The U.S. Federal Trade Commission has recently reached a settlement with telehealth firm Cerebral. As part of the settlement, Cerebral has agreed to pay $7,000,000 in response to allegations of mishandling sensitive health data in the Facebook Pixel Data Leak Case.
Cerebral is a prominent remote telehealth company that specializes in providing online therapy and medication management for various mental health conditions, such as anxiety, depression, ADHD, Bipolar Disorder, and substance abuse.
In March 2023, Cerebral discovered a data breach and took immediate action. The company promptly notified 3.2 million individuals who had engaged with its websites, applications, and services. It was determined that the breach occurred as a result of tracking pixels utilized on the platform.
Facebook Pixel Data Leak Case
The complaint filed by the FTC alleges that Cerebral, along with its former CEO Kyle Robertson, violated consumer privacy by disclosing personal health information to third parties for advertising purposes. The complaint also charges that the company failed to honor its own cancellation policies.
“The complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps,” the announcement reads. “These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps.”
In its announcement, the FTC also highlighted several other alleged practices at Cerebral, each of which exposed consumers’ sensitive health data to a different degree.
These include failing to revoke former employees’ access to Cerebral patient records, and not segregating access between providers, so that providers had unrestricted access to patient records.
The agency further noted that Cerebral used an insecure single sign-on method for access to the patient portal, and that it did not restrict employees’ access to only the data they needed for their job responsibilities.
The proposed order, subject to court approval, includes the following provisions:
• A $5,100,000 refund to customers affected by the deceptive cancellation practices.
• A $10,000,000 civil penalty, capped at $2,000,000 in light of Cerebral’s financial capacity.
• Permanent ban on sharing health data with third parties for marketing and advertising purposes.
• A requirement to obtain consumer consent before disclosing personal or health data to any third party.
• A prohibition on misrepresenting its data security and privacy practices.
• Implementation of a comprehensive data security and privacy program.
• Posting of a notice on the company’s website describing the complaint and the actions consumers can take.
• Establishment of a data retention schedule, deletion of consumer data that is no longer needed unless the consumer has consented to its retention, and a clear mechanism for consumers to request deletion of their data.
• Prohibition of misrepresentations regarding cancellation policies and simplification of the cancellation process for consumers.
Former CEO Robertson, who allegedly instructed the removal of an “easy cancellation” button from Cerebral’s website, has not reached a settlement agreement. As a result, the court will determine the outcome of the charges against him.