The US Federal Trade Commission (FTC) has barred the mental health telemedicine company Cerebral from using or disclosing personal data for advertising purposes.
The company was also fined more than $7 million for disclosing users' sensitive personal health information and other data to third parties for advertising purposes and for failing to honor its easy deletion policies.
“Cerebral and its former CEO, Kyle Robertson, repeatedly broke privacy promises to consumers and misled them about the company’s deletion policies,” the FTC said in a press release.
While claiming to offer “safe, secure, and discreet” services to get consumers to sign up and provide their information, the company, the FTC alleges, did not clearly disclose that the information would be shared with third parties for advertising purposes.
The agency also accused the company of burying its data sharing practices in dense privacy policies and of engaging in deceptive practices by claiming that it would not share users’ data without their consent.
The company is said to have provided the sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by integrating into its websites and apps tracking tools designed to provide advertising and data analytics functions.
The information included names; medical and prescription histories; home and email addresses; phone numbers; dates of birth; demographic information; IP addresses; information on pharmacies and health insurance; and other health information.
The FTC complaint also accused Cerebral of failing to implement adequate security measures by allowing former employees to access users’ medical records from May to December 2021, using insecure access methods that exposed patient information, and failing to restrict access to consumer data to only the employees who needed it.
“Cerebral sent promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards,” the FTC said.
Under the proposed order, pending approval by a federal court, the company was barred from using or disclosing consumers’ personal and health information to third parties for marketing purposes and was ordered to implement a comprehensive privacy and data security program.
Cerebral was also required to post a notice on its website alerting users to the FTC’s order, as well as adopt a data retention schedule and delete most consumer data not used for processing operations, payment or healthcare unless consumers have consented. It must also provide a mechanism that allows users to delete their data.
The development comes just days after the FTC prohibited alcohol addiction treatment company Monument from disclosing health information to third-party platforms such as Google and Meta for advertising without users’ permission, as it did between 2020 and 2022 despite claims that such data would be “100% confidential.”
The New York-based company was ordered to notify users of the disclosure of their health information to third parties and to ensure that any shared data was deleted.
“Monument failed to deliver on its promises and actually disclosed user health information to third-party advertising platforms, including highly sensitive data revealing that its customers were receiving help to recover from alcohol addiction,” the FTC said.
Over the past year, the FTC has announced similar enforcement actions against healthcare providers such as BetterHelp, GoodRx, and Premom for sharing user data with third-party social media and analytics companies without their consent.
It also warned Amazon against using patient data for marketing purposes after the company finalized its $3.9 billion acquisition of primary care practice One Medical.