Behavioral telehealth company Cerebral will pay over $7 million of a $15 million settlement to resolve an investigation by the Federal Trade Commission into its privacy practices.
Under a proposed settlement, the company will pay $5.1 million to provide refunds to customers, and a $10 million civil penalty. Cerebral is unable to pay the full $10 million, so the agency will suspend the payment after it pays $2 million.
In an April 15 news release, the FTC said Cerebral failed to disclose how it distributed members' data to third-party platforms and did not provide members with a straightforward way to cancel their subscriptions.
The FTC alleges that Cerebral provided sensitive health information from over 3 million members to LinkedIn, TikTok, Snapchat and other parties by embedding tracking in the site. Cerebral also failed to secure customer's health data in several ways the FTC alleged, using unsafe marketing practices, allowing former employees to access protected data and using insecure access methods.
As part of the proposed settlement, the company will be prohibited from using personal or health information for marketing purposes.
"Cerebral violated its customers' privacy by revealing their most sensitive mental health conditions across the Internet and in the mail," FTC Chair Lina Khan said in the news release. "To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes."
The FTC is also investigating former Cerebral CEO Kyle Robertson. The agency alleges Mr. Robertson directed the company's data security practices and instructed staff to remove buttons that made it easier to cancel services. The settlement does not resolve allegations against Mr. Robertson, which will be settled in court, according to the FTC. The former CEO left the company in 2022.
In a statement, Cerebral said it has "agreed to implement enhanced consumer protection, privacy, and compliance measures to further protect the personal information of our clients, increase transparency into our data practices, and implement enhanced data security protocols and tools to allow our clients control over their privacy settings."
"The settlement allows Cerebral to move forward with a continued focus on our mission of building a new era of mental healthcare with a safe and secure platform for our clients. We look forward to continuing to be a trusted provider of high-quality mental health care to all those who need it most," the company said.