The U.S. Federal Trade Commission (FTC) has taken a strong stand on behavioral health privacy by banning the virtual addiction treatment startup Monument from sharing sensitive patient health information with third parties for advertising purposes. Announced on April 11, this enforcement action against Monument addresses multiple allegations and underscores the increasing regulatory scrutiny on how virtual behavioral health companies handle and protect patient data. The Monument case highlights the need for stricter compliance in the rapidly growing digital health market.
Background on Monument and Its Services
Monument, founded in 2019 and headquartered in New York City, offers virtual medication-assisted therapy (MAT) for individuals struggling with alcohol use disorder. The company also provides online support groups as part of its digital behavioral health treatment platform. Over the past few years, Monument has gained traction as a telehealth provider seeking to expand access to addiction treatment via technology-driven solutions. According to Crunchbase, Monument has raised approximately $24 million in venture capital funding to date.
While virtual treatment platforms like Monument are praised for improving accessibility and convenience, the FTC’s recent enforcement highlights significant privacy concerns stemming from the handling of sensitive health data in the digital space.
FTC Allegations Against Monument
According to the FTC complaint, Monument violated the Federal Trade Commission Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 by sharing patient health information without proper consent. Specifically, from 2020 to 2023, Monument allegedly transmitted various types of sensitive data to multiple technology companies as part of its marketing efforts.
These third parties include major digital advertising and analytics firms such as AdRoll, Amazon, Google, Impact, LiveIntent, Meta (formerly Facebook), Microsoft, Pinterest, PowerInbox, Quora, and Reddit. This extensive sharing of data occurred without securing what the FTC defines as “affirmative express consent” from patients — a mandatory requirement under federal law designed to protect consumer privacy in the healthcare context.
The FTC’s actions against Monument send a clear message about the importance of patient privacy, marking a milestone in the agency’s behavioral health privacy enforcement efforts.
Notably, the FTC complaint also cites misrepresentations made by Monument regarding what data the company collected from users and how that data was being used. Such deceptive practices are central to the FTC’s enforcement authority and focus on protecting consumers from unfair or misleading business practices.
Financial Penalties and Compliance Mandates
As part of the settlement, the FTC has ordered Monument to pay a $2.5 million judgment. However, the payment may be suspended depending on the company’s financial disclosures submitted to the FTC.
Beyond the monetary penalty, the FTC’s complaint and order include several critical compliance measures to protect patient data going forward:
- Affirmative Consent: Monument must obtain explicit, informed consent from patients before sharing any protected health information with third parties.
- Data Usage Transparency: The company is prohibited from misrepresenting what types of data it collects or how it will use or share that data.
- Data Retrieval and Destruction: Monument must track down all health data that was improperly shared with third parties and ensure that those third parties destroy the data. Monument must also send instructions to the third parties and evidence of destruction to the FTC.
- User Notification: All impacted users must be notified within 14 days of the order’s effective date about the FTC action and the steps Monument is taking to address the violations.
- Privacy Program and Audits: Monument is required to develop and implement a comprehensive privacy protection program. The company must retain an independent third-party assessor to conduct an initial assessment of its privacy practices and then perform audits every two years.
These requirements reflect the FTC’s growing commitment to enforcing data privacy protections, especially within the sensitive arena of behavioral health care. This enforcement is a major chapter in behavioral health privacy regulation.
FTC’s Broader Enforcement Landscape
Monument’s case is not isolated. Just days after this announcement, on April 15, the FTC announced a separate, more substantial enforcement action against Cerebral Inc., a virtual mental health provider, for similar allegations of inappropriate sharing of patient data and misrepresenting data policies.
These back-to-back enforcement actions send a clear message to virtual behavioral health companies: The FTC is intensifying oversight and will rigorously police how sensitive health information is handled, particularly when it comes to digital marketing practices.
The FTC stated in a recent blog post, “Here’s the loud-and-clear message companies need to hear: The FTC won’t back down in the fight to protect the privacy of consumers’ sensitive health data.” This underscores the agency’s stance that patient data in behavioral health is particularly sensitive and deserving of the highest privacy protections, key elements of its enforcement action against Monument.
What This Means for Virtual Behavioral Health Providers and Patients
The digital transformation of behavioral health services offers unprecedented opportunities for patients to access treatment remotely. However, this shift also amplifies privacy risks if companies do not implement robust safeguards to protect health data.
For virtual behavioral health providers, the Monument case serves as a critical cautionary tale. Companies must ensure they comply fully with data privacy laws and maintain transparency with users regarding data collection, sharing, and use policies. Failure to do so can lead to costly enforcement actions, reputational damage, and loss of patient trust.
For patients and consumers, the FTC’s enforcement actions highlight the importance of vigilance. Users should carefully review the privacy policies of telehealth platforms and be aware of their rights regarding consent and control over personal health information.
This case is a major example of behavioral health privacy concerns shaping the future of telehealth.
Looking Ahead: The Future of Privacy in Virtual Addiction Treatment
As virtual care continues to evolve, regulatory oversight will likely become even more stringent. The FTC’s actions against Monument and Cerebral mark a significant moment in digital behavioral health regulation. Companies operating in this space must prioritize privacy and ethical data handling as core components of their business models.
Monument, with its $24 million in venture backing and growing presence in virtual addiction treatment, now faces the challenge of rebuilding trust by demonstrating compliance and respect for patient privacy. The required comprehensive privacy programs and periodic audits will hopefully set a higher standard for the industry.
Ultimately, the FTC’s enforcement will contribute to a safer virtual behavioral health ecosystem, one that balances innovation with the critical need to protect sensitive patient information. The enforcement action against Monument stands as a benchmark in this ongoing effort.