startups Notorious for keeping our data safe(Opens in a new tab). Cerebral — a telehealth startup that took off during the early days of the coronavirus pandemic — has shared more than 3.1 million American users’ private health information with advertisers and social media platforms including GoogleAnd metaAnd Tik Tok.
in It was first reported by TechCrunch(Opens in a new tab)Cerebral said it uses tracking technologies provided by third parties such as Google, Meta, and TikTok. It is not uncommon for websites to use these types of tracking technologies for advertising, and it is not uncommon for these practices to end in data breaches and even HIPAA violations.
That’s exactly what Cerebral did: After reviewing its use of these technologies and data-sharing practices, the company determined that it “disclosed certain information that could be structured as HIPAA-protected health information” to some of these third parties. Cerebral may have mistakenly given Google, Meta, and TikTok personal information of its users such as names, phone numbers, email addresses, birthdays, IP addresses, results of mental health self-assessments, treatments, and other clinical information.
Upon learning of this issue, Cerebral will immediately disable, reconfigure and/or remove the tracking technologies on the Cerebral Platforms to prevent any such disclosure in the future and stop or disable data sharing with any subcontractors that are unable to meet all HIPAA requirements. “,” Cerebral said in the disclosure(Opens in a new tab). “In addition, we have enhanced our information security practices and technology screening processes to further mitigate the risks of such information being shared in the future.”
It is not easy to find the company’s notice to customers. You have to scroll all the way to File down the site(Opens in a new tab) Where you will find, in small print: “Look here(Opens in a new tab) for more information on the March 2023 HIPAA breach.”Social media companies that now have access to this data do not have to delete it, even if the data from the Cerebral breach is supposed to be covered under the US Health Privacy Act HIPAA.
Cerebral is just one of about 50 telehealth startups that shared user data with advertising platforms last year. According to a joint investigation by STAT and The Markup(Opens in a new tab).