About

Important information

• Government Actions:

  Government Action: BBB reports on known government actions involving business’ marketplace conduct:

  FTC vs Cerebral
  Cerebral, Inc. has agreed to an order that will restrict how the company can use or disclose sensitive consumer data and require it to provide consumers with a simple way to cancel services to settle Federal Trade Commission charges that the telehealth firm failed to secure and protect sensitive health data.
  
  Under the proposed order, filed by the Department of Justice upon notification and referral from the FTC, Cerebral will also be required to pay more than $7 million over charges that it disclosed consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes and failed to honor its easy cancellation promises. The order must be approved by the court before it can go into effect.
  
  “As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes."
  
  Cerebral provides online mental health and related services on a negative option basis, which means consumers are automatically charged unless they cancel those services. Consumers who sign up and use the company’s services provide detailed personal data including their home and email addresses, birthdates, medical and prescription histories, payment account or driver license numbers, as well as information about their treatment plans, pharmacy and health insurance plans, and other personal data, such as their religious or political beliefs, or sexual orientation.
  
  The complaint charges that Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy promises to consumers and misled them about the company’s cancellation policies. The complaint also charges that Cerebral and Robertson violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in unfair and deceptive practices with respect to substance use disorder treatment services.
  
  To get consumers to sign up for the company’s services and provide detailed personal data, the company claimed it offered “safe, secure, and discreet” services and that users’ data would be kept confidential, according to the complaint. The complaint charges that Cerebral failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising and buried disclaimers about its data sharing practices in dense privacy policies. In fact, according to the complaint, the company claimed in many instances that it would not share users’ data for marketing purposes without obtaining consumers’ consent. The complaint alleges that these practices originated under the direction of its former CEO, Robertson, and continued after his tenure.
  
  Specifically, the complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps. These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps. Through the use of tracking tools, Cerebral gave third parties personal data about its users including names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information, according to the complaint.
  
  The complaint says that Cerebral, and Robertson, while he was CEO, also failed to deploy adequate safeguards for the sensitive data collected from consumers and engaged in sloppy security practices. As described in the complaint, Cerebral’s practices included:
  
  Engaging in Careless Marketing: Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards;
  Allowing Former Employees to Access User Data: From May to December 2021, the company failed to block former employees from accessing confidential electronic medical records of Cerebral patients. It also failed to ensure providers only accessed their patients’ records;
  Using Insecure Access Methods: The company used a single sign-on method for accessing its patient portal that in numerous instances exposed confidential medical files and patient information such as diagnoses, medications, email addresses, and phone numbers, to other patients when those users signed onto the portal at the same time; and
  Failing to Implement Adequate Policies and Training: The company failed to restrict access to consumer data to only those employees who needed it, implement proper procedures and training related to the handling of sensitive data, and develop and implement adequate information security standards, policies, and procedures.
  In addition to its privacy and data security failures, the complaint alleges that Cerebral also violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of Cerebral’s cancellation policies before charging consumers. Despite promising that consumers could “cancel anytime,” Cerebral required its clients to navigate a complex, multi-step, and often multi-day process to cancel. The complaint alleges that the company continued to charge consumers while it slow-walked consumers’ cancellation requests, which cost consumers millions in additional charges. When it first implemented an easier cancellation button in April 2020, the company removed it after only two weeks at Robertson’s direction after seeing cancellations rise, according to the complaint.

  Click here for details
• Pending Government Action:

  Government Action: BBB reports on known government actions involving business’ marketplace conduct:

  NY AG vs Cerebral
  New York Attorney General Letitia James today secured more than $740,000 from Cerebral, an online mental health provider, for maintaining a long and burdensome cancellation process and continuing to charge consumers after they tried to cancel. An investigation by the Office of the Attorney General (OAG) found Cerebral required subscribers to cancel by email, but then required consumers to take additional steps and wait as long as a week for their cancellation request to be processed. The investigation also revealed that Cerebral manipulated online reviews by asking its employees to submit positive reviews and hide negative reviews. Today’s agreement requires Cerebral to pay more than $540,000 in restitution to more than 16,500 affected consumers and stop its deceptive and burdensome tactics. Eligible consumers will be refunded in the original form of payment they used and do not need to take action to receive a refund.
  
  “Making New Yorkers withstand stressful and extended delays to cancel a subscription for mental health care coverage is unacceptable,” said Attorney General James. “It is illegal and unfair to make consumers spend extra time or jump through hoops to try to cancel a subscription they no longer need. The law is clear that companies must make it easy and simple to end a subscription and my office will continue to hold them to that standard.”
  
  Cerebral is an online telehealth company that provides consumers with mental health treatment on a subscription fee basis. Cerebral’s subscriptions provided consumers with access to virtual appointments with different types of providers, including licensed therapists, counselors, coaches, and individuals who are duly licensed and can prescribe medication. The OAG opened an investigation into Cerebral’s cancellation practices after consumers reported that they could not cancel their subscriptions.
  
  The OAG’s investigation found that Cerebral informed subscribers they could cancel by email, but then made subscribers take a number of additional steps, such as completing a multi-question survey, before processing the cancellation. Cerebral had the ability to cancel subscriptions with the click of a button, however it allowed itself up to 72 hours to finalize cancellations – and at times took a week or more. The company used the extra time to contact subscribers with multiple retention offers to try and convince them not to cancel. When Cerebral’s delay straddled a consumer’s billing date, Cerebral charged the consumer for another month of service. The OAG’s investigation also found that Cerebral charged consumers for its mental health treatment services, even when it had no providers available to provide the treatment.
  
  The investigation also revealed that the company illegally directed its employees to manipulate online reviews of its services by anonymously posting fake reviews and by “upvoting” positive reviews or “downvoting” negative ones. Employees were also instructed to contact customers directly and ask them to remove negative reviews, and to tell them, “We wouldn’t want anything online to deter someone from seeking mental health care and that’s really why we ask people if they are willing to” edit or remove the review.
  
  Shortly after OAG commenced its investigation into the company, Cerebral started improving its cancellation process, including creating a “click-to-cancel” process and implementing other recommendations made by OAG regarding disclosure and refunds. Cerebral is also committing not to make more than one attempt to retain subscribers once they have indicated an intent to cancel.
  
  Today’s agreement requires Cerebral to pay $200,000 in penalties and $540,162 in restitution, which will be distributed to 16,552 New York consumers who continued to be charged after submitting a cancellation request, or who canceled having never met with any provider.  Cerebral is required to pay restitution directly to consumers within 90 days, by crediting the payment account originally used for the subscription.  Consumers entitled to restitution do not need to take any action in order to receive the payment. 

  Click here for details