FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat

by | Mar 2, 2023 | Government Enforcement, HIPAA, Information Blocking, Privacy & Consent

  •  BetterHelp, an online counseling service App, falsely claimed it was certified “HIPAA Compliant” and maintained the privacy of consumer information.
  • BetterHelp failed to obtain the express consent of consumers before sharing their identifiable health information with FaceBook, Snapchat, and other 3rd parties. 
  • The FTC Health Breach Notification Rule was found to not apply here because records were not “drawn from multiple sources.” 

Subscribe HERE to Legal HIE’s backend compliance library to gain access to tools, checklists, whitepapers, sample policies and a lot more to help your organization stay on top of the newest compliance challenges in 2023!  

Today, the FTC issued a proposed order requiring BetterHelp, Inc., an online counseling service App, to pay $7.8 million to consumers to settle charges that it shared consumers’ health data (including sensitive mental health information) with third-party advertising platforms, including Facebook, Pinterest, Snapchat, and Criteo, after promising to keep such data private. The FTC Commissioner agreed that this alleged conduct violated Section 5 of the FTC Act. In addition, the FTC’s proposed order will require BetterHelp to:

  • obtain affirmative express consent before disclosing personal information to certain third parties for any purpose;
  • put in place a comprehensive privacy program that includes strong safeguards to protect consumer data;
  • direct third parties to delete the consumer health and other personal data that BetterHelp revealed to them; and
  • limit how long it can retain personal and health information according to a data retention schedule.

FTC Commissioner Christine S.Wilson accepted the consent agreement with BetterHelp and issued a concurring statement resolving all allegations. The FTC will publish a description of the consent agreement package in the Federal Register, and it will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final.

Summary of the Facts

The real JUICE of this is in the FTC Compliant, which I’ve republished at the end of this post and highly recommend reading. As with most cases like these, the details are important to understanding exactly what went wrong. That said, the FTC’s Press Release offers a good overview, which I will briefly summarize.

BetterHelp offers online counseling services under several names, including BetterHelp Counseling. Consumers interested in BetterHelp’s services must fill out a questionnaire that asks for sensitive mental health information—such as whether they have experienced depression or suicidal thoughts and are on any medications. They also provide their name, email address, birth date and other personal information. Consumers are then matched with a counselor and pay between $60 and $90 per week for counseling.

At several points in the signup process, BetterHelp expressly promised consumers that it would not use or disclose their personal health data except for limited purposes, such as to provide counseling services. In addition (and my personal favorite), from September 2013 to December 2020, BetterHelp displayed “HIPAA seals” indicating its compliance with HIPAA. Here are snapshots the FTC provided in its Compliant:

By displaying these HIPAA seals on every page of its multiple websites, FTC found that BetterHelp signaled to consumers that a government agency or other third party had reviewed BetterHelp’s privacy and information security practices and determined that they met HIPAA’s requirements. The FTC also concluded that BetterHelp outright represented to consumers that it was in fact “HIPAA certified.”  Yet, no government agency or other third party actually reviewed BetterHelp’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA. In addition, hundreds of BetterHelp’s therapists were not subject to HIPAA, presumably because they did not engage in “electronic standard transaction” (e.g., billing consumers health insurance for the services rendered). As a result, the identifiable health information of consumers who engaged with those therapists was not protected by HIPAA. In December 2020, after receiving a Civil Investigative Demand from the FTC, BetterHelp removed the “HIPAA” seals from the Multi-Sites.

Despite its promises of privacy and HIPAA compliance, BetterHelp shared consumers’ email addresses, IP addresses, and health questionnaire information with Facebook, Snapchat, Criteo, and Pinterest for advertising purposes.  The FTC found that BetterHelp failed to maintain sufficient policies or procedures to protect consumer data and did not obtain consumers’ affirmative express consent before disclosing their health data. BetterHelp also failed to place any limits on how third parties could use consumers’ health information—allowing Facebook and other third parties to use that information for their own internal purposes, including for research and development or to improve advertising.

Violation of Section 5 of the FTC Act

For their indiscretions, BetterHelp was charged with eight (8) violations of Section 5 of the FTC Act, 15 U.S.C. 45(a) or/and (n):

  • Count I Unfairness – Unfair Privacy Practices
  • Count II Unfairness – Failure to Obtain Affirmative Express Consent Before Collecting, Using, and Disclosing Consumers’ Health Information
  • Count III Failure to Disclose – Disclosure of Health Information for Advertising and Third Parties’ Own Uses
  • Count IV Failure to Disclose – Use of Health Information for Advertising
  • Count V Privacy Misrepresentation – Disclosure of Health Information for Advertising and Third Parties’ Own Uses
  • Count VI Privacy Misrepresentation – Use of Health Information for Advertising
  • Count VII Privacy Misrepresentation – Disclosure of Health Information
  • Count VIII Privacy Misrepresentation – HIPAA Certification

Why Doesn’t this Trigger the FTC Health Breach Notification (HBN) Rule?

