The United States Federal Trade Commission (FTC) has warned the developers of health apps and connected devices that they must disclose data breaches to consumers or face a fine.
In a policy brief issued Wednesday, the Commission clarified that healthcare apps that collect or use consumers' health information are subject to the Health Breach Notification Rule requiring entities not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify consumers when their health data is breached.
In a 3–2 vote held during an open virtual meeting, the FTC agreed to approve a policy statement affirming that developers of health apps and connected devices are considered healthcare providers and that sensitive information disclosed by them without authorization constitutes a breach.
Every breach, even breaches that did not occur due to a malicious cyber-attack, must be reported. The FTC stated that companies that fail to comply with the rule could be subject to financial penalties of up to $43,792 per violation per day.
The FTC said in a statement that "health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers.
"These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information."
The Commission noted that the use of health apps and other connected devices that collect personal health data increased during the COVID-19 pandemic. It observed that despite being a "ripe" target for scammers and cyber-attackers, "too few privacy protections" were in place for such apps.
"While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics," said FTC chair Lina M. Khan.
"Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk."