The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

BetterHelp Settlement Agreed with FTC to Resolve Health Data Privacy Violations

The Federal Trade Commission (FTC) has announced a settlement has been reached with the California-based online counseling service provider, BetterHelp Inc., to resolve allegations of violations of the FTC Act. The proposed BetterHelp settlement requires $7.8 million to be paid to consumers as refunds due to deceptive trading practices. This is the first such FTC settlement to require refunds to be paid to consumers whose health information was compromised.

FTC Cracks Down on Deceptive Privacy Practices by Online Healthcare Service Providers

This is the second such settlement to be announced by the FTC in the past month and is part of its current crackdown on deceptive trading practices by online providers of healthcare services. The announcement was made just a few days after a $1.5 million settlement with GoodRx was signed off by a judge to resolve alleged FTC Act and Health Breach Notification Rule violations. These settlements are intended to send a message to providers of online health services – which are often not bound by the protections of HIPAA – that they must ensure consumers are informed about how their sensitive health information will be used, and that if they claim to keep health information private and confidential, that they must not share that information with third parties without the consent or knowledge of consumers.

As was the case with GoodRx, BetterHelp is alleged to have shared sensitive consumer data with major advertising platforms such as Facebook, Snapchat, Criteo, and Pinterest, despite making promises on its websites that sensitive health information would be kept private and confidential and would not be shared.

FTC Investigation of BetterHelp

BetterHelp provides online mental health and counseling services under the names BetterHelp and BetterHelp Counseling, as well as under different names for specific, targeted markets, such as Pride Counseling for members of the LGBTQ community, Faithful Counseling for people of the Christian faith, Terappeuta for Spanish-speaking clients, and Teen Counseling for teenagers. According to the FTC, BetterHelp went to lengths to inform users of its services that their sensitive information would be kept private and confidential and would not be shared with third parties, while the company was providing sensitive consumer information to advertising platforms.


Lesley Fair, Senior Attorney with the FTC, explained in a blog post about the BetterHelp settlement that statements were provided on BetterHelp web pages such as “Rest assured – any information provided in this questionnaire will stay private between you and your counselor,” when, in the FTC’s view, BetterHelp should have included the statement, “Rest assured – we plan to share your information with major advertising platforms, including Facebook, Snapchat, Criteo, and Pinterest.” The FTC said the notices assuring privacy were provided at various stages of the sign-up process, which involved consumers having to disclose sensitive health information, such as whether they had experienced depression or were having suicidal thoughts, and information about any medications they were taking. Based on their responses, consumers are matched with an appropriate counselor and pay between $60 and $90 per week for counseling.

BetterHelp stated on its web pages that information would only be disclosed to others for limited purposes, such as for providing counseling services, yet the information of consumers was disclosed to third parties, including email addresses, IP addresses, and health questionnaire information. The FTC also alleged that consumers who had previously registered and had therapy had their email addresses, and the fact that they had previously had therapy, disclosed to Facebook. Those disclosures allowed approximately 5.6 million individuals to be served with targeted adverts for BetterHelp’s services. The FTC alleged the email addresses of 70,000 visitors were disclosed to Criteo for advertising purposes over a 6-month period, and similar disclosures were made to Pinterest over a one-year period. These disclosures helped the company attract thousands of new customers and generate millions of dollars in revenue.

In addition to making false statements about privacy, most of BetterHelp’s web pages included multiple seals related to privacy and security, including a seal depicting the medical caduceus and the term “HIPAA,” suggesting the company’s practices met HIPAA requirements, which the FTC considered to be a deceptive practice. The FTC also alleged that in 2020, BetterHelp had misled the public by denying news reports that it was disclosing consumers’ personal and health information. In its responses to the subsequent consumer complaints, the FTC claims BetterHelp “doubled down on deception.”

Under the terms of the settlement, in addition to issuing partial refunds to consumers, BetterHelp has been banned from sharing consumers’ health data for advertising purposes or sharing personal information for retargeted advertising without consent. BetterHelp has also agreed to notify consumers about the case directly and order any third party that received consumer data to ensure that information is deleted.

The settlement has yet to be approved by a judge and the method used to issue partial refunds to customers who paid for BetterHelp services between August 1, 2017, and December 31, 2020, has yet to be decided.

Response to the BetterHelp FTC Settlement

“We are deeply committed to the privacy of our members and we value the trust people put in us by using our services. Our technology, policies, and procedures are designed to protect and secure our members’ information so it is not used or shared without their approval and consent,” said BetterHelp in response to the FTC complaint. “BetterHelp and the FTC have reached a settlement in regard to BetterHelp’s advertising practices that were in effect between 2017 to 2020. The FTC alleged we used limited, encrypted information to optimize the effectiveness of our advertising campaigns so we could deliver more relevant ads and reach people who may be interested in our services.” BetterHelp also confirmed that, “this industry-standard practice is routinely used by some of the largest health providers, health systems, and healthcare brands. Nonetheless, we understand the FTC’s desire to set new precedents around consumer marketing, and we are happy to settle this matter with the agency. This settlement, which is no admission of wrongdoing, allows us to continue to focus on our mission to help millions of people around the world get access to quality therapy.”

BetterHelp also confirmed that these were limited disclosures for marketing purposes, and stressed that private information such as members’ names and information from therapy sessions has always and will always be 100% private and confidential and that the company has recently received HITRUST certification.

Criteo provided The HIPAA Journal with a response to the BetterHelp settlement announcement. “Criteo has a proven record of ensuring our technology maintains the highest levels of data privacy and security. Criteo also implements best practices and data protection principles such as data security, data minimization, collection limitation, retention limitation and pseudonymization to ensure we meet and go beyond the most stringent regulatory and ethical standards globally. Criteo is not named as a defendant in the FTC complaint and has not been contacted by either the FTC or any other party regarding the allegations in the FTC complaint, and therefore we cannot comment on the complaint at this time.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
