SoylentNews is people
SoylentNews
from the we-can't-help-it-if-all-these-data-are-sent-to-us dept.
Alcohol Recovery Startups Monument and Tempest Shared Patients' Private Data With Advertisers
Alcohol recovery startups Monument and Tempest shared patients' private data with advertisers:
For years, online alcohol recovery startups Monument and Tempest were sharing the personal information and health data of their patients with advertisers without their consent.
Monument, which acquired Tempest in 2022, confirmed the extensive years-long leak of patients' information in a data breach notification filed with California's attorney general last week, blaming their use of third-party tracking systems developed by ad giants including Facebook, Google, Microsoft and Pinterest.
In its disclosure, the companies confirmed their use of website trackers, which are small snippets of code that share information about visitors to their websites with tech giants, and often used for analytics and advertising.
The data shared with advertisers includes patient names, dates of birth, email and postal addresses and phone numbers, and membership numbers associated with the companies and patients' insurance provider. The data also included the person's photo, unique digital ID, what services or plan the patient is using, appointment information, and assessment and survey responses submitted by the patient, which includes detailed responses about a person's alcohol consumption and used to determine their course of treatment.
Monument's own website says these survey answers are "protected" and "used only" by its care team.
Two Alcohol Recovery Startups Just Got Caught Sharing Private User Data
More than 100,000 patients are impacted:
Online alcohol recovery startups Monument and Tempest got caught sharing confidential user data with advertisers without their consent, as originally reported by TechCrunch. Everything came to light after an internal review revealed a data breach impacting 100,000 users, forcing the companies to issue a formal disclosure to the user base. The violations started in 2017 and were ongoing until last month's review.
Monument and Tempest started as two entirely different platforms, but the former acquired the latter several months back. Parent company Monument confirmed not only the data breach but that the companies shared private information with advertisers via a notification filed with California's attorney general. Data shared with advertisers, without user consent, includes patient names, dates of birth, email addresses, postal addresses, phone numbers, insurance information and more.
[...] The companies blame third-party tracking systems for the issue, stating that they have removed the offending tracking codes from their websites. The companies do not admit to sharing this information on purpose to increase profits, indicating that the tracking pixels provided by third parties did the deed all on their own.
[...] Though this is an especially egregious example, it is important to remember that most companies have a less-than-pristine record regarding data privacy, even in the case of medical records. There is a near-endless list of similar violations, like the time a mental health startup shared patient information without consent and when Meta was caught with its own hand in the digital cookie jar. Be careful out there folks.
(Score: 2) by stormwyrm on Tuesday April 11, @04:34PM (1 child)
Last I heard wilful violation of HIPAA is a $1.8 million fine minimum for each violation. A good lawyer seems to be warranted.
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Tuesday April 11, @06:06PM
Sounds like some junior devs and interns are going to get fucked...