Notably, the complaint does not include an allegation that BetterHelp violated the HBN Rule. The Commissioner supported this approach to the application of the HBN Rule, particularly given the FTC Policy Statement on Breaches by Health Apps and Other Connected Devices. One could argue that BetterHelp would fall within the ambit of the FTC’s HBN Rule because it offers a health platform and App, particularly under the expansive view espoused in its Policy Statement. However, the Commission did not take that approach to interpreting the HBN Rule. Their rationale for not finding that the HBN Rule applies here was because the information BetterHelp collected from consumers and provided to therapists on its platform did not constitute a “personal health record” of identifiable health information under the FTC HBN Rule — specifically, because it does not include records that “can be drawn from multiple sources,” as required by the existing formulation of the Rule.  Here, a consumer provided his or her information to BetterHelp but the companydid not pull additional health information from another source or vendor. 

Impact for HIPAA-covered Health Care Providers, Facilities and Organizations

As the health care industry continues to march “towards the FHIR,” cases like this one (and GoodRx) are important to consider as more health care Apps approach HIPAA-covered health care providers, facilities and organizations for access to electronic health information.  Importantly, the Office of National Coordinator (ONC) indicated in its discussion with the Information Blocking Rule that certain practices which may involve educating consumers about about privacy and security risks posed by third-party apps that the patient choses would generally NOT violate the Information Blocking Rule.  Here is ONC’s specific FAQ on this topic:

It will not be considered an “interference” with the access, exchange, or use of EHI if:

— Foremost, the information provided by actors focuses on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;

— Second, this information is factually accurate, unbiased, objective, and not unfair or deceptive; and

— Finally, the information is provided in a non-discriminatory manner.

For example, actors may establish processes where they notify a patient, call to a patient’s attention, or display in advance (as part of the app authorization process within certified API technology) whether the third-party developer of the app that the patient is about to authorize to receive their EHI has attested in the positive or negative as to whether the third party’s privacy policy and practices (including security practices) meet particular benchmarks. However, such processes must be non-discriminatory in that they must be used in the same manner for all third-party apps/developers.

 

The particular benchmarks an actor might identify in this example could be the minimum expectations described below, more stringent “best practice” expectations that may be set by the market, or some combination of minimum and “best practice” expectations.

 

As described in the Final Rule at 85 FR 25816, all third-party privacy policies and practices should, at a minimum, adhere to the following:

1. The privacy policy is made publicly accessible at all times, including updated versions;

2. The privacy policy is shared with all individuals that use the technology prior to the technology’s receipt of EHI from an actor;

3. The privacy policy is written in plain language and in a manner calculated to inform the individual who uses the technology;

4. The privacy policy includes a statement of whether and how the individual’s EHI may be accessed, exchanged, or used by any other person or other entity, including whether the individual’s EHI may be sold at any time (including in the future); and

5. The privacy policy includes a requirement for express consent from the individual before the individual’s EHI is accessed, exchanged, or used, including receiving the individual’s express consent before the individual’s EHI is sold (other than disclosures required by law or disclosures necessary in connection with the sale of the application or a similar transaction).

 

If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.

_______________________ 

THE JUICE – FTC’s Complaint

[NOTE: The wording that follows has been paraphrased in certain parts.  You can review the full FTC Complaint published by the FTC here]

  1. Respondent BetterHelp, Inc. (“BetterHelp” or “Respondent”), also doing business as Compile, Inc.; MyTherapist; Teen Counseling; Faithful Counseling; Pride Counseling; iCounseling; ReGain; and Terappeuta, is a Delaware corporation with its principal office or place of business at 990 Villa Street, Mountain View, CA 94041.
  2. Respondent has developed, advertised, and offered for sale an online counseling service (the “Service”)—including specialized versions of the Service for people of the Christian faith, members of the LGBTQ community, and teenagers—which matches users with Respondent’s therapists and then facilitates counseling via Respondent’s websites and apps.
  3. Millions of consumers have signed up for the Service, entrusting Respondent with their email addresses, IP addresses, and certain information about their health status and histories— such as the fact that they are seeking or are in therapy, and whether they have previously been in therapy. Because Respondent collects certain types of personal information from consumers when they take affirmative steps to sign up for the Service, Respondent’s disclosure of that information to a third party would implicitly disclose the consumer’s interest in or use of the Service and therefore constitute a disclosure of the consumer’s health information. For example, because Respondent obtained a consumer’s email address only when the consumer took affirmative steps to utilize the Service, Respondent’s disclosure of this information would identify the consumer as associated with seeking and/or receiving mental health treatment. Similarly, Respondent’s disclosure that a consumer took affirmative steps to sign up for the Service (such as by filling out Respondent’s intake questionnaire for the Service or becoming a paying user), along with an identifier (for example, an IP address), would disclose the consumer’s seeking of mental health treatment via the Service.

