Consumer health data needs better protection, FTC says

Congress needs to force data brokers to be more transparent about how they use the personal information of consumers--including health information--the Federal Trade Commission said in a new report published this week.

The FTC recommends that Congress act to protect such sensitive data by requiring that brokers collect information only after obtaining consumer consent.

"Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data," the report's authors wrote.

For the report, the agency examined the practices of nine data brokers. The brokers, it said, make "inferences" about consumers by combining and analyzing information, including data about health-related topics such as pregnancy and diabetes.

"The extent of consumer profiling today means that data brokers often know as much--or even more--about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income, our socioeconomic status and more," FTC Chairwoman Edith Ramirez said in a statement. "It's time to bring transparency and accountability to bear on this industry on behalf of customers."

Earlier this month, an FTC study revealed that mobile health and fitness applications are sharing user data with third-party vendors. The data includes device use information, as well as personal health and fitness insight.

Entities covered under the Health Insurance Portability and Accountability Act also may be subject to security enforcement by the FTC, the agency confirmed in a unanimous ruling in January against a medical testing laboratory that mishandled patient information. The case dated back to last summer, when the FTC filed a complaint against Atlanta-based LabMD for two separate privacy breaches--one that occurred in 2008 and one that took place in 2012--that involved roughly 10,000 patients. LabMD, in turn, claimed that the FTC overstepped its statutory authority because the company was a covered entity under HIPAA.
