BetterHelp Cannot Detect When Therapy Is Making Things Worse
by Nick Clark | Published March 27, 2026
BetterHelp made therapy accessible to millions of users who would otherwise have gone without care, scaling matchmaking between licensed clinicians and people in distress through text, asynchronous messaging, phone, and video. The platform's reach is a genuine public-health achievement and its operational sophistication — clinician onboarding, scheduling, billing, modality switching, crisis triage — is well beyond what a fee-for-service phone tree could deliver. The platform is also the subject of the FTC's 2023 settlement, which imposed a $7.8 million payment and structural restrictions after the Commission concluded that BetterHelp had shared sensitive health-adjacent data with advertising partners in ways that users had not meaningfully consented to. The settlement frames the data-handling problem cleanly: clinical and clinical-adjacent data flowed centrally through the platform's servers and its analytics integrations, and the consent and disclosure architecture around that flow did not match what users believed they had agreed to. This paper examines two related architectural gaps that compound the data-handling problem: clinical data flows are centralized without cryptographic identity binding, which is the gap the FTC matter exposed in regulatory terms, and the platform has no structural model of cognitive disruption, which means that even when data flows are properly contained the platform cannot see when the therapeutic process itself is destabilizing a user. Disruption modeling as a primitive addresses both gaps: it provides the structural model of cognitive coherence that converts therapeutic data into clinically actionable signal, and it provides the credentialed-identity binding under which that data flows only to parties the user has cryptographically authorized.
Vendor and product reality
BetterHelp's product is, at its core, a structured marketplace with embedded clinical workflow. Users complete an intake questionnaire that captures presenting concerns, demographic context, modality preferences, and clinician-fit attributes. The platform's matching system proposes a clinician; users can switch clinicians without losing platform continuity. Communication runs through text threads with asynchronous messaging, scheduled video sessions, scheduled phone sessions, and on-platform live chat. Clinicians document sessions, manage scheduling, and operate within the platform's billing and compliance scaffolding. The platform serves users across U.S. states under a network of licensed clinicians and operates internationally where regulation permits.
Therapeutic safety monitoring at the platform level is presently bounded. Crisis detection — flagging language consistent with imminent suicide risk, immediate violence, or acute medical emergency — is in scope; routing to crisis resources and clinician notification follow established patterns. Beyond crisis detection, the platform relies on the assigned clinician to assess whether therapy is progressing, stagnating, or actively making the user worse. The platform's user-experience metrics (session attendance, satisfaction ratings, retention) capture engagement but not cognitive trajectory. The platform's data layer captures messages, transcripts, and metadata but does not run a structural model of the user's coherence over time.
The FTC settlement record establishes the data-handling reality. Health-adjacent data — intake responses, IP addresses, email addresses, presence on the platform — was shared with advertising partners in ways that the Commission found to exceed user consent. The settlement imposed structural changes on consent flows, on data-sharing practices, and on advertising integrations. It did not change the underlying architecture in which clinical and clinical-adjacent data is held centrally by BetterHelp and integrated with infrastructure providers, advertising partners under restricted terms, and clinicians under platform-mediated access. The trust model is operational and contractual, not cryptographic.
The architectural gap
Two structural gaps compound. The first is identity and data flow. Clinical and clinical-adjacent data is held centrally and accessed by parties — clinicians, platform engineers, vendors, regulators in audit, advertising integrations under whatever post-settlement terms apply — through platform-mediated access controls. The user's identity in the system is a server-side record. The user's consent to a particular data flow is a server-side record. There is no cryptographic binding between the user, the data, and the parties authorized to see it; there is a database row, a policy, and an access-control system. When the policy or the database is misconfigured, when an integration's scope drifts, when an analytics SDK is swapped, the user's data flows where the configuration sends it. The FTC matter is exactly this class of failure surfaced by enforcement.
The second gap is therapeutic safety modeling. Crisis detection captures acute risk; it does not capture the gradual loss of cognitive coherence that often precedes crisis and that is in fact the more common harm from poorly bounded therapy. A user whose therapeutic engagement is mobilizing trauma material faster than their coping resources can contain it is destabilizing in ways that show up as fragmented attention, eroding sleep, intrusive recall, dissociation, escalating numbing or substance use, and worsening relational function — none of which trip a crisis flag, all of which a clinician with adequate caseload visibility might see in session, and most of which are detectable at the platform layer if the platform runs a structural model of coherence rather than treating the data as inert messages and metadata. Without that model, the platform's capacity to act when therapy is making things worse is bounded by the clinician's individual judgment across a caseload that platform economics tends to enlarge. The platform sees more than any clinician but acts on less than any clinician would.
