"Cerebral Informing 3.1 Million Individuals of Inadvertent Data Exposure"

Emotional health care provider Cerebral is informing over 3.1 million individuals that their protected health information (PHI) might have been inadvertently exposed via third party tracking technologies on its platforms.  Cerebral noted that it has been using tracking technologies such as those provided by Facebook, Google, TikTok, and others since 2019 but disabled, reconfigured, or removed them after learning that some of the data shared with the third parties also included PHI.  Cerebral stated that, additionally, the sharing of data with all subcontractors that did not meet all HIPAA requirements was promptly disabled.  Before that, however, depending on factors such as individuals’ use of Cerebral platforms, the nature of subcontracted services, and the configuration of the tracking technologies and data capturing platforms, various amounts of personal information were exposed to third parties.  According to the company, for individuals creating a Cerebral account, the exposed information included names, phone numbers, email and IP addresses, birth dates, Cerebral client ID numbers, and other information.  For individuals who also completed portions of Cerebral’s online mental health self-assessment, details on the service, the assessment responses, and certain health information were also exposed.  The company noted that in cases where the individuals also purchased a subscription plan from Cerebral, details on the selected plan, along with appointment dates, treatments, health insurance/pharmacy benefit information, other clinical information, and insurance co-pay amounts, were also exposed.  According to the company, the exposed data did not include Social Security numbers, credit card data, or bank account information.  The company stated that out of an abundance of caution, they are notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account.  Cerebral noted that, in addition to preventing the use of tracking technologies by blocking or deleting cookies in their browsers, the impacted individuals might want to reset their Cerebral account passwords and can adjust their privacy settings on Facebook, Google, and other online platforms.

SecurityWeek reports: "Cerebral Informing 3.1 Million Individuals of Inadvertent Data Exposure"