FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations
The Federal Trade Commission (FTC) has fined the mental health startup Cerebral $7.1 million for consumer privacy violations and deceptive trading practices. The $7.1 million financial penalty resolves allegations that the mental health telehealth company and its former CEO, Kyle Robertson, broke its privacy promise to consumers by impermissibly disclosing their sensitive personal and health information to third parties for advertising purposes, misled consumers about its cancellation process, and failed to protect sensitive health data. The proposed FTC order includes a requirement for Cerebral to refrain from disclosing consumers’ data to third parties for advertising purposes without consent and for the company to provide an easy way for consumers to cancel its services.
One of the most important factors for consumers when choosing a mental health care provider is privacy. Consumers need to be able to discreetly discuss highly sensitive mental health problems and be sure that the information disclosed is kept private and confidential. The FTC alleged that Cerebral claimed it provided safe, secure, and discreet services but failed to clearly inform consumers that their sensitive data would be shared with third parties. As a result of the information sharing, consumers could be targeted with advertisements related to the information they disclosed to Cerebral in confidence.
Cerebral had disclosed its data sharing practices in its privacy policies; however, those privacy policies were dense and the information about data sharing practices was deeply buried making it likely that consumers would not see it. Further, Cerebral claimed in multiple areas that it would not share consumer data with third parties for advertising purposes without their consent. According to the FTC complaint, Cerebral shared the sensitive data of almost 3.2 million consumers with third parties such as Snapchat, LinkedIn, and TikTok via tracking tools embedded in its websites and apps, which amounted to a deceptive business practice that violated the FTC Act.
The information disclosed to those third parties included names, addresses, email addresses, phone numbers, birth dates, IP addresses, medical and prescription histories, pharmacy and health insurance information, other types of health information, and other personal data such as religious and political beliefs and sexual orientation. That information was also available internally to Cerebral staff, with access to customer data not restricted to the employees who needed to view that information. Between May 2021 and December 2021, former employees could continue to access consumer information and the company failed to ensure that healthcare providers could only access their own patients’ records.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The FTC complaint alleged that Cerebral engaged in sloppy marketing practices. For instance, 6,000 postcards were mailed to patients that included patients’ names and language that would reveal their diagnosis and treatment to others, rather than using envelopes and Cerebral used a Single Sign-on solution that exposed patient data to other patients when they signed into the patient portal at the same time.
The FTC also alleged that Cerebral and its CEO violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) due to engaging in unfair and deceptive practices regarding substance use disorder treatment services and violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of its cancellation policies before charging consumers. The alleged deceptive practices started while Robertson was CEO and continued after his tenure.
The FTC order has yet to be approved by the U.S. District Court for the Southern District of Florida. If approved, in addition to the financial penalty and ban on disclosing sensitive data for advertising purposes, Cerebral is required to post a notice on its website alerting consumers about the FTC order, delete consumer data that is not being used for either treatment, payment, or healthcare operations if users have not consented to those uses, provide consumers with a mechanism to request that their data is deleted, and adopt a data retention schedule.
The financial penalty includes $5.1 million to provide partial refunds to customers affected by its deceptive cancellation policies. A $10 million civil monetary penalty has also been imposed, which will be suspended after $2 million has been paid due to the inability of the company to pay the full amount.
“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”
“Cerebral has been transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy,” explained Cerebral in a statement about the FTC order.
The FTC has also recently ordered the alcohol addiction treatment firm Monument to stop disclosing consumer information to third parties for advertising purposes without consent.
