Monument and Tempest Shared Patient Data with Advertisers
Alcohol recovery services, Monument and Tempest, have admitted to sharing patients’ private information with advertisers for several years without their consent. Monument disclosed in a filing with the California Attorney General that the tracking tools on their websites may have inadvertently shared sensitive information with advertisers. The data includes patients’ names, photos, dates of birth, email addresses, phone numbers, home addresses, insurance information, and more.
The breach has been attributed to the third-party pixel tracking tools included on its sites. Pixel trackers are snippets of code that are often embedded into websites, ads, or emails. They track users’ activities for both analytics and marketing purposes. However, the sensitive data gained was also shared with third-party advertisers, such as Google, Meta, Pinterest, and more.
Monument stated that the breach also potentially exposed patients’ answers to surveys concerning their alcohol consumption habits, which the company insisted was confidential and exclusively used by its care teams. It says the leak didn’t include social security numbers or credit card information, but it may have affected over 100,000 people.
Following the US government’s guidance to healthcare companies regarding the use of tracking pixels in late 2022, Monument discovered that its pixel tracking tools had been inadvertently exposing user information on its site since January 2020. On the Tempest site, this had been occurring since November 2017.
Although Monument claims to have stopped using "most" tracking tools in late 2022 and completely removed them from its websites by February 2023, third parties are not obliged to delete the information that was shared with them.
Monument CEO Mike Russell told the Verge that protecting patients’ privacy is a “top priority.” He also affirmed that the company has put “robust safeguards in place and will continue to adopt appropriate measures to keep data safe.”
The Monument and Tempest breaches come amidst a wave of recent data leaks involving online health services, like BetterHelp and Cerebral, which also involved pixel trackers. BetterHelp was directed by the FTC to pay $7.8 million due to accusations of sharing patient data with Facebook and Snapchat. Cerebral also recently confessed to having exposed the private information of more than 3.1 million patients to third-party advertisers such as Google, Meta, and TikTok.