FTC tells health apps to notify users of data breaches

Companies selling connected devices must also comply with the Health Breach Notification Rule

The Federal Trade Commission (FTC) has told companies selling health apps and connected devices that they must comply with the Health Breach Notification Rule. In practice, this means that if such a company suffers a data breach, it must notify the affected users.

According to a policy statement by the commission, such apps and devices can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, and have increasingly collected sensitive and personal data from consumers. The FTC said that such apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.

In the American Recovery and Reinvestment Act of 2009, Congress directed the FTC to make sure consumers are contacted in the event of a security breach. The FTC accordingly issued the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC and, in some cases, the media when that data is disclosed or acquired without the consumers' authorization.

The FTC said it would enforce the policy, with those in violation facing a financial penalty of over $43,000 per violation per day.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina Khan.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The Commission voted 3-2 to approve the policy statement during its open virtual meeting. Commissioners Noah Joshua Phillips and Christine Wilson voted no, and each issued a dissenting statement.

“The majority surely believe the result they adopt is what consumers of health apps want and need,” Phillips said in his dissent. “But the right way to go about it is to conclude the ongoing rulemaking process, especially when the statutory and regulatory interpretation on which the majority rely is far from clear.”

Khan said in a statement that the global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health.

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” she said.
