FTC warns connected device orgs: Comply with breach rule, or pay up

FTC warns connected device orgs: Comply with breach rule, or pay up

The U.S. Federal Trade Commission issued a policy statement this week confirming that connected devices and health apps that use or collect consumers’ health information must notify users and others when that data is breached.  

Failure to comply, the agency said, could result in a penalty of up to $43,792 per violation per day.  

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this rule is more important than ever,” wrote the commission in its policy statement.  


The FTC’s policy statement aims to offer guidance, it says, on the scope of its health breach notification rule.  

The rule aims to make sure that organizations that are not covered by HIPAA are still held accountable for keeping customers’ sensitive health data safe.  

Although the rule was issued more than a decade ago, the proliferation of connected devices and health apps in recent years imbues it with even more importance, said the agency.  

The FTC has also never enforced it – but that time, this statement implies, is over.  

“The rule covers vendors of personal health records that contain individually identifiable health information created or received by healthcare providers,” said the policy statement. “The rule is triggered when such entities experience a ‘breach of security.'”  

“Under the definitions cross-referenced by the rule, the developer of a health app or connected device is a ‘healthcare provider; because it ‘furnish[es] healthcare services or supplies,'” the statement continued.  

The FTC also noted that it considers apps to be covered if they are capable of drawing information from multiple sources – even if some sources do not contain health information, such as dates.  

“For example, an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker,” read the policy statement.  

The agency reminded entities, too, that a “breach” is not limited to nefarious actions – it also includes unauthorized actions and sharing in general.  

FTC Chair Lina M. Khan said in a statement that apps still have too few privacy protections.  

“While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” she said.   

“Given the growing prevalence of surveillance-based advertising, the commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she added.  


Data breaches – both “nefarious” and accidental – have gripped the news cycle in recent months.

Just this week, a non-password-protected database containing more than 61 million records with information from fitness trackers and wearables was discovered by cybersecurity researchers.  

But help is on the way, at least where devices are concerned: The University of Minnesota recently announced that it was launching a new Center for Medical Device Cybersecurity aimed at functioning as a hub for discovery, outreach and workforce training around device security and potential threats. 


“The commission’s ability to address privacy harms would be stronger if Congress enacted a comprehensive federal privacy law,” noted Morgan Reed, App Association president, in a statement.   

“Health apps can play a positive role in the lives of Americans and are transforming our healthcare system, but not without clear communication to users on use of their data. We look forward to working with the FTC as they consider additional actions around health data and privacy,” Reed continued.

Source: Read Full Article