Attorney General Group Says Third-Party Apps Threaten Reproductive Health Privacy
Ten state attorneys general sent a letter to Apple urging the tech giant to address privacy and security gaps in third-party applications available on the App Store that track, collect or store reproductive health data.
The letter was sent Monday to Apple CEO Tim Cook by Matthew Platkin, attorney general of the state of New Jersey, and signed by the attorneys general of California, Connecticut, Illinois, Massachusetts, North Carolina, Oregon, Washington state and Washington, D.C.
The attorneys general say that in light of the U.S. Supreme Court’s July decision overturning Roe v. Wade, they fear App Store apps can be “weaponized against consumers by law enforcement, private entities, or individuals.”
“This gap in Apple’s protections threatens the privacy and safety of App Store consumers, and runs directly counter to Apple’s publicly expressed commitment to protect user data,” the attorneys general write.
Demands on Apple
Specifically, the attorneys general are demanding that Apple require third-party app developers to:
- Delete data not essential for the use of the application, including location history, search history and any other related data about consumers who may be seeking or helping to provide reproductive healthcare;
- Provide clear and conspicuous notices about the potential for App Store apps to disclose data on reproductive healthcare to third parties, and require that apps do so only when required by a valid subpoena, search warrant or court order;
- Implement at least the same data privacy and security standards as Apple when an App Store application collects consumers’ reproductive health data or syncs with user health data stored on Apple devices.
In a statement to Information Security Media Group, Apple says that when an Apple iPhone is locked with a passcode, Touch ID or Face ID, all of the health and fitness data in the Health app, other than the user’s Medical ID, is encrypted.
“Any health data synced to iCloud is encrypted both in transit and on our servers. And if you have a recent version of watchOS and iOS with the default two-factor authentication and a passcode, your health and activity data will be stored in a way that Apple can’t read it.”
Also, Apple’s HealthKit framework provides a central repository for health and fitness data on iPhones and Apple Watches, Apple says.
“Because health data can be sensitive, HealthKit provides users with fine-grained control over the information that apps can share. The user must explicitly grant each app permission to read and write data to the HealthKit store. Users can grant or deny permission separately for each type of data,” Apple says.
Apple did not immediately respond to ISMG’s request for comment on the letter from the attorneys general urging Apple to take specific steps to address gaps related to the privacy and security of reproductive health data collected, tracked or stored by third-party App Store applications.
Jeremy Barnett, chief commercial officer of data privacy firm Lokker, says that mobile app vendors should ensure that private health information is only collected and used by a party with whom the user has a direct relationship.
“No third parties should have access to the personal information provided via the app,” he says.
“One of the safeguards that Apple and other app store operators can enforce is that device information – such as location, user demographics – may not be joined with information collected by the application owner.”
The letter to Apple comes as scrutiny intensifies over how other technology vendors also track, collect, store and share data and location information pertaining to healthcare, including reproductive health.
Last year, Flo Health, a fertility-tracking mobile app maker, and the Federal Trade Commission settled a dispute in which the FTC alleged that Flo Health had shared sensitive health data from millions of users with marketing and analytics firms, including Facebook and Google, after promising users that such information would be kept private.
Under a final settlement reached in June 2021, the FTC ordered Flo Health to notify affected users about the disclosure of their health information and instruct any third party that received users’ health information to destroy that data.
Flo Health still faces a consolidated class action lawsuit in California related to its data-sharing practices (see: Lawsuit: Fertility App Maker Sent Data to Google, Facebook).
Meanwhile, Facebook parent company Meta faces a proposed consolidated class action suit filed in a San Francisco federal court alleging the social media firm violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps of hundreds of healthcare entity websites (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).
In July, President Joe Biden in an executive order encouraged the FTC to take action to protect patient privacy when it is threatened by the collection, transfer or sale of sensitive health-related data (see: Biden Order Seeks to Protect Reproductive Data Privacy).
The executive order came in response to the U.S. Supreme Court overturning Roe v. Wade, which left the legality of abortion up to the individual states.