FTC takes "shot across the bow" on health data

Illustration: Gabriella Turrisi/Axios

Regulators are cracking down on the digital health sector in response to what they view as unchecked growth at the expense of consumer privacy, FTC attorneys and outside legal experts tell Axios.

Why it matters: Legal protections for sensitive personal health data have not kept up with the health tech sector's explosive growth.

Catch up quick: Recent actions by the FTC against three digital health companies — Flo, GoodRx and BetterHelp — underscore a push from the agency to address large gaps in the nearly 3-decade-old policy that is the cornerstone of health data privacy protections.

Zoom in: That law, the 1996 Health Insurance Portability and Accountability Act (HIPAA), has lagged behind the proliferation in recent years of modern digital health tools that collect highly detailed and sensitive information, including fertility and medication history, sexuality and disease status.

  • Although HIPAA protects sensitive health information in the hands of health insurers and doctors, it does not apply to similar data logged in phone apps, discussed in texts or outlined in emails.
  • "I think this is something that sort of fell through the cracks for the industry," Goodwin health care practice lead Roger Cohen tells Axios. "This is a clear indication from the FTC that they're going to pursue enforcement action and watch the sector carefully."

Context: The FTC in 2021 and 2023 took action against fertility tracking app Flo, pharmacy discount startup GoodRx and Teladoc mental health subsidiary BetterHelp over allegations that the companies shared users’ sensitive health data with tech companies including Facebook despite promising to keep such information private.

  • The GoodRx order marked the first use of the Health Breach Notification Rule, which requires companies to notify users when their health data is infringed upon.
  • The action against BetterHelp represented the first action to return funds to consumers whose health data was allegedly improperly shared.

What they're saying: Part of the agency's recent motivation for acting against health-tech companies comes from the notion that health information, unlike financial data, is sensitive and unchangeable.

  • In the case of BetterHelp — a therapy app — "this data speaks to the real essence of who we are," FTC senior privacy and data security attorney Miles Plant tells Axios.
  • While financial data "is incredibly important and sensitive, credit cards can be changed," says Plant, who served as one of the lead attorneys on the BetterHelp case. "Mental health status cannot. Once that bell is rung, [digital health companies] can’t pull it back."

Between the lines: The FTC's moves are designed to directly challenge the way digital health companies operate and make money. Cohen says, "This is a shot across the bow."

What's next: The agency "is really moving more into the health data privacy space," Plant says, but companies can start preparing now to protect themselves from financial and legal penalties.

  • "We’re trying to focus on this to signal to the market where companies should be most cautious about the data they’re collecting and transferring," Plant adds.
  • "If you’re a company in this space you ought to be looking at what you’re doing in this area," Cohen says. "Review your privacy policies and think through whether they're accurate, look at what you’re doing with patient information, who you’re sharing it with and what you’re sharing it for."

The bottom line: "This is intended to signal to the market that companies should be transparent and honest about health information disclosures," Plant says. "The FTC will continue to be very focused on this space."
