Cerebral Inc., a telehealth startup specializing in mental health, has revealed that it unintentionally shared sensitive information on over 3.1 million patients with media and tech giants like Meta, TikTok, Google, and other third-party advertisers, without having obtained the assurances required by the Health Insurance Portability and Accountability Act (HIPAA). In a notice posted on Cerebral's website, the company admitted that its tracking technologies had exposed patient data dating as far back as October 2019.
The information shared through the tracking tech includes patients' names, birthdates, phone numbers, email addresses, IP addresses, insurance information, appointment dates, treatment plans, and Cerebral client ID numbers.
The notice also states that, in addition to anyone who created a Cerebral account, clients who completed any portion of Cerebral's online mental health self-assessment on the company's website or app would have had their information disclosed. This includes any services the individual selected, assessment responses, and certain other associated health information. The telehealth company explained that it had been sharing patient data with Meta, TikTok, and Google in real time through the use of "tracking technologies," or "pixels." Companies like Meta and TikTok let developers embed snippets of the vendor's custom-built code in a website or app. Typically installed for advertising analytics, that code sends information about the app user's activity back to the tech giant.
Take the Meta Pixel, for example. Once a user has clicked on an advertisement, the code installed on the site records that user's activity on the app or website, keeping track of the information the user fills out online and any other steps they take afterward. While this helps companies see how users interact with their platforms, it also leaves the door open for companies like TikTok and Google to use the same information to gain insight into those users.
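The practical question for a site owner is how to find out what a page is reporting to third parties before it goes live. The script below is an added example, not code from the article, from Cerebral, or from any of the vendors named: a dependency-free Node.js audit that scans a page's raw HTML for third-party script loaders, inline calls to the JavaScript globals those pixels install, and 1x1 image beacons, then suggests a first-party-only Content-Security-Policy as a backstop. The tracker host list is an assumption to be extended for your own site, the sample page is constructed for illustration, and the pixel ID is a placeholder.

```javascript
// Added example (not the article's or any vendor's code): audit a page's HTML
// for the kind of third-party tracking pixels described above. Runs under
// Node.js with no dependencies. The sample HTML below is constructed.

// Script hosts commonly used by the loaders of the pixels the article names.
// Assumption: treat this as a starting list, not an exhaustive one.
const TRACKER_HOSTS = new Set([
  "connect.facebook.net",      // Meta Pixel loader
  "analytics.tiktok.com",      // TikTok Pixel loader
  "www.googletagmanager.com",  // Google tag loader
]);
// JavaScript globals those snippets install and call inline.
const TRACKER_GLOBALS = /\b(fbq|ttq|gtag)\s*\(/g;

// Resolve a src attribute to a hostname; relative URLs resolve to the first party.
function hostOf(src, firstPartyHost) {
  try {
    return new URL(src, `https://${firstPartyHost}/`).hostname;
  } catch {
    return null; // malformed src: report nothing rather than throw
  }
}

// Pull the src attributes of one tag name (script or img) out of raw HTML.
function srcAttributes(html, tagName) {
  const re = new RegExp(`<${tagName}\\b[^>]*?\\ssrc\\s*=\\s*["']([^"']+)["']`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Audit one page: every third-party script host (flagging known tracker
// loaders), any tracker globals called inline, and image beacons that leave
// the first party. Pixels are often declared as 1x1 images inside <noscript>
// so they fire even when JavaScript is disabled.
function auditPage(html, firstPartyHost) {
  const thirdPartyScripts = [];
  for (const src of srcAttributes(html, "script")) {
    const host = hostOf(src, firstPartyHost);
    if (host && host !== firstPartyHost) {
      thirdPartyScripts.push({ host, knownTracker: TRACKER_HOSTS.has(host) });
    }
  }

  const trackerGlobals = new Set();
  for (const m of html.matchAll(TRACKER_GLOBALS)) trackerGlobals.add(m[1]);

  const imageBeacons = [];
  for (const src of srcAttributes(html, "img")) {
    const host = hostOf(src, firstPartyHost);
    if (host && host !== firstPartyHost) imageBeacons.push(host);
  }

  return {
    thirdPartyScripts,
    trackerGlobals: [...trackerGlobals].sort(),
    imageBeacons,
    leaksToThirdParties:
      thirdPartyScripts.length > 0 || trackerGlobals.size > 0 || imageBeacons.length > 0,
  };
}

// A Content-Security-Policy that refuses to load scripts from, or send image
// and fetch/XHR beacons to, anything but the first party. It complements
// removing the tags: a pixel that is accidentally re-added cannot report out.
function firstPartyOnlyCsp() {
  return "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'";
}

// Constructed sample: a self-assessment page with a Meta Pixel snippet installed.
const SAMPLE_HTML = `
<html><head>
<script>
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<form id="self-assessment"><input name="email"><button>Submit</button></form>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView"></noscript>
</body></html>`;

console.log(JSON.stringify(auditPage(SAMPLE_HTML, "app.example-health.test"), null, 2));
console.log("Suggested header: Content-Security-Policy: " + firstPartyOnlyCsp());
```

Run it against the HTML your server actually emits (fetch the page and pass the body in), not against the templates, since tag managers and A/B-testing tools inject scripts at render time. The audit reports on what a page would load; the remedy the article describes, removing the pixels from pages that handle health information, is still the fix, and the CSP header keeps a stray re-addition from reporting.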
While Cerebral noted that the exposed information could vary from patient to patient, depending on factors such as what actions each patient took on its platforms, the nature of the services provided by the subcontractors, and the configuration of the tracking technology, the company was firm that it did not expose users' Social Security numbers, credit card numbers, or bank account information. Since finding the hole in its security this past January, Cerebral says it has disabled, reconfigured, and removed the tracking pixels on its platform to prevent any further exposure. It has also put measures in place to enhance its information security practices and technology vetting processes.
The mental health startup is now required by law to disclose potential violations of HIPAA. Under HIPAA, healthcare providers are barred from disclosing patient information to anyone other than the patient or a party the patient has consented to receive information about their health. Along with the data breach, the company is also facing an investigation by the Department of Justice and the Drug Enforcement Administration over its prescribing of controlled substances, such as Adderall and Xanax, to its patients.
While the data breach is under investigation by the U.S. Office for Civil Rights, it follows similar incidents over the last few years involving pixel-tracking tools. According to a list of health-related security lapses under investigation by the U.S. Department of Health and Human Services, Cerebral's data lapse is the second-largest breach of health data in 2023. The news broke only weeks after the U.S. Federal Trade Commission fined GoodRx $1.5 million over data sharing and ordered it to stop sharing patients' health data with advertisers. BetterHelp, another online mental health platform, was also ordered to pay customers $8.5 million for mishandling users' data.
In the lineup of breaches last year, an investigation by The Markup found that the nation's top hospitals had been sharing sensitive patient information with Meta through the company's pixel. Beyond sparking two class-action lawsuits alleging that the hospitals and Meta violated HIPAA, the investigation also found that Meta was able to obtain users' financial information through pixels embedded in tax-preparation websites such as H&R Block, TaxAct, and TaxSlayer.
For questions or more information regarding this case, you can connect with one of our legal staff today by completing our case evaluation form.