Cerebral, a telehealth startup specializing in mental health, says it accidentally shared the sensitive information of about 3.1 million patients with Google, Meta, TikTok and other third-party advertisers, as previously reported by TechCrunch. In an announcement posted on the company’s website, Cerebral admits that the tracking tools it began using back in October 2019 exposed a laundry list of patient data.
The information exposed by the tracking includes everything from patient names, phone numbers, email addresses, dates of birth, IP addresses, insurance information, appointment dates and treatment details, and more. It may even have exposed the answers customers filled out as part of the mental health self-assessment on the company’s website and app, which patients use to schedule therapy appointments and get prescribed medication.
According to Cerebral, this information leaked through the use of tracking pixels: the snippets of code that Meta, TikTok, and Google allow developers to embed in their apps and websites. The Meta pixel, for example, can collect data about a user’s activity on a website or app after they click an ad on the platform, and can even capture what information a user enters into an online form. While this lets companies like Cerebral measure how users interact with their ads across platforms and track the next steps they take, it also gives Meta, TikTok and Google access to that information, which they can then use to gain insight into their own users.
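One way a defender can audit a page for the exposure described above, as an added example that is not Cerebral's or any vendor's code: it flags pages that load a known tracker script beside a form with health-related fields (the tracker host list and the sensitive field-name list are assumptions, not exhaustive catalogues).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the Meta, TikTok and Google tags (assumption: a short
# illustrative list, not an exhaustive catalogue of tracker domains).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta pixel",
    "analytics.tiktok.com": "TikTok pixel",
    "www.googletagmanager.com": "Google tag",
}

# Field-name fragments that suggest protected health information (constructed).
SENSITIVE_FIELDS = ("dob", "date_of_birth", "insurance", "diagnosis",
                    "assessment", "phone", "email", "medication")


class PixelAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.trackers = []          # (host, label) per tracker script found
        self.sensitive_fields = []  # names of form inputs that look sensitive

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if host in TRACKER_HOSTS:
                self.trackers.append((host, TRACKER_HOSTS[host]))
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or "").lower()
            if any(k in name for k in SENSITIVE_FIELDS):
                self.sensitive_fields.append(name)


def audit(html):
    p = PixelAudit()
    p.feed(html)
    # A tracker script shares the page's DOM with the form, so it can read
    # what the user types; flag the page only when both are present.
    return {"trackers": p.trackers, "sensitive_fields": p.sensitive_fields,
            "at_risk": bool(p.trackers) and bool(p.sensitive_fields)}


# Constructed sample page: a Meta pixel loaded beside a mental-health intake form.
SAMPLE = """<html><head>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><form action="/intake" method="post">
<input name="email"><input name="date_of_birth"><input name="insurance_id">
<textarea name="assessment_answers"></textarea></form></body></html>"""
```

Running `audit(SAMPLE)` reports the Meta pixel together with the four sensitive fields and marks the page at risk; a form page with no tracker script is not flagged.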
As noted by Cerebral, the information exposed may “vary” from patient to patient depending on several factors, including “what actions individuals have taken on Cerebral’s platforms, the nature of the services provided by the subcontractors, the configuration of tracking technologies,” and more. The company says it will notify affected users, adding that “regardless of how an individual interacted with the Cerebral platform,” it has not released social security numbers, credit card numbers or bank account information.
After first identifying the issue in January, Cerebral says it has “disabled, reconfigured and/or removed” all tracking pixels on the platform to prevent future exposures, and has “enhanced” its “information security practices and technology control processes.”
Cerebral is required by law to disclose potential violations of HIPAA, the Health Insurance Portability and Accountability Act. HIPAA prohibits healthcare providers from disclosing patient data to anyone other than the patient, or to parties the patient has consented to share their health information with. The breach is currently under investigation by the U.S. Office for Civil Rights and follows similar incidents involving pixel-tracking tools.
Last year, an investigation by The Markup found that some of the nation’s top hospitals were sending sensitive patient information to Meta through the company’s pixel. This led to two class action lawsuits alleging that Meta and the hospitals in question violated medical privacy laws.
Months later, The Markup also found that Meta was able to obtain financial information about users through the tracking tools embedded in popular tax-preparation services, such as H&R Block, TaxAct, and TaxSlayer. Meanwhile, other online medical companies, such as BetterHelp and GoodRx, faced hefty fines from the FTC earlier this year for sharing sensitive patient data with third parties.
Not only is Cerebral under investigation over whether it violated HIPAA regulations, but it also faces an investigation by the Department of Justice and the Drug Enforcement Administration over its prescribing of controlled substances, such as Adderall and Xanax. Cerebral has since stopped prescribing those drugs.