Online alcohol recovery startups Monument and Tempest reportedly shared their users’ personal information with advertisers without consent.
Monument, which acquired Tempest in 2022, confirmed the years-long leak of patients’ information in a recent data breach notification filed with California’s attorney general, blaming their use of third-party tracking systems from the likes of Facebook, Google, Microsoft and Pinterest. Overall, more than 100,000 patients are affected.
In its disclosure, the companies confirmed their use of website trackers which are used for analytics and advertising.
Monument and Tempest shared such details as patient names, dates of birth, email and postal addresses, phone numbers, and membership numbers associated with the companies and patients’ insurance providers. Also included were the person’s photo, unique digital ID, which services or plan the patient is using, appointment information, and assessment and survey responses submitted by the patient.
To make things worse, Monument’s website says answers to these are “protected” and “used only” by its care team.
The company confirmed that this “practice” of sharing patients’ data with advertisers started in January 2020, while Tempest began earlier – in November 2017. Both companies say they have removed the tracking code from their websites, though the tech giants are not obligated to delete the data that was shared with them.
Unfortunately, Monument and Tempest are not the only healthcare companies that inadvertently share patient data with third parties using tracking technologies. Recently, we have also seen the mental health startup Cerebral doing the same, and chances are – we’ll be hearing more similar stories down the road.
In the meantime, we advise anyone to be careful where they leave their data as it could fall into the wrong hands. And also to use a VPN to encrypt all traffic flowing between their device(s) and the rest of the Internet. It’s just the way the world works these days, and you can never be extra cautious.