Telehealth startup Cerebral has revealed that it shared the private health information, including mental health assessments, of over 3.1 million US patients with advertisers and social media giants such as Facebook, Google, and TikTok. The startup, which collects patients' personal and health information, shared data in real time by embedding trackers and other data-collecting code within its apps.
The app's users were largely unaware of this tracking: they had accepted the app's terms of use and privacy policies, which many people do not read. Cerebral has since removed the tracking code from its apps, but tech giants are not obligated to delete the data shared with them. This security lapse is the second-largest breach of health data in 2023 and has caused concern among patients and regulators.

This news comes just weeks after the US Federal Trade Commission fined GoodRx for sharing patients' health data with advertisers and ordered BetterHelp to pay customers for mishandling user data. Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, highlighted the common trend of tech firms missing the mark on user data privacy and transparency on data-sharing:
"Tech firms over the last few years have been exposed as sharing data with other companies and the government when they absolutely should not have been doing so. Unfortunately, privacy is not a cornerstone of today's tech startups. It is especially disappointing when we find that a telehealth startup is sharing personal medical information.
Unfortunately, customer data is the currency used on the internet these days, and companies like Cerebral are compromising our privacy, security, and safety. We've seen exposure of data sharing that, along with what seems like daily data breaches, puts us all at risk."