Cerebral Confirms Sharing 3.1 Million Patients' Data With Meta, TikTok, Google

The telehealth firm said it was unintentional.

Participants hold their laptops in front of an illuminated wall at the annual Chaos Computer Club (CCC) computer hackers' congress, called 29C3, on December 28, 2012 in Hamburg, Germany. The 29th Chaos Communication Congress (29C3) attracts hundreds of participants worldwide annually to engage in workshops and lectures discussing the role of technology in society and its future. Photo by Patrick Lux/Getty Images

Cerebral, a mental health telehealth firm, claims it accidentally shared the personal information of more than 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers.

The startup has acknowledged in a post published on its website that it has been utilizing monitoring tools that have revealed a slew of patient data since at least October 2019.

Patients' names, contact information, email addresses, birth dates, IP addresses, insurance details, appointment schedules, medication, and more were all compromised due to the error, as TechCrunch first reported. In certain cases, this may have revealed customers' responses to the company's mental health self-assessment, which is used to set up treatment sessions and provide medicines.

Tracking Pixels

According to The Verge, Cerebral claims this information was leaked via tracking pixels, which are small pieces of code that platforms like Meta, TikTok, and Google make available to app and website builders. For instance, after a user clicks an ad, the Meta Pixel may follow that user's activities on a website or app and even their online form submissions.

Although this is useful for businesses like Cerebral to see how people respond to their advertising across different platforms and what they do next, it also provides valuable data to other firms like Meta, TikTok, and Google.

Cerebral has said that the information disclosed may vary from patient to patient based on variables such as what activities people performed on Cerebral's platforms, the services offered by subcontractors, the settings of tracking systems, and more.

The organization promises to contact anyone impacted and assures the public that, no matter how a person is connected with Cerebral's platform, no sensitive data, such as Social Security numbers or credit and bank account details, was compromised.

Cerebral claims it has "disabled, reconfigured, and/or removed" any tracking pixels from the platform. Since discovering the vulnerability issue in January, it has improved its information security standards and technology vetting processes.

Probable Violations

HIPAA, or the Health Insurance Portability and Accountability Act, mandates that Cerebral report any suspected breaches to the appropriate authorities. To put it simply, this rule prevents healthcare practitioners from sharing their patients' personal health information with anybody other than the patient or a person specifically authorized by the patient to receive such data.

The US Department of Justice's (DOJ) Office for Civil Rights is presently looking into the breach, which follows other cases involving pixel-tracking programs.

The DOJ and the Drug Enforcement Administration are also looking into Cerebral's prescription of restricted medications, including Adderall and Xanax, in addition to investigating the possibility that the company has broken HIPAA standards. The company has now stopped selling these drugs, The Verge said.

Trisha Andrada
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.