The US telehealth startup Cerebral disclosed this week that it shared the personal information of millions of its users with advertisers like Meta, Google, and TikTok.
The company now says it has removed the tracking scripts from its platform and enhanced its information security practices. But it was already too late: some of the data shared in this manner is classed as protected health information under the US Health Insurance Portability and Accountability Act, which may expose the company to penalties.
Sharing Health Data With Advertisers
Cerebral, the US telehealth startup that gained massive popularity during the early months of the pandemic, has now shared intriguing news. The company admits to sharing the personal information of over 3.1 million US users with social media companies. These include popular tech giants like Google, Meta, and TikTok.
In a freshly uploaded notice on its website, Cerebral said it had been using “pixels”, the tracking scripts provided by advertisers for collecting user data, since it began operating in October 2019! Though the data collected through this practice is used strictly for advertising purposes, collecting it is prohibited!
The data points shared (names, phone numbers, birth dates, and insurance information) are regulated as protected health information under the Health Insurance Portability and Accountability Act, and may not be shared with advertisers. Further, Cerebral also admits to sharing information it collected through the mental health self-assessments of some patients!
Patients completed these assessments to schedule counseling appointments and access other services on the Cerebral platform. While all this is intriguing, the company says it did not share any social security numbers, bank information, or credit card numbers. Yet, it may face serious penalties for sharing other important data.
The US Department of Health and Human Services said it is investigating Cerebral, even after the company said it “disabled, reconfigured, and/or removed” the tracking pixels from its platform. The company also claims to have “enhanced our information security practices and technology vetting processes to further mitigate the risk of sharing such information in the future”.