Cerebral Admits HIPAA Breach, Reports Leak of Data On 3.1 Million Users

Online mental health provider Cerebral, Inc. has admitted that it inappropriately shared private health data on 3.1 million of its users, a problem that arose from its use of pixel-based tracking technologies which gather and share data on people who visit the site.

According to the company, which just released a letter outlining the nature of the data issue, Cerebral discovered a breach on January 3, 2023.

Its leaders found that the tracking technology used to mine user data had disclosed information to third parties and subcontractors.

Cerebral’s investigation concluded that the data might be considered protected health information and that it had failed to make sure that these third parties met HIPAA requirements for protecting PHI.

The technology Cerebral used is based on pixels and works along the lines of technologies currently used by third parties such as Google, TikTok, and Meta (Facebook). According to the letter, Cerebral has been using such technology since it began doing business on October 12, 2019.

Depending on what actions the user took, Cerebral collected varied types of information, including name, phone number, email address, date of birth, IP address, and client ID number, in addition to other demographic information.

If users signed up for a Cerebral account and completed any part of the company’s online mental health self-assessment, information shared on that user could include the service the individual selected, their responses to assessment questions, and certain related health information.

Meanwhile, if the individual also decided to buy a Cerebral subscription plan, the trackers might have provided third parties with users’ subscription plan types, appointment dates, other booking information, treatment data and additional clinical information, as well as health insurance/pharmacy benefits data.

Once it found out that data was being shared improperly, Cerebral said, it quickly disabled, reconfigured, and/or removed tracking technologies from its platform, along with disabling data sharing with any subcontractors that weren’t ready to meet HIPAA requirements.

It also beefed up its information security practices as well as its data and technology vetting processes to prevent data-sharing problems from emerging in the future.
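The kind of vetting described above starts with knowing which pages carry pixels and which of those pages collect health data. The following is an added example, not Cerebral's code or any vendor's tooling: a static audit that parses a page's HTML, flags loader scripts and image beacons from well-known pixel hosts (Meta, TikTok, Google, a list that is an assumption and not exhaustive), flags inline pixel API calls, and flags form fields whose names suggest PHI (a heuristic pattern that is also an assumption). The sample pages are constructed for the example.

```python
"""Static audit of an HTML page for third-party tracking pixels next to
health-related form fields (added example, not Cerebral's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Publicly documented loader/beacon hosts for common pixels.
# Assumption: illustrative list, not exhaustive; extend from your own tag inventory.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "analytics.tiktok.com": "TikTok Pixel",
    "www.googletagmanager.com": "Google Tag Manager / gtag",
    "www.google-analytics.com": "Google Analytics",
}

# Field names that hint the page collects PHI. Heuristic (assumption); tune per application.
PHI_FIELD_RE = re.compile(
    r"(diagnos|symptom|medicat|insurance|pharmacy|assessment|birth|dob|phone|email)", re.I)

# Inline JS calls that fire pixel events: fbq(...), ttq.track(...), gtag(...)
PIXEL_CALL_RE = re.compile(r"\b(fbq|ttq\.track|gtag)\s*\(")


class TrackerAuditParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.trackers = []        # (vendor, tag, src)
        self.phi_fields = []      # names of suspicious form fields
        self.inline_calls = []    # pixel API calls found in inline scripts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host in TRACKER_HOSTS:
                self.trackers.append((TRACKER_HOSTS[host], tag, a["src"]))
        elif tag in ("input", "select", "textarea"):
            name = a.get("name") or a.get("id") or ""
            if PHI_FIELD_RE.search(name):
                self.phi_fields.append(name)

    def handle_data(self, data):
        # <script> bodies arrive here as raw text, so inline pixel calls are visible.
        self.inline_calls.extend(m.group(1) for m in PIXEL_CALL_RE.finditer(data))


def audit_html(html: str) -> dict:
    """Return the trackers, PHI-like fields and a coarse risk rating for one page."""
    p = TrackerAuditParser()
    p.feed(html)
    p.close()
    has_tracker = bool(p.trackers or p.inline_calls)
    if has_tracker and p.phi_fields:
        risk = "HIGH"      # pixel present on a page that collects health data
    elif has_tracker:
        risk = "MEDIUM"    # pixel present; still sends URL, IP and identifiers
    else:
        risk = "LOW"
    return {"trackers": p.trackers, "phi_fields": p.phi_fields,
            "inline_calls": p.inline_calls, "risk": risk}


# Constructed sample: an assessment page carrying a Meta Pixel (inline init plus
# noscript image beacon) and a gtag loader. Not a real Cerebral page.
SAMPLE_BEFORE = """<html><head>
<script async src="//www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  !function(f,b,e,v,n,t,s){/* loader stub */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/assessment">
  <input name="email"><input name="date_of_birth">
  <select name="symptom_frequency"></select>
  <input name="insurance_member_id">
</form></body></html>"""

# Same constructed page with the tag loaders and beacon removed.
SAMPLE_AFTER = """<html><head></head><body>
<form action="/assessment">
  <input name="email"><input name="date_of_birth">
  <select name="symptom_frequency"></select>
  <input name="insurance_member_id">
</form></body></html>"""

if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        r = audit_html(doc)
        print(label, r["risk"], [t[0] for t in r["trackers"]], r["phi_fields"])
```

A static scan only sees what is in the served HTML; tags injected at runtime by a tag manager need a browser-based crawl that records outbound requests. The point of the rating is triage: a pixel on a marketing landing page is a review item, a pixel on the same page as an assessment form is the configuration the article describes.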

The company noted that while it wasn’t aware of any misuse of PHI made available by the tracking technology, it was prepared to offer free credit monitoring to users who want it.

The announcement follows news of two other digital health companies recently fined by the federal government for improper data-sharing practices.

Earlier this month, the Federal Trade Commission announced that it had taken steps to sanction the online counseling service BetterHelp, Inc., which it said shared sensitive healthcare data inappropriately. The FTC’s proposed order would impose a $7.8 million fine to settle charges that it wrongly shared various types of consumer health data, including data on consumers’ mental health challenges, with third parties such as Facebook, Pinterest, Criteo, and Snapchat.

Earlier this year the FTC cited telehealth and drug discount provider GoodRx for sharing sensitive consumer health data with several advertising platforms, in violation of its policy promises to consumers. The agency plans to hit GoodRx with $1.5 million in civil penalties for failing to let consumers know about unauthorized disclosures of their data.

Meanwhile, Meta continues to face accusations that it has engaged in improper collection and sale of sensitive patient health information, in addition to allegations by two health systems that the Meta Pixel tool was responsible for their data breaches.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.
