FTC’s Warning for Health Apps & Software: Using Health Data in Advertising is a Costly Breach Under the Health Breach Notification Rule

The FTC’s Feb. 1, 2023, settlement with GoodRx levies a $1.5 million fine, requires deletion of data and bars GoodRx from using health data for advertising on digital advertising platforms.

By Jenifer McIntosh, Data Privacy Shareholder/Attorney

We love our wellness apps. Our SleepNumber, MyFitnessPal, Tracey Anderson and Wodify apps. Our Whoops, Talkspace, Alle. Our GoodRx.

They track our activity. Our heart rate, sleep patterns, calories and macronutrient intake. That is all health data. It is all tracked outside the loving arms of HIPAA, so there is little to no regulation surrounding what companies do with the health information you give them. Health apps (and others), oftentimes without our knowledge or consent, take information from us about:

  1. How we sleep, how long we sleep. When we, ahem, wake up.
  2. What we eat. When we binge. What we binge on. Where we shop to binge.
  3. What time of day and month we engage a therapist. How often we change therapists.
  4. What concerns we have about aging. What spas we frequent. What procedures we get.
  5. What medications we use, the health conditions related to those medications, our pharmacies, where we live, cell numbers, dates of birth, gender, and even our latitude and longitude.

Until now, there have been few consequences (if any) for sharing or selling non-HIPAA health information, so companies sell health data without providing notice or obtaining a user’s consent to sell and profit from the data, even for issues as intimate as sexual or mental disorders. New privacy laws in California, Colorado, Connecticut, Utah and Virginia attempt to set standards and require a truthful accounting to the user about the sharing or selling of their data, but most companies have not treated these new laws with any real deference, possibly because the laws are so new, with California being the sole one to have had the regulations, support and time to begin enforcement.

On February 1, 2023, however, the FTC announced a settlement with GoodRx on allegations the company violated Section 5 of the FTC Act and, most notably, the long-dormant Health Breach Notification Rule (“HBNR” or “the Rule”). The HBNR has been around since 2009, but it wasn’t until this action that the HBNR was used with effect, setting the entire wellness, health and related industries on their heels, given there has been no real requirement to be responsible for (much less disclose) use of non-HIPAA health-related information. In the FTC’s complaint against GoodRx, the FTC goes into great detail to show, despite GoodRx’s statements and advertising otherwise, that the company’s use of customers’ health information went so far beyond actual notice that it actually qualified as a “breach” under the Rule.

The FTC’s complaint against GoodRx is filled with examples of GoodRx’s sharing and selling sensitive health data to third parties for advertising – which is exactly what GoodRx’s Privacy Policy stated they would not do. Most of us would agree this is shady, slimy… but not necessarily surprising. What is unique here is that the HBNR was not used in the context of a cybersecurity breach, but rather GoodRx’s failure or, seemingly, complete dishonesty, about its use of customers’ sensitive health information. In other words, the actions constituting the breach under the HBNR were GoodRx’s decision to use that data in advertising on TikTok, Facebook and the like; and it looks so bad because GoodRx specifically promised its users it would not use this information for advertising. To those on the outside, GoodRx’s actions look like either intentional misuse of the data or horribly sloppy data governance. Either its marketing department had no privacy or data use controls in place, or there were willful misrepresentations being made about its processes, despite GoodRx’s adamant privacy policy and advertising stating otherwise. It appears the FTC was serious when in 2021 it noted “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”

What does this mean for companies in the health app and software space?

It means:

  1. If you do not know what is being done with your users’ data, you need to find out.
  2. If you do not have engineers or a marketing team who can tell you what data is being collected, shared, sold or otherwise managed by third-party software, you need to find some who can.
  3. If you are going to insist on sharing health information for advertising purposes, you need to be clear about those uses and purposes and get user consent. Users can then determine if having intimate, personal data sold to TikTok is a gamble they are willing to take while on your app.
  4. Are you consistent through all platforms about your use of the personal information collected from users? Is different data collected by different third parties? If you don’t know, this is a query you need to prioritize.

So how far will the Rule reach, as it concerns the type of data used? Will it apply to peripheral hospital services not covered by HIPAA? Will it govern health data collected by MyFitnessPal or Alle, which could be argued to collect only cosmetic data and not necessarily “health” information? If a company is utilizing health- or wellness-related personal information for clients, such as wellness boutiques administering IV drips and cryo treatments, will use of that personal information on Instagram without specific, informed consent be considered a “breach” and subject to the HBNR? According to this decision, yes.

The HBNR states:

It applies to foreign and domestic vendors of personal health records, PHR related entities, and third-party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

What then is a personal health record, when that record is not one maintained by a covered entity or business associate under HIPAA?

A “personal health record” is defined by the Rule as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” PHR identifiable health information, according to the FTC’s interactive tool[i] is “demographic information and relates to a consumer’s past, present, or future physical or mental health or condition; the provision of health care to the consumer, that identifies the consumer or for which there’s a reasonable basis to believe it can be used to identify the consumer.” The 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices[ii] notes the FTC will consider apps covered by the HBNR “if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (“APIs”).” The FTC goes into further detail to make it very clear when an app is subject to the HBNR:

“For example, an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. Similarly, an app that draws information from multiple sources is covered, even if the health information comes from only one source. For example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.”

From the above statement, as well as the FTC’s GoodRx settlement, what constitutes “health information” under the HBNR extends beyond what is collected, applying to the collection capability of the application. Indeed, the FTC went to great lengths to make clear what “health” data is covered, and the GoodRx settlement seems to be a detailed shot across the bow to those applications with sloppy-to-no data governance or a willingness to forgo meaningful consumer notice.

It bears noting that once the FTC has flagged a misuse or lack of transparency with your users, every state with an aggressive attorney general will be looking in your direction to determine if pursuing an action against you has legs. If your app is used globally, like Strava or MyFitnessPal, there are Data Protection Authorities across Europe and the UK who keep a keen eye on what happens in the United States at the FTC. For boards bent on profit at all costs, the FTC, other federal agencies, international authorities and state attorneys general are looking to hold Directors and Officers responsible for failures to accurately and adequately govern the personal information they profit so much from. The days of asking forgiveness rather than permission seem to be dwindling, if not rapidly and drastically coming to a close.

[i] https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool#q2

[ii] Statement of the Commission on Breaches by Health Apps and Other Connected Devices, ftc.gov (PDF: statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf)