
Cerebral Telehealth Meta Pixel Privacy Investigation

The Lyon Firm is investigating the Cerebral, Inc. telehealth website for the use of data tracking technology and potential health privacy violations.

Cerebral has acknowledged, in a HIPAA breach notice posted on its site, that the information of over 3 million individuals may have been disclosed. Tracking technologies used by the company are allegedly to blame.

According to a recent investigation published on The Markup website, popular telehealth websites, including Cerebral, have allegedly been using data tracking tools and sharing users' medical and personal information with Facebook and other big tech companies.

Private information entered on telehealth websites like Cerebral may be transmitted to tech companies by tracking code embedded in the site, without the user's knowledge or consent.

The Markup reported that 49 direct-to-consumer telehealth companies had third-party tracking code on their sites, with the potential to share data with third parties. The study follows another privacy report that found many U.S. healthcare systems using tracking code on their patient web portals.

In many cases, user answers to medical questionnaires regarding health conditions, medical histories, and drug use were sent to big tech firms. Dozens of the telehealth websites shared email addresses, phone numbers, and full names.

Information collected by some of the websites was sent to Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest, possibly for future use in targeted advertising.

Can I Sue Cerebral for HIPAA Violations?

The Lyon Firm is still investigating whether any of the data collection was unlawful. Remote healthcare providers that qualify as HIPAA-covered entities may disclose protected health information only as the HIPAA Privacy Rule permits.

The HHS Office for Civil Rights has stated that the use of third-party tracking code on a health website violates HIPAA if that code collects and transfers protected health information (PHI) to a third party, unless the third party qualifies as a business associate of the covered entity.

Some telehealth websites are not themselves bound by HIPAA, but more often the information collected through them is passed on to HIPAA-covered entities. Scrambling to protect themselves, some companies have begun removing tracking technology from their websites while they review the legality of their practices.

Some healthcare systems have added these tracking technologies to their websites to improve the user experience, while others may be benefiting financially.

The central question is one of transparency: many users are unaware that the information they provide directly, through answers on web forms and medical questionnaires, can be shared with other companies.

It is also unclear to consumers how the big tech companies use the transferred data, though there are some obvious theories. Meta has been named a defendant in several privacy lawsuits, some of which allege health data has been used to serve targeted advertising.

Experts have said new regulation is needed because existing privacy laws like HIPAA were not written with telehealth companies like Cerebral in mind, leaving large gaps in the law.


The HIPAA Breach Notification Rule requires covered entities to notify affected individuals of a breach "without unreasonable delay" and in no case later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to the Secretary of Health and Human Services within that same 60-day window.

Consumer privacy attorneys say there has been a trend among HIPAA-regulated entities to wait as long as possible before alerting affected individuals, a practice that places consumers at a higher risk of identity theft and fraud.

In many cases, data breach notifications have been sent out many months after a security incident was detected. There may be valid reasons for a delay in reporting, but in some cases the delay constitutes a severe disservice to those affected by a data theft event.

Delayed individual notifications can mean that a person's protected health information (PHI) has been in the hands of criminals for many months before they are even aware of the theft.

Privacy lawyers say that promptly sending individual data breach notification letters and being transparent about the fraud risk to individuals is not only ethical, but also the only reliable way to avoid stiff penalties.

HHS has made clear that healthcare entities that fail to comply with the 60-day deadline from the date of breach discovery may be liable for notification violations.

If you have reason to believe your personal information has been compromised by Cerebral or another telehealth website, contact the Lyon Firm to discuss your personal privacy and potential legal action.