FTC Bans Online Mental Health Firm From Sharing Certain Data
Proposed Action Also Orders Cerebral Inc. to Pay $7M Penalty

The Federal Trade Commission has proposed restricting a mental telehealth service firm from sharing consumer data and requiring it to pay a $7 million penalty to settle allegations that the firm used online tracking tools to unlawfully disclose sensitive health information to third-party advertisers without the patients' consent.
The FTC, in its complaint against Cerebral Inc. and the company's former CEO Kyle Robertson, alleges unfair or deceptive practice violations of the FTC Act and the Opioid Act, which pertains to substance use disorder treatment services.
The FTC also alleges the firm failed to honor its easy cancellation promises to consumers.
The FTC's proposed order against Cerebral, filed in federal court by the Department of Justice on Monday, seeks to restrict how the company can use or disclose sensitive consumer data and calls for the company to pay more than $7 million in penalties, including $5.1 million to partially refund consumers affected by the company's deceptive cancellation practices.
The proposed order must be approved by the U.S. District Court for the Southern District of Florida before it can go into effect.
Cerebral in a statement said it is "pleased" it has reached an agreement to close the FTC's investigation of the company.
"Cerebral has been transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy," the company said.*
The FTC's action against Cerebral follows a data breach the company reported to the U.S. Department of Health and Human Services in March 2023 as affecting nearly 3.2 million individuals.
The incident involved the company's use of website tracking tools to share sensitive patient information with third parties including Facebook, Google and TikTok - without the individuals' consent (see: Not-So-Cerebral Sharing of Mental Health Data Hits Millions).
"Through the use of tracking tools, Cerebral gave third parties personal data about its users including names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information," according to the FTC's complaint.
Among other provisions, the FTC's proposed order would:
- Permanently ban Cerebral from using or disclosing consumers' personal and health information to third parties for most marketing or advertising purposes;
- Require the company to obtain consumers' consent before disclosing consumers' personal and health information to outside parties;
- Prohibit Cerebral from misrepresenting its privacy and data security practices;
- Require the company to implement a comprehensive privacy and data security program;
- Require Cerebral to implement a data retention schedule;
- Require the company to delete most consumer data not used for treatment, payment or healthcare operations unless consumers consent to its retention;
- Prohibit Cerebral from misrepresenting its cancellation policies or practices;
- Require the company to provide consumers with an easy method to cancel services.
The proposed order against Cerebral follows several similar FTC actions against other firms in health data privacy cases over the last year or two, including cases involving the use of online trackers.
The FTC has taken enforcement actions against at least two other telehealth providers - BetterHelp and GoodRx - plus mobile fertility app vendor Premom in cases involving those companies' use of tracking tools that shared consumers' sensitive health and personal information with third-party analytics and social media firms without individuals' consent.
The FTC alleged those companies' use of online trackers amounted to unfair acts or practices in violation of Section 5 of the FTC Act. In the enforcement actions against GoodRx and Premom, the FTC also alleged the companies had violated the FTC's health data breach notification rule (see: Feds Warn Hospitals, Telehealth Firms About Web Tracker Use).
Earlier this month, the FTC finalized an order prohibiting data broker X-Mode and its successor Outlogic from sharing or selling any sensitive location data.
The action settled allegations that the company sold precise location data that could be used to track people's visits to sensitive locations such as medical and reproductive health clinics and places of worship.
*April 16, 2024 11:09 UTC - Updated to add Cerebral's statement.