
FTC Bans Online Counseling Firm From Sharing Health Data

Under Proposed Settlement, BetterHelp Will Also Pay Fine of $7.8 Million

Online counseling provider BetterHelp is set to come under two decades of privacy monitoring by the U.S. Federal Trade Commission after settling allegations that it violated users' privacy by sharing identifying information with social media platforms including Facebook.


The California purveyor of online talk therapy will also pay a $7.8 million civil penalty that the FTC says it will share as partial refunds to affected customers who paid for BetterHelp's services between August 2017 and December 2020.

BetterHelp's user base and revenue exploded over the past half decade, particularly after the novel coronavirus pandemic caused Americans' anxiety levels to rise and drove them to screen-based therapy. The FTC says the company has more than 374,000 active users in the United States and earned more than $720 million in revenue in 2021. Multinational telemedicine giant Teladoc acquired BetterHelp for $4.5 million in 2015.

The FTC in recent weeks has ratcheted up enforcement actions and warnings over safeguarding health data privacy, and it fined discount prescription drug provider GoodRx $1.5 million for sharing data with advertisers including Google and Facebook. It also warned Amazon not to use personal health information for marketing purposes.

"BetterHelp betrayed consumers' most personal health information for profit. Let this proposed order be a stout reminder that the FTC will prioritize defending Americans' sensitive data from illegal exploitation," said Sam Levine, director of the FTC's Bureau of Consumer Protection. The agency accuses the company of disregarding customer privacy between January 2013 and December 2020.

Legal experts say this latest move by the FTC is a stark reminder to other entities about their handling of sensitive consumer information.

"It is a clear warning to companies that collect personal health information," says regulatory attorney Nancy Perkins of the law firm Arnold & Porter. "The FTC has been focusing significant time and effort on investigations of companies that collect personal health information online."

Case Details

The FTC alleges that BetterHelp shared data including consumers' email addresses, whether or not they had previously been in therapy, their IP addresses and if they answered "good" or "fair" to an intake question about financial status. Recipients of the data included Facebook, Snapchat, Pinterest and online advertising firm Criteo.

FTC commissioners have already unanimously approved the proposed settlement, but it must undergo a 30-day comment period followed by another round of commissioner voting - a step that's typically a technicality. BetterHelp is not admitting or denying allegations laid out by the FTC, although on its website, it called sharing "limited" user information for advertising campaigns an "industry-standard practice" that is "routinely used by some of the largest health providers."

The FTC says that in October 2017, BetterHelp uploaded the email addresses of all current and former users - nearly 2 million - to Facebook in order to target the users with advertisements urging them to convert social media connections into paying customers. At the time, BetterHelp told customers of its LGBTQ+, teen and Christian faith counseling services that their emails are "kept strictly private."

From September 2020 until May 2021, all of BetterHelp's websites displayed a banner stating, "We never sell or rent any information you share with us." In May, the company replaced the banner with language acknowledging that it uses third-party cookies and web beacons to target and measure the effectiveness of online advertising.

As part of the settlement agreement, BetterHelp must instruct the third parties that received customer information to delete it. It also must implement a privacy program and agree to undergo a third-party privacy assessment every two years for the next two decades.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



