
Congress Urges FTC Crackdown on Health Apps Via Breach Notice Rule

Three members of Congress are urging the FTC to enforce its Health Breach Notification Rule and penalize mobile apps that share personal health data with third parties.

Three members of Congress from New Jersey are urging the Federal Trade Commission to use its Health Breach Notification Rule to crack down on mobile health apps that share personal health information with third parties without user consent.

Sen. Bob Menendez, D-N.J., and Democratic New Jersey Reps. Bonnie Watson Coleman and Mikie Sherrill sent a letter to the FTC criticizing certain menstruation-tracking mobile health apps for sharing women's sensitive information with outside parties without first obtaining user consent.

The letter follows a recent lawsuit against Easy Healthcare, which owns the Premom fertility app. The filing alleges that the platform routinely shares personal and geolocation information with three marketing, data collection, and analytics firms with ties to China.

The lawsuit further claims that those Chinese firms were also given access to sensitive user data, including health interests, religion, politics, and a host of other sensitive categories.

Alarming as these allegations are, multiple reports have found that the majority of health and mental health apps routinely share user data without consent, or even transparency about the practice. This is largely because many of these apps fall outside HIPAA regulations.

As a result, many of these consumer apps have serious privacy gaps. What's worse, some of the most popular mHealth apps are vulnerable to API attacks because of hard-coded API keys and a number of other security oversights.

The report, by cybersecurity analyst Alissa Knight, partner at Knight Ink, estimated that at least 23 million mHealth users have been exposed through these privacy and security failures.
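Hard-coded API keys of the kind described above are usually found by pulling the strings and decompiled sources out of an app package and pattern-matching them. The scanner below is an added illustration, not code from the report or from any app named on this page: it combines well-known vendor key formats with a name-plus-entropy heuristic. The file paths, identifiers and key values in SAMPLE_FILES are constructed for the example and do not belong to any real app.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input standing in for files extracted from a decompiled
# mobile app (e.g. with apktool or jadx). Names and values are hypothetical.
SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">CycleTracker</string>\n'
        '    <string name="maps_api_key">AIzaSyD1xQ9kL3mN8pR2sT5vW7yZ0aB4cE6fG8h</string>\n'
        '    <string name="support_email">help@example.com</string>\n'
        '</resources>\n'
    ),
    "com/example/cycletracker/Api.java": (
        'public class Api {\n'
        '    private static final String BASE_URL = "https://api.example.com/v1";\n'
        '    private static final String PAYMENT_SECRET = "sk_live_9zQ4mR7vT2pL5nK8wX1cB6dF";\n'
        '    private static final String ANALYTICS_TOKEN = "q7Zp2mX9vK4tL8nB3wR6yH1c";\n'
        '    private static final String API_KEY_HEADER = "X-Api-Key";\n'
        '}\n'
    ),
}

# Vendor key formats with fixed prefixes: cheap, low-noise checks.
KNOWN_FORMATS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "stripe_live_secret": re.compile(r"sk_live_[0-9A-Za-z]{24,}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
}

# Generic catch: a credential-looking identifier bound to a string literal.
# Covers Java/Kotlin assignments and Android <string> resources.
ASSIGNMENT = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"\s]{16,})"')
XML_STRING = re.compile(r'<string\s+name="(?P<name>[^"]+)"\s*>(?P<value>[^<\s]{16,})</string>')
SECRET_HINT = re.compile(r"key|secret|token|passw|credential", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # bits per character; tune against your own code base


def shannon_entropy(s: str) -> float:
    """Character-level Shannon entropy of s in bits per character."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(name: str, value: str) -> bool:
    """Heuristic: hinted name, long unbroken value with digits and high entropy.
    Entropy alone is a weak signal (English identifiers can exceed 3.5 bits),
    so the digit and length requirements cut obvious false positives."""
    return (
        SECRET_HINT.search(name) is not None
        and re.search(r"\d", value) is not None
        and shannon_entropy(value) >= ENTROPY_THRESHOLD
    )


def scan_text(path: str, text: str) -> List[dict]:
    """Return findings for one file: known formats first, then the heuristic."""
    findings: List[dict] = []
    seen = set()
    for rule, pattern in KNOWN_FORMATS.items():
        for m in pattern.finditer(text):
            findings.append({"path": path, "rule": rule, "value": m.group(0)})
            seen.add(m.group(0))
    for pattern in (ASSIGNMENT, XML_STRING):
        for m in pattern.finditer(text):
            name, value = m.group("name"), m.group("value")
            if value in seen:  # already reported by a vendor rule
                continue
            if looks_like_secret(name, value):
                findings.append({"path": path, "rule": "high_entropy_secret", "value": value})
                seen.add(value)
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan every (path, contents) pair and concatenate the findings."""
    results: List[dict] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}: {f['rule']} -> {f['value']}")
```

Any hit is a lead, not a verdict: a key found this way still has to be checked against the backend to see what it authorizes, and the real fix is to keep such credentials off the device by proxying the third-party call through a server the app authenticates to.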

In response, the Congressional members are urging the FTC to employ its authority to exact monetary fines and other penalties against companies that violate requirements to notify consumers when private health information is exposed through the apps.

Under the Health Breach Notification Rule, the FTC is authorized to address privacy issues tied to personal health records, a category that includes many menstruation-tracking mobile apps. The rule requires vendors of personal health records to notify affected consumers and the FTC of such breaches, and to notify the media as well when a breach is large.

In fact, the FTC recently settled with app developer Flo Health over allegations that the popular period and fertility tracking app shared users’ health information with outside analytics vendors, even though its policies claimed it would keep user data private.

However, the members of Congress expressed concern that the complaint did not address whether the app had also violated the breach notification rule.

And although the rule has been in place for more than a decade, the tech industry has rapidly “spawned dozens of popular menstruation-trackers and other mobile health apps,” furthering the privacy risks to consumers. 

“Despite several high-profile cases of period-tracking apps disclosing personal health information to third parties without their users’ authorization, the FTC has never taken any enforcement actions related to the Health Breach Notification Rule,” the members wrote.

“We urge the FTC to take enforcement action against menstruation-tracking mobile apps that violate the Health Breach Notification Rule or other applicable regulations,” the members wrote. “The FTC must fulfill its mandate from Congress to protect Americans from bad actors who betray their trust and misuse their personal health data.”

In light of these risks and the likely expansion of mHealth apps in the future, the members urged the FTC to fully enforce all applicable regulations, sending a clear message to app developers and vendors that improperly divulging users' sensitive information is unacceptable.

Stronger enforcement may also bolster the privacy of period-tracking apps, which hold data that is both deeply personal and highly valuable to advertisers, the members concluded.

As noted, HIPAA regulations generally apply to third-party apps only when they are offered by, or operate on behalf of, a HIPAA-covered entity such as a healthcare provider. As such, the FTC holds much of the authority to enforce against consumer privacy violations by health apps that consumers choose on their own.

Congress and even the Department of Health and Human Services are working to change these privacy gaps through either federal privacy legislation, or through a direct modification of the HIPAA rule.

However, bipartisan support will be crucial to moving the needed legislation forward, while HHS is still reviewing stakeholder feedback on potential HIPAA modifications that would address third-party health apps currently outside HIPAA's scope.
