FTC fines mental health startup Cerebral $7 million for major privacy violations

ReportApril 16, 2024Editorial DepartmentPrivacy Breach/Regulatory Compliance

The US Federal Trade Commission (FTC) has ordered psychological telemedicine company Cerebral not to use or disclose personal data for advertising purposes.

The company was also fined more than $7 million for disclosing users’ sensitive personal health information and other data to third parties for advertising purposes and for failing to comply with its easy cancellation policy.

“Cerebral and its former CEO, Kyle Robertson, repeatedly violated their privacy commitments to consumers and misled them about the company’s cancellation policies,” the FTC said in a press statement.

The FTC said that although the company claimed to provide “safe, secure and discreet” services to attract consumers to sign up and provide data, it did not clearly disclose that this information would be shared with third parties for advertising purposes.

The agency also accused the company of deceptive behavior by hiding its data-sharing practices in dense privacy policies by claiming it would not share user data without their consent.

The company allegedly provided sensitive information about nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by integrating tracking tools into its websites and apps designed to provide advertising and data analytics.

This information includes name; medical and prescription history; home and email addresses; phone numbers; date of birth; demographic information; IP addresses; pharmacy and health insurance information; and other health information.

The FTC complaint further alleges that Cerebral failed to implement adequate security safeguards, allowed former employees to access users’ medical records between May and December 2021, used unsecured access methods to expose patient information, and failed to secure access to consumer data. Restrict access to employees who require it.

“Cerebral mailed promotional postcards without envelopes to more than 6,000 patients that included their names and language and appeared to disclose their diagnoses and treatments to anyone who saw the postcards,” the FTC said.

Under the proposed order, which is pending federal court approval, the company is prohibited from using or disclosing consumers’ personal and health information to third parties for marketing purposes and ordered to implement a comprehensive privacy and data security program.

Cerebral is also required to post a notice on its website reminding users of the FTC order and adopt a data retention plan and delete most consumer data that is not used for treatment, payment or health care operations unless they consent. Users also need to be provided with a mechanism to delete their data.

Days ago, the Federal Trade Commission banned alcohol addiction treatment company Monument from disclosing health information to third-party platforms such as Google and Meta for advertising without user consent between 2020 and 2022, even though the company claimed that such data would be used for advertising “100 % Confidential”. “

The New York-based company has been ordered to notify users of disclosures of their health information to third parties and ensure that any shared data is deleted.

“Monument failed to ensure that it lived up to its promises and actually disclosed users’ health information to third-party advertising platforms, including highly sensitive data that showed its customers were receiving help to overcome their alcohol addiction,” the FTC said.

Last year, the FTC announced similar enforcement actions against health care providers such as BetterHelp, GoodRx and Premom for sharing user data with third-party analytics and social media companies without their consent.

it also warns [PDF] After Amazon eventually acquired membership-based primary care provider One Medical for $3.9 billion, it objected to the use of patient data for marketing purposes.