The Federal Trade Commission is cracking down on the data-sharing practices of telehealth companies, focusing on widespread uses of data that many companies in the industry have failed to disclose to users.
The FTC earlier this month reached a proposed settlement with BetterHelp, a subsidiary of
Teladoc Health Inc.,
TDOC 3.43%
over allegations that the therapy-focused telemedicine company promised to keep users’ health data private but shared it with advertising partners.
Many telehealth apps have similar data-sharing practices and are likely to face scrutiny as the agency continues to focus on health data, privacy specialists said.
“We’re very concerned by how easy it is for consumers to hand over their most sensitive information,” said Miles Plant, senior privacy and data security attorney at the FTC.
Mr. Plant said it is important to the FTC to make sure “these companies are honest and transparent about what they’re collecting, what they’re using it for and who they’re disclosing it to.”
BetterHelp settled the charges and didn’t admit wrongdoing. On its website, BetterHelp described its practices as industry-standard and said the FTC was working to “set new precedents around consumer marketing.”
The FTC’s proposed order, which is expected to be made final by the commission, would require BetterHelp to pay $7.8 million and bar the company from sharing consumers’ health data for advertising.
Millions of consumers turned to telehealth providers at the onset of pandemic-induced lockdowns, prompting federal authorities to loosen certain restrictions on virtual healthcare, paving the way for tremendous growth.
Consumers continue to turn to apps for medicine, therapy and other issues. About 80% of respondents to a digital-health survey of U.S. consumers in 2022 said they used telemedicine services, up from 72% in 2021, according to Rock Health, a research and investment firm.
Telehealth revenue is expected to grow 4.6% to $30.4 billion in 2023, according to estimates from the market-research firm IBISWorld.
Nicholson Price,
a professor at the University of Michigan Law School, said many consumers erroneously expect that the Health Insurance Portability and Accountability Act, or HIPAA, safeguards their health data in all contexts.
“HIPAA really doesn’t reach apps or places where patients share their own information,” he said. “So that’s generally not preventing companies or app developers from sharing or selling or licensing this sort of data.”
Such practices are drawing the attention of lawmakers. Last month four senators—
Amy Klobuchar
(D., Minn.),
Susan Collins
(R., Maine),
Maria Cantwell
(D., Wash.) and
Cynthia Lummis
(R., Wyo.)—requested more information from three telehealth companies about their privacy practices.
The FTC has pursued privacy-related settlements with other companies. Earlier this year the prescription-drug discount provider
GoodRx Holdings Inc.
agreed to pay a $1.5 million civil penalty to resolve FTC allegations that it unlawfully disclosed consumers’ personal health information to advertisers.
GoodRx didn’t admit wrongdoing and proactively addressed the issues before the FTC inquiry began, a company spokeswoman said.
Last year the FTC alleged that Kochava Inc. sold geolocation data that could reveal users’ visits to abortion clinics, addiction-recovery facilities and other sensitive locations.
Kochava sued the FTC and argued in court that the agency’s allegations “are based on vague, ill-informed references to our business practices and hypotheticals that don’t violate any law,”
Charles Manning,
founder and chief executive of Kochava, said. Kochava complies with all privacy laws, he said.
The FTC sued Kochava. Both suits are pending.
In 2021, the FTC settled with the menstruation-tracking app Flo Health Inc. over allegations that it improperly shared personal data with Facebook and others. Flo Health didn’t admit wrongdoing in its settlement and has since completed an external, independent privacy audit, a company spokeswoman said.
The Wall Street Journal reported in 2019 that Flo Health’s data was used to target online ads, despite Flo Health’s promises that the information would be kept private.
Studies have shown that apps providing mental-health services often share users’ data with third parties—sometimes in an anonymized form and sometimes along with personal, identifiable information such as an email address.
Of 32 mental-health-app privacy policies that the Mozilla Foundation studied for its “Privacy Not Included” report published last year, 25 either acknowledged that they shared user data with third parties for advertising purposes or didn’t say whether they did.
“This puts companies on notice, especially companies that are dealing with really sensitive data, that the FTC is going to be on the lookout,” said
Sara Collins,
senior policy counsel at the consumer-advocacy nonprofit Public Knowledge.
In BetterHelp’s case, the commission alleged that the app revealed consumer data from 2017 to 2020 to third-party ad networks such as Facebook, Snapchat, Pinterest and Criteo—effectively telling them which of their users were seeking or receiving therapy—despite promising to keep such data private.
BetterHelp didn’t indicate in its privacy policy whether it would share user data for advertising purposes, according to the FTC complaint. The app made users promises such as “Rest assured—any information provided in this questionnaire will stay private between you and your counselor,” according to the FTC complaint.
Michael Ulrich,
a professor at Boston University’s School of Public Health who has studied privacy in telehealth apps, said, “It’s common for companies to use language like that to try to give the consumer the idea that they are more protected than they actually are.”
Under the proposed order, the $7.8 million must be used to partially refund consumers who signed up for and paid for BetterHelp’s services between August 2017 and December 2020. The proposed order is the commission’s first-ever action that returns funds to consumers whose health data was compromised, according to the agency’s press release.
The FTC has traditionally been able to get money back to consumers who purchased products based on a deceptive material representation, said
Daniel Kaufman,
a partner at the law firm Baker & Hostetler LLP and former deputy director of the FTC’s bureau of consumer protection.
Refunding money in a data-privacy case—and determining the proper amount to give—is more difficult, Mr. Kaufman said.
“The fact that the agency is seeking money in a case like this is a strong signal that the FTC will continue to focus on health-privacy issues and will be broadly interpreting its authority,” he said.
—Rolfe Winkler contributed to this article.
