FTC Says Companies Operating Health Apps and Connected Devices Must Inform Users of Data Breaches

The Federal Trade Commission has issued a policy statement compelling companies operating health apps and smart connected devices that gather health data to immediately inform users when their data is compromised in a data breach.

The Health Insurance Portability and Accountability Act (HIPAA) protects people’s health data, but it does not cover companies that gather health data through apps and connected devices. Now, the same rules apply to them as well.

A plethora of apps and smart devices collect a wealth of health data, such as heart rhythm, blood pressure, sleep cycles, menstrual cycles and even EKG-type information. While it’s convenient that simple apps and devices can collect such information, it also raises privacy concerns. Some companies might sell this data to third parties or use it to build more accurate shadow profiles.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The new FTC ruling is not just a declaration; it also carries penalties. According to the FTC, companies that violate the rule could face fines of up to $43,792 per violation per day.

The commission voted 3-2 to approve the policy statement during an open virtual meeting, with commissioners Noah Joshua Phillips and Christine S. Wilson voting no and issuing dissenting opinions.