Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. On March 2, the Federal Trade Commission released the details of a proposed order banning BetterHelp, Inc. from sharing sensitive information about their consumer’s mental health challenges to companies for advertising purposes. Recipients of this sensitive consumer information include Facebook, Snapchat, Criteo, and Pinterest. BetterHelp will reportedly be required to pay $7.8 million for “deceiving consumers after promising to keep sensitive personal data private.”
Unprecedented in telehealth history, the sharing of sensitive health information in early 2023 is poised to shatter provider naivete about working for large-scale business entities entering healthcare. The issue isn’t limited to BetterHelp, though. Last week’s Betterhelp ban follows on the heels of Telehealth.org’s February announcement of 1) an FTC crackdown on GoodRX and 2) inquiries by a bi-partisan group of US Senators of telehealth companies Monument, Workit Health and Cerebral for failure to protect their patient’s sensitive health data by sharing it with marketing websites. Telehealth.org readers will also recall the January 4 research report titled, Some Telehealth Platforms Are Tracking Sensitive Patient Data: Are They Violating HIPAA? It showed how 49 or 50 telehealth platforms investigated by researchers shared sensitive healthcare data with marketing companies. Sharing sensitive consumer data with marketing companies for financial gain seems to have become the norm.
Is the FTC Making an Example of BetterHelp?
However serious previous complaints of sharing sensitive consumer data, this is the first Commission action asking a telehealth company to return consumer funds for intentionally-compromised health data. Rather than simply summarizing the FTC announcement, relevant portions have been excerpted from the supporting documents linked from the proposed order to answer likely questions by Telehealth.org’s healthcare professional audience.
The FTC’s BetterHelp news release outlines the ban, posts the official complaint, includes the proposed order detailing requirements for BetterHelp, and links to the concurring statement by Commission Christine S. Wilson. Given the thousands of questions fielded in CME, CNE, and CE professional training offered by Telehealth.org and its faculty for 30 years, previous provider concerns have guided the information cited and summarized below.
Official Complaint Against BetterHelp
Based on their investigation, the FTC has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data in the future for advertising, including sensitive information about mental health challenges, and requiring reparations to the consumers involved. The FTC’s official complaint against BetterHelp provides the following financial information:
Respondent’s primary website and app, “BetterHelp,” has seen explosive growth over the last few years, adding over 118,000 U.S. Users in 2018, over 158,000 U.S. Users in 2019, and over 641,000 U.S. Users in 2020. Since its inception, BetterHelp has signed up over 2 million Users, and, today, it has over 374,000 active Users in the United States. As a result, Respondent earned over $345 million in revenue in 2020, and over $720 million in revenue in 2021.
The complaint also explained the following details of the consumer processes involved, the promises they were given, the type of information shared with marketing companies, the training given to providers and managers, the marketing contracts signed with marketing companies, the subsequent use of sensitive consumer information by marketing companies, and the time it took BetterHelp to correct take corrective action:
3. Millions of consumers have signed up for the Service, entrusting Respondent with their email addresses, IP addresses, and certain information about their health status and histories— such as the fact that they are seeking or are in therapy, and whether they have previously been in therapy. Because Respondent collects certain types of personal information from consumers when they take affirmative steps to sign up for the Service, Respondent’s disclosure of that information to a third party would implicitly disclose the consumer’s interest in or use of the Service and therefore constitute a disclosure of the consumer’s health information. For example, because Respondent obtained a consumer’s email address only when the consumer took affirmative steps to utilize the Service, Respondent’s disclosure of this information would identify the consumer as associated with seeking and/or receiving mental health treatment. Similarly, Respondent’s disclosure that a consumer took affirmative steps to sign up for the Service (such as by filling out Respondent’s intake questionnaire for the Service or becoming a paying user), along with an identifier (for example, an IP address), would disclose the consumer’s seeking of mental health treatment via the Service.
4. Recognizing the sensitivity of this health information, Respondent has repeatedly promised to keep it private and use it only for non-advertising purposes such as to facilitate consumers’ therapy.
5. From 2013 to December 2020, however, Respondent continually broke these privacy promises, monetizing consumers’ health information to target them and others with advertisements for the Service. For example, from 2018 to 2020, Respondent used these consumers’ email addresses and the fact that they had previously been in therapy to instruct Facebook to identify similar consumers and target them with advertisements for the Service, bringing in tens of thousands of new paying users, and millions of dollars in revenue, as a result.
6. To capitalize on these consumers’ health information, Respondent handed it over to numerous third-party advertising platforms, including Facebook, Pinterest, Snapchat, and Criteo, often permitting these companies to use the information for their own research and product development as well.
7. In addition, Respondent failed to employ reasonable measures to safeguard the health information it collected from consumers. In particular, Respondent did not properly train its employees on how to protect the information when using it for advertising, and Respondent did not properly supervise its staff in the use of the information. Respondent also failed to provide consumers with proper notice as to the collection, use, and disclosure of their health information. And Respondent failed to limit contractually how third parties could use consumers’ health information, instead merely agreeing to their stock contracts and terms.
