Telehealth startup Cerebral shared patient data with social media

While online applications and services have made people’s lives easier in myriad ways, the convenience can come with downsides, particularly when it comes to user privacy and data collection. Telehealth, in particular, has helped make healthcare more accessible to many people, especially during lockdown periods of the COVID-19 pandemic. Because of this, people could attend therapy and refill prescriptions from the safety of their own homes. However, users of such platforms have much to lose if their data is compromised.

Unfortunately, Cerebral, one of the virtual health services that rose in popularity during the pandemic, recently admitted that it unwittingly shared its users’ confidential patient data with social media advertisers. According to TechCrunch, the company filed a notice of a HIPAA Privacy Breach with the federal government outlining what happened and what data was inadvertently shared.

Tracking pixels to blame

Cerebral revealed that sensitive user data of more than 3.1 million patients in the United States may have been exposed to advertisers and social media companies such as Facebook and TikTok. This information may include dates of birth, IP addresses, client ID numbers, and private health information. If a user had completed their online mental health self-assessment, this information may also have been disclosed. 

This data leak was due to tracking pixels and other data-collecting code embedded within the Cerebral app. Tech companies frequently let developers use parts of their code to monitor how users interact with their ads on other platforms. Companies like Cerebral benefit from having more ways to measure user behavior. The third-party companies, in turn, benefit from access to data they shouldn’t have, which gives them even more insight into their users. Developers using the code often claim not to know the extent of the data collection. Meanwhile, users typically have no idea how much information they share using these apps.
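One way to check an app for this kind of exposure is to capture the requests it makes and flag those sent to third-party hosts that carry sensitive fields or the URL of the page being viewed. The following is an added example, not code from Cerebral or any tracker vendor; the host names, parameter names, and the `SENSITIVE_HINTS` list are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed name fragments, chosen to match the data types the article lists.
SENSITIVE_HINTS = ("dob", "birth", "client_id", "patient", "assessment", "diagnosis")

def is_third_party(host, first_party):
    """True when host is neither the first-party domain nor a subdomain of it."""
    host = host.lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))

def audit_requests(urls, first_party):
    """Return (host, findings) for third-party requests carrying sensitive data."""
    report = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host or not is_third_party(host, first_party):
            continue
        findings = set()
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if any(hint in key.lower() for hint in SENSITIVE_HINTS):
                findings.add("param:" + key)
            # A pixel that echoes the page URL reveals which health page was open.
            if first_party in value.lower():
                findings.add("page_url:" + urlsplit(value).path)
        if findings:
            report.append((host, sorted(findings)))
    return report

# Constructed sample of captured requests; every host is a placeholder.
SAMPLE = [
    "https://app.telehealth.example/assessment/anxiety?step=3",
    "https://cdn.telehealth.example/app.js",
    "https://pixel.adnetwork.example/tr?ev=PageView&client_id=C-1042&dob=1990-01-01",
    "https://metrics.social.example/collect?event=Submit&assessment_score=17",
    "https://px.social.example/p?dl=https%3A%2F%2Fapp.telehealth.example%2Fassessment%2Fanxiety",
    "https://fonts.thirdparty.example/css?family=Inter",
]

if __name__ == "__main__":
    for host, findings in audit_requests(SAMPLE, "telehealth.example"):
        print(host, findings)
```

Every third-party request also exposes the user's IP address to the receiving host, so a clean parameter list does not by itself mean nothing was shared.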

Since becoming aware of the security hole in January, Cerebral claims to have removed all tracking pixels and has advanced its information security practices. Information that was not leaked includes social security numbers, credit card numbers, and bank account information. Cerebral said it would notify any user who was affected.

Not the first time

Unfortunately, Cerebral is just the most recent case of patient data being mined by advertisers and social media giants. Just a few weeks before, online therapy company BetterHelp was ordered by the Federal Trade Commission (FTC) to pay its users a $7.8 million settlement due to alleged data mishandling. The month before, the FTC fined online pharmacy GoodRx $1.5 million for several years of sharing health data with third parties.
