Holy crap. Sometimes I see headlines like this and then the details aren't all that bad. This one is all that bad.
They gave it all away. They do call it "inadvertent" though.
"The information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information. The information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information, subscription plan type, appointment dates and other booking information, treatment, and other clinical information, health insurance/pharmacy benefit information (for example, plan name and group/member numbers), and insurance co-pay amount."
Because Cerebral is a telehealth startup and handles confidential patient data, it’s considered a company covered under the U.S. health privacy law known as HIPAA. According to a list of health-related security lapses under investigation by the U.S. Department of Health and Human Services, which oversees and enforces HIPAA, Cerebral’s data lapse is the second-largest breach of health data in 2023.
> Cerebral’s data lapse is the second-largest breach of health data in 2023.
We're not even three full months into 2023, and this is the second biggest? I can't even comprehend how anybody thought this was a good idea.
Really thinking that basing our economy's primary motivator on human greed isn't doing us many favors right now, not when it's so easy for bad actors to out-earn any and all penalties.
> I can't even comprehend how anybody thought this was a good idea.
Oh, it's easy. Advertisers showed people millions of dollars. The people in charge were quickly convinced of the "need" for patients to consent to having their medical information sold to the highest bidder.
More accurately, their own corruption exposed the corruption already present in others. It just needed the right opportunity to hatch. Live for money, die by money.
(Generally speaking, it's quite common for most of us to think highly of ourselves and our moral character ("I'm a good person. I'm not Hitler!"), but under the right circumstances, many (but not all) of us would discover the flaws in our own hearts. A routine examination of conscience, and refinement or correction of defects in the conscience, is enormously helpful and essential to leading a life of moral excellence and virtue.)
This is not new -- in the 1980s I recall the story of a sales agent who figured out that radio station license renewal or sale was subject to strict conditions as part of protecting market areas. So when a radio station was approaching an FCC license deadline, this sales agent discovered that pre-bidding on the license before the legal renewal started, and then pre-selling that license to interested parties as if they had control of it, was very profitable; rinse, repeat. A sales boiler room was set up in Florida and stations across the USA got the treatment. Everyone gets paid.
When sleepy enforcement caught up, the guy terminated all his willing sales guys with some cash to be quiet, and literally hid in his sister-in-law's basement for more than two years, with lots of money to pay bills.
IMO, the problem is that they no longer have to hide. They pay a pittance of a fine (usually a pittance because the fine amount is static and set a decade+ ago) and keep right on doing it.
Believe it or not, I think putting white collar criminals in prison for lengthy sentences would dissuade them. Imagine if we were learning this news alongside pictures of the CEO, CFO and some board members in handcuffs being perp walked out of the office? The next start up would think way harder about security.
Society would need to agree on the seriousness of the crime of selling personal information. Is it as serious as selling drugs? A burglary? Rape? Do you think the majority of Americans would share your opinion on the matter? Keep in mind the US incarceration rate is one of the highest in the world.
And this one deserves (in my opinion) to be punished more harshly than other things which today are already punished (you mention selling drugs, which is way better morally). The amount of people damaged by this privacy infringement is quite high.
Any attempt to answer that would heavily depend on how a "victim" is defined in each case.
Are people who attempted to opt out of online tracking, but got tracked anyway[0] victims? That's probably less severe than this case where a company sold health information, but it's definitely illegal in the EU and likely at least a deceptive business practice in other jurisdictions.
Are people who buy drugs and harm themselves by overdosing or spending all their time intoxicated victims? If the person is an adult and the drug is alcohol, that's not even illegal most places.
Are victims of secondary crimes victims of the illegal drug trade, of drug prohibition itself, or simply of the secondary crime? One could easily make a case for any of those.
One definition of victimhood could be how much a person has suffered as a result of the crime. I'd say if someone has lost their job because of the data leak, or had their identity stolen with actual serious financial consequences, they are a victim.
True, a lot of people are victims of their own stupid decisions. A society should still try to reduce the likelihood of the stupid decisions, especially when there are obvious bad actors actively trying to increase such likelihood.
But your approach requires us to wait for something bad to happen to someone else before forming an opinion. Why exactly should people whose privacy has been violated have to be sacrificed further before any value is assigned to their privacy? We can use retroactive data to estimate the downside risk.
When measuring a large scale crime like that of Cerebral, the number of victims is as important as the magnitude of the impact. There were 3.1 million victims. Stealing a dollar each from 3.1 million people would get the kind of law enforcement response that stealing $3.1M does even though the individual impact of that crime is virtually nil.
> Stealing a dollar each from 3.1 million people would get the kind of law enforcement response that stealing $3.1M does even though the individual impact of that crime is virtually nil
That's an interesting question whether it's fair to treat it this way. I can see valid arguments on both sides.
The people affected by the drug trade are not affected by the act of selling drugs but by secondary crimes (which arise because selling drugs is illegal and vendors cannot take advantage of the legal framework).
Also the people affected by this incident alone number in the millions.
The harm of data loss is entirely the harm caused by secondary bad actors.
No one's life is directly injured because of a data leak. It's just data, it is entirely inert on its own. Their life is injured entirely because of what third parties do with that data.
If data leaked and there were no bad actors in the world, there would be zero harm.
As a sibling comment to mine points out, people who "die or have their life destroyed" is simply one way to define victim in this context.
With mental health data being at stake here, the number of victims under this definition could also very well be non-zero.
Anyway, there are a lot of crimes that don't produce those kinds of victims. If I mug someone and don't kill them or destroy their life in the process, have I not committed a crime?
The privacy infringement here is an obvious damage to the dignity of everyone affected.
Wouldn't you feel victimized if I listened in on you speaking with your doctor, wrote everything down, stamped your name, address, and date of birth on it and started giving out copies of the resulting paper to random people? Which is exactly what's happening here, except my example is more harmless by a factor of a few million people and has a lot fewer data points.
> Wouldn't you feel victimized if I listened in on you speaking with your doctor, wrote everything down, stamped your name, address, and date of birth on it and started giving out copies of the resulting paper to random people?
I would. I would also feel victimized if you mugged me (without killing me or hurting me physically). The question we are debating here is - should you be punished equally harshly in these two scenarios? I'm leaning towards "no". If you disagree I would like to understand your reasoning.
A doctor who reveals some information on one of their patients should be treated less harshly than a mugger of one person.
A mugger who robs ten people should be treated more harshly than a mugger who robs one person.
A doctor/company who reveals thousands of patients' information can reasonably be treated more harshly than a mugger of ten people, because the absolute negative impact may be greater.
OK, this is a good point. Still, you're comparing an act of hurting people to an act of potentially hurting people. An investigation into the harm done by private data sales would be helpful.
Why are we trying to mash everything down to a one-dimensional ranking? Over simplification can be as deceptive as over-complication.
A breach of one's personal data is clearly less severe than a violent attack upon one's person. But the former could enable the latter (eg if information were purchased by a stalker). And it certainly increases the base level of risk from fraud and adversarial commercial contact (secretly exploiting knowledge of a target to manipulate them into a purchase/sale decision).
Now scale the individual loss up by huge numbers of people, and consider what incentives led to the information security failure. While it's sometimes practical to remediate individual losses of privacy, at scale future injuries are virtually assured. It seems to me that this warrants an application of strict liability principles.
As for restitution, in my view not only should injured parties be compensated in cash (and much more of it), but they should also be granted, individually or by proxy, partial ownership of the offending firm; that is, existing investors should have the value of their asset significantly diluted. The loss of personal security should be reflected in a loss of financial security to the asset holders.
You make good points, and I actually agree with your suggestions. My original concern was not so much about what constitutes a "fair punishment" in this particular case, but about how this crime is being perceived by our society, and especially how it is perceived by society (i.e. an average American) when compared to some other crimes. I'm more interested in higher level questions: How do we decide on the severity of a crime? Who should decide that?
I'm guessing a similar argument was made in support of the "war on drugs". Many drug dealers have been punished harshly. 50 years later, nothing has changed.
The war on drugs was perpetuated by the Nixon and Reagan administrations to criminalize being antiwar and being black. Do you think that is what is happening here?
I strongly suspect the war on drugs was initiated mainly because drugs were ruining many lives (just like they do today), and that selling illegal drugs was perceived by the majority of population as a crime deserving a harsh punishment.
Your ignorance is a problem we simply don't have time to address here. Luckily, we don't need to base reality off of your strong suspicions since we have direct quotes from the Nixon administration.
“The Nixon Campaign in 1968, and the Nixon White House after that, had two enemies: the antiwar Left, and Black people. You understand what I’m saying? We knew we couldn’t make it illegal to be either against the war or Black. But by getting the public to associate the hippies with marijuana and Blacks with heroin, and then criminalizing both heavily, we could disrupt those communities. We could arrest their leaders, raid their homes, break up their meetings and vilify them night after night on the evening news. Did we know we were lying about the drugs? Of course we did.” - Lee Atwater
Well, your ignorance is a problem we can address here. Please read the entirety of the Wikipedia article [1], specifically:
The veracity of the quote has been questioned by Ehrlichman's family, while Vox senior correspondent German Lopez has suggested that Ehrlichman was either wrong or lying. According to Lopez:
But Ehrlichman's claim is likely an oversimplification, according to historians who have studied the period and Nixon's drug policies in particular. There's no doubt Nixon was racist, and historians told me that race could have played one role in Nixon's drug war. But there are also signs that Nixon wasn't solely motivated by politics or race: For one, he personally despised drugs – to the point that it's not surprising he would want to rid the world of them. And there's evidence that Ehrlichman felt bitter and betrayed by Nixon after he spent time in prison over the Watergate scandal, so he may have lied.
More importantly, Nixon's drug policies did not focus on the kind of criminalization that Ehrlichman described. Instead, Nixon's drug war was largely a public health crusade – one that would be reshaped into the modern, punitive drug war we know today by later administrations, particularly President Ronald Reagan...
"It's certainly true that Nixon didn't like blacks and didn't like hippies," Courtwright said. "But to assign his entire drug policy to his dislike of these two groups is just ridiculous."
I'm following a direct quote, while you are citing a third party trying to handwave it away. I don't really consider it ignorant to believe the primary source's exact words when they so closely mirror the reality of what happened.
Why would we ever need this? We never compare rape and murder, for that matter. We have the entire justice system for that, with judges and courts and prosecutors and defenders and juries.
Of course we do. We, as a society, have decided that murder is a more serious offense, and assigned a punishment for each accordingly. This process has to be repeated every time a new type of crime emerges.
The conversation is around how to prevent similar white collar crimes. I'm sure it has been discussed before. I'm not sure what the conclusion is. Please provide some helpful information if you have any.
You've left about 10 comments on this topic posing questions and soliciting information from other people. Curiosity is good of course, but at some point you should consider contributing information to support your point of view instead of expecting everyone else to provide you with information. It's not like you're a judge in this case with decisional authority and an obligation to assess the fact pattern in splendid isolation.
Sure. My view - we need concrete data about the actual harm done in cases like this. We have such data for most other types of crimes. In my opinion, saying that something bad "can" happen is not sufficient to determine the punishment.
Note this is not the same as being against punishing illegal sale of private data.
A note to the reader: this is how debate-bros corner you into bullshit arguments. Best to disengage from this kind of bad-faith posturing, no matter how much they insist on their "intentions".
I just followed the thread down from here and you seem to be so determined to undermine or counter every reasonable point that it could be suspected your original question here is motivated by ideological or other partial objection rather than genuine interest in the answer.
Well, thank you for the polite response here, I certainly wouldn't want or intend to discourage genuine good faith discussion; it just registered as otherwise motivated in that instance for me.
Increase fines to a point where the estimated prosecution rate makes the expected value of breaking the law negative.
Directly punish executives, upper management, board members and large shareholders when their companies break the law rather than just fining the company. This could include fines, prohibitions from holding similar positions, and jail time.
Stop commoditizing ownership by prohibiting ownership of companies by non-participants. This last one would have the largest impact but is the least likely.
Then the fine isn't high enough. Make them higher. If they complain, make them even higher.
These aren't human beings. These are corporations: inanimate, unfeeling entities worth billions of dollars whose only point in existing is making money at your personal expense. They should think 10 times before engaging in any destructive behavior such as "leaking" patient data to advertising companies. If they're not afraid, then the fines aren't high enough and must be increased.
My understanding is that if the fines ever become an existential threat then it motivates companies to commit criminal behavior but try to be sneakier about it, because in for a penny in for a pound.
Of course we’re finding out repeatedly that no threatening fines don’t prevent that behavior either. :/ there’s a theoretical fine line where just enough fines will prevent such behavior but frankly I’m having a harder and harder time believing such rhetoric.
Maybe it’s the ownership of such companies that is wrong. I highly doubt Cerebral would’ve made this decision in the first place if it was owned by regular people, especially regular mental health professionals.
How do you ensure the penalty is actually higher than what the criminals managed to put aside?
An uncle of an ex-girlfriend was put in jail for a MITM scheme in the construction business. He was active for about 2 years until they got him. When I heard an estimate of how much he made, I went ahead and did the 24/7 hourly rate calculation for his jail time. It was a 3 digit figure.
In Burundi you'll probably just be captured and murdered.
The USA has very high recidivism when we throw ex-convicts out on the streets homeless and broke, which is not a punishment, it's just piss-poor social management.
Norway has one of the lowest recidivism rates in the world. They combine just punishments with actual correctional assistance for reintegration into society.
Punishments with real correctional assistance and social resources is a proven successful combination.
Handling confidential patient data does not necessarily mean the organization is a covered entity under HIPAA. One of the organizations I work with receives, stores, and uses significant amounts of confidential patient data, but they are not a covered entity under HIPAA (although they are covered separately under the Privacy Act).
You are correct, but despite the article's misunderstanding of HIPAA they are covered by it. The incident is being investigated by HHS, as opposed to the FTC who dealt with the (non-HIPAA-covered) GoodRx incident from like yesterday.
According to the HHS incident listing[1], they are a Business Associate. This means they handle patient data because they are contracted to do so by a HIPAA-covered entity. I've never heard of Cerebral before (and hopefully I won't again), but that likely means that their customers are the hospitals.
> I've never heard of Cerebral before (and hopefully I won't again), but that likely means that their customers are the hospitals.
Cerebral is a mental health therapy app, but unlike most apps, they also prescribed medicine until very recently. They stopped after the FDA started investigating them for being a pill mill for schedule II controlled substances like adderall (ie amphetamine salts)
Covered entities are required to enter into BAA (Business Associate Agreement) contracts when they let other entities handle protected data. Those agreements basically say HIPAA rules and more have to be followed. You do this, for example, with AWS for your infrastructure, any other service that might be exposed to patient data, etc. With a broad perspective, these secondary entities are covered by HIPAA and its rules, it's just technicalities with how this happens that makes a distinction. In other words you can't circumvent HIPAA by having a third party process your data.
You can however, circumvent the spirit of HIPAA and what most people would expect for data privacy by "deidentifying" your data and monetizing it in one of many ways which are wholly inadequate and usually reversible without much effort.
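An added example of the point above (not code or data from the original post, from Cerebral, or from HHS): stripping names from a record set while keeping ZIP, date of birth and sex leaves quasi-identifiers that a buyer can join against any public list carrying the same fields. The records, the "public list" and the field names below are all constructed for illustration; the code measures k-anonymity of the set, runs a linkage attack against it, and then shows how coarsening the quasi-identifiers closes the gap.

```javascript
// Constructed "de-identified" export: names removed, quasi-identifiers kept.
const SAMPLE_RECORDS = [
  { zip: "94110", dob: "1991-03-14", sex: "F", plan: "Gold",   diagnosis: "ADHD" },
  { zip: "94110", dob: "1991-03-14", sex: "F", plan: "Silver", diagnosis: "Anxiety" },
  { zip: "94117", dob: "1988-07-02", sex: "M", plan: "Gold",   diagnosis: "Depression" },
  { zip: "94117", dob: "1988-11-20", sex: "M", plan: "Gold",   diagnosis: "ADHD" },
  { zip: "10001", dob: "1975-01-30", sex: "F", plan: "Bronze", diagnosis: "Insomnia" },
  { zip: "10003", dob: "1975-05-09", sex: "F", plan: "Bronze", diagnosis: "ADHD" },
];

// Constructed public list (think voter roll): names plus the same fields.
const PUBLIC_LIST = [
  { name: "Person A", zip: "94117", dob: "1988-07-02", sex: "M" },
  { name: "Person B", zip: "10001", dob: "1975-01-30", sex: "F" },
  { name: "Person C", zip: "94110", dob: "1991-03-14", sex: "F" },
];

const QUASI_IDENTIFIERS = ["zip", "dob", "sex"];

// Group records by their quasi-identifier tuple.
function equivalenceClasses(records, keys) {
  const classes = new Map();
  for (const r of records) {
    const key = keys.map((k) => r[k]).join("|");
    if (!classes.has(key)) classes.set(key, []);
    classes.get(key).push(r);
  }
  return classes;
}

// k-anonymity: size of the smallest equivalence class. k = 1 means at least
// one record is unique on the quasi-identifiers and can be singled out.
function kAnonymity(records, keys) {
  const classes = equivalenceClasses(records, keys);
  let k = records.length ? Infinity : 0;
  let singletons = 0;
  for (const group of classes.values()) {
    if (group.length < k) k = group.length;
    if (group.length === 1) singletons++;
  }
  return { k, classes: classes.size, singletons };
}

// Linkage attack: join the public list onto the export. A match in a
// singleton class ties the named person to their sensitive attribute.
function reidentify(records, publicList, keys) {
  const classes = equivalenceClasses(records, keys);
  const hits = [];
  for (const person of publicList) {
    const key = keys.map((k) => person[k]).join("|");
    const group = classes.get(key);
    if (group && group.length === 1) {
      hits.push({ name: person.name, diagnosis: group[0].diagnosis });
    }
  }
  return hits;
}

// Generalisation: 3-digit ZIP prefix and birth year only, so classes merge.
function generalize(record) {
  return { ...record, zip: record.zip.slice(0, 3) + "**", dob: record.dob.slice(0, 4) };
}

const before = {
  anonymity: kAnonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS),
  hits: reidentify(SAMPLE_RECORDS, PUBLIC_LIST, QUASI_IDENTIFIERS),
};
const after = {
  anonymity: kAnonymity(SAMPLE_RECORDS.map(generalize), QUASI_IDENTIFIERS),
  hits: reidentify(SAMPLE_RECORDS.map(generalize), PUBLIC_LIST.map(generalize), QUASI_IDENTIFIERS),
};
console.log(JSON.stringify({ before, after }, null, 2));
```

On the constructed data the raw export has k = 1 with four singleton classes, and the join names two people together with their diagnoses; after generalisation every class has at least two members and the same join returns nothing. Real exports need the same check run over the actual quasi-identifiers in the schema (and k-anonymity alone still leaks when every member of a class shares the sensitive value), so treat this as the minimum test before calling anything "de-identified".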
That's going to be tens of millions of dollars of fines. HIPAA is not anything to mess around with. Data breaches like that are an existential threat to a medtech.
They bumped it to 1.9 for inflation. There are also criminal jail time penalties though. It depends on intent. Unlikely it would happen though even if it is deserved.
Maybe that's new, when I was a HIPAA architect for a health related company, I rarely saw anyone being sued or even investigated (mid 2000s). Given how many violations I saw there (and complained about) nothing ever changed because they felt no one would do anything to them.
I work in publicly funded mental health and our responses to possible/actual HIPAA breaches are monitored very closely by our funders. So even if an event occurs that is not deemed to be an actual breach, if our response/investigation/corrective action is found to be unsatisfactory, our county/state/fed contracts, foundation grants, and Joint Commission Accreditation could be altered/canceled.
Really? That's surprising to me. I worked a hospital job for several years, and had heard of employees making minor infractions who were fired and sued by both the hospital as well as the patient(s). Though those were individuals, things could be different if you're a corporation [rolls eyes pessimistically].
>> even a minor infringement is taken very seriously. The lawsuits are gonna be something else.
Would be great to have a retrospective on this a year from now. I realize it isn't HIPAA, but from what I see from credit agency breaches, regulations are often just suggestions and there are no real consequences. Would be happy to see otherwise.
That's actually a common misconception, that HIPAA infringements mean people are going to jail for a long time or something.
While infringements are taken seriously, and intentional infringement (e.g. looking up the records of a famous celebrity being treated in your hospital without reason to) results in hefty penalties, 99% sure this was a case of them using Google Analytics/Tag Manager and accidentally tagging stuff with protected PII fields. Yes, definitely a serious issue, but on my scale of "breaches I would be concerned about", this one would actually be relatively low.
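An added example of the failure mode the comment above describes (this is not code from the original post or from Cerebral, and the event payload, pixel URL and field names are constructed): a tag manager happily forwards whatever the data layer contains, so the guard has to sit between the page and the tag. The function below inspects an analytics event or a collect-pixel URL, flags parameters whose key names or value shapes look like PHI, and returns a redacted copy that is safe to hand to a third-party tag. The key list and patterns are illustrative, not a complete PHI taxonomy.

```javascript
// Key names that should never reach a third-party tag (illustrative list).
const DENIED_KEYS =
  /(^|[._-])(email|phone|dob|date_of_birth|client_id|member_id|group_number|assessment|diagnosis|treatment|insurance|copay)/i;

// Value shapes that betray PHI even under an innocent-looking key.
const VALUE_PATTERNS = [
  { name: "email", re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  { name: "phone", re: /^\+?\d[\d\s().-]{8,}\d$/ },
  { name: "date",  re: /^\d{4}-\d{2}-\d{2}$/ },
];

// Inspect a flat key/value event. Returns the list of findings and a copy
// of the event with every flagged parameter replaced by "[REDACTED]".
function inspectEvent(params) {
  const findings = [];
  const safe = {};
  for (const [key, value] of Object.entries(params)) {
    const str = String(value);
    let reason = null;
    if (DENIED_KEYS.test(key)) {
      reason = `denied key "${key}"`;
    } else {
      const hit = VALUE_PATTERNS.find((p) => p.re.test(str));
      if (hit) reason = `${hit.name}-shaped value in "${key}"`;
    }
    if (reason) {
      findings.push(reason);
      safe[key] = "[REDACTED]";
    } else {
      safe[key] = value;
    }
  }
  return { findings, safe };
}

// Same check over a collect-pixel URL: parse the query string, inspect it,
// and rebuild the URL with the flagged parameters redacted.
function inspectPixelUrl(url) {
  const u = new URL(url);
  const params = Object.fromEntries(u.searchParams.entries());
  const { findings, safe } = inspectEvent(params);
  const out = new URL(u.origin + u.pathname);
  for (const [k, v] of Object.entries(safe)) out.searchParams.set(k, v);
  return { findings, url: out.toString() };
}

// Constructed data-layer event of the kind a tag manager would forward verbatim.
const LEAKY_EVENT = {
  event: "assessment_submitted",
  page: "/intake/step-3",
  uid: "c_000123",
  email: "patient@example.com",
  dob: "1991-03-14",
  assessment_q4: "I have trouble sleeping",
  contact: "+1 415 555 0100",
  plan_type: "monthly",
};

// Constructed collect request in the shape of a GA4 "ep." event parameter
// (assumed shape for illustration; the values are made up).
const LEAKY_PIXEL =
  "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX&en=page_view" +
  "&ep.user_email=patient%40example.com&ep.dob=1991-03-14&cid=1234.5678";

console.log(JSON.stringify({
  event: inspectEvent(LEAKY_EVENT),
  pixel: inspectPixelUrl(LEAKY_PIXEL),
}, null, 2));
```

On the constructed event the guard flags the email, date of birth, assessment answer and phone number and passes the event name, page path, opaque user id and plan type through; on the pixel URL it catches the two PHI parameters by value and key and rebuilds the request without them. In a real deployment the same check belongs in a data-layer push wrapper or a request interceptor, and anything it flags should be logged as an incident rather than silently dropped, since the flagged field is evidence that the page was built to send PHI to the tag in the first place.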
That’s probably because that’s security by accident, and it’s only in comparison to the shit show we have today. It isn’t security by thoughtful, deliberate design.
They are? All doctors I've been to in the past 10 years have them digitally and will transfer files digitally to your new doctor -- they won't even ask you if you've asked for them to be transferred. It's enough to tell my new doctor where I've previously been and they'll contact them and handle everything else.
Cerebral became famous for selling Adderall and Xanax prescriptions as a subscription service. They advertised on social media sites like TikTok. The “patients” were rushed through the minimal telehealth screenings that they could get away with before writing the prescription, as providers were incentivized to do as many calls per hour as they could.
Worse, whistleblowers have revealed that the company was encouraging their providers to write more Schedule II prescriptions (high addictive potential) and avoid the non-addictive alternatives because they determined that the Schedule II patients had a higher retention rate: https://www.theverge.com/2022/5/9/23063356/cerebral-teleheal...
Multiple major pharmacies refused to fill prescriptions from Cerebral because it was such a blatant internet prescription mill. I was a mentor in a remote mentoring program at a time and it was stunning to see the Slack side conversations where college students were bragging about how easily they were getting high-dose Adderall prescriptions from the company after consultations measured in a couple minutes. One person shared a link to a script people were using that would trigger the providers to increase their dose on every visit, including lying about certain factors to help overcome provider concerns about going into high doses. One student had reached 60mg of Adderall per day (the maximum dose, far above common dosing) and was clearly overstimulated, unwell, and, frankly, hooked on their new stimulant source.
Terrible company. It’s going to leave a mark on the availability of ADHD treatment for years to come, I’m afraid.
Done did the same thing. Massive growth. A new therapist every month. Pharmacies would stop supporting it, so that would change every month or so too. Absolutely terrible experience.
Through Done, I was given a Zoom meeting with a Florida-based practitioner (I'm on the west coast). They wrote me an Adderall prescription after 15 minutes of questions. This felt sketchy at best, and malpractice at worst.
I sought out a real, local doctor with a specialty in mental health, who I could make my primary care physician and have a long-term patient relationship with.
Unsurprisingly, that route not only assures that I'm getting good medical treatment, but any Rx issues that pop up are resolved quickly and relatively painlessly.
These prescription mills have made it tough to get the drugs due to shortages. I've been prescribed Adderall for 10+ years, and while there were a handful of minor blips in the past, it was nothing like what I've seen for the past 6 months or so. It's a very real problem.
The shortages stem from arbitrary production quotas set by the DEA. Pharmaceutical companies would be able to increase supply to meet demand without those quotas. Even with no quotas, pill mills could still be shut down and prosecuted.
Everything you said is true, but the surrounding context is still incredibly important.
There is a reason ADHD is such an open target for this behavior. We have a very significant problem with adult ADHD diagnosis and treatment in our healthcare system. In the overwhelming majority of cases, it simply isn't being done.
In order for an adult with undiagnosed ADHD to receive treatment, they must navigate our healthcare system. That means finding insurance, finding providers, and setting appointments. Every one of those steps is hell for most people living with ADHD symptoms: they literally have an untreated disorder making those steps too difficult.
And even when they do manage all of these steps, there is a very serious lack of education in healthcare about adult ADHD. Many doctors have an outdated belief that ADHD is a child's disorder, and that patients will simply "grow out of it". Studies have shown very thoroughly that this is not the case.
And even when you do get a diagnosis, there is a serious hesitance to prescribe medication.
There are two familiar narratives about stimulant medication. Despite being at odds with each other, both narratives are true.
Stimulant medication is, in the overwhelming majority of cases, the single most effective part of treatment. Without stimulant medication, most ADHD patients are effectively stuck in therapy: they need to change their behavior to treat their symptoms, but it's their symptoms that are driving the behavior!
The other story: stimulant medication is addictive and dangerous. People see their lives fall apart in addiction. It's a very serious problem that demands our attention.
This is the story seen by law enforcement: particularly in the DEA. That is, after all, the set of circumstances they exist to respond to.
So what do we do about it? Ban the substances? That clearly doesn't work. And we shouldn't simply be trying to keep every person from using them: the positive effects are incredibly positive.
Another thing to be aware of: stimulant medication helps fight addiction, too. People with untreated ADHD are very likely to enter addiction, because they have a chronic deficit in stimulation. Giving those people stimulant medication resolves that deficit, and has been shown to very significantly reduce addiction, often even eliminating the addiction completely.
This situation with Cerebral certainly increased the negative consequences of stimulant medication. It also increased the positive consequences.
People who do not have ADHD, and should not be given stimulant medication were provided an easily abusable system to obtain that medication.
People who do have ADHD and benefit greatly from stimulant medication were provided an easily useable system to obtain that medication.
Please, for the love of all people, don't let us get so caught up in the negatives that we outlaw the positives!
We need to take a long and hard look at how our healthcare system is failing us. It's failing potential addicts by playing fast and loose, and it is failing those with untreated ADHD by giving them impossible hurdles.
Each failure demands the other as a solution. We need to break this cycle.
I used online telehealth (through a more legit provider) to seek treatment for ADHD just because before COVID, it was very hard to find psychiatric services that catered to adult ADHD.
The same is true for many others I’ve talked to: they had been meaning to seek adhd treatment for a while (and in many cases had done so, only to be diagnosed with depression, or to be told that they were doing well enough in life that they didn’t need treatment) but it was such a daunting process that most hadn’t gone through with it.
There are of course perverse incentives when it comes to these kinds of businesses (nobody would use them if they were extremely stingy), so they do need to be held to a standard that prevents them from just becoming pill mills. OTOH I think the cost/benefit to society is maximized when barriers to care are lower than what they were pre-telehealth, even if it means some people are just going to abuse the system, especially with adhd meds which are not that addictive or harmful, contrary to popular opinion (that stereotype comes from much more hardcore stuff like smoking and injecting large amounts of meth) - compared to opiates or benzos it’s really no contest that prescription stimulants are less problematic and less addictive.
What concerns me is that so many pundits are listening to the DEA bozos that all the stimulant shortage (which, btw, impacts people who have been stable on adhd meds for decades almost as much as those who only started treatment during the pandemic) is due to the increase in diagnoses from telehealth, when in fact it’s due to arbitrary production quotas set by the DEA that can easily be raised. The fact we let the DEA determine how much of a prescription medicine can be made, allowing formal and above board medical care to be impacted, is absolutely insane to me.
This is literally the war on drugs preventing longtime patients from getting the care they’ve been relying on for decades, just because it became easier to get treatment. The attitude should be that 5 abusers are a small price to pay for 1 legitimate patient getting the care they need, not that 5 abusers need to be stopped so bad that 20 legitimate patients go without treatment.
Primary care doctors have been treating ADHD for a long time. Making an appointment with a primary care doctor and showing up to it isn’t that much harder than making an appointment with a telehealth doctor and showing up to it.
> Stimulant medication is, in the overwhelming majority of cases, the single most effective part of treatment.
Let’s not downplay the effectiveness of non-stimulant ADHD medications. They’re actually quite powerful at improving cognition and can have even better outcomes in many people, especially those prone to anxiety, rumination, or insomnia (all of which can be substantially worsened by stimulant medications). The downside is that the non-stimulant medications can take some time to become fully effective, which has created a false belief that they’re worse than stimulants.
Telehealth pill mills like Cerebral only make the situation worse, as the doctors have no interest in long term patient outcomes other than writing as many Schedule II prescriptions per hour as they can. This isn’t healthy.
Where do you live that a primary care doctor handles ADHD treatment, beyond continuation of care for long-time stable patients? IME primary care doctors will refer you to a psychiatrist who themselves may or may not specialize in ADHD - I’ve never heard of a PCP (outside of maybe concierge medicine) handling ADHD diagnosis or working on finding the right choice/amount of medication.
> Making an appointment with a primary care doctor and showing up to it isn’t that much harder than making an appointment with a telehealth doctor and showing up to it.
It sure as hell is when you have ADHD. I know because I've done it. The difference is night and day, and I'm really good at appointments.
> Let’s not downplay the effectiveness of non-stimulant ADHD medications
In other words: let's please downplay the effectiveness of stimulant medication. No. That's my answer. No.
> The downside is that the non-stimulant medications can take some time to become fully effective
That's incredibly significant if you are dealing with ADHD symptoms. It means you must not a habit before treatment. And if they don't work, you have to taper off. If stimulants work they work immediately.
But that's not the whole story: non-stimulant medication is helpful for a lot of patients! And stimulant medication is helpful for a lot of patients! Choosing which one to start with is important, and the decision is in the hands of the prescribing doctor. Let them do their job.
The idea that we should be avoiding stimulant medication is not backed by any science. Stimulants are reliable and effective. When prescribed to patients in a responsible way (not just because they asked please, but because they are pursuing treatment) stimulant medication is proven to be very safe.
> Telehealth pill mills like Cerebral only make the situation worse, as the doctors have no interest in long term patient outcomes
Yes indeed, that is a real problem, and I totally agree we should get rid of them for that very reason.
But what do we replace them with? A system that is fundamentally broken for the people it is meant to serve? That isn't good enough.
Despite having every wrong and damaging perverse incentive, "telehealth pill mills" like Cerebral - alongside the real damage they caused - managed some real good. They made an impossible system possible. They did so by breaking that system.
I want to see us move forward, not by simply dropping the old broken system back into place, but by actually fixing it. Let's make real responsible treatment actually available to the millions of adults who simply can't get over the bullshit hurdles we have in their way. Until then, dangerous practices like Cerebral will be implicitly validated as the best we've got.
Are you telling me that the company who suckered me into creating a roadmap and hiring plan as part of the interview process for the Head of Engineering position and then ghosted me after I presented it has made a horrible technical blunder?! I'm shocked! /s. Fun fact: I gave the "HIPAA Compliance Audit & Actioning" project the highest priority of all their projects.
[edit] I dug up my response to their recruiter who contacted me 1.5 years later for an EM role.
"Hi <recruiter>, I interviewed with Cerebral in 2020 for Head of Engineering. I put together a slide deck outlining exactly how I would build out the team, including resourcing costs and project prioritization. I then presented this to Kyle, the CEO. I literally never heard back from him or Maddie, even after requesting the status of my candidacy. So, no, I would never be interested in working for Cerebral and I would surely advise everyone I've ever met to avoid the company as well."
>> The telehealth startup, which exploded in popularity during the COVID-19 pandemic after rolling lockdowns and a surge in online-only virtual health services, disclosed the security lapse
That's not a security lapse, it's a straight up violation of HIPAA done for profit. They also seem to suggest that ToS can get around that if only people would read it. Sorry nope.
A mental health telehealth startup. Hey these people are anxious/depressed/bipolar. Wanna sell some “solutions” to them? Maybe this explains some of the (questionable legality) drug ads I get bombarded with on Facebook because I was a Cerebral customer for a little bit.
I gotta say their “counseling” was hilariously bad and made me cancel it but keep the prescription with my GP. It was like a call center worker reading off a paper giving you “therapy”. I did it twice and was like this is a joke
Extremely scammy company. Not surprised. They take credit card information first, then do a questionnaire, then tell you if services for you are available in your area. If they aren’t, you’re still charged and they make it extremely difficult to cancel or get a refund. Had them hang up on me twice. Eventually just did a chargeback.
Startups are fun when they make websites. I'm never going to trust a "move fast and break things" VC startup with real world things like medicine or food.
The therapy/mental health startup space seems like a mess. Tons of companies in the space popped up in the past five years. Don't expect any to be around in five.
By nature and necessarily so, healthcare is not "move fast break things"
It's move if and only if we are provably sure that the new movement is an improvement on the status quo. "First, do no harm" is the ethos of the medical world.
Health data startups are mainly in the business for the data and how to monetize it. Not to provide healthcare services. I hope they die with the rising interest rates.
> News of Cerebral’s years-long data lapse comes just weeks after the U.S. Federal Trade Commission slapped GoodRx with a $1.5 million fine and ordered it to stop sharing patients’ health data with advertisers, and BetterHelp was ordered to pay customers $8.5 million for mishandling users’ data.
The amounts seem somewhere between a handslap and a loving caress.
That's because they didn't get slapped for HIPAA violations. They got fined by the FTC, not HHS. To put it into context, Anthem got hit with USD 115 million in fines for a breach similar to Cerebral's.
Just my guess, but I'd put money on Cerebral being finished as a going concern.
Look, I'm fairly certain Cerebral has not incurred any criminal liability here. I could be wrong, but based on the information available right now, I don't think they have anything to worry about. That said, if new information comes to light, and it turns out crimes were committed, you can't say "I didn't know."
You can't seriously believe that you can help someone commit a crime, and not incur any criminal liability for that act on the grounds of ignorance? Do you think you can be caught with drugs at an airport and expect to be released because "you didn't know" they were there?
Engineers, please protect yourselves. It doesn't matter what legal relationship you have with your employer, one of the first principles of criminal law you're exposed to in law school is that one cannot contract away criminal liability. It's not possible. Keep this in mind when you're working at whatever random crypto firm you're at that wants to build an "exchange". Keep it in mind when you're working at Boeing and they ask you to sign a quality document for a part you worked on. Keep it in mind when you're working at a health care startup and they ask you to sign the quality documents they need to register with the FDA for 510(k). (By the way, the way the attorney at my first medical imaging startup explained it to us, each signature is a single count. So you signed a document and initialed it in 7 places? OK, guess what? That's 8 counts of lying to the federal government when everything goes south. We were advised to always keep that in mind.)
Then how come you don't hear many engineers working at big banks who regularly break the law get slapped with either jail time or fines?
Actually curious— are there any examples of engineers getting jail (or even fined) for being an employee at a company that did a lot of wrongdoing? Even for Theranos, I don't think any regular scientists were on the hook?
On another note, isn't it just fantastic that Amazon made a pinky-swear "promise" to not use patient data it acquired with (Alphabet-backed) OneMedical? I mean, what could possibly go wrong with such an ironclad guarantee? It's not like Amazon has a history of exploiting user data for profit or anything. I feel so much better knowing that our medical information is in such trustworthy hands!
There's a real issue with this where another large health company has a captive market, where small providers are being forced to take on the product to integrate with their larger partners, and their ToS has all these terrible loopholes for them to ignore national laws by pretending they have "consent."
Health is structured as a radical monopoly, and if you thought pharma were a bit cavalier about people, wait until you see health IT. It's the original platform. Their customers are doctors and hospitals - people are the product.
...and yet people sometimes wonder why I avoid using these sorts of services, and why I work so hard to minimize the amount of data that companies learn about me.
As someone who works for the NHS building systems that handle user data this blows my mind. How was "don't give advertisers personal data" or at the very least "don't give advertisers medical data" not top priority!?
This is the type of data breach that people should go to jail for.
Clearly they ought to be in existential trouble for this, but the companies on the receiving side need to be bollocked (unless they've evidence they promptly reported unsuitable information being shared with them). Come down heavy on all parties and it'll gradually stop happening.
America is really atrocious when it comes to data protection accountability. I wonder if Cerebral customers will have to sue in a class action to get any legal recourse.
you know how it is, cookies in bed @ midnight, then they get everywhere and somehow they sell all your information to advertisers. C'mon Technology, amiriteguys?
I imagine a lot of them are doing this. My experience with Done (donefirst.com) was super sketchy and terrible. The whole thing is fake it till you make it energy.
After provider mistakes multiple months in a row, and contacting a useless support team, I was eventually able to get to an operations person who knew how to do customer service and sorted the issues out.
Thankfully I was able to establish a relationship directly with the new provider before all the pharmacies called shenanigans. (Like it seems many other legit patients did - a failure mode of any two sided marketplace)
It's a shame because there is an opportunity to help people by disrupting the traditional healthcare companies. The local large conglomerate Psych department is stuck in the 90s and can't understand why you would want to use medication on the weekends (surely ADHD only matters if it's affecting your ability to work for the man?!) And most independent practices are completely saturated with patients already (assuming they even take your insurance).
Well, this is what disrupting the healthcare system looks like.
There's no other end state when you make the goal of the system make as much money as possible.
FWIW the New York State health insurance portal has Snap + TikTok integrations that make AJAX calls.
It's too easy to make this mistake.
Throw the book at Cerebral, fine, but also legislate 1) a private right of action and 2) shared liability for pixel vendors, so individual consumers can catch this early and adtech has like some incentive to not work with health cos.
I don't know anything about Cerebral, but I started seeing a therapist two days ago, my first time ever. I have nothing serious going on, but I'm getting near retirement and want a sounding board to make sure I'm prepared for such a significant change to my identity.
We're doing it remotely. Why? It is really convenient. I'm busy and taking out 50 minutes during work hours is bad enough, but adding another 50 minutes round trip travel time would be much worse.
Agree. I still operate under the assumption that anything I put online will become public at some point. Thus I don’t do much online that has any connection to my real identity. I do my taxes on paper. Telehealth is right out.
My rural town doesn't have any psychiatry practices as far as I know. I use telehealth to be able to get treatment from a psychiatry practice in a nearby city without having to drive 90 minutes each way.
While sharing data with advertisers is clearly bad, I'm going to make a contrarian take that allowing HIPAA opt-out could be very beneficial to people's health.
I have wondered more than once if complete and total sharing of all data could lead to new insights that are currently not possible. There is no way this could happen for good reason, but I wonder in an alternate universe what good could come of it.
oh no not my health data!!! seriously though, why do we put health data in some kind of special class worthy of more privacy than anything else? your entire identity is out there -- where you live, when you're home, who you know, what you download, pictures of your children, how much money you have, where your great great fucking grandma is from... tell you one thing, if your health data is not in that list, it soon will be