DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data

Posted on December 3, 2014 by Dissent

From the FTC:

An Atlanta-based health billing company and its former CEO have settled Federal Trade Commission charges they misled thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.

In a pair of complaints, the FTC charges that PaymentsMD, LLC, and its former CEO, Michael C. Hughes, used the sign-up process for a “Patient Portal” — where consumers could view their billing history — as a pathway to deceptively seek consumers’ consent to obtain detailed medical information about the consumers.

“Consumers’ health information is as sensitive as it gets,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.”

According to the complaints, PaymentsMD operated a website where consumers could pay their medical bills. In 2012, the company and a third party began developing a separate service known as Patient Health Report, designed to provide consumers with comprehensive online medical records. In order to populate the medical records, though, the company first needed to acquire consumers’ medical information. The complaints allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.

According to the complaints, consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once. Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for just that – billing, according to the complaint.

The complaint alleges that PaymentsMD used the consumers’ registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report. The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests, and more. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy.

According to the complaints, in all but one case, the healthcare companies contacted for data refused to comply with the requests, as they included requests for information about minors, as well for individuals who were not customers of the healthcare company contacted. Once PaymentsMD began informing customers that it was attempting to collect consumers’ health information, the company received numerous complaints from consumers angered because they believed they had signed up only for a billing portal and not an online health record.

Under the terms of the settlements, PaymentsMD and its former CEO, Hughes, must destroy any information collected related to the Patient Health Report service. In addition, the respondents are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party, and they must obtain consumers’ affirmative express consent before collecting health information about a consumer from a third party.

The Commission vote to issue the complaint and accept the proposed consent order for public comment was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Jan. 2, 2015, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically (PaymentsMD, LLC | Michael C. Hughes) by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

SOURCE: FTC

See also A Pain in the Privacy on FTC’s Business Blog.

Category: Uncategorized

Post navigation

← Former college professor/FBI informant indicted on federal charges of credit card fraud, identity theft
Hackers Infiltrate Payment Systems of Major Parking Garage Operator →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.