Close-up of logo for mental health telehealth company Cerebral on paper, Lafayette, California, May 17, 2022.
Washington CNN  — 

A mental health startup exposed the personal data of as many as 3.1 million people online. In some cases, possibly sensitive information on mental health treatment was leaked, according to a company statement and a Department of Health and Human services filing.

Cerebral, a California-based firm that connects people suffering from anxiety and depression with mental health professionals via video calls, said it discovered the “inadvertent” data exposure more than three years after it started using “pixels” – a common method that companies and advertisers use to track user behavior for marketing purposes.

The company determined in January that tracking pixels had been sharing client and user data to “third-party platforms” and “subcontractors” that it didn’t name, according to a privacy notice near the bottom of its website.

Cerebral said it was unaware of any misuse of the protected health information that was disclosed. But privacy advocates have for years warned that such data troves can be used to aggressively market products at consumers and infringe on their privacy.

Some of the data potentially exposed in the Cerebral breach includes answers to online “self-assessments” about mental health that Cerebral asks prospective clients to fill out. That can include questions on whether someone is experiencing panic attacks, abusing alcohol or has a personality disorder, CNN’s review of the online assessments found.

Cerebral said in a statement to CNN on Friday that it was “committed to correcting historical errors and leading the industry in privacy standards moving forward.”

Cerebral notified the Department of Health and Human Services (HHS), which said in a filing this month that the breach affects over 3.1 million users. The department investigates potential violations of the Health Insurance Portability and Accountability Act (HIPAA), a law that requires medical providers to safeguard patient data.

Rachel Seeger, a spokesperson for the HHS Office for Civil Rights, said the office typically “does not comment on open or potential investigations.”

Cerebral said in its public statement that it had disabled the tracking pixels on its platforms and stopped sharing data with subcontractors “not able to meet all HIPAA [Health Insurance Portability and Accountability Act] requirements.”

“It is important to note that Cerebral never impermissibly transmitted clinician generated notes or clinician communications,” the company told CNN.

Cerebral spokesperson Chris Savarese did not respond to emailed questions about which and how many platforms and contractors to which the company disclosed the client health information.

Some analysts argue that the broader market for data tracking tools is out of control. A group of conservative Catholics has spent millions of dollars to buy mobile data that identified priests who used gay dating and hookup apps, the Washington Post reported this week.

Andrea Downing, who has done extensive research on pixel tracking and privacy, said patients are often unaware of how much personal data health care startups collect and potentially transmit to other parties.

“What is in the fine print or the details of how data is being shared for advertising is not apparent to us when we’re going through the trauma of a diagnosis and seeking knowledge,” said Downing, who is co-founder of Light Collective, a digital rights nonprofit.

“The only thing that is incentivizing change right now is the threat of liability,” Downing told CNN.