The US now has another data privacy scandal on its hands.
Mental health startup Cerebral Inc. recently revealed that it had accidentally shared certain information it shouldn't under the Health Insurance Portability and Accountability Act.
The case is somewhat similar to the Cambridge Analytica scandal, which implicated Meta, then known as Facebook Inc., as an untrustworthy social media company. According to Vox, Meta allowed a third-party developer to create an application to gather data, exploiting a loophole to do so without users knowing in the process.
Cerebral Inc. Data Privacy Breach Details
Cerebral mentioned in its announcement that it had inadvertently shared the sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers.
According to the company, it may have unintentionally disclosed Cerebral account holders' names, phone numbers, email addresses, birthdates, IP addresses, Cerebral client ID numbers, and other demographic.
Should a Cerebral client complete any of the company's mental health self-assessments, Cerebral may have also shared the service they selected, assessment responses, and certain associated health information.
Additionally, the company may have shared their subscription plan type, appointment dates, and other booking information, treatment, and other clinical information if a Cerebral client completed the company's online mental self-assessment. The company may also have shared their treatment and other clinical information, health insurance/pharmacy benefit information like their plan name and group numbers, and insurance co-pay amount.
Read More: TikTok's Project Texas Has Major Flaws, Whistleblower Claims
Cerebral mentioned it accidentally shared the above-mentioned information through the use of tracking pixels or "tracking scripts" that Meta, Google, and TikTok offer to third-party developers for advertising purposes, per The Verge. However, these pixels also give Meta, Google, and TikTok access to the information Cerebral needs as they made the trackers the company uses.
The company explained in its notice that many industries, including health systems, traditional brick-and-mortar providers, and other telehealth companies have been using these trackers too.
The company admits that it has been using user data since it began operating in Oct. 2019 to determine how its clients interact with its ads, per Engadget. However, it promptly disabled, reconfigured, and/or removed the trackers and other tracking technologies on Cerebral's platforms to prevent any such disclosures in the future upon learning of the issue. Additionally, it discontinued or disabled data sharing with any of its subcontractors that didn't meet HIPAA requirements.
Finally, it enhanced its information security practices and technology vetting processes to better mitigate the risk of sharing such information in the future.
The Department of Health and Human Services is currently investigating Cerebral.
How Do Tracking Pixels Work?
Tracking Pixels are tiny, often invisible images usually hidden in an email or website that helps a company determine if, when, and on which device customers opened their email or website and where they were located when they did, per Ryte.
Cerebral can use their custom-built code with the one Facebook, Google, and TikTok made to track users' interaction with their ads, but it also allows these tech giants to receive information about their clients for advertising under the guise of analytics.
Additionally, Cookie Pro reports that these tracking Pixels can follow users across all of their devices that allow marketing efforts to be linked across the website and mobile ads.
Related Article: Meta Agrees To Settle Cambridge Analytica Case for $725M
