FTC Clarifies that Health Apps Have a Duty to Report Data Security Breaches

  • The Federal Trade Commission (“FTC”) issued a policy statement clarifying that health apps that collect or use consumers’ health information are subject to the Health Breach Notification Rule’s notification requirements when the consumer data they collect is subject to unauthorized access.
  • The FTC’s policy statement notes that the American Recovery and Reinvestment Act of 2009 directed the FTC to ensure that web-based companies contact customers in the event of a data security breach and that, pursuant to the Act, the FTC issued the Health Breach Notification Rule (“Rule”), which requires vendors of personal health records to notify consumers and the FTC when such a breach occurs. The Rule is intended to ensure that entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are still accountable for the safety of consumers’ health information.
  • According to the FTC, health apps and wearable devices, which collect such sensitive and personal data as glucose levels, sleep cycles, heart health, and fertility, are increasingly targeted by scammers and hackers, yet many apps do not have adequate privacy protections in place. The FTC therefore issued the policy statement to clarify the scope of the Rule: health apps and connected devices that can draw information from multiple sources (such as a wearable device and a user’s smartphone) must also comply with the Rule, and going forward, violators are potentially subject to monetary penalties of up to $43,792 per violation per day.