Cerebral acknowledges sharing patient information with Meta, TikTok, and Google

The startup focused on mental health has stated that it inadvertently revealed patients' names, dates of birth, insurance details, and their answers to mental health self-assessments.

Cerebral, a telehealth startup specializing in mental health, recently announced that it inadvertently shared sensitive information of more than 3.1 million patients with several third-party advertisers, including Google, Meta, and TikTok. The exposure occurred due to Cerebral's use of tracking pixels, which are small bits of code that allow companies to track user interactions with their ads across various platforms.

According to a notice posted on the company's website, Cerebral admits to exposing a laundry list of patient data with the tracking tools it's been using since October 2019. The information affected by the oversight includes everything from patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and more. In fact, it may have even exposed the answers clients filled out as part of the mental health self-assessment on the company's website and app, which patients can use to schedule therapy appointments and receive prescription medication.

Cerebral explains that the exposed information could vary from patient to patient depending on several factors, including "what actions individuals took on Cerebral's Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies," and more.

The company is required by law to disclose potential violations of HIPAA, also known as the Health Insurance Portability and Accountability Act. This law bars healthcare providers from divulging patient information to anyone else other than the patient, or anyone the patient has consented to receive information about their health. The breach is currently under investigation by the US Office for Civil Rights.

Cerebral has since disabled, reconfigured, and/or removed any of the tracking pixels on the platform to prevent future exposures, and has enhanced its information security practices and technology vetting processes. The company has also vowed to notify affected users.

In addition to facing scrutiny over whether or not it has violated HIPAA regulations, Cerebral is facing an investigation by the Department of Justice and the Drug Enforcement Administration over its prescribing of controlled substances, such as Adderall and Xanax. The company has since halted the prescription of these medications.

The incident involving Cerebral is not the first of its kind. Last year, The Markup found that some of the nation's top hospitals were sending sensitive patient information to Meta through the company's pixel. This sparked two class-action lawsuits, which allege Meta and the hospitals in question violated medical privacy laws. Furthermore, The Markup also found that Meta was able to obtain financial information about users through the tracking tools embedded in popular tax services, such as H&R Block, TaxAct, and TaxSlayer. Additionally, other online medical companies, such as BetterHelp and GoodRx, have faced hefty fines from the FTC for sharing sensitive patient data with third parties earlier this year.