FTC tells health apps to notify users of data breaches

Companies selling connected devices must also comply with the Health Breach Notification Rule

The Federal Trade Commission (FTC) has told companies selling health apps and connected devices that these must comply with the Health Breach Notification Rule. This means if there is a data breach, users must be notified.

According to a policy statement by the commission, such apps and devices can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, and have increasingly collected sensitive and personal data from consumers. The FTC said that such apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.

In the American Recovery and Reinvestment Act of 2009, Congress enacted specific rules for the FTC to make sure customers are contacted in the case of a security breach. This led to the FTC creating the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization.

The FTC said it would enforce the new policy, with those in violation facing a financial penalty of over $43,000 per day.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina Khan.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

While the Commission voted 3-2 to approve the policy statement during the open virtual meeting, Commissioners Noah Joshua Phillips and Christine Wilson both voted no, and each issued dissenting statements.

“The majority surely believe the result they adopt is what consumers of health apps want and need,” Phillips said in his dissent. “But the right way to go about it is to conclude the ongoing rulemaking process, especially when the statutory and regulatory interpretation on which the majority rely is far from clear.”

Khan said in a statement that the global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health.

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” she said.
