FTC In The US Tightens Screws On Healthcare Data Breach


The Federal Trade Commission solidified the data breach reporting requirements for healthcare applications in an April 26, 2024 rule, with the objective of stopping firms from trafficking potentially sensitive medical information.

The Health Breach Notification Rule requires companies that hold personal health information to notify regulators, consumers and, in certain cases, the media when that data is breached, which enables regulators to identify bad actors.

The new final rule clarifies that it applies to health applications and expands the information that covered entities are required to disclose in the event of a breach.

The FTC first warned health apps that the HBNR applied to them in a 2021 policy statement, before proposing a rule in spring 2023 that stated its case directly.

In updating the HBNR, which was first issued in 2009 and has rarely been used to penalize companies for breaches, the FTC is looking to keep pace with evolving uses of health data. Apps and other direct-to-consumer wearables such as fitness trackers have become far more popular since COVID-19 pushed the adoption of new health technology. These applications commonly use consumers’ data for marketing and other purposes that users are not aware of and that fall outside the scope of the HIPAA privacy law.

The final rule revises the existing definitions within the HBNR. Highlighting the rule’s applicability to health apps, however, could have greater ramifications for the sector, since the FTC has been looking to bring more enforcement actions relying on the HBNR.

In 2023, the FTC notched its first settlement under the HBNR, forcing drug discount provider GoodRx to pay a $1.5 million civil penalty after finding that it disclosed consumer data to third-party marketers such as Facebook and Google. In May of the same year, the FTC settled with Easy Healthcare over similar concerns, with a fine of $100,000.

The comparatively low fine amounts and settlements suggest that the FTC has not been fully confident in its ability to enforce its new interpretation of the HBNR in court, experts say.

This final rule is likely to bolster the FTC’s enforcement position and could lead to much larger civil penalties in the future.

The rule also clarifies the definition of personally identifiable health data, the breach of which triggers the HBNR’s reporting requirements. This includes traditional health information such as diagnoses and medications, data acquired from interacting with applications, and a category named emergent health data.

Emergent health data includes healthcare-related purchase records as well as location data, which can be used to draw inferences about a person’s medical history.

Location data is a specific focus for regulators because of the Supreme Court’s 2022 decision overturning the constitutional right to abortion.

The Biden administration has been looking for new ways to use existing tools, such as HIPAA and the HBNR, to stop data sharing, over concerns that the data could be used to prosecute individuals who receive, perform, or help facilitate abortions.

In a recent move, the FTC has taken steps against data brokers to stop them from leaking location information that could be used to track consumers’ visits to medical clinics. The final rule also broadens what companies must tell consumers in the event of a data breach, such as which third parties acquired their personal information. It also allows companies to notify consumers of a breach by email or other electronic means, and sets a deadline for reporting large breaches.

The FTC voted 3-2 to publish the rule in the Federal Register. Dissenting from the majority, Commissioners Melissa Holyoak and Andrew Ferguson argued that the rule exceeds the FTC’s authority and puts companies at risk of perpetual non-compliance.

Separately, researchers from the Rubrik Zero Labs research unit found that the average healthcare organization holds more than 42 million sensitive data records, 50% above the global average of 28 million.

Taking this figure into account, Rubrik concluded that ransomware attacks against healthcare organizations can have significant adverse effects on operations, data security, and integrity.

Rubrik based its findings on its own data, spread across 6,100 customer organizations, along with survey findings from Wakefield Research and data from numerous partner research organizations.

At a typical healthcare organization observed by Rubrik, 16.8 million files are impacted by every encryption event, and 8.4 million of those impacted files are sensitive data files.

Researchers also observed that healthcare organizations rely on virtualized architecture at higher rates than organizations in other industries. Almost 97% of encrypted healthcare data resided within a virtualized architecture, compared with 83% across all industries analyzed in the report.

A point of concern is that the effect on businesses and employees can linger even after organizations recover from a cyberattack. Organizations have reported dips in shareholder value and mental health impacts, which in turn have led to customer loss.

Many organizations have also hired additional staff and increased spending on new services after a successful recovery. The report underscored that risk cannot be eliminated, but the risk cycle can be influenced to shape a new risk baseline, highlighting the importance of learning from ransomware attacks and applying those lessons to future risk reduction activities.