Feature Data Privacy
FTC Health Breach Notification Rule: What Non-HIPAA Health Data Holders Must Report and When
The FTC's 2024 amendments to the Health Breach Notification Rule dramatically expanded coverage to health apps, wellness platforms, and connected devices — with enforcement actions totaling $9+ million. Here's what every fintech and non-HIPAA health data holder needs to know.
Table of Contents
TL;DR
- The FTC’s 2024 amendments to the Health Breach Notification Rule explicitly cover health apps, wellness platforms, connected devices, and non-HIPAA PHR vendors — effective July 29, 2024
- “Breach of security” now includes intentional but unauthorized corporate data-sharing decisions, not just hacking — meaning ad-tech integrations that share health data without authorization are covered
- Three enforcement actions (GoodRx, Premom/Easy Healthcare, BetterHelp) have already produced $9+ million in penalties and consumer refunds, with multi-year ad-data prohibitions
- The 60-day notification clock starts when anyone in the company knows OR should have known — and you must now identify third parties who received the health data in your consumer notice
Most compliance teams running a fintech or digital health company operate with a clear mental model: if we’re not a covered entity under HIPAA, we don’t have HIPAA breach notification obligations. That’s true. It’s also increasingly irrelevant.
The Federal Trade Commission finalized significant amendments to its Health Breach Notification Rule (HBNR) in April 2024, effective July 29, 2024. Those amendments do one thing with precision: they make clear that the gap between “HIPAA-covered” and “unregulated” does not exist for health data collected outside the healthcare system. Health apps. Wellness platforms. Reproductive tracking tools. HSA/FSA-adjacent products. Fitness wearables. Connected blood pressure cuffs.
The FTC has already brought three enforcement actions under the rule — GoodRx, Premom, and BetterHelp — producing $9+ million in penalties and consumer relief plus multi-year bans on sharing health data with advertisers. These are not warning shots. The rule is live, it is enforced, and the 2024 amendments made it sharper.
What the FTC Health Breach Notification Rule Actually Covers
The HBNR applies to three categories of entities specifically not covered by HIPAA:
Vendors of Personal Health Records (PHR vendors) — companies that offer or maintain electronic records of identifiable health information with the capacity to draw information from multiple sources. Think: a personal health dashboard that pulls data from a hospital portal, wearable, and patient-entered history. If you aggregate individual health data from more than one source, you are likely a PHR vendor.
PHR-related entities — companies that offer products or services through the online services (including mobile applications) of a PHR vendor. If your app integrates with a PHR vendor’s platform, you inherit coverage.
Third-party service providers — business entities that provide services involving the use, maintenance, disclosure, or disposal of PHR identifiable health information on behalf of PHR vendors or PHR-related entities. This pulls in billing processors, data analytics firms, cloud storage providers, and others in the supply chain.
The 2024 amendments made explicit what regulators had been arguing since 2021: health apps are covered. Fitness trackers that sync to proprietary health apps, ovulation tracking applications, mental health platforms, meditation apps that collect health questionnaire data, blood glucose monitoring systems — all covered if they meet the PHR vendor or PHR-related entity definitions.
What Now Counts as a “Breach of Security”
This is where the 2024 amendments changed the game for compliance programs built around cybersecurity-incident definitions of breach.
The prior rule defined breach as unauthorized acquisition of unsecured PHR identifiable health information. That was recognizable: a hacker exfiltrating a database.
The amended rule now includes:
Unauthorized disclosures — when a covered entity intentionally but without proper authorization discloses health information to third parties. If your company shared medication data with Facebook’s advertising API without users’ knowing, knowing permission-scope authorization, that’s a breach under the FTC rule. The FTC has been explicit: this is not limited to cybersecurity intrusions or “nefarious behavior.” A corporate policy decision can constitute a breach.
Unauthorized uses — when an entity “exceeds authorized access” to use PHR identifiable health information for a secondary purpose not originally authorized by the individual.
Presumption of breach — unauthorized access is presumed to include unauthorized acquisition unless the covered entity has reliable evidence that no unauthorized acquisition occurred.
This expanded definition is the reason GoodRx fell. GoodRx disclosed that patients had searched for medications — mental health drugs, HIV medications, fertility treatments — to Facebook and Google for advertising purposes. Users had not authorized that disclosure. Under the FTC rule, that was a breach regardless of whether any system was compromised.
The Notification Requirements: Who, What, and When
The 60-day clock runs from the date of discovery — defined as the date on which the breach became known to any employee, officer, or agent of the covered entity, or the date it should reasonably have been known. This is a lower threshold than “when the incident response investigation concludes.”
