
InfoBytes Blog

Financial Services Law Insights and Observations

FTC orders mental health service company to pay for privacy and data violations

Federal Issues FTC Privacy, Cyber Risk & Data Security ROSCA


On April 15, the FTC released its administrative complaint and joint stipulated order against a mental health service provider, requiring the provider to pay a total of more than $7 million, including $5.1 million for consumer refunds and $2 million in civil penalties. According to the complaint, the defendant collected sensitive personal health information and sold online mental healthcare treatments (i.e., telehealth) through its website to “hundreds of thousands” of patients between 2021 and 2022. The FTC alleged the mental health service provider had engaged in deceptive and unfair practices relating to the marketing of its data security practices, like failing to disclose material items, failing to obtain consumers’ express informed consent, and failing to implement adequate data security measures. In addition, the FTC alleged that the provider misled consumers about its cancellation of services, including failure to provide a mechanism to stop recurring charges. The FTC’s complaint specifically found that the company misrepresented how it would use and disclose patients’ personal information, mishandled and exposed “hundreds of thousands” of personal information, and failed to provide a means to cancel subscriptions. The FTC charged the defendant with violating Section 5 of the FTC Act (covering deceptive privacy practices, deceptive data security practices, unfair privacy and data security practices, and deceptive cancellation practices), the Opioid Act, and the Restore Online Shoppers’ Confidence Act (ROSCA).

In the joint stipulated order, although the defendant neither admitted nor denied these allegations, the judgment prohibited the defendant from disclosing any covered information to any third party for advertising purposes, disclosing any covered information to an outside party without obtaining a consumer’s affirmative express consent, and misrepresenting its cancellation policies. The order also required the defendant to implement stronger protections of the private information of individuals and initiate regular assessments of its data security practices. The court ordered the defendant to pay $5,087,252 as monetary relief to consumers and a civil money penalty of $10 million, which the FTC agreed to suspend in exchange for a payment of $2 million, based on the defendant’s inability to pay the full civil money penalty.