
Telehealth service provider Cerebral has revealed it shared the private health information — including mental health assessments — of more than 3.1 million patients in the United States with advertisers and social media giants like Facebook, Google, and TikTok.
The company, which grew rapidly during the COVID-19 pandemic, disclosed the lapse in a filing with the federal government, saying that it shared the personal and health information of patients who used the app to search for therapy or other mental health care services.
It collected and shared names, phone numbers, email addresses, dates of birth, IP addresses, and other demographics — as well as data collected from Cerebral’s online mental health self-assessment — which may have also included the services that the patient selected, assessment responses, and other associated health information.
The full disclosure goes like this:
If an individual created a Cerebral account, the information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic information. If, in addition to creating a Cerebral account, an individual also completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information.
If, in addition to creating a Cerebral account and completing Cerebral’s online mental health self-assessment, an individual also purchased a subscription plan from Cerebral, the information disclosed may also have included subscription plan type, appointment dates and other booking information, treatment, and other clinical information, health insurance/pharmacy benefit information (for example, plan name and group/member numbers), and insurance co-pay amount.
Since October 2019, Cerebral had used embedded trackers (tracking pixels) provided by these tech giants to share the data in real time, without users knowing a thing about it. The company did disclose this at the bottom of its website, though that notice wasn’t visible to most users.
Because it handles confidential patient data, Cerebral is subject to the U.S. health privacy law known as HIPAA. And according to the list of health-related security lapses under investigation by the U.S. Department of Health and Human Services, which oversees and enforces HIPAA, Cerebral’s data lapse is the second-largest breach of health data in 2023.
This news comes just weeks after the U.S. Federal Trade Commission slapped GoodRx with a $1.5 million fine and ordered it to stop sharing patients’ health data with advertisers, while BetterHelp was ordered to pay customers $8.5 million for mishandling users’ data.
Unfortunately, this is not the first time we’ve read about this, and chances are it is also not the last case. I do understand that online clinics have to advertise to get new clients, but I also think that some roadblocks should be put in place to prevent them from using their patients’ data for (re)targeting purposes.
A VPN can’t protect you from these sorts of practices, because the data is handed over by the service you signed up with rather than intercepted in transit. Use your head and read the terms of any service before signing up. That’s the only way you can protect your personal information.