FTC Fines Cerebral $7M for Medical Data Breach

The US Federal Trade Commission (FTC) has imposed a fine of more than $7 million on Cerebral, a provider of telemedicine services in the field of mental health, for disclosing confidential user information for advertising purposes. The company was also separately banned from using or disclosing customers' personal data for the same purpose in the future.

The FTC has accused Cerebral and its former CEO, Kyle Robertson, of violating confidentiality and misleading customers about its service cancellation policy. The company claimed to offer “safe, protected, and unobtrusive” services without disclosing that user data would be shared with third parties.

According to the FTC, Cerebral embedded tracking tools on its websites and applications that transmitted data from almost 3.2 million users to platforms like LinkedIn, Snapchat, and TikTok. The transmitted data included names, medical information, addresses, phone numbers, dates of birth, demographics, IP addresses, insurance details, and other personal information.

The FTC also revealed that former Cerebral employees still had access to customer medical records after being dismissed, because of an oversight in reviewing staff access permissions. This unauthorized access occurred from May to December 2021.

Additionally, the company is accused of sending advertising postcards without envelopes to customers, revealing patient names and information that could expose their diagnosis and treatment to anyone who saw the cards.

Under the proposed order, which awaits federal court approval, Cerebral is required to implement a comprehensive privacy and data security program. The company must also post a notification on its website regarding the FTC order, establish a data retention schedule, and delete most consumer data not essential for treatment, payment, or healthcare operations unless users give consent.

This case is part of a wider FTC crackdown on medical service providers that in recent years have shared highly sensitive user data with analytics and social platforms without consent.