Individual Notification
Every affected U.S. citizen or resident must receive individual notice within 60 calendar days. The 2024 amendments significantly expanded what that notice must contain:
- Description of what happened, in plain language
- Date of discovery
- Types of health information involved
- Identity (or description if naming would pose a risk) of any third parties that acquired the unsecured health information
- Contact information for those third parties
- Measures affected individuals can take to protect themselves
- What the entity is doing to investigate and prevent future breaches
- Contact information for the entity
The third-party identification requirement is new and consequential. If you shared health data with an ad tech company and that sharing constitutes a breach, you must now tell your users which company received their data and how to contact them. This makes the notification substantially more informative — and substantially more difficult if you’ve been sharing data without tracking who received it.
FTC Notification
| Breach Size | Obligation | Timing |
|---|---|---|
| 500+ individuals affected | Notify FTC simultaneously with individual notices | Within 60 days of discovery |
| Fewer than 500 individuals | Submit annual breach log to FTC | By 60 days after calendar year end |
The FTC maintains an online portal for breach submissions: ftc.gov/health-breach-notification. For breaches affecting 500 or more, this is a simultaneous obligation — you cannot complete individual notification first and then get around to the FTC.
Media Notification
If a breach affects 500 or more residents of a single state, DC, or U.S. territory, you must notify prominent media outlets serving that jurisdiction within 60 days. This is a geographic threshold, not a total-count threshold. A breach affecting 600 people across 12 states triggers media notification in each state where 500+ residents are affected.
Most companies miss this in their breach notification matrices because they focus on total count, not state-level count. The threshold for media notification can be reached in a single state even if the overall breach is small.
How This Differs from HIPAA
The most dangerous compliance assumption in health data management is that HIPAA and the FTC HBNR cover the same ground. They don’t.
| Dimension | FTC Health Breach Notification Rule | HIPAA Breach Notification Rule |
|---|---|---|
| Who is covered | Non-HIPAA health apps, PHR vendors, connected devices, service providers | HIPAA covered entities and business associates |
| Breach definition | Unauthorized acquisition, access, disclosure, or use — including intentional corporate data sharing | Unauthorized acquisition, access, use, or disclosure of PHI due to security failure |
| Regulator notified | FTC | HHS Office for Civil Rights |
| Third-party identification in notice | Required (2024 amendment) | Not required |
| Media threshold | 500+ in a single state/territory | 500+ in a single state (cumulative) |
| Small-breach reporting | Annual log to FTC | Annual summary to HHS |
The critical practical difference: HIPAA covers health entities you expect (hospitals, insurance companies, their vendors). The FTC rule covers the rest of the health data ecosystem — and that ecosystem has expanded dramatically with digital health, wearables, and embedded wellness features in fintech products.
The Enforcement Record: What Got Companies in Trouble
The FTC has brought three enforcement actions under the HBNR since 2023, establishing the agency’s enforcement posture and the types of conduct that trigger liability.
GoodRx Holdings (February 2023) — The first enforcement action under the rule. GoodRx shared health information (including specific prescription medications and health conditions) with Facebook, Google, Criteo, and other advertising companies for years, despite promising users their data would “never” be shared with advertisers. FTC settlement: $1.5 million civil penalty, plus a permanent bar from sharing health data for advertising and multi-year compliance reporting.
Easy Healthcare Corporation / Premom (May 2023) — The Premom ovulation tracking app shared sensitive reproductive health data with third parties including China-based analytics companies, disclosed data to AppsFlyer and Google for advertising, and failed to encrypt data it shared. FTC settlement: $100,000 civil penalty, permanent bar from sharing health data for advertising.
BetterHelp (July 2023) — The mental health counseling platform shared users’ sensitive mental health information (email addresses, IP addresses, health questionnaire responses) with Facebook, Snapchat, Criteo, and Pinterest for advertising — despite privacy promises. FTC action resulted in $7.8 million in consumer refunds — the largest consumer-directed health data enforcement action at the time — plus a permanent ban on further data sharing for advertising.
In all three cases, the common thread wasn’t a hacker. It was a deliberate corporate decision to share health data with advertising platforms without adequate authorization — exactly the “unauthorized disclosure” scenario the 2024 amendments explicitly addressed in the rule text.
What Fintechs and Non-Healthcare Companies Actually Need to Do
Step 1: Determine whether you’re a covered entity
Map your data flows. If your product collects or processes any of the following, and you’re not a HIPAA-covered entity:
- Information about health conditions, treatments, diagnoses
- Prescription medication data
- Mental health or substance use data
- Reproductive health data (ovulation, pregnancy, fertility)
- Biometric data used for health monitoring (blood pressure, blood glucose, weight)
- Insurance or benefits data linked to health conditions
…you need to determine whether you qualify as a PHR vendor or PHR-related entity. The PHR definition — electronic record of identifiable health information that can draw from multiple sources — covers a surprising range of products, including HSA/FSA platforms that aggregate transaction data with health codes.
Step 2: Audit your third-party data-sharing relationships
The GoodRx and Premom enforcement actions both involved sharing health data with advertising technology companies. Before those actions, many companies considered this standard ad-tech practice. Under the FTC HBNR, it can be a breach.
