Aviso: *Privacidade não incluída neste produto
Feeling anxious, depressed, can't sleep? Cerebral says it can help you with a variety of plans that offer medication and management, medication and therapy, or just therapy. Hop on their website, create an account (there's no getting started without creating an account), take their questionnaire, and pay up. Off you'll go with a video or phone call with a mental health provider or a chat with a counselor. Cerebral even says you could get your medications within days. All this is well and good. What's not good AT ALL is the fact that Cerebral admitted to sharing the private personal health information of over 3.1 million patients with social media sites like Facebook and TikTok! That's not likely going to help your anxiety much.
O que pode acontecer se algo der errado?
We’d expect an app called “Cerebral” to be, uh, smarter about protecting your personal data. Especially because it handles protected health information covered by the US’s stronger health privacy law, HIPAA. So, being conscientious should be a no-brainer… Right? Cue the sad trumpet sound. The short answer is no.
Cerebral could go head-to-head with your doctor and your dog on the topic of intimate knowledge about you. Now, a lot of that information is given by you to get treatment, like your medical history, your Social Security number, and even your feelings – or “emotional characteristics” as their privacy policy puts it. And while it makes sense for them to have access to that in the context of care, handing it over means granting them a lot of trust. And considering earlier in 2023 Cerebral says they revealed that they shared the private mental health information of millions -- yes, millions, 3.1 million to be exact -- of their users, well, trust isn't something we'd say they are worthy of right now. As TechCrunch pointed out, according to a list put together by the U.S. Department of Health and Human Services, Cerebral's big data oopsy was the one of the largest breaches of Americans’ health data so far in 2023.
On top of what you tell them about yourself, Cerebral may collect information about how you use the services, like which products you’re using, when, and from what computer. Okay, if you must. But here’s where they may be getting a little greedy. Cerebral leaves the door open to collect information about you elsewhere, like social media sites and public sources, and combine it with what they already know about you. Plus, your lovely privacy researcher identified a heck of a lot of tracking going on, detecting 799 points of contact with different ad platforms during one minute of app activity. Why are you so obsessed with us, Cerebral?
They promise that the intimate knowledge will help them to “to better understand your interests and needs,” but it’s not clear whether that actually benefits you or not. They also mention “measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you” but that part definitely feels like that’s more like a benefiting-them-thing.
Here’s where we can share a little silver lining on an otherwise gray matter: they say that they “do not ‘sell’ your personal information and have not done so in the prior 12 months from the effective date of this Policy.” So your data’s not for sale! Not exactly cause for celebration, but we’ll take it.
Now scurrying back to the bad news. It’s worth mentioning that they’ve given themselves carte blanche to do what they want with your information so long as it’s de-identified or “no longer reasonably capable of being associated with you.” And we’ve got a two-pronged beef with that. The first is, studies have found “anonymized data” can be hard to make truly anonymous . But even if it was, most people probably don’t mean to agree to be a guinea pig when they click “accept” on a single checkbox as they’re signing up to seek help. Indeed, Cerebral says in their privacy policy that once they anonymize the data they can use it "for any purpose, including for research and marketing purposes, and we may also share such information for any purpose with any third parties, at our discretion." Uh..yikes.
So what if you change your mind and want to take back ownership of all that super-intimate information you shared with Cerebral? Well, it’s not clear whether all users have the right to have their data deleted. Indeed, if you don't live under stricter privacy laws like California's CCPA, you might be out of luck trying to get your data deleted according to Cerebral's privacy policy.
In Cerebral’s case, it’s not too tough to imagine what could go wrong when you share your most sensitive personal information with them -- it already happened when they admitted they shared millions of their customers personal information, including potentially some pretty sensitive mental health information, for their own marketing purposes without permission. Yup, that's bad.
Dicas para se proteger
- Do not give access to your photos and video
- Do not log in using third-party accounts
- Do not connect to any third party via the app, or at least make sure that a third party employs decent privacy practices
- Do not give consent for sharing of personal data for marketing and advertisement.
- Chose a strong password! You may use a password control tool like 1Password, KeePass etc
- Do not use social media plug-ins.
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible."
Pode me bisbilhotar?
Câmera
Dispositivo: Não aplicável
Aplicativo: Sim
Microfone
Dispositivo: Não aplicável
Aplicativo: Não
Rastreia localização
Dispositivo: Não aplicável
Aplicativo: Sim
O que pode ser usado para se inscrever?
Sim
Celular
Não
Conta de terceiros
Sim
Google sign-up available.
Que dados a empresa coleta?
Pessoal
Name, home and billing address, email address, and telephone number; demographic information such as date of birth, gender, race/ethnicity, location data
Relacionado ao corpo
Health-related information, such as information about your medical history, medical conditions, treatment options, physician referrals, prescriptions, lab results, lifestyle and personal preferences, health insurance information, or other related health information, such as your physical and emotional characteristics.
Social
Como a empresa usa esses dados?
Como você pode controlar seus dados?
Qual é o histórico conhecido da empresa na proteção de dados dos usuários?
In 2023 Cerebral admitted to sharing the private personal health information of over 3.1 million patients to social media sites such as Facebook and TikTok.
Informações de privacidade infantil
Este produto pode ser usado offline?
Informações de privacidade fáceis de entender?
Links para informações de privacidade
Este produto atende aos nossos padrões mínimos de segurança?
Criptografia
Senha forte
Atualizações de segurança
Gerencia vulnerabilidades
"Cerebral utilizes a vulnerability management process that leverages external vendor services, and a suite of security scanning and penetration testing tools to identify, validate, and prioritize remediation. If a vulnerability requiring remediation has been identified, it is logged and prioritized based on its severity, likelihood of risk, and impact.
If an individual has concerns they can be raised via phone (415-403-2156), in the patient and client portal, or to the Privacy or the Compliance functions of the company at [email protected] or [email protected]."
Política de privacidade
The company representative shared with us that "We use machine learning models in various areas of the product to improve patient outcomes from optimizing patient-clinician matching to identifying patients potentially in crisis. These models help the patient, clinician or our operations teams see the most relevant, actionable information in a timely manner. These models do not make any decisions for users and the internal models are not accessible or controlled by users."
Esta inteligência artificial não é confiável?
Que tipo de decisões a inteligência artificial faz sobre você ou por você?
A empresa é transparente sobre como funciona a inteligência artificial?
O usuário tem controle sobre os recursos da inteligência artificial?
Mergulhe mais fundo
-
Notice of HIPAA Privacy BreachCerebral
-
Cerebral admits to sharing patient data with Meta, TikTok, and GoogleThe Verge
-
Telehealth startup Cerebral shared millions of patients’ data with advertisersTechCrunch
-
Mental health startup exposes the personal data of more than 3 million peopleCNN
-
‘Shut it off immediately’: The health industry responds to data privacy crackdownPolitico
-
Mental health app privacy language opens up holes for user dataThe Verge
Comentários
Tem um comentário a fazer? Nos diga.