DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data

Posted on December 3, 2014 by Dissent

From the FTC:

An Atlanta-based health billing company and its former CEO have settled Federal Trade Commission charges they misled thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.

In a pair of complaints, the FTC charges that PaymentsMD, LLC, and its former CEO, Michael C. Hughes, used the sign-up process for a “Patient Portal” — where consumers could view their billing history — as a pathway to deceptively seek consumers’ consent to obtain detailed medical information about the consumers.

“Consumers’ health information is as sensitive as it gets,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.”

According to the complaints, PaymentsMD operated a website where consumers could pay their medical bills. In 2012, the company and a third party began developing a separate service known as Patient Health Report, designed to provide consumers with comprehensive online medical records. In order to populate the medical records, though, the company first needed to acquire consumers’ medical information. The complaints allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.

According to the complaints, consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once. Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for just that – billing, according to the complaint.

The complaint alleges that PaymentsMD used the consumers’ registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report. The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests, and more. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy.

According to the complaints, in all but one case, the healthcare companies contacted for data refused to comply with the requests, as they included requests for information about minors, as well for individuals who were not customers of the healthcare company contacted. Once PaymentsMD began informing customers that it was attempting to collect consumers’ health information, the company received numerous complaints from consumers angered because they believed they had signed up only for a billing portal and not an online health record.

Under the terms of the settlements, PaymentsMD and its former CEO, Hughes, must destroy any information collected related to the Patient Health Report service. In addition, the respondents are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party, and they must obtain consumers’ affirmative express consent before collecting health information about a consumer from a third party.

The Commission vote to issue the complaint and accept the proposed consent order for public comment was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Jan. 2, 2015, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically (PaymentsMD, LLC | Michael C. Hughes) by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

SOURCE: FTC

See also A Pain in the Privacy on FTC’s Business Blog.

Category: Uncategorized

Post navigation

← Former college professor/FBI informant indicted on federal charges of credit card fraud, identity theft
Hackers Infiltrate Payment Systems of Major Parking Garage Operator →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
  • Call for Public Input: Essential Cybersecurity Protections for K-12 Schools (2025-26 SY)
  • Cyberattack puts healthcare on hold for hundreds in St. Louis metro
  • Europol: DDoS-for-hire empire brought down: Poland arrests 4 administrators, US seizes 9 domains

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants
  • DOGE aims to pool federal data, putting personal information at risk
  • Privacy concerns swirl around HHS plan to build Medicare, Medicaid database on autism

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.