Senators probe Cerebral, other telehealth players over sharing user information with Facebook, Google

A bipartisan coalition of senators sent letters to three telehealth companies requesting more information regarding their data-sharing practices.

Specifically, the lawmakers are responding to a report by Stat and The Markup that found dozens of telehealth companies are tracking and sharing sensitive and personally identifiable health data with third-party social media and online search platforms such as Google and Facebook.

The letters, sent to Monument, Workit Health and Cerebral, highlighted the monetary scale of the telehealth industry and its use among the one-fifth of Americans living in rural or medically underserved communities. “This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems,” wrote Sens. Amy Klobuchar, D-Minnesota; Susan Collins, R-Maine; Maria Cantwell, D-Washington; and Cynthia Lummis, R-Wyoming, in letters sent to the three companies Feb. 2.

The letters laid out specific practices allegedly used by all three companies along with four requests, the first being the complete list of questions users may be asked on the platform.

These questions, the senators wrote, reveal sensitive and personally identifiable health data that the companies then share with third-party social media and online search platforms “that monetize this data to target advertisements.”

A Cerebral spokesperson issued the following statement when contacted about the lawmakers' letter: “We take patient privacy very seriously and share the Senators’ thoughts about the importance of privacy of patient information. We are working diligently to answer their important questions and are in the process of responding. We remain committed to working with other responsible parties to establish clear guidelines concerning the evolving technologies that improve the delivery of mental health care.”

In the letters, the senators highlight specific questions the companies ask users. For Workit, intake forms include questions such as: Are you in danger of harming yourself or others? If not, what’s your current opioid and alcohol use? How much methadone do you use?

The responses to sensitive questions like these were reportedly then sent to Facebook along with the user’s personal information including full name, email and phone number, the lawmakers wrote.

The URLs users visited were also sent to Google and Bing, according to the recent investigation by Stat and The Markup cited by the senators.   

“This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” wrote the senators.

Stat’s investigation followed 50 direct-to-consumer telehealth companies including the three addressed by the senators. Of the 50 companies, 49 sent URLs visited by users to third-party advertisers, 35 sent personal information, 13 sent users' answers to questionnaires and 11 sent items users put in their digital shopping cart, oftentimes a prescription medication.  

As mentioned in the letters, both the Workit and Monument websites claim that information shared is confidential and HIPAA compliant. Cerebral makes no claims that information shared in intake forms is HIPAA compliant, but its website does state that responses are confidential and secure.

All three platforms were asked to provide a complete list of questions users may be asked on the platform; all third-party platforms to which the company has sent tracked user information in the last three years; and information on how the company will protect user information in the future.

Monument, Workit and Cerebral were also asked to commit to “providing clear, easy-to-understand, plain language information to patients about which personal information you do and do not keep confidential.”

Workit provides online prescriptions for controlled substances, a practice permitted during the ongoing COVID-19 public health exemption. 

In the Workit clinic notice of privacy practice, the company states that patients are protected under two federal laws: HIPAA and the Confidentiality of Substance Use Disorder Patient Records. The notice also states that Workit’s clinics cannot acknowledge to anyone outside the program that a user is a patient nor can they disclose any “information identifying you as a substance use disorder patient.” Exceptions are made with the written consent of patients or due to court order or medical emergency.

Workit responded to Stat following the investigation into its practices, stating that “out of an abundance of caution, we elected to adjust the usage of a number of pixels for now as we continue to evaluate the issue.” “Pixels” refers to website tracking technology that's currently the subject of several privacy investigations.

At the beginning of this month, the Federal Trade Commission reached a $1.5 million settlement with the online pharmacy GoodRx after the company allegedly shared users’ health data with Facebook and Google, along with advertisers. The agreement also bans the company from sharing users’ health information for advertising purposes.

The senators gave the three companies until Feb. 10 to respond.

Editor's note: This story has been updated with a statement from Cerebral.