Cerebral Shared Patient Data with Google, Meta, TikTok
Cerebral has admitted to sharing sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party platforms.
The disclosure from the telehealth startup was made in a notice posted on the company's website, revealing that "On January 3, 2023, Cerebral determined that it had disclosed certain information that may be regulated as protected health information (“PHI”) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances."
The shared information included patients' names, phone numbers, email addresses, birth dates, IP addresses, health insurance information, appointment dates, treatments, and other clinical information. It may have even exposed customer answers to mental health self assessments on the company's website and app.
Worryingly, the tech giants that have previously accessed and stored Cerebral user data do not have to delete it, despite this sensitive information being covered by HIPAA.
It was revealed that the company had been using tracking technologies, such as those created by Google, Meta, and TikTok, since they launched in October 2019. These trackers collected information regarding Cerebral users and shared it with the aforementioned tech giants for analytics and advertising purposes.
The disclosure further stated that: "Upon learning of this issue, Cerebral promptly disabled, reconfigured, and/or removed the Tracking Technologies on Cerebral's Platforms to prevent any such disclosures in the future and discontinued or disabled data sharing with any Subcontractors not able to meet all HIPAA requirements. In addition, we have enhanced our information security practices and technology vetting processes to further mitigate the risk of sharing such information in the future".
The Department of Health and Human Services is conducting an official investigation into this user privacy violation at Cerebral. This isn’t the first time Cerebral has been under the microscope — an investigation was launched by the U.S. Federal Trade Commission in June 2022 to examine suspicions that Cerebral had engaged in deceptive or unfair practices related to the advertising or marketing of mental health services.