FTC says health apps must notify consumers of data breaches – or face fines – TechCrunch

The United States Federal Trade Commission (FTC) has warned that apps and devices that collect personal health information must notify consumers if their data is breached or shared with third parties without their permission.

In a 3-2 vote on Wednesday, the FTC approved a new policy statement clarifying a decade-old 2009 health breach notification rule, which requires companies handling health records to inform consumers if their data is accessed without authorization as the result of a breach. The rule now also applies to healthcare apps and connected devices, specifically including apps that track fertility, fitness and blood sugar, which “too often fail to invest in adequate privacy and security,” said FTC Chair Lina Khan.

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” Khan said in a statement, citing a study published this year in the British Medical Journal which found that health apps suffer from “serious problems” ranging from the insecure transmission of user data to the unauthorized sharing of data with advertisers.

There have also been a number of high-profile breaches involving healthcare apps in recent years. Babylon Health, a UK AI chatbot and telehealth startup, suffered a data breach last year after a “software error” allowed users to access other patients’ videos, while the period-tracking app Flo was recently found to be sharing user health data with third-party analytics and marketing services.

Under the new rule, any business offering health apps or connected fitness devices that collect personal health data must notify consumers if their data has been compromised. The rule does not define a “data breach” narrowly as a cybersecurity intrusion alone: any unauthorized access to personal data, including sharing information without an individual’s permission, may also trigger the notification obligation.

“While this rule imposes some accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said.

If businesses don’t comply with the rule, the FTC has said it will “vigorously” enforce fines of $43,792 per violation per day.

The FTC has cracked down on privacy violations in recent weeks. Earlier this month, the agency voted unanimously to ban spyware maker SpyFone and its CEO Scott Zuckerman from the surveillance industry for harvesting mobile data from thousands of people and leaving it exposed on the internet.
