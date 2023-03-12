



As TechCrunch previously reported, Cerebral, a telehealth startup specializing in mental health, has shared sensitive information about more than 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers. In a notice posted on the company’s website, Cerebral acknowledges that it has disclosed a laundry list of patient data through the tracking tools it has used dating back to October 2019.

The affected information includes everything from patient names, phone numbers, email addresses, dates of birth, IP addresses, insurance information, appointment dates, treatments, and more. The company’s website and app may also have disclosed the responses clients completed as part of a mental health self-assessment, which patients could use to schedule treatment appointments and receive prescription medications.

According to Cerebral, this information was disclosed through tracking pixels, bits of code that Meta, TikTok and Google allow developers to embed in their apps and websites. For example, the Meta Pixel can collect data about a user's activity on websites and apps after they click on an advertisement on the platform, and can even track information that users enter into online forms. This allows companies such as Cerebral to measure how users interact with their ads on various platforms and track the steps they take afterwards. Meta, TikTok, and Google also get access to this information and can use it to gain insights into their own users.

The information disclosed may vary from patient to patient.

As noted by Cerebral, the information disclosed can vary from patient to patient depending on several factors, including the actions individuals take on the Cerebral platform, the nature of the services provided by subcontractors, and the configuration of the tracking technology. The company said it would notify affected users, adding that it did not disclose social security numbers, credit card numbers, or bank account information, no matter how individuals interacted with the Cerebral platform.

After first discovering the security hole in January, Cerebral said it disabled, reconfigured, and/or removed tracking pixels on its platform to prevent future exposure, and strengthened its information security practices and technical review process.

Cerebral is required by law to disclose potential violations of HIPAA, the Health Insurance Portability and Accountability Act. HIPAA prohibits healthcare providers from divulging patient information to anyone other than the patient or those the patient has consented to receive information about their health. The violation is currently under investigation by the U.S. Office for Civil Rights, following similar incidents involving pixel tracking tools.

Last year, an investigation by The Markup found that some of the country’s top hospitals were sending sensitive patient information to Meta through the company's pixel. This triggered two class-action lawsuits claiming that Meta and the hospitals in question violated medical privacy laws.

A few months later, The Markup also discovered that Meta was able to obtain financial information about its users through tracking tools built into popular tax services such as H&R Block, TaxAct and TaxSlayer. Meanwhile, other online healthcare companies such as BetterHelp and GoodRx were fined heavily by the FTC earlier this year for sharing sensitive patient data with third parties.

Cerebral faces scrutiny over whether it violated HIPAA regulations, as well as investigations by the Department of Justice and the Drug Enforcement Administration over its prescribing of controlled substances such as Adderall and Xanax. The company has since stopped prescribing these drugs.

