Cerebral Fined Over Major Privacy Violations in Telehealth Services
The U.S. Federal Trade Commission (FTC) has taken action against Cerebral, a mental-health telehealth company, barring it from using or sharing consumers' personal medical data for advertising. Under the proposed order the company must also pay more than $7 million over allegations that it disclosed sensitive health information to third parties for marketing and failed to honor its own cancellation policy.
According to the FTC, Cerebral and its former CEO, Kyle Robertson, repeatedly broke the company's privacy promises and misled consumers about its cancellation process. The press release notes that Cerebral advertised its services as "safe, secure, and discreet" to persuade users to hand over personal data, while never clearly disclosing that the data would be shared with third parties for advertising.
The complaint says Cerebral buried its data-sharing practices in dense privacy policies while telling customers their information would not be shared without their consent. The FTC treats the absence of a clear, conspicuous disclosure as a deceptive practice in its own right.
Since October 2019, Cerebral reportedly shared sensitive information on roughly 3.2 million users with platforms including LinkedIn, Snapchat, and TikTok: names, medical histories, addresses, phone numbers, and other demographic details. The channel was the third-party tracking tools for advertising and analytics that the company embedded in its website and apps. Such tools transmit user identifiers and event data to the ad platform by design, so any health-related page, event, or form field they observe is sent along with everything else.
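Auditing what those tracking tools actually send is a concrete check a practitioner would want here. The Python below is an added example, not code from the FTC complaint or from Cerebral: it takes captured outbound requests (the kind you would export from a browser's network panel or a proxy), flags those bound for ad-platform hosts, and reports any parameter that carries an identifier or a health term. The tracker host list, the sensitive parameter names, the health-term list, and the sample requests are all assumptions constructed for the example; a real audit would use the full tag inventory for the site.

```python
"""Audit captured outbound requests for health data sent to ad/analytics trackers."""
import json
from urllib.parse import urlparse, parse_qs

# Assumed tracker endpoints (illustrative, suffix-matched so subdomains count).
TRACKER_HOSTS = {
    "analytics.tiktok.com": "TikTok",
    "tr.snapchat.com": "Snapchat",
    "px.ads.linkedin.com": "LinkedIn",
    "www.facebook.com": "Meta",
}

# Parameter names that should never reach a third-party ad platform (assumed list).
SENSITIVE_KEYS = {"email", "phone", "first_name", "last_name", "name",
                  "address", "diagnosis", "condition", "medication"}
# Terms that, appearing in a page URL or event value, reveal treatment context.
HEALTH_TERMS = ("anxiety", "depression", "adhd", "insomnia", "bipolar",
                "ptsd", "therapy", "medication")


def tracker_for(host):
    """Return the vendor name if host belongs to a known tracker, else None."""
    for h, name in TRACKER_HOSTS.items():
        if host == h or host.endswith("." + h):
            return name
    return None


def _walk(obj, prefix=""):
    """Yield (dotted_key, value) pairs for a nested JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{prefix}{i}.")
    else:
        yield prefix[:-1], obj


def audit_request(req):
    """Return (vendor, field, reason) findings for one request; empty if clean.

    First-party requests are ignored: the point is what leaves for a third party.
    """
    url = urlparse(req["url"])
    vendor = tracker_for(url.hostname or "")
    if vendor is None:
        return []
    # Query-string parameters, then JSON or form-encoded body fields.
    fields = {k: v[0] for k, v in parse_qs(url.query).items()}
    body = req.get("body")
    if body:
        try:
            fields.update(dict(_walk(json.loads(body))))
        except ValueError:
            fields.update({k: v[0] for k, v in parse_qs(body).items()})
    findings = []
    for key, value in fields.items():
        leaf = key.rsplit(".", 1)[-1].lower()
        text = str(value).lower()
        if leaf in SENSITIVE_KEYS:
            findings.append((vendor, key, "identifier or health field"))
        elif any(t in text for t in HEALTH_TERMS):
            findings.append((vendor, key, "health term in value"))
    return findings


def audit(requests):
    """Run audit_request over a capture and concatenate the findings."""
    out = []
    for r in requests:
        out.extend(audit_request(r))
    return out


# Constructed sample capture (not real traffic); hostnames under .test are fictional.
SAMPLE_REQUESTS = [
    # Pixel event whose page URL names the condition the user was browsing.
    {"url": "https://analytics.tiktok.com/api/v2/pixel?event=CompletePayment"
            "&url=https%3A%2F%2Fexample-telehealth.test%2Fplans%2Fanxiety-medication",
     "body": None},
    # Conversion ping carrying only opaque ids: not flagged.
    {"url": "https://px.ads.linkedin.com/collect?pid=12345&conversionId=678",
     "body": None},
    # Sign-up event with the user record copied wholesale into the payload.
    {"url": "https://tr.snapchat.com/p",
     "body": json.dumps({"event": "SIGN_UP",
                         "user": {"email": "jane@example.test",
                                  "condition": "depression"}})},
    # First-party API call: contains a diagnosis but is not a third-party flow.
    {"url": "https://api.example-telehealth.test/v1/appointments",
     "body": json.dumps({"diagnosis": "anxiety"})},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print("LEAK  %-8s %-16s %s" % f)
```

Run against a real capture, the output is a per-vendor list of fields to remove from the tag configuration or to gate behind consent; the first-party request in the sample is deliberately left unflagged because the problem the FTC describes is the third-party destination, not the presence of health data in the system.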
The complaint also faults Cerebral's security practices: it failed to revoke access for former employees, who for about six months were still able to reach patient medical records, and it relied on access methods the FTC characterized as insecure instead of enforcing proper restrictions on who could read patient data.
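The control that was missing is a routine joiner/leaver review: compare the HR roster against application accounts and access logs, and flag both stale accounts and any record access after a termination date. The Python below is an added example of that review, not the FTC's or Cerebral's code; the roster, account list and access log lines are constructed for the example, and the log format (ISO timestamp, user, action, record) is an assumption.

```python
"""Detect record access by former employees by joining the HR roster to an access log."""
from datetime import date, datetime

# Constructed HR roster: username -> termination date (None = still employed).
ROSTER = {
    "alice": None,
    "bob": date(2023, 1, 15),
    "carol": date(2023, 3, 1),
}

# Constructed application accounts: username -> whether the account is still enabled.
ACCOUNTS = {"alice": True, "bob": True, "carol": False, "svc-legacy": True}

# Constructed access log (assumed format: ISO timestamp, username, action, record id).
ACCESS_LOG = """\
2023-01-10T09:12:00 bob READ patient/4417
2023-01-20T14:03:00 bob READ patient/4417
2023-02-02T11:45:00 alice READ patient/2291
2023-06-30T08:30:00 bob EXPORT patient/7730
2023-03-05T10:00:00 carol READ patient/1001
2023-04-01T12:00:00 svc-legacy READ patient/1001
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def post_termination_access(events, roster):
    """Return events where the user had already been terminated at access time."""
    hits = []
    for ts, user, action, record in events:
        term = roster.get(user)
        if term is not None and ts.date() > term:
            hits.append((user, ts.isoformat(), action, record))
    return hits


def stale_accounts(accounts, roster, as_of):
    """Enabled accounts belonging to terminated users, or with no roster owner at all.

    Accounts with no roster owner (shared or service logins) are the ones that
    let a departed employee keep reading records without showing up in the
    per-user check above, so they are reported separately.
    """
    stale = []
    for user, enabled in accounts.items():
        if not enabled:
            continue
        if user not in roster:
            stale.append((user, "no roster owner"))
        elif roster[user] is not None and roster[user] <= as_of:
            stale.append((user, f"terminated {roster[user].isoformat()}"))
    return stale


if __name__ == "__main__":
    for hit in post_termination_access(parse_log(ACCESS_LOG), ROSTER):
        print("POST-TERMINATION ACCESS", *hit)
    for acct in stale_accounts(ACCOUNTS, ROSTER, date(2023, 7, 1)):
        print("STALE ACCOUNT", *acct)
```

In the sample, bob keeps reading and exporting records for months after his termination date and his account is still enabled, which is the pattern the complaint describes; the `svc-legacy` login is caught only by the account review, which is why both checks belong in the same job and why shared credentials defeat the first one.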
Separately, Cerebral mailed promotional postcards without envelopes to more than 6,000 patients, with wording that could reveal a recipient's diagnosis and treatment to anyone who handled the mail. The FTC's proposed order, which still needs federal court approval, requires Cerebral to build a comprehensive privacy and data security program.
Under the proposed order, Cerebral may not disclose consumer health information to third parties for marketing. It must also post a notice of the FTC order on its website and adopt a data retention schedule that deletes most consumer data not needed for treatment, payment, or healthcare operations, unless the consumer has given explicit consent to keep it.
This action follows a similar FTC order against Monument, an alcohol addiction treatment provider, which is likewise barred from sharing health information without user consent. Together the two cases show where the FTC is concentrating its attention in the healthcare sector: sensitive data flowing, undisclosed, to advertising platforms.
It is tempting to describe this case in MITRE ATT&CK terms, but that framework models an external adversary's intrusion, and nothing in the complaint alleges one. The data left through channels Cerebral itself put in place: the tracking tools were installed deliberately for advertising and analytics and did exactly what such tools do, the former-employee access came from credentials that were never revoked, and the postcards were a process failure. The practical lessons are correspondingly unglamorous. Inventory every third-party script and SDK on patient-facing pages and verify what each one transmits; keep advertising and analytics tags off pages and events that reveal a diagnosis or treatment, and gate the rest behind consent; disable accounts the day an employee leaves and reconcile access logs against the HR roster; and enforce a retention schedule so data that is no longer needed cannot be exposed later. Organizations in similar sectors should measure their own data handling against these points before a regulator does.