Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Government

BetterHelp Sold Customer Data While Promising It was Private, Says FTC (theverge.com) 38

Online counseling company BetterHelp has agreed to pay $7.8 million to settle charges from the Federal Trade Commission that it improperly shared customers' sensitive data with companies like Facebook and Snapchat, even after promising to keep it private. The Verge reports: The proposed order, announced by the FTC on Thursday, would ban the same behavior in the future and require BetterHelp to make some changes to how it handles customer data. According to the regulator, the sign-up process for the company's service "promised consumers that it would not use or disclose their personal health data except for limited purposes." However, the FTC alleges that the company instead "used and revealed consumers' email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes."

The FTC also says that the company gave customer service agents false scripts to try and reassure users that it wasn't sharing personally identifiable or personal health information after a February 2020 report from Jezebel exposed some of its practices. The commission's complaint (PDF) accuses the company of misleading customers by putting a HIPAA seal on its website, despite the fact that "no government agency or other third party reviewed [BetterHelp]'s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA."

If the FTC's order ends up going through, the $7.8 million would go to customers who signed up for the service between August 1st, 2017, and December 31st, 2020. Here are some of the other things BetterHelp would be required to do:

- Stop sharing individually identifiable information about consumer's mental health with any third parties
- Stop misrepresenting its data collection and use policies
- Alert customers who created accounts before January 1st, 2021, that their personal info may have been used for advertising
- Obtain "affirmative express consent" from a customer before sharing information with a third party
- Reach out to third parties that received customer information and ask that it be deleted
- Establish a "comprehensive privacy program" and have an independent third party carry out privacy assessments

This discussion has been archived. No new comments can be posted.

BetterHelp Sold Customer Data While Promising It was Private, Says FTC

Comments Filter:
  • This kind of blatant crooks will simply close the company and start something else, without paying a dime.
    • Depends on their profit margins, they may be in a position to just brush it off as a cost of doing business.

      Not that that's any better, mind.

  • by BishopBerkeley ( 734647 ) on Thursday March 02, 2023 @05:50PM (#63337415) Journal
    Have we reached a point at which people have so thoroughly given up hope against big tech that any attempt at redress will prove futile? BetterHelp will likely lose no patients because it is the avenue of last resort for them. Preventing companies from preying on the helpless was the primary means by which government helped keep accountability in the economy and to help people rise economically. We really seem to have abandoned that idea. Much too much of tech has preying on the helpless as its business model. It's very discouraging and disheartening.
    • by AmiMoJo ( 196126 )

      Wasn't California considering a GDPR-like law at one stage?

      If you had that then not only could the regulator issue a massive fine, but individuals could get compensation for their medical data being sold.

  • by 93 Escort Wagon ( 326346 ) on Thursday March 02, 2023 @05:56PM (#63337431)

    'However, the FTC alleges that the company instead "used and revealed consumers' email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes."'

    Given the companies listed here, I'm wondering if this sort of data sharing for advertising is basically a requirement designed into their systems.

    • by HiThere ( 15173 )

      That's a fair comment, but not an excuse. It just means that those companies should also be prosecuted. (For abusing health information, if nothing else.)

      OTOH, to me the proposed "remedies" look quite minor and difficult to enforce. And I feel the monetary sanctions should be paid by the management of "BetterHelp", and paid to the "customers". And that they are insufficient. (And I say this withiout having any idea as to what those damages were, as I didn't see a figure in the summary.)

    • How is this in any way relevant? If you can't advertise on Facebook without violating HIPAA, then you can't advertise on Facebook. It's just that simple.

  • So I'm not surprised they're kind of dodgy. Most of the other ads there are for tactical man bags and open carry insurance. Not exactly good company.
  • by dmomo ( 256005 ) on Thursday March 02, 2023 @06:09PM (#63337455)

    Otherwise this bad behavior is a cost-benefit analysis and it will keep happening.

    • Otherwise this bad behavior is a cost-benefit analysis and it will keep happening.

      Found the American who still thinks throwing people in jail solves anything (we have an overwhelming body of evidence that it doesn't).

