Policy statement affirms that covered companies that hold fertility, heart health, glucose levels and other health data must notify consumers in the event of a breach. 

The Federal Trade Commission (FTC) today issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule, which requires that they notify consumers and others when their health data is breached. 

In a policy statement adopted during an open meeting, the Commission noted that health apps, which can track everything from glucose levels for people with diabetes to heart health, fertility and sleep, increasingly collect sensitive personal data from consumers. These apps have a responsibility to secure the data they collect, which includes preventing unauthorized access to that information.

In a 3-2 vote held during the open virtual meeting, the Commission approved the policy statement, which affirms that developers of health apps and connected devices are considered health care providers under the Rule, and that unauthorized disclosure of the sensitive information they hold constitutes a breach.

Companies that fail to comply with the Rule could face civil penalties of up to $43,792 per violation per day.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”