
Telehealth Startup Reveals It Exposed Private Data of Millions of Its Patients


Telehealth startup Cerebral, which specializes in mental health, has recently revealed that it exposed its patients' private information, including mental health assessments.

The data of more than 3.1 million patients in the US has apparently been shared with advertisers and social media giants like Facebook, Google, and TikTok.

In a notice published on its website, the company admitted that the tracking technologies it had been using exposed patient data from as far back as October 2019.

The telehealth startup came to prominence in the wake of the COVID-19 pandemic, when lockdowns made online-only virtual health services commonplace, and has now disclosed the security lapse in its systems.

In a filing with the federal government about the security lapse, the company revealed that it had shared personal and health-related information of patients who were seeking therapy or other mental health care services via its app.

The collected and distributed data includes names, phone numbers, email addresses, dates of birth, IP addresses, and other demographic data. It also includes data obtained from Cerebral's online mental health self-assessment, which may have included the services the patient chose, assessment responses, and other related health information.

Reportedly, Cerebral was using trackers and other data-collecting programmes that the company included in its apps to share patient data with digital giants in real time. 

In most cases, online users have no idea whether they are opting into the tracking options in these apps; they simply accept the app's terms of use and privacy policies, which they clearly do not read.

According to Cerebral, the data could vary from patient to patient based on different factors, like “what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies,” and more. The company added that it will notify the affected users, regardless of “how an individual interacted with the Cerebral’s platform.” 

Moreover, it claims that patients' Social Security numbers, credit card credentials, and bank account information have not been exposed. Following the data breach in January, the company says it has “disabled, reconfigured, and/or removed any of the tracking pixels on the platform to prevent future exposures, and has enhanced its information security practices and technology vetting processes.”

The company added that it has removed the tracking code from its apps. However, the tech giants are under no obligation to take down the exposed data that Cerebral has shared.

Because Cerebral handles sensitive patient information, it is covered by HIPAA, the health privacy regulation in the United States. The U.S. Department of Health and Human Services, which supervises and enforces HIPAA, has compiled a list of health-related security violations under investigation. Cerebral's data leak is the second-largest compromise of health data in 2023.

Telehealth Companies Monetizing and Sharing Health Data

These reports come despite company promises to prospective patients that their user data, including information about mental health and addiction treatment, will remain confidential. 

Senators Amy Klobuchar, Susan Collins, Maria Cantwell, and Cynthia Lummis expressed their concern over the protection of patients' sensitive health information by well-known telehealth companies. 

They referenced an investigation by STAT and The Markup that uncovered the deliberate sharing of patient data by telehealth companies with tech giants such as Meta, Facebook, Google, TikTok, Microsoft and Twitter, and other advertising platforms. 

It has been reported that these digital health companies are monitoring and distributing the personally identifiable health information of their clients, including their contact information, financial details, and more. 

“Telehealth…has become a popular and effective way for many Americans to receive care.  One-fifth of the U.S. population resides in rural or medically-underserved communities where access to virtual care is vital. This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems,” the senators added. 

Senators Amy Klobuchar (D-Minn.), Susan Collins (R-Maine), Maria Cantwell (D-Wash.), and Cynthia Lummis (R-Wyo.) recently sent letters to telehealth companies Monument, Workit Health, and Cerebral, inquiring about their data sharing practices. 

“Recent reports highlight how your company shares users’ contact information and health care data that should be confidential. This information is reportedly sent to advertising platforms, along with the information needed to identify users. This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” the letter reads.

Telehealth involves the provision of healthcare services and information through the use of electronic communication and information technologies. It enables remote patient-provider communication to provide services including consultation, education, monitoring, intervention, and even admission for treatment, overcoming the barriers of distance.