Telehealth firm Cerebral fined $7 million over ‘careless’ privacy violations


The Federal Trade Commission (FTC) is proposing a $7 million fine against Cerebral, a mental health telehealth firm that it says not only was careless with patients’ data but actively shared it with third parties for advertising purposes. The company and its CEO, Kyle Robertson, are also accused of lying to customers about how their data is shared and of having a misleading cancellation policy.

The FTC notes that Cerebral shared the sensitive data “of nearly 3.2 million consumers” with third parties like LinkedIn, TikTok, and Snapchat through trackers on its website or apps — something the company admitted to last year. That apparently included details like home and email addresses, phone numbers, pharmacy and health insurance details, and medical history. Many of Cerebral’s ads were misleading, promoting ADHD treatment by, for instance, linking ADHD to obesity.

FTC Chair Lina Khan says Cerebral revealed its patients’ “most sensitive mental health conditions across the internet and in the mail,” so the agency is permanently banning the company “from using any health information for most advertising purposes.” Khan says such a prohibition is a first. Cerebral will also be required to get patients’ consent before sharing their data.

The FTC says Cerebral mailed patients uncovered postcards that included apparent diagnosis and treatment details. The agency also describes lazy security practices that enabled former employees to access patients’ confidential medical records in 2021, while “in numerous instances,” its single sign-on patient portal “exposed confidential medical files” to other patients who were signed on at the same time.

Additionally, the FTC says canceling Cerebral’s services was a “complex, multi-step, and often multi-day process” and not the easy “cancel anytime” policy that Robertson and the company promoted. When the company did make it easier, the FTC says Robertson reversed the change when cancellations went up.

The FTC’s proposed order (PDF) underscores the longstanding murkiness of the telehealth industry’s data handling. Washington state passed a law that requires telehealth firms to get explicit consent before collecting and sharing patient data. But there are no such federal guidelines, at least for now, though lawmakers recently unveiled a new bipartisan privacy law that could change that.

Once the order is approved by the Florida District Court where it’s been filed, Cerebral will be on the hook for $5.1 million in partial refunds for those its cancellation policies affected. It’s also being fined $10 million, but because the company is unable to pay that, most of that will be suspended once it pays $2 million. Cerebral will be required to establish a “comprehensive” data privacy program and report annually on it, and it will be audited every two years for 20 years.
