Healthcare Apps Subject to Data Breach Notification Rule After FTC Policy Change

With more than 90,000 healthcare apps released in the last year, they’ve become more mainstream and advanced as consumers look towards technology to improve and self-monitor their health. But as these apps collect more user data than ever before – from email addresses and phone numbers to heart rate levels and sleep activity – the legal boundaries between technology and privacy have become blurred.

Privacy concerns arise when there is a lack of controls or limits on the amount or type of sensitive data that is collected, used, or disclosed. With few privacy protection policies in place and high volumes of sensitive data, that data becomes increasingly difficult to protect and, at the same time, more valuable for cyber criminals to exploit.

In fact, popular fitness and calorie tracker Fitbit compromised the privacy of its users in 2011. To encourage competition and social media engagement, Fitbit had made its users’ profiles and activity public by default, meaning any user could be found on Google search results. However, Fitbit failed to acknowledge that certain forms of physical exercise are sensitive, and therefore, inadvertently exposed the sexual activity of its users online. 

In an effort to hold these apps accountable for the data they collect and share, the US Federal Trade Commission (FTC) extended the existing Health Breach Notification Rule on September 15 to cover healthcare apps and connected devices. This rule ensures that entities not covered by HIPAA are responsible for preventing unauthorized access to sensitive data. 

Healthcare apps and connected devices are now required to notify the FTC, US consumers, and in some cases the media, in the event of a data breach. Failure to disclose a data breach can result in a daily fine of up to $43,792 per violation. This new rule also extends the definition of “data breach” to include sharing of information without individual consent.

As we continue to see advances in app capabilities, this rule is a huge step towards addressing the gap in data security. Privacy is a human right, and with Dasera, companies can prevent data breaches and privacy violations, while ensuring that all consumers receive the confidentiality they expect. 

To learn more about how to better protect the privacy of your data, read our whitepaper on the subject. 


Tu Phan