Cerebral, a mental health startup, admits it shared the private health data of over 3.1 million patients with Google, Meta and TikTok. In a notice posted on the company’s website, Cerebral admits to exposing a laundry list of patient data through the tracking tools it has been using as far back as October 2019.
The information affected by the oversight includes patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and more. It may even have exposed the answers clients filled out as part of the mental health self-assessment on the company’s website and app, which patients can use to schedule therapy appointments and receive prescription medication.
The shared information could vary from patient to patient
As noted by Cerebral, the exposed information could vary from patient to patient depending on several factors, including what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies, and more. The company says it will notify affected users, and adds that no matter how an individual interacted with Cerebral’s platform, it didn’t expose Social Security numbers, credit card numbers, or bank account information.
After initially finding the security hole in January, Cerebral says it has disabled, reconfigured, and/or removed any of the tracking pixels on the platform to prevent future exposures, and has enhanced its information security practices and technology vetting processes.