Cerebral

Warning: *Privacy Not Included with this product


Review date: April 25, 2023


Mozilla says

People voted: Super creepy

Feeling anxious, depressed, can't sleep? Cerebral says it can help you with a variety of plans that offer medication and management, medication and therapy, or just therapy. Hop on their website, create an account (there's no getting started without creating an account), take their questionnaire, and pay up. Off you'll go with a video or phone call with a mental health provider or a chat with a counselor. Cerebral even says you could get your medications within days. All this is well and good. What's not good AT ALL is the fact that Cerebral admitted to sharing the private personal health information of over 3.1 million patients with social media sites like Facebook and TikTok! That's not likely going to help your anxiety much.

What could happen if something goes wrong?

We’d expect an app called “Cerebral” to be, uh, smarter about protecting your personal data. Especially because it handles protected health information covered by the US’s stronger health privacy law, HIPAA. So, being conscientious should be a no-brainer… Right? Cue the sad trumpet sound. The short answer is no.

Cerebral could go head-to-head with your doctor and your dog on the topic of intimate knowledge about you. Now, a lot of that information is given by you to get treatment, like your medical history, your Social Security number, and even your feelings – or “emotional characteristics” as their privacy policy puts it. And while it makes sense for them to have access to that in the context of care, handing it over means granting them a lot of trust. And considering that earlier in 2023 Cerebral revealed that they shared the private mental health information of millions -- yes, millions, 3.1 million to be exact -- of their users, well, trust isn't something we'd say they are worthy of right now. As TechCrunch pointed out, according to a list put together by the U.S. Department of Health and Human Services, Cerebral's big data oopsy was one of the largest breaches of Americans’ health data so far in 2023.

On top of what you tell them about yourself, Cerebral may collect information about how you use the services, like which products you’re using, when, and from what computer. Okay, if you must. But here’s where they may be getting a little greedy. Cerebral leaves the door open to collect information about you elsewhere, like social media sites and public sources, and combine it with what they already know about you. Plus, your lovely privacy researcher identified a heck of a lot of tracking going on, detecting 799 points of contact with different ad platforms during one minute of app activity. Why are you so obsessed with us, Cerebral?

They promise that the intimate knowledge will help them “to better understand your interests and needs,” but it’s not clear whether that actually benefits you or not. They also mention “measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you,” but that part definitely feels more like a benefiting-them thing.

Here’s where we can share a little silver lining on an otherwise gray matter: they say that they “do not ‘sell’ your personal information and have not done so in the prior 12 months from the effective date of this Policy.” So your data’s not for sale! Not exactly cause for celebration, but we’ll take it.

Now scurrying back to the bad news. It’s worth mentioning that they’ve given themselves carte blanche to do what they want with your information so long as it’s de-identified or “no longer reasonably capable of being associated with you.” And we’ve got a two-pronged beef with that. The first is that studies have found “anonymized data” can be hard to make truly anonymous. But even if it was, most people probably don’t mean to agree to be a guinea pig when they click “accept” on a single checkbox as they’re signing up to seek help. Indeed, Cerebral says in their privacy policy that once they anonymize the data they can use it "for any purpose, including for research and marketing purposes, and we may also share such information for any purpose with any third parties, at our discretion." Uh... yikes.

So what if you change your mind and want to take back ownership of all that super-intimate information you shared with Cerebral? Well, it’s not clear whether all users have the right to have their data deleted. Indeed, if you don't live under stricter privacy laws like California's CCPA, you might be out of luck trying to get your data deleted according to Cerebral's privacy policy.

In Cerebral’s case, it’s not too tough to imagine what could go wrong when you share your most sensitive personal information with them -- it already happened when they admitted they shared millions of their customers' personal information, including potentially some pretty sensitive mental health information, for their own marketing purposes without permission. Yup, that's bad.

Tips to protect yourself

- Do not give access to your photos and video
- Do not log in using third-party accounts
- Do not connect to any third party via the app, or at least make sure that a third party employs decent privacy practices
- Do not give consent for sharing of personal data for marketing and advertisement.
- Choose a strong password! You may use a password manager like 1Password, KeePass, etc.
- Do not use social media plug-ins.
- Use your device privacy controls to limit access to your personal information via the app (do not give access to your camera, microphone, images, or location unless necessary)
- Keep your app regularly updated
- Limit ad tracking via your device (e.g. on iPhone go to Privacy -> Advertising -> Limit ad tracking) and on the biggest ad networks (for Google, go to your Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible.