Write to Patience Haggin at patience.haggin@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
The Federal Trade Commission is cracking down on the data-sharing practices of telehealth companies, focusing on widespread uses of data that many companies in the industry have failed to disclose to users.
The FTC earlier this month reached a proposed settlement with BetterHelp, a subsidiary of
Teladoc Health Inc.,
TDOC 3.43%
over allegations that the therapy-focused telemedicine company promised to keep users’ health data private but shared it with advertising partners.
Many telehealth apps have similar data-sharing practices and are likely to face scrutiny as the agency continues to focus on health data, privacy specialists said.
“We’re very concerned by how easy it is for consumers to hand over their most sensitive information,” said Miles Plant, senior privacy and data security attorney at the FTC.
Mr. Plant said it is important to the FTC to make sure “these companies are honest and transparent about what they’re collecting, what they’re using it for and who they’re disclosing it to.”
BetterHelp settled the charges and didn’t admit wrongdoing. On its website, BetterHelp described its practices as industry-standard and said the FTC was working to “set new precedents around consumer marketing.”
The FTC’s proposed order, which is expected to be made final by the commission, would require BetterHelp to pay $7.8 million and bar the company from sharing consumers’ health data for advertising.
Millions of consumers turned to telehealth providers at the onset of pandemic-induced lockdowns, prompting federal authorities to loosen certain restrictions on virtual healthcare, paving the way for tremendous growth.
Consumers continue to turn to apps for medicine, therapy and other issues. About 80% of respondents to a digital-health survey of U.S. consumers in 2022 said they used telemedicine services, up from 72% in 2021, according to Rock Health, a research and investment firm.
Telehealth revenue is expected to grow 4.6% to $30.4 billion in 2023, according to estimates from the market-research firm IBISWorld.
Nicholson Price,
a professor at the University of Michigan Law School, said many consumers erroneously expect that the Health Insurance Portability and Accountability Act, or HIPAA, safeguards their health data in all contexts.
“HIPAA really doesn’t reach apps or places where patients share their own information,” he said. “So that’s generally not preventing companies or app developers from sharing or selling or licensing this sort of data.”
Such practices are drawing the attention of lawmakers. Last month four senators—
Amy Klobuchar
(D., Minn.),
Susan Collins
(R., Maine),
Maria Cantwell
(D., Wash.) and
Cynthia Lummis
(R., Wyo.)—requested more information from three telehealth companies about their privacy practices.
The FTC has pursued privacy-related settlements with other companies. Earlier this year the prescription-drug discount provider
GoodRx Holdings Inc.
agreed to pay a $1.5 million civil penalty to resolve FTC allegations that it unlawfully disclosed consumers’ personal health information to advertisers.
GoodRx didn’t admit wrongdoing and proactively addressed the issues before the FTC inquiry began, a company spokeswoman said.
Last year the FTC alleged that Kochava Inc. sold geolocation data that could reveal users’ visits to abortion clinics, addiction-recovery facilities and other sensitive locations.
Kochava sued the FTC and argued in court that the agency’s allegations “are based on vague, ill-informed references to our business practices and hypotheticals that don’t violate any law,”
Charles Manning,
founder and chief executive of Kochava, said. Kochava complies with all privacy laws, he said.
The FTC sued Kochava. Both suits are pending.
In 2021, the FTC settled with the menstruation-tracking app Flo Health Inc. over allegations that it improperly shared personal data with Facebook and others. Flo Health didn’t admit wrongdoing in its settlement and has since completed an external, independent privacy audit, a company spokeswoman said.
The Wall Street Journal reported in 2019 that Flo Health’s data was used to target online ads, despite Flo Health’s promises that the information would be kept private.
Studies have shown that apps providing mental-health services often share users’ data with third parties—sometimes in an anonymized form and sometimes along with personal, identifiable information such as an email address.
Of 32 mental-health-app privacy policies that the Mozilla Foundation studied for its “Privacy Not Included” report published last year, 25 either acknowledged that they shared user data with third parties for advertising purposes or didn’t say whether they did.
“This puts companies on notice, especially companies that are dealing with really sensitive data, that the FTC is going to be on the lookout,” said
Sara Collins,
senior policy counsel at the consumer-advocacy nonprofit Public Knowledge.
In BetterHelp’s case, the commission alleged that the app revealed consumer data from 2017 to 2020 to third-party ad networks such as Facebook, Snapchat, Pinterest and Criteo—effectively telling them which of their users were seeking or receiving therapy—despite promising to keep such data private.
BetterHelp didn’t indicate in its privacy policy whether it would share user data for advertising purposes, according to the FTC complaint. The app made users promises such as “Rest assured—any information provided in this questionnaire will stay private between you and your counselor,” according to the FTC complaint.
Michael Ulrich,
a professor at Boston University’s School of Public Health who has studied privacy in telehealth apps, said, “It’s common for companies to use language like that to try to give the consumer the idea that they are more protected than they actually are.”
Under the proposed order, the $7.8 million must be used to partially refund consumers who signed up for and paid for BetterHelp’s services between August 2017 and December 2020. The proposed order is the commission’s first-ever action that returns funds to consumers whose health data was compromised, according to the agency’s press release.
The FTC has traditionally been able to get money back to consumers who purchased products based on a deceptive material representation, said
Daniel Kaufman,
a partner at the law firm Baker & Hostetler LLP and former deputy director of the FTC’s bureau of consumer protection.
Refunding money in a data-privacy case—and determining the proper amount to give—is more difficult, Mr. Kaufman said.
“The fact that the agency is seeking money in a case like this is a strong signal that the FTC will continue to focus on health-privacy issues and will be broadly interpreting its authority,” he said.
—Rolfe Winkler contributed to this article.
Write to Patience Haggin at patience.haggin@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8