Wouldn’t you think a big company like Cerebral Health wouldn’t need help being HIPAA compliant?
The telehealth startup, which specializes in mental health, says it inadvertently shared the sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers, as reported earlier by TechCrunch.
In a notice posted on the company’s website, Cerebral admits to exposing a laundry list of patient data with the tracking tools it’s been using as far back as October 2019.
The affected information includes patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment information, and more. It may have even exposed the answers clients filled out as part of the mental health self-assessment on the company’s website and app, which patients use to schedule therapy appointments and receive prescription medication.
Cerebral Violating HIPAA
According to Cerebral, this information got out through tracking pixels, the small snippets of code from Meta, TikTok, and Google that developers embed in their apps and websites to connect them to those platforms. Websites frequently use these monitoring technologies for advertising purposes, and it is also common for that use to result in data breaches and, yes, HIPAA violations.
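The mechanism the paragraph describes is worth seeing concretely: a pixel is loaded from a vendor host (or inlined as a small script), and it typically reports the current page URL, so anything in that URL, such as an appointment or assessment parameter, travels with the beacon. The script below is an added example, not code from the article or from Cerebral; it audits a page's HTML for third-party script, image and iframe loaders and for inlined pixel calls, then checks whether the page URL carries PHI-looking parameters. The first-party host, tracker host list, inline markers, sample HTML and sample URL are all constructed assumptions for illustration.

```python
"""Audit a page for third-party tracking loaders and PHI-bearing URL parameters.

Added example: the host list, inline markers, sample HTML and URL are constructed
for illustration and are not taken from the article or from Cerebral.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed first-party origin of the patient portal.
FIRST_PARTY_HOSTS = {"portal.example-health.test"}

# Constructed map of well-known analytics/ad-tech hosts to the product they serve.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}

# Heuristic markers for pixel code that is inlined rather than loaded via src.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google gtag", "ttq.": "TikTok Pixel"}

# Query-parameter name fragments that commonly carry PHI-like values (constructed list).
SENSITIVE_TOKENS = ("name", "email", "phone", "dob", "diagnosis", "provider",
                    "appointment", "assessment", "score")


class TrackerScanner(HTMLParser):
    """Record every script/img/iframe source outside the first-party origin,
    plus inline scripts that contain a known pixel call."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlsplit(src).hostname          # None for relative URLs
        if host and host not in FIRST_PARTY_HOSTS:
            self.findings.append((tag, host, KNOWN_TRACKER_HOSTS.get(host, "unknown third party")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers a <script> body as one data chunk, so each block is checked once.
        if self._in_script:
            for marker, vendor in INLINE_MARKERS.items():
                if marker in data:
                    self.findings.append(("inline-script", marker, vendor))


def sensitive_url_params(url):
    """Return the sorted query-parameter names that look like PHI.
    Pixels typically report the full page URL, so these values would travel with the beacon."""
    names = {name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(n for n in names if any(tok in n.lower() for tok in SENSITIVE_TOKENS))


def audit_page(html, url):
    """Combine both checks: exposure is plausible only when a third-party loader
    and PHI-like URL data are present on the same page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    params = sensitive_url_params(url)
    return {
        "third_party": scanner.findings,
        "sensitive_params": params,
        "phi_exposure_risk": bool(scanner.findings) and bool(params),
    }


# Constructed sample: a scheduling page with a gtag loader, an inlined Meta Pixel
# call, its <noscript> fallback image, and an appointment URL with PHI-like parameters.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script>
  fbq('init', 'PLACEHOLDER_PIXEL_ID');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView&noscript=1"/></noscript>
</head><body>Schedule your appointment</body></html>
"""
SAMPLE_URL = ("https://portal.example-health.test/schedule"
              "?provider=dr-smith&appointment=2023-03-01&assessment_score=17&utm_source=ads")

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, SAMPLE_URL)
    for finding in report["third_party"]:
        print("third-party loader:", finding)
    print("PHI-like URL parameters:", report["sensitive_params"])
    print("exposure risk:", report["phi_exposure_risk"])
```

Running it against the sample reports four third-party findings (the gtag loader, the inlined gtag and fbq calls, and the Meta fallback image) and three PHI-like parameters, so the page is flagged. The static scan is a starting point for a vetting process: it will not see loaders injected at runtime by a tag manager, so pairing it with a Content-Security-Policy that restricts script-src, img-src and connect-src to approved origins is the enforcement half.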
After initially finding the security hole in January, Cerebral says it has “disabled, reconfigured, and/or removed” any of the tracking pixels on the platform to prevent future exposures and has “enhanced” its “information security practices and technology vetting processes.”
Cerebral is required by law to disclose potential violations of HIPAA (Health Insurance Portability and Accountability Act). HIPAA bars healthcare providers from disclosing patient information to anyone other than the patient or parties the patient has authorized to receive information about their health. The Cerebral breach is currently under investigation by the US Office for Civil Rights (OCR), following similar incidents involving pixel-tracking tools.
Senators on the Cerebral Breach
The Cerebral breach struck a chord with Senators Maria Cantwell, Amy Klobuchar, Susan Collins, and Cynthia Lummis. They made Cerebral the poster child of pixel breaches, asking Cerebral to list all inquiries that patients might be subjected to and whether any information has ever been shared that might identify a patient as seeking treatment for a particular mental health or substance abuse issue.
Additionally, they requested that Cerebral commit to safeguarding patient privacy and providing patients with plain, understandable language about the precise categories of information that will be shared with third parties and their intended uses.
The OCR of the Department of Health and Human Services (HHS) provided advice on using website tracking technologies to companies subject to HIPAA regulations last year. OCR confirmed that organizations covered by HIPAA are not allowed to share protected health information (PHI) using these tracking technologies unless:
- prior consent has been obtained from individuals;
- a valid business associate agreement (BAA) is in place with the provider of the technology; and
- the HIPAA Privacy Rule permits the disclosure explicitly.
The use of this tracking technology on health applications and websites has also caught the attention of the Federal Trade Commission (FTC) as a result of this breach.
HIPAA and Cookies
As healthcare becomes increasingly interconnected, web tracking can be easy to overlook but can also introduce additional risks to patient privacy.
Officially referred to as “tracking cookies,” these snippets are embedded on many websites and are used to track and collect data from website visitors. This data helps organizations deliver better consumer experiences, define custom audiences, and analyze website conversions. It does the same in the healthcare world.
HHS issued a bulletin in December 2022 warning about the use of cookies and data tracking technologies, since they can lead to HIPAA violations. This bulletin serves as a reminder to take certain measures, such as contractual safeguards, into account, particularly when pursuing a business relationship with a Business Associate (BA), Covered Entity (CE), or a third-party collector of PHI.
When starting any business transaction or hiring a third-party data collector, it is important to consider the consequences of improper data collection, sharing of PHI, and HIPAA violations. The HHS bulletin makes it very apparent that special attention must be paid to PHI that is ordinarily collected online through portals or mobile applications.