[TheRecord] FTC: Health app and connected device makers must disclose data breaches

The Federal Trade Commission approved a policy statement Wednesday that warns makers of health apps and connected devices that collect health-related information to comply with a decade-old data breach notification rule.

The policy is part of a shift towards more aggressive enforcement on technology issues at the agency under the leadership of Chair Lina Khan, who signalled that more scrutiny of the data-based ecosystems connected to such apps and devices may be coming.

While the rule provides some measure of accountability, “a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said in a statement, adding that the Commission “should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The FTC developed its Health Breach Notification Rule in 2009 after being tasked with studying and devising ways to protect health information as part of the American Recovery and Reinvestment Act. The rule was designed to require vendors not covered by other medical-privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), to disclose breaches of health information—to users, to the agency, and in some cases to the media.

Since the rule was first issued, there’s been an explosion of apps related to tracking everything from fertility and menstruation to mental health as well as connected devices that collect health-related information, like fitness trackers. 

In March, Senator Bob Menendez (D-NJ) and Congresswomen Bonnie Watson Coleman (D-NJ) and Mikie Sherrill (D-NJ) sent a letter to the FTC urging it to enforce the Health Breach Notification Rule against mobile apps that leak data. The letter cited a Wall Street Journal report about Flo Period & Ovulation Tracker, a popular fertility monitoring app, sharing sensitive information with third parties. 

In June, the agency finalized a settlement with the app’s developer requiring that the company get user consent before sharing personal health information and go through an independent review of its privacy practices. However, that action was based on the agency’s broader ability to protect consumers from unfair and deceptive practices, rather than the specific Health Breach Notification Rule. 

The agency announced a review of the rule last year and had previously released guidance suggesting that makers of health-tracking apps consider whether they fall under its purview. The new policy statement makes the warning more explicit, with the agency noting that failure to comply could result in “monetary penalties of up to $43,792 per violation per day.”

The post FTC: Health app and connected device makers must disclose data breaches appeared first on The Record by Recorded Future.
