Mental health care provider shared data of millions of clients with LinkedIn and TikTok

Cerebral, a U.S. mental health company, shared sensitive data of over three million clients with LinkedIn, TikTok, and Snapchat for advertising.

The U.S. company Cerebral, which offers online mental health services and related care, has disclosed the sensitive personal information of over three million clients to social media platforms like LinkedIn, TikTok, and Snapchat for advertising purposes. When registering for Cerebral’s services, clients are required to submit a range of personal data, including residential addresses, email addresses, birth dates, medical histories, medication details, account information, driver’s license numbers, treatment plans, pharmacy selections, health insurance details, religious beliefs, and sexual orientation.

The U.S. Federal Trade Commission (FTC), the regulator in this case, has indicated that despite Cerebral’s assurances of data security, the company actually shared this information with various external parties for marketing objectives. Although the privacy policy, which was difficult to comprehend, contained warnings about this data sharing, Cerebral frequently asserted that it would not use customer data for marketing without obtaining consent.

Data belonging to approximately 3.2 million clients was transmitted to LinkedIn, Snapchat, and TikTok through tracking pixels and other software tools on Cerebral’s websites and apps. These tracking mechanisms allowed these third parties to access a wide array of Cerebral client data, including names, medical histories, medication details, addresses, email addresses, phone numbers, birth dates, demographic data, IP addresses, pharmacy and health insurance details, and other health-related information.
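The leak path described above is a page that both collects sensitive intake fields and loads third-party tracking scripts or pixels. The following audit script is an added example, not Cerebral's code or anything from the FTC filing: it parses page HTML, lists every external host that scripts, images or iframes load from, flags form fields whose names match an assumed list of sensitive health fields, and marks the page high-risk when both are present. The sample HTML, the first-party host and the tracker hostnames are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Form field names that, on a health-care intake page, indicate sensitive data
# is being collected (assumed, illustrative list for this example).
SENSITIVE_FIELDS = {"medical_history", "medications", "diagnosis", "insurance_id",
                    "date_of_birth", "religion", "sexual_orientation"}


class BeaconAuditor(HTMLParser):
    """Collect third-party resource loads and sensitive form fields from a page."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party_hosts = set(first_party_hosts)
        self.third_party = []      # (tag, host, url) for each external load
        self.sensitive_inputs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            # Relative URLs have no hostname and count as first-party.
            host = urlparse(a["src"]).hostname
            if host and host not in self.first_party_hosts:
                self.third_party.append((tag, host, a["src"]))
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or "").lower()
            if name in SENSITIVE_FIELDS:
                self.sensitive_inputs.append(name)


def audit_page(html, first_party_hosts):
    """Return external hosts, sensitive fields and a combined risk flag for a page."""
    parser = BeaconAuditor(first_party_hosts)
    parser.feed(html)
    hosts = sorted({h for _, h, _ in parser.third_party})
    return {
        "third_party_hosts": hosts,
        "sensitive_fields": sorted(set(parser.sensitive_inputs)),
        # Health data plus an advertiser beacon on the same page is the
        # combination that lets a pixel carry client details off-site.
        "high_risk": bool(hosts) and bool(parser.sensitive_inputs),
    }


# Constructed sample page: one first-party script, two placeholder trackers,
# and an intake form with three sensitive fields.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://pixel.example-adnetwork.test/insight.js"></script>
</head><body><form action="/intake" method="post">
<input name="email"><input name="date_of_birth">
<textarea name="medical_history"></textarea><select name="insurance_id"></select>
</form><img src="https://px.example-social.test/collect?ev=signup" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, {"portal.example-clinic.test"}))
```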

Additionally, the FTC criticized Cerebral for its “irresponsible marketing” practices. Notably, the company mailed postcards to over six thousand clients that were not enclosed in envelopes, displaying the recipients’ names and language indicative of their health conditions, potentially revealing their diagnoses and treatments to any observer.

The agency also highlighted that Cerebral failed to limit access to client data only to those employees who needed it; former employees continued to have access to sensitive files, and the company lacked proper training and procedures for handling sensitive information. Cerebral also fell short of maintaining proper information security protocols, policies, and procedures and used unsafe methods for accessing data, leading to incidents where clients logging into the portal simultaneously could view each other’s information.

Cerebral has reached a settlement with the FTC, agreeing to pay $7.1 million. Under the terms of the settlement, the company is required to cease using clients’ personal and health information for advertising, gain consent for data sharing, be transparent about its security and privacy practices, establish a comprehensive privacy and security program, and eliminate any client data not needed for treatment or billing.

The FTC has also initiated legal action against the CEO of Cerebral, Kyle Robertson, who opted not to settle; this issue is now pending judicial review.