The U.S. Federal Trade Commission has reached a settlement with telehealth firm Cerebral in which the company will pay $7,000,000 over allegations of mishandling people's sensitive health data.
Cerebral is a remote telehealth company that provides online therapy and medication management for various mental health conditions, including anxiety, depression, ADHD, Bipolar Disorder, and substance abuse.
In March 2023, the company sent data breach notices to 3.2 million people who had interacted with its websites, applications, and services, informing them that their information had been exposed through tracking pixels used on its platform.
The FTC's complaint charges Cerebral and its former CEO, Kyle Robertson, with disclosing consumers' personal health information to third parties for advertising and with not adhering to its cancellation policies.
The FTC's announcement also lists alleged bad practices at Cerebral that resulted in varying levels of exposure of consumers' sensitive health data, including failure to revoke former employees' access to Cerebral patient records and failure to silo providers so that each could access only their own patients' records.
The agency also says the company used an insecure single sign-on method for access to the patient portal and failed to restrict employee access to only the data needed to carry out their job tasks.
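The access-control failures the complaint describes (stale accounts of former employees, providers able to reach records outside their own caseload, staff seeing more data than their role needs) are all variations of missing least privilege. The following Python is an added, constructed example and is not Cerebral's code or the FTC's; the patient IDs, roles, and field names are hypothetical. It shows one way an authorization layer enforces deprovisioning, provider-to-patient siloing, and per-role field filtering, and records every refused read as an audit signal that a detection team can alert on.

```python
"""Least-privilege checks for patient record reads.

Constructed example, not code from Cerebral or the FTC. It models the
three controls the complaint says were missing: deprovisioning former
employees, siloing providers to their own caseload, and limiting each
role to the fields its job needs.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a user may not read the requested record."""


@dataclass
class User:
    user_id: str
    role: str                                       # "provider", "billing" or "support"
    active: bool = True                             # set False at offboarding
    patient_ids: set = field(default_factory=set)   # providers only: assigned caseload


# Field-level least privilege: each role sees only what its job requires.
ROLE_FIELDS = {
    "provider": {"name", "diagnosis", "medications", "notes"},
    "billing":  {"name", "insurance_id"},
    "support":  {"name", "email"},
}

# Constructed sample records (hypothetical patients, not real data).
RECORDS = {
    "p-100": {"name": "Patient A", "email": "a@example.invalid", "insurance_id": "INS-1",
              "diagnosis": "anxiety", "medications": ["med-1"], "notes": "weekly session"},
    "p-200": {"name": "Patient B", "email": "b@example.invalid", "insurance_id": "INS-2",
              "diagnosis": "depression", "medications": ["med-2"], "notes": "new intake"},
}

# Audit trail of refused reads: (user_id, patient_id, reason). A spike here is
# the signal worth alerting on, e.g. a deactivated account still trying to log in.
DENIED = []


def authorize(user, patient_id):
    """Return the set of fields `user` may read for `patient_id`, or raise AccessDenied."""
    if not user.active:
        DENIED.append((user.user_id, patient_id, "inactive account"))
        raise AccessDenied(f"{user.user_id}: account has been deprovisioned")
    fields = ROLE_FIELDS.get(user.role)
    if fields is None:
        DENIED.append((user.user_id, patient_id, "unknown role"))
        raise AccessDenied(f"{user.user_id}: role {user.role!r} has no record access")
    # Siloing: a provider only reaches patients on their own caseload.
    if user.role == "provider" and patient_id not in user.patient_ids:
        DENIED.append((user.user_id, patient_id, "patient not assigned"))
        raise AccessDenied(f"{user.user_id}: {patient_id} is not on your caseload")
    return fields


def read_record(user, patient_id):
    """Read a record, returning only the fields the caller is authorized to see."""
    fields = authorize(user, patient_id)
    if patient_id not in RECORDS:
        raise KeyError(patient_id)
    return {k: v for k, v in RECORDS[patient_id].items() if k in fields}


def offboard(user):
    """Revoke access at the authorization layer, not just by disabling a login."""
    user.active = False
    user.patient_ids.clear()


if __name__ == "__main__":
    dr = User("u-1", "provider", patient_ids={"p-100"})
    print(read_record(dr, "p-100"))      # diagnosis visible, insurance_id filtered out
    try:
        read_record(dr, "p-200")         # not on caseload: refused and logged
    except AccessDenied as e:
        print("denied:", e)
    offboard(dr)
    try:
        read_record(dr, "p-100")         # former employee: refused and logged
    except AccessDenied as e:
        print("denied:", e)
    print(DENIED)
```

The design point is that the check happens at read time against the current state of the account and caseload, so removing a provider or reassigning a patient takes effect immediately rather than depending on someone remembering to delete a login, and the `DENIED` list gives the security operations side something concrete to monitor.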
The terms of the settlement include:
- Refund of $5,100,000 to customers who were impacted by deceptive cancellation practices.
- A $10,000,000 civil penalty, limited to $2,000,000 due to Cerebral's inability to pay the full amount.
- Permanent ban on sharing health data with third parties for marketing and advertising purposes.
- Requirement to obtain consent from consumers before disclosing their personal and health data to any third parties.
- Prohibition on Cerebral misrepresenting its data security and privacy practices.
- Implementation of a comprehensive data security and privacy program.
- Posting a notice on its website detailing the complaint and required actions.
- Implementation of a data retention schedule, deletion of unnecessary consumer data unless consumers consent to its retention, and provision of a clear data deletion request mechanism.
- Prohibition on misrepresenting cancellation policies, and simplification of the cancellation process for consumers.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 16 Apr 2024 21:40:33 +0000