Telehealth mental health startup Cerebral — after receiving a formal request from the federal government — admitted to sharing the private health information of more than 3.1 million patients in the United States with several advertisers and social media platforms.
According to the company’s “Notice of HIPAA Privacy Breach,” the data disclosed “varied depending on what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies when the individual used our services, the data capture configurations of the Third-Party Platforms, how individuals configured their devices and browser, and other factors.”
Cerebral admitted to using tracking technologies since the company began operations in October 2019.
In the company’s notice, Cerebral officials noted the tracking technologies were “disabled, reconfigured and/or removed,” and security practices and technology have been “enhanced.”
On Feb. 2 — in the wake of the Federal Trade Commission’s $1.5 million settlement with telehealth services provider GoodRx for allegedly disclosing patient health data to Facebook, Google, and other digital companies — Sens. Amy Klobuchar (D-Minn.), Susan Collins (R-Maine), Maria Cantwell (D-Wash.), and Cynthia Lummis (R-Wyo.) sent letters to leaders of telehealth companies requesting specific information regarding how they share consumer health data. Cerebral, Monument and Workit Health were among the companies contacted.
“Telehealth — an industry valued at over $30 billion — has become a popular and effective way for many Americans to receive care,” the senators wrote in the letter. “One-fifth of the U.S. population resides in rural or medically underserved communities where access to virtual care is vital. This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems.”