The Federal Trade Commission voted Thursday to ban Teladoc Health-owned online mental health counseling service BetterHelp from sharing consumers’ sensitive data for advertising. As part of deal to settle an FTC complaint, the company has agreed to pay a $7.8 million fine, which will be used to partially refund consumers.
This settlement and deal with BetterHelp marks the first time the FTC has ordered a company to return funds to consumers whose health data was compromised.
The FTC found that the company repeatedly broke its promises to consumers that it wouldn’t disclose health data except for directly related services. For example, between 2018 and 2020, the company used consumer email addresses combined with their therapy history to inform advertising on Facebook to target a similar audience. The company brought “in tens of thousands of new paying users, and millions of dollars in revenue, as a result,” according to the FTC complaint.
Before using BetterHelp, users are required to fill out a survey providing sensitive mental health information such as experiences with depression or suicidal thoughts and medication history. The company also collects names, email addresses and dates of birth. BetterHelp, which offers services specifically marketed to teens and the LGBTQ community, disclosed information such as the email addresses for individuals seeking these services to Snapchat, Pinterest and Criteo for advertising.
Criteo said in a statement neither the FTC nor BetterHelp contacted the company about the complaint and declined to comment on the allegations made in the complaint.
CyberScoop has reached out to BetterHelp for comment.
“When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “Instead, BetterHelp betrayed consumers’ most personal health information for profit. Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation.”
This isn’t the first time the agency has gone after healthcare providers for sharing patient data to advertisers. Earlier this week, the FTC finalized its a $1.5 million settlement with telehealth and prescription drug discount platform GoodRx for failing to disclose to consumers that it was sharing health data with Facebook, Google and other ad-targeting companies.
Lawmakers previously raised concerns that BetterHelp and other Teladoc Health apps had taken advantage of a “regulatory gray area” of what data collected by telehealth apps is considered sensitive. The FTC’s increased enforcement actions demonstrate a step toward clearing up the ambiguities.
It may be difficult for the agency to fully rein in a growing market for sensitive health data created during the telemedicine boom brought on by the COVID-19 pandemic. A recent Duke University study found that mental health data has become a lucrative market for data brokers, with some even offering personally identifiable data in lists with categories such as “Anxiety Sufferers.” In 2021, CyberScoop found that the telehealth platform Doxy.me was sharing information with advertisers that included patients’ provider names. (The company fixed the issue after CyberScoop contacted it.)
In addition to banning the use of health data in future advertising, the proposed order requires BetterHelp to obtain affirmative consent before disclosing personal information to third parties for any reason, enact a comprehensive privacy program and direct third parties to delete sensitive data BetterHelp shared.
Updated Mar. 2, 2023: To include a statement from Criteo.