By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Privacy of sensitive information, in particular healthcare information, remains a hot topic. Threats abound from both external and internal actors. Along with the threats, enforcing obligations to protect the information has also ramped up. Given the reality that healthcare information is being created in a lot of new places, enforcement is not just coming from the Office for Civil Rights under HIPAA. One of the newest and hottest entrants on the healthcare privacy front is the Federal Trade Commission (FTC). Being aware of the whole regulatory enforcement landscape is just as important as paying attention to compliance in the first place.
Quick Reminder
As a quick reminder, the FTC announced a couple of settlement actions in early April 2024. Both settlements centered around companies failing to live up to data protection assurances offered to users and using information for purposes that were not allowed.
The settlements provided warning that multiple agencies will track the use of healthcare information. That is especially true and necessary given the proliferation of healthcare data in new and different areas that may not fall under the scope of expected regulations.
The Latest Action
Coming from that backdrop, the latest announced joint action from the FTC and the Department of Justice should not come as that much of a surprise. On June 10, 2024, the FTC and DOJ announced a new complaint against Cerebral, Inc., Kyle Robertson (Cerebral’s founder and former CEO), Alex Martelli (a former Cerebral executive), Zealthy Inc., Gronk Inc., Bruno Health, P.A., and German Echeverry (an executive of Zealthy, Gronk, and Bruno Health). It should be noted that Gronk is the new name of Zealthy and Robertson founded Gronk after leaving Cerebral.
The announcement included news of a settlement with Cerebral to resolve the claims. Specifically, Cerebral agreed to pay $5 million in consumer redress (meaning payments to consumers) and a $10 million civil penalty judgment that was suspended to $2 million based on what Cerebral could afford to pay. If those details sound familiar it isn’t just a funny feeling. Those are the same settlement details as the announced plan between the FTC and Cerebral back in April. Other than the addition of new claims, it’s not clear why Cerebral is still a part of the announcement.
The New Claims and Parties
Moving beyond Cerebral, the allegations still offer a lot to consider. With regard to Cerebral and Robertson, the amended complaint asserts two primary violations of the FTC Act (think mostly along the lines of unfair and deceptive business practices). The first violation was a failure to protect sensitive healthcare information when, allegedly at Robertson’s direction, Cerebral deployed tracking technology across its website. The second violation was failing to protect the sensitive healthcare information from unauthorized disclosure as Cerebral allegedly suffered chronic breaches and unauthorized disclosures.
The next new allegation is that Robertson and Martelli caused Cerebral employees to impersonate patients to post positive reviews on various websites. The false reviews were used to suppress real reviews of Cerebral that contained critical or negative comments.
Connected to earlier claims, the amended complaint asserts that, in violation of the Restore Online Shoppers’ Confidence Act, Cerebral and Robertson did not disclose material terms to users before collecting billing information from them and then billing them. The cancellation process was also allegedly not simple, and the overly difficult mechanisms enabled Cerebral to keep billing users for additional fees.
Lastly, new claims were added against Cerebral, Robertson, and Martelli alleging that they violated the Opioid Act by engaging in allegedly deceptive acts or practices in relation to substance use disorder treatment services.
Moving away from conduct related to Cerebral, the amended complaint addresses Gronk (formerly known as Zealthy) because Robertson founded Gronk after leaving Cerebral. The allegations against Gronk mirror those against Cerebral. Essentially, the government is alleging that Robertson continued the same activities under a different umbrella. From that perspective, changing names or venues will not escape government notice or scrutiny.
What to Do with the News
The basic takeaway from the amended complaint is that deceiving consumers as to how healthcare information will be used is not a good idea. That should be common sense, but unfortunately a lot of the time outside enforcement is needed to remind companies and individuals of actions and levels of respect that should be included. Whether HIPAA applies or not, there are still other laws that govern the privacy and security of data as well as how data can be utilized.
Leaving aside the compliance aspect, the increasing awareness and sophistication of individuals around protecting their own data should inform the approach to the use of data and general interactions. Deceiving individuals whether intentionally or unintentionally is a sure way to drive users away and generate bad word of mouth that cannot be controlled. Implementing enhanced or more transparent controls is arguably just a good approach to business since it helps to establish an actual relationship with individuals as opposed to just viewing individuals or users as items to be taken advantage of.
Further, changing the approach is not enough if internal operations do not also reflect the same principles. From that perspective, it is essential to ensure that internal culture reflects the adopted approach and respects the terms and policies that have been implemented. Specifically, executives cannot just pay lip service to the protections or respectful approach and then drive contrary action behind the scenes. That is exactly why Cerebral, Gronk, and the named executives are being targeted. Instead, living by the terms of respect must occur. That can include appropriate internal education, review of activities, refinement of policies, and more. It is an ongoing effort that takes commitment and discipline.
If companies and individuals will not abide by publicly stated terms and conditions, expect more actions of this nature to occur. With privacy and security becoming topics of everyday conversation, the attention will not go away. It will only increase, which will also come with more enforcement action to ensure that words are met by actions. An inflection point is being created and each company and individual will need to decide where it or they want to fall.
This article was originally published on The Pulse blog and is republished here with permission.