Telehealth startup Cerebral has inadvertently shared sensitive information of over 3.1 million patients with third-party advertisers, including Google, Meta and TikTok. The company admitted to the oversight on its website, stating that it exposed a range of patient data through tracking tools used as far back as October 2019. The information compromised includes patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment and more. It may have also revealed the answers patients provided as part of the mental health self-assessment on the Cerebral platform, which they can use to schedule therapy appointments and receive prescription medication.
Cerebral said that the information got out through tracking pixels, bits of code embedded in websites and apps that companies like Cerebral use to measure how users interact with their ads on various platforms and track the steps they take afterward. Meta Pixel, for instance, collects data about a user’s activity on a website or app after clicking an ad on the platform and keeps track of the information the user fills out on an online form. While this provides insight to companies, it also gives Meta, TikTok and Google access to the data, which they can use to gain insight into their own users.
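An added example of the kind of audit a defender can run against the mechanism described above (this is not Cerebral's code or a pixel vendor's SDK): given captured outbound requests in a HAR-like shape, flag beacons to third-party tracker hosts whose query string or form-encoded body carries form-field data such as e-mail addresses or phone numbers. The tracker host list, the `cd[...]`-style key handling and the sample requests are illustrative assumptions.

```javascript
// Added example: audit captured browser requests for third-party beacons
// carrying form-field data. Tracker hosts below are assumed for illustration.
const TRACKER_HOSTS = new Set([
  "www.facebook.com",        // assumed Meta Pixel beacon host
  "analytics.tiktok.com",    // assumed TikTok Pixel host
  "www.google-analytics.com" // assumed Google Analytics host
]);

const PII_KEYS = new Set(["email", "em", "phone", "ph", "fn", "ln", "dob"]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?\d[\d\s().-]{7,}\d$/;

// Collect [key, value] pairs from the URL query and, for form posts, the body.
function extractParams(url, postData) {
  const params = [...new URL(url).searchParams];
  if (postData && postData.mimeType === "application/x-www-form-urlencoded") {
    params.push(...new URLSearchParams(postData.text));
  }
  return params;
}

// A parameter is sensitive if its (unbracketed) key is a known PII name
// or its value looks like an e-mail address or phone number.
function looksSensitive(key, value) {
  const bare = key.replace(/^.*\[(.*)\]$/, "$1").toLowerCase(); // cd[email] -> email
  return PII_KEYS.has(bare) || EMAIL_RE.test(value) || PHONE_RE.test(value);
}

// Returns one finding per tracker request that carries sensitive fields.
function auditBeacons(requests) {
  const findings = [];
  for (const r of requests) {
    const host = new URL(r.url).host;
    if (!TRACKER_HOSTS.has(host)) continue; // first-party traffic is out of scope
    const fields = extractParams(r.url, r.postData)
      .filter(([k, v]) => looksSensitive(k, v))
      .map(([k]) => k);
    if (fields.length) findings.push({ host, fields });
  }
  return findings;
}

// Constructed sample capture: two leaking beacons, one benign, one first-party.
const SAMPLE_REQUESTS = [
  { url: "https://www.facebook.com/tr/?id=1&ev=Lead&cd[email]=jane%40example.com&cd[phone]=%2B15555550100" },
  { url: "https://analytics.tiktok.com/i18n/pixel/events",
    postData: { mimeType: "application/x-www-form-urlencoded", text: "event=SubmitForm&email=jane%40example.com" } },
  { url: "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fassessment" },
  { url: "https://app.example-clinic.test/api/assessment?step=3" }
];

console.log(JSON.stringify(auditBeacons(SAMPLE_REQUESTS), null, 2));
```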
Cerebral added that the exposed information could vary depending on several factors, including what actions individuals took on Cerebral's platforms, the nature of the services provided by the subcontractors, the configuration of the tracking technologies and more. The company plans to notify affected users and said it did not expose social security numbers, credit card numbers or bank account information. After discovering the security hole in January, Cerebral removed the tracking pixels from its platforms to prevent future exposures and enhanced its information security practices and technology vetting processes.
Cerebral is required by law to disclose potential violations of HIPAA, which bars healthcare providers from divulging patient information to anyone other than the patient or those the patient has authorized to receive information about their health. The US Office for Civil Rights is currently investigating the breach, which follows similar incidents involving pixel-tracking tools.