This article explores how telehealth startup Cerebral unintentionally shared the private information of more than 3.1 million patients with third-party advertisers such as Google, Meta, and TikTok.
Key takeaways:
Telehealth startup Cerebral has recently made a disclosure that it inadvertently shared sensitive patient information with third-party advertisers, including Google, Meta, TikTok, and other companies.
The company specializes in mental health and offers patients the convenience of scheduling therapy appointments and receiving prescription medication online.
Unfortunately, this privacy breach has caused Cerebral to expose the personal information of over 3.1 million US patients through tracking tools that it has been using since October 2019.
The type of information that has been revealed is not the same for every patient and consists of various details such as names, IP addresses, insurance information, appointment dates, phone numbers, email addresses, birth dates, treatments, and more.
Even the answers given by clients to mental health self-assessment questions on the company’s website and app may have been exposed.
This was caused by Cerebral’s use of tracking pixels: bits of code that Google, Meta, TikTok, and other advertisers allow developers to embed in their apps and websites.
Startups use these pixels to measure how users interact with their ads on various platforms, but here they also gave third-party advertisers access to patients’ sensitive information, potentially exposing their privacy.
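A practical first step for a privacy or security review is to find out whether such pixels are present in a page at all. The following is an added example, not code from the article or from Cerebral: a small static audit that scans raw HTML for script, image and form URLs pointing at the advertisers named above, plus the inline initialisation calls (`fbq('init', …)`, `gtag('config', …)`, `ttq.load(…)`) that those vendors' loaders use. The host list and the sample page are assumptions constructed for illustration, not a complete catalogue and not Cerebral's markup.

```javascript
// Added example (not from the article): static audit for third-party
// tracking pixels and tag scripts in page HTML, so a review can spot
// them before a form that collects health answers ships.
// The host table is an assumption for illustration, not exhaustive.
const TRACKER_HOSTS = {
  "connect.facebook.net": "Meta Pixel",
  "www.facebook.com": "Meta Pixel (image beacon)",
  "www.googletagmanager.com": "Google Tag Manager / gtag",
  "www.google-analytics.com": "Google Analytics",
  "analytics.tiktok.com": "TikTok Pixel",
};

// Inline snippets that initialise a pixel even when its script tag is
// injected dynamically and therefore never appears as a plain <script src>.
const INLINE_SIGNATURES = [
  { pattern: /fbq\s*\(\s*['"]init['"]/, tracker: "Meta Pixel (inline init)" },
  { pattern: /gtag\s*\(\s*['"]config['"]/, tracker: "Google gtag (inline config)" },
  { pattern: /ttq\.load\s*\(/, tracker: "TikTok Pixel (inline load)" },
];

// Pull every src/href/action URL out of raw HTML without a DOM parser.
function extractUrls(html) {
  const re = /\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Hostname of an absolute or protocol-relative URL; null for relative ones,
// which stay on the first-party origin and are not a third-party leak.
function hostOf(url) {
  try {
    return new URL(url.startsWith("//") ? "https:" + url : url).hostname;
  } catch {
    return null;
  }
}

// Returns a list of {tracker, evidence} findings for the given HTML.
function auditTrackers(html) {
  const findings = [];
  for (const url of extractUrls(html)) {
    const host = hostOf(url);
    if (host && TRACKER_HOSTS[host]) {
      findings.push({ tracker: TRACKER_HOSTS[host], evidence: url });
    }
  }
  for (const { pattern, tracker } of INLINE_SIGNATURES) {
    const m = html.match(pattern);
    if (m) findings.push({ tracker, evidence: m[0] });
  }
  return findings;
}

// Constructed sample page: a self-assessment form with two pixels embedded.
// Not real Cerebral markup; IDs are placeholders.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-EXAMPLE');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<form action="/assessment/submit" method="post">
  <label>Have you felt down in the last two weeks?</label>
  <input name="q1" type="radio" value="yes"> yes
</form>
<img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1">
</body></html>`;

for (const f of auditTrackers(SAMPLE_HTML)) {
  console.log(`${f.tracker} <- ${f.evidence}`);
}
```

On the sample page the audit reports four findings: the Google Tag Manager script, the Meta image beacon, and the two inline initialisation calls. A static scan like this catches pixels that are checked into the page source; pixels injected by a tag manager at run time need a dynamic check (for example, a browser's network log) in addition.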
Cerebral is under investigation because it is legally obligated to report possible violations of HIPAA, a law that prohibits healthcare providers from sharing patient information with anyone except the patient or those authorized by the patient to access their information.
This incident is not the first of its kind as similar incidents involving pixel-tracking tools have occurred in the past.
Last year, some of the US’s top hospitals were found to be sending sensitive patient information to Meta through its pixel.
This led to two class-action lawsuits alleging that both Meta and the hospitals in question violated medical privacy laws.
In addition, The Markup discovered that Meta was able to obtain financial information about its users through the tracking tools embedded in popular tax services like H&R Block, TaxAct, and TaxSlayer.
Moreover, other online medical companies, such as BetterHelp and GoodRx, have been fined by the Federal Trade Commission (FTC) for sharing sensitive patient data with third parties earlier this year.
In addition to the investigation about HIPAA violations, Cerebral is also being looked into by the Drug Enforcement Administration and the Department of Justice because of its prescription of controlled substances such as Adderall and Xanax. Cerebral has stopped the prescription of these medications.
The Cerebral incident highlights the importance of ensuring patient data privacy and security, especially as telehealth services continue to increase in use.
Healthcare providers must ensure that they take necessary precautions to protect patient data, including regularly reviewing and updating their security measures and ensuring that all employees are adequately trained in data security.
Patients also have a role to play in protecting their data by being cautious about the information they share and carefully reading the privacy policies of the services they use.
Overall, the privacy breach involving Cerebral serves as a reminder to healthcare providers and all parties involved in handling sensitive information that they must take the necessary precautions to prevent data breaches and protect patient privacy.