An ongoing investigation by The Lyon Firm alleges that Ro, a telehealth platform serving patients with conditions including erectile dysfunction, weight loss, fertility issues, mental health concerns, and hair loss, impermissibly collected and shared private health information with third parties without adequate disclosure or informed consent. The investigation centers on claims that Ro’s website failed to clearly communicate how sensitive data—including medical conditions, telehealth session details, pharmaceutical inquiries, and identifying information—would be shared with marketing partners and other third parties, raising serious concerns about data handling practices in the telehealth industry.
Table of Contents
- What Are the Allegations Against Ro’s Data Handling and Marketing Partnerships?
- How Does Ro’s Data Sharing Compare to Other Major Telehealth and Fertility Privacy Cases?
- What Privacy Laws and Consumer Rights Apply to Telehealth Data Sharing?
- What Should Telehealth Patients Do to Protect Their Privacy?
- What Are the Legal Avenues for Affected Patients?
- What Role Did Informed Consent Play in the Ro Investigation?
- What Does the Ro Investigation Mean for the Future of Telehealth Privacy?
What Are the Allegations Against Ro’s Data Handling and Marketing Partnerships?
The core allegation is that Ro engaged in data tracking and sharing practices that violated user privacy expectations. According to The Lyon Firm’s investigation, Ro collected detailed information about patient medical conditions, the specifics of telehealth consultations, questions about pharmaceuticals, and personal identifiers—then shared this sensitive data with third parties for marketing purposes without obtaining clear, informed consent from users.
The investigation specifically addresses how reproductive health data, including information related to male fertility treatments, was allegedly routed to external marketing partners who could use it to target advertisements or conduct market research. A critical issue is the lack of transparent disclosure: patients visiting Ro’s website reportedly did not encounter clear notices explaining that their health information would be shared with marketers, meaning many users had no genuine opportunity to decide whether to accept these practices before providing their data.
How Does Ro’s Data Sharing Compare to Other Major Telehealth and Fertility Privacy Cases?
The Ro investigation is not an isolated incident in the telehealth and fertility sectors. The fertility diagnostics industry has seen major settlements related to data mishandling.
US Fertility LLC agreed to a $5.75 million settlement in 2024 after a data breach exposed sensitive information on approximately 900,000 patients, while ReproSource Fertility Diagnostics settled for $1.25 million after a ransomware attack compromised records for 350,000 patients. However, the Ro case differs in a significant way: rather than involving a data breach or unauthorized access by external hackers, the allegations focus on Ro’s own business practice of intentionally sharing patient data with third-party marketing partners. This distinction matters because it suggests the exposure resulted from the company’s ordinary operations rather than a security failure, potentially exposing far more patients and raising sharper questions about whether companies should be allowed to monetize sensitive health data in this way at all.
What Privacy Laws and Consumer Rights Apply to Telehealth Data Sharing?
Telehealth companies operate under privacy frameworks that include HIPAA (Health Insurance Portability and Accountability Act), state privacy laws, and the Federal Trade Commission Act’s prohibition on deceptive practices. HIPAA requires companies to obtain explicit authorization before using or disclosing protected health information for purposes beyond treatment, payment, and healthcare operations—and marketing is generally not considered a covered function, meaning HIPAA-covered entities and their business associates require affirmative consent before sharing data for marketing.
Additionally, the FTC can challenge companies for making claims about privacy practices they don’t follow, such as stating they protect data when they’re actually sharing it widely. State-level privacy laws, including California’s Consumer Privacy Act (CCPA) and similar statutes in other states, give consumers rights to know what data is collected, who it’s shared with, and often the ability to opt out of certain uses. The Ro investigation touches on these frameworks because patients may not have received the clear notices these laws require.
What Should Telehealth Patients Do to Protect Their Privacy?
Before using any telehealth service, patients should take several protective steps. First, carefully review the company’s privacy policy—specifically looking for language about sharing with “marketing partners,” “third-party service providers,” “business partners,” or “advertising networks,” which are common euphemisms for data monetization. Second, look for an opt-out mechanism; many privacy policies include a way to request that your data not be used for marketing, though some companies make this difficult by burying instructions in lengthy documents.
Third, use a dedicated email address for telehealth accounts rather than your primary personal email, limiting the exposure if data is compromised. Finally, be aware that even if a company claims HIPAA compliance, HIPAA alone does not prevent marketing uses if the company obtained consent or operates outside a covered entity structure. The limitation here is that patients have limited practical recourse once they’ve shared data, making prevention the most effective strategy.
What Are the Legal Avenues for Affected Patients?
Affected Ro patients may pursue compensation through multiple legal channels. Class Action U and The Lyon Firm are currently coordinating a legal response to Ro’s alleged data practices, indicating that a class action lawsuit or settlement negotiation may be forthcoming. Patients in this situation typically have the option to join a class action, where a group of affected individuals sues collectively and shares in any settlement, or to pursue individual claims if state law permits.
Important to note: settlement amounts vary widely depending on case strength, the number of affected individuals, and what damages courts or defendants acknowledge. The US Fertility and ReproSource settlements, while substantial, still meant relatively small per-person payments once distributed across hundreds of thousands of affected patients. Additionally, some states allow patients to pursue claims under state consumer protection laws or privacy statutes, which may offer different remedies than class actions, such as statutory damages per violation or the ability to recover attorney fees even in small cases.
What Role Did Informed Consent Play in the Ro Investigation?
A key element of the Ro investigation centers on informed consent—or the lack of it. Informed consent in the context of data use means that patients receive clear, understandable information about how their data will be shared, with whom, and for what purposes, and that they affirmatively agree to those practices before data is collected.
According to Class Action U’s documentation, Ro’s website allegedly failed to provide this clarity, leaving patients unaware that their fertility-related health information and other sensitive data would reach marketing partners. This differs from scenarios where a company discloses data sharing clearly but in fine print that most users don’t read—the allegation here is that the disclosure was absent or buried to the point that users could not reasonably find or understand it.
What Does the Ro Investigation Mean for the Future of Telehealth Privacy?
The Ro investigation is part of a broader regulatory and legal reckoning with how telehealth companies handle sensitive health data. As telehealth adoption accelerates, regulators and legislators are increasingly scrutinizing whether existing privacy frameworks adequately protect patient interests or whether new rules are needed specifically for telehealth’s unique data-sharing dynamics.
Federal Trade Commission enforcement actions have already signaled heightened concern about telehealth companies making deceptive privacy claims or failing to secure data. The Ro case may influence future settlement standards, potentially establishing stronger expectations around disclosure, consent, and the permissibility of selling or sharing reproductive health data specifically, which carries heightened sensitivity for patients. Going forward, patients should expect that scrutiny of telehealth privacy will continue to increase, and that companies will face pressure to offer clearer opt-outs and fewer financial incentives to share data with marketers.