      Also found the person who thinks that just because a fine is issued that those are the only fines capable of being issued and that repeat offenders face exactly the same regulatory fines as first timers. That's not the case. Cost/benefit does not apply when analysing the first fine.

  • Consequences (Score:5, Insightful)

    by Fnord666 ( 889225 ) on Thursday March 02, 2023 @06:12PM (#63337459) Journal
    Let me know when there are real, individual consequences for this sort of behavior. The executives involved in his sort of infringement of people's privacy need to be held accountable.
  • by GameboyRMH ( 1153867 ) <gameboyrmh@@@gmail...com> on Thursday March 02, 2023 @06:19PM (#63337481) Journal

    The company I work for gets calls every now and then from advertising data companies looking for access to healthcare data, which of course we never give because we fear being nuked from orbit for flagrant HIPAA/PHIPA violations, but then some of them say that x/y/z does it so it should be fine for us to do it too...

  • When will they do something about the REAL threat, and we all know what that is...

    TikTok. Obviously.

    FTC is in the pocket of Big Chat I tell you!!!

  • personally by the directors. If paid for by the company it will be seen as just a business cost and they will think "pity we got caught".

    They should also pay for an external auditor to examine their systems once a year to look for a repetition. Any repetition should result in jail time for executives.

  • Are “rough guidelines” at best. Do not expect companies to follow them. Do not expect consumers to follow them. Anything that isn’t nailed down and enforced by actual laws and actual prison sentences is free game, baby.

    The only thing that you can trust is past behavior, and VERY FEW online companies respect their customers privacy. Off the top of my head, the only one I can think of that even comes close is Apple, and I know that they ain’t all that great either.
  • by v1 ( 525388 ) on Thursday March 02, 2023 @08:04PM (#63337649) Homepage Journal

    - Reach out to third parties that received customer information and ask that it be deleted

    When I report something stolen, and the fence is identified and points the finger as to who got the goods, you don't tell the fence to "ask" the person in possession of stolen property to return it. The police get directly involved, and the ones in possession get a legal demand to return it.

    Same sort of thing should happen here. The FTC should be contacting the recipients, and DEMANDING they delete it. Returning stolen property should never be optional.

    • by HiThere ( 15173 )

      How do you prove they didn't keep copies? They may (probably have) already sold the info onwards several times. A datafile is not a car. (Even cars can get hacked apart and sold as pieces, though. But it takes longer, and you can only sell each piece once.)

      • by jd ( 1658 )

        Flamethrowers, napalm, or just nuke 'em from orbit - it's the only way to be sure, after all.

      • by v1 ( 525388 )

        How do you prove they didn't keep copies?

        Just like extortion, this is a different and difficult problem. I'm just focusing on the initial return with my post. This isn't just an ugly can of worms, it's more like a cupboard of cans of worms. Best to tackle one at a time.

  • You mean, like a military rank?
  • by RitchCraft ( 6454710 ) on Thursday March 02, 2023 @08:27PM (#63337689)
    Want to send a real message? Start throwing these asshats in prison and taking everything they own to distribute to victims. This shit needs to stop.
  • $7.8 million is a slap on the wrist. How is BetterHelp's behavior not a HIPAA violation? It should be, if it's not.

  • They should be forced to rename their company to WorseHelp.
  • by doubledown00 ( 2767069 ) on Thursday March 02, 2023 @11:02PM (#63337917)

    The "offense" here was not selling the data, it's that they weren't up front about selling the data. The solution then is fairly straight forward.

    Step 1: Modify the TOS to allow data sharing with "trusted partners";
    Step 2: Put a radio button somewhere on the page that defaults to "opt in";
    Step 3: Send an email to current users alerting them to the TOS changes;
    Step 4: Apply these changes to new users that sign up;
    Step 5: Compliance!

  • I hope it reduces their ad spend so I don't have to hear about them on just about every single podcast I listen to. (until I click the skip button).

  • I should just ordered the pad thai.

  • They used a HIPAA seal so lets prosecute them to the same level that those with HIPAA seal violations face. given this was intentional it should be the maximum 10 years in prison for each offense.
  • If you can't trust internet companies that collect all your most secret and private information, then who can you trust??

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Working...