BetterHelp Faces $7.8M Fine for Sending Facebook Patient Data
The Federal Trade Commission is poised to ban the mental health app BetterHelp from sharing medical information with Facebook, Snapchat, and other online advertisers. A proposed order issued Thursday includes a $7.8 million fine and limits the ways BetterHelp can share mental health data going forward. It’s part of a new push by the FTC to reign in the internet’s rampant problems with health privacy.
“When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “Instead, BetterHelp betrayed consumers’ most personal health information for profit.”
The FTC’s order will be open to public comment before the commissioners vote on its final approval. Given that they voted 4-0 in favor of it the first time, it’s very likely it will move forward.
When you visit a website or open an app, it’s a safe assumption that it’s going to be filled with trackers that are used to follow your behavior all over the web. Companies use trackers and cookies provided by companies like Meta (owner of Facebook) to identify the most tantalizing users to target with ads, and to measure how well those ads are working.
Along the way, companies send their advertising collaborators data about who’s doing what on an app or a website. When the thing you’re doing is, for example, telling a mental health app that you’ve been having suicidal thoughts, this kind of data sharing is a problem. It could even be a crime if you lie to your customers about how you handle their privacy and misrepresent how your services are “HIPAA compliant.” That’s exactly what the FTC says BetterHelp did.
“The FTC alleged we used limited, encrypted information to optimize the effectiveness of our advertising campaigns so we could deliver more relevant ads and reach people who may be interested in our services,” BetterHelp said in a statement. “To clarify, we do not share and have never shared with advertisers, publishers, social media platforms, or any other similar third parties, private information such as members’ names or clinical data from therapy sessions.”
The FTC says BetterHelp pushed its users to hand over sensitive health information so it could turn around and target them with ads, making false promises about privacy along the way.
The FTC says BetterHelp made numerous false promises about health privacy.Screenshot: The Federal Trade Commission
The FTC’s complaint includes a number of screenshots of the allegedly false promises BetterHelp made to its customers. In one snapshot, right under a questionnaire asking whether you’re taking any medication, BetterHelp provided reassurance to anyone feeling uneasy about their health data.
“Rest assured – your health information will stay private between you and your counselor,” BetterHelp’s interface said. It would have been more accurate to say that your health information will stay private between you and your counselor and Facebook and BetterHelp’s other advertising partners, according to the FTC.
In addition to the fine, the order would place several requirements on BetterHelp. From the FTC’s press release:
obtain affirmative express consent before disclosing personal information to certain third parties for any purpose;put in place a comprehensive privacy program that includes strong safeguards to protect consumer data;direct third parties to delete the consumer health and other personal data that BetterHelp revealed to them; andlimit how long it can retain personal and health information according to a data retention schedule.
It’s been a sorry week for the mental health tech business. On Wednesday, BetterHelp competitor Talkspace faced a class-action lawsuit alleging the company lies about the availability of therapists on its platform, ignores users’ stated medical needs, and tricks people into signing up to pay a subscription for therapy sessions they’re not even getting.
This isn’t the first time mental health apps landed in hot water over their data practices. Talkspace in particular is accused of some alarming privacy problems, but numerous mental health app privacy investigations, including into BetterHelp, have uncovered the mishandling of medical data and widespread misrepresentations about the privacy truth.
There is a huge misconception about health privacy in the US. A lot of people have heard of HIPAA, the Health Information Portability and Accountability Act, but most people don’t understand what it really does.
HIPAA is not a law that protects all your health data. It’s a law that regulates health data only when it’s in the hands of a healthcare provider, an insurance company, or anyone else acting directly on their behalf, like pharmacies or billing services.
Health apps have operated in a sort of legal gray area for most of the internet’s history. You can tell your doctor that you’re taking Prozac, and there are strict privacy rules. But if you tell an app like BetterHelp or a website like WebMD, it seemed that the rules about privacy were no different than if you were typing in the name of your favorite pizza topping.
But that all changed in February, when the FTC issued a historic fine and consent agreement against GoodRx, a company that gives out coupons on prescription medication. GoodRx shared users’ health data with advertising partners like Facebook and Google, without getting people’s explicit permission. The FTC just said “not so fast.”
The FTC used that case in a health privacy power grab, declaring that it’s illegal to use health data for ads without permission, and asserting that the FTC has the authority to regulate the problem.
It’s not at all clear whether that will hold up in court because the FTC reached a settlement with GoodRx instead of duking it out in a legal battle. The commission now seems to be doing the same thing with BetterHelp, enacting a newfound commitment to health privacy. If the FTC continues on this path, it will likely come up against a corporate opponent that isn’t willing to settle, and it’s anybody’s guess how the legal system will handle the issue.
“Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation,” Levine said about the BetterHelp case.