UPDATE: Class action lawsuit filed over Cerebral’s admission to sharing protected health information through invisible ad trackers.
On March 6, 2023, Cerebral began sending emails to users of its platforms, admitting that it uses pixels and other similar tracking technologies on its mobile applications and websites to share personal user data, protected health data, and financial data.
Depending on a patient’s engagement with Cerebral and how their Internet browser or mobile device was configured, this highly personal information may have been disclosed to social media sites and others using ad trackers from Google, Meta (Facebook), TikTok, and others.
Cerebral has been disclosing this sensitive data since 2019.
Cerebral stated that on January 3, 2023, it “determined that it had disclosed certain information that may be regulated as protected health information (“PHI”) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances.” Cerebral has assured users that the disclosed information did not include Social Security numbers, credit card information, or bank account information.
Class Action Lawsuit Filed Against Cerebral
On March 11, 2023, a class action lawsuit was filed by Plaintiffs John and Jane Doe alleging that Cerebral violated numerous provisions of California law, including the Comprehensive Computer Data Access and Fraud Act and the Confidential Medical Information Act. These statutes provide statutory damages ranging from $1,000 to $5,000 per violation.
The proposed class is defined as all persons in the United States whose user data were collected through Meta Pixel or other third-party trackers from any Cerebral-controlled website since January 1, 2017.
The class action lawsuit was filed in the United States District Court for the Central District of California under the caption John and Jane Doe v. Cerebral Inc., C.D. Cal. Case No. 2:23-cv-01828-FMO-MAA. The lawsuit is in the process of being consolidated with several other lawsuits.
Cerebral Inc. has not yet filed an appearance in the lawsuit or responded to the claims.
What Protected Health Information Was Disclosed?
Depending on how users interacted with the Cerebral platforms and how their devices were configured, Cerebral said the following information might have been disclosed.
- If a user created a Cerebral account, the information disclosed might have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic information.
- If a user completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included selected services, assessment responses, and certain associated health information.
- If a user also purchased a subscription plan from Cerebral, the information disclosed may also have included subscription plan type, appointment dates and other booking information, treatment and other clinical information, health insurance/pharmacy benefit information (for example, plan name and group/member numbers), and insurance co-pay amount.
Cerebral has said that it has “disabled, reconfigured, and/or removed” the offending trackers and “discontinued or disabled” data shared with entities unable to meet all HIPAA requirements.
Whether this means data will still be shared with certain Cerebral business partners is unclear. Cerebral is offering certain users complimentary access to Experian IdentityWorks℠ for one year.
The company also suggests that users take a variety of precautions in light of these protected health information disclosures, including:
- Blocking or deleting cookies or using browsers that support privacy-protecting operations, such as “incognito” mode
- Adjusting privacy settings on Facebook, Google, and other platforms
- Changing any Cerebral user account password
- Monitoring any explanation of benefits (EOB), insurance member portal, and other communications from health insurance to confirm that all charges are appropriate, and
- Remaining vigilant against identity theft and fraud and reviewing your account statements.
On February 2, 2023, two members of the United States Senate sent a letter to Cerebral, Inc. in which they “express our concern regarding reports that Cerebral is tracking and sharing sensitive and personally-identifiable health data with third-party social media and online search platforms such as Google and Facebook that monetize this data to target advertisements,” using what is known as the Meta Pixel tracking cookie. What is of particular concern is that Cerebral’s website was used by more than 200,000 patients in 2020 and 2021 alone.
Cerebral operates through its website at cerebral.com. It claims to be “a mental health telemedicine company that is democratizing access to high-quality mental health care for all.”
Cerebral also offers services for those with alcohol dependence and monthly subscriptions for medication and therapy for mental health conditions, including ADHD, anxiety, and depression. The San Francisco-based company has been valued at $4.8 billion after a $300 million funding round last December.
