FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations

The Federal Trade Commission (FTC) has fined the mental health startup Cerebral $7.1 million for consumer privacy violations and deceptive trading practices. The $7.1 million financial penalty resolves allegations that the mental health telehealth company and its former CEO, Kyle Robertson, broke its privacy promise to consumers by impermissibly disclosing their sensitive personal and health information to third parties for advertising purposes, misled consumers about its cancellation process, and failed to protect sensitive health data. The proposed FTC order includes a requirement for Cerebral to refrain from disclosing consumers’ data to third parties for advertising purposes without consent and for the company to provide an easy way for consumers to cancel its services.

One of the most important factors for consumers when choosing a mental health care provider is privacy. Consumers need to be able to discreetly discuss highly sensitive mental health problems and be sure that the information disclosed is kept private and confidential. The FTC alleged that Cerebral claimed it provided safe, secure, and discreet services but failed to clearly inform consumers that their sensitive data would be shared with third parties. As a result of the information sharing, consumers could be targeted with advertisements related to the information they disclosed to Cerebral in confidence.

Cerebral had disclosed its data sharing practices in its privacy policies; however, those privacy policies were dense and the information about data sharing practices was deeply buried, making it likely that consumers would not see it. Further, Cerebral claimed in multiple places that it would not share consumer data with third parties for advertising purposes without their consent. According to the FTC complaint, Cerebral shared the sensitive data of almost 3.2 million consumers with third parties such as Snapchat, LinkedIn, and TikTok via tracking tools embedded in its websites and apps, which amounted to a deceptive business practice that violated the FTC Act.

The information disclosed to those third parties included names, addresses, email addresses, phone numbers, birth dates, IP addresses, medical and prescription histories, pharmacy and health insurance information, other types of health information, and other personal data such as religious and political beliefs and sexual orientation. That information was also available internally to Cerebral staff, with access to customer data not restricted to the employees who needed to view that information. Between May 2021 and December 2021, former employees could continue to access consumer information and the company failed to ensure that healthcare providers could only access their own patients’ records.

The FTC complaint alleged that Cerebral engaged in sloppy marketing practices. For instance, 6,000 postcards were mailed to patients without envelopes; the postcards included patients’ names and language that would reveal their diagnosis and treatment to others. Cerebral also used a Single Sign-on solution that exposed patient data to other patients when they signed into the patient portal at the same time.

The FTC also alleged that Cerebral and its CEO violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in unfair and deceptive practices regarding substance use disorder treatment services, and violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of its cancellation policies before charging consumers. The alleged deceptive practices started while Robertson was CEO and continued after his tenure.

The FTC order has yet to be approved by the U.S. District Court for the Southern District of Florida. If approved, in addition to the financial penalty and the ban on disclosing sensitive data for advertising purposes, Cerebral will be required to post a notice on its website alerting consumers about the FTC order, delete consumer data that is not being used for treatment, payment, or healthcare operations if users have not consented to other uses, provide consumers with a mechanism to request that their data be deleted, and adopt a data retention schedule.

The financial penalty includes $5.1 million to provide partial refunds to customers affected by its deceptive cancellation policies. A $10 million civil monetary penalty has also been imposed, which will be suspended after $2 million has been paid due to the inability of the company to pay the full amount.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

“Cerebral has been transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy,” explained Cerebral in a statement about the FTC order.

The post FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations appeared first on HIPAA Journal.

Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit

The San Francisco, CA-based law firm Orrick, Herrington & Sutcliffe has agreed to an $8 million settlement to resolve a class action lawsuit filed in response to a 2023 cyberattack and data breach.

In March 2023, the law firm, which specializes in helping companies that have experienced security breaches, suffered one of its own. On March 13, 2023, hackers were discovered to have gained access to its network, with the forensic investigation revealing they had access for around two weeks, between February 28 and March 13, 2023, before the intrusion was detected. The personal and protected health information of 637,620 individuals was compromised; however, it took months to determine how many individuals had been affected, with the last batch of notification letters mailed to affected individuals in January 2024. The affected individuals were offered two years of complimentary credit monitoring services.

A lawsuit was filed against Orrick, Herrington & Sutcliffe in the U.S. District Court for the Northern District of California shortly after the announcement about the breach. The lawsuit made several allegations, including the failure to secure its systems, the failure to prevent and stop the breach, the failure to detect the breach in a timely manner, and the failure to disclose the material fact that adequate system security measures were not in place to prevent data breaches. The lawsuit also alleged Orrick, Herrington & Sutcliffe did not honor repeated promises and representations to protect the information of the breach victims and failed to provide timely notifications. Several other lawsuits were filed over the breach that made similar claims, and they were consolidated into a single action – In re Orrick Herrington & Sutcliffe LLP Data Breach Litig.

