Security Experts:

Connect with us

Hi, what are you looking for?


Data Breaches

Cerebral Informing 3.1 Million Individuals of Inadvertent Data Exposure

Cerebral is informing 3.1 million individuals that their PHI was inadvertently exposed via third-party tracking technologies.

Emotional health care provider Cerebral is informing over 3.1 million individuals that their protected health information (PHI) might have been inadvertently exposed via third-party tracking technologies on its platforms.

Cerebral has been using tracking technologies – such as those provided by Facebook, Google, TikTok, and others – since 2019, but disabled, reconfigured, or removed them after learning that some of the data shared with the third-parties also included PHI.

Additionally, the sharing of data with all subcontractors that did not meet all HIPAA requirements was promptly disabled, Cerebral says in a data breach notice (PDF).

Before that, however, depending on factors such as individuals’ use of Cerebral platforms, the nature of subcontracted services, and the configuration of the tracking technologies and data capturing platforms, various amounts of personal information were exposed to third-parties.

According to the company, for individuals creating a Cerebral account, the exposed information included names, phone numbers, email and IP addresses, birth dates, Cerebral client ID numbers, and other information.

For individuals who also completed portions of Cerebral’s online mental health self-assessment, details on the service, the assessment responses, and certain health information was also exposed.

In cases where the individuals also purchased a subscription plan from Cerebral, details on the selected plan, along with appointment dates, treatments, health insurance/pharmacy benefit information, other clinical information, and insurance co-pay amounts were also exposed.

According to the company, the exposed data did not include Social Security numbers, credit card data, or bank account information.

“Out of an abundance of caution, we are notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account,” the company says.

Cerebral also notes that, in addition to preventing the use of tracking technologies by blocking or deleting cookies in their browsers, the impacted individuals may want to reset their Cerebral account passwords and can adjust their privacy settings on Facebook, Google, and other online platforms.

The company’s data breach notice does not mention a number of impacted individuals, but Cerebral informed the Department of Health and Human Services (HHS) that more than 3.1 million individuals were affected.

Responding to a SecurityWeek inquiry, Cerebral provided the following statement: 

“In December, the Department of Health and Human Services (HHS) issued subregulatory guidance of existing regulations around what constitutes individually identifiable health information (IIHI) and protected health information (PHI) – a clarification that we expect to have significant implications across both the broader healthcare industry and the telehealth industry.

Under the clarified guidance, all data – including the submission of basic user contact information – gathered from a healthcare entity’s website or app should be treated as PHI. We immediately took action to change our data transmission practices and bring them in line with our commitment to patient privacy. Guided by core principles of transparency and respect for our clients’ information, we are committed to correcting historical errors and leading the industry in privacy standards moving forward.”

*Updated with statement from Cerebral

Related: Data of 3 Million Advocate Aurora Health Patients Exposed via Malformed Pixel

Related: Patient Information Compromised in Data Breach at San Diego Healthcare Provider

Related: Data Breach at Louisiana Healthcare Provider Impacts 270,000 Patients

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.


Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.

Data Breaches

Companies affected by the recent Mailchimp data breach have started notifying customers. The list includes WooCommerce, FanDuel, Yuga Labs and the Solana Foundation.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.

Data Breaches

Google Fi informs customers about a data breach related to the recent T-Mobile cyberattack and some users claim they were targeted in a SIM...