Cerebral Admits to Revealing Patient Information to Meta, TikTok, and Google

 

As per TechCrunch, Cerebral, a telehealth startup specialising in mental health, inadvertently shared sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers. In a notice posted on the company's website, Cerebral admits to exposing a slew of patient data through the tracking tools it has been using since October 2019.

Patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and other information are all impacted by the oversight. The answers clients provided as part of the mental health self-assessment on the company's website and app, which patients can use to schedule therapy appointments and receive prescription medication, may also have been exposed.

Cerebral claims that this data was gathered through the use of tracking pixels, which are pieces of code that Meta, TikTok, and Google allow developers to embed in their apps and websites. For example, the Meta Pixel can gather information about a user's activity on a website or app after clicking an ad on the platform, and it can even keep track of the information a user fills out on an online form. While this allows companies like Cerebral to track how users interact with their ads on various platforms and the actions they take as a result, it also gives Meta, TikTok, and Google access to this data, which they can then use to gain insight into their own users.
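An added example, not from the original article or from Cerebral: a Node.js audit that scans captured outbound requests (for instance from a proxy or HAR export) for tracking-pixel hosts receiving PII-like values, the kind of exposure described above. The host list, parameter-name heuristics and sample requests are constructed assumptions.

```javascript
// Hosts that receive tracking-pixel traffic (constructed list; extend for your estate).
const TRACKER_HOSTS = [
  "facebook.com", "connect.facebook.net",          // Meta Pixel
  "analytics.tiktok.com",                           // TikTok Pixel
  "google-analytics.com", "googletagmanager.com", "doubleclick.net", // Google
];

// Value patterns a health site should never hand to an ad platform.
const PII_PATTERNS = {
  email: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i,
  phone: /(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/,
  birth_date: /\b(?:19|20)\d{2}-\d{2}-\d{2}\b/,
};
// Parameter names that suggest form or health data even when the value is opaque (hashed, encoded).
const SENSITIVE_KEYS = /(name|email|phone|dob|birth|insur|diagnos|medic|appointment|assessment)/i;

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
}

// requests: [{ url, body? }] taken from a proxy log or browser HAR capture.
function auditRequests(requests) {
  const findings = [];
  for (const { url, body = "" } of requests) {
    const u = new URL(url);
    if (!isTrackerHost(u.hostname)) continue;
    // Pixels carry data in the query string (GET) or a form-encoded body (POST).
    const params = [...u.searchParams, ...new URLSearchParams(body)];
    for (const [key, value] of params) {
      const reasons = Object.entries(PII_PATTERNS)
        .filter(([, re]) => re.test(value)).map(([label]) => label);
      if (SENSITIVE_KEYS.test(key)) reasons.push("sensitive_key");
      if (reasons.length) findings.push({ host: u.hostname, key, reasons });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE = [
  { url: "https://www.facebook.com/tr?id=0000&ev=Lead&cd[email]=pat%40example.com&cd[step]=intake" },
  { url: "https://analytics.tiktok.com/api/v2/pixel", body: "event=SubmitForm&phone=555-867-5309" },
  { url: "https://www.google-analytics.com/g/collect?v=2&en=page_view&dl=https%3A%2F%2Fclinic.example%2Fhome" },
  { url: "https://api.clinic.example/intake?email=pat%40example.com" }, // first-party, ignored
];
console.log(auditRequests(SAMPLE));
```

Running this against captures of intake, scheduling and assessment flows before release shows which form fields reach an ad platform; a clean result only covers the pages and parameter encodings that were exercised.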

Cerebral notes that the exposed information may "vary" from patient to patient depending on a variety of factors such as "what actions individuals took on Cerebral's Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies," and more. The company says it will notify affected users and that "regardless of how an individual interacted with Cerebral's platform," no social security numbers, credit card numbers, or bank account information were exposed.

Cerebral says it has "disabled, reconfigured, and/or removed" any tracking pixels on the platform to prevent future exposures and has "enhanced" its "information security policies and technology vetting processes" since discovering the security hole in January.

Cerebral is required by law to report potential violations of HIPAA, the Health Insurance Portability and Accountability Act. The act prohibits healthcare providers from disclosing patient information to anyone other than the patient or anyone the patient has given permission to receive health information. The US Office for Civil Rights is currently investigating the breach, which follows similar incidents involving pixel-tracking tools.

An investigation by The Markup last year discovered that some of the nation's top hospitals were sending sensitive patient information to Meta via the company's pixel. Two class-action lawsuits were filed, alleging that Meta and the hospitals in question violated medical privacy laws.

The Markup discovered months later that Meta was able to obtain financial information about users via tracking tools embedded in popular tax services such as H&R Block, TaxAct, and TaxSlayer. Meanwhile, other online medical companies, such as BetterHelp and GoodRx, were fined by the FTC earlier this year for sharing sensitive patient data with third parties.

Apart from the question of whether it violated HIPAA regulations, Cerebral is being investigated by the Department of Justice and the Drug Enforcement Administration for prescribing controlled substances such as Adderall and Xanax. It has since stopped prescribing these medications.

Countering Ransomware: Don't Let Your Data be Held Hostage

 

Today's enterprises operate in a digitally connected world, where technology and connectivity are at the heart of their digital transformation strategies and operations. However, organizations must contend with hyper-exposure to cyber risk due to hyper-connectivity. 

Ransomware, one of the most prevalent threats today, is one of the most disruptive and destructive risks that businesses face. As per the Cyber Security Breaches survey, 39% of UK businesses identified a cyber-attack in the previous 12 months, which is consistent with previous years. Because modern enterprises rely heavily on data to run their operations, cybercriminals can effectively shut down an entire organization by stealing their data.

Furthermore, ransomware attacks are becoming more sophisticated and multi-layered. For example, cyber perpetrators can extort more money from their victims by encrypting and exfiltrating their data and threatening to expose the information on data leak sites or underground forums.

In fact, ransomware has become a significant risk: NordLocker's analysis of the global distribution of ransomware attacks between January 2020 and July 2022 discovered that small businesses are the most vulnerable, accounting for nearly two-thirds (62%) of all attacks in the UK. Similarly, international law firm RPC discovered that the most targeted sectors for UK ransomware attacks were finance, insurance, credit, education, and healthcare.

So, what can businesses do to protect themselves? Here are five critical considerations:

1. Enhance cyber hygiene
2. Adopt a zero-trust policy
3. Secure your data
4. Invest in a security operations center to strengthen your defenses
5. Safeguard your digital ecosystem

By seeking a trusted cybersecurity partner to help evaluate their security posture, improve their defenses, and elevate their cybersecurity strategy to the next level, organizations can better defend their continuity while staying one step ahead of cyber adversaries.