
Healthcare platform Cerebral sends data breach notices to 3.18 million people who have interacted with its websites, apps and telehealth services.

Cerebral is a remote telehealth company that provides online therapy and medication management for a variety of mental health conditions, including anxiety, depression, ADHD, bipolar disorder, and addiction.

In a ‘HIPAA privacy breach notice’ posted on Cerebral’s site this week, the company revealed that it has used web beacon trackers from Google, Meta (Facebook), TikTok and other third parties on its online services since October 12, 2019.

Due to the data-logging capabilities of a tracking pixel, Cerebral said the sensitive medical information of people who use the provider’s platform was exposed to third parties without the patients’ permission.

“Cerebral recently launched a review of its use of tracking technologies and data sharing practices involving contractors,” Cerebral warned in its privacy breach notice.

“On January 3, 2023, Cerebral determined that it had disclosed certain information that may be regulated as protected health information (“PHI”) under HIPAA to certain third-party platforms and contractors without having obtained the assurances required by HIPAA.”

Cerebral reported to the US Department of Health and Human Services breach portal that 3,179,835 people had their information exposed as part of this breach.

The information disclosed to tech giants and subcontractors varies for each individual, depending on what was entered into the Cerebral platform.

For example, some users only created an account on Cerebral, others completed the mental self-assessment online, and some purchased a subscription plan.

In general, the company lists the following information as potentially exposed:

  • Full name
  • Phone number
  • E-mail address
  • Date of birth
  • IP address
  • Cerebral client ID number
  • Demographic information
  • Self-report responses and associated health information
  • Subscription type
  • Appointment dates
  • Treatment details and other clinical information
  • Information on health insurance/pharmacy benefits

This information may have been disclosed to third parties from October 12, 2019 to January 3, 2023, when the company became aware that the data was being exposed via tracking pixels.

Cerebral says that regardless of users’ level of interaction with its platforms, their social security number, credit card information, and bank account information were not impacted.

All active trackers on Cerebral’s platform have now been removed or reconfigured to prevent disclosure of sensitive data to third parties that do not meet HIPAA requirements.

The company says it is not aware of any misuse of sensitive health information. However, it suggests that everyone affected reset their Cerebral user account password as a precaution.

Additionally, the company will cover the costs of free credit monitoring for those at risk of identity theft and fraud.

This disclosure comes just days after the FTC reached a $7.8 million settlement with online counseling service BetterHelp for sharing sensitive medical data with advertisers like Facebook, Snapchat, Criteo and Pinterest.

Last year it was revealed that several American hospitals used an online patient services portal named “MyChart”, which hosted the invisible Meta Pixel JavaScript tracker, essentially allowing advertisers to access the sensitive medical data of millions.

In July 2022, a class action was filed against Meta, UCSF Medical Center, and the Dignity Health Medical Foundation, alleging that the organizations were unlawfully collecting sensitive patient health data for the purpose of targeted advertising.

