Healthcare platform Cerebral is sending data breach notices to 3.18 million people who have interacted with its websites, applications, and telehealth services.
Cerebral is a remote telehealth company that provides online therapy and medication management for various mental health conditions, including anxiety, depression, ADHD, Bipolar Disorder, and substance abuse.
In a ‘Notice of HIPAA Privacy Breach’ published on Cerebral’s site this week, the company disclosed that they had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 12, 2019.
Due to a tracking pixel’s data logging features, Cerebral said the sensitive medical information of people who used the provider’s platform was exposed to third parties without the patient’s permission.
“Cerebral recently initiated a review of its use of Tracking Technologies and data sharing practices involving Subcontractors,” warned Cerebral’s privacy breach notice.
“On January 3, 2023, Cerebral determined that it had disclosed certain information that may be regulated as protected health information (“PHI”) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances.”
Cerebral reported on the U.S. Department of Health and Human Services breach portal that 3,179,835 people had their information exposed as part of this breach.
The information disclosed to the tech giants and subtractors varies for each individual, depending on what was entered on the Cerebral platform.
For example, some users only created an account on Cerebral, others completed the online mental self-assessment, and a portion bought a subscription plan.
In general, the company lists the following information as potentially exposed:
- Full name
- Phone number
- Email address
- Date of birth
- IP address
- Cerebral client ID number
- Demographic information
- Self-assessment responses and associated health information
- Subscription plan type
- Appointment dates
- Treatment details and other clinical information
- Health insurance/ pharmacy benefit information
This information may have been leaked to third parties from October 12, 2019, through January 3, 2023, when the company realized that data was being exposed via tracking pixels.
Cerebral clarifies that no matter the level of user interaction with its platforms, their Social Security number, credit card information, and bank account information have not been impacted.
All trackers active on Cerebral’s platform have now been removed or reconfigured to prevent the disclosure of sensitive data to third parties not meeting the HIPAA requirements.
The company says it’s unaware of any misuse of the sensitive health information. However, it suggests that all impacted people reset their Cerebral user account password out of an abundance of caution.
Moreover, the firm will cover the costs of free credit monitoring for individuals at risk of identity theft and fraud.
This disclosure comes only a few days after the FTC reached a $7.8 million settlement with online counseling service BetterHelp for sharing sensitive medical health data with advertisers like Facebook, Snapchat, Criteo, and Pinterest.
In July 2022, a class action lawsuit was filed against Meta, the UCSF Medical Center, and the Dignity Health Medical Foundation, alleging that the organizations were unlawfully collecting sensitive healthcare data about patients for targeted advertising.