[4-9 intentionally omitted]

  1. BetterHelp offers the Service under several names, each of which has its own website and app (collectively, the “Multi-Sites”). Its primary website and app, which is named “BetterHelp,” serves general audiences and has been in operation since 2013. Faithful Counseling, in operation since July 2017, is aimed at consumers of the Christian faith. Pride Counseling, in operation since August 2017, caters to the LGBTQ community. Teen Counseling, in operation since January 2017, offers counseling to 13- to 18-year-olds with parental consent. And ReGain, in operation since May 2016, offers couples counseling.1 The Multi-Sites all function similarly and facilitate therapy via the Service, and they are all subject to BetterHelp’s policies, practices, and procedures.
  2. Users pay $60 to $90 per week for counseling through the Service. To sign up for the Service and become a paying user (a “User”), an individual visiting one of the Multi-Sites (a “Visitor”) must fill out a questionnaire (the “Intake Questionnaire”), answering detailed questions about the Visitor’s mental health.
  3. Upon completing the Intake Questionnaire, a Visitor is prompted to create an account for the Service by entering the Visitor’s name or nickname, email address, phone number, and emergency contact information. The Visitor is then asked to enter credit card information to become a paying User.
  4. BetterHelp then utilizes the User’s responses to the Intake Questionnaire to match the User with one of BetterHelp’s more than 25,000 licensed therapists. BetterHelp’s therapists provide Users with mental health therapy via video conferencing, text messaging, live chat, and audio calls.
  5. BetterHelp’s primary website and app, “BetterHelp,” has seen explosive growth over the last few years, adding over 118,000 U.S. Users in 2018, over 158,000 U.S. Users in 2019, and over 641,000 U.S. Users in 2020. Since its inception, BetterHelp has signed up over 2 million Users, and, today, it has over 374,000 active Users in the United States. As a result, BetterHelp earned over $345 million in revenue in 2020, and over $720 million in revenue in 2021.
  6. BetterHelp’s Marketing History
  7. Since its inception, BetterHelp has utilized numerous third parties to market the Service, including, at various times, Facebook, Snapchat, Pinterest, and Criteo. In addition, BetterHelp has advertised the Service on search engines, television, podcasts, and radio.
  8. In 2017, BetterHelp delegated most decision-making authority over its use of Facebook’s advertising services to a Junior Marketing Analyst who was a recent college graduate, had never worked in marketing, and had no experience and little training in safeguarding consumers’ health information when using that information for advertising. In doing so, BetterHelp gave the Junior Marketing Analyst carte blanche to decide which Visitors’ and Users’ health information to upload to Facebook and how to use that information. This same individual, who now holds the title “Senior Marketing Analyst,” continues to oversee BetterHelp’s use of Facebook’s advertising tools.
  9. BetterHelp provided this marketing analyst with little training on how to protect Visitors’ and Users’ health information in connection with advertising until 2021. In fact, while BetterHelp has purported to provide privacy training to its employees since 2015, it was not until 2021 that BetterHelp gave them any training specific to its business or advertising.
  10. BetterHelp has spent tens of millions of dollars annually to market the Service. In 2020, for example, it spent $10-$20 million on Facebook advertising, and by 2021 BetterHelp’s advertising on Facebook was bringing in approximately 30,000 to 40,000 new Users per quarter.
  11. BetterHelp’s Deceptive Business Practices
  12. In connection with the advertisement and sale of the Service, BetterHelp has disseminated, or caused to be disseminated, false and deceptive statements about its use and disclosure of consumers’ health information. BetterHelp also disseminated, or caused to be disseminated, misleading and deceptive representations regarding its compliance with federal health privacy laws. Visitors and Users relied on these representations and were misled as a result.
  13. Deceptive Statements About Privacy on BetterHelp’s Websites and Apps

BetterHelp’s deceptive statements concerning Intake Questionnaire responses

  1. Upon arriving at any of the Multi-Sites, a Visitor is immediately prompted to begin the Intake Questionnaire. For example, on the BetterHelp website, a Visitor begins the Intake Questionnaire by selecting whether he or she is looking for “Individual,” “Couples,” or “Teen” therapy, as shown below:

[PICTURE 1]

