Cerebral disclosure shows vulnerability of online mental health data, risk of tracking tools
A company that provides online therapy services acknowledged last week that its customers’ sensitive health information had been sent to third-party firms, illustrating the risks for mental health data and calling attention to a problematic privacy practice.
The telehealth provider, Cerebral, sent letters to more than 3 million users on March 6 about the incident, then followed that with a notice to the Department of Health and Human Services. The company had been sharing user data with Google, Facebook parent Meta, TikTok and others via tracking “pixels.”
“On January 3, 2023, Cerebral determined that it had disclosed certain information that may be regulated as protected health information,” the notice reads, with the information ranging from IP addresses to what services someone selected.
The privacy practices of Cerebral and two other telehealth companies had already drawn congressional attention. Cerebral also is facing scrutiny from HHS under a law that governs exposure of health-care information.
Cerebral said it began using the trackers when it began operations in 2019. Such trackers can often provide information with few checks to outside companies. According to an HHS list of cases it’s investigating that involve unsecured protected health information, the 3.2 million affected individuals makes it the second-biggest case so far this year.
The incident could face scrutiny by regulators like the Federal Trade Commission, as data protection officer and privacy lawyer Whitney Merrill (a former FTC attorney) notes:
Online therapy company BetterHelp reached a settlement with the FTC last week for $7.8 million for sharing health data with third parties for advertising reasons. The FTC also barred it from sharing the health data going forward.
Dozens of telehealth companies have used tracking tools like the ones used by Cerebral, the Markup and STAT jointly reported in December.
“I thought I was at this point hard to shock,” Ari Friedman, an emergency medicine physician at the University of Pennsylvania and digital health privacy researcher, told the publications in response to their findings. “And I find this particularly shocking.”
Last month, five senators sent letters to the heads of Cerebral, Monument and Workit, which were mentioned in the Markup/STAT story.
“Recent reports highlight how your company shares users’ contact information and health care data that should be confidential,” the letter from Sens. Amy Klobuchar (D-Minn), Susan Collins (R-Maine), Maria Cantwell (D-Wash.) and Cynthia M. Lummis (R-Wyo.) reads. “This information is reportedly sent to advertising platforms, along with the information needed to identify users. This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally.”
The senators asked the three companies to provide a list of all the trackers they used, what questions users might be asked and more.
The Senate Homeland Security and Governmental Affairs Committee is also set to hold a hearing on cyber risks to the health care sector on Thursday.
Cerebral’s notice, alerting of the “privacy breach” under the Health Insurance Portability and Accountability Act, outlined what it has done in response. That includes offering free credit monitoring, a common standard response to data breaches that consumer advocates say doesn’t go far enough.
“Upon learning of this issue, Cerebral promptly disabled, reconfigured, and/or removed the Tracking Technologies on Cerebral’s Platforms to prevent any such disclosures in the future and discontinued or disabled data sharing with any Subcontractors not able to meet all HIPAA requirements,” Cerebral said. “In addition, we have enhanced our information security practices and technology vetting processes to further mitigate the risk of sharing such information in the future.”
Malicious hackers have a history of going after mental health information. Such data can also be valuable to advertisers.
The Cerebral case follows an incident last month where a ransomware gang, Vice Society, published a trove of the Los Angeles Unified School District’s current and former student mental health records on the dark web.
In one of the most prominent cases involving the breach of mental health records, hackers who stole data about tens of thousands of patients from Finish psychotherapy practice Vastaamo tried to extort ransoms out of individual patients.
Privacy attorneys say that exposed mental health data could cause reputational harm if it involves things like substance abuse treatment information. And telehealth services saw a big jump in usage as a result of the coronavirus pandemic.
House leaders ask for information on breach of congressional health insurance platform
The FBI and U.S. Capitol Police are investigating the breach of D.C. health insurance marketplace DC Health Link, which is used by thousands of people — including members of Congress and their staff, multiple outlets report. Top House lawmakers are also asking for answers.
House Speaker Kevin McCarthy (R-Calif.) and Minority Leader Hakeem Jeffries (D-N.Y.) sent a letter to Mila Kofman, the DC Health Benefit Exchange Authority’s executive director, last Wednesday after the breach was confirmed, Margaret Barthel reported for DCist. They requested answers about when the group will be notifying affected users about their stolen data and asked for additional steps about how to safeguard the exchange, among other things.
The data that was stolen contained the info of a former national security official, as well as employees of lobbying firms, CyberScoop reporters AJ Vicens and Tonya Riley reported last week. “The leaked data includes names, email addresses, dates of birth, home addresses, social security numbers and details about insurance policies,” they write in the story.
SEC reaches settlement with Blackbaud over misleading ransomware disclosures
South Carolina-based data management software firm Blackbaud agreed to pay $3 million to the U.S. Securities and Exchange Commission to settle charges over misleading claims about a 2020 ransomware attack, David Jones of Cybersecurity Dive reports.
The SEC said the company failed to notify regulators in an August 2020 quarterly report about the scope of a ransomware attack that occurred a month earlier. In July, the company said ransomware attackers did not access Social Security numbers and bank account details. When employees found that sensitive information was stolen, they didn’t tell upper management, according to the SEC.
Blackbaud “failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, who leads the SEC Enforcement Division’s Crypto Assets and Cyber Unit, said in a statement.
In a statement from Blackbaud CFO Tony Boor that was provided to Jones, Boor said the company “is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the commission as the company continuously improves its reporting and disclosure policies.”
Leaked draft law highlights Cambodian government’s move to expand censorship authority
A leaked proposal of a new cybersecurity law would expand the Cambodian government’s ability to seize equipment, initiate searches and prosecute entities that are unable to mitigate cybersecurity threats, Rest of World’s Fiona Kelliher reports.
The 13-page draft law — which was dated Sept. 2, 2022 — wasn’t previously made public, and experts said the bill’s authority expands to both local and international companies, Kelliher writes.
Cambodia in 2018 reportedly faced an increased in hacking attempts leading up to its national elections. Critics said the draft law is meant to protect the current Cambodian regime, and some said it could be abused as the country’s government seeks to crack down on critics ahead of the country’s next round of national elections in July. The law is meant to apply to the majority of public and private entities operating in Cambodia who provide services in sectors such as banking and finance, telecommunications and health care.
Cambodia’s Ministry of Post and Telecommunications would oversee the law. A spokesperson from the ministry told Kelliher “the law is still in draft, and the team is working hard to review the comments from all stakeholders.”
- The Senate Homeland Security and Governmental Affairs Committee will hold a 10 a.m. hearing Thursday to examine cybersecurity risks in the health-care sector.
Thanks for reading. See you tomorrow.