Telehealth startup, Cerebral, which specializes in mental health has recently revealed that it has exposed its patients’ private information that includes mental health assessments.
This data of more than 3.1 million patients in the US has apparently been shared with advertisers and social media giants like Facebook, Google, and TikTok.
In a notice published on the company’s website, it addressed the case, admitting to having exposed patient data from as far back as October 2019 by the tracking technologies it had been utilizing.
The telehealth startup came to light in the wake of the COVID-19 pandemic, after the online-only virtual health services came into culture due to lockdown, disclosing the security lapse in its system at the time.
In a filing with the federal government, pertaining to the security lapse, the company revealed that it has shared personal and health-related information of patients who were attempting to seek therapy or other mental health care service via their app.
The collected and distributed data includes information like names, phone numbers, email addresses, dates of birth, IP addresses, and other demographic data. In addition to data obtained from Cerebral's online mental health self-assessment, which may also have included the services that the patient chose, assessment responses, and other related health information was also there.
Reportedly, Cerebral was using trackers and other data-collecting programmes that the company included in its apps to share patient data with digital giants in real time.
In most cases, it has been observed that online users have no idea if they are opting into the tracking options in these apps, and simply accept the app’s terms of use and privacy policies, which they clearly do not read.
According to Cerebral, the data could vary from patient to patient based on different factors, like “what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies,” and more. The company added that it will notify the affected users, regardless of “how an individual interacted with the Cerebral’s platform.”
Moreover, it claims that nothing such as the patient’s social security, credit card credentials, or bank account information has been exposed. Following the data breach in January, the company says it has “disabled, reconfigured, and/or removed any of the tracking pixels on the platform to prevent future exposures, and has enhanced its information security practices and technology vetting processes.”
It added that the company has terminated the tracking code from its apps. However, the tech giants are under no obligation in taking down the exposed data that Cerebral has shared.
Taking into account the way Cerebral manages sensitive patient information, it is being protected by the HIPAA health privacy regulation in the United States. The U.S. Department of Health and Human Services, which supervises and enforces HIPAA, has compiled a list of health-related security violations under investigation. Cerebral's data leak is the second-largest compromise of health data in 2023.