Health Breach Notification Tracking

It's been 1005 days and still no health breach notifications from 22 companies blatantly violating people's health privacy rights.

Health Breach Notification Tracking

We're trying a new way to shine a light on privacy issues related to online addiction treatment and recovery support. We're now conducting monthly tracking of whether the companies are fulfilling their legal requirement to disclose their health breaches to HHS OCR, the FTC, the affected individuals, and the media.

As shown in the FTC cases against Cerebral and Monument:

Yes, using privacy-violating tools (e.g., Google Analytics, Meta [Facebook] Pixel) by companies that provide addiction treatment and recovery support is sufficient to trigger a health breach notification.
, cookie banners and "click here to see privacy practices" do not qualify as informed consent.

We are now outside the 60-day mandatory health breach notifications timeframe for 21/23 companies we study, making this the perfect time to start tracking compliance with this important law.

Let's see how the companies did!