Behavioral health and addiction treatment are the highest-risk categories on the U.S. healthcare web. Three things drive that.

First, the data is uniquely sensitive. Mental-health diagnoses, substance-use history, suicidal ideation, and treatment specifics carry social and economic consequences that other health data doesn't. Disclosure can affect employment, insurance, custody, immigration status, and personal relationships. Both FTC and OCR weight enforcement higher when the underlying data is more sensitive.

Second, the regulatory framework is layered. HIPAA covers most behavioral-health practices. 42 CFR Part 2 (the substance-use disorder confidentiality rule) covers federally-assisted SUD treatment programs and is stricter than HIPAA in several ways. Section 1557 of the ACA applies to practices receiving federal financial assistance; it is a nondiscrimination rule rather than a privacy rule, but its 2024 update reaches web and telehealth accessibility. Many states add their own layer: Washington's My Health My Data Act (a consumer-health-data statute that expressly covers mental-health data), Massachusetts G.L. c. 123 §36, California's LPS Act, and others.

Third, the digital-first business model is dominant. BetterHelp, Cerebral, Talkspace, Brightside, Hims/Hers' mental health line, Spring Health, Lyra, and dozens of smaller telehealth platforms have built primarily-online care models. Their entire patient experience is web-based. That makes them disproportionately exposed to the tracking-pixel and SDK leak categories.

The four FTC cases, in pattern

The FTC enforcement against behavioral-health platforms follows a consistent pattern. Read together, they describe the regulator's analysis.

BetterHelp ($7.8M, March 2023). Online therapy platform. Intake form collected detailed mental-health history. Hashed email and intake signals shared with Facebook, Snapchat, Pinterest, Criteo for ad targeting. Privacy policy claimed data wasn't shared. Order requires consumer redress, permanent ad-data ban, third-party data deletion, 20-year compliance program.

Cerebral ($7M+, April 2024). Telehealth for mental health and substance-use disorders. Pixels on website plus SDKs in mobile app sent intake responses, prescriptions, and diagnoses to LinkedIn, Snap, TikTok, Google, Meta. 3.2 million patients affected. Order includes first-of-kind data-use restrictions plus a 20-year compliance program.

Monument/Tempest (permanent ad-data ban, April 2024). Online alcohol-addiction treatment platform. Pixels transmitted addiction-treatment events to advertising platforms. Order: permanent ban on disclosing addiction-treatment data to third parties for advertising purposes.

Premom ($200K, May 2023). Fertility-tracking app. Different category but same legal frame: SDKs sent fertility data to AppsFlyer, Google, Umeng, Jiguang.

The common pattern across all four: tracking pixels or SDKs, sensitive intake data, advertising-platform disclosure, privacy-policy contradictions. Every complaint pleads Section 5 of the FTC Act; Premom adds the Health Breach Notification Rule, and Cerebral and Monument add the Opioid Addiction Recovery Fraud Prevention Act.

For HIPAA-covered behavioral-health practices, the same fact pattern is primarily an OCR matter under the HIPAA Privacy Rule (the Health Breach Notification Rule does not apply to HIPAA-covered entities), but the FTC's Section 5 authority over deceptive privacy statements still applies, as the joint FTC/OCR letters sent to roughly 130 hospital systems and telehealth providers in July 2023 made explicit. The technical exposure is identical either way.

42 CFR Part 2 — the rule that's stricter than HIPAA

42 CFR Part 2 covers patient records of federally-assisted programs that hold themselves out as providing substance-use disorder treatment, diagnosis, or referral. Many addiction-treatment centers, methadone clinics, and dual-diagnosis behavioral-health programs are covered.

Part 2 differs from HIPAA in several ways that matter for web tracking:

  • Consent-based disclosure. Part 2 has no general treatment, payment and operations exception: disclosing SUD treatment records ordinarily requires the patient's written consent. The 2024 rule allows one consent to cover all future TPO uses and disclosures, but consent is still the starting point, where HIPAA starts from a TPO permission.
  • Re-disclosure restrictions. A recipient of Part 2 records is bound by Part 2's restrictions and must be told so in a notice accompanying the disclosure. The restriction follows the data.
  • Specific notice requirements. Part 2 requires its own patient notice (42 CFR 2.22), separate from HIPAA's Notice of Privacy Practices.
  • Penalties. Part 2 violations have always been chargeable criminally; the 2024 rule also applies HIPAA's civil and criminal penalty structure to Part 2 violations.

HHS's February 2024 final rule (amending 42 CFR Part 2, with conforming changes to the HIPAA rules in 45 CFR Part 164, as the CARES Act required) brought Part 2 closer to HIPAA on consent, penalties and breach notification but didn't merge them; compliance is required by February 16, 2026. SUD treatment programs still face the stricter framework.

For web-tracking purposes, this means: a tracking pixel on a substance-use-disorder treatment center's website is potentially a Part 2 violation in addition to a HIPAA violation, because the fact that an identifiable person visited the program's intake or scheduling pages can itself reveal that they are a patient. Don't read the Monument FTC case as the ceiling: it was brought under the FTC Act, not Part 2. A Part 2 program on similar facts would face this rule on top of the FTC and HIPAA exposure.

State mental-health privacy laws

Several states have specific mental-health privacy statutes that go beyond HIPAA.

Washington's My Health My Data Act (in force March 31, 2024 for most regulated entities) defines "consumer health data" broadly and expressly includes mental-health information. It is enforced through the Washington Consumer Protection Act, which gives private plaintiffs actual damages (trebled up to $25,000 per violation) plus attorneys' fees, and gives the Attorney General civil penalties of up to $7,500 per violation. Class actions have been filed under MHMDA against multiple defendants.

Massachusetts G.L. c. 123 §36 restricts disclosure of mental-health records by mental-health facilities. Older statute but still actively enforced.

California's Lanterman-Petris-Short Act (Welfare & Institutions Code §5328) restricts disclosure of mental-health treatment information held by licensed facilities, and the Confidentiality of Medical Information Act (Civil Code §56 et seq.) reaches providers and health apps that HIPAA doesn't. CCPA adds a layer for companies that meet its thresholds, though it exempts data already governed by HIPAA or CMIA.

New York Mental Hygiene Law §33.13 restricts disclosure of mental-health and substance-use treatment information from Office of Mental Health-licensed facilities.

For multi-state behavioral-health platforms, the cumulative effect is substantial. A pixel on a website serving California, Washington, Massachusetts, and New York residents creates four separate state-law exposures, each with its own remedies.

The five most-common findings at behavioral-health practices

In our scans of behavioral-health and addiction-treatment websites, these five issues are most common:

Intake form data leaving the practice's control. Practices use third-party intake software (SimplePractice, TheraNest, TherapyNotes, Jane App, IntakeQ, JotForm) to collect symptoms, diagnoses, and history. BAAs are usually in place with the primary intake vendor. They're often missing with downstream tools that the intake software integrates with — analytics, scheduling, billing.

Tracking pixels on landing pages targeting specific conditions. A behavioral-health practice that runs Facebook ads for "anxiety treatment near me" usually has the corresponding landing page tagged with the Meta Pixel. The page itself is clinical-context. The Pixel shouldn't be there.

Telehealth tools without BAAs. Generic Zoom, Google Meet, or Whereby for video sessions. Even practices that "know" they need BAAs sometimes use the wrong plan tier: vendors that sign BAAs do so only for specific paid business or healthcare tiers, and a free, personal, or consumer account never carries one.

Online review-response disclosures. Especially common for behavioral-health practices because clinical disagreements drive negative reviews. This is the pattern OCR settled with Manasa Health Center over: replies to negative reviews that confirmed the reviewers were patients and discussed their care.

Patient-portal scripts. Behavioral-health practices using SimplePractice or TherapyNotes patient portals sometimes layer their own analytics scripts on top, especially if the practice has a marketing team. Portal-side scripts are the highest-risk surface in the entire stack: every page view behind the login belongs to an identified, authenticated patient, and the URLs, page titles, and form events there describe appointments, diagnoses, and billing.

What to do this quarter

Five things, prioritized by risk.

One: audit your intake flow. Every form a patient completes during onboarding. Where does the data go? What vendors see it? Is there a BAA with each? If you can't answer in writing for every vendor, fix that first.

Two: pixel-and-tracker audit, focused on landing pages. Most behavioral-health practices we scan don't put pixels on their main site but do put them on ad landing pages, and those pages are clinical-context by definition (they target specific conditions). Remove the pixels. If the ads have to stay measurable, move to a server-side (Conversions API) setup configured to send only an allowlisted set of non-clinical events, with no intake answers, condition names, or page paths in the payload, and verify what leaves the server on the wire rather than trusting the vendor's configuration screen. Hashed identifiers still count as disclosure: BetterHelp's hashed emails were part of the FTC's case.
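As an added example (not code from the original page or from any named vendor), the following Node script performs the landing-page part of that audit offline: it scans a page's HTML for known advertising and tag-manager hosts and for inline pixel initialisers, flags pages whose URL or title names a condition, and rates the combination. The tracker host catalog, the condition keyword list, the practice hostname and the sample page are all constructed assumptions; a production scan would also capture the page's runtime requests, since a tag manager loads further tags after the HTML is parsed.

```javascript
'use strict';

// Catalog of hosts the named vendors load tags and beacons from (assumption for the
// example; a production audit keeps a maintained catalog with BAA-status metadata).
const TRACKER_HOSTS = {
  'connect.facebook.net': 'Meta Pixel',
  'www.facebook.com': 'Meta Pixel', // noscript fallback <img src="https://www.facebook.com/tr?...">
  'www.googletagmanager.com': 'Google Tag Manager / gtag',
  'www.google-analytics.com': 'Google Analytics',
  'sc-static.net': 'Snap Pixel',
  'snap.licdn.com': 'LinkedIn Insight Tag',
  'analytics.tiktok.com': 'TikTok Pixel',
  'static.criteo.net': 'Criteo',
  's.pinimg.com': 'Pinterest Tag',
  'ct.pinterest.com': 'Pinterest Tag',
};

// Inline initialisers that reveal a pixel even when its loader is bundled elsewhere.
const INLINE_PATTERNS = [
  { vendor: 'Meta Pixel', re: /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g },
  { vendor: 'Google Tag Manager / gtag', re: /['"](GTM-[A-Z0-9]+|G-[A-Z0-9]+|AW-\d+)['"]/g },
  { vendor: 'Snap Pixel', re: /snaptr\(\s*['"]init['"]\s*,\s*['"]([0-9a-f-]+)['"]/g },
  { vendor: 'TikTok Pixel', re: /ttq\.load\(\s*['"]([A-Z0-9]+)['"]/g },
];

// Every absolute URL in the document (tag attributes and inline script strings alike)
// whose host is in the catalog. Counting references keeps the evidence concrete.
function findHostHits(html) {
  const counts = new Map();
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = urlRe.exec(html)) !== null) {
    const host = m[1].toLowerCase();
    if (TRACKER_HOSTS[host]) counts.set(host, (counts.get(host) || 0) + 1);
  }
  return [...counts].map(([host, n]) => ({
    vendor: TRACKER_HOSTS[host],
    evidence: `${n} reference(s) to ${host}`,
  }));
}

function findInlineHits(html) {
  const hits = [];
  for (const { vendor, re } of INLINE_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) hits.push({ vendor, evidence: `inline id ${m[1]}` });
  }
  return hits;
}

// Condition keywords (assumption; tune to the practice's service lines) used to flag a
// page as clinical-context: an ad landing page built around a named condition.
const CONDITION_WORDS = [
  'anxiety', 'depression', 'ptsd', 'bipolar', 'eating disorder', 'suicid',
  'addiction', 'alcohol', 'opioid', 'suboxone', 'methadone', 'detox', 'rehab',
];

function isClinicalContext(url, html) {
  const title = (/<title[^>]*>([^<]*)<\/title>/i.exec(html) || ['', ''])[1];
  const hay = `${url} ${title}`.toLowerCase();
  return CONDITION_WORDS.some((w) => hay.includes(w));
}

function auditLandingPage(url, html) {
  const findings = [...findHostHits(html), ...findInlineHits(html)];
  const vendors = [...new Set(findings.map((f) => f.vendor))].sort();
  const clinicalContext = isClinicalContext(url, html);
  // A tracker on a clinical-context page is the BetterHelp/Cerebral fact pattern;
  // a tracker elsewhere still needs review but is not automatically a disclosure.
  const severity = vendors.length === 0 ? 'none' : clinicalContext ? 'high' : 'review';
  return { url, clinicalContext, vendors, findings, severity };
}

// Constructed sample page (not a real practice's site): a condition-targeted landing
// page carrying the standard Meta Pixel snippet and a GTM container.
const SAMPLE_URL = 'https://example-practice.invalid/anxiety-treatment-near-me';
const SAMPLE_HTML = `<!doctype html><html><head>
<title>Anxiety Treatment Near Me | Example Practice</title>
<script>!function(f,b,e,v,n,t,s){/* standard loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
<h1>Anxiety treatment</h1><form action="/intake"><input name="symptoms"></form>
</body></html>`;

console.log(JSON.stringify(auditLandingPage(SAMPLE_URL, SAMPLE_HTML), null, 2));
```

Run it against every ad landing page, not the homepage: the severity field is what separates a pixel on a careers page (review) from a pixel on the anxiety page that the intake form sits on (high). Pair it with the vendor catalog's BAA status when triaging; no advertising platform in the catalog above signs one.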

Three: telehealth platform check. Whatever tool you use for video sessions — Zoom, Doxy.me, SimplePractice's video, custom — verify the plan tier and the signed BAA. Don't assume.

Four: review-response training. Script for the front desk and the clinical team. "We can't discuss patients on public platforms. Please call us directly." Nothing else.

Five: state-law analysis. If you serve patients in Washington, Massachusetts, California, or New York, get specific advice on the state mental-health privacy statutes. The federal framework isn’t sufficient.

For SUD treatment programs, add: 42 CFR Part 2 analysis on every disclosure question, with a separate compliance review specifically for that rule. HIPAA-only review will miss Part 2 issues.

We scan behavioral-health and addiction-treatment websites with vendor catalogs tuned for the category — SimplePractice, TheraNest, TherapyNotes, Jane App, Doxy.me, Spruce Health, and the other behavioral-health-specific vendors are all in our database with BAA-status metadata.