On April 15, 2024, Cerebral, Inc. agreed to a settlement and proposed order with the Department of Justice which will restrict how the telehealth startup can use or disclose sensitive user data. As part of this agreement, Cerebral will also be required to pay more than $7 million to resolve charges that it disclosed users’ sensitive personal health information to third parties for advertising purposes. The order must be approved by the court before it can go into effect. Source: Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million | Federal Trade Commission.
Cerebral provides online mental health and related services. Consumers who sign up and use the company’s services provide detailed personal data including their home and email addresses, birthdates, medical and prescription histories, payment account or driver license numbers, as well as information about their treatment plans, pharmacy and health insurance plans, and other personal data, such as their religious or political beliefs, or sexual orientation.
To get consumers to sign up for the company’s services and provide detailed personal data, the company claimed it offered “safe, secure, and discreet” services and that users’ data would be kept confidential, according to the complaint. The complaint charges that Cerebral failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising and buried disclaimers about its data sharing practices in dense privacy policies.
Leaked Data to LinkedIn, Snapchat, and TikTok
Specifically, the complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps. These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps.
Through the use of tracking tools, Cerebral gave third parties personal data about its users including names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information, according to the complaint.
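The leak described above comes from ordinary advertising tags (scripts, pixels, iframes) loaded on pages that also collect health data. The following is an added example, not code from the page, from Cerebral, or from the FTC: a small audit that scans a page template for sources pointing at ad/analytics hosts and flags the risky combination of a tracker on the same page as a health-data form. The tracker host list, the health-field name hints, and the sample intake page are constructed for illustration and are assumptions, not a maintained tracker catalogue.

```python
"""Audit an HTML page for third-party tracking tags loaded alongside health-data forms.

Added example (not Cerebral's or the FTC's code). The host list, field hints and
sample page below are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of hosts commonly associated with the ad/analytics tags of the
# platforms named in the complaint (assumption: illustrative, not exhaustive).
TRACKER_HOSTS = {
    "snap.licdn.com": "LinkedIn Insight Tag",
    "px.ads.linkedin.com": "LinkedIn conversion pixel",
    "sc-static.net": "Snap Pixel",
    "tr.snapchat.com": "Snap Pixel",
    "analytics.tiktok.com": "TikTok Pixel",
}

# Form field name fragments that suggest health data is collected (constructed).
HEALTH_FIELD_HINTS = ("diagnosis", "medication", "prescription", "symptom", "insurance", "dob")


class TagAudit(HTMLParser):
    """Collects tracker sources and health-related form fields from one page."""

    def __init__(self):
        super().__init__()
        self.trackers = []       # (tag, host, label)
        self.health_fields = []  # field names that look like health data

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Any script/img/iframe fetched from a tracker host sends at least the
        # page URL, cookies/identifiers and whatever the tag script chooses to collect.
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            for tracker_host, label in TRACKER_HOSTS.items():
                if host == tracker_host or host.endswith("." + tracker_host):
                    self.trackers.append((tag, host, label))
        if tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in HEALTH_FIELD_HINTS):
                self.health_fields.append(name)


def audit_page(html):
    """Return trackers, health fields and whether both appear on the same page."""
    parser = TagAudit()
    parser.feed(html)
    return {
        "trackers": parser.trackers,
        "health_fields": parser.health_fields,
        # The combination the complaint describes: a tracker on a page collecting health data.
        "health_data_exposed_to_trackers": bool(parser.trackers and parser.health_fields),
    }


# Constructed sample intake page (not a real Cerebral page).
SAMPLE_INTAKE_PAGE = """
<html><head>
  <script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
  <script src="/static/app.js"></script>
</head><body>
  <form action="/intake" method="post">
    <input name="email">
    <input name="primary_diagnosis">
    <select name="current_medications"></select>
  </form>
  <img src="https://px.ads.linkedin.com/collect?pid=000" height="1" width="1">
</body></html>
"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_INTAKE_PAGE)
    for tag, host, label in result["trackers"]:
        print(f"tracker: <{tag}> from {host} ({label})")
    print("health fields:", result["health_fields"])
    print("exposed:", result["health_data_exposed_to_trackers"])
```

Run against each template in a release pipeline, a non-empty `trackers` list on any page whose `health_fields` is also non-empty is the finding to block before deployment; first-party scripts such as `/static/app.js` are ignored because they have no external host.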
If you have used Cerebral in the past year and believe your personal health information may have been leaked to third-party advertisers, explore our open cases to see if you are entitled to compensation.
Careless Marketing
Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards.
Allowing Former Employees to Access Patient Data
From May to December 2021, Cerebral failed to block former employees from accessing confidential electronic medical records of Cerebral patients. It also failed to ensure that providers accessed only their own patients’ records.
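Both failures above are caught by reconciling record-access events against an HR roster and the provider-patient assignment list. The following is an added example, not code from the page or from Cerebral's systems: it reviews constructed EMR audit log lines and flags access by a deprovisioned account, by an account not on the roster at all, and by a provider opening the record of a patient not assigned to them. The roster, assignments, log format and the rule that access on or after the termination date is a finding are all assumptions for illustration.

```python
"""Reconcile EMR record-access events against HR and care-assignment data.

Added example (not Cerebral's code). All data below is constructed.
"""
from datetime import date

# Constructed HR roster: account -> termination date (None = still employed).
ROSTER = {
    "dr.ahmed": None,
    "dr.lopez": None,
    "nurse.kim": date(2021, 5, 14),
}

# Constructed care assignments: provider account -> patients they treat.
ASSIGNMENTS = {
    "dr.ahmed": {"P1001", "P1002"},
    "dr.lopez": {"P2001"},
}

# Constructed EMR audit log, one event per line: "date account patient action".
SAMPLE_LOG = """\
2021-06-02 dr.ahmed P1001 view_chart
2021-06-02 dr.lopez P1001 view_chart
2021-06-03 nurse.kim P2001 view_chart
2021-06-03 dr.ahmed P1002 update_note
2021-06-04 unknown.user P1002 view_chart
"""


def parse_log(text):
    """Yield (date, account, patient, action) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, account, patient, action = line.split()
        yield date.fromisoformat(day), account, patient, action


def review_access(log_text, roster, assignments):
    """Return a list of (date, account, patient, reason) findings.

    Assumed policy: any access on or after an account's termination date is a
    finding, as is any access by an account missing from the roster, and any
    access by a provider to a patient not in their assignment set.
    """
    findings = []
    for when, account, patient, action in parse_log(log_text):
        if account not in roster:
            findings.append((when, account, patient, "account not on HR roster"))
            continue
        terminated = roster[account]
        if terminated is not None and when >= terminated:
            findings.append((when, account, patient, "access after termination"))
            continue
        if patient not in assignments.get(account, set()):
            findings.append((when, account, patient, "patient not assigned to provider"))
    return findings


if __name__ == "__main__":
    for when, account, patient, reason in review_access(SAMPLE_LOG, ROSTER, ASSIGNMENTS):
        print(f"{when} {account} -> {patient}: {reason}")
```

The review is deliberately data-driven so the same function can run nightly over the real audit trail: the termination check is what would have surfaced the May-December 2021 gap, and the assignment check is what enforces the provider-to-own-patients rule after the fact.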
Insecure Access Methods
Cerebral used a single sign-on method for accessing its patient portal that in numerous instances exposed confidential medical files and patient information, such as diagnoses, medications, email addresses, and phone numbers, to other patients when those users signed onto the portal at the same time.