Pixel Use Results in Impermissible Disclosure of the PHI 3.1 Million Cerebral Platform Users
The telehealth company, Cerebral Inc., has confirmed that pixels and other tracking technology on its website resulted in the impermissible disclosure of the personal and protected health information of 3,179,835 patients. Cerebral is a fully remote telehealth provider that provides access to mental health services, including online therapy, mental health assessments, and visits with clinicians to treat mental health issues such as anxiety, depression, and insomnia. On January 3, 2023, Cerebral said it discovered pixels and other tracking technologies on its platform had collected and transferred sensitive HIPAA-protected information to third parties such as Meta (Facebook), Google, TikTok, and others.
Cerebral said in its breach notice that tracking technologies have been used by many bricks and mortar healthcare providers, telehealth companies, and other businesses on their websites, but was made aware that these technologies could potentially capture and impermissibly disclose sensitive data to the companies that provided those tracking technologies. An investigation was launched into the use of these tools, which confirmed that the tracking technologies had been added to Cerebral’s platforms on October 12, 2019. The review confirmed that protected health information had been impermissibly disclosed to certain third parties and some subcontractors, without business associate agreements that included HIPAA-required assurances about uses and disclosures of any transferred protected health information.
Cerebral confirmed that the pixels and tracking technologies were disabled when the issue was detected, and were either removed or reconfigured to prevent any further unauthorized data sharing with any third party or subcontractor that was unable or unwilling to meet HIPAA requirements. Security practices and technology vetting procedures have also been enhanced to mitigate the risk of similar impermissible disclosures in the future.
Cerebral said it is unaware of any misuse of the transferred data, which may have included an individual’s name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information if they created a Cerebral account. If they completed or partially completed a mental health self-assessment, information such as the service the individual selected, assessment responses, and certain associated health information may also have been disclosed. If a subscription plan was purchased, the information disclosed may also have included the plan type, appointment dates/booking information, treatment and other clinical information, health insurance/pharmacy benefit information, and insurance co-pay amounts.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Notification letters were sent to all individuals who fell into one of those categories, even if they did not become Cerebral patients or if they provided information beyond what was required to create a Cerebral account. Cerebral confirmed that Social Security numbers, credit card information, and bank account information were not disclosed; however, out of an abundance of caution, free credit monitoring services have been offered to affected individuals. Cerebral also provided information in the notification letters on how privacy can be protected against tracking technologies, including blocking/deleting cookies, using browsers that have privacy features such as an incognito mode, and setting privacy protections in social media and Google accounts.