Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.