Cerebral, Inc
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
Cerebral, Inc., a mental health startup, has been involved in a significant data breach that affected the private health information of over 3.1 million users. The breach, which is the second-largest health data breach of 2023, involved the sharing of sensitive patient data with advertisers and social media platforms such as Facebook, Google, and TikTok.
The company used tracking technologies known as “pixels” and similar tools to share client and user data with third-party platforms and subcontractors without obtaining the necessary assurances required under the Health Insurance Portability and Accountability Act (HIPAA).
This data sharing had been occurring since October 2019 and was only discovered and disclosed by the company in early 2023.
The types of information disclosed varied depending on the individual’s interaction with Cerebral’s platforms. It included names, phone numbers, email addresses, dates of birth, IP addresses, demographic information, mental health self-assessments, treatment details, health insurance information, and more. However, Cerebral claims that Social Security numbers, credit card information, and bank account details were not disclosed.
Upon discovering the breach, Cerebral disabled, reconfigured, or removed the tracking technologies to prevent further unauthorized disclosures and ceased data sharing with subcontractors that could not meet HIPAA requirements.
The company has also provided free credit monitoring services and advised affected individuals to remain vigilant against identity theft and fraud.
The breach has raised significant privacy concerns and has led to investigations and potential legal actions against Cerebral.
The incident comes in the wake of other similar breaches in the healthcare industry and increased scrutiny by regulatory bodies such as the U.S. Department of Health and Human Services’ Office for Civil Rights and the Federal Trade Commission.
Cerebral has issued a notice about the breach and has taken steps to address the issue, including enhancing its information security practices and technology vetting processes.