Protecting Mental Health Info Online
#INVESTIGATION | If consumer data is AI fuel, we must be even more vigilant in protecting our children. But as this NYC case study shows, families must take on the due diligence ourselves...
In November 2023, New York City Mayor Eric Adams and DOHMH Commissioner Dr. Dr. Ashwin Vasan announced a $26 million partnership with mental health platform Talkspace.
Called “Teenspace,” the partnership is to provide free mental health support to New Yorkers ages 13 to 17 via an app, with benefits such as a dedicated online therapist, monthly 30 minute video meetings with the practitioner, and unlimited texting.
Providing mental health support to teens, and embracing the digital world in doing so, should be something to celebrate. But when you consider the frequency of cybersecurity attacks against schools (all across the nation), there should be a reasonable level of caution in undertaking any online partnership that could expose particularly sensitive data.
And while we should have expected especially rigorous vetting on behalf of the nation’s largest population of teens, unfortunately Teenspace is instead a cautionary tale about what could go wrong.
That said, if there is good news found here… parents can do to a lot more to protect kids and raise the red flag when they see something that seems wrong.
Consider the Source: Talkspace Criticism
While there is a lot of reason to celebrate the way Talkspace has helped destigmatize mental health, sometimes good intentions can mask commercial realities (e.g., that for-profit business need to focus on, well, making money). And for Talkspace there has, in fact, been much past criticism of the methods the company uses to gain data for marketing purposes from would-be patients.
In fact, Mozilla Foundation’s privacy guide, has kept close tabs on the company’s privacy practices and the tactics they use of exploiting registration information for marketing purposes — because once a customer becomes a patient (aka, works with a therapist) there are more legal protections via HIPAA.
From Mozilla’s *privacy not included blog:
“…They [Talkspace] also ask users straight away to take a questionnaire where pretty sensitive information is gather about things like a users' mental state, gender and gender identity, date of birth, and more. No privacy policy is presented before the answers to those questions are collected so you can understand how that information could be used.” (Mozilla Foundation)
The Teenspace Co-Branded New York Platform
When New York announced the Teenspace platform with much fanfare, the details seemed simple enough and were communicated clearly (it seemed). One important point was particularly notable: parents must opt-in for teens to use the service (a legal requirement in New York State). But a teen began using the app the registration flow proceeded much differently.
Teens, in fact, would ultimately input a shocking amount of personal information BEFORE parents received the required opt-in email request. See the onboarding process here. Teens only pass one screen with two tiny links to the terms and privacy policy after they add an email address. But from there they sail through dozens of highly personal questions that anyone would be forgiven to think remained private. And they do this all before an email is triggered and sent to parents to receive the legally-required consent.
What is Protected? What is Marketing?
Here is the part that brings us full circle back to the beginning and to a point relevant to anyone reading the tale even outside of New York City … the initial information inputted in this process is not protected data.
More specifically, the more than a dozen upfront questions are not protected by HIPAA — as the teen would have not yet begun receiving therapy service. So it can be used for marketing, for law enforcement purposes— in fact, a long list of ways that Talkspace is very “transparent” about (if of course, you check the privacy policy).
And so, yes, those privacy policies are important. They are long and onerous by design. But if you start you’ll learn to look for the things that jump out. There are also great resources and platforms advocating for solid privacy policy. Had I not waded past the program praise and found Mozilla Foundation’s blog, I would not have been able to see the pattern of abuse in this tactic. Hopefully NYC is making changes to the partnership and now we are all a bit wiser for understanding what can happen.
Concerned about how a company is using your data? Let me know and I’ll investigate!