FTC requires health apps to notify consumers affected by data breaches

Since 2009, companies that manage health records have been required to notify consumers in the event of a breach of their data. Now the rule has been extended to health apps that track fitness, vital statistics, sleep, and more. The FTC has ruled 3-2 that companies producing such apps must notify users affected by data breaches or face a financial penalty of more than $43,000 per day, The Hill reported.

“While many Americans are turning to applications and other technologies to track disease, diagnostics, treatment, medications, fitness, fertility, sleep, mental health, diet and other vital areas, this rule is more important than ever,” the FTC wrote in the ruling. “Companies offering these services must take the necessary precautions to secure and protect consumer data.”

Recent high-profile breaches include Under Armour’s MyFitnessPal breach, which affected 150 million users in 2018. A more recent incident involved an exposed server containing 61 million records related to fitness trackers and wearable devices, which left data from Apple and Fitbit users accessible online.

The rule was passed along party lines, with the majority Democratic commissioners voting 3-2 in favor. The Republican commissioners dissented, arguing that the FTC was already working to overhaul the rules for reporting health incidents. “The right way to proceed is to conclude the current rule-making process, especially when the legislative and regulatory interpretation on which the majority relies is far from clear,” said Commissioner Noah Phillips.

FTC President Lina Khan said the move is just the start of what’s needed. “A more fundamental issue is the commodification of sensitive health information, where companies can use that data to fuel behavioral ads or powerful user analytics,” Khan said. “The Commission should carefully consider what data is collected in the first place and whether particular types of business models create incentives that necessarily put users at risk.”