FTC Files Security Complaint Over Medical Billing, Payment Portal
Nearly 5,500 consumers who thought they were only joining an online medical bill payment portal ended up having their information sent to 31 companies, a Federal Trade Commission complaint alleges.
A set of complaints against PaymentsMD and its CEO Michael C. Hughes charge that PaymentsMD “used the sign-up process for a ‘Patient Portal’—where consumers could view their billing history—as a pathway to deceptively seek consumers’ consent to obtain detailed medical information about the consumers.”
PaymentsMD had offered online billing services for medical professionals since 2008, and in 2011 it launched a portal where patients could log in for free to view their billing histories, check payments, and view account balances. Then the company started offering a fee-based service that purported to allow patients to review, manage, and consolidate all of their billing information.
According to the complaints, this service automatically made enrollees’ information available to other healthcare companies; for example, a patient’s information would be available not just to their usual pharmacy but also to all major pharmacies near the patient’s home, according to an FTC blog post. The complaint alleges that the information was distributed to third parties without the authorization required by the FTC.
“The complaint alleges that PaymentsMD used the consumers’ registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report,” an FTC press release states. “The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests, and more. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy.”
Under the terms of the complaint and settlement, Hughes and PaymentsMD “must destroy any information collected related to the Patient Health Report service. In addition, the respondents are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party, and they must obtain consumers’ affirmative express consent before collecting health information about a consumer from a third party,” according to the FTC.