Cerebral shared private health data on 3.1M users for years with advertisers, social media platforms

Cerebral, the embattled mental health startup, shared millions of patients' private health information with advertisers in the second-largest breach of health data of 2023. 

Data on more than 3.1 million patients was shared with the likes of Facebook, Google and TikTok, TechCrunch originally reported. A notice of the breach was also posted at the bottom of Cerebral's site, which said the tracking had been going on since October 2019.

"Like others in many industries, including health systems, traditional brick and mortar providers and other telehealth companies, Cerebral has used what are called 'pixels' and similar common technologies ('Tracking Technologies'), such as those made available by Google, Meta (Facebook), TikTok, and other third parties," the company wrote in its notice.

These data were being shared with the tech companies in real time through trackers and data-gathering code that Cerebral had embedded in its apps. Cerebral says it has since disabled or reconfigured those technologies to prevent disclosures of HIPAA-protected data in the future, according to the notice. The tech giants, meanwhile, are not obligated to delete the data they received from Cerebral, TechCrunch reported.
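To make the mechanism in the notice concrete, here is an added example; it is not Cerebral's code nor any vendor's pixel library. A third-party pixel is, at the call site, just a JavaScript function the site's own code invokes with an event name and a bag of parameters; whatever the site puts in that bag leaves for the vendor. The block shows a call site that forwards an intake form wholesale, a hardened call site that allowlists keys and refuses to fire on clinical routes, and a small audit routine of the kind you would run over pixel traffic captured by a proxy. The form fields, route prefixes, allowlist and detection patterns are all assumptions chosen for illustration, and the sample form is constructed fake data.

```javascript
// Added example, not Cerebral's code. Stand-in for a vendor pixel function:
// real snippets queue events until the vendor script loads, then ship them to
// the vendor's endpoint. Here the queue is an array so the leak is observable.
function makePixelSink() {
  const sent = [];
  const fbq = (...args) => { sent.push(args); };
  return { fbq, sent };
}

// Leaky call site: the intake handler forwards the whole form as "custom data"
// so the ad platform can match the user and optimise campaigns on it.
function leakyReportConversion(fbq, form) {
  fbq('track', 'CompleteRegistration', { ...form });
}

// Hardened call site: explicit allowlist of parameter keys (assumed safe here;
// in practice a policy decision), no events at all on authenticated or clinical
// routes, and every dropped key recorded for review.
const ALLOWED_KEYS = new Set(['utm_campaign', 'landing_page']);
const NO_TRACKING_PREFIXES = ['/app/', '/assessment/', '/checkout/'];

function sanitizeEventData(data, dropped = []) {
  const clean = {};
  for (const [key, value] of Object.entries(data)) {
    if (ALLOWED_KEYS.has(key)) clean[key] = value;
    else dropped.push(key);
  }
  return clean;
}

function hardenedReportConversion(fbq, form, path, dropped = []) {
  if (NO_TRACKING_PREFIXES.some((p) => path.startsWith(p))) return false;
  fbq('track', 'CompleteRegistration', sanitizeEventData(form, dropped));
  return true;
}

// Audit routine: given captured pixel calls, flag parameters whose key or value
// looks like an identifier or clinical data. Patterns are illustrative only.
const PHI_KEY = /email|phone|dob|birth|(^|_)ip(_|$)|score|assessment|diagnos|insur|member|copay|treat/i;
const PHI_VALUE = [
  /^[^@\s]+@[^@\s]+\.[^@\s]+$/,   // email address
  /^\+?\d[\d\s().-]{8,}\d$/,      // phone number
  /^\d{4}-\d{2}-\d{2}$/,          // ISO date, e.g. a date of birth
  /^\d{1,3}(\.\d{1,3}){3}$/,      // IPv4 address
];

function auditPixelCalls(sent) {
  const findings = [];
  for (const [, eventName, params = {}] of sent) {
    for (const [key, value] of Object.entries(params)) {
      const str = String(value);
      if (PHI_KEY.test(key) || PHI_VALUE.some((re) => re.test(str))) {
        findings.push({ event: eventName, key });
      }
    }
  }
  return findings;
}

// Constructed sample intake form (fake data, assumed field names).
const SAMPLE_FORM = {
  email: 'patient@example.com',
  phone: '+1 415 555 0100',
  dob: '1990-04-12',
  phq9_score: 17,
  utm_campaign: 'spring-2023',
  landing_page: '/landing',
};

function demo() {
  const leaky = makePixelSink();
  leakyReportConversion(leaky.fbq, SAMPLE_FORM);

  const hardened = makePixelSink();
  const dropped = [];
  const firedOnClinicalRoute = hardenedReportConversion(hardened.fbq, SAMPLE_FORM, '/assessment/phq9', dropped);
  hardenedReportConversion(hardened.fbq, SAMPLE_FORM, '/landing', dropped);

  return {
    leakyFindings: auditPixelCalls(leaky.sent),
    hardenedFindings: auditPixelCalls(hardened.sent),
    hardenedParams: hardened.sent[0][2],
    firedOnClinicalRoute,
    dropped,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`: the leaky sink shows four flagged parameters (email, phone, date of birth, assessment score) on the vendor queue, while the hardened sink carries only the two allowlisted keys and fires nothing on the assessment route. The audit routine is deliberately key-and-value based: a vendor "advanced matching" feature or a developer's convenience can put an email or IP under an innocuous key, so checking values as well as names is what catches that in captured traffic.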

The company said it determined that it had disclosed certain information that may be regulated as protected health information under the U.S. health privacy law known as HIPAA to certain third-party platforms and some subcontractors without having obtained HIPAA-required assurances.

Cerebral disclosed the breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as an "unauthorized access/disclosure" incident involving 3.1 million individuals, according to the HHS OCR breach portal.

The data collected and shared included names, phone numbers, email addresses, dates of birth, IP addresses and other demographics, plus mental health self-assessments and related data. If a patient purchased a subscription plan, the data disclosed may have also included appointment dates, treatment, insurance information like plan name and member numbers and the co-pay.

In its notice, Cerebral claimed no Social Security, credit card or bank account information was disclosed in its breach. At the same time, it recommends patients monitor their explanation of benefits, insurance member portal and other communications from payers to "ensure all charges are appropriate."

It says it is also providing credit monitoring and encourages individuals to remain vigilant about incidents of identity theft and fraud. 

The startup rose to popularity during COVID-19 as demand for virtual behavioral health services shot up. It expanded quickly and as of spring 2022 had a valuation of $4.8 billion. Cerebral’s course began to change when allegations of overprescribing emerged and a former executive claimed the company fired him after he complained it was overprescribing stimulants. The CEO then stepped down.

Last May, the Department of Justice announced it was investigating the startup for possible violations of the Controlled Substances Act, which led to the company halting prescriptions for most controlled substances.

Just last month, the Federal Trade Commission (FTC) fined GoodRx $1.5 million for sharing users' health data with social media giants. The action was the first of its kind under the FTC's Health Breach Notification Rule. Then, earlier this month, the FTC ordered BetterHelp to pay millions of dollars to its users over similar allegations. Both actions, pending court approval, included a ban on the respective company sharing user health data with applicable third parties.