Cerebral, a telehealth startup specializing in mental health, says it inadvertently shared the sensitive information of more than 3.1 million patients with Google, Meta, TikTok and other third-party advertisers, as previously reported by TechCrunch. In a notice published on the company’s website, Cerebral admits to exposing a long list of patient data through the tracking tools it has been using since October 2019.
The information captured by the trackers includes patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment details and more. It may even have exposed the answers clients gave in the mental health self-assessment on the company’s website and app, which patients use to schedule therapy appointments and receive prescription medication.
According to Cerebral, this information was disseminated through tracking pixels, the pieces of code that Meta, TikTok and Google allow developers to embed in their apps and websites. The Meta Pixel, for example, can collect data about a user’s activity on a website or app after they click on an ad on the platform, and can even capture information a user types into an online form. While this lets companies like Cerebral measure how users interact with their ads across platforms and track the steps they take afterward, it also gives Meta, TikTok and Google access to that information, which they can then use to better understand their own users.
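Because the exposure described above arises when a pixel script loads on the same page as a form that collects health data, here is an added example (not the article’s or Cerebral’s code) of a simple static audit that flags that combination; the tracker hostnames and field-name patterns it uses are assumptions chosen for illustration:

```javascript
// Added example (not the article's or Cerebral's code): a static audit that flags
// pages where third-party tracking pixels load alongside forms collecting
// sensitive data. Tracker hosts and field-name patterns are assumptions.
const TRACKER_HOSTS = [
  "connect.facebook.net",     // Meta Pixel loader
  "analytics.tiktok.com",     // TikTok Pixel
  "www.googletagmanager.com", // Google tag loader
];
const SENSITIVE_FIELDS = /(name|email|phone|tel|dob|birth|insurance|assessment)/i;

// Hosts of <script src="..."> tags that belong to a known tracker.
function findTrackers(html) {
  const hosts = new Set();
  const re = /<script[^>]*\bsrc=["']([^"']+)["']/gi;
  for (let m; (m = re.exec(html)) !== null; ) {
    try {
      const host = new URL(m[1], "https://page.invalid").hostname;
      if (TRACKER_HOSTS.includes(host)) hosts.add(host);
    } catch (e) { /* skip a malformed src attribute */ }
  }
  return [...hosts];
}

// Form field names that look like personal or health data.
function findSensitiveFields(html) {
  const fields = [];
  const re = /<(?:input|select|textarea)[^>]*\bname=["']([^"']+)["']/gi;
  for (let m; (m = re.exec(html)) !== null; ) {
    if (SENSITIVE_FIELDS.test(m[1])) fields.push(m[1]);
  }
  return fields;
}

// A page is at risk when a tracker is loaded on the same page as sensitive
// fields: the pixel can read what the user types, as the article describes.
function auditPage(html) {
  const trackers = findTrackers(html);
  const fields = findSensitiveFields(html);
  return { trackers, fields, atRisk: trackers.length > 0 && fields.length > 0 };
}

// Constructed sample: an intake form on a page that also loads the Meta Pixel.
const SAMPLE_PAGE = `<html><head>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><form action="/intake" method="post">
<input name="email" type="email"> <input name="insurance_id" type="text">
<textarea name="assessment_q1"></textarea></form></body></html>`;

console.log(JSON.stringify(auditPage(SAMPLE_PAGE)));
```

Running the audit over a site’s templates in CI is one way to catch a pixel that has been added to a page carrying a health intake form before it ships.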
As noted by Cerebral, the information exposed may “vary” from patient to patient depending on several factors, including “the actions individuals have taken on Cerebral’s platforms, the nature of the services provided by contractors, configuration of tracking technologies” and more. The company says it will notify affected users and adds that “no matter how an individual interacts with Cerebral’s platform,” it has not exposed social security numbers, credit card numbers, or bank account information.
After initially finding the security flaw in January, Cerebral says it has “disabled, reconfigured, and/or removed” one of the tracking pixels on the platform to prevent future exposures, and has “enhanced” its “information security practices and technology verification process.”
Cerebral is required by law to disclose potential violations of HIPAA, the Health Insurance Portability and Accountability Act, which prohibits healthcare providers from disclosing patient information to anyone other than the patient or someone the patient has consented to receive their health information. The breach is currently being investigated by the US Office for Civil Rights and follows similar incidents involving pixel tracking tools.
Last year, an investigation by The Markup found that some of the nation’s top hospitals were sending sensitive patient information to Meta through the company’s pixel. This triggered two class action lawsuits, which allege that Meta and the hospitals in question violated medical confidentiality laws.
Months later, The Markup also found that Meta was able to obtain financial information on users through tracking tools built into popular tax services, such as H&R Block, TaxAct and TaxSlayer. Meanwhile, other online medical companies, like BetterHelp and GoodRx, received hefty fines from the FTC for sharing sensitive patient data with third parties earlier this year.
In addition to facing intense scrutiny over whether or not it violated HIPAA regulations, Cerebral faces a Justice Department and Drug Enforcement Administration investigation into its prescribing of controlled substances, such as Adderall and Xanax. It has since stopped prescribing these drugs.