The United States Federal Trade Commission has given a friendly reminder to health apps that they have to tell users when their data has been breached. You can speculate that a ‘friendly reminder’ means someone didn’t do the thing they were meant to, but let’s hope they’re just refreshing some guidance.
In making the announcement, FTC chair Lina M. Khan said while users have been adopting health apps at a rapid rate, the commercial owners of the apps “too often fail to invest in adequate privacy and data security,” leaving users exposed.
A recent study found that health apps suffer from ‘serious problems’, ranging from insecure transmission of user data (including geolocation) to unauthorised dissemination of data to advertisers and other third parties. This is often in violation of the apps’ own privacy policies. Eek.
The study Khan is citing was actually performed by researchers from Australia’s Macquarie University.
The researchers probed 15,000 free health apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps. They found that while these apps collected less user data than other types of mobile apps, 88% could access and potentially share personal data. More eek.
“In my view, these problems stem in part from a gap: health apps are generally not covered by HIPAA, and some may mistakenly believe that they are not covered by the Commission’s Rule,” Khan said.
To that end, the FTC has clarified that the Health Breach Notification Rule applies to connected health apps and similar technologies. That notification rule has been in place since 2009.
Essentially, it requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorisation.
More than a decade later, health apps and other connected devices that collect personal health data are not only mainstream — and have increased in use during the pandemic — but are targets ripe for scammers and other cyber hacks. Yet, there are still too few privacy protections for these apps.
‘Health’ in this context covers apps and other technologies that track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.
The rule does not just apply to cybersecurity intrusions or other nefarious behaviour; incidents of unauthorised access also trigger notification obligations.
Health apps that are capable only of collecting data from users directly — in other words, apps that are not capable of drawing data from multiple sources — are not covered by the rule, however.
What’s the punishment for health apps?
Khan has vowed the Commission will enforce this rule with vigour. Violations of the rule carry civil penalties of $US43,792 per violation, per day, and the FTC says it will not hesitate to seek significant penalties against developers of health apps and other technologies that ignore its requirements.
Although this is a U.S. mandate, many of these apps are used by Aussies, so you, and the country’s Privacy Commissioner, will be made aware of an incident. We hope.