  1. After making a selection, the Visitor is ushered through the Intake Questionnaire, which asks an array of questions. For many Visitors, these questions include whether the Visitor is “experiencing overwhelming sadness, grief, or depression”; whether the Visitor has been having thoughts that the Visitor “would be better off dead or hurting yourself in some way”; whether the Visitor is “currently taking any medication”; whether the Visitor has “problems or worries about intimacy”; and whether the Visitor has previously been in therapy.
  2. The Intake Questionnaire also asks whether the Visitor identifies as a member of the Christian faith, shuttling such individuals to Faithful Counseling. Similarly, the Intake Questionnaire takes those who identify as members of the LGBTQ community to Pride 4 Counseling. And BetterHelp ushers teenagers to Teen Counseling, where the teenage Visitors provide their responses to the Intake Questionnaire before BetterHelp obtains parental consent.
  3. BetterHelp has included privacy assurances throughout the Intake Questionnaire. Until November 2021, each Multi-Site displayed a banner at the top of each question, explaining that BetterHelp is merely asking for “some general and anonymous background information about you and the issues you’d like to deal with in online therapy” (emphasis added) so that the Visitor can be matched “with the most suitable therapist for you.”
  4. As Visitors proceed through the Intake Questionnaire, BetterHelp includes additional periodic privacy assurances. From at least August 2017 to December 2020, when a Visitor reached the question as to whether the Visitor was taking medication, the Visitor was shown the statement: “Rest assured—any information provided in this questionnaire will stay private between you and your counselor.”
  5. In December 2020, BetterHelp changed the statement to read: “Rest assured—this information will stay private between you and your counselor” (emphasis on alteration added). And in January 2021, BetterHelp changed it again to state: “Rest assured—your health information will stay private between you and your counselor” (emphasis on alteration added). This version, which was in use until September 2021, is circled in red below:

[PICTURE 2]

In October 2021, BetterHelp removed this representation altogether.

  1. After being presented with these repeated promises of privacy, millions of Visitors, including those that became Users, filled out the Intake Questionnaire and shared their health information with BetterHelp.
  2. Despite the aforementioned assurances of privacy, BetterHelp disclosed Visitors’ and Users’ Intake Questionnaire responses, as well as their email addresses and IP addresses, to Facebook for advertising purposes, as well as for Facebook’s own purposes, as discussed in Paragraphs 51-54 and 57 below.

BetterHelp falsely promised to keep Christian, LGBTQ, and teenage consumers’ email addresses “strictly private

  1. From at least August 2017 to as recently as December 2020, BetterHelp gave additional privacy assurances to Faithful Counseling, Pride Counseling, and Teen Counseling Visitors to induce them to sign up for the Service, stating that their email addresses would be “kept strictly private” and “never shared, sold or disclosed to anyone.” This representation, which BetterHelp displayed prominently and unavoidably during the sign-up process, is circled in red below:

[PICTURE 3]

  1. Tens of thousands of Visitors provided BetterHelp with their email addresses and signed up for Faithful Counseling, Pride Counseling, and Teen Counseling after viewing this privacy assurance.
  2. BetterHelp understood that its disclosure of Visitors’ email addresses in association with BetterHelp would reveal that the Visitors were seeking mental health treatment through the Service. And BetterHelp understood that consumers would want to keep this information private. In fact, a senior BetterHelp employee acknowledged at an investigational hearing conducted by FTC staff that individuals “want to keep . . . the fact that they’re in therapy private” and at times even “keep their identities . . . secret from their therapist[s].”
  3. Nevertheless, BetterHelp disclosed the email addresses of thousands of these Visitors to various third parties for advertising purposes and the third parties’ own purposes, as discussed in further detail in Paragraphs 47-55 and 57, thereby revealing to the third parties that these Visitors were seeking and/or receiving mental health treatment via the Service.

BetterHelp pushed Visitors and Users into disclosing their health information

  1. In addition to making false representations, BetterHelp has pushed Visitors and Users into handing over their health information before they have ever had a chance to read any privacy disclosures.
  2. Upon visiting any of the Multi-Sites, Visitors are urged to begin the Intake Questionnaire and hand over their health information. At the same time, Visitors are repeatedly presented with the aforementioned privacy assurances discussed in Paragraphs 23-25 and 28—displayed in large, high-contrast, unavoidable text.
  3. By contrast, BetterHelp linked to the privacy policy in small, low-contrast writing that is barely visible at the bottom of the page.
  4. The image below depicts the BetterHelp homepage (www.betterhelp.com), with the prompts to enter the Intake Questionnaire magnified at the top and the link to the privacy policy magnified at the bottom and circled in red:

[PICTURE 4]

  1. In September 2020, BetterHelp added A banner to the bottom of every page of its Multi-Sites (until a Visitor closed it), which stated: “We use cookies to help the site function properly, analyze usage, and measure the effectiveness of our ads. We never sell or rent any information you share with us. Read our Privacy Policy [(linked)] to learn more.”
  2. Despite including a link to the privacy policy, the banner effectively dissuaded Visitors from reading the privacy policy by stating, until October 2020, that BetterHelp would “never sell or rent any information you share with us.”
  3. In May 2021, BetterHelp revised the banner and added the following underlined language: “We use BetterHelp and third-party cookies and web beacons to help the site function p and measure the effectiveness of our ads. Read our Privacy Policy [(linked)] to learn more roperly, analyze usage, target and go to Cookie Preferences to manage your settings” (emphasis added). But this banner still did not inform Visitors that BetterHelp would use and disclose their health information for advertising or that third parties would be able to use Visitors’ information for their own purposes.
  4. It was not until October 2021 that BetterHelp revised the banner to state that it discloses Visitors’ IP addresses and other personal identifiers for advertising and offered Visitors an opportunity to opt out of the disclosures via the banner.

