FTC’s Health Privacy Crackdown: 5 Lessons for Health App Providers
The Federal Trade Commission (FTC) is getting tough on privacy in health apps. In February and March 2023, the agency reached two significant settlements with companies providing remote healthcare (or “telehealth”) services.
These settlements weren’t with hospitals or clinics hit by cyberattacks. They were with GoodRx and BetterHelp, loosely regulated companies that shared data with advertisers, like thousands of other health apps.
Yes, health apps commonly share data with third parties. In fact, a 2021 British Medical Journal study found that nearly 90% of health apps include code that could “access and potentially share personal data.”
But the era of freely sharing personal information is over. In this article, we’ll look at what went wrong for GoodRx and BetterHelp and explore five lessons for health app providers in the new US privacy landscape.
FTC Health Privacy Crackdown: The Background
The FTC’s sanctions follow a series of warnings about privacy in health apps, and they take place against a backdrop of fast-changing attitudes towards privacy in the US.
Here’s a brief overview of the two recent FTC settlements.
GoodRx: $1.5 Million Settlement
GoodRx provides discount drugs via its app and websites. The FTC announced a settlement with GoodRx in February. Under the terms of the settlement, GoodRx must:
- Pay a $1.5 million civil penalty.
- Never again share health information for advertising purposes.
- Get consent before sharing health information for other purposes.
- Require third parties to delete health information they received from GoodRx.
- Implement a “comprehensive privacy program” under FTC supervision.
So how did GoodRx end up in this situation? The company’s data-sharing practices are more common than you might think.
What Did GoodRx Do Wrong?
The FTC accused GoodRx of violating the Health Breach Notification Rule. This decades-old law covers health-related businesses that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).
The FTC found GoodRx “monetized its users’ personal health information” through pixels and software development kits (SDKs).
The company shared user data with advertisers like Facebook, Google, and Criteo, plus other third parties such as analytics provider Branch and communication platform Twilio.
To make matters worse, GoodRx assured users it would never share personal health information with advertisers or other third parties. The FTC found that GoodRx “repeatedly violated these promises”.
BetterHelp: $7.8 Million Settlement
BetterHelp provides therapy services via its app and websites. The FTC announced a settlement with BetterHelp just one month after the GoodRx penalty.
Under this settlement, BetterHelp must pay a civil penalty of $7.8 million. The company also faces similar orders to GoodRx, including a ban on sharing user data with advertisers and a requirement to implement a privacy program.
What Did BetterHelp Do Wrong?
The FTC sanctioned BetterHelp under the FTC Act. This consumer protection law applies extremely broadly—not just to health-related companies.
The FTC found that BetterHelp had shared health information with third parties like Facebook, Pinterest, Snapchat, and Criteo.
BetterHelp shared information such as IP addresses, email addresses, and “other identifiers” together with data about customers’ medical histories and their use of the service. Like GoodRx, BetterHelp repeatedly promised not to do this.
BetterHelp also allegedly failed to employ “reasonable safeguards” to protect user data. The company did employ “hashing” techniques to conceal users’ identities. But as we’ll explore below, this measure didn’t count for much from the FTC’s perspective.
Five Lessons For Health Apps From the FTC’s GoodRx and BetterHelp Settlements
These two FTC settlements are highly significant. Not because of the multi-million dollar civil penalties or strict injunctions—but because of what the FTC said about health information, device information, and data-sharing.
1. ‘Health Information’ Takes Many Forms
The FTC takes a very broad view of “health information” that might surprise some health app developers.
Any information indicating that a person uses a health-related service can be health information.
Here’s an example from the BetterHelp complaint. BetterHelp only provides therapy services. Therefore, if the company has a person’s data, this indicates that the person is considering or receiving therapy.
As such, the FTC found that the “disclosure of even a (user’s) email address” is “a disclosure of the (user’s) health information” in this context.
And as noted by the US Department of Health and Human Services (HHS) last year: Even including a pixel or other tracker on a health-related website or app can lead to an illegal disclosure of health information.
2. Device Information Can Be Personal Information
Throughout both cases, the FTC repeatedly describes device information such as IP addresses and mobile IDs as “identifiers” and “personal information.”
If you share health information together with an identifier, you could be breaking the law.
Most websites and apps include pixels, cookies, and SDKs that collect and share this type of data.
In a guidance note on the Health Breach Notification Rule, the FTC gives an example of why this interpretation of “personal information” is particularly important for health apps.
“...suppose you share your users’ medical information along with their mobile identifiers with an ad network for the purpose of targeted marketing without first getting the person’s consent… the information disclosed could still readily identify individual consumers, so it counts as (personal health record) identifiable health information.”
If you share anonymous health information with third parties—even without consent—this is not “identifiable health information.” But add an IP address, ad ID, or another identifier, and you could be disclosing health information.
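The check below is an added example, not code from the FTC, GoodRx, or BetterHelp: it audits an outbound analytics event before it leaves the app and flags it when an identifier travels together with health context, or when any identifier is sent at all from a health-only service (lesson 1). The field names, the sample event, and the health_only_service flag are assumptions made for illustration.

```python
import re

# Value shapes treated as identifiers; a 64-hex digest counts, since hashed emails still identify.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "ip_address": re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"),
    "device_or_ad_id": re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"),
    "hashed_value": re.compile(r"[0-9a-fA-F]{64}"),
}
# Hypothetical field names that reveal health context; adapt to your own schema.
HEALTH_KEYS = {"medication", "condition", "diagnosis", "therapy_topic", "prescription"}

def walk(node, path=""):
    """Yield (path, leaf_value) for every leaf in a nested dict/list payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def audit_event(payload, health_only_service=False):
    """Report identifiers and health fields in a payload bound for a third party."""
    identifiers, health = [], []
    for path, value in walk(payload):
        leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
        if leaf in HEALTH_KEYS:
            health.append(path)
        if isinstance(value, str):
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.fullmatch(value.strip()):
                    identifiers.append((path, kind))
    # On a health-only service, the identifier alone reveals use of the service.
    block = bool(identifiers) and (health_only_service or bool(health))
    return {"identifiers": identifiers, "health_fields": health, "block": block}

# Constructed sample event, not taken from any real app or SDK.
SAMPLE_EVENT = {
    "event": "coupon_viewed",
    "user": {"em": "ab" * 32, "client_ip": "203.0.113.7",
             "ad_id": "123e4567-e89b-12d3-a456-426614174000"},
    "props": {"medication": "example-drug", "page": "/coupons"},
}

if __name__ == "__main__":
    print(audit_event(SAMPLE_EVENT))
```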
Privacy as Code
The FTC’s regulatory approach shows why a “privacy as code” approach is so important when developing apps.
Privacy Code Scanning lets you understand precisely how your app collects, uses, stores, and shares personal information. This ongoing process is crucial to ensure you can keep control of the personal information you collect.
As privacy law becomes more demanding and complex, bridging the gap between privacy and engineering teams is essential.
The GoodRx and BetterHelp cases show how engineering teams must implement privacy controls from the start—rather than rewriting code late in development or after a product has shipped.
3. Hashing or Encrypting Data Might Not Help
In its BetterHelp complaint, the FTC noted that BetterHelp hashed people’s email addresses (“converted the email addresses into a sequence of letters and numbers through a cryptographic tool”) before sharing them with Facebook.
This sounds like a sensible security measure to prevent the identification of users. But in this case, it was not.
Personal information can still be personal information even when hashed or encrypted, if the recipient can link the hashed or encrypted value back to a person.
As the FTC states, hashing users’ email addresses might have protected the information from malicious actors, but it didn’t conceal users’ identities from “Facebook or other third parties.”
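The whole point of sharing this information was to link people’s email addresses to their Facebook accounts. An advertiser that already holds the same email addresses can hash them the same way and match the results, which effectively undoes the hashing and makes the person who provided the information identifiable.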
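An added illustration of why a hashed email remains an identifier (not code from the FTC complaint or from either company): a recipient that already holds the same addresses recomputes the digest and joins on it. SHA-256, the normalization step, and all addresses and account IDs below are assumptions constructed for the example; the complaint only describes “a cryptographic tool.”

```python
import hashlib

def normalize(email: str) -> str:
    # Trim and lowercase so the same address always produces the same digest.
    return email.strip().lower()

def hash_email(email: str) -> str:
    # Unsalted, unkeyed hash: anyone with the same input gets the same output.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def match_shared_hashes(shared_hashes, recipient_accounts):
    """Resolve shared digests to the recipient's own accounts.

    recipient_accounts maps account_id -> email address the recipient
    already holds. Returns {digest: account_id} for every digest it can link.
    """
    lookup = {hash_email(email): account for account, email in recipient_accounts.items()}
    return {digest: lookup[digest] for digest in shared_hashes if digest in lookup}

# Constructed sample data: emails collected by a health app ...
APP_USER_EMAILS = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]
# ... and accounts the receiving platform already has on file.
RECIPIENT_ACCOUNTS = {
    "acct-1001": "alice@example.com",
    "acct-1002": "bob@example.org",
    "acct-1003": "dave@example.com",
}

def demo():
    """Hash the app's emails as if for sharing, then link them on the recipient side."""
    shared = [hash_email(email) for email in APP_USER_EMAILS]
    return match_shared_hashes(shared, RECIPIENT_ACCOUNTS)

if __name__ == "__main__":
    for digest, account in demo().items():
        print(digest[:12], "->", account)
```

Two of the three shared digests resolve to known accounts, so for those users the hashed value discloses exactly what the plaintext email would have.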
4. Sharing Personal Information With Advertisers Can Be a ‘Data Breach’
The FTC pursued GoodRx under the Health Breach Notification Rule, which requires companies to notify people if they suffer a health information-related data breach.
When discussing a “data breach,” we usually think of malicious actors conducting cyberattacks.
This mindset needs to change.
Sharing personal information with advertisers and other third parties without notice or consent can be considered a “data breach.”
As the FTC states in its guidance for telehealth providers:
“...a ‘breach’ is not limited to cybersecurity intrusions or nefarious behavior by hackers or insiders. Incidents of unauthorized access, including a company’s disclosure of covered information without a person’s authorization, triggers notification obligations…”
5. Implementing ‘Privacy By Design’ Can Help Avoid Data-Sharing Issues
In both complaints, the FTC criticized the companies’ organizational approaches to privacy.
GoodRx allegedly allowed its marketing department to share personal information with third parties without “any formal review or approval process.”
As for BetterHelp, the company reportedly handed “most decision-making authority” over data-sharing to a junior marketing analyst with “no experience and little training” in safeguarding personal information.
Software providers should consider privacy at the earliest possible stage in the development cycle.
Marketing teams might not be in a position to understand what data an app shares, how that sharing occurs, and who might receive the data.
But if app developers implement “privacy by design,” they can control how the app collects, uses, and shares data before data-sharing becomes a problem.
The US Privacy Landscape Has Changed
The FTC’s settlements clearly indicate how attitudes toward privacy are changing in the US. But the FTC’s crackdown should not surprise anyone who has been paying attention.
- In September 2021, the FTC released a policy statement about “the proliferation of apps and connected devices that capture sensitive health data.”
- In October 2022, Advocate Aurora Health announced it was turning off pixels and trackers across due to a data breach affecting up to 3 million people.
- In December 2022, HHS warned health firms not to “use tracking technologies in a manner that would result in impermissible disclosures.”
- This March, the therapy app Cerebral notified users of a similar tracking-related “privacy breach.”
- On March 16, the FTC released new guidance about the “hidden impacts of pixel tracking.”
- Five new state privacy laws take effect throughout 2023 across California, Virginia, Colorado, Connecticut, and Utah.
There are countless examples—and this is just the US. Privacy and data protection are developing fast worldwide.
Companies that integrate privacy into the core of their products can gain a significant competitive advantage in this new landscape.
Robert is a writer covering privacy, security, and AI. He is a respected voice on privacy and has been covering and working in the field since 2017.