In a significant development for digital health privacy and consumer protection, telehealth provider Cerebral, Inc. has agreed to settle Federal Trade Commission (FTC) charges regarding its data handling practices. The proposed order, which requires court approval, includes monetary penalties and new restrictions on the company's use of consumer health data for advertising purposes.
Background and Allegations
The FTC's complaint targeted Cerebral and its former CEO for violations of consumer privacy and protection laws. The company, which provides online mental health services, allegedly mishandled sensitive health information of approximately 3.2 million consumers while failing to honor its privacy promises and cancellation policies.
Key Privacy Violations
The FTC's complaint alleged multiple privacy violations that raise concerns about patient confidentiality in digital healthcare. The allegations are particularly noteworthy given the sensitive nature of mental health services and the vulnerable status of many patients seeking treatment. The alleged lapses spanned the patient journey, from data collection to storage and sharing. As with any settlement, these are allegations that Cerebral resolved without a finding of liability.
Data Sharing with Third Parties
Despite promising "safe, secure, and discreet" services, Cerebral allegedly shared sensitive user information with third parties, including LinkedIn, Snapchat, and TikTok, through tracking tools embedded in its website and apps. This shared data included:
Medical and prescription histories
Personal identification information
Pharmacy and health insurance details
Other sensitive health information
Security Failures
The complaint outlined several concerning security practices:
Mailing promotional postcards without envelopes, with text that revealed the recipient's diagnosis
Failing to revoke former employees' access to medical records
Using insecure single sign-on methods that exposed patients' confidential information
Lacking adequate data security policies and employee training
Consumer Protection Issues
The FTC also alleged violations of the Restore Online Shoppers' Confidence Act (ROSCA) regarding Cerebral's cancellation practices. Despite advertising "cancel anytime" policies, the company allegedly implemented a complex, multi-step cancellation process that resulted in continued charges to consumers. When an easier cancellation option was briefly implemented, it was allegedly removed at the former CEO's direction after he observed an increase in cancellations.
Settlement Terms
The proposed order includes several notable provisions across three key areas: financial penalties, data protection requirements, and consumer rights. On the financial front, Cerebral will pay $5.1 million to fund refunds to affected consumers. Additionally, while the civil penalty was set at $10 million, the company will pay $2 million, with the remainder suspended because it demonstrated an inability to pay the full amount.
The data protection requirements target the company's privacy practices directly. Cerebral is barred from disclosing consumer health information for most advertising and marketing purposes and must implement a comprehensive privacy and security program. The company must obtain consumers' affirmative express consent before disclosing their health information to third parties, limit how long it retains that data, and provide a clear mechanism for consumers to request deletion.
To address consumer rights violations, the settlement mandates operational changes. Cerebral must streamline its service cancellation procedures and maintain transparency about its practices. The company is required to post a notice on its website informing users about the FTC's allegations and outlining the steps being taken under the order. Furthermore, the settlement explicitly prohibits any misrepresentation of privacy and cancellation policies, ensuring greater accountability in consumer communications.
Implications for the Digital Health Industry
This settlement provides important guidance for privacy practices in digital health. The FTC's prohibition on using health information for advertising purposes, while specific to this case, may indicate the Commission's perspective on the use of sensitive health data for marketing. Healthcare providers, particularly in the digital space, should consider these requirements when evaluating their own data handling practices.
Closing Remarks
This enforcement action highlights the need for digital health companies to ensure their marketing practices align with their privacy promises. Digital health companies should review their tracking tools and third-party data sharing arrangements, particularly when handling sensitive health information.
Additionally, for subscription-based services, digital health companies should ensure their cancellation processes are as straightforward as advertised.
Lastly, digital health companies should ensure their privacy and security measures extend beyond written policies to practical safeguards: access that is revoked promptly when employees leave, sign-on methods that do not expose one patient's records to another user, and communications, including physical mail, that do not reveal health information to anyone but the patient.
The information provided is for general informational purposes only and is not intended and should not be construed as legal advice or opinion for any individual matter. You should consult your own attorney for any legal advice you may require.
If you would like to learn how Caruso Law can assist you, reach out to schedule a complimentary consultation using the contact form or by emailing venus@carusolawoffice.com.