BetterHelp’s privacy policies claimed limited use and disclosure of consumers’ information

  1. Those Visitors and Users that persevered and read BetterHelp’s privacy policy were presented with additional deceptive statements about BetterHelp’s use and disclosure of health information.
  2. From August 2013 to November 2018, BetterHelp’s privacy policies represented that it would use and disclose Visitors’ and Users’ email addresses, IP addresses, enrollment in the Service, and Intake Questionnaire responses for certain purposes, including to connect them with therapists and operate the Service. Notably, these privacy policies made no mention of using or disclosing this information for advertising purposes, and they said nothing about permitting third parties to use this information for their own purposes.
  3. In November 2018, BetterHelp updated the privacy policy to state affirmatively that it would use and disclose this information only for limited purposes, such as to operate and improve the Service. These limited purposes did not include using or disclosing the information for advertising or disclosing the information to third parties for their own purposes.
  4. BetterHelp revised its privacy policy again in September 2019, stating that it might use this health information for advertising. But the policy continued to say that BetterHelp would only disclose this information to third parties for certain stated limited purposes, which did not include advertising or the third parties’ own purposes. In September 2020, BetterHelp revised the privacy policy yet again, finally stating that it may both use and disclose Visitors’ and Users’ information for advertising. But, even then, the privacy policy continued to claim that BetterHelp would disclose this information to third parties for only the stated limited purposes, which did not include third parties’ own purposes.
  5. From August 2013 to June 2021, BetterHelp’s privacy policies stated that it would use web beacons (including pixels) and cookies for limited purposes. These limited purposes did not include the use or disclosure of Visitors’ or Users’ health information for advertising purposes, or the disclosure of this information for third parties’ own purposes. These tools allow BetterHelp and third parties to collect Visitors’ and Users’ information when they use one of the Multi-Sites, including what pages a Visitor or User visits and what information a Visitor or User inputs into the website (which would include the Visitor’s or User’s email address, IP address, and certain Intake Questionnaire responses).
  6. But, as discussed in Paragraphs 46-57 below, these privacy policy representations misled Visitors and Users. In fact, BetterHelp used and disclosed Visitors’ and Users’ health information for advertising purposes, and BetterHelp disclosed this information to third parties for their own purposes, from 2013 to December 2020. BetterHelp used and disclosed this information for advertising purposes through various means, including by uploading consumers’ email addresses to third-party advertising platforms and through web beacons (specifically pixels) BetterHelp had placed on various pages of the Multi-Sites.
  7. BetterHelp Used and Disclosed Millions of Consumers’ Health Information for Advertising
  8. Since 2013, BetterHelp has repeatedly broken each of its aforementioned privacy promises, using Visitors’ and Users’ email addresses, IP addresses, enrollment in the Service, and certain Intake Questionnaire responses for various advertising purposes, including (1) retargeting Visitors with advertisements for the Service; (2) using Users’ health information to find and target potential new Users with advertisements—on the basis that these potential new Users were likely to sign up for the Service because they shared traits with current Users; and (3) optimizing BetterHelp’s advertisements, which involved targeting advertisements at individuals with attributes similar to those that had previously responded to BetterHelp’s ads, such as new Users. Using this health information for advertising, BetterHelp has brought in hundreds of thousands of new Users, resulting in millions of dollars in additional revenue.
  9. BetterHelp utilized a number of third-party advertising platforms, including Facebook, Snapchat, Criteo, and Pinterest, to carry out this advertising. To do so, BetterHelp disclosed Visitors’ and Users’ email addresses, IP addresses, enrollment in the Service, and certain Intake Questionnaire responses to these third parties, as detailed below.
  10. As noted above, each such disclosure of even a Visitor’s or User’s email address constituted a disclosure of the Visitor’s or User’s health information. Specifically, because BetterHelp collected email addresses only from Visitors and Users seeking mental health therapy via the Service (by filling out the Intake Questionnaire, signing up for the Service, and/or becoming a User), disclosure of a Visitor’s or User’s email address implicitly identified the Visitor or User as one seeking and/or receiving mental health treatment via the Service.
