
Cerebral admits sharing patient data with advertisers

on 13 March 2023

Nothing like targeting the mentally ill with poorly chosen adverts

Telehealth startup Cerebral has revealed it exposed the private health information, including the mental health data, of more than 3.1 million patients in the US to advertisers and social media companies like Meta, Google, and TikTok.

Cerebral disclosed the lapse in a filing with the federal government. According to the company, it shared the personal and health information of patients who used its app to search for therapy and other mental health services.

The company collected and shared information like names, phone numbers, email addresses, dates of birth, IP addresses, Cerebral client ID numbers, and other demographic information. If a user also completed any portion of Cerebral’s online mental health self-assessment, the information exposed may also have included the service they selected, assessment responses, and other associated health data.

If an individual purchased a subscription plan from Cerebral, the information disclosed may also have included subscription plan type, appointment dates and other booking information, treatment and other clinical information, health insurance/pharmacy benefit information (for example, plan name and group/member numbers), and insurance co-pay amount.

On the plus side, Cerebral says that it did not expose Social Security numbers, bank information or credit card numbers.

To make matters worse, Cerebral was sharing data with tech giants in real time through trackers called "pixels" and data-collecting code that it embedded within its apps. This meant that some users may not have been aware that they were opting in to this tracking, as many of them only accept the app's terms of use and privacy policies without taking the time to read them.

Cerebral now says that it promptly "disabled, reconfigured, and/or removed" the trackers on its platforms to prevent any more exposures in the future. It has also discontinued any data sharing with subcontractors that are unable to meet the requirements under the Health Insurance Portability and Accountability Act (HIPAA). What's more, the company says it took the time to enhance its information security practices and technology vetting processes.

The move might have followed the Federal Trade Commission (FTC) fining healthcare company GoodRx $1.5 million after it shared patient information with Meta and Google. More recently, the FTC ordered BetterHelp to pay customers $7.8 million to settle charges that it shared sensitive data for advertising purposes even though it promised to keep the information private.


Last modified on 13 March 2023