Dive Brief:
- Telehealth company Cerebral agreed to pay more than $7 million to settle allegations it disclosed personal health information for advertising purposes and misled customers about easy cancellation policies, according to a proposed order released Monday by the Federal Trade Commission.
- The agency argued that the virtual mental healthcare provider gave sensitive data of nearly 3.2 million consumers — including medical and prescription histories and pharmacy and health insurance information — to third parties like LinkedIn, Snapchat and TikTok through tracking technologies embedded on its website and apps.
- The FTC also alleged Cerebral maintained “sloppy” data security practices. The company previously failed to block former employees from accessing patient records, didn’t adequately train employees on handling sensitive data and used a single sign-on method that exposed medical information to other patients, according to the agency.
Dive Insight:
The complaint against Cerebral — a mental health treatment startup that raised hundreds of millions of dollars during the pandemic digital health funding boom — alleged the company and its former CEO, Kyle Robertson, had broken its privacy promises to users.
The FTC said Cerebral had often claimed it wouldn’t share user data for marketing without obtaining consent, and buried disclaimers in “dense” privacy politics.
The agency also alleged the company had engaged in “careless” marketing, sending out promotional postcards that included customer names and language that could reveal diagnoses.
“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” FTC Chair Lina Khan said in a statement.
Customers also struggled to cancel the service, even though Cerebral promised users could cancel at any time, according to the FTC.
Under the proposed order, Cerebral will pay nearly $5.1 million to provide partial refunds to customers, as well as a $10 million civil penalty. The civil penalty will be suspended after a $2 million payment because the company can’t pay the full amount, according to the agency.
Cerebral will also be banned from using or disclosing consumer personal health information to third parties for most marketing or advertising purposes, and it will need to implement a comprehensive privacy and security program.
In a statement, Cerebral said it had been “transparent and fully cooperative throughout the investigation.”
The settlement comes as federal regulators have warned healthcare providers and digital health companies about the use of online trackers, arguing they could expose consumers’ personal health data to third parties.
The technologies, which collect data on how users interact with websites or apps, are widely used by hospitals, according to a study published last year by Health Affairs.
Many direct-to-consumer telehealth companies use the trackers too, sending information like which URLs users visited or their answers to questionnaires, according to an investigation published in late 2022 by Stat and the Markup.
Regulators have taken action against some companies that inappropriately shared user information with third parties. Last week, the FTC said it would ban another digital health company, alcohol use disorder treatment service Monument, from disclosing health information for advertising.
The agency alleged Monument had disclosed personal information, like when a user signed up for a service, to third parties, and contradicted its own privacy promises to consumers.