  11. Although BetterHelp “hashed” Visitors’ and Users’ email addresses (i.e., converted the email addresses into a sequence of letters and numbers through a cryptographic tool) before disclosing them to third parties, the hashing was not meant to conceal the Visitors’ and Users’ identities from Facebook or the other recipient third parties. Rather, the hashing was done merely to hide the email addresses from a bad actor in the event of a security breach. In fact, BetterHelp knew that third parties such as Facebook were able to, and in fact would, effectively undo the hashing and reveal the email addresses of those Visitors and Users with accounts on the respective third parties’ platforms, which is how Facebook matched these email addresses with Facebook user IDs. Indeed, Facebook’s standard terms of service, to which BetterHelp agreed, explained that Facebook would use hashed email addresses it received from BetterHelp to match Visitors and Users with their Facebook user IDs for advertising purposes, among other things. Thus, BetterHelp knew that by sending these lists of Visitors’ and Users’ email addresses to third parties, it was telling these third parties which of their users were seeking or in therapy through the Service.
  12. In addition, BetterHelp disclosed the Visitor’s or User’s IP address in conjunction with other data about their enrollment in the Service and/or their Intake Questionnaire responses to third parties. Each such disclosure similarly constituted a disclosure of the Visitor’s or User’s health information because it both identified the individual (via the IP address) and conveyed to the recipient third party that the Visitor or User was seeking and/or receiving mental health treatment via the Service (via his or her enrollment in the Service or answering the Intake Questionnaire).
  13. Health information shared with Facebook: BetterHelp disclosed Visitors’ and Users’ health information to Facebook in two ways.
  14. First, BetterHelp compiled lists of Visitors’ and Users’ email addresses, which it then uploaded to Facebook to match these individuals to their Facebook user accounts in order to target them and others like them with advertisements. Between 2017 and 2018, BetterHelp uploaded lists of over 7 million Visitors’ and Users’ email addresses to Facebook. Facebook matched over 4 million of these Visitors and Users with their Facebook user IDs, linking their use of the Service for mental health treatment with their Facebook accounts. Several examples are listed below:
  15. January 2017 – October 2018: BetterHelp uploaded over 170,000 Visitors’ and Users’ email addresses to Facebook, re-targeting these individuals and targeting potential new Users with advertisements for the Service.
  16. January 2018 – October 2018: BetterHelp uploaded over 15,000 Users’ email addresses to Facebook to find and target new potential Users with advertisements for the Service.
  17. October 2017: BetterHelp uploaded the email addresses of all their current and former Users—nearly 2 million in total—to Facebook, targeting them all with advertisements to refer their Facebook friends to the Service.
  18. Second, from 2013 to December 2020, BetterHelp shared Visitors’ and Users’ email addresses, IP addresses, and records known as “Events” with Facebook. These Events automatically tracked certain actions of each Visitor and User on the Multi-Sites, such as when they answered certain questions on the Intake Questionnaire in a certain way or when a Visitor enrolled in the Service to become a User. BetterHelp recorded and automatically disclosed these Events to Facebook through web beacons BetterHelp had placed on each of the Multi-Sites. BetterHelp disclosed Visitors’ and Users’ IP addresses, email addresses, and/or other persistent identifiers to Facebook alongside the Events so that Facebook could match the Events information with the Visitors’ and Users’ Facebook accounts for advertising. Several examples are listed below:
  19. January 2018: BetterHelp disclosed to Facebook that over 70,000 Visitors had signed up for accounts (but had not become paying Users)—through an Event denoting as much—in order to re-target them with advertisements for the Service.
  20. November 2018 – March 2020: BetterHelp disclosed to Facebook over 1.5 million Visitors’ and Users’ previous therapy—gathered through their affirmative responses to the Intake Questionnaire question “Have you been in counseling or therapy before?”—to re-target the Visitors with advertisements and optimize BetterHelp’s advertisements.
  21. October 2018 – November 2020: BetterHelp used and shared over 3.5 million Visitors’ and Users’ “good” or “fair” financial status—gathered through the Intake Questionnaire—with Facebook to optimize BetterHelp’s advertisements and to find potential new Users and target them with advertisements.
  22. January – December 2020: BetterHelp shared with Facebook the fact that over 180,000 Visitors had become paying Users—through an Event denoting they had entered credit card information after completing the Intake Questionnaire—to optimize BetterHelp’s advertisements and to find potential new Users and target them with advertisements.
  23. BetterHelp labeled the Intake Questionnaire responses concerning prior therapy and financial status with anonymous Event titles before giving them to Facebook; however, in July 2018, the previously mentioned inexperienced and insufficiently trained Junior Marketing Analyst whom BetterHelp had put in charge of Facebook advertising revealed certain Events’ true meaning to Facebook via the Facebook employee that serviced BetterHelp’s advertising account. For example, though an affirmative response to the question “Have you been in counseling or therapy before?” was coded as “AddToWishlist,” the analyst revealed to Facebook that this event meant that the “user completes questionnaire marking they have been in therapy before,” thereby disclosing millions of Visitors’ and Users’ prior therapy to Facebook.
