In February 2023, The Markup and STAT reported that a bipartisan group of senators had fiercely criticized several prominent telehealth startups for failing to protect their patients’ sensitive health information, citing the two outlets’ own investigation. That investigation had included Monument.
On April 11, the Federal Trade Commission (FTC) announced it had taken action against the alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential:
As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose.
Despite Monument’s promises to keep users’ personal information private, the complaint, filed by the Department of Justice upon notification and referral from the FTC, alleges that Monument failed to ensure it was complying with its promises and in fact disclosed users’ health information to third-party advertising platforms, including highly sensitive data that revealed that its customers were receiving help to recover from their addiction to alcohol.
“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”
New York-based Monument offers users, depending on membership levels that cost from $14.99 to $249 a month, access to online support groups, community forums, online therapy, and access to physicians who can prescribe medications that assist in treating alcohol addiction. The company collects personal information from consumers when they sign up for the service including their name, email addresses, date of birth, phone numbers, addresses, copies of their government issued IDs, and information about their alcohol consumption and medical history, as well as their IP addresses and device IDs when they start using the service.
The complaint says that from 2020-2022, Monument claimed on its website and/or in other communications with consumers that users’ personal information would be “100% confidential” and that the company would not disclose such data to third parties without users’ consent. The company also claimed it complied with the Health Insurance Portability and Accountability Act (HIPAA), which protects health information held by entities covered by HIPAA and their business associates, when in fact an outside assessor hired by the company found that it had not fully complied with HIPAA’s requirements.
According to the complaint, the company contradicted its privacy promises. From 2020-2022, the company allegedly disclosed users’ personal information, including their health information, to numerous third-party advertising platforms via tracking technologies, known as pixels and application programming interfaces (APIs), which Monument integrated into its website. Monument used the information to target ads for its services to both current users who subscribe to the lowest cost memberships and to target new consumers, according to the complaint.
Monument used these pixels and APIs to track “standard” and “custom events,” meaning instances in which consumers interacted with Monument’s website. The FTC says that Monument gave the custom events descriptive titles that revealed details about its users such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service. Monument disclosed this custom events information to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, which enabled third parties to identify the users and associate the custom events with specific individuals, according to the complaint.
Monument disclosed information of as many as 84,000 users, though it did not have a precise number because it did not adequately track or inventory the personal information it collected and disclosed to third-party advertising platforms like Meta, according to the complaint.
The complaint alleges that these practices violated the FTC Act’s prohibition against unfair and deceptive practices and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), which prohibits deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product.
In addition to the ban on sharing data with third parties for advertising, the proposed order with Monument, which must be approved by a federal court before it can go into effect, also prohibits the company from misrepresenting its data collection and disclosure practices and imposes a $2.5 million civil penalty for violating OARFPA, which will be suspended due to the company’s inability to pay. If the company is found to have misrepresented its finances, it will be required to pay the full amount. Other provisions of the proposed order require Monument to:
- Seek deletion of data: Monument must identify all the user data it shared with third parties and direct those third parties to delete the personal data that was shared with them.
- Inform Consumers: Monument must inform consumers who have yet to be notified by the company about the disclosure of their health information to third parties for advertising.
- Implement Mandated Privacy Program: Monument must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data and address the issues the FTC identified in its complaint. The program must include limits on how long Monument can retain personal and health information according to a data retention schedule.
The Commission voted 3-0 to refer the complaint and stipulated final order to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the District of Columbia.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.
The lead staffers on this matter were Elisa Jillson and Robin Rosen Spector in the FTC’s Bureau of Consumer Protection.