This article was co-published with STAT, a national publication that delivers trusted and authoritative journalism about health, medicine, and the life sciences.
Telehealth company Cerebral will limit the consumer health data it uses for advertising purposes under a new order announced by the Federal Trade Commission last week.
Cerebral, a startup best known for dispensing counseling services and prescriptions for conditions like anxiety and depression, has also agreed to pay $7 million to resolve charges that it disclosed customers’ personal health information to third parties for ads, and that it did not honor its promise to make cancellation easy for customers.
“Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” FTC Chair Lina Khan said in a statement, noting that the charge is a “first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”
The proposed order, which only applies to Cerebral, must still be approved by a federal court before it goes into effect — but the company has already agreed to it. In 2022, the Department of Justice opened an investigation into the company for potential violations of the Controlled Substances Act, as Cerebral came under scrutiny for its prescribing of ADHD medications like Adderall.
This is just the latest in a series of federal actions cracking down on health data privacy online. The current commissioners have pledged to shore up gaps between federal privacy laws governing providers and payers and those protecting consumer services. Two weeks ago, the FTC filed a complaint against Monument, a telehealth company that treats alcohol use disorder with therapy and medications.
That complaint similarly alleged that the company misled consumers into believing their health information was protected, while embedded trackers sent details about treatment and more to third parties. Taken together, FTC attorney Lesley Fair wrote in a blog post Monday, the cases mean “businesses in the health sector should make privacy and data security part of the corporate DNA.”
Both the FTC and the Department of Health and Human Services’ Office for Civil Rights have targeted third-party tracking, often in concert—as Fair cracked, they’re “joined at the HIPAA.” While OCR directly enforces the longstanding privacy protections in health care, the FTC has gone after companies for falsely claiming their HIPAA compliance.
In response, some health care companies, including Monument and Cerebral, started self-disclosing health data breaches to OCR in 2023. The “unauthorized access or disclosure” of health data at Monument left more than 100,000 individuals’ information vulnerable, the company reported. Cerebral disclosed that its breach impacted more than 3 million.
An investigation from STAT and The Markup in 2022 found that dozens of telehealth companies, including Cerebral and Monument, were leaking sensitive health data to third parties like Google, TikTok, and Meta through pixel trackers embedded in their websites. In Cerebral’s onboarding survey, which asks users to answer questions about their mental health and other symptoms, a pixel sent the answers to Meta along with information that could be used to identify the individual user.
The FTC’s complaint alleges that between 2019 and 2023, Cerebral sent information including contact details, medical histories, insurance information, and prescriptions to third parties through tracking tools, and that the information was used to provide advertising and analytics services to the telehealth company.
Cerebral referred STAT to a statement posted to its website, where it acknowledged its settlement with the FTC. “As part of the resolution, Cerebral has agreed to implement enhanced consumer protection, privacy, and compliance measures to further protect the personal information of our clients, increase transparency into our data practices, and implement enhanced data security protocols and tools to allow our clients control over their privacy settings,” the statement reads.
Under the Justice Department order referred to the FTC, Cerebral must permanently stop using and disclosing users’ personal and health information to outside companies for most marketing or ad purposes, and get consumers’ consent in any instances when it does disclose. It must also post a notice on its website about the complaint and steps that it’s taking to address it.
The complaint also says the company and former CEO Kyle Robertson broke privacy promises to customers and misled them about the cancellation process. “Robertson drove Cerebral’s decision to exploit users’ [personal and health information] without their consent in scores of targeted advertisement campaigns,” the complaint reads. The complaint alleges these actions constituted “unfair and deceptive” business practices — a key enforcement area for the FTC. Robertson has not agreed to a settlement.
The proposed order says Cerebral will pay $5.1 million to partially refund customers who were affected by its deceptive cancellation policy, as well as $2 million of a $10 million civil penalty “due to the company’s inability to pay the full amount.”