Online health services, apps to face new data security rule enforcement in July

The FTC rules are meant to incentivize digital health providers to shore up their security postures and increase transparency in the event of a data breach.

Digital health services like websites, mobile apps or internet-connected devices that track health conditions and store sensitive personal health information will be required to notify their users of data breaches under new enforcement rules set to take effect later this summer.

The amendment to the Federal Trade Commission’s Health Breach Notification Rule was adopted in April, and aims to modernize and expand its definition of covered entities amid growing reliance on health apps, fitness trackers and telehealth appointments. The changes are effective beginning July 29, according to an agency record set to be published Thursday.

The new stipulations put more pressure on healthcare providers and services to safeguard consumers’ data from nation-state hackers and cybercriminals that often work to hoover up sensitive personal information for use in black market data sales or identity fraud schemes.

Breached providers are required to notify affected victims within 60 days of discovery. If 500 or more records are exposed in a breach, the targeted provider must also notify the FTC at the same time.

Additionally, third parties like data brokers, tech firms or research institutions would need to be named in consumer notifications if they acquired personal health record information as a result of a security breach.

Last February, the FTC and telemedicine platform GoodRx reached a settlement to address several claims under the Health Breach Notification Rule, marking the first enforcement action under the rule. The agency accused GoodRx of failing to inform customers and regulators about unauthorized disclosures of personal health information. As part of the settlement, GoodRx agreed to pay a $1.5 million civil penalty.

In May, the FTC invoked the rule in a settlement with the developer of the fertility app Premom after alleging it deceived users by sharing their sensitive personal information with third-party advertisers and failed to notify consumers of unauthorized disclosures.

Health data cybersecurity has become top of mind in recent months following a cascading hack on UnitedHealth’s Change Healthcare unit. A similar hack into Ascension’s healthcare network has crippled multiple hospitals’ operations over the past several weeks, forcing ambulances to divert as staff take IT systems offline.