The Federal Trade Commission (FTC) has ordered Cerebral, Inc. to restrict how the company can use or disclose sensitive consumer data and require it to provide consumers with a simple way to cancel services. The order is designed to settle FTC charges that the telehealth firm failed to secure and protect sensitive health data.

Under the proposed order, filed by the Department of Justice upon notification and referral from the FTC, Cerebral will also be required to pay more than $7 million over charges that it disclosed consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes and failed to honor its easy cancellation promises. The order must be approved by the court before it can go into effect.

Cerebral provides online mental health and related services on a negative option basis, which means consumers are automatically charged unless they cancel those services. Consumers who sign up and use the company’s services provide detailed personal data including their home and email addresses, birthdates, medical and prescription histories, payment account or driver license numbers, as well as information about their treatment plans, pharmacy and health insurance plans, and other personal data, such as their religious or political beliefs, or sexual orientation.

The complaint charges that Cerebral and its former CEO repeatedly broke their privacy promises to consumers and misled them about the company’s cancellation policies. The complaint also charges that Cerebral violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in unfair and deceptive practices with respect to substance use disorder treatment services.

To get consumers to sign up for the company’s services and provide detailed personal data, the company claimed it offered “safe, secure, and discreet” services and that users’ data would be kept confidential, according to the complaint. The complaint charges that Cerebral failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising and buried disclaimers about its data sharing practices in dense privacy policies. In fact, according to the complaint, the company claimed in many instances that it would not share users’ data for marketing purposes without obtaining consumers’ consent.

Specifically, the complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps. These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps. Through the use of tracking tools, Cerebral gave third parties personal data about its users including names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information, according to the complaint.

The complaint says that Cerebral also failed to deploy adequate safeguards for the sensitive data collected from consumers and engaged in sloppy security practices. As described in the complaint, Cerebral’s practices included:

• Engaging in careless marketing: Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards.
• Allowing former employees to access user data: From May to December 2021, the company failed to block former employees from accessing confidential electronic medical records of Cerebral patients. It also failed to ensure providers only accessed their patients’ records.
• Using insecure access methods: The company used a single sign-on method for accessing its patient portal that in numerous instances exposed confidential medical files and patient information such as diagnoses, medications, email addresses and phone numbers, to other patients when those users signed onto the portal at the same time.
• Failing to implement adequate policies and training: The company failed to restrict access to consumer data to only those employees who needed it, implement proper procedures and training related to the handling of sensitive data, and develop and implement adequate information security standards, policies, and procedures.

In addition to its privacy and data security failures, the complaint alleges that Cerebral also violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of Cerebral’s cancellation policies before charging consumers. Despite promising that consumers could “cancel anytime,” Cerebral required its clients to navigate a complex, multi-step, and often multi-day process to cancel. The complaint alleges that the company continued to charge consumers while it slow-walked consumers’ cancellation requests, which cost consumers millions in additional charges.

Under the proposed order, Cerebral will pay nearly $5.1 million, which will be used to provide partial refunds to consumers impacted by its deceptive cancellation practices, as well as a $10 million civil penalty, which will be suspended after a $2 million penalty payment due to the company’s inability to pay the full amount. The proposed order also will:

• Permanently ban Cerebral from using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes, and generally require the company to obtain consumers’ consent before disclosing such information to outside parties.
• Prohibit the company from misrepresenting its privacy and data security practices.
• Require the company to implement a comprehensive privacy and data security program that, among other things, addresses the specific problems outlined in the complaint.
• Require the company to post a notice on its website alerting users to the allegations outlined in the complaint and detail the steps it is required to take under the order.
• Require the company to implement a data retention schedule and to delete most consumer data not used for treatment, payment, or health care operations unless consumers consent to its retention, and provide consumers with a clear mechanism to request that their data be deleted.
• Prohibit the company from misrepresenting any negative option and cancellation policies or practices and also require it to provide consumers with an easy method to cancel services.