Cerebral Admits to Revealing Patient Information to Meta, TikTok, and Google

According to the startup, patient names, birth dates, insurance information, and responses to mental health self-evaluations were exposed.

As per TechCrunch, Cerebral, a telehealth startup specialising in mental health, inadvertently shared sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers. In a notice posted on its website, Cerebral admits that the tracking tools it has used since October 2019 exposed a slew of patient data.

Patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and other information are all impacted by the oversight. It is possible that the answers clients provided as part of the mental health self-assessment were exposed on the company's website and app, which patients can use to schedule therapy appointments and receive prescription medication.

Cerebral claims that this data was gathered through the use of tracking pixels, which are pieces of code that Meta, TikTok, and Google allow developers to embed in their apps and websites. For example, the Meta Pixel can gather information about a user's activity on a website or app after clicking an ad on the platform, and it can even keep track of the information a user fills out on an online form. While this allows companies like Cerebral to track how users interact with their ads on various platforms and the actions they take as a result, it also gives Meta, TikTok, and Google access to this data, which they can then use to gain insight into their own users.

Cerebral notes that the exposed information may "vary" from patient to patient depending on a variety of factors such as "what actions individuals took on Cerebral's Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies," and more. The company says it will notify affected users and that "regardless of how an individual interacted with Cerebral's platform," no social security numbers, credit card numbers, or bank account information were exposed.
Cerebral says it has "disabled, reconfigured, and/or removed" any tracking pixels on the platform to prevent future exposures and has "enhanced" its "information security policies and technology vetting processes" since discovering the security hole in January.

Cerebral is required by law to report potential HIPAA violations. HIPAA, the Health Insurance Portability and Accountability Act, prohibits healthcare providers from disclosing patient information to anyone other than the patient or those the patient has authorised to receive it. The US Office for Civil Rights is currently investigating the breach, which follows similar incidents involving pixel-tracking tools.

An investigation by The Markup last year discovered that some of the nation's top hospitals were sending sensitive patient information to Meta via the company's pixel. Two class-action lawsuits were filed, alleging that Meta and the hospitals in question violated medical privacy laws.

The Markup discovered months later that Meta was able to obtain financial information about users via tracking tools embedded in popular tax services such as H&R Block, TaxAct, and TaxSlayer. Meanwhile, other online medical companies, such as BetterHelp and GoodRx, were fined by the FTC earlier this year for sharing sensitive patient data with third parties.

Separately from the question of whether it violated HIPAA regulations, Cerebral is being investigated by the Department of Justice and the Drug Enforcement Administration over its prescribing of controlled substances such as Adderall and Xanax. It has since stopped prescribing these medications.