The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.<\/p>\n
Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive consumer data, as well as require it to provide consumers with a simple way to cancel services.<\/p>\n
After a data breach in 2023 Cerebral disclosed<\/a> that it had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 2019.<\/p>\n A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That\u2019s nice for the advertisers, but the combined information of all these pixels potentially provides a company with an almost complete picture of your browsing behavior and a lot of information about you.<\/p>\n The FTC statement<\/a> claims that by using these tracking pixels, which are invisible to the website visitor unless they look at the underlying code, Cerebral provided the sensitive information of nearly 3.2 million consumers to these third parties.<\/p>\n The complaint points out that to get consumers to sign up for Cerebral’s services and to provide detailed personal data, the company claimed to offer \u201csafe, secure, and discreet\u201d services, saying that users\u2019 data would be kept confidential.<\/p>\n Also, according to the complaint, the company specifically claimed in many instances that it would not share users\u2019 data for marketing purposes without obtaining people’s consent.<\/p>\n Many organizations are unclear about how much information the social media companies behind the tracking pixels can gather. In the Notice of HIPAA Privacy Breach<\/a> Cerebral disclosed that the following data were potentially exposed:<\/p>\n Among other penalties, Cerebral has to refund $5.1 million to customers who were impacted by deceptive cancellation practices and pay a $10 million civil penalty, limited to $2 million due to Cerebral’s inability to pay the full amount.<\/p>\n The number of breaches concerning health information is shocking. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the US Department of Health and Human Services Office for Civil Rights publishes a list of breaches<\/a> that reveal unsecured protected health information affecting 500 or more individuals.<\/p>\n We have reported<\/a> about similar cases that involved tracking pixels. Research done by TheMarkup<\/a> in June of 2022 showed that Meta\u2019s pixel showed up on the websites of 33 of the top 100 hospitals in America.<\/p>\n There are some actions you can take if you are, or suspect you may have been, the victim of a data breach<\/a>.<\/p>\n Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it\u2019s best to give the one you most frequently use) to our\u00a0free Digital Footprint scan<\/a>\u00a0and we\u2019ll give you a report and recommendations.<\/p>\n<\/p>\n\n
Protecting yourself from a data breach<\/h2>\n
\n
Check your digital footprint<\/h2>\n