Cerebral Unintentionally Leaks Patient Data to Google, Meta, and TikTok
Table of Contents
- By Steven
- Mar 16, 2023
Cerebral is an online mental health company that's attempting to bring mental health care to patients around the country virtually. The company deals with tens of thousands of patients, and we've just learned that many of those patients may have had their information exposed to companies like Meta, Google, and TikTok. Cerebral is a startup company, and unfortunately, it isn't that unusual for startups to suffer from data issues such as this one.
How Did the Attack Occur?
It isn't accurate to call this Cerebral data leak an cyber attack. The company was utilizing tracking tools from TikTok, Meta, and Google. Those tracking tools shared information with the companies that Cerebral isn't allowed to share. By trying to monitor its campaigns, it leaked confidential information protected by HIPAA and inadvertently damaged its reputation. It's unclear whether this will cause serious damage to the company or not, but it's a violation of its patients' trust, and the company will certainly suffer some reputation damage at the very least.
What Information Was Viewed or Stolen?
Cerebral made the mistake of sharing information protected by HIPAA, such as mental health self-assessments, clinical information, and different treatments, as well as more generic email addresses, phone numbers, full names, IP addresses, and more. This information was all given to Meta, Google, and TikTok because of the tracking software used by Cerebral, and that's a serious violation that could hurt the company and that exposes the many patients that trusted the company.
How Did Business Admit to the Breach?
Cerebral did as little as possible to make it known that this happened. The company put up a small notice on the bottom of its website that overviews the details of the March 2023 data leak. The details spell out all the issues, but few people are likely to see the disclosure because of how Cerebral put up the information. It's similar to the side effects posted on the medication infomercials. Clearly, Cerebral is trying to avoid shouting its mistake to the public. The company has taken immediate steps to avoid sharing this sort of information in the future, but the damage is already done to so many patients.
What Will Become of the Stolen Information?
While it's unlikely that the three major companies with the user information will use it for fraud, there is no way to take the leaked data back from the organizations. They are free to utilize the medical data any way they like, and it could be used for advertising and other forms of monetary gain if the companies decide to do so.
What Should Affected Parties Do in the Aftermath of the Breach?
Affected parties in the Cerebral fallout should reconsider whether or not they want to trust their medical information to other online companies, especially startups such as Cerebral. Startup companies are known for being bad at protecting customer data, and that's exactly the case in Cerebral's situation. Customers can take their business away from Cerebral if they feel strongly about the situation, but there aren't many other changes they have available to implement.