Telehealth company Cerebral has reached a $7 million settlement with the Federal Trade Commission (FTC) following allegations it mishandled users’ sensitive health information.

The settlement stems from Cerebral’s use of Facebook tracking pixels, which inadvertently shared patient data.

In March 2023, the company sent out notices of data breach to 3.2 million people who had interacted with its websites, applications, and services, that their information had been exposed due to using tracking pixels on its platform.

“The complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat, and TikTok by using or integrating tracking tools on its website or apps,” reads the announcement.

“These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps.”

Buy Me a Coffee

Moreover, the agency says the company used an insecure single sign-on method to access the patient portal, and Cerebral’s failure to restrict employee access only to the data needed for carrying out their job tasks.

The proposed order, pending court approval, includes the following provisions:

  • Refund of $5,100,000 to customers who were impacted by deceptive cancellation practices.
  • $10M civil penalty, limited to $2,000,000 due to Cerebral’s inability to pay the full amount.
  • Permanent ban on sharing health data with third parties for marketing and advertising purposes.
  • Require consent from consumers before disclosing their personal and health data to any third parties.
  • Prohibit Cerebral from misrepresenting its data security and privacy practices.
  • Implement a comprehensive data security and privacy program.
  • Post a notice on its website detailing the complaint and required actions.
  • Implement a data retention schedule, delete unnecessary consumer data unless consented to be retained, and provide a clear data deletion request mechanism.
  • Prohibit misrepresentations of cancellation policies and simplify the cancellation process for consumers.
READ
WhatsApp Introduces Exciting Upgrades for Calls

Former CEO Robertson, who is accused of ordering the removal of an “easy cancellation” button from Cerebral’s site, has not agreed to a settlement, so the court will decide about his charges.

(ref: Bleepingcomputer)