
FTC orders mental health company to pay for privacy and data breaches | Orrick, Herrington & Sutcliffe LLP

On April 15, the FTC released its administrative complaint and jointly negotiated order against a mental health provider, requiring the provider to pay a total of more than $7 million, including $5.1 million for consumer refunds and $2 million in civil penalties. According to the complaint, between 2021 and 2022, the defendant collected sensitive personal health information and sold online mental health treatments (i.e., telehealth) through its website to “hundreds of thousands” of patients. The FTC alleged that the mental health service provider engaged in deceptive and unfair practices in the marketing of its data security practices, such as failing to disclose material matters, failing to obtain consumers’ express informed consent, and failing to implement adequate data security measures. In addition, the FTC alleged that the provider misled consumers about the cancellation of services, including the lack of a mechanism to stop recurring charges. The FTC’s complaint specifically found that the company misrepresented how it would use and disclose patients’ personal information, mishandled and disclosed the personal information of “hundreds of thousands” of consumers, and failed to provide a way to cancel subscriptions. The FTC charged the defendant with violating Section 5 of the FTC Act, which covers deceptive privacy practices, deceptive data security practices, unfair privacy and data security practices, and deceptive cancellation practices, and with allegedly violating the Opioid Act and the Restore Online Shoppers Confidence Act (ROSCA).

Although the defendant did not admit or deny these allegations, the joint order prohibits the defendant from disclosing any Covered Information to any third party for advertising purposes, from disclosing any Covered Information to any third party without the consumer’s express consent, and from misrepresenting its cancellation policy. The order also requires the defendant to implement stronger protections for individuals’ private information and to initiate regular reviews of its data security practices. The court ordered the defendant to pay $5,087,252 in monetary relief to consumers and a $10 million civil penalty, which the FTC agreed to suspend in exchange for a $2 million payment based on the defendant’s inability to pay the full civil penalty.