Emotional health care provider Cerebral is informing over 3.1 million individuals that their protected health information (PHI) might have been inadvertently exposed via third-party tracking technologies on its platforms.
Cerebral has been using tracking technologies – such as those provided by Facebook, Google, TikTok, and others – since 2019, but disabled, reconfigured, or removed them after learning that some of the data shared with the third-parties also included PHI.
Additionally, the sharing of data with all subcontractors that did not meet all HIPAA requirements was promptly disabled, Cerebral says in a data breach notice (PDF).
Before that, however, depending on factors such as individuals’ use of Cerebral platforms, the nature of subcontracted services, and the configuration of the tracking technologies and data capturing platforms, various amounts of personal information were exposed to third-parties.
According to the company, for individuals creating a Cerebral account, the exposed information included names, phone numbers, email and IP addresses, birth dates, Cerebral client ID numbers, and other information.
For individuals who also completed portions of Cerebral’s online mental health self-assessment, details on the service, the assessment responses, and certain health information was also exposed.
In cases where the individuals also purchased a subscription plan from Cerebral, details on the selected plan, along with appointment dates, treatments, health insurance/pharmacy benefit information, other clinical information, and insurance co-pay amounts were also exposed.
According to the company, the exposed data did not include Social Security numbers, credit card data, or bank account information.
“Out of an abundance of caution, we are notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account,” the company says.
Cerebral also notes that, in addition to preventing the use of tracking technologies by blocking or deleting cookies in their browsers, the impacted individuals may want to reset their Cerebral account passwords and can adjust their privacy settings on Facebook, Google, and other online platforms.
The company’s data breach notice does not mention a number of impacted individuals, but Cerebral informed the Department of Health and Human Services (HHS) that more than 3.1 million individuals were affected.
Responding to a SecurityWeek inquiry, Cerebral provided the following statement:
“In December, the Department of Health and Human Services (HHS) issued subregulatory guidance of existing regulations around what constitutes individually identifiable health information (IIHI) and protected health information (PHI) – a clarification that we expect to have significant implications across both the broader healthcare industry and the telehealth industry.
Under the clarified guidance, all data – including the submission of basic user contact information – gathered from a healthcare entity’s website or app should be treated as PHI. We immediately took action to change our data transmission practices and bring them in line with our commitment to patient privacy. Guided by core principles of transparency and respect for our clients’ information, we are committed to correcting historical errors and leading the industry in privacy standards moving forward.”
*Updated with statement from Cerebral
Related: Data of 3 Million Advocate Aurora Health Patients Exposed via Malformed Pixel
Related: Patient Information Compromised in Data Breach at San Diego Healthcare Provider
Related: Data Breach at Louisiana Healthcare Provider Impacts 270,000 Patients