Lawmakers Urge FTC to Enforce Health Breach Notification Rule
Letter to FTC Spotlights Potential Violations by Fertility-Tracking Apps
Members of Congress are again calling on the Federal Trade Commission to begin using its existing authority to protect personal health data. In particular, they are demanding the FTC take enforcement action against certain fertility-tracking mobile apps that allegedly violate the decade-old FTC Health Breach Notification Rule, which covers certain entities not regulated under HIPAA.
The FTC's Health Breach Notification Rule, which is part of the American Recovery and Reinvestment Act of 2009, addresses privacy issues related to personal health records, including certain mobile apps, the lawmakers write.
For the most part, the HIPAA rules - enforced by the Department of Health and Human Services' Office for Civil Rights - do not cover health data shared directly by consumers with technology vendors outside of healthcare settings, as is the case with many fertility-tracking apps.
In a March 4 letter to the FTC, three Democrats from New Jersey - Sen. Bob Menendez, Rep. Bonnie Watson Coleman and Rep. Mikie Sherrill - urged the commission to "fulfill its mandate from Congress to protect Americans from bad actors who betray their trust and misuse their personal health data."
The lawmakers urged the FTC to take enforcement action against fertility-tracking mobile apps that violate the Health Breach Notification Rule or "other applicable regulations," citing the Flo menstruation-tracking app and Premom fertility-tracking app as examples.
Neither Flo Health nor Easy Healthcare - maker of the Premom app - immediately responded to Information Security Media Group's requests for comment.
In a similar letter written in August 2020, seven senators urged the commission to take action to address "the troubling data collection and sharing practices" of Premom.
In that letter, the senators noted an investigation by the watchdog group International Digital Accountability Council that alleged "material differences" between Premom’s stated privacy policies and its actual data-sharing practices.
"Most troubling, the investigation found that Premom shared its users’ data without their consent," the senators wrote in August to the FTC.
A lawsuit seeking class-action status was filed in January in federal court against the maker of the Premom app, Burr Ridge, Illinois-based Easy Healthcare Corp. It alleges the app is sharing personal and sensitive health data, as well as geolocation data, device activity data and user and advertiser IDs, with three Chinese companies without obtaining users’ consent (see: Lawsuit: App Maker Shared Health Data with Chinese Firms.)
In their new letter to the FTC, the lawmakers from New Jersey note that the FTC Health Breach Notification rule requires personal health record vendors to promptly notify users if an entity has acquired their identifiable health information without their authorization.
The vendor must also notify the FTC, and, in the event of a large breach, local media outlets, if a threshold number of consumers in a particular geographical area are affected, the letter states.
"The Health Breach Notification Rule has been in force for more than 10 years, and during that time, the tech industry has spawned dozens of popular menstruation-trackers and other mobile health apps," the letter says.
"However, despite several high-profile cases of period-tracking apps disclosing personal health information to third parties without their users’ authorization, the FTC has never taken any enforcement actions related to the Health Breach Notification Rule."
An FTC spokeswoman declined to comment on the letter.
In December, the FTC issued a proposed settlement in a privacy and security case involving another women’s health app maker, Flo Health (see: FTC Orders Health App Vendor to Revamp Privacy Practices).
The vendor agreed to a major revamp of its privacy practices after the commission alleged it had violated the FTC Act by misrepresenting to millions of women how it shared their sensitive health data with third-party analytics firms.
Under the proposed settlement, Flo Health must get app users’ consent before sharing their health information. It also must obtain an independent review of its privacy practices.
In their letter, the New Jersey lawmakers urged the FTC to take stronger action against vendors such as Flo that violate the FTC's Health Breach Notification Rule.
"While the FTC recently filed a complaint against Flo that cites various privacy violations and other deceptive practices, the complaint does not address the possibility that Flo violated the Health Breach Notification Rule," the letter says.
The lawmakers noted that aside from the Flo case, "there have been numerous instances of menstruation-tracking mobile apps improperly sharing their users’ data."
The lawmakers also called out the Premom fertility app for Android for allegedly sharing users’ data with several companies without their consent.
"We believe that … the FTC should enforce all applicable regulations. In doing so, the FTC would send a clear message that it is no longer acceptable for mobile health apps to improperly divulge users’ data," the letter says.
"Stronger enforcement would be especially impactful in the case of period-tracking apps, which manage data that is both deeply personal and highly valuable to advertisers. Looking ahead, we encourage you to use all of the tools at your disposal, including the Health Breach Notification Rule, to protect … people from mobile apps that exploit their personal data."
More Scrutiny to Come?
Some legal experts predict the FTC will ramp up its enforcement of health data privacy and security cases.
Former FTC attorney Julie O'Neill, a partner at law firm Morrison & Foerster LLP, expects the FTC will intensify its scrutiny of cases involving health data privacy and security issues.
"Even though the FTC was pretty active in bringing privacy and data security cases during the Trump administration, I fully expect that it will become even more focused on such matters in the new administration," she says. "We’ll see a renewed focus on matters involving sensitive personal data and, for that reason, it would not surprise me to see enforcement of the FTC Health Breach Notification Rule."
Privacy attorney Ashley Thomas of the law firm Morris, Manning & Martin LLP also predicts stepped-up FTC enforcement.
"With the new presidential administration and new Democratic majority at the FTC, we may likely see the FTC pursue violations of the Health Breach Notification Rule in future enforcement actions," she says. "The acting FTC chairwoman, Kelly Slaughter, publicly stated last month at a privacy event that she’d like for the FTC to pursue enforcement of the Health Breach Notification Rule, and she had been one of the dissenting opinions advocating for use of the Health Breach Notification Rule in the Flo Health settlement. So enforcement may be coming."
In the meantime, during the COVID-19 crisis, there's been a proliferation of telehealth apps and contact-tracing apps developed to help people manage their individual healthcare needs during the pandemic. But they have also created new risk, Thomas notes.
The FTC will likely evaluate these apps to ensure they are transparent in how they are handling sensitive health information, she says. It may also evaluate emerging vaccine passport apps that help travelers prove they have been vaccinated (see: Creating a Digital ID to Verify COVID-19 Testing).