Two online alcohol recovery businesses confirmed they have been sharing private data with advertisers.
What happened
Monument, an online alcohol recovery startup that also acquired the alcohol recovery business Tempest in 2022, disclosed that approximately 100,000 patients had their data breached over several years.
Personal data, like addresses, date of birth, phone numbers, and responses to surveys regarding alcohol use, were shared with advertisers like Facebook, Bing, Google, and Pinterest. Monument admitted to using pixels, a tracking technology that allows advertisers to track website use for advertising purposes.
Monument conducted an internal investigation in 2022 following a guidance released by the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). Monument found that “some information may have been shared with those third parties without the appropriate authorization, consent, or agreements required by law.” They found Tempest began sharing private data in 2017, while Monument began sharing private data in 2020.
In response, Monument started decreasing its use of tracking technologies, and by February 23rd, 2023, they had completely stopped using them. They are also offering to provide free credit-tracking services to those who may have been affected.
Why it matters
Even though it may be a HIPAA violation to track and send this data to third parties, these companies are not required to delete it once it’s been stored, which means it can still be used for targeted marketing purposes.
While Monument immediately began to end its third-party tracking, it did affirm to patients prior to the investigation that sensitive data would be protected and only used by the medical team.
Related: BetterHelp fined $7.8M and banned from sharing sensitive data
Going deeper
Furthermore, Monument isn’t the only company using pixels that could leak private data. According to a study by The Markup, 33 of the 100 hospital websites they analyzed sent data to Facebook alone through pixels.
Read more: 98.6% of hospitals use tracking that puts patient privacy at risk.
While there have been many class-action lawsuits, none have significantly changed hospital use of third-party trackers. Some hospitals defend the use of pixels, with Chris King from Northwestern Memorial Hospital saying, “The use of this type of code was vetted.”
The bottom line
As of the HHS and OCR guidance, patients have the right to file complaints if they believe a health service may not be HIPAA compliant, but with many companies like Monument claiming data protection, it can be difficult to track where data winds up.
When entities find that they are releasing sensitive data, whether, through internal or external investigations, they become potentially subject to lofty fines from the HHS.
Related: HIPAA Complaint Email: The Definitive Guide.
Abby Grifno
