Online alcohol recovery programs Monument and Tempest shared users’ personal information with third-party advertisers for several years, according to a data breach notification filed last week with California’s attorney general.
In the notice, first reported by TechCrunch, Monument said it used pixel-tracking technologies from companies like Meta, Google, Bing and Pinterest “without the appropriate authorization, consent or agreements required by law.”
Information shared could include name, birth date, email address, phone number, address, insurance member ID, IP address, selected services, assessment or survey responses, appointment information, associated health information and other details. Monument told MobiHealthNews a little more than 100,000 people were affected.
In the notification, the company said an internal review found the data sharing began in January 2020 for Monument members and November 2017 for Tempest users. Monument acquired Tempest last year.
Monument said it stopped using most tracking technologies late last year and fully disconnected its websites by the end of February.
“Protecting our patients’ privacy is a top priority. We have put robust safeguards in place and will continue to adopt appropriate measures to keep data safe. In addition, we have ended our relationship with third-party advertisers that will not agree to comply with our contractual requirements and applicable law,” Monument CEO Mike Russell said in a statement to MobiHealthNews.
THE LARGER TREND
Monument and Tempest are the latest digital health companies that have disclosed sharing users’ personal information for advertising purposes.
Last month, digital mental health company Cerebral said it had disclosed more than three million patients’ personal health information to Google, Meta, TikTok and others.
The Federal Trade Commission has also been looking into digital health companies using consumers’ data for advertising purposes. The agency fined drug cost transparency platform GoodRx and online therapy company BetterHelp for allegedly sharing users’ information with third parties. Both companies said the settlements were related to old practices and admitted no wrongdoing.
Late last year, the Department of Health and Human Services issued guidance on the use of pixel-tracking technology in healthcare. Monument said it began its internal review after the HHS guidance.