More than 3 million patients of the online virtual mental health platform Cerebral might have had protected health information shared outside the platform, according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). According to a notice listed on Cerebral’s website, “On January 3, 2023, Cerebral determined that it had disclosed certain information that may be regulated as protected health information (PHI) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances.”

The information that may have been shared includes patient names, phone numbers, email addresses, dates of birth, IP addresses, Cerebral client ID numbers, and more. This critical information may have been shared with Google, Facebook, TikTok, and other third-party platforms. Additionally, the notice mentions that if an individual created an account and completed any portion of the self-assessment, then the disclosed information may have also included assessment responses, certain associated health information, and which service the user chose. Furthermore, if an individual created an account, completed the self-assessment, and selected a subscription plan, the patient’s appointment information, treatment notes, and health insurance information may also have been disclosed. Cerebral’s notice did indicate that the disclosed information did not include bank account information, credit card information, or Social Security numbers.

Cerebral has used pixels and other tracking technologies since the platform started operating in October 2019. However, it wasn’t until a review of the tracking technologies’ use and data sharing practices that the company discovered that it had disclosed information considered PHI “without having obtained HIPAA-required assurances,” the organization says.