FTC says it will fine digital health companies that don't disclose data breaches

Companies failing to tell users about a breach could face a $43,792 per day hit.
By Laura Lovett
11:39 am

Photo: MStudioImages/Getty Images 

With data breaches on the rise, the FTC is looking to make health apps more accountable for telling patients when their data has been exposed.

The FTC released a new statement specifying that all health apps that capture sensitive patient information must notify users, the commission itself and, in some cases, the media when a security breach has compromised identifiable health data. If a company fails to do so, it could face a fine of $43,792 per day of violation.

The ruling is actually more than ten years old, but according to the FTC statement, it was never enforced and was misunderstood by many companies. The ruling includes vendors of personal health records (PHR) and PHR-related functions, which draw information from multiple sources. 

This new statement specifies that apps which draw information from multiple outlets (i.e. ones that pull in wearable data through an API and also collect user input) are now subject to this ruling. The commission said this covers apps that “track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet and other vital areas.”

WHY IT MATTERS 

It’s no secret that digital health apps are on the rise in the US. A report by IQVIA found that there are now more than 350,000 digital health apps available to consumers. In 2020 alone there were more than 90,000 new apps introduced to the market.

The FTC is warning that as apps become more plentiful, consumer data remains a priority. 

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data,” the commission wrote.

THE LARGER TREND

Just last week news broke that a non-password-protected database exposed more than 61 million records containing data from fitness trackers and wearables. Some of the biggest names in health tech were part of the breach, including Fitbit and Apple HealthKit.

In 2020, Walgreens announced that its app had an error, which led to the leak of customers' secure messages. 

Across the pond, London-based digital health company Babylon Health announced a data breach that allowed a patient to access recordings of another patient’s consultation through the GP at Hand app.

On the whole, health data breaches are on the rise, according to a report by risk protection services vendor Constella Intelligence.
