FTC rules that health apps must notify consumers affected by data breaches

Since 2009, companies handling health records have been required to notify consumers if their data is breeched. Now, the rule has been extended to health apps that track fitness, vital statistics, sleep and more. The FTC ruled 3-2 that companies producing such apps must inform users impacted by data breaches, lest they face a financial penalty of over $43,000 per day, The Hill has reported.

"As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever," the FTC wrote in the ruling. "Firms offering these services should take appropriate care to secure and protect consumer data."

Recent high-profile breaches include UnderArmour's MyFitnessPal breach that affected 150 million users in 2018. A more recent data leak came about due to an exposed server that contained 61 million records related to fitness trackers and wearables that exposed Apple and Fitbit users' data online.

The rule passed along party lines, with the majority Democratic commissioners voting 3-2 in favor. However, the Republican commissioners dissented because the FTC was already working on revamping health breach notification rules. "The right way to go about it is to conclude the ongoing rulemaking process, especially when the statutory and regulatory interpretation on which the majority rely is far from clear," said commissioner Noah Phillips.

FTC Chair Lina Khan said the ruling is just the start of what's needed. "A more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics," Khan said. "The Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk."