Telehealth firm Cerebral faces $7m FTC fine over privacy


A proposed order by the Federal Trade Commission (FTC) would impose a $7 million fine on telehealth company Cerebral in connection with charges that it disclosed its customers’ personal health information and other sensitive data to third parties for advertising.

The order (PDF) – which has now been filed by the Justice Department – also accuses the company of failing to honour promises made to customers about easy cancellation. It must be approved by a court before it can go into effect, but if it is, it will be the first of its kind involving a telehealth provider.

Cerebral offers online mental health services, including sessions with therapists for conditions like anxiety, depression, insomnia, and substance use disorders, personalised treatment plans, medication prescribing, and an online pharmacy. It was formed in 2020 and claims to have signed up more than 750,000 customers.

According to court documents, Cerebral has admitted to sharing the data of nearly 3.2 million consumers with around two dozen external companies, including social media firms such as Facebook/Meta and TikTok, and other businesses such as Google, in violation of their data privacy.

That included information like their full names, phone numbers, email addresses, birth dates, insurance information, and medical history. On sign-up, users of the service were asked to fill out a detailed questionnaire that also included other personal data, such as their religious or political beliefs, or sexual orientation.

The company also “failed to provide patients with a simple means to cancel their subscriptions and stop recurring charges,” according to the FTC’s complaint, which says it took “millions of dollars from vulnerable consumers, including patients suffering from mental health problems, for subscriptions after they had asked it to cancel those subscriptions.”

Around $5 million of the fine will go towards repaying those customers, with the remainder being the maximum that Cerebral can afford to pay as part of a $10 million civil penalty.

It is also accused of sending out promotional postcards, which were not in envelopes and included names, addresses, and details of mental health conditions, in a “careless marketing” effort, and of allowing former employees to access user data. Former chief executive Kyle Robertson is also named in the complaint.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC chair Lina Khan.

“To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

Now, Cerebral will be required to get patients’ explicit consent before sharing their data, according to the regulator, but the case exposes the difficulties in regulating how telehealth companies make use of patients’ data.

US lawmakers recently introduced a bipartisan bill, the American Privacy Rights Act (PDF), which would shore up consumers’ rights to control how their data is used and give them greater powers of redress if those rights are violated.

Robertson was ousted by Cerebral’s board in 2022 when news of the FTC’s investigation into the company emerged, and was replaced by chief medical officer Dr David Mou. Robertson has not agreed to a settlement, and the charges against him will be decided by the court.

Photo by Towfiqu barbhuiya on Unsplash