online Intake Questionnaire that included sensitive and private data through unavoidable prompts.
4. The questions included items such as are you “experiencing overwhelming sadness, grief, or depression” and have you ever thought you “would be better off dead or hurting [themselves] in some way”.
5. These questions also asked about medications and previous therapy.
6. BetterHelp made the claim that “Rest assured – any information provided in this questionnaire will stay private between you and your counselor”.
7. BetterHelp also told patients that they collected “general and anonymous background information” so they could be matched “with the most suitable therapist”.
8. BetterHelp told patients for three years that information was “kept strictly private” and “never shared, sold, or disclosed to anyone”.
9. Then BetterHelp shared individuals’ private health data including information about mental health without the patient’s consent with Meta’s Facebook, Snapchat, Pinterest, and Criteo.  
10. BetterHelp also uploaded the email addresses of 2 million current and former patients to Facebook for the purpose of targeting them to refer their Facebook Friends to BetterHelp.
11. In a separate period, BetterHelp disclosed to Facebook for the purposes of advertising 1.5 million people that had previous therapy with BetterHelp or had visited their website.
12. BetterHelp disclosed to SnapChat the IP address and email of 5.6 million former visitors to its website to target them for BetterHelp Ads.
13. Over a six-month period, BetterHelp provided email addresses on 70,000 site visitors who looked into Pride Counseling (LGBTQ) and Faithful Counseling (Christian).

 Why the Enforcement Agency is by FTC, not the OCR

The FTC is a consumer protection agency that does not have jurisdiction to enforce HIPAA. That jurisdiction falls under the OCR. However, the FTC does have the right to enforce the Health Breach Notification Rule and BetterHelp allegedly failed to notify patients of the breach of their personal health information. Further, BetterHelp falsely “displayed a seal at the bottom of its telehealth services homepage suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)” violating The Federal Trade Commission Act Section 5 that protects the interest of all consumers to prevent deceptive and unfair acts or practices to mislead consumers.

The Proposed Settlement Order 

1. The FTC found that BetterHelp violated its promise to keep the data private and ordered BetterHelp to pay $7.8 million fine.
2. BetterHelp agreed to a pay $7.8 million settlement payment; however, BetterHelp denied all wrongdoing.
3. BetterHelps’ statement “Rest assured – any information provided in this questionnaire will stay private between you and your counselor” constituted an advertising promise that was untruthful and violated truth-in-advertising standards which by law claims that you make in advertising must be truthful, cannot be deceptive, unfair, and must be evidence-based.
4. By sharing sensitive personal health information with third parties BetterHelp betrayed the trust of its customers.
5. BetterHelp is prohibited from misrepresenting its sharing practices and is required to:
   
   

   a.  obtain affirmative express consent before disclosing personal information to certain third parties for any purpose

   b.  put in place a comprehensive privacy program that includes strong safeguards to protect consumer data

   c.  direct third parties to delete the consumer health and other personal data that BetterHelp revealed to them; and

   d.  limit how long it can retain personal and health information according to a data retention schedule. 

 What do the FTC cases against GoodRx and BetterHelp have in common?

They both allegedly: 

1. Used web tracking to collect unauthorized data and provided that data to third parties to be used for advertising and marketing.
2. Failed to obtain the consumer's written authorization permitted their data to be used for marketing and advertising.
3. Made false claims that the data would be kept private.
4. Display a logo containing “HIPAA” deceiving consumers into believing that they were HIPAA compliant.

FTC Signaling

The FTC is sending a clear signal to consumer apps and HIPAA Covered Entities that it will be enforcing consumer protection laws for:

1. Privacy and security of personally identifiable information (PII) and protected health information (PHI).
2. Requirement for consumer consent and written authorization for use of data for advertising and marketing.
3. Prohibition on unauthorized capture and use of marketing and tracking technologies.
4. Misrepresentations and deceptive marketing and advertising practices.

Sign up today and start securely sharing medical records now.  Call us today at 816.249.2555 or email us at info@isharemedical.com.

Disclaimer: iShare Medical is a health information technology company. The information provided in this blog does not and is not intended to, constitute legal or medical advice. Should you need legal or medical advice, please contact a qualified legal or medical licensed professional.