FTC tells health apps to notify users of data breaches

The FTC crest on a building
(Image credit: Shutterstock)

The Federal Trade Commission (FTC) has told companies selling health apps and connected devices that these must comply with the Health Breach Notification Rule. This means if there is a data breach, users must be notified.

According to a policy statement by the commission, such apps and devices can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, and have increasingly collected sensitive and personal data from consumers. The FTC said that such apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.

In the American Recovery and Reinvestment Act of 2009, Congress enacted specific rules for the FTC to make sure customers are contacted in the case of a security breach. This led to the FTC creating the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization.

The FTC said it would enforce the new policy, with those in violation facing a financial penalty of over $43,000 per day.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina Khan.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

While the Commission voted 3-2 to approve the policy statement during the open virtual meeting, Commissioners Noah Joshua Phillips and Christine Wilson both voted no, and each issued dissenting statements.

“The majority surely believe the result they adopt is what consumers of health apps want and need,” Phillips said in his dissent. “But the right way to go about it is to conclude the ongoing rulemaking process, especially when the statutory and regulatory interpretation on which the majority rely is far from clear.”

Khan said in a statement that the global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health.

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” she said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.