Can it snoop on me?

Camera

Device: N/A

App:

Microphone

Device: N/A

App: No

Tracks location

Device: N/A

App:

What can be used to sign up?

Google sign-up available.

What data does the company collect?

How does the company use this data?

We ding this product as it may be combining collected data with data from third parties including advertisers.

"We may collect information about you if you use any of the other websites we operate or the other services we provide. We may collect information from public sources, advertisers, partners, and other third parties (such as third party intermediaries, including Providers and the Pharmacies). We may also collect information about you through a social media or other third-party account, such as Facebook or Google."

"We may use the information we collect in the following ways:
In accordance with applicable legal requirements, advertise and market our Services and those of our third-party partners to you, including on third-party websites (subject to any opt-out preferences you have communicated to us).
To personalize the Services, including engaging in analysis and research regarding use of the Services to better understand your interests and needs and measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you."

"Based on our understanding of the definition of “sell,” we do not “sell” your personal information and have not done so in the prior 12 months from the effective date of this Policy. "

"We have no control over how any third-party site uses or discloses the personal information it collects about you. We may combine information we receive from social media services and other sources with other information we collect from and about you."

"We may engage third parties to serve tailored advertisements for our Services on our behalf on third-party websites and applications. You have certain choices about how your information is used for this purpose."

How can you control your data?

It is not clear if all users, regardless of location, can get their data deleted.

"Depending on your jurisdiction of residence, you may have certain rights to access, delete, or correct your information. Your rights will be subject to applicable exceptions, and we will need to verify your identity before processing your request. If you would like to submit a request relating to your data, please email us at [email protected]."

"We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, as necessary for our legitimate business interests, to resolve disputes, and to enforce our agreements."

What is the company’s known track record of protecting users’ data?

Needs improvement

In 2023 Cerebral admitted to sharing the private personal health information of over 3.1 million patients to social media sites such as Facebook and TikTok.

Child privacy information

"Our Services are not directed to children under the age of eighteen (18) without parental consent. We do not knowingly collect information for individuals under the age of 18 (including, for children under the age of 13, “personal information” as defined in the U.S. Children’s Online Privacy Protection Act) without the verifiable consent of that child’s parent or guardian. If we learn that we have received any information for an individual under the age of 18, we process and delete that information as required by applicable law. If you are aware of a child providing personal information to us without parental consent, please contact us using the information below."

Can this product be used offline?

No

Is the privacy information easy to understand?

No

Links to privacy information

Does this product meet our Minimum Security Standards?

Encryption

Strong password

Security updates

Manages vulnerabilities

"Cerebral utilizes a vulnerability management process that leverages external vendor services, and a suite of security scanning and penetration testing tools to identify, validate, and prioritize remediation. If a vulnerability requiring remediation has been identified, it is logged and prioritized based on its severity, likelihood of risk, and impact.

If an individual has concerns they can be raised via phone (415-403-2156), in the patient and client portal, or to the Privacy or the Compliance functions of the company at [email protected] or [email protected]."

Privacy policy

Does the product use AI?

The company representative shared with us that "We use machine learning models in various areas of the product to improve patient outcomes from optimizing patient-clinician matching to identifying patients potentially in crisis. These models help the patient, clinician or our operations teams see the most relevant, actionable information in a timely manner. These models do not make any decisions for users and the internal models are not accessible or controlled by users."

Is this AI untrustworthy?

Can’t determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t determine

Does the user have control over the AI features?

N/A


Dive deeper

  • Notice of HIPAA Privacy Breach
    Cerebral
  • Cerebral admits to sharing patient data with Meta, TikTok, and Google
    The Verge
  • Telehealth startup Cerebral shared millions of patients’ data with advertisers
    TechCrunch
  • Mental health startup exposes the personal data of more than 3 million people
    CNN
  • ‘Shut it off immediately’: The health industry responds to data privacy crackdown
    Politico
  • Mental health app privacy language opens up holes for user data
    The Verge
