The U.S. Federal Trade Commission has reached a settlement with telehealth firm Cerebral in which the company will pay $7,000,000 over allegations of mishandling people's sensitive health data.
Cerebral is a remote telehealth company that provides online therapy and medication management for various mental health conditions, including anxiety, depression, ADHD, Bipolar Disorder, and substance abuse.
In March 2023, the company sent data breach notices to 3.2 million people who had interacted with its websites, applications, and services, informing them that their information had been exposed through tracking pixels used on its platform.
The FTC's complaint charges Cerebral and its former CEO, Kyle Robertson, with disclosing consumers' personal health information to third parties for advertising and with not adhering to its own cancellation policies.
"The complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps," reads the announcement.
"These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps."
The FTC's announcement also lists several alleged bad practices at Cerebral that resulted in varying degrees of exposure of consumers' sensitive health data, including failure to revoke former employees' access to Cerebral patient records and failure to silo providers so that each could access only their own patients' records.
Moreover, the agency says the company used an insecure single sign-on method for access to the patient portal and failed to restrict employee access to only the data needed to carry out their job tasks.
The proposed order, pending court approval, includes the following provisions:
- Refund of $5,100,000 to customers who were impacted by deceptive cancellation practices.
- $10M civil penalty, limited to $2,000,000 due to Cerebral's inability to pay the full amount.
- Permanent ban on sharing health data with third parties for marketing and advertising purposes.
- Require consent from consumers before disclosing their personal and health data to any third parties.
- Prohibit Cerebral from misrepresenting its data security and privacy practices.
- Implement a comprehensive data security and privacy program.
- Post a notice on its website detailing the complaint and required actions.
- Implement a data retention schedule, delete unnecessary consumer data unless consented to be retained, and provide a clear data deletion request mechanism.
- Prohibit misrepresentations of cancellation policies and simplify the cancellation process for consumers.
Former CEO Robertson, who is accused of ordering the removal of an "easy cancellation" button from Cerebral's site, has not agreed to a settlement, so the court will decide the charges against him.