Health Apps Face $43K Daily Fines for Keeping Data Breaches Quiet

The Federal Trade Commission (FTC) has voted in favor of a new policy statement that ensures health apps and connected fitness devices must inform consumers when their sensitive health data has been compromised. But what counts as a compromise goes far beyond a server being hacked, and it is sure to surprise, and perhaps alarm, a few companies.

As The Hill reports, the FTC issued a new rule back in 2009 called the Health Breach Notification Rule. It exists to ensure that entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) face accountability when consumers’ sensitive health information is compromised. However, the FTC has realized the rule is being misunderstood, especially in light of the recent explosion in consumer health tech, so clarification was required.

The FTC voted 3-2 this week in favor of the new policy statement (PDF). It aims to make clear that any company offering health apps or connected fitness devices collecting health data must notify consumers if their data has been compromised. If they don’t, the FTC will enforce a financial penalty of $43,792 per violation per day.

As the policy statement explains, “Under the definitions cross-referenced by the Rule, the developer of a health app or connected device is a ‘health care provider’ because it ‘furnish[es] health care services or supplies.’ When a health app, for example, discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.”

Companies offering such devices and apps rely on maintaining a good reputation with consumers and so already take measures to protect data from hackers. But it’s important to realize this FTC rule goes further than that. A breach includes “incidents of unauthorized access, including sharing of covered information without an individual’s authorization.” So any sharing of health data by a company with a third party without first gaining the consumer’s consent counts as a breach.

This also appears to mark the start of a new FTC focus on the security of health data, with FTC Chair Lina Khan stating:

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics … Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”