A complaint filed with the Federal Trade Commission is accusing Facebook of failing to protect sensitive health data in its groups.
The complaint, filed with the agency last month and released publicly today, argues that the company improperly disclosed information on members of closed groups. The issue first came into the public eye in July, when members of a group for women with a gene mutation called BRCA discovered sensitive information, like names and email addresses of members, could be downloaded in bulk, either manually or through a Chrome extension.
Around that time, Facebook made changes to Groups that ended the practice, but said the decision was not related to the BRCA group’s concerns. The company also said at the time that the ability to view the data was not a privacy flaw, and noted that there was also an option for “secret” groups, which are more difficult to join but also have more limited discoverability.
The complaint, which was filed by a security researcher and BRCA advocates, among others, argues that Facebook has failed to make clear what personal information users might be giving up when they join a group. While the company might have also made changes to the ability to view personal information, the complaint argues that it is still too easy for a member to harvest information on others in a group.
Facebook did not immediately respond to a request for comment. The company is already reportedly negotiating a multibillion-dollar fine with the FTC over privacy lapses.