News Alerts and Breach Report for Week of May 8, 2023
FTC Settles Health Data Cases
The Federal Trade Commission settled data privacy cases with Better.com and GoodRX this week. The enforcement action comes as promised in a policy statement issued in October 2021 which made it clear the FTC would take action against health tech companies that failed to comply with the Health Breach Notification Rule. The rule requires data controllers of health records to alert the FTC, consumers, and in some cases the media when a personal health record data breach occurs. It also applies to unauthorized or undisclosed sharing of data with vendors, which is what landed GoodRX in hot water. According to the FTC’s statement, the pharmaceutical platform “violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures.” And according to Health IT Security, “the policy statement made it clear that the FTC would take action against health tech companies that failed to comply.”
ChatGPT Adds Data Privacy Measures
This week, ChatGPT disclosed a data breach last month, and today announced new data privacy measures in response to the breach. Instead of funneling users toward an opt-out process, ChatGPT will allow users to disable chat history, minimizing the data held by OpenAI, the maker of ChatGPT. An enterprise subscription with more data controls is also in the works. Cybersecurity Dive writes that “Data privacy is a top concern for CIOs when it comes to employees using publicly available large language models that use data put into the system to inform future responses. Recent incidents of data privacy leaks and an open-source library bug found in ChatGPT illustrate the fear. Samsung Electronics employees in the company’s semiconductor business unit reportedly put sensitive corporate data into ChatGPT recently, leading the company to limit upload capacity per prompt.”
Washington’s Health Data Act Creates Compliance Hurdles
Washington State passed a comprehensive new data privacy law last month with sweeping compliance implications. The My Health My Data Act (MHMD), signed April 27 by Governor Jay Inslee, requires any entity “doing business” in the state to comply with a rather broad set of regulations around “consumer health data.” This is defined by the law as “personal information that is linked or reasonably linkable to a consumer, and that identifies the consumer’s past, present, or future physical or mental health status.” This includes information derived from non-health data, including geolocation data that could be traced back to a consumer’s attempt to receive “health services or supplies.” Under MHMD, data controllers of health data and derivative health data will be required to obtain opt-in consent from consumers, will be barred from selling such data without prior written consent, and must delete almost any and all data upon request by a consumer. The law also prohibits geofencing advertising using health data. MHMD contains a private right of action, which could lead to changes in the law coming through the court system.
BREACH REPORT
* * * * * * *
To read our latest article on NTT Research, Inc.’s new cryptography tool that could ease compliance burdens for companies, click here
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
90 | AdTech Meets Privacy Laws (with guest Susan Israel)
89 | Quantum Technologies: What is Possible, Where We Are Headed & Policy Issues to Consider (with Guest Chris Hoofnagle)
88 | TikTok: A Path for Election Interference and Open Source Intelligence? (with guests Berit Anderson and Evan Anderson)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.