For years, online alcohol recovery startups Monument and Tempest were sharing with advertisers the personal information and health data of their patients without their consent.
Monument, which acquired Tempest in 2022, confirmed the extensive years-long leak of patients’ information in a data breach notification filed with California’s attorney general last week, blaming their use of third-party tracking systems developed by ad giants including Facebook, Google, Microsoft and Pinterest.
When reached for comment, Monument CEO Mike Russell confirmed more than 100,000 patients are affected.
In its disclosure, the companies confirmed their use of website trackers, which are small snippets of code that share with tech giants information about visitors to their websites, and often used for analytics and advertising.
The data shared with advertisers includes patient names, dates of birth, email and postal addresses, phone numbers and membership numbers associated with the companies and patients’ insurance provider. The data also included the person’s photo, unique digital ID, which services or plan the patient is using, appointment information and assessment and survey responses submitted by the patient, which includes detailed responses about a person’s alcohol consumption and used to determine their course of treatment.
Monument’s own website says these survey answers are “protected” and “used only” by its care team.
Monument confirmed that it shared patients’ sensitive data with advertisers since January 2020, and Tempest since November 2017. Both companies say they have removed the tracking code from their websites. But the tech giants are not obligated to delete the data that Monument and Tempest shared with them.
Monument and Tempest are the latest healthcare companies to disclose the inadvertent sharing of patient data with third-parties by way of tracking technologies. Last month, online mental health startup Cerebral confirmed it had exposed the personal and health information of more than 3 million patients who signed up to its services because of a similar years-long leak of data to third-party advertisers.
Updated with comment from Monument’s CEO.