The Federal Trade Commission (FTC) has proposed a $7 million fine against Cerebral Inc for what it sees as a mishandling of consumer data. Cerebral, allegedly not only mishandled the data but actively shared it with third parties for advertising purposes.
The complaint alleges that Cerebral Inc consumer data consisting of sensitive information of nearly 3.2 million individuals had been to various third-party agencies, such as Google, Meta (Facebook), TikTok, among other advertising giants.
This sharing of consumer data reportedly occurred through Cerebral’s platforms by utilizing tracking tools on its website or apps, such as tracking pixels.
Cerebral, Inc. agreed to comply with a settlement with the FTC, which includes restrictions on the company’s use or disclosure of sensitive consumer data. In the statement, the FTC reaffirmed its fight against the poor data handling of consumers’ sensitive health data in some health companies.
FTC Cites Poor Handling and Malpractices Behind Cerebral Inc Consumer Data Collection
The data being mishandled reportedly included not only typical contact and payment information but also detailed medical histories, prescriptions, health insurance details, and even sensitive personal beliefs and orientations.
The publication cites various examples of Cerebral’s poor practices including a failure to restrict former employees from accessing confidential medical records, promotional postcards that disclosed patient health details, and relying on insecure access methods for its patient portal, which allowed users to access others’ the confidential health information of other patients.
Furthermore, the lawsuit accused Cerebral Inc. of violating the ‘Restore Online Shoppers’ Confidence Act’ (ROSCA) by making it difficult for consumers to cancel subscriptions. The complaint outlined a convoluted cancellation process that involved staff contacting consumers to dissuade them from canceling, keeping subscriptions active until staff “confirmed” cancellation demands, and even removing a simplified cancellation button after observing an increase in cancellations.
Mental Health Firm Issued Data Breach Notice Last Month
Cerebral Inc. disclosed in a breach notice published on its website that company data had been shared through invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since 2019, without adequate patient permission.
The breach had been reported on the U.S. Department of Health and Human Services breach portal, mentioning the personal details of 3,179,835 people being exposed as part of this breach. The data breach was stated to include details such as full name, phone number, email address, date of birth, IP address, Cerebral client ID number, and demographic information.
However, the firm stated that the shared information did not include Social Security numbers, credit card information, or bank account information. The firm indicated that it had ‘enhanced’ its information security practices and technology vetting processes to mitigate the sharing of such information in the future.
The firm claimed that it was among several others across industries such as health systems, traditional brick-and-mortar providers, and other telehealth companies who had resorted to the use of pixel and other common tracking technologies. Cerebral stated that it would provide free credit monitoring to help affected users.
The data breach incident as well as FTC’s proposed fine highlight the importance of safeguarding consumer data and ensuring transparent and accessible cancellation processes, particularly in sensitive industries such as mental health care.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
