Is $10 the Best BetterHelp Could Do for Violating Patient Privacy?

— The paltry settlement emphasizes the need for stronger data privacy protections

MedicalToday
 A photo of a ten dollar bill.
  • author['full_name']

    N. Adam Brown is a practicing emergency physician, entrepreneur, and healthcare executive. He is the founder of ABIG Health, a healthcare growth strategy firm, and a professor at the University of North Carolina's Kenan-Flagler Business School.

In healthcare, privacy is paramount. It is an essential component of building trust with patients and, well, protecting patient privacy is also the law.

Or it is supposed to be.

According by the Federal Trade Commission (FTC), the online therapy provider BetterHelp (now a part of Teladoc Health) allegedly used and disclosed sensitive user data -- including internet protocol (IP) addresses, email addresses, and information in health questionnaires -- to social media giants like Facebook, Pinterest, and Snapchat, among others. In its findings, the FTC said BetterHelp with the Health Insurance Portability and Accountability Act (HIPAA).

While it remains unclear whether BetterHelp's actions constituted a direct violation of HIPAA, the allegations in this case are alarming. BetterHelp allegedly disregarded the implicit confidentiality patients believe exists with their therapists, no matter the medium through which care is delivered.

Patient Privacy Is Worth More Than $10

In 2023, BetterHelp reached a with the FTC in its case. Patients were to as a part of BetterHelp's settlement.

The total value of the refund per consumer? Just under $10 -- a fraction of the of care through BetterHelp.

That figure clearly trivializes the potential damage to those affected. Beyond not adequately reimbursing patients financially, $10 does not begin to address the emotional and psychological impact of knowing one's private data may have been used without consent. That violation may have compounded the hurt and trauma for which these patients sought care in the first place.

The violation also arguably damaged the reputation of all providers, especially those that operate exclusively online. When confidentiality is compromised, and trust is breached, it potentially deters people from seeking essential mental health services.

Is $10 the best BetterHelp could do?

Systemic Issues in Privacy Breaches

The privacy concerns highlighted by the BetterHelp case are not isolated. The industry has seen a over the last several years.

The recent Change Healthcare cyberattack was widely publicized, and, perhaps better than any other story, highlighted the fragility of our integrated billing and prescription transmission system for both patients and practitioners. (Side note: UnitedHealth Group may want to use in the future.)

As a result of the Change Healthcare security lapses, nearly have faced reimbursement backlogs or lost revenue, and patients have seen delays in procedures and prescriptions. While it appears timely reimbursements were the top-line issue reported in this case, patient privacy concerns should have been at the forefront too, with the House Energy and Commerce Committee finding that from the attack likely made its way onto the dark web.

exist within traditional healthcare settings, particularly involving third-party scheduling software services that have sold patient information.

Privacy concerns are exacerbated by incentives to monetize consumer information. A study in April 2024 found that 96% of hospital websites transmitted user information to third parties such as Meta and Google. It is unclear what Meta, the owner of Facebook and Instagram, does with this information, but similar practices have been suspected to be used to inform .

These incidents clearly demonstrate the pressing need for stringent data protection measures across all healthcare platforms, digital and traditional.

Washington Must Enhance Data Protections

The expansion of telehealth has transformed healthcare delivery, making it more accessible and, often, more efficient. But the rapid growth of this sector must not outpace the development of robust safeguards for patient privacy.

The House currently is considering a (the American Privacy Rights Act [APRA]), that if approved by the chamber and the Senate and signed into law, would provide a data privacy regime for all sectors of the U.S. economy, including healthcare. More specifically, the bill would give consumers the opportunity to gain access to, correct, and delete any of the personal data companies gather and share about them. While organizations subject to HIPAA would be mostly exempt, they would need to comply with APRA's data security provisions.

The APRA would also enhance consumer rights when it comes to non-HIPAA-protected information, like search queries and information recorded on mental health apps. Finally, APRA would allow consumers to sue companies that unlawfully transmit or collect covered data. (Maybe they would get more than $10.)

This draft bill is a good start.

Ensuring the security of patient data is a critical ethical obligation. As we continue to navigate the complexities of healthcare in the digital age, it is imperative that all stakeholders in the healthcare marketplace, including regulators, providers, and technology partners, reaffirm their commitment to protecting patient information. This task involves not only adhering to existing laws and regulations, but actively advocating for stronger protections and more transparent practices. It is also essential that patients stay informed and vigilant about their rights and the ways their data is used.

The BetterHelp settlement serves as a stark reminder of the vulnerabilities in telehealth and data security. Patients and livelihoods are at risk. As we embrace the immense promise of technology in healthcare, we must also prioritize the protection of the very individuals we aim to serve, and we must have strong regulatory protections, as well as penalties, for breaches.

The integrity of medicine, particularly mental healthcare, depends on our ability to safeguard patient data.