  24. Health information shared with other third parties: In January 2019, BetterHelp disclosed to Snapchat the IP addresses and email addresses of approximately 5.6 million Visitors to re-target them with advertisements for the Service. From July 2018 to January 2019, BetterHelp disclosed the email addresses of over 70,000 Visitors—including Pride Counseling and Faithful Counseling Visitors—to Criteo in order to re-target them with advertisements. And, from August 2019 to September 2020, BetterHelp disclosed Visitors’ email addresses to Pinterest for advertising.
  25. Additional use of health information for advertising: From November 2017 to October 2020, BetterHelp used information concerning approximately 600,000 Pride Counseling Visitors’ or Users’ mental health statuses and their connection with the Visitors’ and Users’ LGBTQ identities to optimize future advertisements for the Service on Facebook. BetterHelp gathered this information through the Intake Questionnaire whenever a Pride Counseling Visitor or User revealed that the Visitor’s or User’s “LGBTQ identity is contributing to your mental health concerns.” BetterHelp used Facebook to identify characteristics and interests common among these Visitors and Users and then to target future advertisements for the Service on Facebook to individuals with similar characteristics and interests.
  26. Failure to limit third parties’ use of health information: In disclosing Visitors’ and Users’ health information to Facebook and other third parties, BetterHelp did not contractually limit how the third parties could use and disclose the data other than merely agreeing to these third parties’ general terms of service, which either placed no restrictions on the third parties’ use and disclosure of the information or specifically permitted the third parties to use the information for their own purposes. For example, Facebook’s Business Tools Terms, to which BetterHelp agreed, stated that it “may also use Event Data . . . for research and development purposes, and to . . . improve the Facebook Company Products.” Similarly, Pinterest’s Ad Data Terms provided: “We use Ad Data you give us for measuring ad effectiveness, ad delivery and reporting, improving safety and security on Pinterest, research and product development, and for other uses that you give us permission for.” And Facebook has in fact used the Visitor and User information it received from BetterHelp for its own purposes, including improving its advertising products, tracking suspicious activity on its platforms, and research and development.
  27. Further, though BetterHelp has deleted some of the Visitor and User information it disclosed to third parties from those third parties’ advertising platforms, this deletion did not remove the information from those third parties’ underlying databases.
  28. BetterHelp’s Deceptive Statements Were Material to Consumers
  29. BetterHelp’s deceptive privacy assurances were material to consumers.
  30. Visitors and Users want to keep their health information private. Indeed, a senior BetterHelp employee acknowledged at an investigational hearing conducted by FTC staff that consumers want “privacy in the context of therapy.”
  31. And BetterHelp acknowledges that this information is sensitive. In fact, BetterHelp’s customer service representatives tell consumers that their “name, age, address, email, medical history, conversations between you and your counselor” are “PHI” or “Protected Health Information” (emphasis added).
  32. Following the February 2020 publication of news reports that BetterHelp was sharing consumers’ health information with third parties, including Facebook, numerous Users contacted BetterHelp and voiced their anger about the disclosures. For example, one individual noted: “I learned that you sell yet more private information to Facebook. This is disgusting. This information makes clients easily identifiable and your platform takes 100% control of its dissemination. I have no ability to decide where that information is sent. Only you do.” Another stated: “I have not given ANY consent to share my information with ANYONE. ESPECIALLY ads targeting my mental health ‘weakness.’” And another called BetterHelp an “untrustworthy company.” Other Users demanded the truth as to BetterHelp’s data-sharing practices, asking for assurances as to the privacy of their health information.
  33. BetterHelp scripted the following false responses, which customer service representatives provided to BetterHelp’s customers: (1) “At BetterHelp, we are fully committed to protecting data and will not pass any P[ersonally] I[dentifiable] I[nformation] and/or P[rotected] H[ealth] I[nformation] to external entities including our third party partners;” and (2) “your P[rotected] H[ealth] I[nformation] and P[ersonally] I[dentifiable] I[nformation] is protected and not exposed” to Facebook. 64. Similarly, several health insurance and patient-advocacy companies representing tens of thousands of Users contacted BetterHelp, looking for assurance that Users’ health information had not been shared with any third parties. Senior BetterHelp employees answered each such inquiry with a variation on the same falsehood, claiming again and again that BetterHelp did not share any health information with any third parties.
  34. BetterHelp’s Deceptive HIPAA Seal

