The Federal Trade Commission put health apps on notice this week with a brand new policy statement aimed at protecting the sometimes super-sensitive data that they collect from their users. In a 3-2 vote held on Wednesday, the Commission agreed to clarify a decade-old rule in order to mandate that these apps—and any high-tech device handling medical data—needs to notify users in cases where their data gets disclosed without their permission.
The new policy will be tacked onto the Health Breach Notification Rule that the FTC first passed back in 2009, which mandated that any vendor handling personal health records and related intel, like, say, a hospital, needs to notify both its patients and the Commission as soon as they learn about a breach on their systems. In the 12 years since that policy went into effect, we’ve seen plenty of hospitals hacked, and—thankfully!—many of them fessing up when they notice patient’s data being breached.
At the same time, we’ve seen the booming world of health tech spawn apps and wearables that largely skirt these sorts of disclosure rules because, well, they were passed at a time before that kind of tech was possible. Now that it is, there are plenty of players who aren’t afraid to slip through loopholes in our current data privacy laws in order to profit from our personal medical details.
Hopefully, the FTC’s new order will have these players thinking twice. “Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said Commission Chair, Lina Khan in a Wednesday statement on the new ruling. And she’s right: one recent study from the British Medical Journal pointed out some of the “serious problems” for patient privacy currently found in hundreds of medical apps. In some cases, this meant that the apps came embedded with covert third-party trackers; in others, this meant that they were sending patient data via unencrypted channels. Overall, the researchers behind the study noted that whatever data the average health-centric app was collecting “often exceeded what is publicly disclosed by app developers.”
Under the new rule, Khan went on, these sorts of apps and devices won’t only need to notify consumers if they think that their systems have been breached, but also if they believe that customer data has been compromised in any unauthorized way. That means that under the new rule, these devices will (hopefully!) be mandated to notify users before sharing their personal health data with any third party that their users didn’t expressly agree to.
And if they get caught sharing that data anyway? According to the FTC, any company caught flouting the new rule could be subject to a $43,792 fine per violation per day until they shape up. Khan noted that the Commission will be tracking down these companies “with vigor.”
“While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan added. “In the meantime, it is vital that the Commission use the full suite of its authorities to protect Americans from abusive data practices. Today’s action will be a step in the right direction.”