
Health apps on notice: FTC signals more privacy enforcement actions ahead


The Federal Trade Commission’s recent enforcement actions against GoodRx and BetterHelp sent ripples across the digital health app industry. But for those paying attention, the moves are a long awaited necessity to close major gaps in digital privacy enforcement.

For the last 18 months, FTC officials have warned app developers of impending scrutiny under the agency's long-dormant Health Breach Notification Rule, which requires covered entities to report breaches of consumer health information to the FTC.

But until the GoodRx decision, the agency had yet to use its authority to penalize violations.

To Gaurav Kapoor, CEO of MetricStream, the federal scrutiny of these platforms aims to get a handle on the rapid expansion of telemedicine, and on consumers taking charge of their own health during the pandemic through consumer-facing applications.

What’s been lacking throughout this process is a balance between trust and innovation. The rapid adoption of these tools was not met with an equal examination of data privacy or security.

“It's a challenging thing,” Kapoor said in an interview. “On one side, you've got to pace up the market on healthcare innovation because things changed quite dramatically. … But on the other side, it opens up these gaps with privacy of patient data.”

Although some of these companies have pushed back on the enforcement, the FTC is playing a very important role in protecting consumer data privacy. Healthcare leaders have long asked Congress to modify the Health Insurance Portability and Accountability Act to protect health data that consumers generate through apps not tied to their provider.

HIPAA was enacted well before the current state of digital health and consumer apps, and as a result, enforcement against rampant violations of consumer privacy has been minimal.

The FTC finalized a settlement with Flo Health in June 2021 over the sharing of users' health data with Facebook, Google, and other third parties. At the time, FTC leaders said they intended to review the agency's authority under the Health Breach Notification Rule, and they later announced plans to use the rule to take action against egregious data privacy violations.

“The global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health,” FTC Chair Lina Khan said at the time. “As we have seen, however, digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches.” 

Companies that fail to comply with the rule could be subject to civil penalties of up to $43,792 per violation, per day.

Baking trust into digital innovation

GoodRx has denied the FTC allegations, but reports have confirmed that the company shared data with two dozen third parties without user consent, and changed its privacy policies only after the practice became public in 2019.

The FTC settlement with BetterHelp contains many of the same allegations — but with a much heftier price tag, suggesting a longer period of dubious privacy practices.

What these companies seem to have missed in creating these consumer-facing apps is the need to balance trust against innovation. Kapoor explained that consumers need to know what is being done with their data before trust can be established.

In fact, it’s likely that there is a large population of users willing to share this data to receive more tailored services and advertisements that can inform their choices. The issue at hand is about transparency — or lack thereof. Dozens of proposed data privacy bills have centered on just that: an opt-in or opt-out option for users and a greater need for transparency.

For Kapoor, the need for transparency should also extend to the current commercialization of data in the U.S. What the companies engaging in these practices are missing is that health data is highly sensitive, and a tremendous amount of care is needed in how patient information is handled.

The BetterHelp settlement with the FTC spotlights where many of these companies are going wrong. The filing shows that its users were told that “aside from a few narrow uses related to providing online counseling services, their private information would remain private.”

Instead, the data of 7 million consumers, which could easily tie users to their sensitive health condition, was allegedly shared with third parties for advertising purposes and without contractually limiting the third parties from using users’ data for their own purposes.

The BetterHelp situation was not necessarily a data breach. Rather, the company aimed to share user data to commercialize it, without considering the privacy or compliance ramifications.

It’s also imperative to “treat patient data as an asset, just like you treat a technology or system as an asset,” said Kapoor. That requires a framework for protecting the information: how it is stored and managed, the cybersecurity infrastructure in place, governance tools, and assurance that the data is actually secured.

These elements are all required by HIPAA, so most providers at least understand these necessary security functions. But because these apps are not covered by HIPAA, it’s likely the developers were unaware of the need for stringent rules on how health data is handled.

As previously reported, companies attempting to enter the health space should either work with health systems or have an experienced healthcare leader on the team to ensure compliance, and with it, success.

Security should also include a philosophy for commercializing data rooted in a culture of privacy and security, while ensuring that it’s well-understood, said Kapoor. This establishes trust with consumers.

“Patient data is different from advertising data. It’s extremely critical,” said Kapoor. Many banks and traditional companies have been fined over breaches, which has built in “a culture of awareness within the organization. … We have to take the entire regulatory framework pretty seriously.”

Time for an overhaul

Following its warning to Amazon after the company's $3.9 billion One Medical acquisition, the FTC issued new guidance to help digital health apps and other tech companies understand the risks of pixel tracking and other tools that can undermine consumer data privacy and violate federal law.

The BetterHelp and GoodRx actions highlighted the use of third-party tracking pixels, and the resulting orders ban sharing health data with third parties for advertising and impose strict limits on how user data can otherwise be disclosed, FTC officials explained.

The guidance clears up confusion around the use of pixel tracking and explains why these tools are a poor fit for apps that handle sensitive information.

“Academic and public reporting teams have found that thousands of the most visited webpages have pixels and other methods that leak personal information to third parties,” according to the post. “Any type of personal and identifying information can be collected and shared.”

As such, the FTC detailed the key questions developers should ask before (and perhaps in review of) using pixel tech. These areas include business rationales, potential consumer harms, industry conditions, and data retention and management, among others.
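As an added example, not part of the FTC guidance or of this article, the following Python script shows the kind of leak the FTC post describes and a check a developer can run before shipping a page: it scans a constructed HTML page for image, script and iframe loads that go to hosts other than the app's own, flags 1x1 tracking pixels, and extracts any first-party page URL (with its query string) that a pixel forwards to the tracker. The hostnames, the intake page and its parameters are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an intake page on a fictional counseling site that embeds a
# third-party script and a 1x1 tracking pixel. The pixel's "dl" parameter carries
# the full page URL, whose own query string reveals a condition and an email.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" alt="logo">
<script src="https://counseling.example/static/app.js"></script>
<script src="https://cdn.tracker.example/pixel.js"></script>
<img width="1" height="1" style="display:none"
     src="https://tracker.example/tr?id=12345&ev=PageView&dl=https%3A%2F%2Fcounseling.example%2Fintake%3Fcondition%3Danxiety%26email%3Dpat%2540example.org">
</body></html>
"""

FIRST_PARTY_HOST = "counseling.example"  # assumption: the app's own origin


class _LoadCollector(HTMLParser):
    """Record every img/script/iframe the page would fetch, with its attributes."""

    _SRC_TAGS = ("img", "script", "iframe")

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src, attrs)

    def handle_starttag(self, tag, attrs):
        if tag in self._SRC_TAGS:
            attr_map = dict(attrs)
            src = attr_map.get("src")
            if src:
                self.loads.append((tag, src, attr_map))


def _is_third_party(url, first_party_host):
    host = urlsplit(url).hostname
    if host is None:  # relative URL: served by the first party itself
        return False
    return host != first_party_host and not host.endswith("." + first_party_host)


def _looks_like_pixel(tag, attrs):
    return tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"


def find_third_party_loads(html, first_party_host):
    """Return the resources a page loads from hosts other than its own."""
    collector = _LoadCollector()
    collector.feed(html)
    findings = []
    for tag, src, attrs in collector.loads:
        if _is_third_party(src, first_party_host):
            findings.append({
                "tag": tag,
                "host": urlsplit(src).hostname,
                "url": src,
                "pixel": _looks_like_pixel(tag, attrs),
            })
    return findings


def leaked_page_fields(beacon_url):
    """Query parameters of any first-party page URL the beacon forwards to the tracker.

    Pixel beacons commonly send the current page URL as a parameter; if that URL
    itself carries identifiers or health terms in its query string, they leak too.
    """
    leaked = {}
    for values in parse_qs(urlsplit(beacon_url).query).values():
        for value in values:  # parse_qs has already percent-decoded the outer layer
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.query:
                for key, inner_values in parse_qs(inner.query).items():
                    leaked[key] = inner_values[0]
    return leaked


def audit(html, first_party_host):
    """Combine both checks into one report to review before a page ships."""
    report = []
    for finding in find_third_party_loads(html, first_party_host):
        finding["leaked"] = leaked_page_fields(finding["url"])
        report.append(finding)
    return report


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, FIRST_PARTY_HOST):
        kind = "1x1 pixel" if f["pixel"] else f["tag"]
        print(f"{kind:10} -> {f['host']}")
        for key, value in f["leaked"].items():
            print(f"    forwards page parameter {key}={value}")
```

Run against the sample, the report lists the tracker script and the hidden pixel, and shows that the pixel forwards `condition=anxiety` and the user's email to the tracker's host. The check only covers static markup; pixels injected by tag managers at runtime need the same review in a browser's network log.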

FTC officials also stressed there is certainly more to come: they’re “committed to protecting consumers and enforcing the law.” 

“Companies using tracking pixels that impermissibly disclose an individual’s personal information, which may include health information, to third parties may be violating the FTC Act,” the FTC’s Health Breach Notification Rule, other state or federal statutes, and companies’ own privacy promises, the agency warned.

“As the Office of Technology grows, we will work to ensure the agency continues to be forward thinking and equipped to address and decipher developing technologies and harms,” they concluded.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.