Cerebral says 3M affected by a patient data breach

The telehealth company said data, including online self-assessment responses and some clinical information, was transmitted to third parties through pixel trackers without patient consent.
By Andrea Fox
11:09 AM


A patient information disclosure has impacted more than three million patients who use online virtual mental health platform Cerebral, according to the U.S. Department of Health and Human Services' Office for Civil Rights.

WHY IT MATTERS

Cerebral is a consumer-facing telehealth platform providing mental and behavioral health services for patients with or without insurance. 

Like many technology companies and healthcare providers, Cerebral used pixel tracking technologies between October 2019 and January 2023, according to the company's Notice of HIPAA Privacy Breach.

In the notice, Cerebral said it discovered on January 3 that it "had disclosed certain information that may be regulated as protected health information under HIPAA to certain third-party platforms and some subcontractors without having obtained HIPAA-required assurances."

That information, which may have been shared with Google, Meta, TikTok and others, may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number and other demographic information.

If an individual did more than create an account – such as take the online assessment – "the information disclosed may also have included the service the individual selected, assessment responses and certain associated health information," Cerebral added.

The unauthorized patient data disclosures may have also included appointment information, treatment notes and insurance particulars for those who subscribed to the service.

However, the company insists that, "no matter how an individual interacted with Cerebral’s Platforms, the disclosed information did not include Social Security number, credit card information or bank account information."

The company says it disabled or discontinued the use of the trackers and is providing free credit report monitoring. It also is advising those affected to monitor credit statements and change Cerebral account passwords.

THE LARGER TREND

In December, HHS issued guidance on the use of online tracking tools, addressing patient data tracking on web pages and mobile apps and reminding regulated entities about HIPAA compliance obligations.

In 2022, a number of lawsuits against Meta Platforms and other entities named hundreds of hospitals and healthcare providers that were not previously aware that protected information was being transmitted through the data trackers.

Earlier this month, the Federal Trade Commission fined online therapy company BetterHelp, owned by Teladoc Health, $7.8 million for allegedly sharing consumer data with third-party advertisers.

"BetterHelp betrayed consumers' most personal health information for profit," said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement.

Cerebral recently announced a third round of layoffs in less than a year.

ON THE RECORD

"The information disclosed varied depending on what actions individuals took on Cerebral’s platforms, the nature of the services provided by the subcontractors, the configuration of tracking technologies when the individual used our services, the data capture configurations of the Third-Party Platforms, how individuals configured their devices and browser and other factors," the company said in its data breach notice.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
