US FTC says Health Apps Must Notify Customers About Data Breaches


The US Federal Trade Commission (FTC) issued a policy statement saying that health apps that collect or use their customers’ data must comply with the Health Breach Notification Rule. This means that these apps must notify their customers about data breaches.

The Commission noted that health apps collect sensitive health information, and therefore have a responsibility to protect it. This includes preventing unauthorized access to sensitive information.

The Commission worries that these apps currently have very few privacy protections in place. Companies that fail to comply could face monetary penalties of up to $43,792 per violation per day.

Apps Must Comply with Health Breach Notification Rule

On Wednesday, September 15, the FTC issued a new policy statement stating that health apps must comply with the Health Breach Notification Rule. The Rule was originally issued in 2009, and requires vendors of personal health records and related entities to notify their customers when their data is breached or shared without their consent. It focuses primarily on fitness trackers and other health monitoring apps.

These apps include those that track “diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.”

Additionally, the Commission says the rule applies to apps if they are “capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (“APIs”).”

Users’ Sensitive Health Data is Susceptible to Breaches

Lina M. Khan, Chair of the FTC, worries that these apps do not invest in adequate privacy and data security measures. The Commission’s statement notes that health apps have significantly grown in popularity since 2009. However, they are also ripe targets for cybercriminals.

Khan said that while the rule would bring a degree of accountability to their data collection practices, the commodification of sensitive health information presents a more fundamental problem.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she added.

“Breaches” Not Limited to Cybersecurity or Malicious Hacks

In its statement, the Commission also said that a “breach” constitutes more than just cybersecurity intrusions. Apart from malicious acts by outside actors, it includes any incident of unauthorized access.

This means that such apps cannot share their customers’ information with third parties without consent. This is important since many Americans use these apps to track fitness, sleep, diet, and overall health.

The FTC also warned companies that it intends to enforce the Rule strictly. Companies in violation of the Rule will face civil penalties of $43,792 per violation per day.


Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.