Healthcare provider Cerebral recently sent breach notifications to 3.18 million data subjects who have engaged with its websites, apps, and assorted telehealth services.

A remote telehealth enterprise, Cerebral delivers online medication management and therapy for an extensive selection of mental health conditions, which include, but are not limited to, anxiety, attention deficit hyperactivity disorder (ADHD), depression, bipolar disorder as well as issues resulting from substance abuse.

Privacy breach disclosed

In the ‘Notice of HIPAA Privacy Breach’ posted on Cerebral’s website, the healthcare provider disclosed that it had been employing invisible pixel trackers from Meta, Google and TikTok, among other third parties on the online services its platform issued since October 2019.

Because of the tracking pixel’s specific data logging features, the mental healthcare provider confirmed that the confidential medical information of platform users was accessible to third party entities without patient permission.

The privacy breach notice explained:

“Cerebral recently initiated a review of its use of Tracking Technologies and data sharing practices involving Subcontractors. On January 3, 2023, Cerebral determined that it had disclosed certain information that may be regulated as protected health information (PHI) under HIPAA to certain third party platforms and some subcontractors without having obtained HIPAA-required assurances.”

The healthcare platform reported the incident on the US Department of Health and Human Services’ dedicated breach portal, stating that a total of 3,179,835 individuals had their personal data exposed as a result of the information spillage.

Patient health data exposed

The data that was disclosed to the subcontractors and tech giants listed as third parties varies for every individual, depending on the details they submitted onto the Cerebral’s online platform.

For instance, some users had only created a user account on Cerebral, while others had completed an online mental self-assessment. Additionally, some users had purchased a subscription plan to Cerebral’s services.

However, Cerebral has listed types of information that may have been exposed by the breach. These include full names, phone numbers, email addresses, dates of birth, Cerebral client ID numbers, IP addresses, subscription plan types, demographic information as well as self-assessment responses and other associated health information.

Additional private data exposed included patient appointment dates, pharmacy benefit and health insurance information, as well as treatment specifics and other sensitive clinical information.

However, Cerebral has clarified that regardless of the level of interaction that users have had with its apps and platforms, their credit card data, Social Security number and banking information have not been compromised.

Now all active trackers on Cerebral’s online platform have been reconfigured or entirely removed to prevent any disclosure of private data to third parties that does not meet the HIPAA requirements.

The healthcare provider has stated that it is unaware of any evidence of misuse of sensitive health information exposed during the breach. However, it has advised that all impacted individuals reset the personal password for their Cerebral user account to exercise caution.

Additionally, Cerebral is covering the costs of credit monitoring for people under threat of identity theft or fraud.