Consumer health information: Handle with (extreme) care

What will it take to get businesses to honor the promises they make about the privacy of consumers’ health data? Multiple FTC law enforcement actions in the past year? Two more cases against companies that shared health information with third-party advertising platforms without people’s consent? Here’s the loud-and-clear message companies need to hear: The FTC won’t back down in the fight to protect the privacy of consumers’ sensitive health data.

Online health care provider Cerebral provides mental health and pain management subscription services to consumers. When people sign up, Cerebral collects a ton of private information – both the usual contact and payment data and also medical and prescription histories, health insurance details, religious and political beliefs, and sexual orientation. Wouldn’t consumers be wary of disclosing so much confidential information? Of course, which is why Cerebral promised to use “the latest information security technology to protect your data, which is not shared without your consent, and will only be used internally to improve clinical care.”

Assuring consumers that their information would receive “safe, secure, and discreet” treatment, the company promised “At Cerebral, patients come first.” But according to the FTC, patients came far down the list with advertising apparently taking the top spot.

The FTC charged that Cerebral turned over the sensitive health data of close to 3.2 million consumers to third-party platforms like LinkedIn, Snapchat, and TikTok for advertising purposes and data analytics. How did the company do it? By using tracking tools on its website or built into its apps that sent users’ names, addresses, phone numbers, medical and prescription histories, and other health information to the platforms. According to the FTC, Cerebral did this secretly and without fully disclosing to consumers what it was doing behind the scenes.

The FTC also alleges that Cerebral failed to have adequate protections in place for the data it collected and engaged in a host of slipshod security practices. For example, according to the complaint, Cerebral failed to block former employees’ access to consumers’ confidential medical records, sent promotional postcards (yes, postcards) to over 6,000 consumers that appeared to reveal their diagnosis and treatment, used single sign-in and access methods for its patient portal that let users see confidential health information about other users, and put consumers’ medical records at risk by permitting staffers and contractors to use a single key for Dropbox access.