Cerebral, a telehealth startup specializing in mental health, says it accidentally shared the sensitive information of more than 3.1 million patients with Google, Meta, TikTok and other third-party advertisers, as previously reported by TechCrunch. In a post on the company’s website, Cerebral admits that, as far back as October 2019, it exposed a laundry list of patient data through the tracking tools it uses.
The information exposed through those tracking tools includes patient names, phone numbers, email addresses, dates of birth, IP addresses, insurance information, appointment dates, treatment details and more. It may even have exposed the answers customers gave in the mental health self-assessment on the company’s website and app, which patients use to schedule therapy appointments and get prescribed medication.
According to Cerebral, the information leaked through tracking pixels, the snippets of code that Meta, TikTok and Google provide for developers to embed in their apps and websites. The Meta Pixel, for example, can record a user’s activity on a website or app after they click an ad on the platform, and can even capture what a user types into an online form. While this lets companies like Cerebral measure how users interact with their ads across platforms and follow the next steps those users take, it also hands Meta, TikTok and Google the same information, which they can then use to build profiles of their own users.
As noted by Cerebral, the information exposed may “vary” from patient to patient depending on several factors, including “what actions individuals have taken on Cerebral’s platforms, the nature of the services provided by the subcontractors, the configuration of tracking technologies” and more. The company says it will notify affected users, adding that “regardless of how a person interacted with the Cerebral platform,” it has not released Social Security numbers, credit card numbers or bank account information.
After identifying the issue in January, Cerebral says it has “disabled, reconfigured and/or removed” all tracking pixels on the platform to prevent future exposures, and has “enhanced” its “information security practices and technology control processes.”
Cerebral is required by law to disclose potential violations of HIPAA, the Health Insurance Portability and Accountability Act, which bars healthcare providers from disclosing patient data to anyone other than the patient or parties the patient has authorized to receive information about their health. The breach is under investigation by the U.S. Department of Health and Human Services’ Office for Civil Rights and follows similar incidents involving pixel-tracking tools.
Last year, an investigation by The Markup found that some of the nation’s top hospitals were sending sensitive patient information to Meta through the company’s pixel. This led to two class action lawsuits alleging that Meta and the hospitals in question violated medical privacy laws.
Months later, The Markup also found that Meta was obtaining financial information about users through tracking tools embedded in popular tax-preparation services such as H&R Block, TaxAct and TaxSlayer. Meanwhile, other online health companies, such as BetterHelp and GoodRx, faced hefty FTC penalties earlier this year for sharing sensitive patient data with third parties.
Not only is Cerebral under investigation over whether it violated HIPAA regulations, it also faces an investigation by the Department of Justice and the Drug Enforcement Administration over its prescribing of controlled substances such as Adderall and Xanax. The company has since stopped prescribing those drugs.