FTC weighs in on health data breaches

The Federal Trade Commission (FTC) voted 3-2 Wednesday that a decade-old rule on health data breaches applies to apps that handle sensitive health information, warning these companies to comply.

Revamp: The new policy statement agreed to by the FTC was intended to clarify the agency’s 2009 Health Breach Notification Rule, which requires vendors handling health records to notify consumers if the data is accessed through a breach or other means without the individual’s authorization.

The new policy states that the rule applies to health apps, such as those tracking fitness or menstrual cycles, which have been developed over the past decade.

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” the policy statement agreed to Wednesday reads. “Firms offering these services should take appropriate care to secure and protect consumer data.”

The FTC intends to enforce the new policy, with those in violation facing a financial penalty of over $43,000 per day.

Disagreement: The 3-2 vote fell along party lines, with FTC Chair Lina Khan and the other two Democratic commissioners voting in favor of the policy and Republican Commissioners Noah Phillips and Christine Wilson voting against.