Telehealth startup Cerebral has admitted to inadvertently sharing sensitive patient information with Google, Meta, TikTok, and other advertisers. As a startup that specializes in mental health, Cerebral collected and stored a plethora of patient data that have now been compromised.
More than 3.1 million patients may have been affected by the HIPAA privacy breach, which Cerebral disclosed in a notice posted on its website.
In addition to general information, personal details like the patients’ contact information have also been leaked. Additionally, the mental health startup may have shared answers filled out by patients during self-assessments.
The breach was a result of an oversight regarding the tracking pixels from advertisers embedded in the app and website.
The information exposed to advertisers may vary from patient to patient. Influencing factors include the configuration of the tracking technologies, the patients’ activities on Cerebral’s platform, and the nature of the services the subscribers received.
The company assured that the exposed data doesn’t include any bank account information, credit card numbers, and social security numbers. However, the patients’ names, phone numbers, email addresses, IP addresses, and insurance details have been leaked. Exposed medical details include treatments, appointment dates, and information filled out by patients in online forms for assessment.
A deeper look into the breach
The compromised data were leaked by tracking pixels – small bits of code from advertisers like Meta, Google, and TikTok that are embedded in the Cerebral app and website. The key purpose of the pixels is to gather information on how users behave around advertisements on the platform.
Cerebral used the pixels to gather information on how users are interacting with the ads and the steps they take.
However, embedding the tracking pixels on the company’s platforms also granted Meta, Google, and TikTok access to the gathered information. The advertisers can directly use the data for better insight into their users.
Users affected by the breach of privacy will be contacted by Cerebral regardless of the extent of their interaction with the platform.
The problem with the tracking pixels is that they didn’t stop at tracking user interaction with advertisements. The pixels also collected data on other user activities on the platforms, including information they filled out on the forms.
Cerebral discovered the flaw in January and has plugged it by removing, disabling, and/or reconfiguring the tracking pixels. The company also claims to have improved its “information security practices and technology vetting processes”.
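The following is an added example, not code from Cerebral or from the original article, of the kind of vetting check that catches this class of leak: it scans a page’s HTML for advertiser tag scripts (external and inline) and flags them when they share a page with form fields that look like patient data. The tracker hostnames, inline call signatures, field-name hints, and the sample page are all constructed for illustration and are not exhaustive.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Advertiser tag hosts named in the article (constructed list, not exhaustive).
TRACKER_HOSTS = {"connect.facebook.net": "Meta Pixel", "analytics.tiktok.com": "TikTok Pixel",
                 "www.googletagmanager.com": "Google Tag Manager"}
# Inline bootstrap calls the tag libraries use (constructed, not exhaustive).
INLINE_SIGNATURES = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "ttq.": "TikTok Pixel"}
# Field-name fragments that suggest patient data (assumed heuristic).
SENSITIVE_HINTS = ("name", "email", "phone", "insurance", "assessment", "symptom")

class TrackerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.trackers = []         # (hostname, label) for external tag scripts/beacons
        self.inline = set()        # labels for inline tracker bootstrap code
        self.sensitive_fields = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe"):
            host = urlparse(a.get("src") or "").hostname or ""
            if host in TRACKER_HOSTS:
                self.trackers.append((host, TRACKER_HOSTS[host]))
        elif tag in ("input", "textarea", "select"):
            name = (a.get("name") or a.get("id") or "").lower()
            if any(h in name for h in SENSITIVE_HINTS):
                self.sensitive_fields.append(name)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as CDATA
            self.inline.update(label for sig, label in INLINE_SIGNATURES.items() if sig in data)

def audit_page(html):
    """Return findings; 'risk' is set when any tracker shares a page with patient fields."""
    p = TrackerAudit()
    p.feed(html)
    return {"trackers": p.trackers, "inline": sorted(p.inline), "fields": p.sensitive_fields,
            "risk": bool((p.trackers or p.inline) and p.sensitive_fields)}

# Constructed sample: an assessment form page with advertiser tags in the head.
SAMPLE_PAGE = """<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', 'PLACEHOLDER_PIXEL_ID'); fbq('track', 'PageView');</script>
<script src="//analytics.tiktok.com/i18n/pixel/events.js"></script>
</head><body><form action="/assessment"><input name="full_name"><input name="email">
<textarea name="assessment_answers"></textarea><input name="insurance_provider"></form></body></html>"""
```

Running `audit_page` over every template in a release pipeline turns the oversight described above into a failed build rather than a disclosure months later.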
Similar privacy breaches found in other healthcare platforms too
Sadly, Cerebral isn’t the only company in the healthcare industry to have shared sensitive patient information with third parties. The FTC slapped large fines on other online healthcare companies like GoodRx and BetterHelp for similar practices.
The Markup later discovered that Meta was also able to use tracking tools encoded in popular tax services to collect sensitive financial information.
The Markup conducted an investigation in 2022, revealing that some of the top hospitals in the US had been sharing such information through Meta’s pixel. Following the revelation, lawsuits were filed against Meta and the responsible hospitals for privacy violations.
Cerebral has undoubtedly landed in hot water, not only for the privacy breach but also for the prescription of controlled substances like Xanax and Adderall. It now faces an investigation by the Department of Justice and Drug Enforcement Administration.
The privacy breach is being investigated by the US Office for Civil Rights, which will determine whether Cerebral violated the HIPAA regulations.