Cerebral Notifies 3.1M Users of Healthcare Data Breach Stemming From Pixel Use

March 10, 2023 - Telehealth platform Cerebral reported a healthcare data breach to HHS impacting more than 3.1 million individuals. Cerebral provides online therapy and medication management to millions of users.

“Like others in many industries, including health systems, traditional brick and mortar providers, and other telehealth companies, Cerebral has used what are called ‘pixels’ and similar common technologies (‘Tracking Technologies’), such as those made available by Google, Meta (Facebook), TikTok, and other third parties (‘Third-Party Platforms’), on Cerebral’s Platforms,” the breach notice stated.

Cerebral had used these technologies since it began operations in October 2019 until it launched a review of its data sharing practices a few years later. On January 3, 2023, Cerebral determined that it had disclosed protected health information (PHI) to certain subcontractors “without having obtained HIPAA-required assurances.”

The information that was disclosed varied based on how each individual interacted with Cerebral, how users configured their devices, and how each third-party captured data.

“If an individual created a Cerebral account, the information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information,” the notice stated.

“If, in addition to creating a Cerebral account, an individual also completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information.”

If the user also purchased a subscription plan, insurance co-pay amounts, subscription type, booking information, treatment information, and health insurance information may have also been disclosed.

“Out of an abundance of caution, we are notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account,” Cerebral stated.

Cerebral said it immediately reconfigured or removed tracking technologies on its platform and disabled data sharing with any subcontractors who could not meet HIPAA requirements. The company said it has also enhanced its vetting processes.

Cerebral encouraged individuals to prevent the use of tracking tech by blocking or deleting cookies or using ”incognito” mode while browsing. Impacted individuals may also consider changing their Cerebral account passwords and adjusting privacy settings in Facebook, Google, and other platforms, Cerebral stated.

As previously reported, many healthcare organizations and tech companies are facing backlash for similar incidents. In October 2022, Advocate Aurora Health notified 3 million individuals of a breach stemming from the use of tracking pixels, and Novant Health notified 1.3 million individuals of potential unauthorized data disclosures resulting from its use of pixels.