Online alcohol recovery startups Monument and Tempest have been sharing their patients’ personal information and health data with advertisers without their consent for years, affecting more than 100,000 patients.
The companies confirmed that they used website trackers for analytics and advertising developed by tech giants such as Google, Facebook, Microsoft and Pinterest. The shared data included patients’ names, dates of birth, email and postal addresses, phone numbers, and membership numbers associated with the companies and patients’ insurance providers, as well as the patient’s photo, unique digital ID, appointment information, and assessment and survey responses submitted by the patient.
Monument, which acquired Tempest in 2022, confirmed the data breach in a notification filed with California’s attorney general, blaming their use of third-party tracking systems. Both companies said they removed the tracking code from their websites.
However, tech giants are not obligated to delete the data shared with them. Monument’s own website claims that the survey answers are protected and used only by its care team.
The sharing of data with third parties by healthcare companies like Monument, Tempest and Cerebral highlights the need for greater scrutiny and regulation of tracking technologies. Cerebral confirmed last month that more than 3 million patients’ personal and health information was exposed due to a similar years-long leak of data to third-party advertisers.
It also underscores the importance of patients being fully informed and consenting to how their personal and health data are used and shared.