Cerebral agrees to $7M settlement with FTC, DOJ over user data sharing, cancellation practices

Virtual mental health startup Cerebral has agreed to pay the government more than $7 million, abide by a “first-of-its-kind” restriction on the handling of consumers’ sensitive information and rework its service cancellation practices, the Federal Trade Commission (FTC) announced Monday.

The government’s proposed order, which was filed by the Department of Justice (DOJ) and requires the court’s signoff, applies to Cerebral and not its former CEO Kyle Robertson.

The FTC wrote in an accompanying complaint that the co-founder had “extensive personal involvement” in the teams and practices that led to the enforcement. However, FTC said in its announcement, Robertson “has not agreed to a settlement, and the charges against him will be decided by the court.”

Just over $5 million of the payment would be used to give partial refunds to consumers who were impacted by the company’s “deceptive cancellation practices.”

A $2 million payment is also being made in lieu of a $10 million civil penalty, which the FTC said it will suspend “due to the company’s inability to pay the full amount.”

In the proposed order and complaint, the FTC alleges that the company drew in customers with promises of “safe, secure and discreet” mental health services. Despite this, Cerebral failed to disclose or “buried” information on its data sharing with practices, FTC said, and made multiple claims that it would seek consumers’ consent before sharing data.

All told, the company sent 3.2 million people’s sensitive information—names, medical histories, addresses, IP addresses and more—to third parties including LinkedIn and TikTok via integrated tracking tools. That data sharing was reported by the company to the U.S. Department of Health and Human Services Office of Civil Rights last year as an “unauthorized access/disclosure” incident.

The regulator also outlined several “sloppy security practices,” such as allowing former employees to access user data and delivering promotional postcards in which patient names and diagnoses could be easily seen.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the internet and in the mail,” FTC Chair Lina Khan said in the announcement. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes."

Further, the proposed order requires the company to simplify its practices for consumers who want to cancel their services. Cerebral, the FTC said, allegedly continued to charge its consumers while slow-walking a “complex, multi-step and often multi-day” cancellation process that incurred “millions” of cumulative additional charges.

Going forward, the proposed order will “permanently ban Cerebral from using or disclosing” consumers’ sensitive information to third parties for marketing or advertising, FTC said.

Cerebral will also, among other requirements, be made to implement a “comprehensive privacy and data security program” addressing specific problems cited by the regulator; provide an easier method of canceling services; delete “most consumer data” not used for care or payment, unless it obtains user consent to data retention; and post a notification on its website informing users of the complaint’s allegations and the proposed order’s various requirements.

Cerebral provides comprehensive, online mental health services for depression, anxiety, post-traumatic stress disorder, attention-deficit/hyperactivity disorder, bipolar disorder and a range of other conditions. It launched in January 2020 and grew rapidly, propelled by hundreds of millions of dollars in fundraising and increased demand for behavioral health care services during the pandemic—though it's also suffered multiple rounds of layoffs in the time since.

Cerebral’s business practices have been under FTC and DOJ scrutiny since 2022, according to media reports and disclosures from the company itself. Its CEO and co-founder, Kyle Robertson, stepped down that same year with his replacement, Dave Mou, M.D., later promising to work with regulators and focus the company on clinical quality.

Though the FTC noted that several of the practices outlined in the proposed order either originated under or were not appropriately addressed under Robertson’s direction, the government wrote in its complaint that Cerebral has repeatedly "mishandled and exposed” consumers’ sensitive data “during and since Robertson’s tenure.”

In a statement published Monday on its website, Cerebral confirmed its agreement to the settlement and said it has been "transparent and fully cooperative" with the government's investigation. 

"The settlement allows Cerebral to move forward with a continued focus on our mission of building a new era of mental healthcare with a safe and secure platform for our clients," it wrote.

Though Monday’s proposed order outlines alleged violations of the Opioid Addiction Recovery Fraud Prevention Act, it does not directly speak to Cerebral’s “possible violations” of the Controlled Substances Act, for which it had also been under federal investigation.

The company had come under fire for virtual prescribing practices after complaints that it had been too quick to prescribe certain treatments like Adderall and Ritalin. Cerebral stopped writing new prescriptions for the products in 2022 shortly after media reports and the DOJ kicked off its investigation.