The two gaps interact. A platform with no structural model of disruption produces data that is clinically thin, which means the data is harder to govern as clinical data — the temptation to treat it as marketing-adjacent telemetry is exactly the dynamic the FTC matter surfaced. A platform with no cryptographic identity binding cannot offer a credible structural answer to the user about who has access to the disruption signal even if it builds one, which means a clinically meaningful safety model risks becoming the next consent-and-disclosure incident rather than the safety improvement it could be.
What the disruption-modeling primitive provides
Disruption modeling as a primitive is two things at once for this domain. As a clinical model, it provides phase-shift detection across a five-axis diagnostic — attention, containment, promotion-containment balance, affective regulation, and relational coherence — that captures coherence trajectory in a way crisis detection does not. The model runs continuously over the user's platform-mediated activity (with explicit, cryptographically bound consent), produces a coherence trajectory, identifies phase shifts toward destabilization, and emits coping intercepts that can be surfaced to the clinician, to the platform's clinical-operations team, or to the user themselves under user-authorized rules. Phase-shift detection is the structural element that distinguishes productive therapeutic distress (where coherence dips and recovers as material is processed) from destabilizing disruption (where coherence trends down across sessions and recovery shrinks).
As an identity and data-flow architecture, the primitive provides credentialed binding between the user, the disruption signal, and the parties authorized to see it. The user holds keys; clinicians hold keys; the platform holds operational keys distinct from clinical keys; data flows as signed assertions to credentialed parties under cryptographic policy rather than as database rows under server-side access control. Advertising integrations cannot quietly receive clinical-adjacent signal because the signal is not in plaintext to anyone outside the credentialed clinical scope. Audit becomes verifiable rather than logged-and-trusted. The HIPAA-adjacent posture becomes a structural property rather than a contractual assertion.
The combination is what telehealth-grade therapeutic safety actually requires. Coping intercepts that fire at the right moment for the right user, surfaced to the right clinician, under data-handling terms the user has cryptographically authorized — that is the architecture the FTC matter pointed toward without naming, and that is the architecture clinicians have been asking telehealth platforms for since the modality scaled.
Composition pathway
The composition pathway is sequenced to match BetterHelp's existing operating model. The first step is the credentialed-identity layer: user keys provisioned at intake, clinician keys provisioned at credentialing, platform operational keys separated from clinical keys, and a cryptographic data-flow policy that replaces the current server-side access-control model for clinical and clinical-adjacent data. This step alone changes the FTC posture: data-sharing scope drift becomes structurally bounded rather than policy-bounded, and consent becomes cryptographically expressed rather than form-mediated.
The second step is the disruption model itself: a coherence trajectory built over consented platform activity, with phase-shift detection trained on clinically validated trajectories and with coping intercepts that integrate into the clinician workflow. The model runs in the credentialed clinical scope, signals are signed assertions, and surfacing to the clinician is a credentialed event. Users see what the model sees about them under user-authorized rules, which restores the agency the platform's current asymmetric data posture undermines.
The third step is integration with the broader telehealth and crisis ecosystem: signed disruption signals can be shared with consenting external clinicians, with health systems under user-authorized care coordination, and with crisis services in escalation pathways, all under the same credentialed identity model. The platform becomes the ratified hub of a credentialed clinical network rather than the central plaintext store of clinical-adjacent data.
Commercial and licensing considerations
For BetterHelp specifically, the commercial frame is post-settlement architectural credibility. The FTC matter is closed in litigation terms but not in market-trust terms; the structural answer to the next round of regulatory and journalistic scrutiny is not better consent forms, it is a data architecture that does not require trusting consent forms. Disruption modeling licensed as a primitive provides both the clinical safety story (phase-shift detection, coping intercepts, structural coherence monitoring) and the data-handling story (credentialed identity binding, cryptographic policy, structural HIPAA-adjacent posture) in a single architectural element.
For the broader telehealth and digital-mental-health category — Talkspace, Cerebral, Headspace Health, Lyra, Spring Health, and the long tail of employer- and payer-integrated platforms — the same primitive addresses the same compounded gaps. Crisis detection alone is insufficient as the category scales; clinical-adjacent data flowing centrally without cryptographic binding is increasingly a regulatory liability as state attorneys general, the FTC, and HHS expand their attention to digital mental health. The licensable element is the primitive at the layer where therapeutic safety and clinical data governance actually live: structural disruption modeling under credentialed identity binding. For software architects designing the next telehealth platform, the primitive is the design element that closes the gap between the access problem (which BetterHelp solved) and the safety-and-governance problem (which the category has not yet solved). The remaining gap is bridgeable, and bridging it is the commercially meaningful path forward.
