Skip to main content

These alcohol counseling companies leaked patient data to advertisers for years

These alcohol counseling companies leaked patient data to advertisers for years

/

Monument and Tempest shared names, birthdates, addresses, insurance information, and survey responses with advertisers.

Share this story

Photograph of a hand wearing red nail varnish holding a mouse with a projection overlay of stylized eyes
Photo by Amelia Holowaty Krales / The Verge

Online alcohol recovery services Monument and Tempest admitted to sharing private patient information with advertisers for years, as reported earlier by TechCrunch. In a disclosure filed with the California Attorney General, Monument (which acquired Temple in 2022) says the tracking tools used on both services “may have shared” names, birthdates, email addresses, phone numbers, home addresses, insurance information, and more to advertisers.

Monument and Tempest, which both provide resources for patients struggling with alcohol addiction, say the leak might have also included patients’ responses to self-evaluations about their drinking habits, something Monument clearly says are “protected” and used only by its care teams. The companies blame the breach on the pixel tracking tools they included on their sites for advertising purposes.

Monument says it reviewed its use of tracking pixels after the US government issued guidance to health companies about them in late 2022. In a bulletin published by the Department of Health and Human Services (HHS), the agency warns health companies that they might be held liable for violating patient privacy through the use of pixel-tracking tools.

Monument and Tempest’s cases are remarkably similar to recent data leaks involving online health services

Pixel trackers are the snippets of code created by companies like Meta, Google, TikTok, and Pinterest that often get embedded into ads, websites, or emails. They track information about what a user clicks or the forms they fill out, which then gets used by both parties to create tailored ads or better understand their user bases.

As noted in its disclosure, Monument found that its pixel tracking tools had been exposing user information on the Monument site since January 2020 and on Tempest as far back as November 2017. Monument says it stopped using “most” tracking tools in late 2022 and “fully disconnected” them from Monument’s websites by February 23rd, 2023.

Monument and Tempest’s cases are remarkably similar to recent data leaks involving the online health services, BetterHelp, GoodRx, and Cerebral, which also involved pixel trackers. Last month, the Federal Trade Commission ordered BetterHelp and GoodRx to pay $7.8 million for allegedly sharing patient information with Facebook and Snapchat, while Cerebral recently admitted to exposing the personal information of over 3.1 million patients to Google, Meta, TikTok, and other third-party advertisers.

In Monument’s case, the amount of leaked information varies from user to user; as the company states, it depends on the “actions you took on the Monument website, the configuration of the tracking technologies,” as well as the configuration of the web browser that accessed the site. Monument says the leak didn’t include social security numbers or credit card information, however, and may have affected a little over 100,000 people.

“Protecting our patients’ privacy is a top priority,” Monument CEO Mike Russell says in an emailed statement to The Verge. “We have put robust safeguards in place and will continue to adopt appropriate measures to keep data safe. In addition, we have ended our relationship with third-party advertisers that will not agree to comply with our contractual requirements and applicable law.”