Telehealth startup Cerebral has revealed this week that it exposed the private health information, including the mental health data, of more than 3.1 million patients in the U.S. with advertisers and social media companies like Meta, Google, and TikTok.
As first reported by TechCrunch, Cerebral disclosed the lapse in a filing with the federal government. According to the company, it shared the personal and health information of patients who used its app to search for therapy and other mental health services.
The company collected and shared information like names, phone numbers, email addresses, dates of birth, IP addresses, Cerebral client ID numbers, and other demographic or information. If a user also completed any portion of Cerebral’s online mental health self-assessment, the information exposed may also have included the service they selected, assessment responses, and other associated health data. The company’s filing further stated:
If, in addition to creating a Cerebral account and completing Cerebral’s online mental health self-assessment, an individual also purchased a subscription plan from Cerebral, the information disclosed may also have included subscription plan type, appointment dates and other booking information, treatment, and other clinical information, health insurance/ pharmacy benefit information (for example, plan name and group/ member numbers), and insurance co-pay amount.
Cerebral says that it did not expose Social Security numbers, bank information or credit card numbers.
Upon learning of the issue, Cerebral says that it promptly “disabled, reconfigured, and/or removed” the trackers on its platforms to any more exposures in the future. It has also discontinued any data sharing with subcontractors that are unable to meet the requirements under the Health Insurance Portability and Accountability Act (HIPAA). What’s more, the company says it took the time to enhance its information security practices and technology vetting processes.
This development comes after the Federal Trade Commission (FTC) fined healthcare company GoodRx $1.5 million after it shared patient information with Meta and Google. More recently, the FTC ordered BetterHelp to pay customers $7.8 million to settle charges that it shared sensitive data for advertising purposes even if it promised to keep the information private.