As consumers, we often encounter promotions from new businesses, such as Cerebral Inc., through coupons or free trials. Alongside these, we also receive the usual junk mail in our emails that we might never open. Working in a pharmacy has taught me that consumer safety must be the priority. For example, if manufacturers tamper with medication, we should advise all patients in writing of the issue and send the medication back for reimbursement, provided it matches the contaminated lot numbers and expiration dates.
Cerebral Inc. was a mental health telemedicine service similar to Doctor on Demand, while Doctor on Demand focuses more on issues like COVID and flu symptoms. Cerebral Inc. was meant to be like Doctor on Demand, but focused on mental health, which affects many consumers. What exactly did they do wrong? Could something have been done differently to avoid such a disaster?
Broken Laws:
Broken law #1: CAN-SPAM Act of 2003″ is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them.” (ftc.gov,2023)
Broken law #2: Restore Online Shoppers’ Confidence Act(ROSCA). A US federal law that protects consumers from deceptive online sales tactics, particularly those involving negative option features like auto-renewal subscriptions.
Broken law #3: Health Insurance Portability and Accountability Act( HIPAA). A US federal law that sets national standards for protecting sensitive patient health information or Protected Health Information (PHI).
As a consumer and pharmacy technician, Cerebral Inc. caused harm to its consumers. When certain types of data get released, it becomes knowledge to your neighbors and friends. From a medical standpoint, we would hate it if the company that is supposed to keep our information private releases it for people to see and know what we are being treated for. We can sign up for subscriptions and cancel anytime we like, without being charged for something we no longer require.
Consequences to consumer:
When dealing with data privacy and health privacy, they are similar but different. Data privacy includes name, date of birth, and social security number. As consumers, we should be given the ability to know how businesses should use our data and when. Laws are put in place to protect us, and the government should enact stricter laws to ensure consumer safety. We live in an era where scam calls and emails are a thing. Hackers can easily steal our data from businesses if they are not equipped to handle these types of scenarios. “From May to December 2021, the company failed to block former employees from accessing confidential electronic medical records of Cerebral patients. It also failed to ensure providers only accessed their patients’ records.” (Ftc.gov,2024)
Most consumers dont read the fine print when signing up for subscriptions. An example of this would be a subscription to http://www.forbes.com. Given that I am a business student, I should be able to cancel at any time and keep the subscription for academic purposes, since most websites offer 3 articles max and then require you to sign up for a service. If we cancel a subscription and then next month we’re billed, that’s not the best way to keep consumers around. ” Despite promising that consumers could “cancel anytime,” Cerebral required its clients to navigate a complex, multi-step, and often multi-day process to cancel. The complaint alleges that the company continued to charge consumers while it slow-walked consumers’ cancellation requests, which cost consumers millions in additional charges.” (ftc.gov,2024)However, we can’t retain consumers who no longer need our services, as that is illegal and would harm the business in the long run.
A patient’s privacy regarding any ailment or illness is a concern for the patient and the doctor only. The HIPAA breach affects only the consumer and the business that released this information without the patient’s knowledge. “Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards.” (ftc.gov, 2024)As a consumer, I would hate it if the mailman knew I was battling depression or something worse, like schizophrenia, cause then someone other than the patient knows the disease and treatment drugs being taken to battle such diseases.
Penalties for breaking laws:
- CAN-SPAM Act of 2003, is subject to penalties of up to $53,088, so non-compliance can be costly.
- Restore Online Shoppers’ Confidence Act (ROSCA), up to approximately $53,088 per violation.
- Health Insurance Portability and Accountability Act (HIPAA), ” HIPAA violation: Unknowing Penalty range: $100-$50,000 per violation, with an annual maximum of $25,000 for repeat violations. HIPAA violation: Reasonable Cause Penalty range: $1,000-$50,000 per violation, with an annual maximum of $100,000 for repeat violations. HIPAA violation: Willful neglect but violation is corrected within the required time period Penalty range: $10,000- $50,0000 per violation, with an annual maximum of $250,000 for repeat violations. HIPAA violation: Willful neglect and is not corrected within required time period Penalty range: $50,000 per violation, with an annual maximum of $1.5 million.” (ama-assn.org)
Given the penalties that can be imposed on businesses, the most severe is a HIPAA breach. The HIPAA breach is the most expensive based on the type of violation because the law gives businesses a chance to address issues that are going wrong in their business. As a business, if we break the law one year, the government gives us a chance to fix the problems that have gone wrong before causing a huge problem that can’t be fixed.
