Virtual mental health platform Cerebral has admitted to mishandling sensitive data it gathered from its patients, sending much of it to advertisers. As part of the settlement announced by the Federal Trade Commission (FTC), the company will pay a $7.1 million fine and make it easier for its users to cancel its services.
A total of $5.1 million from the fine will be used to give partial refunds to those who used Cerebral but had trouble canceling their memberships as a result of what the FTC calls “deceptive” practices. When members of the Cerebral platform attempted to cancel, the complaint alleges, they were “slow-walked” and ultimately billed for “millions in additional charges.”
While the company has agreed to the settlement, Cerebral’s co-founder and former CEO Kyle Robertson has not, opting to potentially face his own charges. The FTC said Robertson had “extensive personal involvement” in crafting the policies mentioned in the complaint, and most of the unlawful practices occurred while he was serving as CEO.
“When it first implemented an easier cancellation button in April 2020, the company removed it after only two weeks at Robertson’s direction after seeing cancellations rise,” the FTC wrote.
Mental health data exploited for social media ads
Despite billing itself as a “safe, secure and discreet” virtual mental health provider, Cerebral failed to properly disclose the data sharing to its patients, the FTC said. In total, regulators said Cerebral sent names, medical histories, IP addresses and more personally identifiable information on 3.2 million users to social media platforms, where the data was used for targeted advertising.
Patient engagement practices at Cerebral also allegedly violated consumer rights and their expectation of privacy. The complaint states Cerebral’s employees were given extensive access to user data, and promotional marketing materials were sent directly to patients, some of which were postcards that prominently displayed their diagnoses.
“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the internet and in the mail,” FTC Chair Lina Khan said in the statement. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes."
The proposed order will permanently ban Cerebral from sharing sensitive patient data with advertisers. Additionally, they will be required to change their cancellation policy and implement a “comprehensive privacy and data security program.”
Self-reported shadiness
In an uncommon twist, the initial investigation into the company began in 2022 when Cerebral reported itself to regulators. That move coincided with Robertson leaving the company.
In its own statement, Cerebral said the settlement “allows Cerebral to move forward with a continued focus on our mission of building a new era of mental healthcare with a safe and secure platform for our clients.”
Cerebral is still allowed to provide services for a wide range of conditions—including anxiety, depression, post-traumatic stress disorder and serious mental illness—within the new guidelines set by the FTC and U.S. Department of Justice (DoJ).
The $7.1 million fine imposed by the FTC initially exceeded $10 million. However, according to the complaint, the company was unable to afford the penalty. The DoJ has filed the settlement agreement with the courts, but it will not be finalized until a judge signs off.