Let’s say you’re running an online portal for people to pay their medical bills.
But now you want to start up a site that has their medical records.
How do you get people’s personal medical information in order to populate your new site?
According to the FTC, PaymentsMD got that data by setting up authorizations in tiny windows on the billing site, each of which displays a meager six lines of a far lengthier text that, when consumers click the box, grants the go-ahead for your data grab.
Oh, and don’t forget to make it even easier to weasel away that data by putting a single box on the front page. Anybody who clicks that one box accepts all of the four authorizations at once.
On Wednesday, the FTC announced that PaymentsMD and its former CEO have settled charges that they misled thousands of consumers who signed up for the billing portal, by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.
The FTC charged in a pair of complaints that the company and its CEO used the sign-up process for the patient portal as “a pathway to deceptively seek consumers’ consent to obtain detailed medical information about the consumers.”
That’s pretty bad, privacy-wise, said Jessica Rich, director of the FTC’s Bureau of Consumer Protection:
Consumers’ health information is as sensitive as it gets. Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.
The complaints say that PaymentsMD, along with a third party, began developing a separate service known as Patient Health Report in 2012.
To get the new site populated with medical records, the complaints allege, PaymentsMD tweaked the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.
According to the complaint, it’s only reasonable for customers of the Patient Portal billing service to expect that when they clicked to authorize the site, they were authorizing exactly that: billing.
The complaints allege that once the company and its partners had the authorization, they then scooped up sensitive health information from pharmacies, medical testing companies and insurance companies in order to create a patient health report.
That includes prescriptions, procedures, medical diagnoses, lab tests performed, test results and more.
The company allegedly contacted pharmacies located near the consumers, without knowing whether the consumers in question were in fact customers of any particular pharmacy.
Here’s the good news, which speaks highly of the privacy sophistication of many healthcare companies: All but one of the companies refused to hand over the requested data to the company, given that PaymentsMD was after information pertaining to minors and to individuals who weren’t customers of the healthcare company contacted.
It was when PaymentsMD began to let customers know that it was trying to collect consumers’ health information that the truth emerged.
“Numerous” angry consumers complained to the FTC, it said, having been under the impression that they had signed up only for a billing portal and not an online health record.
All that weaseled-away information has to be destroyed under the terms of the settlements.
Nor can they pull this stunt again, the FTC said, having banned them from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party.
Also, the settlements state that the respondents must obtain consumers’ affirmative, express consent before collecting health information about a consumer from a third party.
Moral of the story: Beware the tiny and/or hidden legalese!
A company that’s handling sensitive consumer data in a manner that’s on the up and up very likely doesn’t need to stuff the permissions far away from the light of day.