BetterHelp Sold Customer Data While Promising It Was Private, Says FTC (theverge.com)
Online counseling company BetterHelp has agreed to pay $7.8 million to settle charges from the Federal Trade Commission that it improperly shared customers' sensitive data with companies like Facebook and Snapchat, even after promising to keep it private. The Verge reports: The proposed order, announced by the FTC on Thursday, would ban the same behavior in the future and require BetterHelp to make some changes to how it handles customer data. According to the regulator, the sign-up process for the company's service "promised consumers that it would not use or disclose their personal health data except for limited purposes." However, the FTC alleges that the company instead "used and revealed consumers' email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes."
The FTC also says that the company gave customer service agents false scripts to try and reassure users that it wasn't sharing personally identifiable or personal health information after a February 2020 report from Jezebel exposed some of its practices. The commission's complaint (PDF) accuses the company of misleading customers by putting a HIPAA seal on its website, despite the fact that "no government agency or other third party reviewed [BetterHelp]'s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA."
If the FTC's order ends up going through, the $7.8 million would go to customers who signed up for the service between August 1st, 2017, and December 31st, 2020. Here are some of the other things BetterHelp would be required to do:
- Stop sharing individually identifiable information about consumers' mental health with any third parties
- Stop misrepresenting its data collection and use policies
- Alert customers who created accounts before January 1st, 2021, that their personal info may have been used for advertising
- Obtain "affirmative express consent" from a customer before sharing information with a third party
- Reach out to third parties that received customer information and ask that it be deleted
- Establish a "comprehensive privacy program" and have an independent third party carry out privacy assessments
Cannot get blood from a stone (Score:2)
Re: (Score:2)
Depends on their profit margins, they may be in a position to just brush it off as a cost of doing business.
Not that that's any better, mind.
Will people care? (Score:3)
Re: (Score:2)
Wasn't California considering a GDPR-like law at one stage?
If you had that then not only could the regulator issue a massive fine, but individuals could get compensation for their medical data being sold.
Not intending to give BetterHelp a pass, but (Score:3)
'However, the FTC alleges that the company instead "used and revealed consumers' email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes."'
Given the companies listed here, I'm wondering if this sort of data sharing for advertising is basically a requirement designed into their systems.
Re: (Score:2)
That's a fair comment, but not an excuse. It just means that those companies should also be prosecuted. (For abusing health information, if nothing else.)
OTOH, to me the proposed "remedies" look quite minor and difficult to enforce. And I feel the monetary sanctions should be paid by the management of "BetterHelp", and paid to the "customers". And that they are insufficient. (And I say this without having any idea as to what those damages were, as I didn't see a figure in the summary.)
Re: (Score:2)
How is this in any way relevant? If you can't advertise on Facebook without violating HIPAA, then you can't advertise on Facebook. It's just that simple.
They advertised like crazy on YouTube (Score:1, Troll)
A decision-maker should face prison time (Score:5, Insightful)
Otherwise this bad behavior is a cost-benefit analysis and it will keep happening.
Re: (Score:2)
Otherwise this bad behavior is a cost-benefit analysis and it will keep happening.
Found the American who still thinks throwing people in jail solves anything (we have an overwhelming body of evidence that it doesn't).
Also found the person who thinks that just because a fine is issued that those are the only fines capable of being issued and that repeat offenders face exactly the same regulatory fines as first timers. That's not the case. Cost/benefit does not apply when analysing the first fine.
Consequences (Score:5, Insightful)
There are more out there (Score:5, Interesting)
The company I work for gets calls every now and then from advertising data companies looking for access to healthcare data, which of course we never give because we fear being nuked from orbit for flagrant HIPAA/PHIPA violations, but then some of them say that x/y/z does it so it should be fine for us to do it too...
Re: (Score:2)
Incorrect, whether the company takes insurance money is immaterial:
https://www.hhs.gov/hipaa/for-... [hhs.gov]
The real question here is... (Score:1)
When will they do something about the REAL threat, and we all know what that is...
TikTok. Obviously.
FTC is in the pocket of Big Chat I tell you!!!
These fines should be paid ... (Score:3)
personally by the directors. If paid for by the company it will be seen as just a business cost and they will think "pity we got caught".
They should also pay for an external auditor to examine their systems once a year to look for a repetition. Any repetition should result in jail time for executives.
The TOS and company promises (Score:2)
The only thing that you can trust is past behavior, and VERY FEW online companies respect their customers' privacy. Off the top of my head, the only one I can think of that even comes close is Apple, and I know that they ain't all that great either.
"ask" that it be deleted?? (Score:3)
When I report something stolen, and the fence is identified and points the finger as to who got the goods, you don't tell the fence to "ask" the person in possession of stolen property to return it. The police get directly involved, and the ones in possession get a legal demand to return it.
Same sort of thing should happen here. The FTC should be contacting the recipients, and DEMANDING they delete it. Returning stolen property should never be optional.
Re: (Score:2)
How do you prove they didn't keep copies? They may (probably have) already sold the info onwards several times. A datafile is not a car. (Even cars can get hacked apart and sold as pieces, though. But it takes longer, and you can only sell each piece once.)
Re: (Score:2)
Flamethrowers, napalm, or just nuke 'em from orbit - it's the only way to be sure, after all.
Re: (Score:2)
Just like extortion, this is a different and difficult problem. I'm just focusing on the initial return with my post. This isn't just an ugly can of worms, it's more like a cupboard of cans of worms. Best to tackle one at a time.
Private? (Score:2)
No real message (Score:3)
WINNING! (Score:2)
$7.8 million is a slap on the wrist. How is BetterHelp's behavior not a HIPAA violation? It should be, if it's not.
WorseHelp (Score:2)
The solution going forward is easy. (Score:3)
The "offense" here was not selling the data, it's that they weren't up front about selling the data. The solution then is fairly straight forward.
Step 1: Modify the TOS to allow data sharing with "trusted partners";
Step 2: Put a radio button somewhere on the page that defaults to "opt in";
Step 3: Send an email to current users alerting them to the TOS changes;
Step 4: Apply these changes to new users that sign up;
Step 5: Compliance!
Good. (Score:2)
I hope it reduces their ad spend so I don't have to hear about them on just about every single podcast I listen to. (until I click the skip button).
Hm (Score:2)
I should just ordered the pad thai.
Re: (Score:2)
*have. Should have just ordered the pad thai.
prosecute them under the HIPAA rules. (Score:2)
Re: (Score:2)
Re: (Score:2)
Sheesh! (Score:2)
If you can't trust internet companies that collect all your most secret and private information, then who can you trust??