This week, the Federal Trade Commission hit virtual mental health startup Cerebral with a $7 million fine, accusing the company of mishandling users’ sensitive health data and misleading consumers about cancellation policies.
Cerebral agreed to pay the fine, as well as adhere to a “first-of-its-kind prohibition” that bans the startup from using any health data “for most advertising purposes.”
Cerebral’s less-than-stellar privacy track record
The startup is a mental health platform specializing in the virtual treatment of mental health conditions — mainly ADHD, anxiety and depression. The startup has faced years of criticism about its data privacy practices, as well as some recent legal woes.
In 2022, one of the company’s former executives sued the startup, claiming that it had fired him for calling out the company’s prescribing practices. Matthew Truebe, Cerebral’s ex-vice president of product and engineering, had criticized the company for being too hasty when prescribing young people addictive stimulant drugs like Adderall. His lawsuit came shortly after some Cerebral employees told media outlets that the startup was taking advantage of pandemic-era prescribing regulations that allowed providers to prescribe addictive drugs without requiring an in-person examination.
And in March of last year, the startup publicly admitted that it had wrongfully shared the data of 3.1 million users.
Cerebral notified its users, telling them that it had used pixel tracking technologies since beginning operations in October 2019. After reviewing its use of these tools, the startup found out that it had disclosed its patients’ protected health information to third parties without having obtained the necessary assurances required by HIPAA, Cerebral said in its notice to users.
The following types of information were disclosed in the breach: clinical data about patients’ visits and treatments, mental health self-assessment responses, appointment dates, health insurance/pharmacy benefit information, insurance co-pay amounts, name, phone number, email address, date of birth, IP address, Cerebral client ID number and demographic data.
In its letter to users, Cerebral assured them that it had “promptly disabled, reconfigured, and/or removed” its tracking technologies. It also said that it discontinued data sharing with any third parties that are unable to meet all HIPAA requirements, as well as enhanced its information security practices and technology vetting processes.
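The disclosure described above is the typical tracking-pixel failure mode: a third-party image or script embedded on a patient-facing page makes a request to the vendor's host, and that request carries the page URL (with any query parameters) plus whatever the tag collects. The following Python script is an added example, not Cerebral's code or anything from the FTC filing; it audits an HTML page for third-party beacons whose host is not on an allowlist of vendors operating under HIPAA assurances, and flags page URLs whose query string names a condition or treatment, since those values travel to the third party in the Referer. The host names, the allowlist, the parameter-name heuristic and the sample HTML are all constructed for the demonstration.

```python
"""Audit a patient-facing HTML page for third-party tracking beacons (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hypothetical first-party host and hypothetical vendors covered by a HIPAA business
# associate agreement; a real deployment would load these from its vendor inventory.
FIRST_PARTY_HOSTS = {"example-telehealth.test"}
APPROVED_VENDOR_HOSTS = {"analytics.baa-vendor.test"}

# Elements whose source attribute triggers an outbound request when the page renders.
TRACKING_TAGS = {"img": "src", "script": "src", "iframe": "src"}

# Constructed heuristic: query-parameter names that commonly carry health details.
SENSITIVE_PARAM_NAMES = {"condition", "diagnosis", "medication", "symptom", "treatment"}


class BeaconFinder(HTMLParser):
    """Collect every img/script/iframe whose host is neither first-party nor approved."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        attr_name = TRACKING_TAGS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        host = urlparse(url).hostname
        if host is None:  # relative URL: served by the first party itself
            return
        if host in FIRST_PARTY_HOSTS or host in APPROVED_VENDOR_HOSTS:
            return
        self.findings.append({"tag": tag, "host": host, "url": url})


def sensitive_params(page_url: str) -> list[str]:
    """Return query-parameter names in the page URL that match the sensitive-name heuristic."""
    names = parse_qs(urlparse(page_url).query).keys()
    return sorted(n for n in names if n.lower() in SENSITIVE_PARAM_NAMES)


def audit_page(html: str, page_url: str) -> dict:
    """Combine beacon findings with URL exposure into a single risk rating."""
    finder = BeaconFinder()
    finder.feed(html)
    exposed = sensitive_params(page_url)
    if finder.findings and exposed:
        risk = "high"      # third party receives a URL naming the patient's condition
    elif finder.findings:
        risk = "medium"    # third party receives the visit, but no condition in the URL
    else:
        risk = "low"
    return {
        "third_party_beacons": finder.findings,
        "sensitive_params_in_url": exposed,
        "risk": risk,
    }


# Constructed sample: an intake page that mixes an approved tag with two unvetted beacons.
SAMPLE_PAGE_URL = "https://example-telehealth.test/intake?condition=adhd&step=3"
SAMPLE_HTML = """
<html><body>
<h1>Your assessment</h1>
<img src="/static/logo.png" alt="logo">
<img src="https://pixel.adnetwork.test/collect?ev=pageview" width="1" height="1">
<script src="https://analytics.baa-vendor.test/tag.js"></script>
<script src="https://cdn.social-tracker.test/events.js"></script>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print(f"risk={report['risk']} exposed_params={report['sensitive_params_in_url']}")
    for f in report["third_party_beacons"]:
        print(f"  unvetted {f['tag']} -> {f['host']}")
```

Run against a crawl of every authenticated or intake page, the report gives a security or compliance team a concrete list of hosts to reconcile against signed agreements, which is the kind of technology-vetting check the company's notice says it has since added.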
How the FTC cracked down
In the FTC’s complaint that was filed this week, the agency said that Cerebral violated its users’ privacy by letting their most sensitive mental health conditions become exposed across the Internet. The complaint also alleged that Cerebral exposed patients’ mental health diagnoses via mail as well because the startup sent users uncovered promotional postcards displaying information pertaining to their health conditions and treatments.
To remedy this, the FTC ordered Cerebral to obtain patients’ consent before sharing their data, and also imposed a first-of-its-kind restriction that bans the company from using any health data for most advertising purposes.
The FTC’s complaint also accused Cerebral of misrepresenting its cancellation policies, as well as failing to obtain users’ express informed consent before charging them. To cancel their subscription, users had to “navigate a burdensome, complex, lengthy, multi-step, and often multi-day process,” the complaint read.
In a statement posted Monday, Cerebral said it was “pleased to report” it had reached a settlement agreement with the FTC. In the statement, Cerebral did not expressly admit to wrongdoing when it came to the allegations of deceptive cancellation practices.
“As part of the resolution, Cerebral has agreed to implement enhanced consumer protection, privacy, and compliance measures to further protect the personal information of our clients, increase transparency into our data practices, and implement enhanced data security protocols and tools to allow our clients control over their privacy settings,” the startup’s statement read.
Under the FTC’s proposed order — which must be approved by the Florida District Court where it’s been filed — Cerebral is required to pay nearly $5.1 million for partial refunds for consumers who have been negatively affected by its cancellation policies. The company is also required to pay a $10 million civil penalty, which the FTC will suspend after Cerebral pays $2 million “due to the company’s inability to pay the full amount.”
What does this mean for the industry?
Ray Mina, vice president of marketing at healthcare privacy platform Freshpaint, said what surprised him the most about the FTC’s order was the fact that it included a permanent ban on using consumer data for most marketing efforts.
“Modern day marketing and advertising strategies in consumer channels require data to measure and optimize campaigns. They just won’t work without a data feedback loop. The potential of getting locked out of consumer channels is an existential risk for all healthcare marketers,” he said.
Mina added that Cerebral is not an outlier — he said that most healthcare marketing teams are “working hard with internal legal and compliance teams” to come up with solutions to avoid class action lawsuits and punishment from regulators.
Another healthcare executive — Cecily Harris, former general counsel at Wheel and current general counsel at Atropos Health — said that the Cerebral news wasn’t necessarily surprising.
Since HHS’ Office for Civil Rights’ December 2022 bulletin on the use of online tracking technologies by HIPAA-regulated entities, many telehealth companies have been subject to compliance reviews and investigations. The OCR’s position and increased level of scrutiny into these practices have put some healthcare companies on notice, Harris explained.
“The FTC’s action here, as well as with health systems, demonstrates how serious they are about enforcing the rules when it comes to collecting consumers’ healthcare data. This action also suggests they’ll continue to investigate,” she said. “If they haven’t already, telehealth providers should work with health regulatory counsel to conduct a thorough analysis of their practices around collection and use of health data.”
Photo: gustavofrazao, Getty Images