The plaintiffs alleged they had been harmed by the data breach, including receiving a flood of spam emails and phone calls, actual and attempted identity theft, and other misuse of their personal information. Orrick, Herrington & Sutcliffe has denied liability and wrongdoing and said it regretted the inconvenience and distraction that the malicious incident caused. The proposed settlement was deemed to be reasonable and fair by class counsel and has received preliminary approval from the court. Under the terms of the settlement, class counsel may claim up to 25% of the settlement amount; after that amount, costs of up to $50,000, and $2,500 service awards for the lead plaintiffs have been deducted, the remainder of the settlement will cover claims from individuals affected by the data breach.

The settlement includes up to 5 hours of compensation for lost time at $25 per hour, reimbursement of up to $2,500 for unreimbursed out-of-pocket expenses, reimbursement of up to $7,500 for extraordinary losses such as identity theft and fraud, and three years of three-bureau credit monitoring services. California residents are entitled to a cash payment of $150. If class members choose not to submit a claim for lost time and reimbursement for out-of-pocket expenses and extraordinary losses, a claim may instead be submitted for a cash payment of $75.


Ransomware Attacks Reported by 4 Healthcare Providers

Ransomware attacks have been reported by Canopy Children’s Solutions, the Sleep Management Institute, the Epilepsy Foundation of Metro New York, and Hapy Bear Surgery Center.

Canopy Children’s Solutions

Mississippi Children’s Home Services, Inc., Mississippi Children’s Home Society, and CARES Center, Inc., which do business as Canopy Children’s Solutions, have notified 19,190 individuals about a ransomware attack that was detected on April 4, 2023.

Encrypted files were discovered on its systems, and the forensic investigation confirmed that an unknown threat actor accessed certain files on its network and may have exfiltrated some of those files on April 4, 2023. A comprehensive and time-consuming review was conducted to determine the individuals affected and the types of data involved, and that process was completed on October 13, 2023. It then took until March 8, 2024, to review and verify the affected information and obtain up-to-date contact information. Canopy said it was a time-intensive process as, “Canopy has different relationships with the potentially impacted individuals, such as an employer, health care provider or educator, that necessitated looking for addresses in several different databases.”

The information exposed varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, medical information, and health insurance information. Consumer notifications were mailed on April 11, 2024. The breach notice submitted to the Maine Attorney General indicates that 19,190 individuals were affected, including 5 Maine residents.

Sleep Management Institute

The Sleep Management Institute in Cincinnati, OH, has recently announced a ransomware incident that occurred on February 5, 2024. The investigation into the attack is ongoing; however, it has been confirmed that patient data was exposed in the attack. The forensic investigation confirmed that an unauthorized third party had access to its network between January 27, 2024, and February 6, 2024, and may have accessed some or all of the following:

Name, address, date of birth, Social Security Number or taxpayer identification number, driver’s license number or other government-issued identification number, passport number, financial account information, payment card information, username and other credential information, digital signature, biometric data, mother’s maiden name, IRS-issued pin number, clinical or treatment information, medical provider name(s), medical procedure information, health insurance information, prescription information, and any other information on an individual that was created, used, or disclosed in the course of providing health care services.

These types of information were exposed, but it has yet to be determined which specific types of information were exposed for each affected individual. Notification letters will be sent to all potentially affected individuals. In the interim, to meet breach reporting requirements, the HHS’ Office for Civil Rights has been notified that at least 500 individuals have been affected. The total will be updated when the actual number of affected individuals is known.

Steps taken in response to the incident to improve security include updates to network configurations and firewalls, the deployment of a 24/7 managed detection and response solution, adding content filtering on all devices, installing intrusion prevention systems and advanced malware protection to monitor and prevent malicious network traffic, and implementing a more secure VPN protocol.

The Epilepsy Foundation of Metro New York

The Epilepsy Foundation of Metro New York has fallen victim to a ransomware attack involving unauthorized access to and exfiltration of patient data. The forensic investigation confirmed that its electronic medical record system was not accessed in the attack; however, an unauthorized individual gained access to other systems on or around November 8, 2022, although it was not possible to tell whether the files containing patient information were accessed.

A review of the affected files was completed on October 12, 2023, and confirmed that they contained information such as names, Social Security numbers, dates of birth, individual medical information, driver’s license or other government IDs, and health insurance information. The breach was reported to the HHS’ Office for Civil Rights on April 8, 2024, and individual notification letters have now been sent. The OCR breach report indicates that 3,852 individuals were affected.

Hapy Bear Surgery Center

Hapy Bear Surgery Center, a pediatric dental clinic in Tulare, CA, has fallen victim to a cyberattack that affected the functionality and availability of some of its IT systems. The attack occurred on December 27, 2023, and the forensic investigation confirmed on March 8, 2024, that the threat actor responsible had access to files that contained patient data.

The review of the affected files was completed on March 19, 2024, and confirmed that full names, addresses, medical information, health insurance information, Social Security numbers, and driver’s license numbers had been exposed. While those types of data were exposed and may have been stolen, Hapy Bear Surgery Center is unaware of any actual or attempted misuse of the data.

In response to the attack, Hapy Bear Surgery Center replaced its firewall systems and engaged a managed cybersecurity services provider to oversee its digital environment. The affected individuals have now been notified and have been offered single bureau credit monitoring/single bureau credit report/single bureau credit score services at no cost. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many people have been affected.
