[BreachExchange] FTC rules that health apps must notify consumers affected by data breaches

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Sep 17 09:02:22 EDT 2021


https://news.yahoo.com/ftc-rules-that-health-apps-must-notify-consumers-if-their-data-is-breached-114043312.html

Since 2009, companies handling health records have been required to notify
consumers if their data is breached. Now, the rule has been extended to
health apps that track fitness, vital statistics, sleep and more. The FTC
ruled 3-2 that companies producing such apps must inform users impacted by
data breaches, lest they face a financial penalty of over $43,000 per day,
The Hill has reported.

"As many Americans turn to apps and other technologies to track diseases,
diagnoses, treatment, medications, fitness, fertility, sleep, mental
health, diet, and other vital areas, this Rule is more important than
ever," the FTC wrote in the ruling. "Firms offering these services should
take appropriate care to secure and protect consumer data."

Recent high-profile breaches include UnderArmour's MyFitnessPal breach that
affected 150 million users in 2018. A more recent data leak came about due
to an exposed server that contained 61 million records related to fitness
trackers and wearables that exposed Apple and Fitbit users' data online.

The rule passed along party lines, with the majority Democratic
commissioners voting 3-2 in favor. However, the Republican commissioners
dissented because the FTC was already working on revamping health breach
notification rules. "The right way to go about it is to conclude the
ongoing rulemaking process, especially when the statutory and regulatory
interpretation on which the majority rely is far from clear," said
commissioner Noah Phillips.

FTC Chair Lina Khan said the ruling is just the start of what's needed. "A
more fundamental problem is the commodification of sensitive health
information, where companies can use this data to feed behavioral ads or
power user analytics," Khan said. "The Commission should be scrutinizing
what data is being collected in the first place and whether particular
types of business models create incentives that necessarily place users at
risk."