Cerebral, a telehealth startup that specializes in mental health, says it inadvertently shared the confidential information of more than 3.1 million patients with Google, Meta, TikTok and other third-party advertisers, as previously reported by TechCrunch. In a new notice posted on the company’s website, Cerebral admits to exposing a long list of patient data through the tracking tools it has been using since October 2019.
Information affected by the oversight includes patient names, phone numbers, email addresses, dates of birth, IP addresses, insurance information, appointment dates, treatment details, and more. It may even have shared the responses customers filled out as part of the mental health self-assessment on the company’s website and app, which patients can use to schedule therapy appointments and receive prescription drugs.
According to Cerebral, this information was exposed through the use of tracking pixels, the snippets of code that Meta, TikTok, and Google allow developers to embed in their apps and websites. The Meta Pixel, for example, can collect data about a user’s activity on a website or app after they click on an ad on the platform, and can even capture information a user fills out in an online form. While this allows companies like Cerebral to measure how users engage with their ads across various platforms and track the steps they take afterward, it also gives Meta, TikTok, and Google access to this information, which they can then use to learn more about their own users.
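To show the kind of check a compliance or security team would run on a health-care site after an incident like this, here is an added example (not code from the article or from Cerebral) that scans a page's HTML for advertising pixel snippets and flags when they share a page with sensitive form fields. The vendor signature patterns, the sensitive-field keyword list and the sample HTML are my own constructed assumptions about how such snippets typically appear, not something the article documents.

```python
import re

# Typical source-code fingerprints of the pixels named in the article (assumed patterns).
PIXEL_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/[^\"']*fbevents\.js", r"fbq\(\s*['\"]init['\"]"],
    "TikTok Pixel": [r"analytics\.tiktok\.com/i18n/pixel", r"ttq\.load\("],
    "Google Ads/Analytics tag": [r"googletagmanager\.com/gtag/js", r"gtag\(\s*['\"]config['\"]"],
}

# Form-field name fragments that suggest PHI or contact data a pixel could capture.
SENSITIVE_FIELD_HINTS = ("insurance", "birth", "dob", "diagnosis", "assessment", "phone", "email")


def audit_page(html: str) -> dict:
    """Report which pixels are embedded, which sensitive fields share the page, and whether both co-occur."""
    pixels = sorted(vendor for vendor, patterns in PIXEL_SIGNATURES.items()
                    if any(re.search(p, html, re.I) for p in patterns))
    field_names = re.findall(r"<(?:input|select|textarea)[^>]*\bname=[\"']([^\"']+)[\"']", html, re.I)
    sensitive = sorted({name for name in field_names
                        if any(hint in name.lower() for hint in SENSITIVE_FIELD_HINTS)})
    # Risk flag: a third-party pixel runs on the same page where sensitive data is entered.
    return {"pixels": pixels, "sensitive_fields": sensitive, "risk": bool(pixels and sensitive)}


# Constructed sample intake page: a Google tag plus a Meta Pixel next to an intake form.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-EXAMPLE"></script>
<script>
  !function(f,b,e,v,n,t,s){/* loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'EXAMPLE_PIXEL_ID');
</script>
</head><body>
<form action="/intake">
  <input name="email">
  <input name="date_of_birth">
  <select name="insurance_provider"></select>
  <textarea name="assessment_answers"></textarea>
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML))
```

In practice you would feed this the rendered HTML of each page that collects patient data (intake forms, assessments, scheduling), and treat any `risk: True` result as a page to remove or reconfigure the pixel on.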
The information exposed could “vary” from one patient to another.
As Cerebral noted, the information exposed could “vary” from patient to patient depending on several factors, including “what actions people took on Cerebral’s platforms, the nature of the services provided by subcontractors, the configuration of the tracking technologies” and more. The company says it will notify affected users, adding that “no matter how an individual interacted with Cerebral’s platform,” it did not expose social security numbers, credit card numbers, or bank account information.
After initially finding the security hole in January, Cerebral says it has “disabled, reconfigured and/or removed” the tracking pixels on its platform to prevent future exposure, and says it has “enhanced” its information security practices and technology review processes.
Cerebral is required by law to disclose potential violations of HIPAA, the Health Insurance Portability and Accountability Act, which prevents healthcare providers from disclosing patient information to anyone other than the patient, or anyone the patient has consented to share health information with. The breach is currently under investigation by the US Office for Civil Rights and follows similar incidents involving pixel tracking tools.
Last year, an investigation by The Markup discovered that some of the country’s top hospitals were sending sensitive patient information to Meta through the company’s pixel. This sparked two class action lawsuits alleging that Meta and the hospitals in question violated medical privacy laws.
Months later, The Markup also discovered that Meta was able to obtain financial information about users through the tracking tools built into popular tax services such as H&R Block, TaxAct, and TaxSlayer. Meanwhile, other online medical companies, such as BetterHelp and GoodRx, received heavy fines from the FTC earlier this year for sharing sensitive patient data with third parties.
In addition to facing scrutiny over whether it has violated HIPAA regulations, Cerebral faces investigation by the Department of Justice and the Drug Enforcement Administration for prescribing controlled substances such as Adderall and Xanax. It has since stopped prescribing these drugs.