Mental health startup Cerebral shared private patient data with Google, Meta and TikTok
The company exposed the personal information of more than 3.1 million US users.
Cerebral, a telehealth startup that gained popularity during the early days of the pandemic, disclosed this week that it shared the personal data of more than 3.1 million US patients with social media companies and advertisers, including Google, Meta and TikTok. As first reported by TechCrunch (via The Verge), a recently uploaded notice on Cerebral’s website reveals that the company had been using “pixels,” the tracking scripts that companies like Meta offer to third-party developers for advertising purposes, to collect user data since it began operating in October 2019.
Following a recent review of its software, Cerebral “determined that it had disclosed certain information that may be regulated as protected health information under [the Health Insurance Portability and Accountability Act].” Among the data Cerebral shared are names, phone numbers, birth dates and insurance information. In some instances, the company may have also exposed information it collected through the mental health self-assessment that patients completed to schedule counseling appointments and access other services. According to Cerebral, it did not disclose Social Security numbers, bank information or credit card numbers.
After learning of the oversight, Cerebral says it “disabled, reconfigured, and/or removed” the tracking pixels that caused the data exposure. “In addition, we have enhanced our information security practices and technology vetting processes to further mitigate the risk of sharing such information in the future.” The US Department of Health and Human Services is investigating Cerebral. News of the data exposure comes after the Federal Trade Commission fined discount drug app GoodRx $1.5 million for sharing patient information with Meta and Google. Earlier this month, the agency announced a $7.8 million settlement with online counseling company BetterHelp and said it was seeking to ban the company from sharing health data for ad targeting.