The Federal Trade Commission (FTC) has warned that health apps and devices that collect or use personal health information must comply with rules requiring them to notify consumers if their health data is leaked.
“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said FTC chair Lina Khan.
She pointed to a study warning of problems with health apps ranging from insecure transmission of user data including geolocation, to unauthorized dissemination of data to advertisers and other third parties in violation of the apps’ own privacy policies.
“While users have been adopting health apps at a rapid rate, the commercial owners of these apps too often fail to invest in adequate privacy and data security, leaving users exposed,” Khan said.
The Commission said that health apps, which track everything from glucose levels to heart health to fertility and sleep, are collecting sensitive and personal data. Consequently, the data they collect must be secured, and unauthorized access prevented.
The FTC’s Health Breach Notification Rule requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization.
“In practical terms, this means that entities covered by the rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information,” the FTC said.
Under the rule a ‘breach’ is not just defined by a cyberattack; unauthorized access, including sharing of covered information without an individual’s permission, also triggers notification obligations.
“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data,” the FTC said.
Although the Health Breach Notification Rule has been in place for over a decade, it has never been used. And the FTC worries that, with the rise of health apps and other connected devices, there are still too few privacy protections in place. The Commission said it “intends to bring actions to enforce the rule” with violations leading to civil penalties of $43,792 per violation per day.
The breach notification rule provides some accountability for tech firms that abuse our personal information, but a more fundamental problem is the commodification of sensitive health information, with companies using this data to feed behavioral ads or power user analytics, said Khan.
“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she said.
The FTC said a health app would be covered under the rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.