Actions to take as a marketer:
As marketers, it is up to us to identify and address issues/ flaws within the business, and to learn from past mistakes that have harmed businesses and consumers alike. The issues that occurred at Cerebral Inc. should be addressed by the company’s board and the CEO, and resolutions should be put in place to compensate consumers for breaches of data and patient/doctor confidentiality. Within this scenario, if we fire/terminate employees unlawfully, we need to implement new keys and changes to computer accounts so former employees dont have a chance to access files they no longer have access to because they dont work for the company anymore. This company did more harm than good because of what happened to their consumers. We have no way of knowing if they can trust a business again, let alone a physician who was trying to help, but it was the way that they set up the business that failed the consumer. The way they handled emails, subscriptions, and actual mail outside an envelope is illegal; a consumer’s business is theirs alone, not the postal service’s, a nurse’s, or anyone else’s with access to the actual stuff the business sends to the consumer.
References:
(2024, April 15). Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million. Federal Trade Commission. Retrieved December 8, 2025, from https://www.ftc.gov/news-events/news/press-releases/2024/04/proposed-ftc-order-will-prohibit-telehealth-firm-cerebral-using-or-disclosing-sensitive-data#:~:text=In%20addition%20to%20its%20privacy,consumers%20millions%20in%20additional%20charges.
(n.d.). CAN-SPAM Act: A Compliance Guide for Business. Federal Trade Commission. Retrieved December 8, 2025, from https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business
(n.d.). Restore Online Shoppers’ Confidence Act. Federal Trade Commission. Retrieved December 8, 2025, from https://www.ftc.gov/legal-library/browse/statutes/restore-online-shoppers-confidence-act
(n.d.). HIPAA violations & enforcement. AMA. Retrieved December 8, 2025, from https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement#:~:text=HIPAA%20violation:%20Unknowing,imprisonment%20up%20to%201%20year.
(2024). Doctor on demand [Photograph]. Google Images. https://www.google.com/search/about-this-image?img=H4sIAAAAAAAA_wEWAOn_ChQIzOyf94TQuusiEJ–2-u6ocL5VF4zOiYWAAAA&q=https:%2F%2Fdoctorondemand.com%2Fhow-it-works%2F&ctx=iv&hl=en-US&sa=X&ved=0CA8Qg4ILahcKEwjIvq2U2q6RAxUAAAAAHQAAAAAQCA
(2022). Cerebral logo [Photograph]. Google Images. https://www.google.com/search/about-this-image?img=H4sIAAAAAAAA_-MS4Xj_rGHjpv4ZhzkE7u7a_uP-390NRgCM08BHFgAAAA%3D%3D&q=https:%2F%2Fthemarkup.org%2Fpixel-hunt%2F2024%2F04%2F22%2Fcerebral-to-pay-7-million-fine-and-limit-health-data-use-for-ads-under-federal-order&ctx=iv&hl=en-US&sa=X&ved=0CA8Qg4ILahcKEwj4uee32q6RAxUAAAAAHQAAAAAQCA
(2021). Cerebral box [Photograph]. Google Images. https://www.google.com/search/about-this-image?img=H4sIAAAAAAAA_wEWAOn_ChQI0bGF-OnJp8JdEP7p_qGxx6msKUtmJkAWAAAA&q=https:%2F%2Fwww.statnews.com%2F2024%2F04%2F15%2Fftc-fines-cerebral-telehealth-health-data-sharing%2F&ctx=iv&hl=en-US&sa=X&ved=0CA8Qg4ILahcKEwj4uee32q6RAxUAAAAAHQAAAAAQIA
Site Title 
