Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

Cerebral Informing 3.1 Million Individuals of Inadvertent Data Exposure

Cerebral is informing 3.1 million individuals that their PHI was inadvertently exposed via third-party tracking technologies.

Emotional health care provider Cerebral is informing over 3.1 million individuals that their protected health information (PHI) might have been inadvertently exposed via third-party tracking technologies on its platforms.

Cerebral has been using tracking technologies – such as those provided by Facebook, Google, TikTok, and others – since 2019, but disabled, reconfigured, or removed them after learning that some of the data shared with the third-parties also included PHI.

Additionally, the sharing of data with all subcontractors that did not meet all HIPAA requirements was promptly disabled, Cerebral says in a data breach notice (PDF).

Before that, however, depending on factors such as individuals’ use of Cerebral platforms, the nature of subcontracted services, and the configuration of the tracking technologies and data capturing platforms, various amounts of personal information were exposed to third-parties.

According to the company, for individuals creating a Cerebral account, the exposed information included names, phone numbers, email and IP addresses, birth dates, Cerebral client ID numbers, and other information.

For individuals who also completed portions of Cerebral’s online mental health self-assessment, details on the service, the assessment responses, and certain health information was also exposed.

Advertisement. Scroll to continue reading.

In cases where the individuals also purchased a subscription plan from Cerebral, details on the selected plan, along with appointment dates, treatments, health insurance/pharmacy benefit information, other clinical information, and insurance co-pay amounts were also exposed.

According to the company, the exposed data did not include Social Security numbers, credit card data, or bank account information.

“Out of an abundance of caution, we are notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account,” the company says.

Cerebral also notes that, in addition to preventing the use of tracking technologies by blocking or deleting cookies in their browsers, the impacted individuals may want to reset their Cerebral account passwords and can adjust their privacy settings on Facebook, Google, and other online platforms.

The company’s data breach notice does not mention a number of impacted individuals, but Cerebral informed the Department of Health and Human Services (HHS) that more than 3.1 million individuals were affected.

Responding to a SecurityWeek inquiry, Cerebral provided the following statement: 

“In December, the Department of Health and Human Services (HHS) issued subregulatory guidance of existing regulations around what constitutes individually identifiable health information (IIHI) and protected health information (PHI) – a clarification that we expect to have significant implications across both the broader healthcare industry and the telehealth industry.

Under the clarified guidance, all data – including the submission of basic user contact information – gathered from a healthcare entity’s website or app should be treated as PHI. We immediately took action to change our data transmission practices and bring them in line with our commitment to patient privacy. Guided by core principles of transparency and respect for our clients’ information, we are committed to correcting historical errors and leading the industry in privacy standards moving forward.”

*Updated with statement from Cerebral

Related: Data of 3 Million Advocate Aurora Health Patients Exposed via Malformed Pixel

Related: Patient Information Compromised in Data Breach at San Diego Healthcare Provider

Related: Data Breach at Louisiana Healthcare Provider Impacts 270,000 Patients

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.