What Cerebral did
Cerebral grew rapidly during the pandemic as a virtual-first mental-health platform. Patients signed up online, completed intake assessments, were matched with prescribers, and received care (including medication management for ADHD, depression, anxiety, and substance use disorders) via telehealth visits.
The intake assessments asked detailed questions about psychiatric symptoms, substance use, suicidal ideation, and trauma history. Patients also created accounts that contained their full names, contact information, dates of birth, insurance information, prescribed medications, and treatment plans.
The FTC complaint described how Cerebral installed tracking pixels and software development kits (SDKs) from Meta, Google, TikTok, Snap, and LinkedIn on its website and mobile app. The trackers transmitted patient data to those platforms. The data included intake-form responses, prescribed medications, diagnoses, and identifiers tied to specific patients.
What made this case different from BetterHelp
Three things, by FTC's framing.
First, Cerebral is a telehealth provider, which meant it touched more of the care continuum than BetterHelp. Cerebral wasn't just matching patients to therapists — it was prescribing controlled substances, including ADHD stimulants. That added a layer of regulatory exposure (DEA, state medical boards) that BetterHelp didn't have.
Second, the SDK piece. Mobile-app SDKs from advertising platforms get embedded directly in the app code. They have access to whatever data the app has access to. Cerebral's app was full of patient data, and the SDKs sent that data continuously.
Third, the data scale. 3.2 million patients is roughly four times the BetterHelp class size.
The settlement
The order has several distinctive elements.
The financial component is $7 million plus consumer redress (final amount depends on the class).
The data-use restrictions are first-of-their-kind. Cerebral is permanently barred from disclosing patient information to third parties for advertising purposes — going further than the BetterHelp ban by also restricting internal uses of the data.
The order requires Cerebral to delete data that had been disclosed to ad platforms and to request deletion from those platforms.
A 20-year compliance program with FTC oversight.
The order also addressed Cerebral's controlled-substance prescribing practices, which were the subject of a separate DEA investigation. The FTC piece is the privacy-related part of a much larger compliance overhaul.
What it means for telehealth platforms generally
Three lessons.
Mobile-app SDKs are not safer than website pixels. Cerebral's case was largely an app case. Many telehealth founders have moved to mobile-first architectures believing it would reduce regulatory exposure. It doesn't.
Hashing and aggregation aren't defenses. Cerebral's data flows used the same techniques as BetterHelp and GoodRx. The FTC has now rejected those defenses in three consecutive cases.
The "data-use restrictions" frame is going to expand. The FTC is signaling that for sensitive health data, even properly-consented disclosures may face restrictions on how third parties can use the data. Telehealth platforms relying on broad consent language need to reconsider.
What HIPAA-covered telehealth practices should learn
Most hospital-affiliated telehealth platforms are inside HIPAA scope. The Cerebral fact pattern (pixels and SDKs in patient-facing tools) is exactly the issue OCR has been investigating in the Risk Analysis Initiative. The Advocate Aurora $12.25M settlement covered the LiveWell mobile app for the same reason.
If your telehealth platform has trackers, you have the same exposure Cerebral had — the only difference is which agency comes after you.