The Federal Trade Commission is reminding developers and vendors of health apps and connected devices that collect consumer health data of its Health Breach Notification Rule, which requires those entities to report any breaches of consumer health information to the FTC.
The commission voted 3-2 to approve the policy statement during the open virtual meeting on Sept. 15. Under the policy guidance, companies that fail to comply with the rule could be subject to monetary penalties of up to $43,792 per violation, per day.
“The global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health,” FTC Chair Lina Khan remarked during the commission meeting.
“As we have seen, however, digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” she added. “Given the rising prevalence of these practices, it is critical that the FTC use its full set of tools to protect Americans.”
In 2009, Congress directed the FTC to issue the Health Breach Notification Rule to protect the privacy and security of health information not regulated by the Health Insurance Portability and Accountability Act, while holding app developers accountable for consumer health data breaches.
The FTC breach notice requires vendors to notify the agency, users, and in some instances, the media whenever they discover an app is leaking unsecured health information that can identify users.
The companies that fall within the agency’s purview include apps and connected devices, including wearable fitness tracking devices that collect consumer health data, particularly those that draw data from multiple sources and not covered by HIPAA. The rule also covers service providers to those entities.
For example, the FTC deemed that a health app is covered under the breach rule if it collects health data from a consumer and has the technical capacity to draw information through an API able to sync with a consumer’s fitness tracker.
The data covered by the rule includes personal health records that contain personally identifiable information created or received by health care providers, which the rule defines as “the developer of a health app or connected device” as it “furnishes health care services or supplies.”
Further, the rule comes into play after “a breach is triggered” and isn’t limited by cybersecurity intrusions or nefarious behavior. It can also involve sharing data without the user’s authorization, such as data sharing with third parties without informing users of the practice.
In short, the rule confirms that health apps and developers can’t conceal data breaches from users.
The FTC is urging relevant companies to examine their obligations under the rule, including the use of an interactive tool that outlines relevant laws and responsibilities.
Despite having the authority, the FTC commission has not brought any enforcement actions under the rule “and many appear to misunderstand its requirements.”
Instead, FTC settlements related to consumer health apps have centered around inappropriate data sharing, such as the enforcement action against Flo Health in 2021. The settlement did not leverage the Health Breach Notification Rule, instead it centered on the fertility app developer routinely sharing user data with a number of data analytics companies without telling users about the practice.
The new decision to actively enforce the rule was brought on by a number of reports spotlighting security risks within the majority of popular health apps. A February Knight Ink and Approv report found the 30 most popular mHealth apps are highly vulnerable to API attacks. A successful exploit would give a threat actor access to full patient records, including protected health information.
The report also found that every analyzed app failed to implement certificate pinning, which allowed researchers to perform X-in-the-middle attacks against the platforms.
Most health apps also pose serious patient and consumer privacy risks, with the majority of mHealth and mental health apps routinely engaging in routine data sharing with third pirates without transparency around the practice.
It should be noted that Congress urged the FTC to leverage its Health Breach Notification Rule in March 2021, after the release of these reports, the Flo Health settlement, and the multiple reports disclosing the critical risks to consumer health data.
But the rule is just the first step in what Khan said she hopes will be further scrutiny of these companies. Praising the move to impose a measure of “accountability on tech firms that abuse our personal information,” Khan noted that these vendors are also part of another fundamental challenge with consumer data: “commodification of sensitive health information.”
Unauthorized disclosures of consumer data are a common practice for many apps, and it enables companies to use consumer information to feed behavioral ads or user analytics.
“Given the growing prevalence of surveillance-based advertising, the commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” Khan said in a statement.