Cerebral’s website asks patients to answer questions covering conditions such as depression, anxiety, and bipolar disorder. Although Cerebral’s website claims that information entered on these intake forms is confidential and secure, this information is reportedly sent to advertising platforms, along with the necessary information to identify users. This data is highly personal and can be used to target advertisements for services that may be unnecessary or that, according to the US Senate, may be “potentially harmful physically, psychologically, or emotionally.”
This Senate request for information comes shortly after the FTC brought a groundbreaking enforcement action against telehealth and prescription discount company GoodRx and obtained a $1.5 million penalty and an agreement barring the company from sharing users’ sensitive health data with third-party advertisers.
On November 30, 2022, a spokesperson for Cerebral wrote in an email, “We are removing any personally identifiable information, including name, date of birth, and zip code, from being collected by the Meta Pixel,” suggesting that before that date, it was providing third-party advertisers access to that information. However, as late as December 7, 2022, Cerebral’s website still collected personally identifiable information. Tracking such private information also could reveal sensitive and personal material leading to other forms of privacy and security breaches.
This is not the first allegation of privacy-related issues made against Cerebral. In a lawsuit filed in California state court in April 2022, a former Cerebral employee alleged he was fired in retaliation for objecting to the company’s plans to “egregiously put profits and growth before patient safety” after he raised several concerns to Cerebral leadership during his time at the company. The Complaint also alleges that Cerebral does not adhere to regulations concerning the privacy and security of patient data and that “employees and former employees could gain unauthorized access to confidential patient medical information,” potentially compromising tens of thousands of patient records.
And on August 19, 2022, a related medical provider group, Cerebral Medical Group PA, notified the US Department of Health and Human Services about a security breach involving over 6,100 patients stemming from unauthorized access and disclosure of certain types of patient information.
If you have used Cerebral’s services over the last two years, your personal information may have been disclosed to third-party advertisers such as Facebook and Google without your informed authorization or consent.
Privacy Laws Protect Your Personal Information
California’s privacy laws specifically protect your personal information. These laws include the following:
- The California Customer Records Act requires businesses to implement and maintain reasonable security procedures and practices to protect consumers’ personal information.
- In 2018, California passed the California Consumer Privacy Act (CCPA). This law has many protections for the personal information of California residents.
- The California Legislature also enacted the Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502 (“CDAFA”) to “expand the degree of protection afforded . . . from tampering, interference, damage, and unauthorized access to [including the extraction of data from] lawfully created computer data and computer systems,” finding and declaring that “the proliferation of computer technology has resulted in a concomitant proliferation of . . . forms of unauthorized access to computers, computer systems, and computer data,” and that “protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals . . .” Cal. Penal Code § 502(a).
- The Confidential Medical Information Act (CMIA) also protects confidential health-related information, depending on the materials accessed. It is unclear at this time whether the information provided to companies due to the use of the Meta Pixel violated that law. The CMIA requires a health care provider, health care service plan, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a way that preserves the confidentiality of the information within those records.
The CMIA defines “medical information” to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or has any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or other information that reveals the individual’s identity.
Despite the above California laws, you may only be awarded compensation with legal assistance. You may be entitled to between $100 and $5,000 or more, or your actual damages, whichever is greater, depending on which California laws may have been violated by this conduct.
Participants can recover damages, injunctive relief (to ensure the business has reasonable security practices to protect consumer data), and anything else necessary to compensate victims and prevent these harms from occurring again.
Experienced class action attorneys can help you exercise your rights, evaluate your options and decide whether you are entitled to compensation. You have no out-of-pocket costs; we only get paid if we prevail.
You Have Important Legal Rights Under California’s CCPA
The CCPA also provides consumers with other essential rights. These include:
- The right to see, for free, a copy of the personal data a business has collected about you.
- The right to discover why a business has collected your personal information, what it has shared (by category), who it was collected from (by source type), and who it has shared your data with (by category).
Cerebral Class Action Lawsuit
Identity theft is on the upswing because this data has significant value, as evidenced by what Cerebral has done to allow companies like Facebook and Google to access your personal information.