Cerebral Admits That it Wrongly Shared Data of 3.1M Users

Cerebral recently notified 3.1 million of its users that their private health information was shared with tech companies like Meta, Google and TikTok. The data breach stemmed from Cerebral’s use of pixel tracking technology, which the company said has been discontinued or reconfigured.


After months of criticism about its data privacy practices, Cerebral admitted that it wrongfully shared the private health information of 3.1 million of its users. This admission comes in the form of a March 9 letter to users and a March 1 government filing.

Cerebral is a mental health platform specializing in the virtual treatment of mental health conditions, mainly ADHD, anxiety and depression. In its letter, the startup said it had used pixel technologies, which are third-party analytics tools made by companies like Meta, Google and TikTok.  

These tools are usually free and give companies insight into the way consumers use their platforms, but the tech companies that provide this software can also use the collected data to profile users as they browse. People usually aren’t aware that they are opting in to having their activity tracked, because they are simply checking a box when accepting an app or website’s terms of use and privacy policy, which few people take the time to read.

Cerebral said it has used tracking technologies since it began operations in October 2019. After reviewing its use of these tools, the company found out on January 3 that it had disclosed its patients’ protected health information to third parties without having obtained the necessary assurances required by HIPAA.

The startup assured users that it had “promptly disabled, reconfigured, and/or removed” its tracking technologies. It also said that it had discontinued data sharing with any third parties that are unable to meet all HIPAA requirements, and that it had enhanced its information security practices and technology vetting processes.

The following types of information were disclosed in the breach: clinical data about patients’ visits and treatments, mental health self-assessment responses, appointment dates, health insurance/pharmacy benefit information, insurance co-pay amounts, name, phone number, email address, date of birth, IP address, Cerebral client ID number and demographic data.

The type of information disclosed varied depending on how extensively each patient used the platform. Cerebral said that no patients had their Social Security number, credit card information or bank account information leaked, no matter how they used its services. The company also told its patients that it is not aware of any misuse of their data.

This HIPAA violation is not Cerebral’s only recent legal woe. Last year, one of the company’s former executives sued the startup, claiming that it had fired him for calling out the company’s prescribing practices. Matthew Truebe, Cerebral’s ex-vice president of product and engineering, had criticized the company for being too hasty when prescribing young people addictive stimulant drugs like Adderall. His lawsuit came shortly after some Cerebral employees told media outlets that the startup was taking advantage of pandemic-era prescribing regulations that allowed providers to prescribe addictive drugs without requiring an in-person examination.

But Cerebral is far from the only company to suffer negative consequences after using pixel technology. 

A week ago, the Federal Trade Commission reached a $7.8 million settlement with virtual mental healthcare provider BetterHelp for sharing its patients’ sensitive health data with advertisers like Facebook, Snapchat, Criteo, and Pinterest. In a statement, BetterHelp — which was acquired by Teladoc in 2015 — said its settlement is not an admission of wrongdoing. 

The FTC also recently accused consumer-focused digital healthcare platform GoodRx of failing to notify users that it sold their personal health information to Google, Facebook and other tech companies. To settle the case, GoodRx agreed to pay a $1.5 million penalty for failing to report its leakage of user data to third parties, but did not admit to wrongdoing. 

Additionally, a class action lawsuit was filed this past summer in the Northern District of California against Meta, the UCSF Medical Center and the Dignity Health Medical Foundation, claiming that they have been illegally collecting patients’ health data for targeted advertising.
