FTC: Health app and connected device makers must disclose data breaches
The Federal Trade Commission approved a policy statement Wednesday that warns makers of health apps and connected devices that collect health-related information to comply with a decade-old data breach notification rule.
The policy is part of a shift towards more aggressive enforcement on technology issues at the agency under the leadership of Chair Lina Khan, who signalled more scrutiny of data-based ecosystems connected to such apps and devices may be down the line.
While the rule provides some measure of accountability, “a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said in a statement, adding that the Commission “should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
The FTC developed its Health Breach Notification Rule in 2009 after being tasked with studying and devising ways to protect health information as part of the American Recovery and Reinvestment Act. The rule was designed to require vendors not covered under other medical-information privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA), to disclose breaches of health information—including to users, the agency, and in some cases the media.
Since the rule was first issued, there’s been an explosion of apps related to tracking everything from fertility and menstruation to mental health as well as connected devices that collect health-related information, like fitness trackers.
In March, Senator Bob Menendez (D-NJ) and Congresswomen Bonnie Watson Coleman (D-NJ) and Mikie Sherrill (D-NJ) sent a letter to the FTC urging it to enforce the Health Breach Notification Rule against mobile apps that leak data. The letter cited a Wall Street Journal report about Flo Period & Ovulation Tracker, a popular fertility monitoring app, sharing sensitive information with third parties.
In June, the agency finalized a settlement with the app’s developer requiring that the company get user consent before sharing personal health information and go through an independent review of its privacy practices. However, that action was based on the agency’s broader ability to protect consumers from unfair and deceptive practices, rather than the specific Health Breach Notification Rule.
The agency announced a review of the rule last year and previously released guidance suggesting that makers of health-tracking apps should consider whether they fall under its purview. The new policy statement makes the warning more explicit, with the agency noting that failure to comply could result in “monetary penalties of up to $43,792 per violation per day.”
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.