Cerebral, a telehealth startup that gained popularity in the early days of the pandemic, revealed this week that it shared the personal data of more than 3.1 million US patients with social media companies and advertisers, including Google, Meta and TikTok. As first reported TechCrunch (through the edge), a notice recently posted on Cerebral’s website reveals that the company has been using “pixels,” tracking scripts that companies like Meta provide to third-party developers for advertising purposes, to collect user data since it began operations in October. of 2019.
Following a recent review of its software, Cerebral “determines that it has disclosed certain information that may be regulated as protected health information under [the Health Insurance Portability and Accountability Act].” Among the data Cerebral shared were names, phone numbers, dates of birth and insurance information. In some cases, the company may also have exposed information it collected through mental health self-assessment patients completed to schedule counseling appointments and access other services. According to Cerebral, he did not disclose social security numbers, banking information or credit card numbers.
After learning of the oversight, Cerebral says it “disabled, reconfigured, and/or removed” the tracking pixels that caused the data exposure. “In addition, we have enhanced our information security practices and technology vetting processes to further mitigate the risk of sharing such information in the future.” The US Department of Health and Human Services is investigating Cerebral. News of the data exposure comes after the Federal Trade Commission fined discount drug app GoodRx $1.5 million for sharing patient information with Meta and Google. Earlier this month, the agency announced a $7.8 million settlement with online counseling company BetterHelp, saying it sought to ban the company from sharing health data for ad targeting.