Telehealth mental health startup Cerebral — after receiving a formal request from the federal government — admitted to sharing the private health information of more than 3.1 million patients in the United States with several advertisers and social media platforms.
According to the company’s “Notice of HIPAA Privacy Breach,” the data disclosed “varied depending on what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies when the individual used our services, the data capture configurations of the Third-Party Platforms, how individuals configured their devices and browser, and other factors.”
Cerebral admitted to using tracking technologies since the company began operations in October 2019.
As TechCrunch reports: “Cerebral was sharing patients’ data with tech giants in real-time by way of trackers and other data-collecting code that the startup embedded within its apps. Tech companies and advertisers, like Google, Facebook, and TikTok, allow developers to include snippets of their custom-built code, which allows the developers to share information about their app users’ activity with the tech giants, often under the guise of analytics but also for advertising. But users often have no idea that they are opting-in to this tracking simply by accepting the app’s terms of use and privacy policies, which many people don’t read.”
In the company’s notice, Cerebral officials noted the tracking technologies were “disabled, reconfigured and/or removed,” and security practices and technology have been “enhanced.”
On Feb. 2 – in the wake of the Federal Trade Commission’s $1.5 million settlement with telehealth services provider GoodRX for allegedly disclosing patient health data to Facebook, Google, and other digital companies — Sens. Amy Klobuchar (D-Minn.), Susan Collins (R-Maine), Maria Cantwell (D-Wash.), and Cynthia Lummis (R-Wyo.) sent letters to leaders of telehealth companies requesting specific information regarding how they share consumer health data. Cerebral, Monument and Workit Health were among the companies contacted.
“Telehealth — an industry valued at over $30 billion — has become a popular and effective way for many Americans to receive care,” the senators wrote in the letter. “One-fifth of the U.S. population resides in rural or medically underserved communities where access to virtual care is vital. This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems.”
Also, on March 3, Sen. Klobuchar, along with Sens. Elizabeth Warren (D-MA) and Mazie Hirono (D-HI) introduced legislation to expand protections for Americans’ personal health data privacy.