Alcohol recovery companies ‘Monument’ and ‘Tempest’ accused of sharing users’ personal information

Two online alco­hol recov­ery com­pa­nies, Mon­u­ment and Tem­pest, were recent­ly caught shar­ing sen­si­tive data with adver­tis­ers with­out user con­sent. The data breach came to light in an inter­nal review affect­ing 100,000 users, forc­ing both com­pa­nies to make a for­mal dis­clo­sure to their user base. The breach began in 2017 and con­tin­ued until last mon­th’s review.

Mon­u­ment acquired Tem­pest a few months ago, and its par­ent com­pa­ny, Mon­u­ment, con­firmed the data breach and shar­ing of per­son­al infor­ma­tion with adver­tis­ers through a notice filed with the Cal­i­for­nia Attor­ney Gen­er­al. Data shared includ­ed patient names, dates of birth, email address­es, postal address­es, phone num­bers, insur­ance infor­ma­tion, and more.

Cru­el­ly, both com­pa­nies also shared data on sur­vey respons­es, includ­ing book­ing infor­ma­tion, rat­ing infor­ma­tion, and alco­hol con­sump­tion data. Mon­u­ment claims on its web­site that it cares about pri­va­cy, but the rev­e­la­tions have dashed those claims.

Both com­pa­nies attribute the prob­lem to a third-par­ty track­ing sys­tem, but have removed the offend­ing track­ing code from their web­sites. How­ev­er, it does not admit that it inten­tion­al­ly shared the infor­ma­tion for prof­it and indi­cates that a track­ing pix­el pro­vid­ed by a third par­ty was the cause of the infringement.

This is just one exam­ple of how com­pa­nies in the health­care sec­tor have a poor track record when it comes to data pri­va­cy. In anoth­er sim­i­lar breach, Meta was arrest­ed red-hand­ed after a psy­chi­atric com­pa­ny shared patient infor­ma­tion with­out con­sent. Users are advised to be care­ful about data han­dling and read the pri­va­cy pol­i­cy care­ful­ly before using online services.