
    Breaking News: Facebook Data Leak Spurs Million-Dollar Settlement for Cerebral!

    FTC Settles with Telehealth Company Over Mishandling of Sensitive Health Data

    The U.S. Federal Trade Commission (FTC) recently announced a $7 million settlement with telehealth firm Cerebral for allegedly mishandling the personal health information of 3.2 million consumers.

    The Background of Cerebral and its Alleged Misconduct

    Cerebral is a remote telehealth company that offers online therapy and medication management for mental health conditions such as anxiety, depression, ADHD, Bipolar Disorder, and substance abuse. In March 2023, the company notified individuals who had used its websites, applications, and services that their information had been exposed due to the use of tracking pixels on its platform.

    The FTC complaint charges Cerebral and its former CEO, Kyle Robertson, with disclosing consumers’ sensitive health information to third parties for marketing and advertising purposes, and failing to adhere to its cancellation policies. The agency alleges that Cerebral provided this information to third parties, including LinkedIn, Snapchat, and TikTok, by using tracking tools on its website and apps. These tools collect and send data to third parties for the purpose of advertising, data analytics, and other services.

    Alleged Misconduct and Bad Practices by Cerebral

    The FTC’s announcement also outlines other practices by Cerebral that resulted in varying levels of exposure of personal health information for consumers. These include:

    • Failure to revoke access to Cerebral patient records for former employees
    • Failure to silo providers and restrict their access to only their patients’ records
    • Using an insecure single sign-on method for accessing the patient portal
    • Failure to restrict employee access to only the data necessary for their job tasks

    Provisions of the Settlement

    The proposed settlement includes several provisions that Cerebral must follow, pending court approval. These include:

    • Refund of $5.1 million to customers impacted by deceptive cancellation practices
    • Civil penalty of $10 million, with a cap of $2 million due to Cerebral’s inability to pay the full amount
    • A permanent ban on sharing health data with third parties for marketing purposes
    • A requirement to obtain consent from consumers before disclosing their personal and health data to any third parties
    • A prohibition on misrepresenting data security and privacy practices
    • Implementation of a comprehensive data security and privacy program
    • Posting a notice on its website detailing the complaint and required actions
    • Adherence to a data retention schedule, with deletion of unnecessary consumer data unless consumers consent to its retention, and implementation of a clear data deletion request mechanism
    • Prohibition of misrepresentations of cancellation policies and simplification of the cancellation process for consumers

    Robertson, the former CEO accused of ordering the removal of an “easy cancellation” button from Cerebral’s website, has not agreed to a settlement. The court will make a decision about his charges.

    Protecting Consumer Privacy and Data Security

    This recent settlement emphasizes the importance of organizations adhering to data privacy and security laws, such as the Act and the Privacy Rule. It serves as a reminder for companies to take comprehensive measures to safeguard sensitive information and be transparent with consumers about their data practices.

    To learn more about how to protect your personal and health data, visit ’s website or consult with a qualified healthcare provider.
