The Federal Trade Commission (FTC) recently filed a proposed decision and order (Proposed Order) that, if approved, will settle claims brought in a complaint (Complaint) against telehealth provider Cerebral, Inc. (Cerebral) and its former CEO for alleged wrongful use and disclosure of users' personal health information (PHI), including addiction treatment information. The Complaint asserts that Cerebral violated both Section 5 of the FTC Act and Section 8023(a) of the Opioid Addiction Recovery Fraud Prevention Act of 2018 by engaging in deceptive acts or practices, and also violated Section 4 of the Restore Online Shoppers' Confidence Act, which generally prohibits online sales through "negative option marketing" (i.e., interpreting a consumer's silence as acceptance of an offer). With respect to deception, Cerebral allegedly misrepresented its privacy and security practices. As for negative option marketing, Cerebral allegedly made it "complicated, challenging, and frustrating for users to try to cancel—flouting Cerebral's assurance to users that they would be able to 'cancel anytime.'"
The Proposed Order follows the FTC's recent action against Monument, Inc., another telehealth company that the FTC alleged wrongfully shared users' PHI with third-party advertising platforms. The Proposed Order would impose on Cerebral a first-of-its-kind prohibition on the use or disclosure of a wide array of health information for most advertising purposes.
Cerebral's Alleged Misrepresentations
The FTC grounded its claims that Cerebral engaged in "deceptive and unlawful" practices on alleged misrepresentations by Cerebral regarding its sharing with third parties users' PHI and other personal information. Specifically, the FTC cited statements in Cerebral's account-creation workflow, blog posts, successive iterations of its online privacy policy, and a notice of privacy practices of a Cerebral affiliate (an entity covered under the Health Insurance Portability and Accountability Act (HIPAA)) that allegedly failed to reveal that Cerebral would disclose users' PHI to third parties for advertising purposes without consent. For example, the FTC pointed to the statement in Cerebral's privacy policy that only "non-personal information or aggregate information" would be disclosed through tracking pixels, and that Cerebral would not use PHI for marketing without user consent. And the FTC suggested that, overall, Cerebral's privacy policy lacked the transparency consumers need, noting that the policy was at one point "over seven single-spaced pages in length" and eventually "ballooned to fifteen single-spaced pages."
With respect to data security, the FTC alleged that Cerebral's Telehealth Informed Consent screen misleadingly promised users that their data would be secure and that Cerebral complies with HIPAA. The Complaint also asserted deception in Cerebral's advertising, which promised that the company would keep user treatments and information "confidential," "secure," "safe," and "private," through "the latest information security technology."
Privacy and Security Practices
The FTC alleged that Cerebral's representations described above were misleading because, in fact, the company disclosed a wide range of PHI (e.g., mental health information, prescription history, pharmacy and health insurance information, treatment appointment dates) to third parties via tracking pixels and other third-party tracking tools integrated into Cerebral's websites and apps, each without user consent. According to the Complaint, the recipient third parties would then analyze the PHI for Cerebral for targeted advertising on social media and search engines, again without user consent.
The FTC further alleged that Cerebral failed to live up to its assurances that it would keep secure its users' PHI and other personal information. For example, in 2021, unauthorized individuals allegedly accessed 880 patients' electronic medical files. In another instance, Cerebral allegedly allowed former employees and contractors to view users' confidential medical records without authorization for several months — including 10 weeks when Cerebral already knew of the security lapse. Further, the FTC alleged that Cerebral used a single sign-on method for its patient portal that allowed users to view other users' medical information. The FTC alleged other data security failures by Cerebral, including making medical records accessible to non-essential individuals and failing to implement adequate information security training.
Relief in Proposed Order
Under the Proposed Order, Cerebral will face a US$7 million penalty and will be required, among other things, to implement a comprehensive privacy and information security program, to refrain from making any further misrepresentations, and to undertake biennial third-party information security assessments. And the Proposed Order, if executed, will "permanently" restrain and enjoin Cerebral from using or disclosing certain personal information, including PHI, for certain advertising purposes or for any third party's purposes. The Proposed Order provides no exception for Cerebral obtaining users' consent for such disclosures; they are simply prohibited. This is an extraordinary measure, and it appears such a remedy may become a powerful enforcement tool of the FTC.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.