Privacy, Compliance Management, Application security

BetterHelp to pay FTC $7.8M for privacy failures, unfair practices

American cash banknotes money

BetterHelp must pay the FTC $7.8 million after repeatedly pushing its users into sharing their sensitive health information and violating its own privacy practices. The settlement includes partial refunds for BetterHelp users.

According to the FTC, BetterHelp leveraged users’ health information for advertising purposes. Their campaigns generated hundreds of thousands of new users and millions of dollars in additional revenue, at the cost of violating users’ privacy.

The digital health company offers online counseling services, including specialized versions for a range of audiences that include members of the LGBTQ community, those of the Christian faith, Spanish-speaking users, and services for teenagers who enroll with parental permission.

The documents show BetterHelp “repeatedly pushed people to take an intake questionnaire and hand over sensitive health information through unavoidable prompts.”

The FTC alleges the company violated its own privacy practices, which stated the provided data would remain private between the patient and the counselor. The settlement claims that a more “truthful statement would have been, ‘Rest assured — we plan to share your information with major advertising platforms, including Facebook, Snapchat, Criteo, and Pinterest.”

“In the hierarchy of confidential data, health information ranks right up there. And in the hierarchy of health information, details about a person’s mental health may be among the most confidential,” officials said in the release. “That’s not how online counseling service BetterHelp viewed it.”

In total, BetterHelp is accused of eight counts of privacy violations, including alleged deceptive and unfair practices. The proposed settlement order would require BetterHelp to pay the monetary penalty and ban the app from sharing consumer health data for advertising going forward.

The FTC also added provisions that would limit future data sharing by the company. BetterHelp would also be required to notify consumers about the privacy breach and direct the third parties with which the app shared consumer data to delete all users’ health and personal information.

The FTC warns the enforcement action should convey an “unmistakable message” on how seriously the agency “takes this kind of betrayal of trust.”

Case summary details host of privacy violations

The FTC’s case centers around the intake questionnaire, which allegedly relies on limiting the users ability to not fill in highly sensitive information. In one example, the questionnaire asks the user to disclose any depression symptoms or suicidal thoughts, along with medication and therapy experience.

BetterHelp offset the possible concerns about the highly personal questions with its privacy practices, which the FTC views as “confidentiality promises to consumers.” The app asserts that the information is shared anonymously in order to be matched “with the most suitable therapist.” 

Users were assured that “aside from a few narrow uses related to providing online counseling services, their private information would remain private,” according to the settlement. Those who signed up for specialized counseling were also told their email addresses would be “kept strictly private” and “never shared, sold or disclosed to anyone.”

Instead, the FTC claims BetterHelp shared the data of more than 7 million consumers with third parties for the purpose of advertising. The company also failed to contractually limit third parties from using users’ data for their own purposes.

In 2017, for example, the company uploaded nearly 2 million email addresses of all current and former clients to Facebook for the purpose of targeted advertisements that referred their Facebook friends to BetterHelp for mental health support. 

During another campaign, BetterHelp again disclosed the previous therapy of 1.5 million users to Facebook for advertising purposes based on users’ questions to whether they’ve been in counseling or therapy before. In another one-year period, the company allegedly disclosed visitors’ email addresses to Pinterest. 

BetterHelp is also accused of disclosing the IP and email addresses of approximately 5.6 million former visitors to SnapChat for the purpose of targeted BetterHelp ads. During another period, the company handed 70,000 users’ email addresses to Criteo. This disclosure included those who’d considered pride and faith-based counseling.

What’s more, a 2020 report revealed the company’s practices. Instead of being honest with users, the FTC claims BetterHelp “doubled-down on deception” and denied the claims.

FTC warns other digital health companies to review practices

The agency included a stern warning to other companies: “Honor your privacy promises. Tell the truth and get consumers’ affirmative express consent before sharing any health information.”

The settlement also offers guidance for these entities to review, which will be critical as the FTC has vowed, and followed through, with plans to ramp up enforcement of egregious privacy violations. The GoodRx settlement was only the first action under its Health Breach Rule and finalized just last week, signaling there will likely be similar actions on the horizon.

The FTC warned that personal data can be health data, “simply due to the nature of the product or service. Namely, “context counts." For example, an email address would not generally be viewed as health data. But on a health service platform, users’ email or IP address can inadvertently reveal highly sensitive information to third parties.

Further, failure to use appropriate safeguards can result in unfair and deceptive practices. As seen with BetterHelp, violations occur when a company fails to draft policies for protecting health privacy and failing to train or supervise employees tasked with health data.

Companies must always obtain affirmative consent from users before any disclosure of health data to third parties. 

The FTC settlement document contains a detailed list of necessary measures for digital companies, particularly those working with sensitive health data. Given the rapt attention of the FTC on enforcing possible privacy violations, the guidance will be imperative for health apps.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.