Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

Cerebral Informing 3.1 Million Individuals of Inadvertent Data Exposure

Cerebral is informing 3.1 million individuals that their PHI was inadvertently exposed via third-party tracking technologies.

Emotional health care provider Cerebral is informing over 3.1 million individuals that their protected health information (PHI) might have been inadvertently exposed via third-party tracking technologies on its platforms.

Cerebral has been using tracking technologies – such as those provided by Facebook, Google, TikTok, and others – since 2019, but disabled, reconfigured, or removed them after learning that some of the data shared with the third-parties also included PHI.

Additionally, the sharing of data with all subcontractors that did not meet all HIPAA requirements was promptly disabled, Cerebral says in a data breach notice (PDF).

Before that, however, depending on factors such as individuals’ use of Cerebral platforms, the nature of subcontracted services, and the configuration of the tracking technologies and data capturing platforms, various amounts of personal information were exposed to third-parties.

According to the company, for individuals creating a Cerebral account, the exposed information included names, phone numbers, email and IP addresses, birth dates, Cerebral client ID numbers, and other information.

For individuals who also completed portions of Cerebral’s online mental health self-assessment, details on the service, the assessment responses, and certain health information was also exposed.

In cases where the individuals also purchased a subscription plan from Cerebral, details on the selected plan, along with appointment dates, treatments, health insurance/pharmacy benefit information, other clinical information, and insurance co-pay amounts were also exposed.

According to the company, the exposed data did not include Social Security numbers, credit card data, or bank account information.

Advertisement. Scroll to continue reading.

“Out of an abundance of caution, we are notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account,” the company says.

Cerebral also notes that, in addition to preventing the use of tracking technologies by blocking or deleting cookies in their browsers, the impacted individuals may want to reset their Cerebral account passwords and can adjust their privacy settings on Facebook, Google, and other online platforms.

The company’s data breach notice does not mention a number of impacted individuals, but Cerebral informed the Department of Health and Human Services (HHS) that more than 3.1 million individuals were affected.

Responding to a SecurityWeek inquiry, Cerebral provided the following statement: 

“In December, the Department of Health and Human Services (HHS) issued subregulatory guidance of existing regulations around what constitutes individually identifiable health information (IIHI) and protected health information (PHI) – a clarification that we expect to have significant implications across both the broader healthcare industry and the telehealth industry.

Under the clarified guidance, all data – including the submission of basic user contact information – gathered from a healthcare entity’s website or app should be treated as PHI. We immediately took action to change our data transmission practices and bring them in line with our commitment to patient privacy. Guided by core principles of transparency and respect for our clients’ information, we are committed to correcting historical errors and leading the industry in privacy standards moving forward.”

*Updated with statement from Cerebral

Related: Data of 3 Million Advocate Aurora Health Patients Exposed via Malformed Pixel

Related: Patient Information Compromised in Data Breach at San Diego Healthcare Provider

Related: Data Breach at Louisiana Healthcare Provider Impacts 270,000 Patients

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Data Breaches

Delta Dental of California says over 6.9 million individuals were impacted by a data breach caused by the MOVEit hack.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.