Alcohol Recovery Startups Shared Patients' Private Data With Advertisers

An anonymous reader quotes a report from TechCrunch: For years, online alcohol recovery startups Monument and Tempest were sharing with advertisers the personal information and health data of their patients without their consent. Monument, which acquired Tempest in 2022, confirmed the extensive years-long leak of patients' information in a data breach notification filed with California's attorney general last week, blaming their use of third-party tracking systems developed by ad giants including Facebook, Google, Microsoft and Pinterest. When reached for comment, Monument CEO Mike Russell confirmed more than 100,000 patients are affected.

In its disclosure, the companies confirmed their use of website trackers, which are small snippets of code that share with tech giants information about visitors to their websites, and often used for analytics and advertising. The data shared with advertisers includes patient names, dates of birth, email and postal addresses, phone numbers and membership numbers associated with the companies and patients' insurance provider. The data also included the person's photo, unique digital ID, which services or plan the patient is using, appointment information and assessment and survey responses submitted by the patient, which includes detailed responses about a person's alcohol consumption and used to determine their course of treatment.

Monument's own website says these survey answers are "protected" and "used only" by its care team. Monument confirmed that it shared patients' sensitive data with advertisers since January 2020, and Tempest since November 2017. Both companies say they have removed the tracking code from their websites. But the tech giants are not obligated to delete the data that Monument and Tempest shared with them.

five-minute chip. It's worth a Pabst. at moe's

[Joe_Dragon]

five-minute chip. It's worth a Pabst. at moe's

On consent

[Styles of NID]

This doing things without consent stuff. Not a fan of it.

Re:On consent

[omnichad]

It's probably not covered by HIPAA. But it should be.

Re:

[Styles of NID]

People that violate that, deserve what's coming to them.

Re:On consent

[RKThoadan]

It sounds like the recovery startups would probable be considered a Covered Entity under HIPPAA, but it's possible they can avoid that classification somehow. The annoying thing is that the advertisers and other parties who received the data are completely out of HIPPAA's scope, which is very annoying.

Re:

[Anonymous Coward]

It sounds like the recovery startups would probable be considered a Covered Entity under HIPPAA, but it's possible they can avoid that classification somehow. The annoying thing is that the advertisers and other parties who received the data are completely out of HIPPAA's scope, which is very annoying.

If they take health insurance they are a covered entity. And both companies do.

What of it

[DarkRookie2]

No one will be punished. If they are, it will be a pittance. These companies will survive and continue on to screw up again.

Re:

[RemindMeLater]

Exhibit A being the credit score companies like Equifax

Re:

[arQon]

These companies will survive and continue on to screw up again.

What on earth makes you think they "screwed up" in the first place?!

You can't possibly believe that a company sending data to third parties who were paying them for that data was in any way "accidental". Even if you're willing to imagine that might somehow be the case, the fact that the people whose data they were selling are especially vulnerable, and that the companies were "internet startups", both modify that probability down by orders of magnitude each.

The rest of your post though, I don't think anyone

Pretty awful

[HBI]

Considering the repercussions of being identified as an addict on your job prospects, legal rights (addicts/alcoholics are often specially deprived of rights in law) and background investigations in general, which could impact insurability (auto, life) and such, this is pretty bad. Seems like a pretty nasty class action lawsuit is justified since it would be easy to prove there was some harm here. The whole idea of commercialized addiction recovery is debatable anyway, but that's another conversation. Turns out the physical aspect of the addiction is just the tip of the iceberg. Most people are using the drugs/alcohol to self-medicate another issue, even if they don't realize it. Getting them off the alcohol or drugs doesn't do anything about that. In retrospect, the physical addiction is often the easy part. I'm avoiding any program lingo but I know about that, and as you'd expect the view of this commercial recovery stuff is pretty dim. Whatever way you go, the numbers are not good on recovery, nowhere near what they claim. You still don't want anyone knowing unless they have to - or you make it impossible to avoid, such as by getting a DUI.

