Another day, another privacy breach by an online mental health provider.
This time, the telemedicine company Cerebral has sent emails to users admitting that it used tracking technologies to share personal user data, protected health data, and other data despite promising the information would be private, according to the website Legal Scoops.
The company said that, depending on a user’s configuration, their highly personal information may have been disclosed to sites such as Google, Meta (the parent company of Facebook), TikTok, and others. Shared information may have included personal and demographic information, parts of their mental health assessment, and/or their clinical, health insurance, and pharmacy benefit details.
Just last week, the Federal Trade Commission (FTC) proposed a $7.8 million fine against BetterHelp, another mental health app, accusing the company of sharing sensitive user data with third parties such as Meta and Snapchat. The app had promised to keep all information private, but the FTC said that it instead shared the data with social media companies and third-party advertisers, who used it to target ads to consumers.
Cerebral, which describes itself as “a mental health telemedicine company that is democratizing access to high-quality mental health care for all,” has been disclosing this information since 2019, Legal Scoops said. The site’s intake asks patients to answer questions covering conditions such as depression, anxiety, and bipolar disorder.
In a company statement, Cerebral said that on January 3, 2023, it “determined that it had disclosed certain information that may be regulated as protected health information (‘PHI’) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances.” However, it did not share Social Security numbers, credit card information, or bank account information, the company said.
Cerebral claimed that it has now “disabled, reconfigured, and/or removed” the offending trackers and “discontinued or disabled” data shared with entities unable to meet all HIPAA requirements. It is also offering complimentary access to identity protection services for one year to some of its users.
Earlier this year, US senators sent a letter to Cerebral and several other telehealth providers expressing concerns over their privacy and tracking processes, as well as their practice of sharing sensitive and personally identifiable health information with third parties that monetize the data to target advertisements.
“What is of particular concern is that Cerebral’s website was used by more than 200,000 patients in 2020 and 2021 alone,” the letter said in part.
Last year, a former vice president of the company claimed he was fired after complaining about unethical practices, including alleged plans to prescribe stimulants to 100 percent of ADHD patients as a retention strategy, according to Bloomberg News. The complaint also alleged numerous user privacy issues.