Telehealth company Cerebral has reportedly shared private patient data with Google, Meta, and TikTok, according to recent news reports.
The company, which provides online therapy and medication management services, shared information on 3.1 million patients, including their names, dates of birth, and medical histories. The data was shared with the tech companies for advertising purposes.
Cerebral's disclosure at the bottom of its website states that the exposed information may include:
- Phone number
- Email address
- Date of birth
- IP address
- Cerebral client ID number
- Demographic information
- Service selected
- Assessment responses
- Associated health information
- Subscription plan type
- Appointment dates and other booking information
- Treatment and other clinical information
- Health insurance/pharmacy benefit information (for example, plan name and group/member numbers)
- Insurance co-pay amount
Why it matters:
The sharing of private patient data with third-party companies raises serious concerns about patient privacy and the security of medical information.
While sharing data can help companies target ads more effectively, it also risks patient confidentiality and harms patients' trust in the healthcare system. Companies that collect sensitive medical information are expected to be transparent about how that information is being used and to protect patients' privacy rights.
What they're saying:
Cerebral's actions have drawn criticism from privacy advocates, who argue that patient data should be treated as confidential and protected under the Health Insurance Portability and Accountability Act (HIPAA).
Andrea Downing, who has done extensive research on pixel tracking and privacy, said patients are often unaware of how much personal data healthcare startups collect and potentially transmit to other parties.
While Cerebral has stated that it did not violate HIPAA regulations, some experts have raised concerns that the company may have violated patients' privacy rights by sharing their data without explicit consent.
Sharing private patient data with third-party companies is a growing concern in the healthcare industry. Regulators are likely to look closely at companies that engage in these practices.
Patients should know the risks of sharing their medical information with online healthcare providers. They should take steps to protect their privacy, such as reading privacy policies and asking providers how their data will be used.
The bottom line:
While companies like Cerebral can provide valuable telehealth services, they must keep patient data confidential and protected from unauthorized access. Patients should be able to trust that their medical information will be used only for legitimate purposes and that their privacy rights will be respected.
As the healthcare industry continues to evolve, it is important for all involved to ensure patient privacy is maintained and that the benefits of technology are balanced against potential risks.
Steps to stay protected:
- Use secure communication platforms: Make sure that the telehealth service you are using offers secure communication channels, such as encrypted, HIPAA-compliant email, encrypted messaging, or video conferencing software. Avoid using unsecured public Wi-Fi networks when communicating with healthcare providers.
- Opt out of targeted advertising: If a telehealth provider uses targeted advertising, consider opting out of these programs. This can help prevent your health information from being shared with third-party advertisers.
- Limit the information you share: When using a telehealth service, only share information that is necessary for your healthcare needs. Avoid sharing sensitive information that is not directly related to your treatment.
- Choose reputable providers: Choose telehealth providers that have a proven track record of protecting patient privacy and are transparent about their data-sharing practices.