Re:

[DarkOx]

Almost every life and auto application I have ever seen asks you to disclose medical conditions; which chemical dependency on drugs/alcohol certainly qualifies. Many of them directly ask if you or a parent are alcohol.

This is necessary information for appropriate underwriting decisions. Your argument seems to be boohoo it makes it harder for these people to commit frauds of their own?

insure-ability is a non-issue unless you want to argue for restricts on considering drug/alcohol addiction in underwriting (w

Re:

[HBI]

You seem to be making a judgement. You might consider why you are making that one size fits all judgement. That is all.

Re:Pretty awful

[mobby_6kl]

Almost every life and auto application I have ever seen asks you to disclose medical conditions; which chemical dependency on drugs/alcohol certainly qualifies. Many of them directly ask if you or a parent are alcohol.

This is necessary information for appropriate underwriting decisions. Your argument seems to be boohoo it makes it harder for these people to commit frauds of their own?

It's your private medical data and not theirs to disclose, that's it.

Re:Pretty awful

[Ed Tice]

Worse is that inpatient addiction recovery in the US is priced at obscene levels. I believe more than an order of magnitude higher than anywhere else in the world. These companies are already making so much money for doing so little. I am not an addict (other than caffeine) so I don't want to speak for anybody else. But if I could take that much time off of work (and life) to recover and spend that much money, I think I'd rather book a stay (for the same price) at a luxury resort and hire a private nurse to make sure I don't die from withdraw symptoms than go to one of the dumpy overpriced "addiction centers"

Re: Pretty awful

[lostmy4digitUID]

The physical addiction part is the easy part. It's the psychological part that makes addiction a disease. That's why people relapse even decades after being sober. It's not as easy as just over coming withdrawl.

Re:

[Ed Tice]

Right which is why one is better saving the money on inpatient addiction facilities where you pay thousands of dollars a day for physical withdrawal and use that money for mental health counseling. In the sane part of the world, inpatient addiction treatment is priced non-astronomically.

Re:

[HBI]

I agree in general, though one must keep in mind that 'relapse is part of recovery' and have a safety net for the inevitable relapse. One of my relatives that works with rehabs claims that the rough average is 7x through the rehab system before it sticks, and even then, relapse is still a reality.

Re:

[Ed Tice]

Which is a fancy way of saying that the rehab programs don't work. The success rate is less than 15%!

Re:

[HBI]

One of the things i've learned in my own recovery (from codependency, being the partner of an addict) is that I try to not volunteer information that people can discover for themselves, or try to make judgement calls for others. That is otherwise known as 'control', which is a big problem for the codependents that try to 'save' addicts. I generally agree with you, but only after you come to your own conclusion.

Re:

[Ed Tice]

I've also known addicts. Feel free to judge me. But it's not an area in which I try to help because I have no skills or experience. And the success rate is quite low. I wish it were otherwise. I hope none of my posts are construed as specific advice to anybody rather than general statements. I would not offer any advice to somebody who actually asked me in terms of addiction since I don't know anything.

Re:

[HBI]

I was talking myself rather than you, and was explaining why my comments fail to take logical leaps that I know are there, as you pointed out. You aren't saying anything wrong - you aren't a codependent perhaps. We say we are just like the alcoholics/addicts themselves except we don't use substances. Our drug is control, thinking we can tell people how to live their lives 'better' than they can. It might even be objectively true, that we do know better, but you can't control others. They ultimately are

Re: Pretty awful: Class Action

[todmanic]

You mean where you get a postcard that says "you may be entitled to compensation of 14 cents usd..." that you throw away?

Re:

[HBI]

No, where the vendor gets torn to pieces for allowing this to happen and they pierce the corporate veil and get the officers personal assets. One can dream.

Re:

[fermion]

I know people in the recovery scam. Outside of the volunteer non profits, the users are largely screwed. It is expensive and to make a profit every bit has to be monetized

This meshes with the larger proliferation of pill mill apps. You go online. The doctor checks your credit report and presides you psychotropics. You are then put on a mailing list for other scams, including recovery.

