Healthcare startups are scrambling to reassess how their websites and apps are built, and how third parties may, inadvertently or not, be putting patients’ protected health information at risk.
In March, U.S. mental health startup Cerebral admitted it shared the private health information of more than 3 million users with Facebook, Google, TikTok and other ad giants via so-called tracking pixels. These near-invisible bits of code are typically embedded in web pages to share information about users’ activity, often for analytics. Cerebral said these trackers inadvertently collected sensitive user data since it began operating in October 2019.
In its disclosure to the U.S. Department of Health and Human Services (HHS), Cerebral said that following a review of its code, it “determined that it had disclosed certain information that may be regulated as protected health information under [the Health Insurance Portability and Accountability Act],” or HIPAA, as it’s commonly referred to. This information included patients’ phone numbers, IP addresses, insurance information, mental health assessment responses and associated clinical data.
This data lapse is the third-largest breach of health data in 2023, according to the HHS, which is investigating the breach. However, while Cerebral’s lapse ranks among the most serious and damaging, the breach is just one of many currently being investigated by HHS — and this list is likely to grow.
More casualties
Last year, a joint investigation by STAT and The Markup found that dozens of hospital websites and telehealth startups were sharing patients’ medical information with advertisers and tech giants.