Mental Health Startup Shared Patient Data With Google, Facebook, Meta
A telehealth startup that blew up in popularity during the pandemic has said it shared private patient data with tech giants Google, Meta, and TikTok for years.
As reported by TechCrunch(Opens in a new window), Cerebral, which is used by millions of people to search for therapy or mental health services, said it disclosed data collected from its online mental health self-assessment with third-party advertisers, as well as big tech.
The data was shared via tracking pixels, custom-built code that Meta, TikTok, and Google allow developers to embed in their apps and websites. As The Verge notes(Opens in a new window), Meta’s tracking pixel for instance can collect data about a user’s activity on a given app or website after an ad is clicked on the platform. Information is then tracked in real-time, including any forms filled in on said app or website.
In a notice(Opens in a new window) published on Cerebral’s website, the company admitted to employing these tracking pixels and sharing data with outside companies since October 2019, when the telehealth startup commenced operations. The company further stated that private information pertaining to over 3.1 million users was shared until it discovered the security lapse in January this year. Cerebral said it moved to remove, reconfigure and disable the tracking pixels on the platform in January.
This information included patient names, phone numbers, email addresses, date of birth, IP addresses, demographic, and insurance details. Google, Facebook, and TikTok were also able to track the different mental health services that patients used. The tech giants are not under any obligation to delete the data that was shared with them.
Cerebral also revealed that shared information could have included appointment dates, treatment, and insurance co-pay amount.
The telehealth company said shared information could “vary” between patients, and was dependent on factors such as “what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies,” as well as more. The company said social security numbers, credit card details, or bank account information were not shared with third parties.
Recommended by Our Editors
According to the US Department of Health and Human Services, which is investigating Cerebral, the data lapse counts as the second-largest(Opens in a new window) breach of health data this year so far. Cerebral revealed the data-sharing practices because it is required by law to disclose potential violations of the US health data privacy law HIPAA.
The largest breach involves Southern California medical firm Regal Medical Group. The company is now facing a federal lawsuit(Opens in a new window) for failing to protect and properly notify its patients after personal information belonging to 3.3 million patients was exposed in a hack.
Get Our Best Stories!
Sign up for What’s New Now to get our top stories delivered to your inbox every morning.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.