Data leak
Cerebral Mental Health Data Shared with Meta and Google - 3.1 Million Patients
Incident Details
Cerebral, a telehealth company specializing in mental health services (particularly ADHD and anxiety/depression treatment), disclosed in March 2023 that it had shared sensitive patient data with Meta, Google, TikTok, and other third-party advertising and analytics platforms from October 2019 through January 2023. Approximately 3.18 million patients were affected. The data shared included names, phone numbers, email addresses, dates of birth, IP addresses, Cerebral client ID numbers, URLs of pages visited, and, critically, information about patients' mental health conditions, medications prescribed, and appointment details. Mental health data is among the most sensitive categories of personal health information, as its exposure can lead to discrimination, stigma, employment consequences, and relationship harm.

Cerebral filed a HIPAA breach report with HHS for the incident. The company also faced a DEA investigation related to over-prescription of controlled substances (a separate matter). Cerebral notified affected users and updated its privacy practices to remove tracking pixels.

The Cerebral breach, alongside the GoodRx FTC action and multiple hospital/health system Meta Pixel investigations, prompted the HHS Office for Civil Rights to issue explicit guidance in December 2022 warning that tracking technologies on healthcare websites that transmit PHI to third parties may violate HIPAA, clarifying a legal gray area that many health tech companies had exploited. The combined Cerebral and GoodRx cases substantially reshaped how health tech companies approach advertising technology.
Technical Details
- Initial Attack Vector
- Third-party tracking pixels: Cerebral used Meta Pixel, Google Analytics, TikTok Pixel, and other advertising trackers on its website and app; these trackers automatically captured and transmitted sensitive mental health information, medication details, and personal identifiers to advertising platforms
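As an added example (not Cerebral's code or data), the following Python audit walks an outbound-request log from a health site, flags every call to a known advertising or analytics endpoint, and lists the parameters that look like health or identity fields, which is the kind of check that would have surfaced the pixel transmissions described above. The endpoint list, the sensitive-field pattern and the log lines are constructed assumptions.

```python
"""Audit outbound requests from a health site for third-party tracker
calls carrying patient-identifying or health-related fields.
The endpoint list, field pattern and sample log are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical advertising/analytics endpoints to flag (assumption).
TRACKER_HOSTS = {
    "www.facebook.com": "Meta Pixel",
    "connect.facebook.net": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "analytics.tiktok.com": "TikTok Pixel",
}
# Parameter keys or values that suggest PHI or direct identifiers.
SENSITIVE = re.compile(
    r"(condition|diagnos|medicat|prescri|appoint|dob|birth|email|phone|name)",
    re.IGNORECASE)
LOG_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)$")  # "<ts> <method> <url>"


def audit_tracker_requests(log_lines):
    """Return one finding per request to a tracker host, listing the
    parameter keys whose key or value matches the sensitive pattern."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, do not abort the audit
        ts, _method, url = m.groups()
        parts = urlsplit(url)
        vendor = TRACKER_HOSTS.get(parts.hostname)
        if vendor is None:
            continue  # first-party or unknown host, not a tracker hit
        leaked = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if SENSITIVE.search(k) or SENSITIVE.search(v)]
        findings.append({"time": ts, "vendor": vendor,
                         "path": parts.path, "sensitive_params": leaked})
    return findings


SAMPLE_LOG = [  # constructed sample traffic, not real data
    "2023-01-15T10:02:01Z GET https://www.facebook.com/tr?id=1&ev=PageView"
    "&cd[condition]=anxiety&cd[medication]=sertraline",
    "2023-01-15T10:02:02Z POST https://www.google-analytics.com/collect"
    "?v=1&t=event&ec=appointment_booked&el=2023-01-20",
    "2023-01-15T10:02:03Z GET https://portal.example/api/profile",
    "2023-01-15T10:02:04Z GET https://analytics.tiktok.com/i18n/pixel/events"
    "?event=ViewContent&email=jane%40example.com",
]

if __name__ == "__main__":
    for f in audit_tracker_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['vendor']} {f['path']} -> {f['sensitive_params']}")
```

The same function can be pointed at a browser HAR export or a proxy log once the lines are normalised to the "timestamp method url" shape the regex expects.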
Timeline
- 2019-10-01 Breach occurred
- 2023-03-06 Publicly disclosed
- 2023-03-06 Customers notified