Cerebral Fined $7 Million by FTC for Privacy and Security Violations

The Federal Trade Commission (FTC) has proposed a $7.1 million penalty for the mental healthcare platform provider Cerebral and has ordered the company not to disclose consumer data for advertising purposes without consent, not to misrepresent its data security and privacy practices to consumers, to place a notice on its website to inform consumers about the FTC order, and to implement a comprehensive data security and privacy program.

The financial penalty could have been far worse. The FTC proposed a $10 million penalty but suspended $8 million due to the inability of Cerebral to pay. In addition to the $2 million civil monetary penalty, Cerebral is required to pay out $5.1 million in partial refunds to consumers who have been affected by its deceptive business practices. If the FTC learns that Cerebral has misrepresented its financial position, the suspended $8 million will also need to be paid.

Cerebral was investigated by the FTC after it reported a breach of the protected health information of 3.1 million individuals to the HHS in 2023. Cerebral used tracking technologies on its website from October 2019, when the company was launched, until 2023. The tracking technologies were disclosing protected health information to third parties such as Meta and Google; the privacy violations were identified when the company conducted a review of its data sharing practices in 2023. According to the FTC, the tracking technologies on the Cerebral website disclosed consumers’ sensitive information to third parties such as LinkedIn, Snapchat, and TikTok for advertising purposes, including names, email addresses, home addresses, IP addresses, health insurance information, prescription information, mental health conditions, and other health information. While these disclosures were reported to the HHS’ Office for Civil Rights as HIPAA violations, the FTC took action over Cerebral’s deceptive business practices, which violated the FTC Act.

In addition to breaking its promises to consumers that their sensitive information would be protected and would not be disclosed without consent, the FTC alleged that Cerebral and its then CEO, Kyle Robertson, misled consumers about its cancellation policy by failing to clearly disclose all material terms of that policy before charging consumers, which violated the Restore Online Shoppers’ Confidence Act (ROSCA). The FTC also alleged a violation of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), as Cerebral engaged in deceptive practices related to its substance use disorder treatment services.

The FTC also alleged that Cerebral and Robertson failed to ensure that providers could only access the records of their own patients, failed to restrict access to patient records to employees who needed it, lacked proper policies and procedures regarding training on the handling of sensitive data, and failed to implement adequate access controls, which allowed former employees to continue to access confidential medical records. In addition, the company’s single sign-on method exposed patient records to other patients who signed in at the same time. The FTC also alleged that the company engaged in careless marketing tactics: postcards were sent to more than 6,000 patients without envelopes, revealing the patient’s diagnosis and treatment to anyone who saw them.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

Cerebral said it has been “transparent and fully cooperative throughout the investigation,” and agreed to the settlement with the FTC. “The settlement allows Cerebral to move forward with a continued focus on our mission of building a new era of mental healthcare with a safe and secure platform for our clients,” according to a company spokesperson. “We look forward to continuing to be a trusted provider of high-quality mental health care to all those who need it most.”

The FTC’s proposed order was filed in federal court in Florida and now awaits approval from a District Court judge.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/