Cerebral Faces Double Trouble: 3.1 Million Users Affected By Data Breach And Criticism Over Prescribing Practices

Cerebral, a telehealth company, recently notified its 3.1 million users of a data breach that occurred on January 3, 2023. The company revealed protected health information (PHI) to unaffiliated third-party platforms and subcontractors without satisfying the stipulations mandated by the Health Insurance Portability and Accountability Act (HIPAA).The company used “pixels” and other tracking technologies provided by Facebook, TikTok, and Google since 2019.

During a review of its data sharing practices involving subcontractors, Cerebral discovered the breach. The company took prompt action by disabling, reconfiguring, and/or removing the tracking technologies on its platforms. Cerebral also stopped exchanging data with any subcontractors that did not satisfy all HIPAA regulations. In addition, the organization improved its data security procedures and examined technology more carefully to reduce the chance of this type of information being shared going forward.

Users who used Cerebral’s online mental health self-assessment may have had their personal information including name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic information exposed due to the data breach. Moreover, they may have let out details such as the service they used, answers to the assessment, and any health-related information linked to this assessment. Subscribers may have also had the type of subscription plan, appointment dates and booking details, treatment and clinical data, health plan or pharmacy benefit info, and insurance co-payment figure revealed to them.

Cerebral has informed everyone who might have had their information exposed by the breach, giving instructions to those affected on how to make use of free credit monitoring and providing extra advice on defending their data. The company has suggested that those affected check their explanation of benefits, insurance member portal, and other health insurance provider messages to make sure all expenses are valid. Additionally, it is recommended that individuals change their Cerebral user account password and adjust their privacy settings on Facebook, Google, and other platforms to prevent the use of tracking technologies.

In addition to the recent data breach, Cerebral faced legal trouble in the past. Last year, Matthew Truebe, the company’s former vice president of product and engineering, sued Cerebral for wrongful termination. Truebe criticized the company’s prescribing practices and claimed that Cerebral was too hasty in prescribing young people addictive stimulant drugs like Adderall. Some Cerebral employees also accused the startup of taking advantage of pandemic-era prescribing regulations that allowed providers to prescribe addictive drugs without requiring an in-person examination.

These allegations are concerning, as Cerebral’s core business is providing mental health services to its users. The prescribing of addictive drugs without proper examination is a serious breach of medical ethics and could have severe consequences for vulnerable patients. Although the company has not publicly commented on the lawsuit or the allegations, the incident underscores the importance of transparency and ethical practices in the provision of mental health services. Companies must prioritize patient safety and follow established medical protocols.

The data breach serves as a reminder of the importance of data privacy and the need for companies to be vigilant in safeguarding sensitive information. Companies must ensure that they are compliant with data privacy regulations, particularly those related to the handling of PHI, with the proliferation of digital technologies and the increasing use of third-party platforms. Cerebral’s swift response to the breach and the measures it has taken to prevent such incidents in the future is commendable. However, the company must continue to be transparent in its communication with its users and provide regular updates on the steps it is taking to address the breach.