
Cerebral admits sharing data of 3.2M with third parties amid Senate inquiry

A worker walks by a video monitor on the Meta campus.

One month after a group of senators launched an inquiry into Cerebral, the mental health subscription platform issued a breach notice to nearly 3.2 million patients that appears to confirm many of the data-sharing claims brought to light in the inquiry.

The notice shows the unauthorized disclosure of patient health data began in 2019. Despite the large number of impacted patients, it’s only the second-largest healthcare data breach report so far this year.

As SC Media reported last month, Sens. Maria Cantwell, D-Wash.; Amy Klobuchar, D-Minn.; Susan Collins, R-Maine; and Cynthia Lummis, R-Wyo.; sent letters to Cerebral, Monument, and Workit Health, after reports showed the digital health providers were both tracking and sharing patient data with third parties.

The letter accused Cerebral and the other platforms of routinely engaging in third-party data sharing for advertising purposes, without consent from patients and despite promises to users that the data they entered into the platform would remain confidential.

The allegations are nearly identical to the accusations levied against BetterHelp and GoodRx in multi-million dollar settlements over what the FTC calls "egregious" privacy practices, centered around “sharing sensitive and personally-identifiable health data with third-party social media and online search platforms such as Google and Facebook that monetize this data to target advertisements.”

The senators warned Cerebral that its choice to gather “extremely personal” data could lead to individuals being targeted with “unnecessary or potentially harmful physically, psychologically, or emotionally” advertisements.

The Senate letter was promptly met with a patient-led lawsuit. At the time of the letter, Cerebral did not confirm or deny the accusations.

The new breach notice confirms the breach and shows the alleged tracking and sharing of data was brought on by its use of pixels and “similar common technologies.” These tools, made available by Google, Meta (Facebook), TikTok, and other third parties, have been used by Cerebral since the company launched its operations on Oct. 12, 2019.
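The tracking described above reaches a site through ordinary `<script>`, `<img>` and `<iframe>` tags that load from the vendors' hosts, so a provider can catch them with a static check of its own pages before any visitor data leaves. The scanner below is an added example, not code from the article, from Cerebral, or from any of the vendors named: it walks a page with the standard-library HTML parser and flags resources served from a small, assumed list of Google, Meta and TikTok tag hosts. The sample page and every ID in it are constructed placeholders.

```python
"""
Static audit of an HTML page for third-party tracking tags.

Added example (not from the SC Media article or from Cerebral): a stdlib-only
scanner that flags <script>, <img>, and <iframe> elements loading from known
advertising/analytics hosts, so a site owner can check a patient-facing page
before its tags ship sensitive data off-site. The sample page below is
constructed; the pixel/tag IDs in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the tracking tags named in the article (Google, Meta, TikTok).
# This mapping is an assumption for the example; a real audit would maintain
# its own vendor list and review it as tags change.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (noscript fallback)",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}


class TrackerScanner(HTMLParser):
    """Collects external resource loads and classifies them by host."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, vendor, url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Relative URLs (first-party assets) have an empty netloc and are skipped.
        host = urlparse(src).netloc.lower()
        vendor = TRACKER_HOSTS.get(host)
        if vendor:
            self.findings.append((tag, vendor, src))


def scan_html(html: str):
    """Return a list of (tag, vendor, url) for every tracker reference found."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def vendors_found(html: str):
    """Distinct vendor labels, sorted, for a quick pass/fail check in CI."""
    return sorted({vendor for _, vendor, _ in scan_html(html)})


# Constructed sample: a self-assessment page that loads three vendors' tags
# plus one first-party script. IDs such as PIXEL_ID_PLACEHOLDER are placeholders.
SAMPLE_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView&amp;noscript=1"/></noscript>
<form action="/self-assessment"> ... </form>
</body></html>
"""

if __name__ == "__main__":
    for tag, vendor, url in scan_html(SAMPLE_PAGE):
        print(f"<{tag}> {vendor}: {url}")
```

Running the module prints the four third-party loads and ignores `/static/app.js`. A static scan only sees tags present in the served HTML; scripts injected at runtime by a tag manager still need a dynamic check (for example, reviewing outbound requests in a browser session), which is why the host list is the point to keep under change control.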

The company “recently initiated a review of its use of tracking technologies and data sharing practices involving subcontractors.” 

Cerebral determined on Jan. 3, 2023, that Cerebral in fact “disclosed certain information that may be regulated as protected health information... to certain third-party platforms and some subcontractors without having obtained HIPAA-required assurances.”

Patients are being notified that the impacted information varied by individual “depending on what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the subcontractors,” tracking technology configuration when accessing the platform, the data capture configurations of the third parties, and user configuration of their device and browser.

As such, the data could include names, contact information, IP addresses, Cerebral client ID number, dates of birth, and other demographic information, as well as the service the individual selected, assessment responses, and health information, if a user “completed any portion of Cerebral’s online mental health self-assessment.”

For users who completed an online mental health self-assessment and purchased a subscription plan, the disclosed data also included appointment dates and other booking information, treatment and other clinical information, and health insurance/pharmacy benefit information.

The disclosure mirrors the recent accusations levied against Meta throughout the last year, as well as disclosures by major health providers like Advocate Aurora Health after using pixel tracking tech on patient-facing websites for marketing purposes.

Facebook and the long list of providers that have issued breach notices are all facing lawsuits over these privacy practices. For the healthcare providers, industry leaders have noted that those tasked with marketing were likely unaware of the potential violations that could occur by using tech not intended for healthcare sites.

As the litigation is pending, it’s unclear how these actions will play out. However, as the FTC recently warned Amazon after its One Medical acquisition, the regulatory agency will be scrutinizing health apps to ensure consumer data privacy is protected from these types of disclosures. The action suggests there will be more enforcement actions on the horizon.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
