Two alcohol recovery apps shared user data without their consent

Update 04/06/2023: Comments from Monument’s CEO have been added to this article.

According to recent reports, two online alcohol recovery startups shared users’ detailed private health information and personal data to third-party advertisers without their consent. They were able to do so via popular tracking systems such as the Meta Pixel. Both Tempest and its parent company, Monument, confirmed the extensive privacy violations to TechCrunch on Tuesday. They now claim to no longer employ the frequently criticized consumer profiling products developed by companies such as Microsoft, Google, and Facebook.

In a disclosure letter mailed to its consumers last week, Monument states “we value and respect the privacy of our members’ information,” but admitted “some information” may have been shared to third parties without the “appropriate authorization, consent, or agreements required by law.” The potentially illegal violations stem as far back as 2020 for Monument members, and 2017 for those using Tempest.

Within those leaks, as many as 100,000 accounts’ names, birthdates, email addresses, telephone numbers, home addresses, membership IDs, insurance IDs, and IP addresses. Additionally, users’ photographs, service plans, survey responses, appointment-related info, and “associated health information” may also have been shared to third-parties. Monument and Tempest assured customers, however, that their Social Security numbers and banking information had not been improperly handled.

[Related: How data brokers threaten your privacy.]

Major data companies’ largely free “pixel” tools generally work by embedding a small bit of code into websites. The program then subsequently supplies immensely personal and detailed information to both third-party businesses, as well as the tracking tech’s makers to help compile extensive consumer profiles for advertising purposes. One study estimates that approximately one-third of the 80,000 most popular websites online utilize Meta Pixel (disclosure: PopSci included), for example. While both Tempest and Monument pledge to have removed tracking code from their sites, TechCrunch also notes the codes’ makers are not legally required to delete previously collected data.

“Monument and Tempest should be ashamed of sharing this extremely personal information of people, especially considering the nature and vulnerability of their clients,” Caitlin Seeley George, campaigns managing director of the digital privacy advocacy group, Fight for the Future, wrote PopSci via email. For George, the revelations are simply the latest examples of companies disregarding privacy for profit, but argues lawmakers “should similarly feel ashamed” that the public lacks legal defense or protection from these abuses. “It seems like every week we hear another case of companies sharing our data and prioritizing profits over privacy. This won’t end until lawmakers pass privacy laws,” she said.

“Protecting our patients’ privacy is a top priority,” Monument CEO Mike Russell told PopSci over email. “We have put robust safeguards in place and will continue to adopt appropriate measures to keep data safe. In addition, we have ended our relationship with third-party advertisers that will not agree to comply with our contractual requirements and applicable law.”

Tracking tools are increasingly the subject of scrutiny and criticism as more and more reports detail privacy concerns—last year, an investigation from The Markup and The Verge revealed that some of the country’s most popular tax prep software providers utilize Meta Pixel. The same tracking code is also at the center of a lawsuit in California concerning potential HIPAA violations stemming from hospitals sharing patients’ medical data.

Correction 04/06/2023: A previous version of this article’s headline stated Tempest and Monument “sold” user data. A spokesperson for the companies stated they “shared” data with third-party companies.