Inventory every third party receiving health data. Assess whether the sharing exceeds what users authorized. For advertising-related integrations: segregate health data from behavioral/demographic data before passing to ad platforms, or obtain specific consent for health-data-informed advertising.
Step 3: Build a notification-ready operations structure
The 60-day clock runs from when anyone should have known. That means your breach detection → assessment → notification pipeline needs to start at detection, not at the conclusion of a lengthy investigation.
Key elements:
- Documented breach discovery date (journal entries, incident ticket timestamps)
- Third-party data recipient inventory (you need to name them in the consumer notice)
- Individual contact information accuracy verification
- FTC portal submission workflow
- State-level media notification threshold tracking by incident
Step 4: Update your incident response plan
If your IRP was built around HIPAA or state breach notification laws, add an HBNR track. The state breach notification law frameworks differ from the FTC HBNR in important ways — different regulators, different content requirements, different thresholds. Running both tracks simultaneously requires a coordination workflow.
Similarly, if you’re running a privacy impact assessment for new health data features, include HBNR coverage analysis as a required section.
Step 5: Document the authorization basis for every health data use
Under the expanded breach definition, using health data beyond its authorized scope is itself a breach. Your privacy notice is the authorization document. If your privacy notice says “we use your data to provide health tracking” and you then share it with an advertising partner, you’ve exceeded the authorization. Keep privacy notices current, specific, and accurate — especially for health data use cases. Review them after each new ad-tech or analytics integration.
So What? The Practitioner Takeaway
The FTC Health Breach Notification Rule has been in place since 2009. What changed in 2024 is precision: the FTC explicitly stated that health apps are covered, that intentional corporate data sharing decisions can constitute breaches, and that breach notices must name the third parties who received health data.
Three enforcement actions in two years, $9+ million in penalties and consumer refunds, and permanent advertising bans tell you this is not a paper tiger. The companies that fell: a medication discount platform, a fertility tracking app, a mental health counseling service. Each assumed their data practices were lawful because they weren’t HIPAA-covered. Each was wrong.
For fintechs running HSA/FSA products, health spending analytics, wellness programs, or any product that touches health data without a HIPAA business associate agreement: run the HBNR coverage analysis now, before you discover you needed it.
The FTC’s compliance guide is the starting point. The Federal Register final rule contains the full text of the 2024 amendments. And for organizations working through the broader framework of health data obligations — HIPAA, HBNR, state health privacy laws — the HIPAA Security Rule overhaul provides context on what’s changing inside the HIPAA perimeter.
The gap between “not HIPAA-regulated” and “unregulated” closed in 2024. The FTC’s enforcement record makes clear it intends to keep it closed.
Need a structured framework for documenting your health data flows, mapping third-party sharing relationships, and building your breach notification workflow? The Data Privacy Compliance Kit includes templates for data inventory mapping, breach assessment, and DSAR workflows across GDPR, CCPA/CPRA, GLBA, and state privacy laws.
◆ Related template
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Does the FTC Health Breach Notification Rule apply if we're already covered by HIPAA?
How is a 'breach of security' defined under the FTC rule — and is it different from HIPAA?
We're a fintech with an HSA or FSA product. Does the FTC Health Breach Notification Rule apply to us?
What is the notification timeline under the FTC Health Breach Notification Rule?
What does the FTC actually require in the breach notice to consumers?
Are there penalties for violating the FTC Health Breach Notification Rule?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Keep reading
Related posts.
Data Privacy
Connecticut's CDPA Took Effect Last Tuesday: Financial Account Data Is Now Sensitive Data, the Threshold Dropped to 35,000, and There's No 60-Day Grace Period
Connecticut's expanded CDPA took effect July 1, 2026. It lowered the applicability threshold from 100,000 to 35,000 consumers, reclassified financial account information as sensitive data requiring consent before processing or sale, eliminated the guaranteed 60-day cure period, and stripped the entity-level GLBA exemption from fintechs and nonbank lenders. Here's what changed and what your program needs to address this week.
Jul 8, 2026
Data Privacy
Biometric Data in Financial Services: The BIPA Exemption Isn't as Broad as Your Vendors Think
Financial institutions have a GLBA-based exemption from Illinois' Biometric Information Privacy Act — but courts are actively splitting on whether that exemption extends to your KYC and identity verification vendors. Two unsettled circuit questions, $100M+ in recent settlements, and what your vendor contracts need to say before the 7th Circuit decides.
Jul 5, 2026
Data Privacy
Minnesota's MCDPA Has Been Enforcing Since January — Your GLBA Exemption Doesn't Cover What You Think It Does
Minnesota's Consumer Data Privacy Act uses a data-level GLBA exemption, not an entity-level one. Non-bank fintechs have been exposed since January 31, 2026 — with no notice-to-cure period and $7,500-per-violation penalties.
Jul 2, 2026