Online Health Firm Cerebral to Pay $7 Million for Sharing Private Data – Source: securityboulevard.com

Mental telehealth startup Cerebral says it will stop sharing sensitive consumer health information with third parties, make it easier for consumers to cancel services, and pay $7 million to settle a complaint with the Federal Trade Commission (FTC), which accused the company of sharing data of 3.2 million users with third parties.

The “first-of-its-kind” agreement announced this week would settle a case that opened last year when Cerebral self-reported the data sharing to the U.S. Health and Human Services Department’s Office of Civil Rights. The agreement still needs to be approved by a federal court judge in Florida.

The case also represents the latest in a growing number of complaints brought by the FTC against data brokers and other businesses that collect and disseminate consumers’ personal information for advertising or other purposes without proper consent. Those include cases against data brokers Outlogic and InMarket Media earlier this year and telehealth providers BetterHelp and GoodRx in 2023.

“Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” FTC Chair Lina Khan said in a statement. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

In a brief statement, the company said it is happy with the settlement, adding that it has been “transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy.”

Privacy Violations, Deceptive Practices

According to the complaint, Cerebral shared such user information as names, medical and prescription histories, home and email addresses, birthdates, demographic information, and pharmacy and health insurance data with companies including LinkedIn, Snapchat, and TikTok. It did so via tracking tools that it either used or integrated into its website and applications. Cerebral gave third parties the personal data through the tracking tools.

The online mental health services company, which was founded in 2019, didn’t disclose to consumers that it would be sharing sensitive data with other companies for advertising purposes and it buried disclaimers about how it shared data in “dense privacy policies.” Moreover, the Cerebral also claimed to consumers in many instances that it wouldn’t share the data without their consent, according to the FTC.

Another problem was that Cerebral provided its services via a negative option basis, with consumers being automatically charged unless they cancelled the them. The range of information they provided to Cerebral touched on everything from treatment plans and health insurance policies to their sexual orientation and religious or political beliefs.

Cancellation Practices at Issue

The federal agency said Cerebral violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 by using in unfair and deceptive practices with its substance use disorder treatment services and the Restore Online Shoppers’ Confidence Act by not clearly disclosing the terms of its cancellation policies before charging users.

The FTC said that while the company told consumers they could cancel anytime, the process was actually complex. It had multiple steps and could take days to complete, with Cerebral all the while charging users while it “slow-walked” the cancellation requests. This cost consumers millions of dollars in additional charges.

Practices Started with Ex-CEO

The company implemented an easier cancellation policy in April 2020, but co-founder and CEO Kyle Robertson ordered it removed after two weeks after the number of cancellations rose, according to the FTC.

There also were other problems, including sending promotional postcards that weren’t in envelopes to more than 6,000 users that disclosed their diagnosis and treatment to anyone who saw them, letting former continue to have access to user data, using a single sign-on to access the patient portal, and not having proper employee training in place.

The practices started under Robertson and continued after he left the company in 2022. The agreement reached with the FTC only covers Cerebral; Robertson hasn’t agreed to a settlement, so the case against him will continue in court.

Along with the improving the cancellation policy and paying $7 million, Cerebral also must implement a comprehensive data security and privacy program, create a data retention policy, delete most consumer data not used for treatment, payment, or health care operations without user consent.

FTC Puts Focus on Data Brokers, Others

The FTC over the past couple of years has been aggressive against organizations sharing or collecting consumers’ sensitive information without their consent. Researchers at Securiti in a blog post last year noted the agency’s “increased interest in protecting the consumers’ digital health information by cracking down on companies deploying unfair and deceptive practices to share user health data with third parties for marketing,” pointing to two enforcement cases over three months.

One was the case against GoodRx, which Securiti said was the first brought by the FTC under the Health Breach Notification Rule.

In January, the FTC issued its first order against a data broker, banning Outlogic from selling or sharing sensitive location data with third parties. The agency followed that less than two weeks later with a similar order against InMarket Media.