[HN Gopher] Telehealth startup Cerebral shared millions of patie...
___________________________________________________________________
Telehealth startup Cerebral shared millions of patients' data with
advertisers
Author : mzs
Score : 241 points
Date : 2023-03-10 14:44 UTC (8 hours ago)
(HTM) web link (techcrunch.com)
(TXT) w3m dump (techcrunch.com)
| [deleted]
| smn1234 wrote:
| confused as the following statements are conflated: 'shared ...
| data collected' and 'disclosed the security lapse'
|
| so was this intentional, unintentional, negligent?
| lazyfanatic wrote:
| you know how it is, cookies in bed @ midnight, then they get
| everywhere and somehow they sell all your information to
| advertisers. C'mon Technology, amiriteguys?
| vegcel wrote:
| I signed up and paid for service on Cerebral in California,
| anyone have the latest scoop on a class action lawsuit forming? I
| want to get signed on.
| awinter-py wrote:
| fwiw the new york state health insurance portal has snap + tiktok
| integrations that make ajax calls
|
| it's too easy to make this mistake
|
| throw the book at cerebral, fine, but also legislate 1) private
| right of action and 2) shared liability by pixel vendors, so
| individual consumers can catch this early and adtech has like
| _some_ incentive to not work with health cos
| peruvian wrote:
| The therapy/mental health startup space seems like a mess. Tons
| of companies in the space popped up in the past five years. Don't
| expect any to be around in five.
| whalesalad wrote:
| I imagine a lot of them are doing this. My experience with Done
| (donefirst.com) was super sketchy and terrible. The whole thing
| is fake it till you make it energy.
| anon84873628 wrote:
| After provider mistakes multiple months in a row, and
| contacting a useless support team, I was eventually able to get
| to an operations person who knew how to do customer service and
| sorted the issues out.
|
| Thankfully I was able to establish a relationship directly with
| the new provider before all the pharmacies called shenanigans.
| (Like it seems many other legit patients did - a failure mode
| of any two sided marketplace)
|
| It's a shame because there is an opportunity to help people by
| disrupting the traditional healthcare companies. The local
| large conglomerate Psych department is stuck in the 90s and
| can't understand why you would want to use medication on the
| weekends (surely ADHD only matters if it's affecting your
| ability to work for the man?!) And most independent practices
| are completely saturated with patients already (assuming they
| even take your insurance).
| mola wrote:
| Well, this is what disrupting the healthcare system looks
| like. There's no other end state when you make the goal of
| the system to make as much money as possible.
| PragmaticPulp wrote:
| Cerebral became famous for selling Adderall and Xanax
| prescriptions as a subscription service. They advertised on
| social media sites like TikTok. The "patients" were rushed
| through the minimal telehealth screenings that they could get
| away with before writing the prescription, as providers were
| incentivized to do as many calls per hour as they could.
|
| Worse, whistleblowers have revealed that the company was
| encouraging their providers to write more Schedule II
| prescriptions (high addictive potential) and avoid the
| non-addictive alternatives because they determined that the
| Schedule II patients had a higher retention rate:
| https://www.theverge.com/2022/5/9/23063356/cerebral-teleheal...
|
| Multiple major pharmacies refused to fill prescriptions from
| Cerebral because it was such a blatant internet prescription
| mill. I was a mentor in a remote mentoring program at the time and
| it was stunning to see the Slack side conversations where college
| students were bragging about how easily they were getting high-
| dose Adderall prescriptions from the company after consultations
| measured in a couple minutes. One person shared a link to a
| script people were using that would trigger the providers to
| increase their dose on every visit, including lying about certain
| factors to help overcome provider concerns about going into high
| doses. One student had reached 60mg of Adderall per day (the
| maximum dose, far above common dosing) and was _clearly_
| overstimulated, unwell, and, frankly, hooked on their new
| stimulant source.
|
| Terrible company. It's going to leave a mark on the availability
| of ADHD treatment for years to come, I'm afraid.
| thomastjeffery wrote:
| Everything you said is true, but the surrounding context is
| still incredibly important.
|
| There is a reason ADHD is such an open target for this
| behavior. We have a very significant problem with adult ADHD
| diagnosis and treatment in our healthcare system. In the
| overwhelming majority of cases, it simply isn't being done.
|
| In order for an adult with undiagnosed ADHD to receive
| treatment, they must navigate our healthcare system. That means
| finding insurance, finding providers, and setting appointments.
| Every one of those steps is hell for most people living with
| ADHD symptoms: they literally have an untreated disorder making
| those steps too difficult.
|
| And even when they do manage all of these steps, there is a
| very serious lack of education in healthcare about adult ADHD.
| Many doctors have an outdated belief that ADHD is a child's
| disorder, and that patients will simply "grow out of it".
| Studies have shown very thoroughly that this is not the case.
|
| And even when you do get a diagnosis, there is a serious
| hesitance to prescribe medication.
|
| There are two familiar narratives about stimulant medication.
| Despite being at odds with each other, both narratives are
| true.
|
| Stimulant medication is, in the overwhelming majority of cases,
| the single most effective part of treatment. Without stimulant
| medication, most ADHD patients are effectively stuck in
| therapy: they need to change their behavior to treat their
| symptoms, but it's their symptoms that are driving the
| behavior!
|
| The other story: stimulant medication is addictive and
| dangerous. People see their lives fall apart in addiction. It's
| a very serious problem that demands our attention.
|
| This is the story seen by law enforcement: particularly in the
| DEA. That is, after all, the set of circumstances they exist to
| respond to.
|
| So what do we do about it? Ban the substances? That clearly
| doesn't work. And we shouldn't simply be trying to keep every
| person from using them: the positive effects are incredibly
| positive.
|
| Another thing to be aware of: stimulant medication helps fight
| addiction, too. People with untreated ADHD are very likely to
| enter addiction, because they have a chronic deficit in
| stimulation. Giving those people stimulant medication resolves
| that deficit, and has been shown to very significantly reduce
| addiction, often even eliminating the addiction completely.
|
| This situation with Cerebral certainly increased the negative
| consequences of stimulant medication. It also increased the
| positive consequences.
|
| People who do not have ADHD, and should not be given stimulant
| medication were provided an easily abusable system to obtain
| that medication.
|
| People who do have ADHD and benefit greatly from stimulant
| medication were provided an easily _useable_ system to obtain
| that medication.
|
| Please, for the love of all people, don't let us get so caught
| up in the negatives that we outlaw the positives!
|
| We need to take a long and hard look at how our healthcare
| system is failing us. It's failing potential addicts by playing
| fast and loose, _and_ it is failing those with untreated ADHD by
| giving them impossible hurdles.
|
| Each failure demands the other as a solution. We need to break
| this cycle.
| opportune wrote:
| I used online telehealth (through a more legit provider) to
| seek treatment for ADHD just because before COVID, it was
| very hard to find psychiatric services that catered to adult
| ADHD.
|
| The same is true for many others I've talked to: they had
| been meaning to seek adhd treatment for a while (and in many
| cases had done so, only to be diagnosed with depression, or
| to be told that they were doing well enough in life that they
| didn't need treatment) but it was such a daunting process
| that most hadn't gone through with it.
|
| There are of course perverse incentives when it comes to
| these kinds of businesses (nobody would use them if they were
| extremely stingy), so they do need to be held to a standard
| that prevents them from just becoming pill mills. OTOH I
| think the cost/benefit to society is maximized when barriers
| to care are lower than what they were pre-telehealth, even if
| it means some people are just going to abuse the system,
| especially with adhd meds which are not that addictive or
| harmful, contrary to popular opinion (that stereotype comes
| from much more hardcore stuff like smoking and injecting
| large amounts of meth) - compared to opiates or benzos it's
| really no contest that prescription stimulants are less
| problematic and less addictive.
|
| What concerns me is that so many pundits are listening to the
| DEA bozos that all the stimulant shortage (which, btw,
| impacts people who have been stable on adhd meds for decades
| almost as much as those who only started treatment during the
| pandemic) is due to the increase in diagnoses from
| telehealth, when in fact it's due to arbitrary production
| quotas set by the DEA that can easily be raised. The fact we
| let the DEA determine how much of a prescription medicine can
| be made, allowing formal and above board medical care to be
| impacted, is absolutely insane to me.
|
| This is literally the war on drugs preventing longtime
| patients from getting the care they've been relying on for
| decades, just because it became easier to get treatment. The
| attitude should be that 5 abusers are a small price to pay
| for 1 legitimate patient getting the care they need, not that
| 5 abusers need to be stopped so bad that 20 legitimate
| patients go without treatment.
| PragmaticPulp wrote:
| Primary care doctors have been treating ADHD for a long time.
| Making an appointment with a primary care doctor and showing
| up to it isn't that much harder than making an appointment
| with a telehealth doctor and showing up to it.
|
| > Stimulant medication is, in the overwhelming majority of
| cases, the single most effective part of treatment.
|
| Let's not downplay the effectiveness of non-stimulant ADHD
| medications. They're actually quite powerful at improving
| cognition and can have even better outcomes in many people,
| especially those prone to anxiety, rumination, or insomnia
| (all of which can be substantially worsened by stimulant
| medications). The downside is that the non-stimulant
| medications can take some time to become fully effective,
| which has created a false belief that they're worse than
| stimulants.
|
| Telehealth pill mills like Cerebral only make the situation
| worse, as the doctors have no interest in long term patient
| outcomes other than writing as many Schedule II prescriptions
| per hour as they can. This isn't healthy.
| thomastjeffery wrote:
| > Making an appointment with a primary care doctor and
| showing up to it isn't that much harder than making an
| appointment with a telehealth doctor and showing up to it.
|
| It sure as hell is when you have ADHD. I know because I've
| done it. The difference is night and day, and _I'm really
| good at appointments._
|
| > Let's not downplay the effectiveness of non-stimulant
| ADHD medications
|
| In other words: let's please downplay the effectiveness of
| stimulant medication. No. That's my answer. No.
|
| > The downside is that the non-stimulant medications can
| take some time to become fully effective
|
| That's incredibly significant if you are dealing with ADHD
| symptoms. It means you must not a habit before treatment.
| And if they don't work, you have to taper off. If
| stimulants work they work _immediately_.
|
| But that's not the whole story: non-stimulant medication
| _is_ helpful for a lot of patients! And stimulant
| medication is helpful for a lot of patients! Choosing which
| one to start with is important, and the decision is in the
| hands of the prescribing doctor. Let them do their job.
|
| The idea that we should be avoiding stimulant medication is
| not backed by any science. Stimulants are reliable and
| effective. When prescribed to patients in a responsible way
| (not just because they asked please, but because they are
| pursuing treatment) stimulant medication is proven to be
| very safe.
|
| > Telehealth pill mills like Cerebral only make the
| situation worse, as the doctors have no interest in long
| term patient outcomes
|
| Yes indeed, that is a real problem, and I totally agree we
| should get rid of them for that very reason.
|
| But what do we replace them with? A system that is
| fundamentally broken for the people it is meant to serve?
| That isn't good enough.
|
| Despite having every wrong and damaging perverse incentive,
| "telehealth pill mills" like Cerebral - alongside the real
| damage they caused - managed some real good. They made an
| impossible system possible. They did so by breaking that
| system.
|
| I want to see us move forward, not by simply dropping the
| old broken system back into place, but by _actually fixing
| it_. Let's make real responsible treatment _actually
| available_ to the millions of adults who simply can't get
| over the bullshit hurdles we have in their way. Until then,
| dangerous practices like Cerebral will be implicitly
| validated as the best we've got.
| opportune wrote:
| Where do you live that a primary care doctor handles adhd
| treatment, beyond continuation of care for long-time stable
| patients? IME primary care doctors will refer you to a
| psychiatrist who themselves may or may not specialize in
| ADHD - I've never heard of a PCP (outside of maybe
| concierge medicine) handling adhd diagnosis or working on
| finding the right choice/amount of medication.
| jaywalk wrote:
| These prescription mills have made it tough to get the drugs
| due to shortages. I've been prescribed Adderall for 10+ years,
| and while there were a handful of minor blips in the past, it
| was nothing like what I've seen for the past 6 months or so.
| It's a very real problem.
| opportune wrote:
| The shortages stem from arbitrary production quotas set by
| the DEA. Pharmaceutical companies would be able to increase
| supply to meet demand without those quotas. Even with no
| quotas, pill mills could still be shut down and prosecuted.
| hef19898 wrote:
| Well, that addictive products result in a higher customer
| retention is something the British fought a war over against
| China.
|
| Such businesses shouldn't be legal.
| whalesalad wrote:
| Done did the same thing. Massive growth. A new therapist every
| month. Pharmacies would stop supporting it, so that would
| change every month or so too. Absolutely terrible experience.
|
| It's easier to buy drugs illegally.
| dymk wrote:
| Through Done, I was given a Zoom meeting with a Florida-based
| practitioner (I'm on the west coast). They wrote me an
| Adderall prescription after 15 minutes of questions. This
| felt sketchy at best, and malpractice at worst.
|
| I sought out a real, local doctor with a specialty in mental
| health, who I could make my primary care physician and have a
| long-term patient relationship with.
|
| Unsurprisingly, that route not only assures that I'm getting
| good medical treatment, but any Rx issues that pop up are
| resolved quickly and relatively painlessly.
| dahfizz wrote:
| Startups are fun when they make websites. I'm never going to
| trust a "move fast and break things" VC startup with real world
| things like medicine or food.
| [deleted]
| Eumenes wrote:
| I truly don't get Telehealth ... Who TF is using this stuff?
| sjkoelle wrote:
| While sharing data with advertisers is clearly bad, I'm going to
| make a contrarian take that allowing HIPAA opt-out could be very
| beneficial to people's health.
| bentcorner wrote:
| I have wondered more than once if complete and total sharing of
| all data could lead to new insights that are currently not
| possible. There is no way this could happen for good reason,
| but I wonder in an alternate universe what good could come of
| it.
| siva7 wrote:
| Well, denial of healthcare insurance as an example - from the
| POV of the insurers.
| alexpetralia wrote:
| At least 1,400 employees are listed on LinkedIn as working there.
| Are they all imminently going to be out of a job?
| erellsworth wrote:
| I don't know, but if I were one of them I'd for damn sure be
| polishing my resume.
| uptown wrote:
| Not necessarily. A lot of prisons these days have pretty good
| work-release programs.
| siva7 wrote:
| But the engineers didn't know, they're innocent
| bilbo0s wrote:
| Please tell me people are not this naive?
|
| Look, I'm fairly certain Cerebral has not incurred any
| criminal liability here. I could be wrong, but based on the
| information available right now, I don't think they have
| anything to worry about. That said, if new information
| comes to light, and it turns out crimes were committed, you
| can't say "I didn't know."
|
| You can't seriously believe that you can help someone
| commit a crime, and not incur any criminal liability for
| that act on the grounds of ignorance? Do you think you can
| be caught with drugs at an airport and expect to be
| released because "you didn't know" they were there?
|
| Engineers, _please_ protect yourselves. It doesn't matter
| what legal relationship you have with your employer, one of
| the first principles of criminal law you're exposed to in
| law school is that one cannot contract away criminal
| liability. It's not possible. Keep this in mind when you're
| working at whatever random crypto firm you're at that wants
| to build an "exchange". Keep it in mind when you're working
| at Boeing and they ask you to sign a quality document for a
| part you worked on. Keep it in mind when you're working at
| a health care startup and they ask you to sign the quality
| documents they need to register with the FDA for 510(k).
| (By the way, the way the attorney at my first medical
| imaging startup explained it to us, each signature is a
| single count. So you signed a document and initialed it in
| 7 places? OK, guess what? That's 8 counts of lying to the
| federal government when everything goes south. We were
| advised to always keep that in mind.)
| yawnxyz wrote:
| Then how come you don't hear many engineers working at
| big banks who regularly break the law get slapped with
| either jail time or fines?
|
| Actually curious-- are there any examples of engineers
| getting jail (or even fined) for being an employee at a
| company that did a lot of wrongdoing? Even for Theranos,
| I don't think any regular scientists were on the hook?
| Benlights wrote:
| People are throwing the word fine around, what there needs to be
| is jail time...
| nmstoker wrote:
| Clearly they ought to be in existential trouble for this, but the
| companies on the receiving side need to be bollocked (unless
| they've evidence they promptly reported unsuitable information
| being shared with them). Come down heavy on all parties and it'll
| gradually stop happening.
| edot wrote:
| Extremely scammy company. Not surprised. They take credit card
| information first, then do a questionnaire, then tell you if
| services for you are available in your area. If they aren't,
| you're still charged and they make it extremely difficult to
| cancel or get a refund. Had them hang up on me twice. Eventually
| just did a chargeback.
| shagymoe wrote:
| Are you telling me that the company who suckered me into creating
| a roadmap and hiring plan as part of the interview process for
| the Head of Engineering position and then ghosted me after I
| presented it has made a horrible technical blunder?! I'm shocked!
| /s. Fun fact: I gave the "HIPAA Compliance Audit & Actioning"
| project the highest priority of all their projects.
|
| [edit] I dug up my response to their recruiter who contacted me
| 1.5 years later for an EM role.
|
| "Hi <recruiter>, I interviewed with Cerebral in 2020 for Head of
| Engineering. I put together a slide deck outlining exactly how I
| would build out the team, including resourcing costs and project
| prioritization. I then presented this to Kyle, the CEO. I
| literally never heard back from him or Maddie, even after
| requesting the status of my candidacy. So, no, I would never be
| interested in working for Cerebral and I would surely advise
| everyone I've ever met to avoid the company as well."
| siva7 wrote:
| Thanks for sharing. I guess when some healthcare CEOs are
| hearing the word HIPAA the cold sweat starts running down.
| coffeebeqn wrote:
| A mental health telehealth startup. Hey these people are
| anxious/depressed/bipolar. Wanna sell some "solutions" to them?
| Maybe this explains some of the (questionable legality) drug ads
| I get bombarded with on Facebook because I was a Cerebral
| customer for a little bit.
|
| I gotta say their "counseling" was hilariously bad and made me
| cancel it but keep the prescription with my GP. It was like a
| call center worker reading off a paper giving you "therapy". I
| did it twice and was like this is a joke
| siva7 wrote:
| Thanks. This is what finally ruins it for everyone else in
| startup land who plays by the rules.
| motohagiography wrote:
| There's a real issue with this where another large health company
| has a captive market, where small providers are being forced to
| take on the product to integrate with their larger partners, and
| their ToS has all these terrible loopholes for them to ignore
| national laws by pretending they have "consent."
|
| Health is structured as a radical monopoly, and if you thought
| pharma were a bit cavalier about people, wait until you see
| health IT. It's the original platform. Their customers are
| doctors and hospitals - people are the product.
| modzu wrote:
| oh no not my health data!!! seriously though, why do we put
| health data in some kind of special class worthy of more privacy
| than anything else? your entire identity is out there -- where
| you live, when you're home, who you know, what you download,
| pictures of your children, how much money you have, where your
| great great fucking grandma is from... tell you one thing, if
| your health data is not in that list, it soon will be
| bigbillheck wrote:
| You've got a point, it should be illegal to disclose those
| other kinds of data as well.
| phkahler wrote:
| >> The telehealth startup, which exploded in popularity during
| the COVID-19 pandemic after rolling lockdowns and a surge in
| online-only virtual health services, disclosed the security lapse
|
| That's not a security lapse, it's a straight up violation of
| HIPAA done for profit. They also seem to suggest that ToS can get
| around that if only people would read it. Sorry nope.
| jonathankoren wrote:
| I came here to say the same thing.
|
| This needs a lawsuit. This isn't some accidental breach. This
| was intentional. There's zero reason to be sharing this
| information.
| JohnFen wrote:
| ...and yet people sometimes wonder why I avoid using these sorts
| of services, and why I work so hard to minimize the amount of
| data that companies learn about me.
| neilv wrote:
| > _News of Cerebral's years-long data lapse comes just weeks
| after the U.S. Federal Trade Commission slapped GoodRx with a
| $1.5 million fine and ordered it to stop sharing patients' health
| data with advertisers, and BetterHelp was ordered to pay
| customers $8.5 million for mishandling users' data._
|
| The amounts seem somewhere between a handslap and a loving
| caress.
| bilbo0s wrote:
| That's because they didn't get slapped for HIPAA violations.
| They got fined by the FTC, not HHS. To put it into context,
| Anthem got hit with USD115 Million in fines for a breach
| similar to Cerebral's.
|
| Just my guess, but I'd put money on Cerebral being finished as
| a going concern.
| domrdy wrote:
| On another note, isn't it just fantastic that Amazon made a
| pinky-swear "promise" to not use patient data it acquired with
| (Alphabet-backed) OneMedical? I mean, what could possibly go
| wrong with such an ironclad guarantee? It's not like Amazon has a
| history of exploiting user data for profit or anything. I feel so
| much better knowing that our medical information is in such
| trustworthy hands!
|
| https://www.ftc.gov/system/files/ftc_gov/pdf/2210191amazonon...
| qwertyuiop_ wrote:
| Health data startups are mainly in the business for the data and
| how to monetize it. Not to provide healthcare services. I hope
| they die with the rising interest rates.
| blakesterz wrote:
| Holy crap. Sometimes I see headlines like this and then the
| details aren't all that bad. This one is all that bad.
|
| They gave it all away. They do call it "inadvertent" though.
| "The information disclosed may have included name, phone number,
| email address, date of birth, IP address, Cerebral client ID
| number, and other demographic or information. The information
| disclosed may also have included the service the individual
| selected, assessment responses, and certain associated health
| information, subscription plan type, appointment dates and other
| booking information, treatment, and other clinical information,
| health insurance/pharmacy benefit information (for example, plan
| name and group/member numbers), and insurance co-pay amount."
|
| Because Cerebral is a telehealth startup and handles confidential
| patient data, it's considered a company covered under the U.S.
| health privacy law known as HIPAA. According to a list of health-
| related security lapses under investigation by the U.S.
| Department of Health and Human Services, which oversees and
| enforces HIPAA, Cerebral's data lapse is the second-largest
| breach of health data in 2023.
| techwizrd wrote:
| Handling confidential patient data does not necessarily mean
| the organization is a covered entity under HIPAA. One of the
| organizations I work with receives, stores, and uses
| significant amounts of confidential patient data, but they are
| not a covered entity under HIPAA (although they are covered
| separately under the Privacy Act).
| lmkg wrote:
| You are correct, but despite the article's misunderstanding
| of HIPAA they are covered by it. The incident is being
| investigated by HHS, as opposed to the FTC who dealt with the
| (non-HIPAA-covered) GoodRx incident from like yesterday.
|
| According to the HHS incident listing[1], they are a Business
| Associate. This means they handle patient data because they
| are contracted to do so by a HIPAA-covered entity. I've never
| heard of Cerebral before (and hopefully I won't again), but
| that likely means that their customers are the hospitals.
|
| [1] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
| jonathankoren wrote:
| > I've never heard of Cerebral before (and hopefully I
| won't again), but that likely means that their customers
| are the hospitals.
|
| Cerebral is a mental health therapy app, but unlike most
| apps, they also prescribed medicine until very recently.
| They stopped after the FDA started investigating them for
| being a pill mill for schedule II controlled substances
| like adderall (ie amphetamine salts)
|
| https://www.theverge.com/2022/5/9/23063356/cerebral-teleheal...
| matheusmoreira wrote:
| A corporation prescribing amphetamines? No doctors
| involved at all? How is that possible?
| prepend wrote:
| Doctors were involved all right, thus the "pill mill"
| part.
| colechristensen wrote:
| Covered entities are required to enter into BAA (Business
| Associate Agreement) contracts when they let other entities
| handle protected data. Those agreements basically say HIPAA
| rules and more have to be followed. You do this, for example,
| with AWS for your infrastructure, any other service that
| might be exposed to patient data, etc. With a broad
| perspective, these secondary entities are covered by HIPAA
| and its rules, it's just technicalities with how this
| happens that makes a distinction. In other words you can't
| circumvent HIPAA by having a third party process your data.
|
| You _can_ however, circumvent the spirit of HIPAA and what
| most people would expect for data privacy by "deidentifying"
| your data and monetizing it in one of many ways which are
| wholly inadequate and usually reversible without much effort.
| time0ut wrote:
| Regarding de-identification, are you talking about the
| expert determination method?
| wins32767 wrote:
| That's going to be tens of millions of dollars of fines. HIPAA
| is not anything to mess around with. Data breaches like that
| are an existential threat to a medtech.
| junon wrote:
| If memory serves the fines stop after 1.5 million. Please
| someone correct me if I'm misremembering.
| warent wrote:
| It looks like the maximum penalty (if corrected within 30
| days) is about $450,000 as of 2022.
|
| However, there is apparently an addendum to the law that
| the State Attorney General is authorized to impose civil
| penalties in addition to this.
|
| As we see, Anthem settled for $115,000,000 for a similar
| breach.
|
| So, yeah, unless Cerebral gets a very lenient AG, they're
| done.
|
| https://www.hipaajournal.com/court-approves-anthem-115-milli...
|
| https://www.hipaajournal.com/what-is-the-maximum-penalty-for...
| time0ut wrote:
| They bumped it to 1.9 for inflation. There are also
| criminal jail time penalties though. It depends on intent.
| Unlikely it would happen though even if it is deserved.
| [deleted]
| danielvaughn wrote:
| This is pretty wild. HIPAA does _not_ fuck around, even a minor
| infringement is taken very seriously. The lawsuits are gonna be
| something else.
| TuringNYC wrote:
| >> even a minor infringement is taken very seriously. The
| lawsuits are gonna be something else.
|
| Would be great to have a retrospective on this a year from
| now. I realize it isn't HIPAA, but from what I see from Credit
| Agency breaches, regulations are often just suggestions and
| there are no real consequences. Would be happy to see
| otherwise.
| hn_throwaway_99 wrote:
| That's actually a common misconception, that HIPAA
| infringements mean people are going to jail for a long time
| or something.
|
| While infringements are taken seriously, and _intentional_
| infringement (e.g. looking up the records of a famous
| celebrity being treated in your hospital without reason to)
| results in hefty penalties, 99% sure this was a case of them
| using Google Analytics /Tag Manager and accidentally tagging
| stuff with protected PII fields. Yes, definitely a serious
| issue, but on my scale of "breaches I would be concerned
| about", this one would actually be relatively low.
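One concrete guard against the mechanism hn_throwaway_99 describes (a tag manager forwarding events that still carry protected fields), as an added example that is not code from the thread, from Cerebral, or from any tag-manager vendor: a scrubber that drops the field categories quoted from the breach notice earlier in the thread and redacts values that look like an email, IP address, date of birth or phone number under any key. The key list, the value patterns, the `guardedPush` helper and the sample event are all constructed assumptions.

```javascript
// Added example: scrub an analytics/tag-manager event before it reaches
// third-party pixels. Key list mirrors the breach notice's field categories;
// everything below (names, patterns, sample event) is constructed.

// Field names (normalised: lower case, no separators) that never belong in
// an advertising or analytics payload. Extend for your own schema.
const PHI_KEYS = new Set([
  'name', 'firstname', 'lastname', 'fullname', 'phone', 'phonenumber',
  'email', 'emailaddress', 'dob', 'dateofbirth', 'birthdate', 'ip',
  'ipaddress', 'clientid', 'patientid', 'memberid', 'membernumber',
  'groupnumber', 'insurance', 'pharmacy', 'copay', 'assessment',
  'assessmentresponses', 'diagnosis', 'treatment', 'medication',
  'prescription', 'appointmentdate', 'plantype', 'subscriptionplan',
]);

// Value shapes that betray PHI even under a bland key. Order matters: the
// specific patterns come first, because the loose phone pattern would also
// match an IPv4 address or an ISO date.
const PHI_PATTERNS = [
  { name: 'email', re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  { name: 'ipv4', re: /^(\d{1,3}\.){3}\d{1,3}$/ },
  { name: 'date', re: /^\d{4}-\d{2}-\d{2}$/ },
  { name: 'phone', re: /^\+?\d[\d\s().-]{8,}\d$/ },
];

// 'Date_Of-Birth' -> 'dateofbirth', so naming style cannot dodge the list.
function normalizeKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Recursively copy `value`, dropping PHI keys (with everything nested under
// them) and redacting PHI-looking strings. Every removal is recorded in
// `findings` with its dotted path so the event can be audited later.
function walk(value, path, findings) {
  if (Array.isArray(value)) {
    return value.map((item, i) => walk(item, `${path}[${i}]`, findings));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (PHI_KEYS.has(normalizeKey(key))) {
        findings.push({ path: childPath, reason: 'phi-key' });
        continue;
      }
      out[key] = walk(child, childPath, findings);
    }
    return out;
  }
  if (typeof value === 'string') {
    const hit = PHI_PATTERNS.find((p) => p.re.test(value.trim()));
    if (hit) {
      findings.push({ path, reason: `phi-value:${hit.name}` });
      return '[redacted]';
    }
  }
  return value;
}

// Returns the scrubbed copy plus the list of what was removed and why.
function scrubEvent(event) {
  const findings = [];
  const clean = walk(event, '', findings);
  return { clean, findings };
}

// Wrap a data layer (anything with push, e.g. window.dataLayer) so only the
// scrubbed copy is forwarded. Returns the number of blocked fields so callers
// can alert when application code starts leaking new ones.
function guardedPush(dataLayer, event, onFinding = () => {}) {
  const { clean, findings } = scrubEvent(event);
  findings.forEach(onFinding);
  dataLayer.push(clean);
  return findings.length;
}

// Constructed intake event of the kind a telehealth front end might emit.
// Note the email and phone hidden under keys that are not on the list.
const SAMPLE_EVENT = {
  event: 'intake_completed',
  page_path: '/intake/step-3',
  client: {
    client_id: 'CER-00042',
    contact: 'pat.example@example.com',
    callback: '+1 415 555 0100',
    date_of_birth: '1990-04-12',
    state: 'CA',
  },
  assessment_responses: { q1: 3, q2: 2 },
  plan_type: 'monthly',
  context: { user_agent: 'Mozilla/5.0', ip: '203.0.113.5', locale: 'en-US' },
};

// Stand-alone demo: seven fields are blocked, the rest is forwarded.
const demoLayer = [];
const blocked = guardedPush(demoLayer, SAMPLE_EVENT, (f) => console.log(`blocked ${f.path} (${f.reason})`));
console.log(`${blocked} field(s) blocked; forwarded:`, JSON.stringify(demoLayer[0]));
```

A denylist like this is only a backstop: the finding count is the useful signal, since a non-zero count in production means application code is putting PHI into analytics events and the schema, not the filter, needs fixing.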
| coldcode wrote:
| Maybe that's new, when I was a HIPAA architect for a health
| related company, I rarely saw anyone being sued or even
| investigated (mid 2000s). Given how many violations I saw
| there (and complained about) nothing ever changed because
| they felt no one would do anything to them.
| danielvaughn wrote:
| Really? That's surprising to me. I worked a hospital job
| for several years, and had heard of employees making
| _minor_ infractions who were fired _and_ sued by both the
| hospital as well as the patient(s). Though those were
| individuals, things could be different if you're a
| corporation [rolls eyes pessimistically].
| hn_throwaway_99 wrote:
| 9 times out of 10 those types of infractions are
| intentional, stuff like this:
| https://www.reliasmedia.com/articles/11576-13-hospital-worke...
| claytongulick wrote:
| It has changed a lot since then. 2015 was a huge overhaul
| of HIPAA and its enforcement.
|
| Prior to that, it was just a polite suggestion.
| Optimal_Persona wrote:
| +1
|
| I work in publicly funded mental health and our responses
| to possible/actual HIPAA breaches are monitored very
| closely by our funders. So even if an event occurs that
| is not deemed to be an actual breach, if our
| response/investigation/corrective action is found to be
| unsatisfactory, our county/state/fed contracts,
| foundation grants, and Joint Commission Accreditation
| could be altered/canceled.
| SkyPuncher wrote:
| If this is anything like GoodRx, they're not viewed as a
| covered entity.
| hef19898 wrote:
| Well, and then people ridicule Germany because patient files
| are still handled decentrally, on paper and shared between
| doctors by fax...
| freetinker wrote:
| That's probably because that's security by accident, and it's
| only in comparison to the shit show we have today. It isn't
| security by thoughtful, deliberate design.
| luckylion wrote:
| They are? All doctors I've been to in the past 10 years have
| them digitally and will transfer files digitally to your new
| doctor -- they won't even ask you if you've asked for them to
| be transferred. It's enough to tell my new doctor where I've
| previously been and they'll contact them and handle
| everything else.
| siva7 wrote:
| Not anymore, the digital patient file is finally ready.
| hef19898 wrote:
| With a usage of, what did they say in the news today, 13% ?
| falcolas wrote:
| > Cerebral's data lapse is the second-largest breach of health
| data in 2023.
|
| We're not even three full months into 2023, and this is the
| _second_ biggest? I can't even comprehend how anybody thought
| this was a good idea.
|
| Really thinking that basing our economy's primary motivator on
| human greed isn't doing us many favors right now, not when it's
| so easy for bad actors to out-earn any and all penalties.
| p1esk wrote:
| _basing our economy's primary motivator on human greed isn't
| doing us many favors right now_
|
| How would you fix it?
| shkkmo wrote:
| Increase fines to a point where the estimated prosecution
| rate makes the expected value of breaking the law negative.
|
| Directly punish executives, upper management, board members
| and large shareholders when their companies break the law
| rather than just fining the company. This could include
| fines, prohibitions from holding similar positions, and
| jail time.
|
| Stop commoditizing ownership by prohibiting ownership of
| companies by non-participants. This last one would have the
| largest impact but is the least likely.
| moomoo3000 wrote:
| Heavy fines
| eurasiantiger wrote:
| So you think that a greed-based demotivator will truly
| impact greedy behavior in any positive way for society at
| large?
|
| The greedy will just find ways to hide their greed.
| moomoo3000 wrote:
| Make them work harder for it
| MonkeyMalarky wrote:
| Ah I see, we should not fine or punish criminals because
| otherwise they would just hide their criminal behaviour.
| Makes sense.
| warent wrote:
| MonkeyMalarky says: malarky detected
| eurasiantiger wrote:
| Kudos, that is exactly what I'm saying. How is the
| current approach working in your opinion?
| warent wrote:
| It depends on what country you're talking about.
|
| In Burundi you'll probably just be captured and murdered.
|
| The USA has very high recidivism when we throw ex
| convicts out on the streets homeless and broke, which is
| not a punishment, it's just piss-poor social management.
|
| Norway has one of the lowest recidivism rates in the
| world. They combine just punishments with actual
| correctional assistance for reintegration into society.
|
| Punishments with real correctional assistance and social
| resources are a proven successful combination.
| tomp wrote:
| Fines are just "cost of business" for companies.
|
| Either bankrupt the company (fine is 20% of yearly
| revenue) or jail the executives and everyone responsible.
| matheusmoreira wrote:
| Then the fine isn't high enough. Make them higher. If
| they complain, make them even higher.
|
| These aren't human beings. These are corporations:
| inanimate, unfeeling entities worth billions of dollars
| whose only point in existing is making money at your
| personal expense. They should think 10 times before
| engaging in any destructive behavior such as "leaking"
| patient data to advertising companies. If they're not
| afraid, then the fines aren't high enough and must be
| increased.
| SamoyedFurFluff wrote:
| My understanding is that if the fines ever become an
| existential threat then it motivates companies to commit
| criminal behavior but try to be sneakier about it,
| because in for a penny in for a pound.
|
| Of course we're finding out repeatedly that non-threatening
| fines don't prevent that behavior either. :/
| There's a theoretical fine line where just enough fines
| will prevent such behavior but frankly I'm having a
| harder and harder time believing such rhetoric.
|
| Maybe it's the ownership of such companies that is
| wrong. I highly doubt Cerebral would've made this
| decision in the first place if it was owned by regular
| people, especially regular mental health professionals.
| lynx23 wrote:
| How do you ensure the penalty is actually higher than
| what the criminals managed to put aside?
|
| An uncle of an ex-girlfriend was put in jail for a MITM
| scheme in the construction business. He was active for
| about 2 years until they got him. When I heard an
| estimate of how much he made, I went ahead and did the
| 24/7 hourly rate calculation for his jailtime. It was a 3
| digit figure.
| idiotsecant wrote:
| I'm not sure you can count it as income if it gets seized
| as part of prosecution.
| lynx23 wrote:
| The point of the story was that the money actually never
| got seized.
| mellosouls wrote:
| I just followed the thread down from here and you seem to
| be so determined to undermine or counter every reasonable
| point that it could be suspected your original question
| here is motivated by ideological or other partial objection
| rather than genuine interest in the answer.
| p1esk wrote:
| I have a genuine interest in the _discussion_. I, too,
| tried to be reasonable in my arguments.
| mellosouls wrote:
| Well, thank you for the polite response here, I certainly
| wouldn't want or intend to discourage genuine good faith
| discussion; it just registered as otherwise motivated in
| that instance for me.
| arrosenberg wrote:
| Believe it or not, I think putting white collar criminals
| in prison for lengthy sentences would dissuade them.
| Imagine if we were learning this news alongside pictures of
| the CEO, CFO and some board members in handcuffs being perp
| walked out of the office? The next start up would think way
| harder about security.
| p1esk wrote:
| The society would need to agree on the seriousness of the
| crime of selling personal information. Is it as serious
| as selling drugs? A burglary? Rape? Do you think the
| majority of the Americans would share your opinion on the
| matter? Keep in mind US incarceration rate is one of the
| highest in the world.
| anigbrowl wrote:
| Why are we trying to mash everything down to a one-
| dimensional ranking? Over simplification can be as
| deceptive as over-complication.
|
| A breach of one's personal data is clearly less severe
| than a violent attack upon one's person. But the former
| could _enable_ the latter (eg if information were
| purchased by a stalker). And it certainly increases the
| base level of risk from fraud and adversarial commercial
| contact (secretly exploiting knowledge of a target to
| manipulate them into a purchase /sale decision).
|
| Now scale the individual loss up by huge numbers of
| people, and consider what incentives led to the
| information security failure. While it's sometimes
| practical to remediate individual losses of privacy, at
| scale future injuries are virtually assured. It seems to
| me that this warrants an application of strict liability
| principles.
|
| As for restitution, in my view not only should injured
| parties be compensated in cash (and much more of it), but
| they should also be granted, individually or by proxy,
| partial ownership of the offending firm; that is,
| existing investors should have the value of their asset
| significantly diluted. The loss of personal security
| should be reflected in a loss of financial security to
| the asset holders.
| p1esk wrote:
| You make good points, and I actually agree with your
| suggestions. My original concern was not so much about
| what constitutes a "fair punishment" in this particular
| case, but about how this crime is being perceived by
| our society, and especially how it is perceived by
| society (i.e. an average American) when compared to some
| other crimes? I'm more interested in higher level
| questions: How do we decide on the severity of a crime?
| Who should decide that?
| chclt wrote:
| Well that's the case for every crime.
|
| And this one deserves (in my opinion) to be punished more
| harshly than other things which today are already
| punished (you mention selling drugs, which is way better
| morally). The amount of people damaged by this privacy
| infringement is quite high.
| p1esk wrote:
| You think there are more victims from privacy
| infringement than victims from illegal drug trade? I'd
| like to see some data.
| chclt wrote:
| The people affected by the drug trade are not affected by
| the act of selling drugs but by secondary crimes (which
| arise because selling drugs is illegal and vendors cannot
| take advantage of the legal framework).
|
| Also the people affected by this incident alone number in
| the millions.
| p1esk wrote:
| How many people will die or have their lives destroyed
| because of this incident?
| chclt wrote:
| As a sibling comment to mine points out, people who "die
| or have their life destroyed" is simply one way to define
| victim in this context.
|
| With mental health data being at stake here, the amount
| of victims under this definition could also very well be
| non-zero.
|
| Anyway there are a lot of crimes, that don't produce
| those kind of victims. If I mug someone and don't kill
| them or destroy their life in the process, have I not
| committed a crime?
|
| The privacy infringement here is an obvious damage to the
| dignity of everyone affected. Wouldn't you feel
| victimized if I listened in on you speaking with your
| doctor, wrote everything down, stamped your name,
| address, and date of birth on it and started giving out
| copies of the resulting paper to random people? Which is
| exactly what's happening here, except my example is more
| harmless by a factor of a few million people and has a
| lot fewer data points.
| p1esk wrote:
| _Wouldn't you feel victimized if I listened in on you
| speaking with your doctor, wrote everything down, stamped
| your name, address, and date of birth on it and started
| giving out copies of the resulting paper to random
| people?_
|
| I would. I would also feel victimized if you mugged me
| (without killing me or hurting me physically). The
| question we are debating here is - should you be punished
| equally harshly in these two scenarios? I'm leaning
| towards "no". If you disagree I would like to understand
| your reasoning.
| gameman144 wrote:
| Scope of impact is important here.
|
| A doctor who reveals some information on one of their
| patients should be treated less harshly than a mugger of
| one person.
|
| A mugger who robs ten people should be treated more
| harshly than a mugger who robs one person.
|
| A doctor/company who reveals thousands of patients'
| information can reasonably be treated more harshly than a
| mugger of ten people, because the absolute negative
| impact may be greater.
| p1esk wrote:
| OK, this is a good point. Still, you're comparing an act
| of hurting people to an act of potentially hurting
| people. An investigation into the harm done by private
| data sales would be helpful.
| donatj wrote:
| The harm of data loss is _entirely_ the harm caused by
| secondary bad actors.
|
| No one's life is _directly_ injured because of a data
| leak. It's just data, it is entirely inert on its own.
| Their life is injured entirely because of what third
| parties do with that data.
|
| If data leaked and there were no bad actors in the world,
| there would be zero harm.
| Zak wrote:
| Any attempt to answer that would heavily depend on how a
| "victim" is defined in each case.
|
| Are people who attempted to opt out of online tracking,
| but got tracked anyway[0] victims? That's probably less
| severe than this case where a company sold health
| information, but it's definitely illegal in the EU and
| likely at least a deceptive business practice in other
| jurisdictions.
|
| Are people who buy drugs and harm themselves by
| overdosing or spending all their time intoxicated
| victims? If the person is an adult and the drug is
| alcohol, that's not even illegal most places.
|
| Are victims of secondary crimes victims of the illegal
| drug trade, of drug prohibition itself, or simply of the
| secondary crime? One could easily make a case for any of
| those.
|
| [0] https://www.theregister.com/2023/03/03/online_privacy
| _tracki...
| p1esk wrote:
| One definition of victimhood could be how much a person
| has suffered as a result of the crime. I'd say if someone
| has lost their job because of the data leak, or had their
| identity stolen with actual serious financial
| consequences, they are a victim.
|
| True, a lot of people are victims of their own stupid
| decisions. A society should still try to reduce the
| likelihood of the stupid decisions, especially when there
| are obvious bad actors actively trying to increase such
| likelihood.
| anigbrowl wrote:
| But your approach requires us to wait for something bad
| to happen to someone else before forming an opinion. Why
| exactly should people whose privacy has been violated
| have to be sacrificed further before any value is
| assigned to their privacy? We can use retroactive data to
| estimate the downside risk.
| p1esk wrote:
| Sure. What does the retroactive data say? If the data is
| bad then I agree - it should be punished accordingly.
| Zak wrote:
| When measuring a large scale crime like that of Cerebral,
| the number of victims is as important as the magnitude of
| the impact. There were 3.1 million victims. Stealing a
| dollar each from 3.1 million people would get the kind of
| law enforcement response that stealing $3.1M does even
| though the individual impact of that crime is virtually
| nil.
| p1esk wrote:
| _Stealing a dollar each from 3.1 million people would get
| the kind of law enforcement response that stealing $3.1M
| does even though the individual impact of that crime is
| virtually nil_
|
| That's an interesting question whether it's fair to treat
| it this way. I can see valid arguments on both sides.
| uoaei wrote:
| Do you think this kind of rhetoric, acting as if this is
| literally the first time this idea has ever been
| considered, is helpful for conversation?
| p1esk wrote:
| The conversation is around how to prevent similar white
| collar crimes. I'm sure it has been discussed before. I'm
| not sure what the conclusion is. Please provide some
| helpful information if you have any.
| anigbrowl wrote:
| You've left about 10 comments on this topic posing
| questions and soliciting information from other people.
| Curiosity is good of course, but at some point you should
| consider contributing information to support your point
| of view instead of expecting everyone else to provide you
| with information. It's not like you're a judge in this
| case with decisional authority and an obligation to
| assess the fact pattern in splendid isolation.
| p1esk wrote:
| Sure. My view - we need concrete data about the actual
| harm done in cases like this. We have such data for most
| other types of crimes. In my opinion, saying that
| something bad "can" happen is not sufficient to determine
| the punishment.
|
| Note this is not the same as being against punishing
| illegal sale of private data.
| anigbrowl wrote:
| Seems like a business opportunity for you.
| arrosenberg wrote:
| The average person is pretty thirsty to see white collar
| criminals reined in, yes.
| p1esk wrote:
| I'm guessing a similar argument was made in support of
| the "war on drugs". Many drug dealers have been punished
| harshly. 50 years later, nothing has changed.
| arrosenberg wrote:
| The war on drugs was perpetuated by the Nixon and Reagan
| administrations to criminalize being antiwar and being
| black. Do you think that is what is happening here?
| p1esk wrote:
| I strongly suspect the war on drugs was initiated mainly
| because drugs were ruining many lives (just like they do
| today), and that selling illegal drugs was perceived by
| the majority of population as a crime deserving a harsh
| punishment.
| arrosenberg wrote:
| Your ignorance is a problem we simply don't have time to
| address here. Luckily, we don't need to base reality off
| of your strong suspicions since we have direct quotes
| from the Nixon administration.
|
| "The Nixon Campaign in 1968, and the Nixon White House
| after that, had two enemies: the antiwar Left, and Black
| people. You understand what I'm saying? We knew we
| couldn't make it illegal to be either against the war or
| Black. But by getting the public to associate the hippies
| with marijuana and Blacks with heroin, and then
| criminalizing both heavily, we could disrupt those
| communities. We could arrest their leaders, raid their
| homes, break up their meetings and vilify them night
| after night on the evening news. Did we know we were
| lying about the drugs? Of course we did." - Lee Atwater
| p1esk wrote:
| Well, _your_ ignorance is a problem we _can_ address
| here. Please read the entirety of the Wikipedia article
| [1], specifically:
|
| _The veracity of the quote has been questioned by
| Ehrlichman's family, while Vox senior correspondent
| German Lopez has suggested that Ehrlichman was either
| wrong or lying. According to Lopez: But
| Ehrlichman's claim is likely an oversimplification,
| according to historians who have studied the period and
| Nixon's drug policies in particular. There's no doubt
| Nixon was racist, and historians told me that race could
| have played one role in Nixon's drug war. But there are
| also signs that Nixon wasn't solely motivated by politics
| or race: For one, he personally despised drugs - to the
| point that it's not surprising he would want to rid the
| world of them. And there's evidence that Ehrlichman felt
| bitter and betrayed by Nixon after he spent time in
| prison over the Watergate scandal, so he may have lied.
| More importantly, Nixon's drug policies did not focus on
| the kind of criminalization that Ehrlichman described.
| Instead, Nixon's drug war was largely a public health
| crusade - one that would be reshaped into the modern,
| punitive drug war we know today by later administrations,
| particularly President Ronald Reagan...
| "It's certainly true that Nixon didn't like blacks and
| didn't like hippies," Courtwright said. "But to assign
| his entire drug policy to his dislike of these two groups
| is just ridiculous."_
|
| [1] https://en.wikipedia.org/wiki/War_on_drugs_
| [deleted]
| arrosenberg wrote:
| I'm following a direct quote, while you are citing a
| third party trying to handwave it away. I don't really
| consider it ignorant to believe the primary source's
| exact words when they so closely mirror the reality of
| what happened.
| p1esk wrote:
| What are you talking about? Your quote is also from a
| third party - Dan Baum quoting John Ehrlichman. At least
| according to the Wikipedia article.
| SergeAx wrote:
| Why would we ever need this? We never compare rape and
| murder, for that matter. We have the entire justice
| system for that, with judges and courts and prosecutors
| and defenders and juries.
| p1esk wrote:
| _We never compare rape and murder_
|
| Of course we do. We, as a society, have decided that
| murder is a more serious offense, and assigned a
| punishment for each accordingly. This process has to be
| repeated every time a new type of crime emerges.
| p_j_w wrote:
| >Is it as serious as selling drugs?
|
| Absolutely. It is 100% worse than selling drugs to
| willing buyers. How is this even a question?
| p1esk wrote:
| How about selling nuclear weapons to willing buyers?
| Serious question. Willing drug users don't just destroy
| their own lives.
| p_j_w wrote:
| Guess we better outlaw everything but fruits and
| vegetables then.
| [deleted]
| matheusmoreira wrote:
| > I can't even comprehend how anybody thought this was a good
| idea.
|
| Oh, it's easy. Advertisers showed people millions of dollars.
| The people in charge were quickly convinced of the "need" for
| patients to consent to having their medical information sold
| to the highest bidder.
|
| They corrupt everything.
| polishdude20 wrote:
| I mean if there are two this year, then being second biggest
| doesn't mean much?
| lizard wrote:
| Right?! If the first breach included 2 records and this
| only 1, it would still be the "second biggest" breach of
| the year.
|
| But, the necessary context is right in the first paragraph:
|
| > ...more than 3.1 million patients in the United States...
|
| So to clarify, "We're not even three full months into 2023,
| and 3.1 million records is the second biggest?" which is
| quite alarming.
| mistrial9 wrote:
| this is not new -- in the 1980s I recall the story of a sales
| agent who figured out that radio station license renewal or
| sale was subject to strict conditions as part of protecting
| market areas. So when a radio station was approaching FCC
| license deadline, this sales agent discovered that pre-
| bidding on the license before the legal renewal started, and
| then pre-selling that license to interested parties as if
| they had control of it, was very profitable; rinse, repeat. A
| sales boiler room was set up in Florida and stations across
| the USA got the treatment. Everyone gets paid.
|
| When sleepy enforcement caught up, the guy terminated all his
| willing sales guys with some cash to be quiet, and literally
| hid in his sister-in-law's basement for more than two years,
| with lots of money to pay bills.
| falcolas wrote:
| IMO, the problem is that they no longer have to hide. They
| pay a pittance of a fine (usually a pittance because the
| fine amount is static and set a decade+ ago) and keep right
| on doing it.
| sizzle wrote:
| I hope people go to prison over this injustice. Insurance
| companies probably added this mental health data to our shadow
| profiles.
| sharemywin wrote:
| You know the startup mantra: Move fast and break things.
| Apparently the law is one of those things.
| JohnFen wrote:
| "Move fast and break things" is a dubious mantra to begin with,
| but it's downright abhorrent when applied to things like health
| services.
| siva7 wrote:
| The mantra predates the DevOps revolution and apparently didn't
| age well.
| icu wrote:
| America is really atrocious when it comes to data protection
| accountability. I wonder if Cerebral customers will have to sue
| in a class action to get any legal recourse.
___________________________________________________________________
(page generated 2023-03-10 23:01 UTC)