Cerebral disclosed the lapse in a filing with the federal government. According to the company, it shared the personal and health information of patients who used its app to search for therapy and other mental health services.
The company collected and shared information such as names, phone numbers, email addresses, dates of birth, IP addresses, Cerebral client ID numbers, and other demographic information. If a user also completed any portion of Cerebral's online mental health self-assessment, the exposed information may also have included the service they selected, their assessment responses, and other associated health data.
If an individual purchased a subscription plan from Cerebral, the disclosed information may also have included the subscription plan type, appointment dates and other booking information, treatment and other clinical information, health insurance and pharmacy benefit information (for example, plan name and group/member numbers), and insurance co-pay amounts.
On the plus side, Cerebral says that it did not expose Social Security numbers, bank information or credit card numbers.
Cerebral now says that it promptly "disabled, reconfigured, and/or removed" the trackers on its platforms to prevent any further exposure. It has also discontinued data sharing with subcontractors that are unable to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). The company adds that it has since enhanced its information security practices and its technology vetting processes.
The disclosure may have been prompted by recent enforcement actions. The Federal Trade Commission (FTC) fined healthcare company GoodRx $1.5 million after it shared patient information with Meta and Google. More recently, the FTC ordered BetterHelp to pay customers $7.8 million to settle charges that it shared sensitive data for advertising purposes even though it had promised to keep that information private.