Cerebral faces $7M FTC penalty over alleged health data security failures

The FTC’s proposed order prohibits Cerebral from disclosing consumer health data to third parties for advertising purposes and requires it to implement a comprehensive data security program.

By Jill McKeon

Under a proposed order from the Federal Trade Commission (FTC), online mental healthcare platform Cerebral will be restricted from disclosing consumers’ personal health information to third parties for advertising purposes and from misrepresenting its privacy and data security practices.

Cerebral will also be required to provide customers with a simpler way to cancel services, following allegations that the company and its former CEO, Kyle Robertson, broke their privacy promises to consumers and were misleading about the service’s cancellation policies.

This marks the second proposed order the FTC has issued this month relating to a telehealth platform. The FTC recently banned Monument, an alcohol addiction treatment service, from disclosing its users’ personal health data to third-party advertisers, following allegations that Monument improperly shared health data with companies such as Meta and Google without consumer consent.

In Cerebral’s case, the company reported a data breach to HHS in 2023 that had impacted more than 3.1 million individuals. The breach resulted from Cerebral’s use of tracking pixels, which it had used in its operations from the time it launched in October 2019 until 2023, when it conducted a review of its data-sharing practices.

The FTC’s complaint alleged that Cerebral’s use of tracking tools on its website and app gave third parties personal information about its users, including names, prescription histories, home and email addresses, IP addresses, and health insurance information.

What’s more, the complaint alleged that Cerebral engaged in careless marketing tactics, including sending promotional postcards without envelopes that clearly stated patient names and potentially diagnosis information to anyone who saw them. The FTC also claimed that the company failed to ensure only providers accessed patient records, allowing former employees to access confidential medical records.

Other alleged failures included using insecure access methods and failing to implement proper training procedures related to the handling of sensitive health data. According to the FTC, Cerebral and Robertson violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in deceptive practices related to substance use disorder treatment services.

Cerebral also allegedly violated the Restore Online Shoppers’ Confidence Act (ROSCA) by making customers go through a multi-step process to cancel their services, resulting in millions in additional charges.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

If approved by a federal court, the proposed order will require Cerebral to pay nearly $5.1 million to provide partial refunds to consumers affected by its deceptive cancellation policies. Cerebral also faces a $10 million civil penalty, which will be capped at $2 million due to the company’s inability to pay the full amount. The settlement applies only to Cerebral; former CEO Robertson has not agreed to a settlement at this time.

In addition to the monetary penalties, Cerebral will be permanently banned from disclosing consumer health data to third parties for most advertising purposes, and consent must be obtained before doing so. Additionally, Cerebral must post a notice on its website alerting consumers to these allegations and implement a comprehensive data security and privacy program to address these complaints.

In response, Cerebral posted a statement on its website stating that the FTC’s investigation into the company is now closed, and said that it had been “transparent and fully cooperative throughout the investigation.”

“The settlement allows Cerebral to move forward with a continued focus on our mission of building a new era of mental healthcare with a safe and secure platform for our clients,” the statement continued. “We look forward to continuing to be a trusted provider of high-quality mental health care to all those who need it most.”