Mental Health Organization Cerebral Pays $7.1 Million for Consumer Privacy Violations

The Federal Trade Commission (FTC) has imposed a $7.1 million penalty on the mental health startup Cerebral for consumer privacy violations and deceptive business practices. The $7.1 million payment settles claims that the telehealth firm and its former CEO, Kyle Robertson, violated consumers’ privacy by impermissibly sharing their sensitive personal data and protected health information with third parties for marketing purposes, misled consumers about its cancellation process, and failed to secure sensitive health information. The proposed FTC order requires Cerebral to stop disclosing consumers’ information to third parties for marketing purposes without their permission and to give consumers a simple way to cancel its services.

Privacy is an important factor that consumers weigh when choosing a mental health care provider. Consumers should be able to discuss sensitive mental health issues openly and be confident that what they share is kept confidential. The FTC alleged that Cerebral promoted its services as safe, secure, and discreet, yet did not tell consumers that their sensitive information would be disclosed to third parties. As a result of that data sharing, consumers may have been shown advertisements tied to the information they had shared with Cerebral in private.

Cerebral did describe its data sharing practices in its privacy policies, but those policies were dense and the details about data sharing were buried. Moreover, Cerebral stated in several places that it would not share consumer information with third parties for marketing purposes without consent. According to the FTC complaint, Cerebral disclosed the sensitive information of about 3.2 million people to third parties including Snapchat, TikTok, and LinkedIn through tracking tools embedded in its web pages and applications, which the FTC considers a deceptive business practice in violation of the FTC Act.

The data shared with those third parties included names, dates of birth, addresses, email addresses, telephone numbers, IP addresses, health and medication records, pharmacy and medical insurance details, other health data, and other personal information such as religious and political views and sexual orientation. That data was also accessible to Cerebral employees, because access to customer information was not limited to the workers who needed it. From May 2021 to December 2021, former staff members retained access to consumer data, and the organization did not verify that healthcare providers could view their patients’ files.

The FTC complaint also alleged that Cerebral’s handling of patient communications was careless. For example, Cerebral sent 6,000 postcards to patients that carried the patients’ names together with details that would reveal their diagnosis and treatment to anyone who saw them; envelopes should have been used instead. In addition, Cerebral used a single sign-on solution that exposed patient information to other patients when they logged into the patient website.

The FTC alleged that Cerebral and its CEO violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in unlawful and deceptive practices related to substance use disorder treatment services. They were also accused of violating the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all terms of their cancellation policies before billing customers. These deceptive practices allegedly began during Robertson’s tenure as CEO and continued after he left the position.

The FTC order is pending approval by the U.S. District Court for the Southern District of Florida. Once approved, Cerebral will be subject to the financial penalty and a prohibition on disclosing sensitive information for marketing purposes. Cerebral must also post a notice on its website informing consumers about the FTC order, delete consumer information that is not being used for treatment, payment, or healthcare operations unless users have agreed to those uses, give consumers a way to request deletion of their information, and implement a data retention plan.

The financial penalty has two parts. $5.1 million will fund partial refunds to consumers affected by the deceptive cancellation practices. A civil monetary penalty of $10 million was also imposed, but only $2 million is due upfront; the remainder is suspended because of the company’s financial constraints.

FTC Chair Lina M. Khan said that, according to the Commission’s complaint, Cerebral breached its customers’ privacy by exposing their sensitive mental health conditions online and through the mail. To address this breach of trust, the Commission is banning Cerebral from using health data for any form of advertising.

In response to the FTC order, Cerebral pointed to its transparency and full cooperation throughout the investigation. The company reaffirmed its commitment to quality patient care, good customer support, data protection, and consumer privacy.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone