Last month, the Federal Trade Commission (“FTC”) announced its enforcement action against telehealth firm Cerebral, Inc. (“Cerebral”) for its alleged unauthorized disclosures of consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes, in violation of the FTC Act.  The complaint also alleges that Cerebral violated the Opioid Addiction Recovery Fraud Prevention Act (“OARFPA”) and the Restore Online Shoppers’ Confidence Act (“ROSCA”), which permit the court to order permanent injunctive relief, civil penalties, and other monetary relief for actions in violation of specific sections of the FTC Act, the OARFPA, and the ROSCA.  According to the proposed order, Cerebral must pay more than $7 million in civil penalties and consumer refunds.  In addition, Cerebral will be banned from using or disclosing consumers’ personal and health information (including online identifiers, such as IP addresses or other persistent identifiers) for advertising and must obtain consumers’ affirmative express consent before disclosing such information to outside parties.

Below is a discussion of the complaint and proposed order.

Complaint

Cerebral is a telehealth platform that sells subscription services offering online health care treatment, such as mental health treatment and/or medication management services, through websites and mobile apps.  According to the complaint, Cerebral routinely “collected and stored personal health information (“PHI”) and other sensitive information of consumers seeking treatment,” such as names, addresses, birth dates, demographic information, IP addresses, medication histories, and treatment plans, among other information.  Per the complaint, Cerebral misrepresented the extent to which, and the purposes for which, it used and disclosed patients’ personal information; mishandled and exposed hundreds of thousands of patients’ personal information; and failed to provide patients with a simple means to cancel their subscriptions and stop recurring charges.  The FTC also emphasized that Cerebral did not appropriately inform consumers about the company’s information practices, including during Cerebral’s registration process, but rather offered hyperlinks to its privacy policy and telehealth consent in small print and buried key information regarding the company’s data sharing terms within its lengthy and dense privacy policy.

In addition to other allegations, the complaint alleges:

  • Cerebral failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising.  Cerebral utilized tracking tools (e.g., pixels) that collected and sent patients’ PHI to third parties, who used the PHI to provide advertising, data analytics, or other services to Cerebral.  The data Cerebral sent included consumers’ contact information, persistent identifiers, information about consumers’ activities while using Cerebral’s website and/or apps, and medical or mental health information disclosed by users when filling out Cerebral’s mental health questionnaire or engaging with its website in ways that demonstrated interest in particular services and treatments.  Per the complaint, Cerebral shared the sensitive information of nearly 3.2 million consumers with third-party media and advertising platforms by using or integrating tracking tools on its website or apps.
  • Cerebral failed to deploy adequate safeguards for the sensitive data collected from consumers and engaged in “sloppy security practices.”  For example, the complaint alleges Cerebral failed to block former employees from accessing confidential electronic medical records of patients and failed to ensure only the patients’ providers accessed patient records.
  • Cerebral sent more than 6,000 promotional materials to patients in the form of a postcard—rather than within an envelope—that included names and addresses of patients in treatment, and language that reasonably indicated diagnosis, treatment, and a relationship with Cerebral, thereby revealing patients’ private, HIPAA-protected status.
  • Cerebral sold its subscription services on a negative option basis, meaning a consumer’s silence (i.e., failure to cancel an agreement) was treated as consent to be charged for goods or services.
  • Cerebral violated ROSCA by failing to clearly disclose all material terms of its cancellation policies before charging customers and failing to obtain consumers’ express informed consent before charging their financial institution accounts for products or services.

The complaint also charges Cerebral’s former CEO, Kyle Robertson, alleging that he had “extensive personal involvement” in the teams and practices that led to the enforcement.  However, according to the FTC’s announcement, Robertson “has not agreed to a settlement and the charges against him will be decided by the court.”

Proposed Order

The proposed order, among other requirements, will:

  • Prohibit Cerebral from using “Covered Information” for advertising, marketing, promoting, offering, offering for sale, or selling any products or services on, or through websites, mobile apps, or other platforms, including those of a third party.  Covered Information is broadly defined to include personal information, individually identifiable health information, and persistent identifiers (e.g., IP address, device ID), among other data types.  Past orders generally banned companies from using “Health Information” for advertising purposes, which the FTC defined more narrowly to include individually identifiable information relating to the past, present, or future physical or mental health or conditions of an individual, or “Covered Information” to the extent it would be used for targeted advertising.  Here, the proposed order appears to prohibit Cerebral from using any personal identifiers for a larger pool of advertising activities.
  • Require that Cerebral delete all consumer personal and health information and any product (e.g., models, tools) derived therefrom that has not been collected for treatment, payment, or health care operations unless Cerebral obtains affirmative express consent from the consumer for such retention.
  • Require Cerebral to implement a data retention schedule and provide consumers with a clear mechanism to request their data be deleted.
  • Prohibit Cerebral from misrepresenting any negative option and cancellation policies or practices and require it to provide consumers with an easy method to cancel services.
Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.

Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.