Cerebral logo

Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million

The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive consumer data, as well as require it to provide consumers with a simple way to cancel services.

After a data breach in 2023 Cerebral disclosed that it had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 2019.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the combined information of all these pixels potentially provides a company with an almost complete picture of your browsing behavior and a lot of information about you.

The FTC statement claims that by using these tracking pixels, which are invisible to the website visitor unless they look at the underlying code, Cerebral provided the sensitive information of nearly 3.2 million consumers to these third parties.

The complaint points out that to get consumers to sign up for Cerebral’s services and to provide detailed personal data, the company claimed to offer “safe, secure, and discreet” services, saying that users’ data would be kept confidential.

Also, according to the complaint, the company specifically claimed in many instances that it would not share users’ data for marketing purposes without obtaining people’s consent.

Many organizations are unclear about how much information the social media companies behind the tracking pixels can gather. In the Notice of HIPAA Privacy Breach Cerebral disclosed that the following data were potentially exposed:

  • Full name
  • Phone number
  • Email address
  • Date of birth
  • IP address
  • Cerebral client ID number
  • Demographic information
  • Self-assessment responses and associated health information
  • Subscription plan type
  • Appointment dates
  • Treatment details and other clinical information
  • Health insurance/pharmacy benefit information

Among other penalties, Cerebral has to refund $5.1 million to customers who were impacted by deceptive cancellation practices and pay a $10 million civil penalty, limited to $2 million due to Cerebral’s inability to pay the full amount.

The number of breaches concerning health information is shocking. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the US Department of Health and Human Services Office for Civil Rights publishes a list of breaches that reveal unsecured protected health information affecting 500 or more individuals.

We have reported about similar cases that involved tracking pixels. Research done by TheMarkup in June of 2022 showed that Meta’s pixel showed up on the websites of 33 of the top 100 hospitals in America.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.