Online alcohol recovery startups Monument and Tempest got caught sharing confidential user data with advertisers without their consent, as originally reported by TechCrunch. Everything came to light after an internal review revealed a data breach impacting 100,000 users, forcing the companies to issue a formal disclosure to the user base. The violations started in 2017 and were ongoing until last month's review.
Monument and Tempest started as two entirely different platforms, but the former acquired the latter several months back. Parent company Monument confirmed not only the data breach but that the companies shared private information with advertisers via a notification filed with California’s attorney general. Data shared with advertisers, without user consent, includes patient names, dates of birth, email addresses, postal addresses, phone numbers, insurance information and more.
Unfortunately, that is just the beginning. In a cruel insult to those seeking recovery, the companies also shared data related to appointment information, assessment information and survey responses, which includes alcohol consumption data. Monument continues to tout its commitment to privacy on its website, saying that survey responses are “protected" despite the recent disclosure
The companies blame third-party tracking systems for the issue, stating that they have removed the offending tracking codes from their websites. The companies do not admit to sharing this information on purpose to increase profits, indicating that the tracking pixels provided by third parties did the deed all on their own.
Though this is an especially egregious example, it is important to remember that most companies have a less-than-pristine record regarding data privacy, even in the case of medical records. There is a near-endless list of similar violations, like the time a mental health startup shared patient information without consent and when Meta was caught with its own hand in the digital cookie jar. Be careful out there folks.