The Federal Trade Commission (FTC) has assumed the authority to enforce unauthorized data disclosures under the Federal Trade Commission Act (FTC Act). During the past three weeks, the FTC has used this authority to go after healthcare companies that disclose their customers’ personal data without permission.

On April 11, the FTC sued Monument, an online addiction treatment company, for violating the FTC Act. Specifically, the FTC alleged that Monument: (1) failed to employ reasonable measures to prevent the disclosure of consumers’ health information via tracking technologies to third parties for advertising purposes; (2) failed to obtain its customers’ “affirmative express consent” before disclosing their health information to third parties; (3) misrepresenting that it would not disclose their customers’ health information without their knowledge or consent; and (4) misrepresenting that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA). The same day the FTC filed the complaint, Monument entered into a stipulated order that bans it from disclosing health information for advertising purposes and must obtain users’ affirmative consent before sharing health information with third parties for any purpose.

Cerebral, a telehealth firm, did not get off as easily. The FTC charged Cerebral with violating the FTC Act by disclosing its customers’ personal health information and other sensitive data to third parties for advertising purposes and failing to honor its easy cancellation promises. On April 15, the FTC obtained an order restricting how Cerebral can use or disclose sensitive information and provide customers with a simple way to cancel. It also hit Cerebral with a $5 million judgment and a $2 million civil penalty, with another $8 million penalty suspended premised upon the “truthfulness, accuracy, and completeness” of Cerebral’s sworn financial attestations going forward.

The FTC also sued BetterHelp, an online therapy firm, for violating the FTC Act. Like Monument and Cerebral, BetterHelp was charged with disclosing its customers’ personal information – including their email addresses, IP addresses, and health questionnaire information – to third parties for advertising purposes. The FTC also alleged that BetteHelp failed to maintain sufficient policies or procedures to protect its users’ health data or to limit how third parties could use that information. The FTC charged that this use violated BetterHelp’s own privacy policy. On May 6, the FTC issued a proposed order banning BetterHelp from sharing consumers’ health data for advertising purposes and requiring the company to pay restitution of $7.8 million to its customers. 

The FTC has made its points clearly. Companies that obtain their users’ health information must implement appropriate policies and procedures to protect that information. If those companies disclose or sell that information to third parties for advertising or any other purpose, they must (1) advise their customers of that potential disclosure; (2) obtain the customers’ affirmative express consent; and (3) only disclose that data in accordance with its policies and the customers’ consent.