From September 2013 to December 2020, BetterHelp displayed seals—in proximity to seals provided by third parties to BetterHelp—implying BetterHelp’s purported compliance with HIPAA. These seals are circled in red below: September 2013 – December 2015:

[PICTURE 5]

  1. By displaying the HIPAA seals on every page of the Multi-Sites, BetterHelp signaled to consumers that a government agency or other third party had reviewed BetterHelp’s privacy and information security practices and determined that they met HIPAA’s requirements. In addition, BetterHelp represented to consumers that it was in fact “HIPAA certified,” with its customer service representatives informing consumers that “[y]ou will also be able to see our HIPAA certification at the bottom of” our webpages.
  2. However, no government agency or other third party reviewed BetterHelp’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.
  3. In addition, hundreds of BetterHelp’s therapists are not subject to HIPAA and the identifiable health information of Users who engage with those therapists is therefore not protected by HIPAA. Further, BetterHelp does not even know which of its therapists are, or are not, subject to HIPAA, and it does not know which data are, or are not, protected by that law. 69. In December 2020, after receiving a Civil Investigative Demand from the Commission, BetterHelp removed the “HIPAA” seals from the Multi-Sites.

III. BetterHelp’s Unfair Business Practices

  1. BetterHelp’s Unreasonable Privacy Practices
  2. From at least 2017 to at least 2021, BetterHelp has engaged in a number of practices that, individually or taken together, failed to safeguard Visitors’ and Users’ health information with respect to the collection, use, and disclosure of that information. Among other things, BetterHelp:
  3. failed to develop, implement, or maintain written organizational standards, policies, procedures, or practices with respect to the collection, use, and disclosure of consumers’ health information, including ensuring that BetterHelp’s practices complied with its privacy representations to consumers;
  4. failed to provide adequate guidance or training for employees or third-party contractors concerning properly safeguarding the privacy of consumers’ health information in connection with the collection, use, and disclosure of that information;
  5. failed to properly supervise employees with respect to their collection, use, and disclosure of consumers’ health information;
  6. failed to obtain Visitors’ and Users’ affirmative express consent to collect, use, and disclose their health information for BetterHelp’s advertising, as well as for third parties’ own purposes, such as research and improvement of their own products; and
  7. failed to contractually limit third parties from using Visitors’ and Users’ health information for their own purposes, including but not limited to research and improvement of their own products, when BetterHelp did not provide Visitors and Users notice or obtain their consent for such uses.
  8. As a result, BetterHelp repeatedly misrepresented its practices with respect to the collection, use, and disclosure of Visitors’ and Users’ health information (see Paragraphs 19-57, 62-64), and BetterHelp failed to provide consumers with sufficient notice or obtain their consent as to these practices. BetterHelp disclosed these Visitors’ and Users’ health information to numerous third parties without authorization.
  9. These misrepresentations went on for years because, until no earlier than January 2021, BetterHelp did nothing to ensure that its collection, use, and disclosure practices complied with their privacy promises to Visitors and Users. Indeed, neither the head of BetterHelp’s marketing team, nor the analyst whom BetterHelp put in charge of advertising on Facebook reviewed the privacy policy on a regular basis, and there was no company requirement that anyone on the marketing team review the policy until no earlier than January 2021.
  10. Injury to Consumers
  11. BetterHelp’s collection, use, and disclosure of millions of Visitors’ and Users’ health information without reasonable privacy practices or safeguards has caused or is likely to cause them substantial injury. This health information—including whether Visitors and Users have previously been in therapy, the fact that they are seeking therapy or in therapy via the Service, and whether their LGBTQ status is affecting their mental health, together with identifying information such as their email addresses and IP addresses—is highly sensitive. Disclosure of this information without these Visitors’ and Users’ authorization is likely to cause them stigma, embarrassment, and/or emotional distress. Exposure of this information may also affect these Visitors’ and Users’ ability to obtain and/or retain employment, housing, health insurance, or disability insurance.
  12. In addition, Users pay $60 to $90 per week for the Service, which provides mental health therapy and counseling and includes privacy as an integral component—a price that includes a “price premium” based on BetterHelp’s deceptive privacy assurances. Had BetterHelp not made these deceptive claims, consumers would not have been willing to purchase a subscription at the prevailing price because of consumers’ privacy concerns. Thus, BetterHelp’s deceptive privacy claims enabled it to inflate the price it charged to consumers, whose actual willingness to pay would have been lower had they known about the true privacy issues concerning BetterHelp’s services. Consumers have therefore been injured by having to pay this price premium.
  13. These harms were not reasonably avoidable by consumers. It was effectively impossible for Visitors and Users to know that BetterHelp was using and disclosing their health information for advertising purposes because BetterHelp actively concealed the practices through repeated misrepresentations and a lack of notice. Indeed, as described in Paragraph 62, numerous Users expressed outrage about the disclosures upon learning of them.
  14. These harms were not outweighed by countervailing benefits to consumers or competition. Indeed, BetterHelp compromised consumers’ health information for BetterHelp’s own financial benefit through the growth of its user base, which only compounded these injuries by subjecting more Visitors and Users to BetterHelp’s deceptive and unfair practices.

 

 

 

Share this:

If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.

Archives