
[Image: Cerebral logo] (Cerebral, n.d.-a)
One-sentence summary:
Cerebral's use of third-party tracking technologies potentially exposed the PII and PHI of over 3.1 million registered users and patients to advertisers, beginning in October 2019.
Who was involved?
Cerebral, Inc. and 3,179,835 Cerebral patients and users (HHS, 2023).
What was the timeline?
October 12, 2019: Cerebral begins using "Tracking Technologies" that expose patients' PHI.
January 3, 2023: Cerebral realizes that its advertising technologies had been exposing PHI for years.
March 1, 2023: Cerebral begins notifying patients/users and reports the breach to HHS.
What occurred?
In October 2019, Cerebral integrated "Advertising Technologies", including tracking pixels and other advertising technologies used by "Google, Meta (Facebook), [and] TikTok" (Cerebral, n.d.-b, p. 1). As a result, the PHI of 3.1 million patients and the PII of registered users were exposed to advertisers and other third parties. The affected PII/PHI included: "name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information", "the service the individual selected, assessment responses, and certain associated health information," and "subscription plan type, appointment dates and other booking information, treatment, and other clinical information, health insurance/ pharmacy benefit information (for example, plan name and group/ member numbers), and insurance co-pay amount" (Cerebral, n.d.-b, p. 1).
Estimated costs:
Potential breach notification costs, 12 months of Experian IdentityWorks℠ for affected individuals, and a Monday-to-Friday call center.
Involved laws:
Federal: HIPAA and HITECH.
California: CCPA and Cal. Civ. Code § 1798.29(a)
Root cause:
Voluntary business practices and/or misconfiguration: embedded third-party advertising and tracking technologies.
Lessons learned:
Conduct in-house and independent risk and GRC assessments of advertising practices, together with thorough compliance audits and privacy assessments. A complementary approach is to assess risk along the enterprise's established data flows: advertising is an outbound data flow and therefore a potential privacy risk. Breaches at major corporations continue to result from misconfiguration, which makes regular, rigorous auditing a necessity.
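As an added example (not from Cerebral or any of the cited sources), the following Python audit implements the kind of outbound-data-flow check described above: it parses a page's HTML and reports every element that loads from, or bootstraps, one of the ad-tech vendors named in the notice. The vendor hostnames, inline markers and the sample page are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory of tag endpoints for the vendors named in the notice (Google,
# Meta, TikTok). The hostnames are an assumption; extend the dict to your own inventory.
AD_TECH_HOSTS = {
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "analytics.tiktok.com": "TikTok Pixel",
}
# Inline bootstrap calls that start the same tags without an external src attribute.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "ttq.load(": "TikTok Pixel"}

class TrackerAuditor(HTMLParser):
    # Records every element that loads from, or bootstraps, a known ad-tech vendor.
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def _add(self, vendor, via, url):
        finding = {"vendor": vendor, "via": via, "url": url}
        if finding not in self.findings:  # script bodies can arrive in several chunks
            self.findings.append(finding)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = self._in_script or tag == "script"
        src = a.get("href") if tag == "link" else a.get("src")  # link: preconnect/prefetch
        host = urlparse(src).hostname if src else None  # None for first-party relative URLs
        if host in AD_TECH_HOSTS:
            self._add(AD_TECH_HOSTS[host], f"<{tag}>", src)
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            for marker, vendor in INLINE_MARKERS.items():
                if marker in data:
                    self._add(vendor, "inline script", None)

def audit_html(html):
    # Return the ad-tech findings for one HTML document, in document order.
    auditor = TrackerAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: first-party logo, inline Meta Pixel bootstrap, Google Tag
# Manager loader, and the pixel's <noscript> fallback image. Expect three findings.
SAMPLE_PAGE = """<html><head>
<script>fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
</head><body><img src="/static/logo.png" alt="logo">
<noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView"/></noscript>
</body></html>"""
```

Running `audit_html(SAMPLE_PAGE)` lists the inline Meta Pixel bootstrap, the Google Tag Manager loader and the pixel fallback image, while the first-party logo is not reported.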
Sources:
Cerebral. (n.d.-a). Cerebral_Logo.jpg. PR Newswire. https://mma.prnewswire.com/media/1758736/Cerebral_Logo.jpg?p=facebook
Cerebral. (n.d.-b). Notice of HIPAA Privacy Breach. In Cerebral. Retrieved March 11, 2023, from https://cerebral.com/static/hippa_privacy_breach-4000c6eb21449c2ecd8bd13706750cc2.pdf
FINAL BREACH NOTIFICATION LETTER 3.1.2023.pdf. (2023). In Submitted Breach Notification Sample. State of California Department of Justice. Retrieved March 11, 2023, from https://oag.ca.gov/system/files/FINAL%20BREACH%20NOTIFICATION%20LETTER%203.1.2023.pdf
HHS. (2023, March 1). Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health & Human Services – Office For Civil Rights. Retrieved March 11, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf