FTC Sanctions Monument Over Unauthorized Health Data Sharing
#Privacy

Startups Reporter

The FTC penalizes telehealth provider Monument for sharing sensitive user health data with advertising platforms without consent, marking continued regulatory action against digital health privacy violations.

The Federal Trade Commission has taken enforcement action against Monument, an alcohol addiction telehealth provider, for allegedly sharing users' sensitive health data with third-party advertising platforms without consent. This action signals regulators' intensified focus on digital health companies' handling of protected information.

According to the FTC complaint, Monument shared identifiable health data—including users' enrollment in alcohol addiction programs—with advertising technology platforms like Meta and Google between 2020 and 2026. This occurred despite Monument's explicit claims that user information was "100% confidential, secure, and HIPAA compliant." The data disclosures impacted approximately 84,468 individuals, exposing treatment details alongside personal identifiers like email addresses and IP addresses.

Core Violations

  • Misrepresentation of Privacy Protections: Monument falsely claimed HIPAA compliance while systematically sharing protected health information
  • Unauthorized Data Disclosure: User data was funneled to advertising platforms without explicit consent
  • Violation of Multiple Laws: The FTC cites breaches of the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act (OARFPA)

Samuel Levine, Director of the FTC's Bureau of Consumer Protection, stated: "The market should be getting the message that consumer health data should be handled with extreme caution."

Regulatory Consequences

Under the proposed settlement:

  • Monument faces a $2.5 million civil penalty (which the company claims it cannot pay)
  • Permanent ban on sharing health data for advertising purposes
  • Requirement to implement comprehensive privacy safeguards
  • Mandate to notify affected users and direct third parties to delete improperly shared data

This action continues the FTC's enforcement pattern targeting digital health privacy violations, following similar cases against companies like GoodRx. The FTC and Department of Health and Human Services' Office for Civil Rights (OCR) have increasingly coordinated efforts to close regulatory gaps around health data tracking.

Industry Implications

Healthcare privacy researchers note the significance of this enforcement. Matt McCoy, medical ethics researcher at the University of Pennsylvania, observed: "At this point, companies and health providers really have no excuse to say, well, we didn't understand the privacy implications of these tools. With the enforcement actions by the FTC and by OCR, the days of being able to say we don't know any better are over."

The regulatory landscape remains contested, however. Industry groups including the American Hospital Association have challenged OCR's interpretation of HIPAA regarding tracking technologies in ongoing litigation. Despite updated guidance from regulators, disagreement persists about permissible uses of third-party tracking tools on health platforms.

Ari Friedman, who researches digital health privacy at UPenn, emphasized proactive measures: "Health-related entities should audit their websites regularly to ensure they are not facilitating this type of privacy violation."

Monument did not respond to requests for comment regarding the settlement terms or allegations. The case highlights ongoing tensions between digital health innovation, advertising economics, and fundamental privacy rights.
