United States of America: Adopted FTC statement on health app data breaches

On 15 September 2021 the Federal Trade Commission ('FTC') adopted a statement on breaches by health apps and other connected devices. The statement is intended to offer guidance on the scope of the Health Breach Notification Rule, 16 C.F.R. Part 318, which requires vendors of personal health records to notify U.S. consumers and the FTC, and, in some cases, the media, about a breach of unsecured identifiable health information. The Commission points out that the developers of aealth apps or connected devices are “health care providers” and therefore fall under the mentioned rule. Furthermore, it is outlined in the statement that the rule is already triggered in case of breach of security, which may for example be the case when sensitive health information is disclosed without users’ authorization.