Startups are notoriously bad at protecting our data. Cerebral — a telehealth startup that rose to popularity at the start of the coronavirus pandemic — shared the private health information of more than 3.1 million US users with advertisers and social media platforms, including Google, Meta and TikTok.
In a disclosure first reported by TechCrunch, Cerebral said it uses tracking technologies made available by third parties such as Google, Meta and TikTok. It’s not uncommon for websites to use these types of tracking technologies for advertising, and it’s not uncommon for these practices to end in data breaches and, yes, even HIPAA violations.
That’s exactly what Cerebral did: after reviewing its use of these technologies and its data-sharing practices, the company “determined that it had disclosed certain information that could be regulated as health information protected under HIPAA” to some of these third parties. Cerebral may have accidentally given Google, Meta and TikTok its users’ personal information such as names, phone numbers, email addresses, birthdays, IP addresses, results of their mental health self-assessments, treatments and other clinical information.
“Upon becoming aware of this issue, Cerebral promptly disabled, reconfigured and/or removed tracking technologies on Cerebral’s platforms to prevent any such disclosure in the future and discontinued or disabled data sharing with contractors unable to meet all HIPAA requirements,” Cerebral said in the disclosure. “In addition, we have enhanced our information security practices and technology verification processes to further mitigate the risk of sharing such information in the future.”
The company’s notice to customers is not easy to find. You need to scroll down to the bottom of the site, where you will find, in small print: “See here for more information on the March 2023 HIPAA breach.” Social media companies that now have access to this data do not have to delete it, even though the data from the Cerebral breach is supposed to be covered by HIPAA, the US health privacy law.
Cerebral is just one of about 50 telehealth startups that shared user data with advertising platforms last year, according to a joint survey by STAT and The Markup.