Monument, Inc. Sold Your Addiction Recovery Data To Facebook And Google

The Betrayal Was The Business Model

Monument, Inc. built its brand on a foundation of trust. It offered online therapy, support groups, and prescriptions for people seeking to overcome alcohol addiction. On its website and in direct communications with users, it made explicit promises. The service was “100% confidential.” It was “fully HIPAA-compliant.” Your most personal information, the company claimed, would never be shared without your “expressed written consent.”

A federal complaint filed by the United States Department of Justice on behalf of the Federal Trade Commission (FTC) reveals these promises were a lie. The complaint, Case 1:24-cv-01034, alleges that for nearly three years, Monument’s actual business model involved the systematic disclosure of its users’ most sensitive health data to a roster of Big Tech advertising platforms. This data pipeline was active from January 2020 through December 2022, a period during which Monument spent over $3 million on Meta ads and nearly $2.4 million on Google ads.

The Non-Financial Ledger

Seeking help for addiction is one of the most vulnerable decisions a person can make. It requires confronting deep personal struggles and placing immense trust in caregivers. Monument exploited that trust. The disclosure of a user’s status as someone in treatment for alcohol addiction is not a trivial data point. It is information that can cause profound and lasting harm.

“Disclosure of this information is likely to cause stigma, embarrassment, and/or emotional distress to the users. Exposure of this information may also affect these users’ ability to obtain and/or retain employment, housing, health insurance, or disability insurance.”

This is the non-financial cost of Monument’s actions. Every one of the up to 84,468 people whose data was shared now faces a future where their recovery journey has been turned into a commodity, a data profile to be bought and sold. That data now lives on the servers of companies like Meta and Google, who were given free rein to use it for their own purposes, including research and product development, with no contractual limits imposed by Monument.

The “Cost of a Life” Metric

84,468
Users’ Recovery Data Exposed

Legal Receipts: A Pattern of Deception

Monument’s deception was not a subtle omission buried in fine print. It was a series of direct, repeated, and false statements made to the public and to individual users who asked for reassurance.

The company’s own internal review, prompted by new HHS guidance in late 2022, confirmed that “some information may have been shared with those third parties without the appropriate authorization, consent, or agreements required by law.” The FTC complaint details how this happened.

Monument used tracking pixels and APIs to send “Custom Events” to ad platforms. These events had descriptive titles that broadcast users’ health status, such as “Paid: Med Management,” “Paid: Bi Weekly Therapy,” and “Paid: Weekly Therapy.” This data was bundled with personal identifiers like IP addresses and hashed email addresses, which Monument knew ad platforms could easily reverse-engineer to identify specific individuals.

Even after Meta warned Monument in June 2020 that its event titles conveyed health information, the company continued its practices. In January 2022, a Monument engineer explicitly raised an alarm that the company was sending health data to Meta and recommended stopping. The recommendation was ignored.
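The kind of pre-send check that would have caught the “Custom Events” described above, as an added example (not code from Monument or from the complaint). It also shows why a hashed email is still an identifier. The payload field names, the keyword rules, and the SHA-256 normalization are assumptions; the sample data is constructed.

```javascript
const { createHash } = require('node:crypto');

// Keyword rules built from event titles quoted in the complaint (rule set is an assumption).
const HEALTH_TERMS = /\b(therapy|med management|total care)\b/i;

// Assumption: SHA-256 over the trimmed, lowercased address, a common ad-matching convention.
function hashEmail(email) {
  return createHash('sha256').update(email.trim().toLowerCase()).digest('hex');
}

// Hashing is deterministic, so a recipient that already holds the address
// can recompute the digest and join the event to a known account.
function recipientCanMatch(hashedEmail, emailsRecipientHolds) {
  return emailsRecipientHolds.some((e) => hashEmail(e) === hashedEmail);
}

// Returns the reasons to block an outbound event; an empty array means it may be sent.
// healthOnlySite: every event from a single-purpose treatment service implies health status.
function auditEvent(evt, { healthOnlySite = false } = {}) {
  const findings = [];
  const identified = Boolean(evt.ip) || /^[0-9a-f]{64}$/.test(evt.hashedEmail || '');
  const namesHealth = HEALTH_TERMS.test(evt.name);
  if (namesHealth) findings.push('event title conveys health status');
  if (identified && (namesHealth || healthOnlySite)) {
    findings.push('health-revealing event bundled with a personal identifier');
  }
  return findings;
}

// Constructed sample payloads (documentation IP range, example.com addresses).
const SAMPLE_EVENTS = [
  { name: 'Paid: Weekly Therapy', ip: '203.0.113.7', hashedEmail: hashEmail('user@example.com') },
  { name: 'Paid: Med Management', hashedEmail: hashEmail(' User@Example.com ') },
  { name: 'Sign Up', ip: '203.0.113.7' },
  { name: 'PageView' },
];

function runAudit(events, opts) {
  return events.map((e) => ({ name: e.name, findings: auditEvent(e, opts) }));
}

console.log(JSON.stringify(runAudit(SAMPLE_EVENTS, { healthOnlySite: true }), null, 2));
```

With `healthOnlySite` set, even the neutral “Sign Up” title is flagged once an IP address rides along, which mirrors how a “Sign Up” event from a treatment-only service still reveals recovery status.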

Societal Impact Mapping: The Data Spread

The health data of Monument users was not sent to a single bad actor. It was broadcast across a wide network of the internet’s largest data harvesting machines. The FTC complaint names them specifically:

  • Meta: Received events like “Sign Up” and “Paid: Weekly Therapy” for at least 25,110 users, linking their recovery status to their Facebook profiles.
  • Google: Received “Sign Up” and “Activated” events, and potentially the insurance information, name, and contact details of up to 2,436 users via a Google Analytics integration.
  • LiveIntent: Received explicit event titles like “Monument – Total Care Sign Up Confirmation Weekly” for 1,842 users.
  • Others: Data was also sent to AdRoll, Amazon, Impact, Microsoft, Pinterest, PowerInbox, Quora, and Reddit.

Monument agreed to the standard terms of service for these platforms, which often permitted them to use the data for their own internal purposes, such as improving their ad-targeting algorithms. Your recovery became a training tool for their surveillance machine.

“HIPAA Compliant” Was A Lie

Perhaps the most cynical of Monument’s claims was its repeated assertion of HIPAA compliance. The Health Insurance Portability and Accountability Act is supposed to be the legal shield protecting your health information. For Monument, it was just a marketing slogan.

In December 2021, Monument hired an outside firm for a “HIPAA Gap Assessment.” The result was a failing grade. The assessor concluded the company was only 60% in compliance with HIPAA, having “not addressed” critical areas like risk analysis, risk management, and contingency planning. Despite this, Monument continued to tell customers it was “fully HIPAA-compliant.”

A follow-up security assessment in November 2022 found them still deficient, at only 71% compliance. It wasn’t until the summer of 2023 that their score reportedly improved to 94%, long after the damage was done and the FTC investigation was underway.

What Now?

The federal government is seeking a permanent injunction and civil penalties against Monument. But justice for the people whose trust was broken requires more than a corporate fine. The individuals who made these decisions must be held accountable.

Corporate Roles on Watch

Individuals in these roles at Monument, Inc. were directly involved in communications about data privacy or privy to the internal failures, according to the complaint:

  • Operations and Compliance Manager
  • Customer Service Representatives
  • Monument Engineers

Regulatory Bodies

These are the agencies fighting back. Their actions depend on public pressure and support:

  • Federal Trade Commission (FTC)
  • Department of Justice (DOJ)
  • HHS Office for Civil Rights (OCR)

This case is a brutal reminder that in the digital age, privacy policies are weapons. Corporations use promises of confidentiality to lure you in, while their actual business practices treat your deepest vulnerabilities as a product to be sold. The only effective defense is collective action. Support local mutual aid networks that provide care without harvesting data. Demand that your elected officials strengthen and enforce privacy laws with real teeth, including personal liability for executives. The system is broken by design; we have to build the alternative ourselves.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
