Health apps and data privacy
Arthur Piper, IBA Technology CorrespondentThursday 11 May 2023
Technology linked to health and fitness is big business. But the abundant data privacy issues are leading to increasing numbers of enforcement actions.
Mobile tracking apps associated with a wide range of health and fitness measurements spiked in popularity during the pandemic and have continued to grow since. The analyst Statista estimated that between 2019 and 2020, revenue generated by health and fitness apps in the US rose from $592m to $837m – a 41 per cent jump. The European market also took a big leap forward.
The apps, which are usually linked with mobile devices, have a wide range of uses, from tracking exercise performance and providing healthcare professionals an opportunity to remotely monitor patients, to supporting individuals with their meditation, wellbeing and mental health. As virtual and augmented reality features aim to make such software more immersive, the trend only looks set to grow.
As a whole, the industry collects and analyses the biggest repository of real-time personal health data in history. And it is to the use of this data that regulators such as the US Federal Trade Commission (FTC) has turned in a series of recent legal challenges.
Privacy concerns
In February 2023, for example, the FTC took enforcement action against GoodRX, a US healthcare company. The business began as a drug comparison site but has since diversified into telehealth services, including the provision of coupons for medication that patients can redeem at pharmacies close to where they live. In a comprehensive filing, the FTC claimed that GoodRX provided detailed personal information to advertisers in violation of its own data privacy terms.
The FTC is testing privacy law from a wider range of angles now that technology has made it so easy to collect, and potentially distribute, personal medical data
‘The information GoodRX shared included its users’ prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers’, the filing said. ‘GoodRX shared this information without providing notice to its users or seeking their consent.’ Using this data, it claimed, advertisers could target people online (or via mobile campaigns) before they went to the pharmacy with specific offers based on their known health conditions.
Enforcement action included a $1.5m civil penalty and a ban on further data sharing under the Health Breach Notification Rule (HBNR). Although the rules are a decade old, the FTC had never used them until now. GoodRX said that the action related to an issue the company had addressed over three years ago and admitted no wrongdoing.
The company said in a statement: ‘While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices.’
On notice
It is these common practices that the FTC has decided to target. But why has it taken the FTC so long to dust off the HBNR for such a purpose when medical data is specifically protected in the US under the Health Insurance Portability and Accountability Act (HIPAA)?
HBNR was initially intended to protect data that had been made public during a breach from a cyberattack or similar incident. In 2021, however, the FTC issued a statement clarifying the scope of the law given the proliferation of apps that collected data from mobile devices. While the agency provided the sector with an interactive app to test whether they potentially fell foul of the law, they also put them on notice: ‘The Commission intends to bring actions to enforce the Rule consistent with this Policy Statement’, it warned. ‘Violations of the Rule face civil penalties of $43,792 per violation per day.’
This latest move comes in the wake of two other recent cases brought by FTC. In June 2021, FTC finalised a settlement with the fertility tracking app Flo Health, which it argued had breached its own privacy conditions by sharing data to marketing and analytics firms such as Facebook and Google without telling the women who use the app. In particular, The Wall Street Journal had alleged that Flo Health had informed Facebook when women using the app were on their period, for example, or when they had informed the app of their intention to get pregnant. Those violations involved transfer of data between the US and Europe, which, the FTC alleged, breached the principles of the EU–US and/or the Swiss–US Privacy Shield Frameworks.
Like GoodRX, Flo Health denied any wrongdoing and settled to avoid the hassle and expense of litigation. One of the conditions of the FTC’s settlement was for Flo to have an independent audit. In a statement issued in May 2022, the company said: ‘Independent auditors did not identify any material gaps or weaknesses in Flo’s privacy practices and found that Flo’s own practices are consistent with its publicly stated privacy policy.’
Given that both GoodRX and Flo Health declined to challenge these actions, both potential legal routes for enforcement remain relatively untested in an age of burgeoning health app popularity.
Executive order
Another case involved the data location broker Kochava, which the FTC sued in August 2022. The FTC claimed that the company sold location information from millions of smartphones that could be used to track visits to abortion clinics, places of worship and domestic violence shelters – and that people were unaware that their locations may be revealed. Kochava is defending the case and denies any wrongdoing.
The timing of the suit is significant. It came just a month after President Joe Biden issued an executive order to protect American women’s right to abortion. That move followed the Supreme Court’s ruling in June 2022 to overturn Roe v Wade, which had enshrined abortion rights in law for almost 50 years. President Biden’s order explicitly asked the FTC to beef up its action in this area, both under the HIPAA privacy rules and via new guidance relating to that Act from the US Department of Health and Human Services.
Clarity in this area could be a long time coming. At time of writing, for example, The New York Times reported that a federal judge in Idaho threw out the case on the basis that the regulator had failed to provide enough evidence that the company was unfairly selling millions of people’s data – although the decision allowed the FTC to strengthen its case if it wanted to continue with the claim. What does seem certain, however, is that the FTC is testing privacy laws from a wider range of angles now that technology has made it so easy to collect, and potentially distribute, personal medical data. Companies that may be data privacy compliant under HIPAA may not be under HBNR – or under the EU–US Privacy Shield Frameworks. There is little doubt that such challenges were already gathering pace in the health and fitness sector before judges overturned Roe v Wade last year. But given President Biden’s determination to protect the health rights of women in the US, it is safe to expect much more action in this area.
Arthur Piper is a freelance journalist. He can be contacted at arthur@sdw.co.uk