Cerebral will pay a $7 million settlement in the Facebook Pixel data leak case.
The United States Federal Trade Commission has reached a settlement with telehealth startup Cerebral under which the company will pay $7 million to resolve charges that it mishandled sensitive health data.
Cerebral is a telehealth provider that offers online therapy and medication management for a range of mental health conditions, including anxiety, depression, ADHD, bipolar disorder, and substance misuse.
In March 2023, the company notified 3.2 million people who had interacted with its websites, applications, and services of a data breach, stating that their information had been exposed to third parties through the platform's use of tracking pixels.
The FTC's complaint accuses Cerebral and its former CEO, Kyle Robertson, of disclosing consumers' personal health information to third parties for advertising purposes and of failing to honor the company's own cancellation policies.
"The complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps," according to the news release.
"These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps."
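The mechanism behind that kind of leak is easy to model. The following is an added illustration, not Cerebral's code and not any vendor's real pixel SDK: a typical tracking snippet reads the current URL (path and query string included), the page title, and, with "automatic" form tracking enabled, whatever the visitor types into forms, and ships all of it to the vendor. On a telehealth site the path alone can name a condition. The vendor endpoint, domains, paths and field names below are constructed for the example, and the hardened variant shows the minimum a practitioner would want: no beacon without consent, condition-revealing path segments and the query string stripped, and identifying or clinical fields never leaving the page.

```javascript
// Added example: a minimal model of a third-party tracking pixel on a telehealth
// page, the naive integration beside a hardened one, and an audit helper that
// lists what a beacon would disclose. Not Cerebral's code; all names are
// hypothetical and the sample page and form are constructed.

const VENDOR_ENDPOINT = "https://tracker.example/collect"; // hypothetical vendor

// Assumed taxonomy: identifiers and clinical context that must stay first-party.
const SENSITIVE_FIELDS = new Set([
  "email", "phone", "dob", "condition", "medication", "diagnosis", "symptoms",
]);
// Assumed URL segments that reveal what a visitor is seeking care for.
const CONDITION_SEGMENTS = new Set([
  "anxiety", "depression", "adhd", "bipolar", "substance-use",
]);

// Naive integration: mirrors what "automatic" event collection in a pixel does.
// It copies the full URL, the page title and every field the user has filled in.
function naiveBeacon(page, formValues) {
  return {
    endpoint: VENDOR_ENDPOINT,
    url: page.url,
    title: page.title,
    fields: { ...formValues },
  };
}

// Hardened integration: nothing is sent without consent; condition-naming path
// segments and the query string are removed; the title is dropped because it
// usually names the condition too; sensitive fields are filtered out.
// Returns null when no beacon should be sent at all.
function hardenedBeacon(page, formValues, consentGranted) {
  if (!consentGranted) return null;
  const u = new URL(page.url);
  const path = u.pathname
    .split("/")
    .map((seg) => (CONDITION_SEGMENTS.has(seg.toLowerCase()) ? "_" : seg))
    .join("/");
  const fields = {};
  for (const [name, value] of Object.entries(formValues)) {
    if (!SENSITIVE_FIELDS.has(name)) fields[name] = value;
  }
  return { endpoint: VENDOR_ENDPOINT, url: u.origin + path, fields };
}

// Audit helper: list every part of a beacon payload that would disclose identity
// or health context to the vendor. Usable as a unit test on a real integration.
function leaks(beacon) {
  if (beacon === null) return [];
  const found = [];
  const u = new URL(beacon.url);
  for (const seg of u.pathname.split("/")) {
    if (CONDITION_SEGMENTS.has(seg.toLowerCase())) found.push(`path:${seg}`);
  }
  for (const key of u.searchParams.keys()) {
    if (SENSITIVE_FIELDS.has(key)) found.push(`query:${key}`);
  }
  if (beacon.title) {
    for (const seg of CONDITION_SEGMENTS) {
      if (beacon.title.toLowerCase().includes(seg)) found.push(`title:${seg}`);
    }
  }
  for (const name of Object.keys(beacon.fields)) {
    if (SENSITIVE_FIELDS.has(name)) found.push(`field:${name}`);
  }
  return found;
}

// Constructed sample: an intake page whose URL, title and form all reveal the
// condition, and whose query string carries the visitor's e-mail address.
const SAMPLE_PAGE = {
  url: "https://telehealth.example/anxiety/intake?email=pat%40example.org",
  title: "Anxiety assessment",
};
const SAMPLE_FORM = { email: "pat@example.org", condition: "anxiety", plan: "monthly" };

console.log(leaks(naiveBeacon(SAMPLE_PAGE, SAMPLE_FORM)));
// [ 'path:anxiety', 'query:email', 'title:anxiety', 'field:email', 'field:condition' ]
console.log(leaks(hardenedBeacon(SAMPLE_PAGE, SAMPLE_FORM, true)));
// []
```

The point of the `leaks` helper is that the naive payload discloses the condition three separate ways (path, title, form field) even before the e-mail address is counted, so a fix that only scrubs form fields is not enough; the URL the pixel fires from has to be considered part of the payload.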
The FTC's announcement also lists other alleged practices that exposed sensitive health data to varying degrees: failing to revoke former employees' access to patient records, and failing to silo providers so that each could see only their own patients' records.
The agency further alleges that Cerebral used an insecure single sign-on mechanism for its patient portal and did not limit staff access to the data needed for their job duties.
The proposed order, which is pending court approval, includes the following provisions:
- $5.1 million in refunds to customers harmed by the deceptive cancellation practices.
- A $10 million civil penalty, reduced to $2 million because of Cerebral's inability to pay the full amount.
- A permanent ban on sharing health data with third parties for marketing or advertising purposes.
- A requirement to obtain customers' consent before disclosing any personal or health data to third parties.
- A prohibition on misrepresenting its data security and privacy practices.
- A requirement to establish a comprehensive data security and privacy program.
- A requirement to post a notice on its website explaining the FTC's allegations and the actions the order requires.
- A requirement to implement a data retention schedule, delete consumer data it no longer needs unless the consumer has consented to its retention, and provide a clear process for data deletion requests.
- A prohibition on misrepresenting cancellation terms, together with a simpler cancellation process for customers.
Former CEO Robertson, who is accused of directing the removal of an "easy cancellation" button from Cerebral's website, has not agreed to a settlement, so the allegations against him will be decided by the court.
Source: Bleeping Computer