Beyond the Fine: What the FTC’s Crackdown on Cerebral Really Means for Healthcare Marketers
Telehealth company Cerebral recently made headlines for all the wrong reasons after the FTC slapped them with an eye-popping $7 million fine. And while it’s easy to fixate on that seven-figure loss, Cerebral has much more to lose than money over the years to come.
Cerebral, which provides online mental health services, was fined for sloppy data sharing and security practices that happened between 2019 and 2023. Here’s a rundown of the violations, according to the FTC’s complaint:
- Cerebral shared the sensitive data (including medical history) of 3+ million users with third parties, including TikTok, Google, Snapchat, and Meta via trackers on its website and app.
- Cerebral enabled former employees to access patients’ confidential medical records in 2021, while its patient portal “exposed confidential medical files” to other patients who were signed on at the same time.
- Cerebral violated its “cancel anytime” policy by making the process “complex, multi-step, and often multi-day,” according to the FTC.
Cerebral is now on the hook for more than $7 million in fines—but there’s plenty more for Cerebral to worry about besides the dent in their bank account. Let’s look at three actions the FTC is taking against Cerebral and the threat they pose over the long term.
3 Punishments That Will Impact Cerebral’s Bottom Line
The $7 million fine is only a small part of the story. Here are three penalties that will damage Cerebral’s reputation, which is much harder to recover than cash.
1. Permanent Ban On Using Data
The FTC permanently banned Cerebral from using and sharing their users’ personal and health information with third parties for marketing purposes. Additionally, the company will be required to gain consumers’ explicit consent before sharing that data with any outside parties.
Why It Hurts: Data is the lifeblood of advertising and marketing platforms. Even when you follow HIPAA protocol with those platforms, you still need to pass some data to optimize performance.
For example, say a podiatry service focusing on runners wants to use Facebook to reach potential patients in specific regions. By sharing data with Facebook from the initial ad campaign, the ad platform can fine-tune its targeting, showing ads to people most likely to book a consultation for custom orthotics, based on similarities with the initial group. This fine-tuning drives down advertising costs.
Without accurate data, or without data at all, advertising costs will soar, which in turn causes your customer acquisition cost to soar—and that’s unsustainable for any company.
In a real-world test, a nationwide dental system saw their cost-per-lead go up 8x after they tested using Facebook ads without passing any data. Keep in mind: this was an intentional test for a short time. Now imagine operating that way permanently—that’s the problem Cerebral will be stuck with.
2. Mandatory Website Notice About Privacy Violations
Cerebral is required to post a notice on its website admitting to visitors that they broke the law by sharing consumers’ personal information without their permission. Additionally, the notice outlines all the steps Cerebral has to take to resolve the scandal.
This is the telehealth equivalent of a restaurant being required to post an “F” grade from the health inspector in their window. (Luckily, Cerebral was allowed to bury the notice in the footer of their website.)
Why It Hurts: Cerebral’s brand trust got crushed by this punishment and will most likely stay in the gutter until the FTC gives them permission to remove the notice. Trust in healthcare (particularly mental healthcare) is priceless. If people trust an organization’s privacy policy, they’re more likely to trust the other interactions they have with the company and stick with them for the long haul.
In this sense, you can think of trust as a “daisy chain,” where each link represents a relationship built on trust: Any breach of trust can undermine confidence and erode patient-provider relationships. However, when trust is earned, it elevates the patient experience, strengthens provider-patient relationships, and contributes to the success of the organization.
It’s hard to see a way for Cerebral to earn it back any time soon—especially when the FTC specifically warns consumers to be skeptical.
3. Comprehensive Privacy Program Rollout
To address the problems outlined in the complaint, the FTC mandated that Cerebral implement a “comprehensive” privacy and data security program. According to the FTC’s official news release, the program requires Cerebral to “delete most consumer data not used for treatment, payment, or health care operations unless consumers consent to its retention, and provide consumers with a clear mechanism to request that their data be deleted.”
Cerebral will have to report annually on this program, and the company will be audited every two years for 20 years.
Why It Hurts: Cerebral had a chance to act on this matter way back in December 2022 when the US Department of Health and Human Services (HHS) released its original guidance on tracking technologies. Then they had a chance when the HHS fully approved privacy solutions (like Freshpaint) to solve the concerns they highlighted in their original guidance. Fast forward to 2024 and Cerebral looks sloppy for procrastinating on a pivotal issue for well over a year.
Cerebral’s Scandal Is a Wakeup Call for Healthcare Marketers
Cerebral and other healthcare companies have had more than enough time to solve their tracking technology problems—but they kicked the can down the road. Maybe they thought, or worse, maybe they didn’t even know they were supposed to do anything in the first place. Nevertheless, Cerebral has to grapple with a hefty fine, a loss of brand trust, and the inability to maximize the potential of ad platforms.
We get it—this isn’t the most uplifting story to read if you work in healthcare. But the good news is you don’t have to sacrifice patient privacy for high-performance marketing.
Take vybe urgent care for example. Using Freshpaint’s Healthcare Privacy Platform, vybe replaced its native web trackers with privacy-first technology, enabling vybe to collect data while letting them handpick what’s shared with ad platforms. This shift resulted in better ad performance while maintaining patient privacy.
“Taking a privacy-first approach with marketing is definitely still doable as long as you have a partner like Freshpaint to help you through the process,” says Andrew Lacomba, vybe urgent care’s Senior Marketing Manager.