FTC: Amazon, One Medical Must Keep Privacy Promises
Commission’s Data Protection Warning Comes After Firms’ $3.9B Deal
Marianne Kolbasuk McGee (HealthInfoSec) • March 1, 2023
The U.S. Federal Trade Commission is warning Amazon it will hold the tech giant accountable for its promise not to use the personal health information of patients seen by a newly acquired primary care practice for advertising or marketing purposes.
Amazon just days ago finalized a $3.9 billion acquisition of healthcare chain One Medical, giving it access to 214 medical offices in two dozen metro areas serving 815,000 patients.
In announcing the acquisition, Amazon pledged that “as required by law,” it would not share One Medical patients’ personal health information to sell other Amazon products, absent clear permission.
In a Monday warning issued as a bipartisan joint statement signed by all four serving agency commissioners, the FTC said Amazon has made a pledge to consumers that it will respect their privacy. The commissioners say the agency won’t abide hedging about what constitutes personal health information.
“Whether the companies’ privacy representations are deceptive will turn on the perspective of a reasonable consumer rather than the perspective of a HIPAA expert,” the commissioners wrote. The agency has a history, they also wrote, of pursuing enforcement against company representations that may be technically true but “convey a false net impression.”
A recent survey by the Pew Research Center found the percentage of Americans with privacy concerns over health data in mobile apps nearly doubled to 62% when respondents were told that HIPAA does not cover data downloaded to apps.
Amazon’s acquisition is the retail giant’s latest foray into the healthcare space, which includes the 2018 purchase, for nearly $1 billion, of online pharmacy PillPack. One Medical revealed in September the FTC was probing the acquisition for possible anti-competitive effects, although, as the Monday letter says, the investigation did not result in a legal challenge before the deal’s consummation.
Amazon declined Information Security Media Group’s request for comment on the FTC’s statement. One Medical did not respond to a separate ISMG request for comment.
Stepping Up Enforcement
The FTC has signaled it intends to be more aggressive in pursuing privacy enforcement actions against companies that share personal health data. The Department of Health and Human Services enforces HIPAA, but the FTC since September 2021 has said it can pursue enforcement against companies that share personal health data with third parties without explicit consumer approval.
It put that legal interpretation of its powers to the test in a $1.5 million settlement with discount prescription drug provider GoodRx for failing to disclose to consumers that it had shared their data with advertisers, including Facebook and Google (see: FTC Hits Firm With $1.5M Fine in Health Data-Sharing Case).
The agency last year also initiated a lawsuit against Idaho-based Kochava, alleging the company sells sensitive location data collected from hundreds of millions of mobile devices, including data that could be used to identify individuals who have visited abortion clinics, mental health providers and other sensitive locations (see: FTC Sues Firm That Collects, Sells Sensitive Location Data).