Turning its privacy focus to medical information, the Federal Trade Commission brought suit against a health billing company and its former CEO, charging that the defendants deceived consumers to get their hands on sensitive medical data.

In 2012 the company collaborated with a third party to develop a new service, the “Patient Health Record,” which would provide consumers with their comprehensive medical records online. One obstacle: the companies needed access to medical records for the service to function.

According to the FTC, PaymentsMD came up with a solution. The defendants tweaked the registration process so that when consumers signed up for the Patient Portal, they were presented with check-boxes to authorize the defendants to access and collect their sensitive health information. The consumer could check one box at a time or click just one box to agree to all authorizations at once. This sign-up process created a means for the defendants to collect customers’ medical information from pharmacies, medical labs, and insurance companies, the agency said.

As a result, thousands of consumers were not adequately informed that their data would be gathered by PaymentsMD. They simply believed they were consenting to authorization for the billing service and nothing else, according to the agency.

The FTC said that some healthcare companies contacted by the defendants for data regarding, for example, prescription records, medical diagnoses and lab tests refused to provide the information. In addition, once PaymentsMD informed consumers about its collection process, they began to complain.

To settle the charges, the defendants agreed to destroy any information collected that was related to the Patient Health Record service. They also promised to obtain affirmative, express consent before collecting health information about a consumer from a third party, and they are prohibited from deceiving consumers about the way they collect and use information.

To read the complaint and proposed consent order in In the Matter of PaymentsMD, click here.

Why it matters: “Consumers’ health information is as sensitive as it gets,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a press release. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.” The agency noted that while the health information business is burgeoning, marketers must continue to abide by traditional principles that require them to make clear and conspicuous consumer disclosures.