Telehealth Firm Cerebral Admits ‘Privacy Breach’ as the FTC Cracks Down on Data Sharing
Published on: 2023-3-15
US-based online therapy company Cerebral has admitted to unlawfully sharing sensitive health data with Google, TikTok, Meta, and other platforms. The company notified its users of a breach of the Health Insurance Portability and Accountability Act (HIPAA) via its website on March 15th.
Cerebral’s admission comes as the US Federal Trade Commission (FTC) tightens its grip on online advertising, particularly among remote healthcare providers.
Recent FTC sanctions of telehealth companies GoodRx and BetterHelp suggest a pattern of enforcement that might impact Cerebral. This article will explore what Cerebral did wrong and why it matters so much in the current privacy-focused climate.
Cerebral’s notice warns users about a “recently discovered issue” involving the “inadvertent” sharing of data. The notice arises out of an internal review of Cerebral’s data-sharing practices that ended on January 3rd, 2023.
Cerebral says that “like others in many industries”, it uses online tracking technologies such as pixels to share personal information for advertising purposes. The company cites Meta, TikTok, and Google as three examples of third-party platforms with whom Cerebral has shared data.
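Tracking pixels of the kind Cerebral describes are ordinary `<script>` and `<img>` tags (or inline bootstrap snippets) that load from, or beacon to, an advertising platform's hosts, so the first step in reviewing a site's own data-sharing is to inventory which pages carry them. The following Python script is an added example, not code from Cerebral or from the original article: it parses a page's HTML and flags tags that point at a small, assumed and non-exhaustive list of well-known tracker hostnames, plus the inline `fbq(` / `ttq.load(` bootstrap calls the Meta and TikTok snippets make. The sample page and all IDs in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short, non-exhaustive map of hostnames that common advertising
# pixels load from or beacon to. Extend it for the trackers a given site uses.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "analytics.tiktok.com": "TikTok Pixel (script)",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}
# Inline bootstrap calls made by the pixel snippets; these carry no src attribute.
INLINE_MARKERS = {
    "fbq(": "Meta Pixel (inline bootstrap)",
    "ttq.load(": "TikTok Pixel (inline bootstrap)",
}


class TrackerFinder(HTMLParser):
    """Collects (tag, host, label) for every tracker reference found in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if src is None:
            # A <script> with no src is inline; inspect its body in handle_data.
            self._in_inline_script = tag == "script"
            return
        # urlparse handles https://host/, protocol-relative //host/ and
        # first-party relative paths (hostname is None for the latter).
        host = urlparse(src).hostname
        if host in TRACKER_HOSTS:
            self.findings.append((tag, host, TRACKER_HOSTS[host]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if not self._in_inline_script:
            return
        for marker, label in INLINE_MARKERS.items():
            if marker in data:
                self.findings.append(("script", "inline", label))


def find_trackers(html):
    """Return the list of tracker references found in the given HTML."""
    finder = TrackerFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, modelled on the shape of the common pixel snippets.
# The pixel and SDK IDs are placeholders, not real identifiers.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
<script async src="https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=SDK_ID_PLACEHOLDER"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
<img src="/img/logo.png" alt="logo">
</body></html>"""


if __name__ == "__main__":
    for tag, host, label in find_trackers(SAMPLE_PAGE):
        print(f"<{tag}> -> {host}: {label}")
```

Run against the constructed page, the first-party script and logo are ignored and three references are reported: the inline Meta bootstrap, the TikTok events script, and the Meta image beacon inside `<noscript>`. A static scan like this misses trackers injected later by a tag manager at runtime, so pairing it with a review of the browser's network requests on the live site gives a fuller picture.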
Given the sensitive information users provide to Cerebral, any breach of privacy law is potentially very serious.
What Data Has Been Disclosed?
Cerebral says that the types of data that have been unlawfully disclosed include:
- Phone number
- Email address
- Date of birth
- IP address
- Cerebral client ID number
- Other demographic information
- Information provided to Cerebral during the self-assessment process
- Subscription details
- Appointment details
- Treatment details
- Health insurance information
Some of this information is particularly sensitive. When a user self-assesses for therapy, they might disclose details of their medication, symptoms, and mental state.
Even other information, such as a user’s name or email address, can reveal that a person is seeking therapy. As such, any information associated with a Cerebral user’s account could be considered “health data” or “protected health information”.
Did Cerebral Break the Law?
Cerebral’s notice to users says that the company had committed a “HIPAA privacy breach” by sharing protected health information (PHI) with third parties without obtaining “HIPAA-required assurances”.
Business associates can receive protected health information from HIPAA covered entities (such as health plans, healthcare clearinghouses, and some healthcare providers) subject to a contract that limits how they use the data.
It’s not clear whether Cerebral is making this disclosure as a business associate, or whether the company now considers its activities to be directly in the scope of HIPAA.
Either way, there are other US laws that would prohibit the company from sharing personal information without notice or consent.
Why Was Cerebral Disclosing This Data?
Cerebral suggests that many other companies are sharing personal data with advertisers in this way. This might not be deemed an excuse for violating HIPAA. But it’s true that such practices are relatively common.
Platforms share data with social media networks to increase growth and sales. For example, information about the demographics of existing Cerebral users will help platforms like Meta target ads at similar people (i.e. potential customers).
But this all-too-common practice might soon become rarer, given current enforcement trends.
FTC Data-Sharing Sanctions
There are two very recent examples of enforcement action against companies similar to Cerebral. These cases suggest that the FTC is getting serious about the careless disclosure of personal information to advertisers.
In February 2023, the FTC settled with GoodRx, a telehealth company that provides discount prescription drugs.
Like Cerebral, GoodRx admitted to sharing user data with third-party platforms such as Meta, Google and Criteo.
Here’s an example of one of GoodRx’s violations.
- GoodRx created lists of people who had bought heart disease and blood pressure medication.
- It shared data about those users with Meta, including their email addresses, phone numbers, and advertising IDs.
- Meta matched this data with the users’ Facebook profiles.
- GoodRx targeted the users with “relevant” ads on Facebook.
This all took place despite GoodRx’s numerous privacy assurances to users.
GoodRx settled with the FTC under the Health Breach Notification Rule. The company agreed to pay a $1.5 million civil penalty and is banned from sharing data for advertising purposes.
BetterHelp, like Cerebral, is a remote therapy provider. In March, the company agreed to pay a $7.8 million civil penalty after an FTC investigation into its data-sharing practices.
BetterHelp committed similar violations to both GoodRx and Cerebral: sharing user data with third-party platforms. The case cites Meta (of course) plus Snapchat and Pinterest.
BetterHelp made repeated promises not to share its users’ personal information, but the company was found to have shared information about its users’ medication and treatments for advertising purposes.
The FTC was particularly concerned with how BetterHelp shared its users’ email addresses with Facebook. While those email addresses had been through a security process known as “hashing”, this did not protect users’ identities, as Facebook could still identify individual users.
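Why an unkeyed hash offers no protection here is easy to show in code. The following Python example is added here and is not code from BetterHelp, the FTC, or the original article; the addresses and ad-account IDs are constructed sample data. The sharing side sends SHA-256 digests instead of addresses, but the receiving platform already holds the same addresses for its own account holders, so it can apply the same public function and join on the digest. The example also shows the contrast with a keyed HMAC under a key the sharing party never discloses, which the platform cannot reproduce.

```python
import hashlib
import hmac

# Constructed sample data (not real people): addresses a health platform holds
# for its users, and addresses an ad platform holds for its own account holders.
# Two addresses appear on both sides.
PROVIDER_USERS = ["Alice@Example.com", "bob@example.com", "carol@example.com"]
PLATFORM_ACCOUNTS = {
    "alice@example.com": "ad-account-1",
    "carol@example.com": "ad-account-3",
    "dave@example.com": "ad-account-4",
}


def normalize(email):
    """Canonicalise an address so both sides hash identical bytes."""
    return email.strip().lower()


def plain_hash(email):
    """Unkeyed SHA-256: the kind of 'hashing' that did not hide identities."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def share_plain_hashes(emails):
    """What the sharing party transmits: digests in place of addresses."""
    return [plain_hash(e) for e in emails]


def rematch(received_hashes, platform_accounts):
    """The receiving platform re-identifies users by hashing the addresses it
    already holds with the same public function and joining on the digest.
    Returns {digest: platform account id} for every hash it could resolve."""
    lookup = {plain_hash(e): acct for e, acct in platform_accounts.items()}
    return {h: lookup[h] for h in received_hashes if h in lookup}


def share_keyed_hashes(emails, secret_key):
    """HMAC-SHA-256 under a key held only by the sharing party. Without the key
    the platform cannot recompute these digests from its own address list."""
    return [
        hmac.new(secret_key, normalize(e).encode("utf-8"), hashlib.sha256).hexdigest()
        for e in emails
    ]


if __name__ == "__main__":
    matched = rematch(share_plain_hashes(PROVIDER_USERS), PLATFORM_ACCOUNTS)
    print(f"unkeyed SHA-256: platform re-identified {len(matched)} of {len(PROVIDER_USERS)} users")
    keyed = rematch(share_keyed_hashes(PROVIDER_USERS, b"constructed-provider-only-key"), PLATFORM_ACCOUNTS)
    print(f"keyed HMAC:      platform re-identified {len(keyed)} users")
```

With the constructed data the unkeyed digests re-identify two of the three users; the keyed digests re-identify none. The caveat a practitioner should keep in mind is that the keyed form only helps against a recipient that does not need to match users, and advertising "custom audience" matching exists precisely so the platform can match. The digest is a pseudonym, not anonymisation, and sending it to a party that can resolve it is still a disclosure of the underlying identity, which is what the FTC treated it as.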
BetterHelp settled under the FTC Act, a consumer protection law that bars “deceptive or misleading commercial practices”. The case hinged on BetterHelp’s broken promises and lack of consent.
What Happens Next for Cerebral?
Cerebral says that it “promptly disabled, reconfigured, and/or removed” the tracking technologies present on its website and app.
The company advises users to consider adjusting their privacy settings on social media platforms, use “incognito mode” to avoid trackers, and monitor any communications from health insurance providers.
This is the type of notice normally provided following a security breach, such as where a malicious actor gains access to a company’s systems and steals data. Indeed, security breaches share many characteristics with the unlawful sharing of personal data with advertisers.
In both cases, users might not have known that a company was sharing their personal information with a third party. The affected users did not authorise the disclosure. And the users have little control over what happens to their data once it is shared.
Cerebral has not announced that it is under FTC investigation. The company waited over two months to notify its users of the breach, but may be attempting to mitigate any potential investigation that does occur.
This sort of proactive notification of a potential breach of privacy law is a further sign that companies worldwide are taking privacy more seriously.