FTC: Fines Cerebral for data breach

The US Federal Trade Commission (FTC) fined the mental health company Cerebral $7 million for the use and disclosure of personal data for advertising purposes.

"The Cerebral company and its former CEO, Kyle Robertson, have repeatedly failed to keep their promises to protect the privacy of people and their customers in deceptive tactics regarding service cancellation policies," the FTC said in a press release.

Despite claiming to offer "secure and discretionary" services to persuade consumers to sign up and share their data, the company did not make clear, according to the FTC, that their information would be shared with third parties for advertising purposes.

The agency accused the company of burying its data sharing practices within complicated privacy policies, and of deception for claiming that it would never share users' data without their consent.

The company allegedly shared the sensitive data of around 3.2 million consumers with third parties, including LinkedIn, Snapchat and TikTok. This was achieved by integrating monitoring tools into its websites and applications, configured to provide advertising and data analysis functions.

The information collected includes individuals' names, medical history, and home and email addresses, as well as telephone numbers, dates of birth, demographic details, IP addresses, information about pharmacies and health insurance, and other health-related data.

The FTC also charged Cerebral with failing to implement effective safeguards, allowing former employees to access users' medical data from May to December 2021. This happened through access methods that failed to guarantee the security of information, exposing patient data, and through a failure to restrict access to data strictly to those employees who needed it.

"Cerebral sent promotional cards to more than 6,000 patients, without placing them in envelopes. These cards directly expose patients' names and languages, potentially revealing their diagnosis and treatment to casual observers," the FTC said.

Under the order, which is under review by a federal court, the company is prohibited from using or disclosing the personal and health data of its customers to third parties for marketing purposes. In addition, it has been ordered to implement a rigorous program to ensure privacy protection and data security.

Cerebral was required to post a notice on its website informing users of the FTC's order, implement a data retention plan, and proceed to delete unnecessary consumer data that is not required for treatment, payment, or health care services unless explicit consent is obtained. The availability of a mechanism to allow users to delete their own data is also required.

This development comes just days after the FTC imposed a ban on Monument, a company specializing in alcohol rehabilitation treatment, prohibiting it from sharing personal health data with other platforms such as Google and Meta for advertising purposes without users' consent. The ban covers incidents that took place between 2020 and 2022, despite the claim that such data would be "100% confidential".

The New York-based company was instructed to inform users of the disclosure of their personal health information to third parties and to ensure the complete deletion of all data disclosed.

"Monument has failed to ensure compliance with its commitments by exposing user health data on advertising platforms, including particularly sensitive information that revealed clients seeking help to recover from alcohol addiction," the FTC said.

Last year, the FTC announced similar regulatory enforcement actions against healthcare providers such as BetterHelp, GoodRx and Premom. The offense involved sharing user data with third-party analytics companies and social networks without the prior consent of the users.

In addition, it warned Amazon against using patient data for marketing activities, following the completion of its $3.9 billion purchase of the member-based, physician-owned and operated primary care company One Medical.

Source: thehackernews

SecNews, https://secnews.gr