Telehealth startup shares your data with tech giants
The telehealth startup Cerebral has disclosed that it shared personal data with Meta, TikTok, and Google. The personal data includes dates of birth, names, email addresses, phone numbers, IP addresses, other demographics, and Cerebral's mental health assessments.
Cerebral made its name during the pandemic by offering online virtual health services. With lockdowns and the state of life back then, Cerebral's services came in handy for millions of people. However, the latest filing to the federal government shows that, apart from its benefits to mental health, the app failed to protect users' privacy and caused a massive leak. As reported by TechCrunch, Cerebral unintentionally shared the information of over 3.1 million patients.
Cerebral said that, just like other telehealth companies, it used on its platform tracking technologies called "pixels," made available by Google, Meta, TikTok, and other third-party apps. The company began its operations in October 2019 and used pixels from the start. On January 3, 2023, the company realized it had disclosed certain information that may be regulated as protected health information to companies like Google, Facebook, and TikTok.
What information was disclosed?
"If an individual created a Cerebral account, the information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information. If, in addition to creating a Cerebral account, an individual also completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information.
If, in addition to creating a Cerebral account and completing Cerebral’s online mental health self-assessment, an individual also purchased a subscription plan from Cerebral, the information disclosed may also have included subscription plan type, appointment dates, and other booking information, treatment, and other clinical information, health insurance/pharmacy benefit information (for example, plan name and group/member numbers), and insurance co-pay amount," says the full disclosure, shared by Zack Whittaker.
After learning of the issue, the company disabled, reconfigured, and removed tracking technologies to prevent further damage. "In addition, we have enhanced our information security practices and technology vetting processes to further mitigate the risk of sharing such information in the future," Cerebral added.
This is the second big breach of 2023 submitted to the US Department of Health and Human Services. Recently, multiple lawsuits were filed against Regal Media Group for over 3.3 million ransomware attacks. You can check the whole list here.