8. It was only in December 2020, well after reporters brought these practices to light and the FTC began investigating the practices, that Respondent curtailed its unauthorized use and disclosure of consumers’ health information.
Repayment to BetterHelp’s Consumers
The $7.8 million will provide partial refunds to consumers who signed up for and paid for BetterHelp’s services between August 1, 2017, and December 31, 2020. In addition to banning BetterHelp from disclosing health information for advertising, the proposed consent also prohibits the company from misrepresenting its sharing practices in the future and requires BetterHelp to:
- Obtain affirmative express consent before disclosing personal information to certain third parties for any purpose;
- Put in place a comprehensive privacy program that includes strong safeguards to protect consumer data;
- Direct third parties to delete the consumer health and other personal data that BetterHelp revealed to them; and
- Limit how long it can retain personal and health information according to a data retention schedule.
The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with the company. Commissioner Christine S. Wilson issued a concurring statement. The final paragraph of that statement reads:
I note further that I support the imposition of monetary relief in this matter. BetterHelp told consumers: “Rest assured—your health information will stay private between you and your counselor” but, as alleged, shared this highly sensitive information with third parties for the purpose of monetizing it. I am comfortable that this conduct falls within our authority to seek relief under Section 19 of the FTC Act. I commend the staff on the successful resolution of this matter.
In the FTC press release, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated the following:
When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy…. Instead, BetterHelp betrayed consumers’ most personal health information for profit. Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation.
Formal Next Steps
The FTC procedures include publishing the consent agreement package in the Federal Register, which will be subject to public comment for 30 days. The Commission will decide whether to make the proposed consent order final.
It may also be helpful for readers to note that the FTC “issues an administrative complaint when it has ‘reason to believe’ that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest.” The above ban, then, is not the final step. Rather, “when the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions.”
UPDATE 3/14/23
The Federal Register is now accepting comments from the public about BetterHelp’s practices. To submit your thoughts, go to the Federal Register webpage titled, BetterHelp, Inc.; Analysis of Proposed Consent Order To Aid Public Comment.
Who Is Protecting the Professionals?
However eye-opening these consumer-protection developments might be, more is sure to come. Unfortunately, while an announcement such as the FTC’s proposed order protects consumers seeking mental health care, who we dare ask, is protecting, or at the very least, educating mental health professionals of the realities associated with companies reporting an annual 2021 revenue of over $720 million?
On one hand, for example, the American Counseling Association has displayed BetterHelp recruitment ads and now its above-named entity, ReGain, on its homepage for several years (have a look). On the other hand, the Clinical Social Work Association and American Psychological Association have taken a stand and offered professional training through Telehealth.org to increase awareness of such potential practices with employers.
Is that enough?
As is often discussed in Telehealth.org’s telehealth certificate and training programs, businesses, providers, and consumers will need time and experience to gain awareness of and mitigate the significant risks involved in delivering behavioral health services through technology. Meanwhile, many overly-trusting providers and vulnerable consumers need to be better informed.
Please share your experiences of BetterHelp and any relevant thoughts below.
Accepting Telehealth Jobs: 5 Big Legal & Ethical Mistakes to Avoid
Do you have questions about being employed or looking for employment from a digital health company? Online employment can pose dilemmas that leave clinicians at a loss for how to proceed. This program will answer your questions about how or reasonably uphold your legal and ethical mandates.
It is interesting to see the FTC at the front of these cases and not CMS. It is also disturbing that in the agreed settlements, consumers are being informed of breaches but no accountability is being made for the breach itself.
Your statement about protecting clinicians really raises questions about the degree to which clinicians need to explore situations and to what degree they can rely on assertions by others. In this case, however, there has been significant amount of questioning of the outside company’s business model.
I have been a provider for BH since 2017. I left in 2022 bc I wasn’t being paid enough for the work I was doing. I had no idea BH was doing this and feel betrayed. I’m an honest therapist and have never gone against HIPAA. I wasn’t privy to BH doing this and now I feel like this reflects badly on me just by association. I’m so pi$$ed. This is not what we invest in our field for. To be exploited.
Shameful! They reject therapists with PAST infractions, yet they commit a HUGE one themselves! I’m so happy I was not signed up with them as a therapist! ¡KARMA IS A BITCH!
It is interesting to see the FTC at the front of these cases and not CMS. It is also disturbing that in the agreed settlements, consumers are being informed of breaches but no accountability is being made for the breach itself.
Your statement about protecting clinicians really raises questions about the degree to which clinicians need to explore situations and to what degree they can rely on assertions by others. In this case, however, there has been significant amount of questioning of the outside company’s business model.
I have been a provider for BH since 2017. I left in 2022 bc I wasn’t being paid enough for the work I was doing. I had no idea BH was doing this and feel betrayed. I’m an honest therapist and have never gone against HIPAA. I wasn’t privy to BH doing this and now I feel like this reflects badly on me just by association. I’m so pi$$ed. This is not what we invest in our field for. To be exploited.
Shameful! They reject therapists with PAST infractions, yet they commit a HUGE one themselves! I’m so happy I was not signed up with them as a therapist! ¡KARMA IS A BITCH!