Two US-based startups that focussed on counseling alcoholics have been, for years, sharing with advertisers their patients’ personal information and health data without their consent, the media reported.

In a disclosure filed with California’s attorney general last week, Monument and Tempest said that ad trackers of Facebook, Google, Microsoft, and Pinterest led to the leak of more than 100,000 patients’ information, TechCrunch reported.

The leaked data includes patient names, dates of birth, email and postal addresses, phone numbers, and membership numbers associated with the companies and patients’ insurance providers.

Alarmingly, it also included the person’s photo, unique digital ID, which services or plan the patient is using, appointment information, and assessment and survey responses submitted by the patient, which includes detailed responses about a person’s alcohol consumption and used to determine their course of treatment, the report said.

Launched in 2020, Monument is a telehealth service that provides access to prescription medication and therapies to combat alcohol use disorders. Tempest, acquired by Monument in 2022, focuses on curbing alcohol abuse.

Buy Me A Coffee

According to Monument, it reviewed its use of ad trackers after the US government issued guidance to health companies about them in late 2022.

Trackers are embedded into ads, websites, or emails to track information about what a user clicks or the forms they fill out, which then gets used by both parties to create tailored ads or better understand their user bases.

New York Times Source Code Stolen Using Exposed GitHub Token

Monument, in its disclosure, confirmed that tracking tools had been exposing user information on its site since January 2020 and on Tempest as far back as November 2017. The companies said they stopped using “most” tracking tools in late 2022 and “fully disconnected” them from their websites by February this year, the Verge reported.

“Protecting our patients’ privacy is a top priority,” Monument CEO Mike Russell was quoted as saying to The Verge.

“We have put robust safeguards in place and will continue to adopt appropriate measures to keep data safe. In addition, we have ended our relationship with third-party advertisers that will not agree to comply with our contractual requirements and applicable law,” he added.

Last month, online mental health startup Cerebral also confirmed it had exposed the personal and health information of more than 3 million patients who signed up for its services because of a similar years-long leak of data to third-party advertisers, the report said.