The use of digital health services, including websites, mobile apps, and internet-connected devices that track health conditions and store sensitive personal health information, will soon be required to notify their users of data breaches under new enforcement rules set to take effect later this summer. These changes aim to modernize and expand the definition of covered entities in light of the growing reliance on health apps, fitness trackers, and telehealth appointments.
The amendment to the Federal Trade Commission’s Health Breach Notification Rule, adopted in April, puts more pressure on healthcare providers and services to safeguard consumers’ data from nation-state hackers and cybercriminals who often work to acquire sensitive personal information for use in black market data sales or identity fraud schemes. Breached providers are required to notify affected victims within 60 days of discovery. If 500 or more records are exposed in a breach, the targeted provider must also notify the FTC at the same time. Additionally, third parties such as data brokers, tech firms, or research institutions would need to be named in consumer notifications if they acquired personal health record information resulting from a security breach.
Recent hacks on UnitedHealth’s Change Healthcare unit and Ascension’s healthcare network have highlighted the importance of ensuring the protection of sensitive personal health information. The hacks have crippled multiple hospitals’ operations, leading to ambulances being diverted as staff take IT systems offline. As the use of digital health services continues to grow, regulators and providers alike remain committed to protecting consumers’ private data.
The FTC recently took enforcement action against two companies for violating the Health Breach Notification Rule: telemedicine platform GoodRx and fertility app developer Premom. GoodRx was accused of failing to inform customers and regulators about unauthorized disclosures of personal health information resulting in a $1.5 million civil penalty. Premom was alleged to have deceived users by sharing their sensitive personal information with third-party advertisers without notifying consumers of unauthorized disclosures.
In conclusion
