Cerebral, a telehealth startup specializing in mental health, says it inadvertently shared the sensitive information of more than 3.1 million patients with Google, Meta, TikTok and other third-party advertisers, as previously reported by TechCrunch. In a notice posted on the company’s website, Cerebral admitted to exposing a laundry list of patient data through the tracking tools it had been using as far back as October 2019.
Information affected by the exposure includes patient names, phone numbers, email addresses, dates of birth, IP addresses, insurance information, appointment dates, treatments, and more. It may also have exposed the answers customers filled out as part of a mental health self-assessment on the company’s website and app, which patients can use to schedule therapy appointments and obtain prescription medication.
According to Cerebral, this information leaked through its use of tracking pixels, bits of code that Meta, TikTok and Google allow developers to embed in their apps and websites. For example, Meta Pixel may collect data about a user’s activity on a website or app after they click an ad on the platform, and can even capture information a user types into online forms. While this lets companies like Cerebral measure how users interact with their ads on various platforms and track subsequent follow-up actions, it also gives Meta, TikTok and Google access to that same information, which they can use to learn more about their own users.
The information exposed may “vary” from patient to patient.
As noted by Cerebral, the information disclosed may “vary” from patient to patient based on a number of factors, including “what actions individuals took on Cerebral’s platform,” “the services provided by subcontractors,” the “configuration of tracking technologies,” and more. The company says it will notify affected users, and adds that “it doesn’t matter how a person interacted with Cerebral’s platform,” it did not disclose Social Security numbers, credit card numbers, or bank account information.
After initially finding the security hole in January, Cerebral says it has “disabled, reconfigured and/or removed” any tracking pixels on the platform to prevent future exposure, and has enhanced its “information security practices and technology review procedures.”
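The two passages above describe how embedded pixels from Meta, TikTok and Google observe page activity, including form input, and how Cerebral responded by disabling or removing them. The static audit below is an added example, not code from the article, from Cerebral, or from any of the platforms named: it scans a page’s HTML for third-party tracker scripts, image beacons and inline pixel bootstrap calls, and raises the risk rating when such a tracker sits on a page that also contains a form. The tracker host list, the inline-call patterns and the sample page are constructed assumptions for illustration, not an authoritative catalogue of tracking domains.

```javascript
// Added example: static audit for embedded tracking pixels on an HTML page.
// Intended for a site operator reviewing pages that handle health data before
// they go live. Host list and inline markers are assumptions, not a complete
// or authoritative catalogue.

const TRACKER_HOSTS = {
  "connect.facebook.net": "Meta Pixel",
  "www.facebook.com": "Meta Pixel (image beacon)",
  "analytics.tiktok.com": "TikTok Pixel",
  "www.googletagmanager.com": "Google Tag Manager / gtag",
  "www.google-analytics.com": "Google Analytics",
};

// Inline-script markers that the major pixels register as globals.
const INLINE_MARKERS = [
  { re: /\bfbq\s*\(/, name: "Meta Pixel (inline fbq call)" },
  { re: /\bttq\.(load|track|page)\s*\(/, name: "TikTok Pixel (inline ttq call)" },
  { re: /\bgtag\s*\(/, name: "Google gtag (inline call)" },
];

// Matches <script>, <img> and <iframe> tags that carry a src attribute.
const TAG_RE = /<(script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Captures the body of every <script> block so inline bootstraps can be checked.
const INLINE_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Resolve a URL (absolute, protocol-relative or site-relative) to its hostname.
// Relative URLs resolve against a placeholder origin and never match a tracker.
function hostOf(url) {
  try {
    return new URL(url, "https://example.invalid").hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Returns one finding per third-party tracker reference found in the HTML.
function auditTrackers(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, tag, src] = m;
    const host = hostOf(src);
    if (host && TRACKER_HOSTS[host]) {
      findings.push({ kind: tag.toLowerCase(), host, tracker: TRACKER_HOSTS[host], src });
    }
  }
  for (const m of html.matchAll(INLINE_RE)) {
    const body = m[1];
    for (const { re, name } of INLINE_MARKERS) {
      if (re.test(body)) findings.push({ kind: "inline", host: null, tracker: name, src: null });
    }
  }
  return findings;
}

// A form on the same page is what turns a tracker into a data-exposure risk.
function hasForm(html) {
  return /<form\b/i.test(html);
}

// "high" when a tracker and a form share the page, "medium" for a tracker
// alone, "none" when no tracker reference is present.
function riskLevel(html) {
  const n = auditTrackers(html).length;
  if (n === 0) return "none";
  return hasForm(html) ? "high" : "medium";
}

// Constructed sample page: an inline pixel bootstrap, a loaded tag script,
// an image beacon and a self-assessment form. IDs are placeholders.
const SAMPLE_PAGE = `
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* constructed stand-in for a pixel loader */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000'); fbq('track','PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>
<form action="/assessment"><input name="symptom_score"></form>
<img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/>
<script src="/static/app.js"></script>
</body></html>`;

console.log(JSON.stringify(auditTrackers(SAMPLE_PAGE), null, 2));
console.log("risk:", riskLevel(SAMPLE_PAGE));
```

Running the audit against the sample page reports three findings (the gtag script, the Meta image beacon and the inline fbq bootstrap) and rates the page high because a form is present; the first-party `/static/app.js` script is ignored. A page with no tracker references rates none. The check is deliberately static so it can run in a build or pre-deploy step, which is where a removal like the one described above is easiest to keep from regressing.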
Cerebral is required by law to disclose potential violations of HIPAA, the Health Insurance Portability and Accountability Act. It prohibits healthcare providers from disclosing patient information to anyone other than the patient, or someone the patient has authorized to receive information about their health. The breach is currently under investigation by the US Office for Civil Rights and follows similar incidents involving pixel-tracking tools.
Last year, an investigation by The Markup found that some of the country’s top hospitals were sending sensitive patient information to Meta through the company’s pixel. This sparked two class-action lawsuits alleging that Meta and the hospitals violated medical privacy laws.
Months later, The Markup also found that Meta was able to obtain financial information about users through tracking tools embedded in popular tax services such as H&R Block, TaxAct and TaxSlayer. Meanwhile, other online medical companies like BetterHelp and GoodRx were hit with hefty fines from the FTC earlier this year for sharing sensitive patient data with third parties.
In addition to facing scrutiny over whether it violated HIPAA rules, Cerebral is facing scrutiny by the Justice Department and the Drug Enforcement Administration over its prescribing of controlled substances like Adderall and Xanax. It has since stopped prescribing these drugs.