Re:

[HBI]

I don't disagree. I don't have a solution except to point people who want recovery to actual options that might work. Ironically they are mostly free, but you have to want it bad enough. One of the sayings is "Recovery isn't for those who need it, it is for those who want it".

Re:

[fermion]

Which is what I said. Volunteer based non profits can work. Otherwise you are the product.

Tech giants + tech illiteracy?

[Unpopular Opinions]

Equals to a huge profit on you.

This is what happens when tech giants offers the world, and the tech illiterates making decisions embrace them without fully understand the rabbit hole they are getting into.

Another example is over hospitals using MyChart app. They make heavy use of these trackers anytime users need to interact with their providers. Why nobody has complained yet is out of my pay grade. But we continue to feed the advertisers, and the few companies getting busted are only doing so when they rea

the people at epic have access to spotted cow

[Joe_Dragon]

the people at epic have access to spotted cow and other WI only beers

Re:

[Randseed]

EPIC's MyChart and CareAnywhere are privacy holes just waiting to happen. Aside from the obvious privacy risks, the wisdom of patients having direct, by default access to their care notes is questionable. This is where all manner of stuff doesn't get addressed because the providers know the patients/parents/caregivers are going to see it. For example, "Patient believes that she was sexually molested by mother's boyfriend."

Really looking forward to

[rsilvergun]

Reading these same stories about all those dodgy mental health companies being advertised over on YouTube. I can't even imagine what they must be sharing

Re:

[John Smith 2294]

You mean like BetterHelp?: BetterHelp Sold Customer Data While Promising It was Private, Says FTC [slashdot.org]

To be expected

[xanthos]

Isn't using an analytics/data hoovering company just standard practice for any Internet based company these days?

Isn't data exfiltration marketed as being an additional revenue stream to keep down the cost of the service? (news flash: if I am willing to pay you x amount for the data it is actually worth x+)

Aren't the Internet based companies just assuming that the majority of people on their service don't mind being exploited?

This was not a "leak"

[thomn8r]

This was not a leak: this was the monetization of patient data, and they just so happened to get caught. Furthermore, any company involved involved in health care should not be sharing anything with any 3rd-party entity - period.

Re:

[Teun]

I sooner believe it is/was a lack of legal protection of the consumer, very American.

You "lost" a may there

[Pinky's Brain]

They never fucking said "The data shared with advertisers includes patient names, dates of birth, email and postal addresses, phone numbers and membership numbers associated with the companies and patients' insurance provider.". They said "may have included".

One possible explanation is that they are saying that by running an untrusted tracking script on their website, form data might have been diverted.

One possible explanation for Techcrunch and Slashdot ommitting the "may" may be because they are clickbait

"Breach"

[Petersko]

Pretty rich calling it a "breach". They're relying on the meaning of the term within "breach of trust", but placing it in the IT context, where a first glance might make you think they were hacked. That's shady as hell.

Re:

[John Smith 2294]

This should not be modded down. I think it expresses the sentiments of many here quite well.

Companies should be required to carry insurance

[joe_frisch]

If companies were required to be insured for some reasonable amount (say $100K / person whose data was released) then the insurance market would force companies to have secure systems. Car manufactures have been successfully sued for millions for injuries caused by bad designs, its time that data breaches were recognized as causing significant harm as well.

Captain Morgan

[Black-Adder-61]

Of course, everyone undergoing the alcohol addiction treatment is an ideal target for Captain Morgan ads. Have some captain in you.

In other news...

[John Smith 2294]

Jack Daniels, Seagrams and Budweiser all report increased Q1 profits!

Should be a felony

[olddoc]

If the terms of the website said that data was confidential but it was shared with advertisers, I feel this should be a felony. I also think that officers of the company should be heavily fined and possibly sent to prison over this.