Cerebral, a mental health telehealth firm, claims it accidentally exposed the personal information of more than 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers.

The startup has acknowledged in a post published on its website that it has been utilizing monitoring tools that have revealed a slew of patient data since at least October 2019.

Patients' names, contact information, email addresses, birth dates, IP addresses, insurance details, appointment schedules, medication, and more were all compromised due to the error, as TechCrunch first reported. In certain cases, this may have revealed customers' responses to the company's mental health self-assessment, which is used to set up treatment sessions and provide medicines.

Tracking Pixels

According to Verge, Cerebral claims this information was leaked via tracking pixels, which are small pieces of code that platforms like Meta, TikTok, and Google made available to app and website builders. For instance, after clicking an ad on a website, the Meta Pixel may follow a user's activities on a website or app and even their online form submissions.

Although this is useful for businesses like Cerebral to see how people respond to their advertising across different platforms and what they do next, it also provides valuable data to other firms like Meta, TikTok, and Google.

Cerebral has said that the information made public may vary from patient to patient based on variables such as what activities people performed on Cerebral's platforms, the services offered by subcontractors, the settings of tracking systems, and more.

The organization promises to contact anyone impacted and assures the public that no matter how a person is connected with Cerebral's platform, no sensitive data was compromised, such as social security numbers or credit and bank account details.

Cerebral claims it has "disabled, reconfigured, and/or removed" any tracking pixels from the platform. Since discovering the vulnerability issue in January, it has improved its information security standards and technology vetting processes.

Also Read: New Senate Bill Seeks Better Health Data Protection Following Roe v. Wade Reversal

Probable Violations

HIPAA, or the Health Insurance Portability and Accountability Act, mandates that Cerebral report any suspected breaches to the appropriate authorities. To put it simply, this rule prevents healthcare practitioners from sharing their patients' personal health information with anybody other than the patient or a person specifically authorized by the patient to receive such data.

The US Department of Justice's (DOJ) Office for Civil Rights is presently looking into the breach, which follows other cases using pixel-tracking programs.

The DOJ and the Drug Enforcement Administration are also looking into Cerebral's prescription of restricted medications, including Adderall and Xanax, in addition to investigating the possibility that the company has broken HIPAA standards. The company has now stopped selling these drugs, Verge said.

Also Read: Xenco Medical Named One of the World's Most Innovative Companies by Fast Company Magazine