By: Editorial Staff, Date: September 14th, 2021
Health apps have become wildly popular in the past decade, serving as a way for people to more easily monitor their diet, exercise, sleep patterns, and beyond. The fact that many of these applications collect sensitive personal information from their users, though, is cause for security concerns. Now, the U.S. Federal Trade Commission (FTC) is warning that any app that collects personal health information from its users must notify those users if their data is breached or otherwise shared with third parties without the user’s permission.
Since 2009, the Health Breach Notification Rule has required companies that handle health records to notify their consumers in the event of a data breach. In a 3-2 vote that took place on September 15, the FTC decided to extend that policy to digital applications and devices as well.
Speaking on the new policy, FTC chair Lina Khan said, “Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches.”
The new ruling doesn’t cover only data breaches that take the form of a cybersecurity intrusion, though. Under it, companies will also be required to notify their users of any instance of unauthorized data access, including instances where data is shared without permission.
In recent years, there have been numerous cases of health applications that have compromised the sensitive data of their users. Last year, UK AI chatbot and telehealth startup Babylon Health incurred a “software error” that allowed users to access the video consultations of other patients. The period tracking app Flo, meanwhile, was recently caught sharing its users’ health data with third-party marketing and analytics services without permission.
Going forward, though, health applications that fail to notify their users when their data is breached or otherwise shared without authorization will be subject to hefty fines. According to the FTC, companies that don’t comply with the new rule will be fined $43,792 per violation per day.