PIRG’s comments on the FTC Health Breach Notification Rule

Health apps shouldn't be able to share our sensitive data with third party companies. The FTC is looking to rein them in with its Health Breach Notification Rule.


Health apps, websites and fitness devices aren’t covered by HIPAA, and that’s a problem. Right now, these tools can legally share your sensitive health data with third party companies, including tech companies and advertisers.

The FTC has taken action against companies like GoodRx for sharing data with Facebook, and it’s looking to strengthen rules stopping health apps from using our data however they like.

PIRG supports the FTC’s new focus on protecting consumers in the digital age. We submitted comments expressing our support and asking the FTC to take even further action.

Download our full comments.

To protect consumers, the FTC should:

  1. Finalize the proposed amendment to the Health Breach Notification Rule that expands the types of covered entities to include health apps, sites and fitness devices.
  2. Add data brokers and online advertising companies to the list of companies that have to follow the rule.
  3. Finalize the proposed change that would count the sharing of health data with third parties as a data breach.
  4. Add that the collection of unnecessary data also qualifies as a data breach.

Along with our comments, we submitted over 9,600 petition signatures from PIRG members to the FTC encouraging it to take action.

Tell the FTC: Health apps shouldn’t share our data
Did you know that health apps like fitness trackers are allowed to share and even sell your private health information -- totally legally? Take action to put a stop to this practice and protect our data.
R.J. Cross

Director, Don't Sell My Data Campaign, PIRG; Policy Analyst, Frontier Group

R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.

Patricia Kelmar

Senior Director, Health Care Campaigns, PIRG

Patricia directs the health care campaign work for U.S. PIRG and provides support to our state offices for state-based health initiatives. Her prior roles include senior director of health policy with the National Consumers League, senior policy advisor at NJ Health Care Quality Institute, and advocate at AARP and NJPIRG. She serves on the Ground Ambulance and Patient Billing Advisory Committee at the Centers for Medicare and Medicaid Services. Patricia enjoys walks along the Potomac River and sharing her love of books with her friends and family around the world.