Posted On March 10, 2023 Consumer Privacy & Data Breaches
March 10, 2023 – After discovering that the company’s use of certain online tracking technologies known as pixels led to the unauthorized disclosure of sensitive customer data, Cerebral Inc. filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights on March 1, 2023. According to the firm’s report, the breach led to illegal access to client names, phone numbers, addresses, protected health information, replies to mental health assessments, and insurance information. After confirming that user data had been exposed, Cerebral started notifying the 3.1 million people impacted by this latest data security issue.
The Cerebral data leak is currently being looked into by the data breach lawyers at Console & Associates, P.C. We are providing free consultations where we can go over your legal options for obtaining compensation from Cerebral, Inc. if you have received a breach notice and are curious about the dangers of identity theft and what you can do to protect yourself.
Cerebral Inc., a Walnut, California-based provider of mental health telehealth, serves people with conditions like depression, anxiety, ADHD, bipolar disorder, PTSD, insomnia, and others with medication management, therapy, and counseling. Established in 2020, Cerebral Inc. now employs more than 4,500 individuals and brings in about $660 million in revenue annually.
Both the company’s filing with the Office for Civil Rights of the U.S. Department of Health and Human Services and a notification published on the Cerebral Inc. website provide the information that is known about the breach. These sources claim that Cerebral started using different tracking technologies in October 2019 to learn more about how visitors use the company website. However, on January 3, 2023, Cerebral discovered that by using these monitoring tools, it had divulged some patient data without first getting consent, in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
After learning that private customer information had been made available to an unauthorized party, Cerebral Inc. started looking through the affected files to identify what information had been compromised and which customers were impacted. Consumers’ names, phone numbers, addresses, protected health information, replies to mental health assessments, and insurance information may all have been compromised, though the specifics vary by individual.
On March 1, 2023, Cerebral Inc. sent data breach notification letters to all individuals who were affected by the leak.
Hackers are able to carry out a wide range of offenses with the data that was exposed in the Cerebral, Inc. data breach. They are free to conduct any number of crimes themselves or to sell the information to others on the dark web who want to commit those crimes.
The types of harm that could be caused by the information discovered during the security mishap are virtually limitless. Hackers may use your details to make unauthorized charges to your accounts and credit cards, among other things. They could also use your information to register for new credit cards and loans. Names and Social Security numbers, which were involved in the Cerebral data breach, along with dates of birth and addresses, among other details, can often be readily found in public profiles and are all the information they need to apply for new credit cards.
Hackers can use your information to conduct other types of identity theft besides financial theft. They may steal medical identities as well. They can obtain medical care in your name and burden you with medical debt if they have access to all of your protected health information. Additionally, inaccurate details about your medical history or medications may compromise your medical records.
The consumer privacy lawyers at Console & Associates, P.C. help customers affected by data and security breaches pursue legal solutions by offering free consultations. By explaining your rights in clear, concise terms, we help you make an informed decision about your next steps. If you are a victim of the Cerebral Inc. data breach, Console & Associates, P.C. will investigate at no charge to you and offer advice on how to proceed. If you decide to pursue a case, rest assured that we don’t get paid unless you do. If your claim is successful, legal fees are either paid out of the funds recovered or by the defendant. If your claim is not successful, you pay nothing.
Below is a portion of the notice posted on their website:
Cerebral, Inc. is issuing a notice about a recently discovered issue related to inadvertent information sharing and the steps Cerebral has taken to address it. This notice was drafted in accordance with HIPAA disclosure requirements.
What Happened? Like others in many industries, including health systems, traditional brick and mortar providers, and other telehealth companies, Cerebral has used what are called “pixels” and similar common technologies (“Tracking Technologies”), such as those made available by Google, Meta (Facebook), TikTok, and other third parties (“Third-Party Platforms”), on Cerebral’s Platforms. Cerebral has used Tracking Technologies since beginning operations on October 12, 2019. Cerebral recently initiated a review of its use of Tracking Technologies and data sharing practices involving Subcontractors. On January 3, 2023, Cerebral determined that it had disclosed certain information that may be regulated as protected health information (“PHI”) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances.
What Information Was Disclosed? The information disclosed varied depending on what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies when the individual used our services, the data capture configurations of the Third-Party Platforms, how individuals configured their devices and browser, and other factors.
If an individual created a Cerebral account, the information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information.
If, in addition to creating a Cerebral account, an individual also completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information.
If, in addition to creating a Cerebral account and completing Cerebral’s online mental health self-assessment, an individual also purchased a subscription plan from Cerebral, the information disclosed may also have included subscription plan type, appointment dates and other booking information, treatment, and other clinical information, health insurance/pharmacy benefit information (for example, plan name and group/member numbers), and insurance co-pay amount.
Out of an abundance of caution, we are notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account. No matter how an individual interacted with Cerebral’s Platforms, the disclosed information did not include Social Security number, credit card information, or bank account information.
What We’ve Done and Are Doing. Upon learning of this issue, Cerebral promptly disabled, reconfigured, and/or removed the Tracking Technologies on Cerebral’s Platforms to prevent any such disclosures in the future and discontinued or disabled data sharing with any Subcontractors not able to meet all HIPAA requirements. In addition, we have enhanced our information security practices and technology vetting processes to further mitigate the risk of sharing such information in the future.
What Affected Individuals Can Do. We are not aware of any misuse of PHI arising from this incident. However, individuals can prevent the use of Tracking Technologies by blocking or deleting cookies or using browsers that support privacy-protecting operations, such as “incognito” mode. Individuals can also adjust privacy settings in Facebook, Google, and other platforms. Individuals may also wish to change their Cerebral user account password (and the use of that password for any other site if used a common password). It is also a best practice to monitor explanation of benefits, insurance member portal and other communications from health insurance providers to confirm that all charges are appropriate. Out of an abundance of caution, we are providing free credit monitoring and encourage individuals to remain vigilant against incidents of identity theft and fraud and review their account statements. Affected individuals are being provided with instructions to take advantage of the free credit monitoring and additional guidance to help them protect their information.
For More Information. Contact us at 800.785.8435 (toll-free) Monday through Friday from 8 am to 10 pm Central, or Saturday and Sunday from 10 am to 7 pm Central (excluding major U.S. holidays).