Cerebral shared 3.1M patients' private health information with advertisers (Google, Facebook, Meta, TikTok)

Cerebral, a mental health-focused startup, has been found to share millions of its users’ data with advertisers, according to a report by TechCrunch. The startup, which offers online therapy and medication services, reportedly shared user data with advertising companies including Facebook, Google, TikTok, and others.

The data shared included sensitive information such as mental health diagnoses, prescription information, and therapy session notes, among other details. This information was reportedly used by advertisers to target users with ads for mental health-related products and services.

Cerebral’s privacy policy does mention that the company may share user data with third-party service providers for various purposes, including advertising, but it is not clear if users were aware of the extent of data sharing that was taking place.

TechCrunch reported that Cerebral did not respond to requests for comment on the matter.

The revelation raises concerns about the privacy and security of sensitive health information, as well as the ethics of using such data for targeted advertising.

Mental health advocates have long warned against the stigmatization of mental health issues, and the use of targeted advertising based on mental health diagnoses could exacerbate this problem.

Health startups: A history of violating your privacy

This is not the first time that a healthcare startup has been found to be sharing user data with advertisers.

Because of how Cerebral and other health startups handle confidential patient data, they are covered under the US health privacy law known as HIPAA. Cerebral’s data lapse is the second-largest breach of health data in 2023, according to the Department of Health and Human Services (HHS).

In 2019, it was reported that the popular period tracking app, Flo, had shared sensitive user data with Facebook and other companies. The company faced backlash and eventually updated its privacy policy to be more transparent about its data sharing practices.

Just weeks ago, the FTC penalized GoodRx with a $1.5 million fine after it was discovered that the startup was sharing patients’ health data with advertisers.

Following an FTC investigation, BetterHelp was ordered to pay customers $8.5 million for mishandling user data for years.

The incidents with Cerebral, Flo, BetterHelp and GoodRx highlight the need for stronger regulations around data privacy and protection, especially when it comes to sensitive health information.

Healthcare startups and companies must be held accountable for their data practices, and users should be informed and have control over how their data is used and shared.

Disclaimer: The author of this article is a current employee of Google. This article does not represent the views or opinions of his employer and is not meant to be an official statement for Google, or Google Cloud.

