Dec 4, 2014

The Federal Trade Commission has settled a case against an online medical bill company that used data supplied during the payment process to request more information about a consumer's medical history from pharmacies, labs, and insurance companies. The commission originally said the company deceived its users about how the information they provided to pay their bills would be used.

All that medical information was going to be used to create a comprehensive medical history that consumers could purchase from the company, PaymentsMD, when it debuted later this year. As part of the settlement, the company must delete any data gathered for that project and receive "express consent from consumers before collecting their health information from a third party," Digits says in its report on the settlement. The case will not lead to any kind of financial penalty.

The good news is that many of the companies from which PaymentsMD attempted to receive information declined its request; only 1 of the 31 companies approached offered some data. And it seems like the FTC was able to restore privacy to consumers already affected by the efforts. But the case still demonstrates the problems with trusting startups not to abuse data given to them.

Consumers didn't supply PaymentsMD with their own medical information. The FTC's complaint says that they just gave out the information necessary to pay their medical bills. The company then reached out, on its own, to pharmacies near its users, even though it didn't know whether a user received their medications from that pharmacy or a different one, and to other groups.

And the crux of the issue is PaymentsMD's decision to let consumers agree to four separate authorizations by checking a single box, with only six lines of their text shown by default. The company might not have outright lied to its users, but it certainly wasn't forthcoming about its plan to become more than just a billing company, either. That's the real issue with this case.

Companies aren't only interested in gathering the data provided to them, and they aren't going to limit their databases to information supplied by the person it's about, either. They'll get as little as they can from consumers and use other resources to fill in the blanks, which is exactly what PaymentsMD did here, and most of the time those consumers don't know what's really going on.

That's why privacy is so important. Not because everyone is painting a portrait of themselves every time they visit a website, but because different companies can take every individual strand to create a canvas upon which those portraits can be painted without their subjects' knowledge.