FTC warns health apps to notify consumers impacted by data breaches

The Federal Trade Commission (FTC) voted 3-2 Wednesday that a decade-old rule on health data breaches applies to apps that handle sensitive health information, warning these companies to comply.  

The new policy statement agreed to by the FTC was intended to clarify the agency’s 2009 Health Breach Notification Rule, which requires vendors handling health records to notify consumers if the data is accessed through a breach or other means without the individual’s authorization.

The new policy states that the rule applies to health apps, such as those tracking fitness or menstrual cycles, which have been developed over the past decade. 

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” the policy statement agreed to Wednesday reads. “Firms offering these services should take appropriate care to secure and protect consumer data.”

The FTC intends to enforce the new policy, with those in violation facing a financial penalty of over $43,000 per day.  

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina Khan said in a statement Wednesday. 

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” Khan said. 

The vote on the policy fell along party lines, 3-2, with Khan and the two other Democratic commissioners in favor and Republican Commissioners Noah Phillips and Christine Wilson against.

Phillips and Wilson issued separate dissenting opinions against the policy, with both raising concerns that it was issued as the FTC is in the midst of a larger rulemaking process aimed at deciding whether changes should be made to the Health Breach Notification Rule.

“The majority surely believe the result they adopt is what consumers of health apps want and need,” Phillips wrote in his dissent. “But the right way to go about it is to conclude the ongoing rulemaking process, especially when the statutory and regulatory interpretation on which the majority rely is far from clear.”

Khan stressed the need to move forward with the new policy, particularly as more virtual health applications have been developed to cope with the COVID-19 pandemic. 

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” Khan wrote in a statement supporting the policy. “Given the rising prevalence of these practices, it is critical that the FTC use its full set of tools to protect Americans.”